diff --git a/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899.md b/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899.md index 304d382d66..c1bbf123e3 100644 --- a/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899.md +++ b/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899.md @@ -36,7 +36,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "pam_unix(cron:session): session closed for user root", "event": { "kind": "event", - "provider": "cron" + "provider": "cron", + "reason": "session closed" + }, + "related": { + "user": [ + "root" + ] + }, + "user": { + "name": "root" }, "wallix": {} } @@ -52,7 +61,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "pam_unix(sudo:session): session closed for user wabuser", "event": { "kind": "event", - "provider": "sudo" + "provider": "sudo", + "reason": "session closed" + }, + "related": { + "user": [ + "wabuser" + ] + }, + "user": { + "name": "wabuser" }, "wallix": {} } @@ -323,15 +341,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "provider": "sudo" }, "process": { - "command_line": "/opt/wab/bin/WABCleanApprovals close" + "command_line": "/opt/wab/bin/WABCleanApprovals close", + "working_directory": "/root" }, "related": { "user": [ - "wabuser ;" + "wabuser" ] }, "user": { - "name": "wabuser ;" + "name": "wabuser" }, "wallix": {} } 
@@ -3908,6 +3927,7 @@ The following table lists the fields that are extracted, normalized under the EC |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`host.ip` | `ip` | Host ip addresses. | |`process.command_line` | `wildcard` | Full command line that started the process. | +|`process.working_directory` | `keyword` | The working directory of the process. | |`service.name` | `keyword` | Name of the service. | |`source.ip` | `ip` | IP address of the source. | |`source.port` | `long` | Port of the source. | diff --git a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md index d9f57b22b6..05147c3103 100644 --- a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md +++ b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md @@ -129,7 +129,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "IpPort": "-", "LogonProcessName": "Schannel", "LogonType": "3", - "ProcessName": "c:\\windows\\system32\\lsass.exe", + "ProcessName": "C:\\Windows\\System32\\lsass.exe", "Severity": "Info", "SourceName": "Microsoft-Windows-Security-Auditing", "SubjectDomainName": "CORPDOMAIN", @@ -153,9 +153,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\system32\\lsass.exe", + "executable": "C:\\Windows\\System32\\lsass.exe", "name": "Schannel", - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\Windows\\System32\\" }, "related": { "hosts": [ 
@@ -587,7 +587,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "AccountType": "User", "Domain": "NT AUTHORITY", "EventType": "INFO", - "Image": "c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe", + "Image": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe", "Keywords": "-9223372036854775808", "OpcodeValue": 0, "ParentImage": "C:\\\\Program Files\\\\NSClient++\\\\nscp.exe", @@ -614,8 +614,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "command_line": "powershell.exe -file c:/dir/scripts/nagios/get-localadmgroupmembership/get-localadmgroupmembership.ps1", - "executable": "c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe", + "command_line": "powershell.exe -file C:/Dir/Scripts/Nagios/Get-LocalAdmGroupMembership/Get-LocalAdmGroupMembership.ps1", + "executable": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe", "hash": { "md5": "b3ad5364cf04b6ab05616dd483aaf618", "sha1": "e5b0a0f4a59d6d5377332eece20f8f3df5cebe4e", @@ -624,17 +624,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": 2932, "name": "powershell.exe", "parent": { - "command_line": "c:\\\\program files\\\\nsclient++\\\\nscp.exe service --run --name nscp", - "executable": "c:\\\\program files\\\\nsclient++\\\\nscp.exe", + "command_line": "C:\\\\Program Files\\\\NSClient++\\\\nscp.exe service --run --name nscp", + "executable": "C:\\\\Program Files\\\\NSClient++\\\\nscp.exe", "name": "nscp.exe", - "working_directory": "c:\\\\program files\\\\nsclient++\\\\" + "working_directory": "C:\\\\Program Files\\\\NSClient++\\\\" }, "pid": 2932, "ppid": "1776", "thread": { "id": 3956 }, - "working_directory": "c:\\\\program files\\\\nsclient++\\\\" + "working_directory": "C:\\\\Program Files\\\\NSClient++\\\\" }, "related": { "hash": [ 
@@ -866,7 +866,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "size_in_char": 16 }, "file": { - "name": "font download", + "name": "Font Download", "size": -1 }, "host": { @@ -956,7 +956,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "file": { "name": "sharpbits.zip", "owner": "DESKTOP-FOOBARZ\\userXYZ", - "path": "c:\\users\\userxyz\\downloads\\sharpbits.zip" + "path": "C:\\Users\\userXYZ\\Downloads\\sharpbits.zip" }, "host": { "hostname": "DESKTOP-FOOBARZ", @@ -1046,8 +1046,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "size_in_char": 37 }, "file": { - "name": "sharpbitstestx.zip", - "path": "sharpbitstestx.zip", + "name": "sharpbitsTestX.zip", + "path": "sharpbitsTestX.zip", "size": 524444 }, "host": { @@ -1123,8 +1123,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "Execution Name": "%%813", "Keywords": "-9223372036854775808", "OpcodeValue": 0, - "Path": "file:_c:\\users\\r1\\downloads\\tmp2\\tmp2\\win32\\mimidrv.sys", - "ProcessName": "c:\\windows\\explorer.exe", + "Path": "file:_C:\\Users\\r1\\Downloads\\tmp2\\tmp2\\Win32\\mimidrv.sys", + "ProcessName": "C:\\Windows\\explorer.exe", "ProviderGuid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}", "Severity": "WARNING", "SourceName": "Microsoft-Windows-Windows Defender", @@ -1794,7 +1794,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "LogonProcessName": "Advapi ", "LogonType": "9", "OpcodeValue": 0, - "ProcessName": "c:\\windows\\ccm\\ccmexec.exe", + "ProcessName": "C:\\Windows\\CCM\\CcmExec.exe", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "INFO", "SourceName": "Microsoft-Windows-Security-Auditing", 
@@ -1826,14 +1826,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\ccm\\ccmexec.exe", + "executable": "C:\\Windows\\CCM\\CcmExec.exe", "id": 996, "name": "Advapi ", "pid": 996, "thread": { "id": 1920 }, - "working_directory": "c:\\windows\\ccm\\" + "working_directory": "C:\\Windows\\CCM\\" }, "related": { "hosts": [ @@ -2046,7 +2046,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "DestinationPort": "443", "Domain": "AUTORITE NT", "EventType": "INFO", - "Image": "c:\\windows\\systemapps\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoftedgecp.exe", + "Image": "C:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\MicrosoftEdgeCP.exe", "Keywords": "-9223372036854775808", "OpcodeValue": 0, "ProcessGuid": "{0BA009B0-846C-5CDE-0000-0010821E0D00}", @@ -2082,14 +2082,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\systemapps\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoftedgecp.exe", + "executable": "C:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\MicrosoftEdgeCP.exe", "id": 4200, - "name": "microsoftedgecp.exe", + "name": "MicrosoftEdgeCP.exe", "pid": 4200, "thread": { "id": 532 }, - "working_directory": "c:\\windows\\systemapps\\microsoft.microsoftedge_8wekyb3d8bbwe\\" + "working_directory": "C:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\" }, "related": { "hosts": [ 
@@ -2167,14 +2167,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\system32\\wbem\\wmic.exe", + "executable": "C:\\Windows\\System32\\wbem\\WMIC.exe", "id": 11260, - "name": "wmic.exe", + "name": "WMIC.exe", "pid": 11260, "thread": { "id": 13732 }, - "working_directory": "c:\\windows\\system32\\wbem\\" + "working_directory": "C:\\Windows\\System32\\wbem\\" }, "related": { "hosts": [ @@ -2637,7 +2637,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ObjectType": "Unknown", "OpcodeValue": 0, "PrivilegeList": "-", - "ProcessName": "c:\\windows\\system32\\svchost.exe", + "ProcessName": "C:\\Windows\\System32\\svchost.exe", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "ERROR", "SourceName": "Microsoft-Windows-Security-Auditing", @@ -2663,14 +2663,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\system32\\svchost.exe", + "executable": "C:\\Windows\\System32\\svchost.exe", "id": 728, "name": "svchost.exe", "pid": 728, "thread": { "id": 736 }, - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\Windows\\System32\\" }, "related": { "hosts": [ @@ -2714,7 +2714,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ObjectValueName": "FirmwareUpdatesNotInstalled", "OpcodeValue": 0, "OperationType": "%%1904", - "ProcessName": "c:\\windows\\system32\\svchost.exe", + "ProcessName": "C:\\Windows\\System32\\svchost.exe", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "INFO", "SourceName": "Microsoft-Windows-Security-Auditing", 
@@ -2740,14 +2740,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\system32\\svchost.exe", + "executable": "C:\\Windows\\System32\\svchost.exe", "id": 4, "name": "svchost.exe", "pid": 4, "thread": { "id": 14940 }, - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\Windows\\System32\\" }, "related": { "hosts": [ @@ -2788,7 +2788,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "Keywords": "-9214364837600034816", "ObjectServer": "Security", "OpcodeValue": 0, - "ProcessName": "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe", + "ProcessName": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "INFO", "SourceName": "Microsoft-Windows-Security-Auditing", @@ -2814,14 +2814,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe", + "executable": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", "id": 4, "name": "powershell.exe", "pid": 4, "thread": { "id": 6740 }, - "working_directory": "c:\\windows\\syswow64\\windowspowershell\\v1.0\\" + "working_directory": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\" }, "related": { "hosts": [ @@ -2867,7 +2867,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ObjectServer": "Security", "ObjectType": "Process", "OpcodeValue": 0, - "ProcessName": "c:\\windows\\system32\\wbem\\wmiprvse.exe", + "ProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "INFO", "SourceName": "Microsoft-Windows-Security-Auditing", 
@@ -2882,7 +2882,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "file": { "name": "lsass.exe", - "path": "\\device\\harddiskvolume2\\windows\\system32\\lsass.exe" + "path": "\\Device\\HarddiskVolume2\\Windows\\System32\\lsass.exe" }, "host": { "hostname": "V-FOO", @@ -2897,14 +2897,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\system32\\wbem\\wmiprvse.exe", + "executable": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "id": 4, - "name": "wmiprvse.exe", + "name": "WmiPrvSE.exe", "pid": 4, "thread": { "id": 10820 }, - "working_directory": "c:\\windows\\system32\\wbem\\" + "working_directory": "C:\\Windows\\System32\\wbem\\" }, "related": { "hosts": [ @@ -2946,7 +2946,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ObjectServer": "Security", "ObjectType": "Token", "OpcodeValue": 0, - "ProcessName": "c:\\windows\\system32\\searchindexer.exe", + "ProcessName": "C:\\Windows\\System32\\SearchIndexer.exe", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "INFO", "SourceName": "Microsoft-Windows-Security-Auditing", @@ -2972,14 +2972,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\system32\\searchindexer.exe", + "executable": "C:\\Windows\\System32\\SearchIndexer.exe", "id": 4, - "name": "searchindexer.exe", + "name": "SearchIndexer.exe", "pid": 4, "thread": { "id": 7416 }, - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\Windows\\System32\\" }, "related": { "hosts": [ 
@@ -3046,20 +3046,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "process": { "command_line": "taskhostw.exe", - "executable": "c:\\windows\\system32\\taskhostw.exe", + "executable": "C:\\Windows\\System32\\taskhostw.exe", "id": 3648, "name": "taskhostw.exe", "parent": { - "command_line": "c:\\windows\\system32\\svchost.exe", - "executable": "c:\\windows\\system32\\svchost.exe", + "command_line": "C:\\Windows\\System32\\svchost.exe", + "executable": "C:\\Windows\\System32\\svchost.exe", "name": "svchost.exe", - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\Windows\\System32\\" }, "pid": 3648, "thread": { "id": 14728 }, - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\Windows\\System32\\" }, "related": { "hosts": [ @@ -3102,7 +3102,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "EventType": "AUDIT_SUCCESS", "Keywords": "-9214364837600034816", "OpcodeValue": 0, - "ProcessName": "c:\\windows\\system32\\svchost.exe", + "ProcessName": "C:\\Windows\\System32\\svchost.exe", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Severity": "INFO", "SourceName": "Microsoft-Windows-Security-Auditing", @@ -3129,14 +3129,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\system32\\svchost.exe", + "executable": "C:\\Windows\\System32\\svchost.exe", "id": 4, "name": "svchost.exe", "pid": 4, "thread": { "id": 13048 }, - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\Windows\\System32\\" }, "related": { "hosts": [ 
@@ -3751,10 +3751,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "AccountType": "User", "Domain": "AUTORITE NT", "EventType": "INFO", - "Image": "c:\\windows\\system32\\logonui.exe", + "Image": "C:\\Windows\\System32\\LogonUI.exe", "Keywords": "-9223372036854775808", "OpcodeValue": 0, - "ParentImage": "c:\\windows\\system32\\winlogon.exe", + "ParentImage": "C:\\Windows\\System32\\winlogon.exe", "ProcessGuid": "{0BA009B0-847B-5CDE-0000-001038720D00}", "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "Severity": "INFO", @@ -3778,26 +3778,26 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "command_line": "c:\\windows\\system32\\logonui.exe /flags:0x0 /state0:0xa39dd855 /state1:0x41c64e6d", - "executable": "c:\\windows\\system32\\logonui.exe", + "command_line": "C:\\Windows\\System32\\LogonUI.exe /flags:0x0 /state0:0xa39dd855 /state1:0x41c64e6d", + "executable": "C:\\Windows\\System32\\LogonUI.exe", "hash": { "md5": "d40c84e829922b70d511bb2cc6268d49", "sha256": "9a54ee3d6d16d0fe3458b1ae1212f546f94b9e28e5a845d311a04191c724d652" }, "id": 4540, - "name": "logonui.exe", + "name": "LogonUI.exe", "parent": { - "command_line": "c:\\windows\\system32\\winlogon.exe", - "executable": "c:\\windows\\system32\\winlogon.exe", + "command_line": "C:\\Windows\\System32\\winlogon.exe", + "executable": "C:\\Windows\\System32\\winlogon.exe", "name": "winlogon.exe", - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\Windows\\System32\\" }, "pid": 4540, "ppid": "476", "thread": { "id": 2152 }, - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\Windows\\system32\\" }, "related": { "hash": [ 
@@ -3867,21 +3867,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "command_line": "c:\\windows\\system32\\reg.exe add hklm\\software\\microsoft\\command processor /v disableunccheck /t reg_dword /d 0x1 /f /reg:32", - "executable": "c:\\windows\\system32\\reg.exe", + "command_line": "C:\\Windows\\system32\\reg.exe add HKLM\\SOFTWARE\\Microsoft\\Command Processor /v DisableUNCCheck /t REG_DWORD /d 0x1 /f /reg:32", + "executable": "C:\\Windows\\System32\\reg.exe", "id": 3920, "name": "reg.exe", "parent": { - "command_line": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", - "executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "name": "powershell.exe", - "working_directory": "c:\\windows\\system32\\windowspowershell\\v1.0\\" + "working_directory": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\" }, "pid": 3920, "thread": { "id": 3484 }, - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\Windows\\System32\\" }, "related": { "hosts": [ 
@@ -3952,21 +3952,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "command_line": "c:\\program files (x86)\\microsoft office\\root\\office16\\winword.exe /n c:\\users\\userfoo\\downloads\\background for adi-msi-dis june 2010 fr (1).docx /o ", - "executable": "c:\\program files (x86)\\microsoft office\\root\\office16\\winword.exe", + "command_line": "C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\WINWORD.EXE /n C:\\Users\\USERFOO\\Downloads\\Background for ADI-MSI-DIS June 2010 FR (1).docx /o ", + "executable": "C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "id": 5004, - "name": "winword.exe", + "name": "WINWORD.EXE", "parent": { - "command_line": "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe", - "executable": "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe", + "command_line": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "name": "chrome.exe", - "working_directory": "c:\\program files (x86)\\google\\chrome\\application\\" + "working_directory": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\" }, "pid": 5004, "thread": { "id": 5632 }, - "working_directory": "c:\\program files (x86)\\microsoft office\\root\\office16\\" + "working_directory": "C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\" }, "related": { "hosts": [ @@ -4012,7 +4012,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "Details": "Binary Data", "Domain": "NT AUTHORITY", "EventType": "INFO", - "Image": "c:\\\\windows\\\\system32\\\\svchost.exe", + "Image": "C:\\\\Windows\\\\System32\\\\svchost.exe", "Keywords": "-9223372036854775808", "OpcodeValue": 0, "ProcessGuid": "{34EA5B98-48E6-5F99-1600-000000000E00}", 
@@ -4039,14 +4039,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\\\windows\\\\system32\\\\svchost.exe", + "executable": "C:\\\\Windows\\\\System32\\\\svchost.exe", "id": 1436, "name": "svchost.exe", "pid": 1436, "thread": { "id": 2860 }, - "working_directory": "c:\\\\windows\\\\system32\\\\" + "working_directory": "C:\\\\Windows\\\\System32\\\\" }, "registry": { "hive": "HKU", @@ -4108,7 +4108,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "size_in_char": 16 }, "file": { - "name": "font download", + "name": "Font Download", "size": -1 }, "host": { @@ -4253,7 +4253,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ObjectServer": "NT Local Security Authority / Authentication Service", "OpcodeValue": 0, "PrivilegeList": "SeTcbPrivilege", - "ProcessName": "c:\\windows\\system32\\lsass.exe", + "ProcessName": "C:\\Windows\\System32\\lsass.exe", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Service": "LsaRegisterLogonProcess()", "Severity": "INFO", @@ -4280,14 +4280,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\system32\\lsass.exe", + "executable": "C:\\Windows\\System32\\lsass.exe", "id": 4, "name": "lsass.exe", "pid": 4, "thread": { "id": 19016 }, - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\Windows\\System32\\" }, "related": { "hosts": [ 
@@ -4397,7 +4397,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "properties": { "AccountName": "Syst\u00e8me", "AccountType": "User", - "CallTrace": "c:\\windows\\system32\\ntdll.dll+9c534|c:\\windows\\system32\\kernelbase.dll+305fe|c:\\windows\\system32\\vboxservice.exe+12d8d|c:\\windows\\system32\\vboxservice.exe+140cf|c:\\windows\\system32\\vboxservice.exe+1435d|c:\\windows\\system32\\vboxservice.exe+fc2b|c:\\windows\\system32\\vboxservice.exe+1071a|c:\\windows\\system32\\vboxservice.exe+17fe|c:\\windows\\system32\\vboxservice.exe+31c1f|c:\\windows\\system32\\vboxservice.exe+35682|c:\\windows\\system32\\vboxservice.exe+fbbeb|c:\\windows\\system32\\vboxservice.exe+fbc7f|c:\\windows\\system32\\kernel32.dll+17bd4|c:\\windows\\system32\\ntdll.dll+6ce51", + "CallTrace": "C:\\WINDOWS\\SYSTEM32\\ntdll.dll+9c534|C:\\WINDOWS\\System32\\KERNELBASE.dll+305fe|C:\\Windows\\System32\\VBoxService.exe+12d8d|C:\\Windows\\System32\\VBoxService.exe+140cf|C:\\Windows\\System32\\VBoxService.exe+1435d|C:\\Windows\\System32\\VBoxService.exe+fc2b|C:\\Windows\\System32\\VBoxService.exe+1071a|C:\\Windows\\System32\\VBoxService.exe+17fe|C:\\Windows\\System32\\VBoxService.exe+31c1f|C:\\Windows\\System32\\VBoxService.exe+35682|C:\\Windows\\System32\\VBoxService.exe+fbbeb|C:\\Windows\\System32\\VBoxService.exe+fbc7f|C:\\WINDOWS\\System32\\KERNEL32.DLL+17bd4|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+6ce51", "Domain": "AUTORITE NT", "EventType": "INFO", "GrantedAccess": "0x1400", 
@@ -4405,10 +4405,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "OpcodeValue": 0, "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "Severity": "INFO", - "SourceImage": "c:\\windows\\system32\\vboxservice.exe", + "SourceImage": "C:\\Windows\\System32\\VBoxService.exe", "SourceName": "Microsoft-Windows-Sysmon", "SourceProcessId": "920", - "TargetImage": "c:\\windows\\system32\\ctfmon.exe", + "TargetImage": "C:\\WINDOWS\\system32\\ctfmon.exe", "TargetProcessId": "4324", "Task": 10 }, @@ -4428,14 +4428,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\system32\\vboxservice.exe", + "executable": "C:\\Windows\\System32\\VBoxService.exe", "id": 920, - "name": "vboxservice.exe", + "name": "VBoxService.exe", "pid": 920, "thread": { "id": 10352 }, - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\Windows\\System32\\" }, "related": { "hosts": [ @@ -4475,7 +4475,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "AccountType": "User", "Domain": "AUTORITE NT", "EventType": "INFO", - "Image": "c:\\program files (x86)\\symantec\\symantec endpoint protection\\12.1.5337.5000.105\\bin\\ccsvchst.exe", + "Image": "C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\12.1.5337.5000.105\\Bin\\ccSvcHst.exe", "Keywords": "-9223372036854775808", "OpcodeValue": 0, "ProcessGuid": "{23AD1E42-B4F1-5C41-0000-001028060400}", @@ -4491,7 +4491,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "file": { "created": "2019-12-16T15:10:53.715000Z", "name": "cur.scr", - "path": "c:\\windows\\temp\\symdelta_2060\\content.zip.tmp\\cur.scr" + "path": "C:\\Windows\\Temp\\SymDelta_2060\\content.zip.tmp\\cur.scr" }, "host": { "hostname": "USERNAME01.ACT.CORP.local", 
@@ -4506,14 +4506,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\program files (x86)\\symantec\\symantec endpoint protection\\12.1.5337.5000.105\\bin\\ccsvchst.exe", + "executable": "C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\12.1.5337.5000.105\\Bin\\ccSvcHst.exe", "id": 2060, - "name": "ccsvchst.exe", + "name": "ccSvcHst.exe", "pid": 2060, "thread": { "id": 9332 }, - "working_directory": "c:\\program files (x86)\\symantec\\symantec endpoint protection\\12.1.5337.5000.105\\bin\\" + "working_directory": "C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\12.1.5337.5000.105\\Bin\\" }, "related": { "hosts": [ @@ -4554,7 +4554,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "Details": "DWORD (0x00000001)", "Domain": "AUTORITE NT", "EventType": "INFO", - "Image": "c:\\windows\\system32\\services.exe", + "Image": "C:\\Windows\\system32\\services.exe", "Keywords": "-9223372036854775808", "MessEventType": "SetValue", "OpcodeValue": 0, @@ -4582,14 +4582,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\system32\\services.exe", + "executable": "C:\\Windows\\system32\\services.exe", "id": 572, "name": "services.exe", "pid": 572, "thread": { "id": 27948 }, - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\Windows\\system32\\" }, "registry": { "data": { 
@@ -4641,7 +4641,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "Details": "\\??\\C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\12.1.5337.5000.105\\Data\\Definitions\\VirusDefs\\20100330.020\\ENG64.SYS", "Domain": "AUTORITE NT", "EventType": "INFO", - "Image": "c:\\windows\\system32\\services.exe", + "Image": "C:\\Windows\\system32\\services.exe", "Keywords": "-9223372036854775808", "MessEventType": "SetValue", "OpcodeValue": 0, @@ -4669,14 +4669,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\system32\\services.exe", + "executable": "C:\\Windows\\system32\\services.exe", "id": 572, "name": "services.exe", "pid": 572, "thread": { "id": 35536 }, - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\Windows\\system32\\" }, "registry": { "data": { @@ -4730,7 +4730,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "EventType": "INFO", "Hash": "MD5=C570199C8261A913BBAA5C7D5020498B,SHA256=0454B363C7F09FF5AB778F07DF4F5FA123CC73E950283234717C50066CB62EA7,IMPHASH=00000000000000000000000000000000", "HostUrl": "https://entreprises.interepargne.natixis.com/", - "Image": "c:\\program files\\google\\chrome\\application\\chrome.exe", + "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "Keywords": "-9223372036854775808", "OpcodeValue": 0, "ProcessGuid": "{3cb7cf38-a48b-609a-490c-000000002a00}", 
@@ -4751,8 +4751,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "md5": "c570199c8261a913bbaa5c7d5020498b", "sha256": "0454b363c7f09ff5ab778f07df4f5fa123cc73e950283234717c50066cb62ea7" }, - "name": "hostfoo avril 2011_plan d \u00e9pargne entreprise_1400085 (4).zip:zone.identifier", - "path": "c:\\users\\pipin_touque\\downloads\\hostfoo avril 2011_plan d \u00e9pargne entreprise_1400085 (4).zip:zone.identifier" + "name": "HOSTFOO avril 2011_Plan d \u00e9pargne entreprise_1400085 (4).zip:Zone.Identifier", + "path": "C:\\Users\\Pipin_Touque\\Downloads\\HOSTFOO avril 2011_Plan d \u00e9pargne entreprise_1400085 (4).zip:Zone.Identifier" }, "host": { "hostname": "PCFOO4019.Comte.local", @@ -4767,14 +4767,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\program files\\google\\chrome\\application\\chrome.exe", + "executable": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "id": 3768, "name": "chrome.exe", "pid": 3768, "thread": { "id": 6860 }, - "working_directory": "c:\\program files\\google\\chrome\\application\\" + "working_directory": "C:\\Program Files\\Google\\Chrome\\Application\\" }, "related": { "hash": [ @@ -4960,7 +4960,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "AccountType": "User", "Domain": "NT AUTHORITY", "EventType": "INFO", - "Image": "c:\\windows\\system32\\wbem\\wmiprvse.exe", + "Image": "C:\\Windows\\system32\\wbem\\wmiprvse.exe", "Keywords": "-9223372036854775808", "MessEventType": "ConnectPipe", "OpcodeValue": 0, 
@@ -4987,14 +4987,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\system32\\wbem\\wmiprvse.exe", + "executable": "C:\\Windows\\system32\\wbem\\wmiprvse.exe", "id": 4032, "name": "wmiprvse.exe", "pid": 4032, "thread": { "id": 2780 }, - "working_directory": "c:\\windows\\system32\\wbem\\" + "working_directory": "C:\\Windows\\system32\\wbem\\" }, "related": { "hosts": [ @@ -5035,10 +5035,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "AccountType": "User", "Domain": "AUTORITE NT", "EventType": "INFO", - "Image": "c:\\program files (x86)\\interact\\bin\\iacomclient.exe", + "Image": "C:\\Program Files (x86)\\Interact\\Bin\\IAComClient.exe", "Keywords": "-9223372036854775808", "OpcodeValue": 0, - "ParentImage": "c:\\program files (x86)\\interact\\bin\\iamanager.exe", + "ParentImage": "C:\\Program Files (x86)\\Interact\\Bin\\IAManager.exe", "ProcessGuid": "{9beb284d-cc28-6055-3602-000000004900}", "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "Severity": "INFO", 
@@ -5062,27 +5062,27 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "command_line": "c:\\program files (x86)\\interact\\bin\\iacomclient.exe", - "executable": "c:\\program files (x86)\\interact\\bin\\iacomclient.exe", + "command_line": "C:\\Program Files (x86)\\Interact\\Bin\\IAComClient.exe", + "executable": "C:\\Program Files (x86)\\Interact\\Bin\\IAComClient.exe", "hash": { "imphash": "5eb894b14a9a429f917fa1e528b4e86b", "md5": "6e2ed6bd7a43497c351551d04aeb6444", "sha256": "e721bd7242e4571cdbc7729f54118abaa806fa309059f21f09829b5275c1a751" }, "id": 2016, - "name": "iacomclient.exe", + "name": "IAComClient.exe", "parent": { - "command_line": "c:\\program files (x86)\\interact\\bin\\iamanager.exe", - "executable": "c:\\program files (x86)\\interact\\bin\\iamanager.exe", - "name": "iamanager.exe", - "working_directory": "c:\\program files (x86)\\interact\\bin\\" + "command_line": "C:\\Program Files (x86)\\Interact\\Bin\\IAManager.exe", + "executable": "C:\\Program Files (x86)\\Interact\\Bin\\IAManager.exe", + "name": "IAManager.exe", + "working_directory": "C:\\Program Files (x86)\\Interact\\Bin\\" }, "pid": 2016, "ppid": "4756", "thread": { "id": 7472 }, - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\WINDOWS\\system32\\" }, "related": { "hash": [ @@ -5127,10 +5127,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "AccountType": "User", "Domain": "NT AUTHORITY", "EventType": "INFO", - "Image": "c:\\program files\\microsoft office\\root\\office16\\sdxhelper.exe", + "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\SDXHelper.exe", "Keywords": "-9223372036854775808", "OpcodeValue": 0, - "ParentImage": "c:\\windows\\system32\\svchost.exe", + "ParentImage": "C:\\Windows\\System32\\svchost.exe", "ProcessGuid": "{178446c4-1ef2-64f7-fa8d-010000001100}", "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "Severity": "INFO", 
@@ -5154,27 +5154,27 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "command_line": "c:\\program files\\microsoft office\\root\\office16\\sdxhelper.exe /onlogon", - "executable": "c:\\program files\\microsoft office\\root\\office16\\sdxhelper.exe", + "command_line": "C:\\Program Files\\Microsoft Office\\root\\Office16\\sdxhelper.exe /onlogon", + "executable": "C:\\Program Files\\Microsoft Office\\root\\Office16\\SDXHelper.exe", "hash": { "imphash": "0ae5922afcef4767754a10f016cd4b30", "md5": "f924bbc6fbf646fa0478aebe5d37504c", "sha256": "4494aa7bf1058262f3d2f412b681af2af42e34490144fbfd0db579d966b8fbb6" }, "id": 18144, - "name": "sdxhelper.exe", + "name": "SDXHelper.exe", "parent": { - "command_line": "c:\\windows\\system32\\svchost.exe -k netsvfoo -p -s schedule", - "executable": "c:\\windows\\system32\\svchost.exe", + "command_line": "C:\\Windows\\system32\\svchost.exe -k netsvfoo -p -s Schedule", + "executable": "C:\\Windows\\System32\\svchost.exe", "name": "svchost.exe", - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\Windows\\System32\\" }, "pid": 18144, "ppid": "1772", "thread": { "id": 748 }, - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\Windows\\system32\\" }, "related": { "hash": [ @@ -5290,7 +5290,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "AccountType": "User", "Domain": "AUTORITE NT", "EventType": "INFO", - "Image": "c:\\windows\\system32\\svchost.exe", + "Image": "C:\\WINDOWS\\system32\\svchost.exe", "Keywords": "-9223372036854775808", "OpcodeValue": 0, "ProcessGuid": "{c8188de9-a5a2-5e46-0000-00104fae7900}", 
@@ -5356,14 +5356,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\system32\\svchost.exe", + "executable": "C:\\WINDOWS\\system32\\svchost.exe", "id": 5228, "name": "svchost.exe", "pid": 5228, "thread": { "id": 3448 }, - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\WINDOWS\\system32\\" }, "related": { "hosts": [ @@ -5403,7 +5403,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "AccountType": "User", "Domain": "NT AUTHORITY", "EventType": "INFO", - "Image": "c:\\windows\\syswow64\\svchost.exe", + "Image": "C:\\Windows\\SysWOW64\\svchost.exe", "Keywords": "-9223372036854775808", "OpcodeValue": 0, "ProcessGuid": "{ab376ee3-7152-60a2-6808-000000001000}", @@ -5429,14 +5429,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\syswow64\\svchost.exe", + "executable": "C:\\Windows\\SysWOW64\\svchost.exe", "id": 4888, "name": "svchost.exe", "pid": 4888, "thread": { "id": 3768 }, - "working_directory": "c:\\windows\\syswow64\\" + "working_directory": "C:\\Windows\\SysWOW64\\" }, "related": { "hosts": [ @@ -5544,7 +5544,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "DestinationPort": "1723", "Domain": "AUTORITE NT", "EventType": "INFO", - "Image": "c:\\windows\\system32\\lsass.exe", + "Image": "C:\\Windows\\System32\\lsass.exe", "Keywords": "-9223372036854775808", "OpcodeValue": 0, "ProcessGuid": "{23AD1E42-B4C1-5C41-0000-0010B4020100}", 
@@ -5580,14 +5580,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\system32\\lsass.exe", + "executable": "C:\\Windows\\System32\\lsass.exe", "id": 564, "name": "lsass.exe", "pid": 564, "thread": { "id": 8112 }, - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\Windows\\System32\\" }, "related": { "hosts": [ @@ -5637,7 +5637,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "AccountType": "User", "Domain": "AUTORITE NT", "EventType": "INFO", - "ImageLoaded": "c:\\programdata\\symantec\\symantec endpoint protection\\12.1.5337.5000.105\\data\\definitions\\virusdefs\\20101008.007\\eng64.sys", + "ImageLoaded": "C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\12.1.5337.5000.105\\Data\\Definitions\\VirusDefs\\20101008.007\\eng64.sys", "Keywords": "-9223372036854775808", "OpcodeValue": 0, "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", @@ -5664,7 +5664,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\programdata\\symantec\\symantec endpoint protection\\12.1.5337.5000.105\\data\\definitions\\virusdefs\\20101008.007\\eng64.sys", + "executable": "C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\12.1.5337.5000.105\\Data\\Definitions\\VirusDefs\\20101008.007\\eng64.sys", "hash": { "imphash": "48152bc64cb1ea5e4592c852d8bac3fd", "md5": "be2d7adb437eb7c9607d60f481729c1f", @@ -5676,7 +5676,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "thread": { "id": 3548 }, - "working_directory": "c:\\programdata\\symantec\\symantec endpoint protection\\12.1.5337.5000.105\\data\\definitions\\virusdefs\\20101008.007\\" + "working_directory": "C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\12.1.5337.5000.105\\Data\\Definitions\\VirusDefs\\20101008.007\\" }, "related": { "hash": [ 
@@ -5721,8 +5721,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "AccountType": "User", "Domain": "AUTORITE NT", "EventType": "INFO", - "Image": "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_16005.13228.41011.0_x64__8wekyb3d8bbwe\\hxtsr.exe", - "ImageLoaded": "c:\\windows\\system32\\bcryptprimitives.dll", + "Image": "C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_16005.13228.41011.0_x64__8wekyb3d8bbwe\\HxTsr.exe", + "ImageLoaded": "C:\\Windows\\System32\\bcryptprimitives.dll", "Keywords": "-9223372036854775808", "OpcodeValue": 0, "ProcessGuid": "{c8188de9-7bbb-5fcf-0000-0010f7277203}", @@ -5743,7 +5743,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "sha256": "6b47f3e88cdedf8f31f91940e38a4544818c79d153323262f9f46b21f41d262c" }, "name": "bcryptprimitives.dll", - "path": "c:\\windows\\system32\\bcryptprimitives.dll" + "path": "C:\\Windows\\System32\\bcryptprimitives.dll" }, "host": { "hostname": "DESKTOP-FOOBARZ", @@ -5758,14 +5758,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_16005.13228.41011.0_x64__8wekyb3d8bbwe\\hxtsr.exe", + "executable": "C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_16005.13228.41011.0_x64__8wekyb3d8bbwe\\HxTsr.exe", "id": 10540, - "name": "hxtsr.exe", + "name": "HxTsr.exe", "pid": 10540, "thread": { "id": 5408 }, - "working_directory": "c:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_16005.13228.41011.0_x64__8wekyb3d8bbwe\\" + "working_directory": "C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_16005.13228.41011.0_x64__8wekyb3d8bbwe\\" }, "related": { "hash": [ 
@@ -5813,13 +5813,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "OpcodeValue": 0, "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "Severity": "INFO", - "SourceImage": "c:\\windows\\system32\\vboxtray.exe", + "SourceImage": "C:\\Windows\\System32\\VBoxTray.exe", "SourceName": "Microsoft-Windows-Sysmon", "SourceProcessId": "9808", "StartAddress": "0xFFFFCFBA48C52460", "StartFunction": "LoadLibraryA", - "StartModule": "c:\\windows\\system32\\ntdll.dll", - "TargetImage": "c:\\windows\\system32\\csrss.exe", + "StartModule": "C:\\Windows\\SYSTEM32\\ntdll.dll", + "TargetImage": "C:\\Windows\\System32\\csrss.exe", "TargetProcessId": "10576", "Task": 8 }, @@ -5839,14 +5839,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\system32\\vboxtray.exe", + "executable": "C:\\Windows\\System32\\VBoxTray.exe", "id": 9808, - "name": "vboxtray.exe", + "name": "VBoxTray.exe", "pid": 9808, "thread": { "id": 10704 }, - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\Windows\\System32\\" }, "related": { "hosts": [ @@ -5887,7 +5887,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "Device": "\\Device\\HarddiskVolume1", "Domain": "NT AUTHORITY", "EventType": "INFO", - "Image": "c:\\windows\\system32\\logonui.exe", + "Image": "C:\\Windows\\System32\\LogonUI.exe", "Keywords": "-9223372036854775808", "OpcodeValue": 0, "ProcessGuid": "{FC729081-70A2-5FDB-6701-000000000600}", 
@@ -5912,14 +5912,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\system32\\logonui.exe", + "executable": "C:\\Windows\\System32\\LogonUI.exe", "id": 6428, - "name": "logonui.exe", + "name": "LogonUI.exe", "pid": 6428, "thread": { "id": 3916 }, - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\Windows\\System32\\" }, "related": { "hosts": [ @@ -5978,14 +5978,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\system32\\qwinsta.exe", + "executable": "C:\\Windows\\System32\\qwinsta.exe", "id": 12980, "name": "qwinsta.exe", "pid": 12980, "thread": { "id": 92 }, - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\Windows\\System32\\" }, "related": { "user": [ @@ -6046,14 +6046,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "windows" }, "process": { - "executable": "c:\\windows\\system32\\conhost.exe", + "executable": "C:\\Windows\\System32\\conhost.exe", "id": 4380, "name": "conhost.exe", "pid": 4380, "thread": { "id": 88 }, - "working_directory": "c:\\windows\\system32\\" + "working_directory": "C:\\Windows\\System32\\" }, "related": { "hosts": [ @@ -6086,7 +6086,6 @@ The following table lists the fields that are extracted, normalized under the EC |`action.id` | `number` | | |`action.properties.Accesses` | `keyword` | | |`action.properties.BytesTotal` | `keyword` | | -|`action.properties.CallTrace` | `keyword` | | |`action.properties.ConfigurationFile` | `keyword` | | |`action.properties.Content` | `keyword` | | |`action.properties.ContextInfo` | `keyword` | | 
@@ -6100,7 +6099,6 @@ The following table lists the fields that are extracted, normalized under the EC |`action.properties.HostName` | `keyword` | | |`action.properties.HostUrl` | `keyword` | | |`action.properties.Image` | `keyword` | | -|`action.properties.ImageLoaded` | `keyword` | Image file loaded by the process | |`action.properties.Keywords` | `keyword` | | |`action.properties.LastASSecurityIntelligenceAge` | `keyword` | | |`action.properties.LastAVSecurityIntelligenceAge` | `keyword` | | @@ -6111,17 +6109,14 @@ The following table lists the fields that are extracted, normalized under the EC |`action.properties.NewValue` | `keyword` | | |`action.properties.Old Value` | `keyword` | | |`action.properties.ParentImage` | `keyword` | | -|`action.properties.Path` | `keyword` | | |`action.properties.ProcessName` | `keyword` | | |`action.properties.ProxyServer` | `keyword` | | |`action.properties.ReferrerUrl` | `keyword` | | |`action.properties.SentUpdateServer` | `keyword` | | |`action.properties.ServiceFileName` | `keyword` | | -|`action.properties.SourceImage` | `keyword` | Name of the source image | |`action.properties.StartFunction` | `keyword` | | |`action.properties.StartModule` | `keyword` | | |`action.properties.StatusInformation` | `keyword` | | -|`action.properties.TargetImage` | `keyword` | Name of the target image | |`action.properties.TaskContentNew_Args` | `keyword` | | |`action.properties.TaskContentNew_Command` | `keyword` | | |`action.properties.ThreatName` | `keyword` | | diff --git a/_shared_content/operations_center/integrations/generated/98fa7079-41ae-4033-a93f-bbd70d114188.md b/_shared_content/operations_center/integrations/generated/98fa7079-41ae-4033-a93f-bbd70d114188.md index 50d672fd9c..aad9fbef02 100644 --- a/_shared_content/operations_center/integrations/generated/98fa7079-41ae-4033-a93f-bbd70d114188.md +++ b/_shared_content/operations_center/integrations/generated/98fa7079-41ae-4033-a93f-bbd70d114188.md 
@@ -18,7 +18,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | | Kind | `alert`, `event` | -| Category | `network` | +| Category | `network`, `threat` | | Type | `info` | 
@@ -29,12 +29,91 @@ In details, the following table denotes the type of events produced by this inte Find below few samples of events and how they are normalized by Sekoia.io. +=== "test_aianalyst.json" + + ```json + + { + "message": "{\"summariser\":\"HttpAgentSummary\",\"acknowledged\":false,\"pinned\":false,\"createdAt\":1697334832520,\"attackPhases\":[2],\"mitreTactics\":[\"command-and-control\"],\"title\":\"Possible HTTP Command and Control\",\"id\":\"a400af0f-a297-478c-8fc6-c778a9558183\",\"children\":[\"a400af0f-a297-478c-8fc6-c778a9558183\"],\"category\":\"critical\",\"currentGroup\":\"ga400af0f-a297-478c-8fc6-c778a9558183\",\"groupCategory\":\"suspicious\",\"groupScore\":2.449186624037094,\"groupPreviousGroups\":[],\"activityId\":\"da39a3ee\",\"groupingIds\":[\"511a418e\"],\"groupByActivity\":false,\"userTriggered\":false,\"externalTriggered\":false,\"aiaScore\":55.52733790170975,\"summary\":\"The device 10.0.0.#36859 was observed making multiple HTTP connections to the rare external endpoint themoneyfix.org, with the same user agent string.\\n\\nMoreover, this device only used this user agent for connections to a limited set of endpoints - suggesting that the activity was initiated by a standalone software process as opposed to a web browser.\\n\\nIf such behaviour is unexpected, further investigation may be required to determine if this activity represents malicious command and control as opposed to legitimate telemetry of some form.\",\"periods\":[{\"start\":1697334679535,\"end\":1697334713852}],\"breachDevices\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"10.0.0.#36859\",\"mac\":null,\"subnet\":null,\"did\":62,\"sid\":25}],\"relatedBreaches\":[{\"modelName\":\"Device / New User Agent\",\"pbid\":34952,\"threatScore\":31.0,\"timestamp\":1697334680000}],\"details\":[[{\"header\":\"Device Making Suspicious 
Connections\",\"contents\":[{\"key\":null,\"type\":\"device\",\"values\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"10.0.0.#36859\",\"mac\":null,\"subnet\":null,\"did\":62,\"sid\":25}]}]}],[{\"header\":\"Suspicious Application\",\"contents\":[{\"key\":\"User agent\",\"type\":\"string\",\"values\":[\"python-requests/2.25.1\"]}]},{\"header\":\"Suspicious Endpoints Contacted by Application\",\"contents\":[{\"key\":\"Time\",\"type\":\"timestampRange\",\"values\":[{\"start\":1697334679535,\"end\":1697334713852}]},{\"key\":\"Hostname\",\"type\":\"externalHost\",\"values\":[{\"hostname\":\"themoneyfix.org\",\"ip\":null}]},{\"key\":\"Hostname rarity\",\"type\":\"percentage\",\"values\":[100.0]},{\"key\":\"Hostname first observed\",\"type\":\"timestamp\",\"values\":[1697334687000]},{\"key\":\"Most recent destination IP\",\"type\":\"externalHost\",\"values\":[{\"hostname\":\"45.56.79.23\",\"ip\":\"45.56.79.23\"}]},{\"key\":\"Most recent ASN\",\"type\":\"string\",\"values\":[\"AS63949 Akamai Connected Cloud\"]},{\"key\":\"Total connections\",\"type\":\"integer\",\"values\":[2]},{\"key\":\"URI\",\"type\":\"string\",\"values\":[\"/login/username=adriano.lamo&password=il0v3cH33s3\"]},{\"key\":\"Port\",\"type\":\"integer\",\"values\":[80]},{\"key\":\"HTTP method\",\"type\":\"string\",\"values\":[\"GET\"]},{\"key\":\"Status code\",\"type\":\"string\",\"values\":[\"200\"]}]}]],\"log_type\":\"aianalyst/incidentevents\"}", + "event": { + "category": "network", + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2023-10-15T01:53:52.520000Z", + "darktrace": { + "threat_visualizer": { + "acknowledged": false, + "activityId": "da39a3ee", + "aiaScore": 55.52733790170975, + "attackPhases": [ + 2 + ], + "breachDevices": [ + { + "did": 62, + "hostname": null, + "identifier": null, + "ip": "10.0.0.#36859", + "mac": null, + "sid": 25, + "subnet": null + } + ], + "category": "critical", + "children": [ + "a400af0f-a297-478c-8fc6-c778a9558183" + ], + "currentGroup": 
"ga400af0f-a297-478c-8fc6-c778a9558183", + "externalTriggered": false, + "groupCategory": "suspicious", + "groupScore": 2.449186624037094, + "groupingIds": [ + "511a418e" + ], + "mitreTactics": [ + "command-and-control" + ], + "periods": [ + { + "end": 1697334713852, + "start": 1697334679535 + } + ], + "relatedBreaches": [ + { + "modelName": "Device / New User Agent", + "pbid": 34952, + "threatScore": 31.0, + "timestamp": 1697334680000 + } + ], + "userTriggered": false + } + }, + "device": { + "id": "62" + }, + "host": { + "id": "62" + }, + "observer": { + "name": "Darktrace", + "product": "Threat visualizer" + } + } + + ``` + + === "test_anomalous_file.json" ```json { - "message": "{\"commentCount\":0,\"pbid\":26316,\"time\":1687967502000,\"creationTime\":1687967508000,\"model\":{\"then\":{\"name\":\"AnomalousFile::ZiporGzipfromRareExternalLocation\",\"pid\":619,\"phid\":9945,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000172\",\"logic\":{\"data\":[19046],\"type\":\"componentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:Tooling\",\"OTEngineer\"],\"interval\":0,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2023-06-28 
11:53:50\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"AdevicehasdownloadedaZIPfilefromalocationthatthenetworkdoesnotnormallyvisit.\\n\\nAction:Reviewthefile,itshashandthesourcetoensurethatthisfileisrequiredwithinthenetworkforbusinesspurposes.\",\"behaviour\":\"decreasing\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":42,\"mitre\":{\"tactics\":[\"resource-development\"],\"techniques\":[\"T1588.001\"]},\"priority\":1,\"category\":\"Informational\",\"compliance\":false},\"now\":{\"name\":\"AnomalousFile::ZiporGzipfromRareExternalLocation\",\"pid\":619,\"phid\":9945,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000172\",\"logic\":{\"data\":[19046],\"type\":\"componentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:Tooling\",\"OTEngineer\"],\"interval\":0,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2023-06-28 
11:53:50\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"AdevicehasdownloadedaZIPfilefromalocationthatthenetworkdoesnotnormallyvisit.\\n\\nAction:Reviewthefile,itshashandthesourcetoensurethatthisfileisrequiredwithinthenetworkforbusinesspurposes.\",\"behaviour\":\"decreasing\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"message\":\"Excludedcommonuseragents\",\"version\":42,\"mitre\":{\"tactics\":[\"resource-development\"],\"techniques\":[\"T1588.001\"]},\"priority\":1,\"category\":\"Informational\",\"compliance\":false}},\"triggeredComponents\":[{\"time\":1687967501000,\"cbid\":26393,\"cid\":19046,\"chid\":30682,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"R\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"opera
tor\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"R\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"G\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"R\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"R\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left
\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"G\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"
left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}}}}}}}}},\"version\":\"v0.1\"},\"ip\":\"104.18.103.100/32\",\"port\":80,\"metric\":{\"mlid\":1,\"name\":\"externalconnections\",\"label\":\"ExternalConnections\"},\"triggeredFilters\":[{\"cfid\":232424,\"id\":\"C\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"3\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":232426,\"id\":\"F\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":232428,\"id\":\"H\",\"filterType\":\"HTTPcontenttype\",\"arguments\":{\"value\":\"application/x-gzip\"},\"comparatorType\":\"matches\",\"trigger\":{\"value\":\"application/x-gzip\"}},{\"cfid\":232430,\"id\":\"J\",\"filterType\":\"RareexternalIP\",\"arguments\":{\"value\":98},\"comparatorType\":\">=\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":232431,\"id\":\"K\",\"filterType\":\"Ra
redomain\",\"arguments\":{\"value\":95},\"comparatorType\":\">=\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":232432,\"id\":\"L\",\"filterType\":\"Trustedhostname\",\"arguments\":{\"value\":\"false\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"false\"}},{\"cfid\":232433,\"id\":\"M\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"9\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":232434,\"id\":\"N\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"4\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":232435,\"id\":\"O\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"13\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":232436,\"id\":\"P\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"17\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":232437,\"id\":\"Q\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":15},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"15\",\"tag\":{\"tid\":15,\"expiry\":0,\"thid\":15,\"name\":\"ConflictingUser-Agents\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":284,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":232438,\"id\":\"R\",\"filterType\":\"DestinationIP\",\"arguments\":{\"value\":\"0.0.0.0\"},\"comparatorType\":\"doesnotmatch\",\"trigger\":{\"value\":\"104.18.103.100\"}},{\"cfid\":232439,\"id\":\"S\",\"filterType\":\"Connectionhostname\",\"arguments\":{\"value\":\"(speed(test|check).+|.+speed(test|check).+)|.*((up(date|grade)|download|content|mirrors|weather|changes|quant|ctldl|avupdate).*\\\\.(carbonblack\\\\.io|nutanix\\\\.com|pandasoftware\\\\.com|ivanti\\\\.com|mit\\\\.edu|mastercam\\\\.com|rit\\\\.edu|knime\\\\.com|logicnow\\\\.us|oppomobile\\\\.com|trendmicro\\\\.com|panorama9\\\\.com|jiransecurity\\\\.com|refinitiv\\\\.com|jiran\\\\.com|loxtop\\\\.com|snoopwall\\\\.
com|tumbleweed\\\\.com|sangfor\\\\.net|alyac\\\\.com|spamassassin\\\\.org|verein-clean\\\\.net|itsupport247\\\\.net|lsfilter\\\\.com|iboss\\\\.com|eeye\\\\.com|windowsupdate\\\\.com|fireeye\\\\.com)|definitionsbd\\\\.adaware\\\\.com|nasepm\\\\.aramark\\\\.com|(bdefs|hw|ec)\\\\.threattrack\\\\.com|upd\\\\.zonelabs\\\\.com|www\\\\.solutionsam\\\\.com|licensingservice\\\\.altarix\\\\.com|autoupdate\\\\.bradyid\\\\.com|iblocklist\\\\.com|clientservices\\\\.googleapis\\\\.com|mirror\\\\.centos\\\\..*\\\\.serverforge\\\\.org|sync\\\\.bigfix\\\\.com|catalog\\\\.kace\\\\.com)\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":232440,\"id\":\"T\",\"filterType\":\"Useragent\",\"arguments\":{\"value\":\"/((libdnf|sa-update|Valve\\\\/Steam|itunesstored|pfSense|McAfee|DebianAPT-HTTP).*|Sylink|.*LANguard.*|Smc|SG\\\\_CTAVUpdater|NetpasUpdater|urlgrabber/[0-9.]+yum/[0-9.]+|ManageEngine(Endpoint|Desktop)Central).*/i\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"\"}},{\"cfid\":232441,\"id\":\"U\",\"filterType\":\"Connectionhostname\",\"arguments\":{\"value\":\"(antivirus|rpm(s)?|sa-update|centos|fedora).*\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":232442,\"id\":\"V\",\"filterType\":\"URI\",\"arguments\":{\"value\":\"/.*\\\\/centos\\\\/.*\\\\.xml\\\\.gz/i\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz\"}},{\"cfid\":232443,\"id\":\"W\",\"filterType\":\"URI\",\"arguments\":{\"value\":\"dl.delivery.mp.microsoft.com\"},\"comparatorType\":\"doesnotcontain\",\"trigger\":{\"value\":\"/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz\"}},{\"cfid\":232444,\"id\":\"Y\",\"filterType\":\"HTTPresponsecode\",\"arguments\":{\"value\":400},\"comparatorType\":\"<\",\"trigger\":{\"value\":\"200\"}},{\"cfid\":232445,\"id\":\"Z\",\"filterType\":\"
Individualsizedown\",\"arguments\":{\"value\":10000},\"comparatorType\":\">=\",\"trigger\":{\"value\":\"60493165\"}},{\"cfid\":232446,\"id\":\"d1\",\"filterType\":\"Individualsizedown\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"60493165\"}},{\"cfid\":232447,\"id\":\"d10\",\"filterType\":\"Individualsizeup\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"679\"}},{\"cfid\":232448,\"id\":\"d11\",\"filterType\":\"HTTPreferrer\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":232449,\"id\":\"d12\",\"filterType\":\"HTTPmethod\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":232450,\"id\":\"d13\",\"filterType\":\"Dataratio\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"0\"}},{\"cfid\":232451,\"id\":\"d14\",\"filterType\":\"Ageofdestination\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"43965774\"}},{\"cfid\":232452,\"id\":\"d2\",\"filterType\":\"HTTPresponsecode\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"200\"}},{\"cfid\":232453,\"id\":\"d3\",\"filterType\":\"Useragent\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":232454,\"id\":\"d4\",\"filterType\":\"ASN\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"AS13335CLOUDFLARENET\"}},{\"cfid\":232455,\"id\":\"d5\",\"filterType\":\"URI\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz\"}},{\"cfid\":232456,\"id\":\"d6\",\"filterType\":\"DestinationIP\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"104.18.103.100\"}},{\"cfid\":232457,\"id\":\"d7\",\"filterType\":\"Connectionhostname\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":232458,\"id\":\"d8\",\"filterType\":\"HTTPcontent
type\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"application/x-gzip\"}},{\"cfid\":232459,\"id\":\"d9\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"6\"}}]}],\"score\":0.245,\"device\":{\"did\":16,\"ip\":\"192.168.1.#18408\",\"ips\":[{\"ip\":\"192.168.1.#18408\",\"timems\":1688263200000,\"time\":\"2023-07-0202:00:00\",\"sid\":3}],\"sid\":3,\"firstSeen\":1644001727000,\"lastSeen\":1688266122000,\"typename\":\"desktop\",\"typelabel\":\"Desktop\"}}", + "message": "{\"commentCount\":0,\"pbid\":26316,\"time\":1687967502000,\"creationTime\":1687967508000,\"model\":{\"then\":{\"name\":\"AnomalousFile::ZiporGzipfromRareExternalLocation\",\"pid\":619,\"phid\":9945,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000172\",\"logic\":{\"data\":[19046],\"type\":\"componentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:Tooling\",\"OTEngineer\"],\"interval\":0,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2023-06-28 
11:53:50\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"AdevicehasdownloadedaZIPfilefromalocationthatthenetworkdoesnotnormallyvisit.\\n\\nAction:Reviewthefile,itshashandthesourcetoensurethatthisfileisrequiredwithinthenetworkforbusinesspurposes.\",\"behaviour\":\"decreasing\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":42,\"mitre\":{\"tactics\":[\"resource-development\"],\"techniques\":[\"T1588.001\"]},\"priority\":1,\"category\":\"Informational\",\"compliance\":false},\"now\":{\"name\":\"AnomalousFile::ZiporGzipfromRareExternalLocation\",\"pid\":619,\"phid\":9945,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000172\",\"logic\":{\"data\":[19046],\"type\":\"componentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:Tooling\",\"OTEngineer\"],\"interval\":0,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2023-06-28 
11:53:50\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"AdevicehasdownloadedaZIPfilefromalocationthatthenetworkdoesnotnormallyvisit.\\n\\nAction:Reviewthefile,itshashandthesourcetoensurethatthisfileisrequiredwithinthenetworkforbusinesspurposes.\",\"behaviour\":\"decreasing\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"message\":\"Excludedcommonuseragents\",\"version\":42,\"mitre\":{\"tactics\":[\"resource-development\"],\"techniques\":[\"T1588.001\"]},\"priority\":1,\"category\":\"Informational\",\"compliance\":false}},\"triggeredComponents\":[{\"time\":1687967501000,\"cbid\":26393,\"cid\":19046,\"chid\":30682,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"R\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"opera
tor\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"R\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"G\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"R\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"R\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left
\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"G\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"
left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}}}}}}}}},\"version\":\"v0.1\"},\"ip\":\"104.18.103.100/32\",\"port\":80,\"metric\":{\"mlid\":1,\"name\":\"externalconnections\",\"label\":\"ExternalConnections\"},\"triggeredFilters\":[{\"cfid\":232424,\"id\":\"C\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"3\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":232426,\"id\":\"F\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":232428,\"id\":\"H\",\"filterType\":\"HTTPcontenttype\",\"arguments\":{\"value\":\"application/x-gzip\"},\"comparatorType\":\"matches\",\"trigger\":{\"value\":\"application/x-gzip\"}},{\"cfid\":232430,\"id\":\"J\",\"filterType\":\"RareexternalIP\",\"arguments\":{\"value\":98},\"comparatorType\":\">=\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":232431,\"id\":\"K\",\"filterType\":\"Ra
redomain\",\"arguments\":{\"value\":95},\"comparatorType\":\">=\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":232432,\"id\":\"L\",\"filterType\":\"Trustedhostname\",\"arguments\":{\"value\":\"false\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"false\"}},{\"cfid\":232433,\"id\":\"M\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"9\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":232434,\"id\":\"N\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"4\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":232435,\"id\":\"O\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"13\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":232436,\"id\":\"P\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"17\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":232437,\"id\":\"Q\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":15},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"15\",\"tag\":{\"tid\":15,\"expiry\":0,\"thid\":15,\"name\":\"ConflictingUser-Agents\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":284,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":232438,\"id\":\"R\",\"filterType\":\"DestinationIP\",\"arguments\":{\"value\":\"0.0.0.0\"},\"comparatorType\":\"doesnotmatch\",\"trigger\":{\"value\":\"104.18.103.100\"}},{\"cfid\":232439,\"id\":\"S\",\"filterType\":\"Connectionhostname\",\"arguments\":{\"value\":\"(speed(test|check).+|.+speed(test|check).+)|.*((up(date|grade)|download|content|mirrors|weather|changes|quant|ctldl|avupdate).*\\\\.(carbonblack\\\\.io|nutanix\\\\.com|pandasoftware\\\\.com|ivanti\\\\.com|mit\\\\.edu|mastercam\\\\.com|rit\\\\.edu|knime\\\\.com|logicnow\\\\.us|oppomobile\\\\.com|trendmicro\\\\.com|panorama9\\\\.com|jiransecurity\\\\.com|refinitiv\\\\.com|jiran\\\\.com|loxtop\\\\.com|snoopwall\\\\.
com|tumbleweed\\\\.com|sangfor\\\\.net|alyac\\\\.com|spamassassin\\\\.org|verein-clean\\\\.net|itsupport247\\\\.net|lsfilter\\\\.com|iboss\\\\.com|eeye\\\\.com|windowsupdate\\\\.com|fireeye\\\\.com)|definitionsbd\\\\.adaware\\\\.com|nasepm\\\\.aramark\\\\.com|(bdefs|hw|ec)\\\\.threattrack\\\\.com|upd\\\\.zonelabs\\\\.com|www\\\\.solutionsam\\\\.com|licensingservice\\\\.altarix\\\\.com|autoupdate\\\\.bradyid\\\\.com|iblocklist\\\\.com|clientservices\\\\.googleapis\\\\.com|mirror\\\\.centos\\\\..*\\\\.serverforge\\\\.org|sync\\\\.bigfix\\\\.com|catalog\\\\.kace\\\\.com)\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":232440,\"id\":\"T\",\"filterType\":\"Useragent\",\"arguments\":{\"value\":\"/((libdnf|sa-update|Valve\\\\/Steam|itunesstored|pfSense|McAfee|DebianAPT-HTTP).*|Sylink|.*LANguard.*|Smc|SG\\\\_CTAVUpdater|NetpasUpdater|urlgrabber/[0-9.]+yum/[0-9.]+|ManageEngine(Endpoint|Desktop)Central).*/i\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"\"}},{\"cfid\":232441,\"id\":\"U\",\"filterType\":\"Connectionhostname\",\"arguments\":{\"value\":\"(antivirus|rpm(s)?|sa-update|centos|fedora).*\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":232442,\"id\":\"V\",\"filterType\":\"URI\",\"arguments\":{\"value\":\"/.*\\\\/centos\\\\/.*\\\\.xml\\\\.gz/i\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz\"}},{\"cfid\":232443,\"id\":\"W\",\"filterType\":\"URI\",\"arguments\":{\"value\":\"dl.delivery.mp.microsoft.com\"},\"comparatorType\":\"doesnotcontain\",\"trigger\":{\"value\":\"/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz\"}},{\"cfid\":232444,\"id\":\"Y\",\"filterType\":\"HTTPresponsecode\",\"arguments\":{\"value\":400},\"comparatorType\":\"<\",\"trigger\":{\"value\":\"200\"}},{\"cfid\":232445,\"id\":\"Z\",\"filterType\":\"
Individualsizedown\",\"arguments\":{\"value\":10000},\"comparatorType\":\">=\",\"trigger\":{\"value\":\"60493165\"}},{\"cfid\":232446,\"id\":\"d1\",\"filterType\":\"Individualsizedown\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"60493165\"}},{\"cfid\":232447,\"id\":\"d10\",\"filterType\":\"Individualsizeup\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"679\"}},{\"cfid\":232448,\"id\":\"d11\",\"filterType\":\"HTTPreferrer\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":232449,\"id\":\"d12\",\"filterType\":\"HTTPmethod\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":232450,\"id\":\"d13\",\"filterType\":\"Dataratio\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"0\"}},{\"cfid\":232451,\"id\":\"d14\",\"filterType\":\"Ageofdestination\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"43965774\"}},{\"cfid\":232452,\"id\":\"d2\",\"filterType\":\"HTTPresponsecode\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"200\"}},{\"cfid\":232453,\"id\":\"d3\",\"filterType\":\"Useragent\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":232454,\"id\":\"d4\",\"filterType\":\"ASN\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"AS13335CLOUDFLARENET\"}},{\"cfid\":232455,\"id\":\"d5\",\"filterType\":\"URI\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz\"}},{\"cfid\":232456,\"id\":\"d6\",\"filterType\":\"DestinationIP\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"104.18.103.100\"}},{\"cfid\":232457,\"id\":\"d7\",\"filterType\":\"Connectionhostname\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":232458,\"id\":\"d8\",\"filterType\":\"HTTPcontent
type\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"application/x-gzip\"}},{\"cfid\":232459,\"id\":\"d9\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"6\"}}]}],\"score\":0.245,\"device\":{\"did\":16,\"ip\":\"192.168.1.#18408\",\"ips\":[{\"ip\":\"192.168.1.#18408\",\"timems\":1688263200000,\"time\":\"2023-07-0202:00:00\",\"sid\":3}],\"sid\":3,\"firstSeen\":1644001727000,\"lastSeen\":1688266122000,\"typename\":\"desktop\",\"typelabel\":\"Desktop\"},\"log_type\":\"modelbreaches\"}", "event": { "category": "network", "end": "2023-06-28T11:53:50Z", 
@@ -141,7 +220,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ```json { - "message": "{\"commentCount\":0,\"pbid\":26368,\"time\":1687987886000,\"creationTime\":1687987892000,\"model\":{\"then\":{\"name\":\"Antigena::Network::Compliance::AntigenaConnectionSeen\",\"pid\":2299,\"phid\":9961,\"uuid\":\"5f78deda-3ff9-445f-a88e-2137dca625d6\",\"logic\":{\"data\":[19083],\"type\":\"componentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{\"action\":\"quarantine\",\"confirm\":true,\"connector_actions\":{},\"duration\":1000,\"ignoreSchedule\":true,\"threshold\":\"50\"},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[],\"interval\":3600,\"delay\":0,\"sequenced\":true,\"active\":true,\"modified\":\"2023-06-28 21:31:29\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":false,\"autoSuppress\":false,\"description\":\"\",\"behaviour\":\"decreasing\",\"defeats\":[],\"created\":{\"by\":\"darktrace\",\"userID\":2},\"edited\":{\"by\":\"darktrace\",\"userID\":2},\"version\":7,\"priority\":4,\"category\":\"Suspicious\",\"compliance\":true},\"now\":{\"name\":\"Antigena::Network::Compliance::AntigenaConnectionSeen\",\"pid\":2299,\"phid\":9962,\"uuid\":\"5f78deda-3ff9-445f-a88e-2137dca625d6\",\"logic\":{\"data\":[19084],\"type\":\"componentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{\"action\":\"quarantine\",\"confirm\":true,\"connector_actions\":{},\"duration\":1000,\"ignoreSchedule\":true,\"threshold\":\"50\"},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[],\"interval\":3600,\"delay\":0,\"sequenced\":true,\"active\":false,\"modified\":\"2023-06-28 
21:32:10\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":false,\"autoSuppress\":false,\"description\":\"\",\"behaviour\":\"decreasing\",\"defeats\":[],\"created\":{\"by\":\"darktrace\",\"userID\":2},\"edited\":{\"by\":\"darktrace\",\"userID\":2},\"version\":8,\"priority\":4,\"category\":\"Suspicious\",\"compliance\":true}},\"triggeredComponents\":[{\"time\":1687987885000,\"cbid\":26445,\"cid\":19083,\"chid\":30726,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{},\"version\":\"v0.1\"},\"ip\":\"192.168.16.100/32\",\"port\":443,\"metric\":{\"mlid\":16,\"name\":\"connections\",\"label\":\"Connections\"},\"triggeredFilters\":[]}],\"score\":0.871,\"device\":{\"did\":31,\"hostname\":\"my_host\",\"vendor\":\"\",\"ip\":\"192.168.1.2\",\"ips\":[{\"ip\":\"192.168.1.2\",\"timems\":1688389200000,\"time\":\"2023-07-0313:00:00\",\"sid\":3}],\"sid\":3,\"firstSeen\":1649669953000,\"lastSeen\":1688391406000,\"typename\":\"dnsserver\",\"typelabel\":\"DNSServer\"}}", + "message": "{\"commentCount\":0,\"pbid\":26368,\"time\":1687987886000,\"creationTime\":1687987892000,\"model\":{\"then\":{\"name\":\"Antigena::Network::Compliance::AntigenaConnectionSeen\",\"pid\":2299,\"phid\":9961,\"uuid\":\"5f78deda-3ff9-445f-a88e-2137dca625d6\",\"logic\":{\"data\":[19083],\"type\":\"componentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{\"action\":\"quarantine\",\"confirm\":true,\"connector_actions\":{},\"duration\":1000,\"ignoreSchedule\":true,\"threshold\":\"50\"},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[],\"interval\":3600,\"delay\":0,\"sequenced\":true,\"active\":true,\"modified\":\"2023-06-28 
21:31:29\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":false,\"autoSuppress\":false,\"description\":\"\",\"behaviour\":\"decreasing\",\"defeats\":[],\"created\":{\"by\":\"darktrace\",\"userID\":2},\"edited\":{\"by\":\"darktrace\",\"userID\":2},\"version\":7,\"priority\":4,\"category\":\"Suspicious\",\"compliance\":true},\"now\":{\"name\":\"Antigena::Network::Compliance::AntigenaConnectionSeen\",\"pid\":2299,\"phid\":9962,\"uuid\":\"5f78deda-3ff9-445f-a88e-2137dca625d6\",\"logic\":{\"data\":[19084],\"type\":\"componentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{\"action\":\"quarantine\",\"confirm\":true,\"connector_actions\":{},\"duration\":1000,\"ignoreSchedule\":true,\"threshold\":\"50\"},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[],\"interval\":3600,\"delay\":0,\"sequenced\":true,\"active\":false,\"modified\":\"2023-06-28 
21:32:10\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":false,\"autoSuppress\":false,\"description\":\"\",\"behaviour\":\"decreasing\",\"defeats\":[],\"created\":{\"by\":\"darktrace\",\"userID\":2},\"edited\":{\"by\":\"darktrace\",\"userID\":2},\"version\":8,\"priority\":4,\"category\":\"Suspicious\",\"compliance\":true}},\"triggeredComponents\":[{\"time\":1687987885000,\"cbid\":26445,\"cid\":19083,\"chid\":30726,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{},\"version\":\"v0.1\"},\"ip\":\"192.168.16.100/32\",\"port\":443,\"metric\":{\"mlid\":16,\"name\":\"connections\",\"label\":\"Connections\"},\"triggeredFilters\":[]}],\"score\":0.871,\"device\":{\"did\":31,\"hostname\":\"my_host\",\"vendor\":\"\",\"ip\":\"192.168.1.2\",\"ips\":[{\"ip\":\"192.168.1.2\",\"timems\":1688389200000,\"time\":\"2023-07-0313:00:00\",\"sid\":3}],\"sid\":3,\"firstSeen\":1649669953000,\"lastSeen\":1688391406000,\"typename\":\"dnsserver\",\"typelabel\":\"DNSServer\"},\"log_type\":\"modelbreaches\"}", "event": { "category": "network", "end": "2023-06-28T21:31:29Z", 
@@ -235,7 +314,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ```json { - "message": "{\"commentCount\":0,\"pbid\":27103,\"time\":1688266123000,\"creationTime\":1688266130000,\"model\":{\"then\":{\"name\":\"Device::AttackandReconTools\",\"pid\":76,\"phid\":8953,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000197\",\"logic\":{\"data\":[{\"cid\":17299,\"weight\":1},{\"cid\":17302,\"weight\":1},{\"cid\":17298,\"weight\":1},{\"cid\":17300,\"weight\":1},{\"cid\":17301,\"weight\":1},{\"cid\":17303,\"weight\":1},{\"cid\":17304,\"weight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":604800,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:InternalRecon\",\"OTEngineer\"],\"interval\":3600,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2023-03-14 12:53:21\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"Adeviceisusingcommonpenetrationtestingtools.\\n\\nAction:Reviewthedevicetoseeifitasecuritydevice,thesecanbetaggedassuchtoexcludethemfromfuturebreaches.Activityfromnonsecuritydevicesmeritfurtherinvestigationintowhatelsethedeviceisdoingandcouldbeasignificantriskwithinthenetwork.\",\"behaviour\":\"decreasing\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":87,\"mitre\":{\"tactics\":[\"initial-access\"],\"techniques\":[\"T1200\"]},\"priority\":4,\"category\":\"Suspicious\",\"compliance\":false},\"now\":{\"name\":\"Device::AttackandReconTools\",\"pid\":76,\"phid\":8953,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000197\",\"logic\":{\"data\":[{\"cid\":17299,\"weight\":1},{\"cid\":17302,\"weight\":1},{\"cid\":17298,\"weight\":1},{\"cid\":17300,\"weight\":1},{\"cid\":17301,\"weight\":1},{\"cid\":17303,\"weight\":1},{\"cid\":17304,\"w
eight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":604800,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:InternalRecon\",\"OTEngineer\"],\"interval\":3600,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2023-03-14 12:53:21\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"Adeviceisusingcommonpenetrationtestingtools.\\n\\nAction:Reviewthedevicetoseeifitasecuritydevice,thesecanbetaggedassuchtoexcludethemfromfuturebreaches.Activityfromnonsecuritydevicesmeritfurtherinvestigationintowhatelsethedeviceisdoingandcouldbeasignificantriskwithinthenetwork.\",\"behaviour\":\"decreasing\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"message\":\"Addeddetectionforgobusteranddirbuster\",\"version\":87,\"mitre\":{\"tactics\":[\"initial-access\"],\"techniques\":[\"T1200\"]},\"priority\":4,\"category\":\"Suspicious\",\"compliance\":false}},\"triggeredComponents\":[{\"time\":1688266122000,\"cbid\":27180,\"cid\":17302,\"chid\":27905,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":\"J\"}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":\"H\"}}}}},\"operator\":\"OR\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",
\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"G\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":\"I\"}}}}}}}},\"version\":\"v0.1\"},\"ip\":\"192.168.1.2/32\",\"port\":53,\"metric\":{\"mlid\":11,\"name\":\"dnsrequests\",\"label\":\"DNSRequests\"},\"triggeredFilters\":[{\"cfid\":208828,\"id\":\"A\",\"filterType\":\"DNShostlookup\",\"arguments\":{\"value\":\"kali(\\\\..+)?\"},\"comparatorType\":\"matchesregularexpression\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":208829,\"id\":\"B\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"12\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":208830,\"id\":\"C\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":18},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"18\",\"tag\":{\"tid\":18,\"expiry\":0,\"thid\":18,\"name\":\"DNSServer\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":112,\"description\":\"DevicesreceivingandmakingDNSqueries\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":208831,\"id\":\"D\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":208832,\"id\":\"E\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":4},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"4\",\"tag\":{\"tid\":4,\"expiry\":0,\"thid\":4,\"name\":\"SecurityDevice\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":55,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":208835,\"id\":\"H\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":58},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"58\",\"tag\":{\"tid\":58,\"expiry\":0,\"thid\":58,\"name\":\"MailServer\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":200,\"description\":\"\"},\"
isReferenced\":true}}},{\"cfid\":208836,\"id\":\"I\",\"filterType\":\"DNShostlookup\",\"arguments\":{\"value\":\"backbox.com\"},\"comparatorType\":\"doesnotmatch\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":208837,\"id\":\"J\",\"filterType\":\"DNShostlookup\",\"arguments\":{\"value\":\"^kali\\\\.(by|hu|hr|cheng-tsui\\\\.com|tradair\\\\.com)$\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":208838,\"id\":\"d1\",\"filterType\":\"DNShostlookup\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"kali.download\"}}]}],\"score\":0.871,\"device\":{\"did\":16,\"ip\":\"192.168.1.#18408\",\"ips\":[{\"ip\":\"192.168.1.#18408\",\"timems\":1688263200000,\"time\":\"2023-07-0202:00:00\",\"sid\":3}],\"sid\":3,\"firstSeen\":1644001727000,\"lastSeen\":1688266122000,\"typename\":\"desktop\",\"typelabel\":\"Desktop\"}}", + "message": "{\"commentCount\":0,\"pbid\":27103,\"time\":1688266123000,\"creationTime\":1688266130000,\"model\":{\"then\":{\"name\":\"Device::AttackandReconTools\",\"pid\":76,\"phid\":8953,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000197\",\"logic\":{\"data\":[{\"cid\":17299,\"weight\":1},{\"cid\":17302,\"weight\":1},{\"cid\":17298,\"weight\":1},{\"cid\":17300,\"weight\":1},{\"cid\":17301,\"weight\":1},{\"cid\":17303,\"weight\":1},{\"cid\":17304,\"weight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":604800,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:InternalRecon\",\"OTEngineer\"],\"interval\":3600,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2023-03-14 
12:53:21\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"Adeviceisusingcommonpenetrationtestingtools.\\n\\nAction:Reviewthedevicetoseeifitasecuritydevice,thesecanbetaggedassuchtoexcludethemfromfuturebreaches.Activityfromnonsecuritydevicesmeritfurtherinvestigationintowhatelsethedeviceisdoingandcouldbeasignificantriskwithinthenetwork.\",\"behaviour\":\"decreasing\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":87,\"mitre\":{\"tactics\":[\"initial-access\"],\"techniques\":[\"T1200\"]},\"priority\":4,\"category\":\"Suspicious\",\"compliance\":false},\"now\":{\"name\":\"Device::AttackandReconTools\",\"pid\":76,\"phid\":8953,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000197\",\"logic\":{\"data\":[{\"cid\":17299,\"weight\":1},{\"cid\":17302,\"weight\":1},{\"cid\":17298,\"weight\":1},{\"cid\":17300,\"weight\":1},{\"cid\":17301,\"weight\":1},{\"cid\":17303,\"weight\":1},{\"cid\":17304,\"weight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":604800,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:InternalRecon\",\"OTEngineer\"],\"interval\":3600,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2023-03-14 
12:53:21\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"Adeviceisusingcommonpenetrationtestingtools.\\n\\nAction:Reviewthedevicetoseeifitasecuritydevice,thesecanbetaggedassuchtoexcludethemfromfuturebreaches.Activityfromnonsecuritydevicesmeritfurtherinvestigationintowhatelsethedeviceisdoingandcouldbeasignificantriskwithinthenetwork.\",\"behaviour\":\"decreasing\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"message\":\"Addeddetectionforgobusteranddirbuster\",\"version\":87,\"mitre\":{\"tactics\":[\"initial-access\"],\"techniques\":[\"T1200\"]},\"priority\":4,\"category\":\"Suspicious\",\"compliance\":false}},\"triggeredComponents\":[{\"time\":1688266122000,\"cbid\":27180,\"cid\":17302,\"chid\":27905,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":\"J\"}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":\"H\"}}}}},\"operator\":\"OR\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"G\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":\"I\"}}}}}}}},\"version\":\"v0.1\"},\"ip\":\"192.168.1.2/32\",\"port\":53,\"metric\":{\"mlid\":11,\"name\":\"dnsrequests\",\"label\":\"DNSRequests\"},\"triggeredFilters\":[{\"cfid\":20
8828,\"id\":\"A\",\"filterType\":\"DNShostlookup\",\"arguments\":{\"value\":\"kali(\\\\..+)?\"},\"comparatorType\":\"matchesregularexpression\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":208829,\"id\":\"B\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"12\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":208830,\"id\":\"C\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":18},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"18\",\"tag\":{\"tid\":18,\"expiry\":0,\"thid\":18,\"name\":\"DNSServer\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":112,\"description\":\"DevicesreceivingandmakingDNSqueries\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":208831,\"id\":\"D\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":208832,\"id\":\"E\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":4},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"4\",\"tag\":{\"tid\":4,\"expiry\":0,\"thid\":4,\"name\":\"SecurityDevice\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":55,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":208835,\"id\":\"H\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":58},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"58\",\"tag\":{\"tid\":58,\"expiry\":0,\"thid\":58,\"name\":\"MailServer\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":200,\"description\":\"\"},\"isReferenced\":true}}},{\"cfid\":208836,\"id\":\"I\",\"filterType\":\"DNShostlookup\",\"arguments\":{\"value\":\"backbox.com\"},\"comparatorType\":\"doesnotmatch\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":208837,\"id\":\"J\",\"filterType\":\"DNShostlookup\",\"arguments\":{\"value\":\"^kali\\\\.(by|hu|hr|cheng-tsui\\\\.com|tradair\\\\.com)$\"},\"comparatorType\":\"doesnotmatchregularexpres
sion\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":208838,\"id\":\"d1\",\"filterType\":\"DNShostlookup\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"kali.download\"}}]}],\"score\":0.871,\"device\":{\"did\":16,\"ip\":\"192.168.1.#18408\",\"ips\":[{\"ip\":\"192.168.1.#18408\",\"timems\":1688263200000,\"time\":\"2023-07-0202:00:00\",\"sid\":3}],\"sid\":3,\"firstSeen\":1644001727000,\"lastSeen\":1688266122000,\"typename\":\"desktop\",\"typelabel\":\"Desktop\"},\"log_type\":\"modelbreaches\"}", "event": { "category": "network", "end": "2023-03-14T12:53:21Z", 
@@ -342,7 +421,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ```json { - "message": "{\"commentCount\":0,\"pbid\":25808,\"time\":1687774142000,\"creationTime\":1687774148000,\"model\":{\"then\":{\"name\":\"Compromise::WatchedDomain\",\"pid\":608,\"phid\":6768,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000256\",\"logic\":{\"data\":[{\"cid\":13112,\"weight\":1},{\"cid\":13114,\"weight\":1},{\"cid\":13115,\"weight\":1},{\"cid\":13113,\"weight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:C2Comms\"],\"interval\":3600,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2022-06-22 15:56:27\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"AdeviceisobservedmakingDNSrequestsorconnectionstowatcheddomainsorIPaddresses.ThewatchlistcanbeeditedfromthemainGUImenu,Intelsub-menu,undertheiconWatchedDomains.\\n\\nAction:ReviewthedomainandIPbeingconnectedto.\",\"behaviour\":\"decreasing\",\"defeats\":[],\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":31,\"priority\":5,\"category\":\"Critical\",\"compliance\":false},\"now\":{\"name\":\"Compromise::WatchedDomain\",\"pid\":608,\"phid\":6768,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000256\",\"logic\":{\"data\":[{\"cid\":13112,\"weight\":1},{\"cid\":13114,\"weight\":1},{\"cid\":13115,\"weight\":1},{\"cid\":13113,\"weight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:C2Comms\"],\"interval\":3600,\"delay\":0,\"seque
nced\":false,\"active\":true,\"modified\":\"2022-06-22 15:56:27\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"AdeviceisobservedmakingDNSrequestsorconnectionstowatcheddomainsorIPaddresses.ThewatchlistcanbeeditedfromthemainGUImenu,Intelsub-menu,undertheiconWatchedDomains.\\n\\nAction:ReviewthedomainandIPbeingconnectedto.\",\"behaviour\":\"decreasing\",\"defeats\":[],\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"message\":\"Adjustingmodellogicforproxiedconnections\",\"version\":31,\"priority\":5,\"category\":\"Critical\",\"compliance\":false}},\"triggeredComponents\":[{\"time\":1687774141000,\"cbid\":25885,\"cid\":13112,\"chid\":20980,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":\"F\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":\"F\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":\"G\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":\"G\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":\"I\"}}}},\"operator\":\"OR\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"H\"
,\"operator\":\"AND\",\"right\":\"I\"}}}}}}}}},\"version\":\"v0.1\"},\"ip\":\"192.168.1.2/32\",\"port\":53,\"metric\":{\"mlid\":223,\"name\":\"dtwatcheddomain\",\"label\":\"WatchedDomain\"},\"triggeredFilters\":[{\"cfid\":156173,\"id\":\"A\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{\"value\":\".+\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156175,\"id\":\"C\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":156177,\"id\":\"E\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"12\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":156179,\"id\":\"G\",\"filterType\":\"Destinationport\",\"arguments\":{\"value\":53},\"comparatorType\":\"=\",\"trigger\":{\"value\":\"53\"}},{\"cfid\":156180,\"id\":\"d1\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":156181,\"id\":\"d10\",\"filterType\":\"Watchedendpointdescription\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156182,\"id\":\"d2\",\"filterType\":\"Connectionhostname\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156183,\"id\":\"d3\",\"filterType\":\"DestinationIP\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"192.168.1.2\"}},{\"cfid\":156184,\"id\":\"d4\",\"filterType\":\"ASN\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156185,\"id\":\"d5\",\"filterType\":\"Country\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156186,\"id\":\"d6\",\"filterType\":\"Message\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"amazonlinux-2-repos-eu-west-2.s3.eu-west-2.amazonaws.com\"}},{\"cfid\":156187,\"id\":\"d7\",\"filterType\":\"Watchedendpoi
nt\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"true\"}},{\"cfid\":156188,\"id\":\"d8\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156189,\"id\":\"d9\",\"filterType\":\"Watchedendpointstrength\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":156190,\"id\":\"H\",\"filterType\":\"Internaldestination\",\"arguments\":{},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"true\"}},{\"cfid\":156191,\"id\":\"I\",\"filterType\":\"Internaldestinationdevicetype\",\"arguments\":{\"value\":\"11\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"12\"}}]}],\"score\":0.541,\"device\":{\"did\":6,\"hostname\":\"SaaS::Slack: john.doe@company.com\",\"ip\":\"192.168.16.#54818\",\"ips\":[{\"ip\":\"192.168.16.#54818\",\"timems\":1688385600000,\"time\":\"2023-07-0312:00:00\",\"sid\":4}],\"sid\":4,\"firstSeen\":1639068361000,\"lastSeen\":1688385853000,\"typename\":\"desktop\",\"typelabel\":\"Desktop\"}}", + "message": "{\"commentCount\":0,\"pbid\":25808,\"time\":1687774142000,\"creationTime\":1687774148000,\"model\":{\"then\":{\"name\":\"Compromise::WatchedDomain\",\"pid\":608,\"phid\":6768,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000256\",\"logic\":{\"data\":[{\"cid\":13112,\"weight\":1},{\"cid\":13114,\"weight\":1},{\"cid\":13115,\"weight\":1},{\"cid\":13113,\"weight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:C2Comms\"],\"interval\":3600,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2022-06-22 
15:56:27\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"AdeviceisobservedmakingDNSrequestsorconnectionstowatcheddomainsorIPaddresses.ThewatchlistcanbeeditedfromthemainGUImenu,Intelsub-menu,undertheiconWatchedDomains.\\n\\nAction:ReviewthedomainandIPbeingconnectedto.\",\"behaviour\":\"decreasing\",\"defeats\":[],\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":31,\"priority\":5,\"category\":\"Critical\",\"compliance\":false},\"now\":{\"name\":\"Compromise::WatchedDomain\",\"pid\":608,\"phid\":6768,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000256\",\"logic\":{\"data\":[{\"cid\":13112,\"weight\":1},{\"cid\":13114,\"weight\":1},{\"cid\":13115,\"weight\":1},{\"cid\":13113,\"weight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:C2Comms\"],\"interval\":3600,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2022-06-22 
15:56:27\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"AdeviceisobservedmakingDNSrequestsorconnectionstowatcheddomainsorIPaddresses.ThewatchlistcanbeeditedfromthemainGUImenu,Intelsub-menu,undertheiconWatchedDomains.\\n\\nAction:ReviewthedomainandIPbeingconnectedto.\",\"behaviour\":\"decreasing\",\"defeats\":[],\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"message\":\"Adjustingmodellogicforproxiedconnections\",\"version\":31,\"priority\":5,\"category\":\"Critical\",\"compliance\":false}},\"triggeredComponents\":[{\"time\":1687774141000,\"cbid\":25885,\"cid\":13112,\"chid\":20980,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":\"F\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":\"F\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":\"G\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":\"G\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":\"I\"}}}},\"operator\":\"OR\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":\"I\"}}}}}}}}},\"versio
n\":\"v0.1\"},\"ip\":\"192.168.1.2/32\",\"port\":53,\"metric\":{\"mlid\":223,\"name\":\"dtwatcheddomain\",\"label\":\"WatchedDomain\"},\"triggeredFilters\":[{\"cfid\":156173,\"id\":\"A\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{\"value\":\".+\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156175,\"id\":\"C\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":156177,\"id\":\"E\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"12\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":156179,\"id\":\"G\",\"filterType\":\"Destinationport\",\"arguments\":{\"value\":53},\"comparatorType\":\"=\",\"trigger\":{\"value\":\"53\"}},{\"cfid\":156180,\"id\":\"d1\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":156181,\"id\":\"d10\",\"filterType\":\"Watchedendpointdescription\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156182,\"id\":\"d2\",\"filterType\":\"Connectionhostname\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156183,\"id\":\"d3\",\"filterType\":\"DestinationIP\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"192.168.1.2\"}},{\"cfid\":156184,\"id\":\"d4\",\"filterType\":\"ASN\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156185,\"id\":\"d5\",\"filterType\":\"Country\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156186,\"id\":\"d6\",\"filterType\":\"Message\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"amazonlinux-2-repos-eu-west-2.s3.eu-west-2.amazonaws.com\"}},{\"cfid\":156187,\"id\":\"d7\",\"filterType\":\"Watchedendpoint\",\"arguments\":{},\"comparatorType\":\"display\",\"
trigger\":{\"value\":\"true\"}},{\"cfid\":156188,\"id\":\"d8\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156189,\"id\":\"d9\",\"filterType\":\"Watchedendpointstrength\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":156190,\"id\":\"H\",\"filterType\":\"Internaldestination\",\"arguments\":{},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"true\"}},{\"cfid\":156191,\"id\":\"I\",\"filterType\":\"Internaldestinationdevicetype\",\"arguments\":{\"value\":\"11\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"12\"}}]}],\"score\":0.541,\"device\":{\"did\":6,\"hostname\":\"SaaS::Slack: john.doe@company.com\",\"ip\":\"192.168.16.#54818\",\"ips\":[{\"ip\":\"192.168.16.#54818\",\"timems\":1688385600000,\"time\":\"2023-07-0312:00:00\",\"sid\":4}],\"sid\":4,\"firstSeen\":1639068361000,\"lastSeen\":1688385853000,\"typename\":\"desktop\",\"typelabel\":\"Desktop\"},\"log_type\":\"modelbreaches\"}", "event": { "category": "network", "end": "2022-06-22T15:56:27Z", 
@@ -439,7 +518,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ```json { - "message": "{\"commentCount\":0,\"pbid\":25860,\"time\":1687793533000,\"creationTime\":1687793540000,\"model\":{\"then\":{\"name\":\"Device::ThreatIndicator\",\"pid\":540,\"phid\":6656,\"uuid\":\"84c92ea6-36b9-402f-9df1-3c5bfaee9176\",\"logic\":{\"data\":[{\"cid\":12878,\"weight\":1},{\"cid\":12876,\"weight\":1},{\"cid\":12877,\"weight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false,\"tagTTL\":604800},\"tags\":[\"\",\"RequiresConfiguration\"],\"interval\":1,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2022-06-15 12:01:36\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"AdevicehasvisitedanexternallocationthathasbeenidentifiedbyanIndicatoraddedtothewatchlistsorviaTAXII.\\n\\nAction:InvestigatedevicesnetworkbehaviourspayingparticularattentiontothedomainsorIPsbeinghighlighted.Verifytheindicatorisatruemaliciousindicator.,behaviour:decreasing,created:{by:System},edited:{by:System},version:39,priority:5,category:Critical,compliance:false},now:{name:Device::ThreatIndicator,pid:540,phid:6656,uuid:84c92ea6-36b9-402f-9df1-3c5bfaee9176,logic:{data:[{cid:12878,weight:1},{cid:12876,weight:1},{cid:12877,weight:1}],targetScore:1,type:weightedComponentList,version:1},throttle:3600,sharedEndpoints:false,actions:{alert:true,antigena:{},breach:true,model:true,setPriority:false,setTag:false,setType:false,tagTTL:604800},tags:[,RequiresConfiguration],interval:1,delay:0,sequenced:false,active:true,modified:2022-06-15 
12:01:36,activeTimes:{devices:{},tags:{},type:exclusions,version:2},autoUpdatable:true,autoUpdate:true,autoSuppress:true,description:AdevicehasvisitedanexternallocationthathasbeenidentifiedbyanIndicatoraddedtothewatchlistsorviaTAXII.nnAction:InvestigatedevicesnetworkbehaviourspayingparticularattentiontothedomainsorIPsbeinghighlighted.Verifytheindicatorisatruemaliciousindicator.\",\"behaviour\":\"decreasing\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"message\":\"UpdatedWatchedendpointsourceregextoexcludeAttackSurfaceManagement\",\"version\":39,\"priority\":5,\"category\":\"Critical\",\"compliance\":false}},\"triggeredComponents\":[{\"time\":1687793532000,\"cbid\":25937,\"cid\":12876,\"chid\":20545,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"G\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":\"K\"}}}}}},\"version\":\"v0.1\"},\"ip\":\"192.168.1.2/32\",\"port\":53,\"metric\":{\"mlid\":223,\"name\":\"dtwatcheddomain\",\"label\":\"WatchedDomain\"},\"triggeredFilters\":[{\"cfid\":153437,\"id\":\"A\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{\"value\":\"^(\\\\_?Darktrace.*|AttackSurfaceManagement)\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"ThreatIntel\"}},{\"cfid\":153437,\"id\":\"A\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{\"value\":\"^(\\\\_?Darktrace.*|AttackSurfaceManagement)\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"\"}},{\"cfid\":153438,\"id\":\"F\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{\"value\":\".+\"},\"comparatorType\":\"matchesregularexpression\",\"trigger\":{\"value\":\"ThreatIntel\"}},{\"cfid\":153439,\"id\":\"G\",\"filterType\":\"Watchedendpointsource\",\"arguments\":
{\"value\":\"Default\"},\"comparatorType\":\"doesnotmatch\",\"trigger\":{\"value\":\"ThreatIntel\"}},{\"cfid\":153439,\"id\":\"G\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{\"value\":\"Default\"},\"comparatorType\":\"doesnotmatch\",\"trigger\":{\"value\":\"\"}},{\"cfid\":153440,\"id\":\"H\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":4},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"4\",\"tag\":{\"tid\":4,\"expiry\":0,\"thid\":4,\"name\":\"SecurityDevice\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":55,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":153441,\"id\":\"I\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"12\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"7\"}},{\"cfid\":153442,\"id\":\"J\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":18},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"18\",\"tag\":{\"tid\":18,\"expiry\":0,\"thid\":18,\"name\":\"DNSServer\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":112,\"description\":\"DevicesreceivingandmakingDNSqueries\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":153443,\"id\":\"K\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":153444,\"id\":\"d1\",\"filterType\":\"Ageofdestination\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"38123579\"}},{\"cfid\":153445,\"id\":\"d2\",\"filterType\":\"Country\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":153446,\"id\":\"d3\",\"filterType\":\"DestinationIP\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"192.168.1.2\"}},{\"cfid\":153447,\"id\":\"d4\",\"filterType\":\"ASN\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":153448,\"id\":\"d5\",\"filterType\":\"Destinationp
ort\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"53\"}},{\"cfid\":153449,\"id\":\"d6\",\"filterType\":\"Rareexternalendpoint\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"0\"}},{\"cfid\":153450,\"id\":\"d7\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"ThreatIntel\"}},{\"cfid\":153450,\"id\":\"d7\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":153451,\"id\":\"d8\",\"filterType\":\"Message\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"clients2.google.com\"}}]}],\"score\":0.612,\"device\":{\"did\":39,\"vendor\":\"\",\"ip\":\"192.168.1.3\",\"ips\":[{\"ip\":\"192.168.1.3\",\"timems\":1688389200000,\"time\":\"2023-07-0313:00:00\",\"sid\":3}],\"sid\":3,\"firstSeen\":1666276905000,\"lastSeen\":1688391268000,\"os\":\"Windows(10.0)\",\"typename\":\"server\",\"typelabel\":\"Server\"}}", + "message": "{\"commentCount\":0,\"pbid\":25860,\"time\":1687793533000,\"creationTime\":1687793540000,\"model\":{\"then\":{\"name\":\"Device::ThreatIndicator\",\"pid\":540,\"phid\":6656,\"uuid\":\"84c92ea6-36b9-402f-9df1-3c5bfaee9176\",\"logic\":{\"data\":[{\"cid\":12878,\"weight\":1},{\"cid\":12876,\"weight\":1},{\"cid\":12877,\"weight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false,\"tagTTL\":604800},\"tags\":[\"\",\"RequiresConfiguration\"],\"interval\":1,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2022-06-15 
12:01:36\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"AdevicehasvisitedanexternallocationthathasbeenidentifiedbyanIndicatoraddedtothewatchlistsorviaTAXII.\\n\\nAction:InvestigatedevicesnetworkbehaviourspayingparticularattentiontothedomainsorIPsbeinghighlighted.Verifytheindicatorisatruemaliciousindicator.,behaviour:decreasing,created:{by:System},edited:{by:System},version:39,priority:5,category:Critical,compliance:false},now:{name:Device::ThreatIndicator,pid:540,phid:6656,uuid:84c92ea6-36b9-402f-9df1-3c5bfaee9176,logic:{data:[{cid:12878,weight:1},{cid:12876,weight:1},{cid:12877,weight:1}],targetScore:1,type:weightedComponentList,version:1},throttle:3600,sharedEndpoints:false,actions:{alert:true,antigena:{},breach:true,model:true,setPriority:false,setTag:false,setType:false,tagTTL:604800},tags:[,RequiresConfiguration],interval:1,delay:0,sequenced:false,active:true,modified:2022-06-15 
12:01:36,activeTimes:{devices:{},tags:{},type:exclusions,version:2},autoUpdatable:true,autoUpdate:true,autoSuppress:true,description:AdevicehasvisitedanexternallocationthathasbeenidentifiedbyanIndicatoraddedtothewatchlistsorviaTAXII.nnAction:InvestigatedevicesnetworkbehaviourspayingparticularattentiontothedomainsorIPsbeinghighlighted.Verifytheindicatorisatruemaliciousindicator.\",\"behaviour\":\"decreasing\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"message\":\"UpdatedWatchedendpointsourceregextoexcludeAttackSurfaceManagement\",\"version\":39,\"priority\":5,\"category\":\"Critical\",\"compliance\":false}},\"triggeredComponents\":[{\"time\":1687793532000,\"cbid\":25937,\"cid\":12876,\"chid\":20545,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"G\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":\"K\"}}}}}},\"version\":\"v0.1\"},\"ip\":\"192.168.1.2/32\",\"port\":53,\"metric\":{\"mlid\":223,\"name\":\"dtwatcheddomain\",\"label\":\"WatchedDomain\"},\"triggeredFilters\":[{\"cfid\":153437,\"id\":\"A\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{\"value\":\"^(\\\\_?Darktrace.*|AttackSurfaceManagement)\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"ThreatIntel\"}},{\"cfid\":153437,\"id\":\"A\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{\"value\":\"^(\\\\_?Darktrace.*|AttackSurfaceManagement)\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"\"}},{\"cfid\":153438,\"id\":\"F\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{\"value\":\".+\"},\"comparatorType\":\"matchesregularexpression\",\"trigger\":{\"value\":\"ThreatIntel\"}},{\"cfid\":153439,\"id\":\"G\",\"filterType\":\"Watchedendpointsource\",\"arguments\":
{\"value\":\"Default\"},\"comparatorType\":\"doesnotmatch\",\"trigger\":{\"value\":\"ThreatIntel\"}},{\"cfid\":153439,\"id\":\"G\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{\"value\":\"Default\"},\"comparatorType\":\"doesnotmatch\",\"trigger\":{\"value\":\"\"}},{\"cfid\":153440,\"id\":\"H\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":4},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"4\",\"tag\":{\"tid\":4,\"expiry\":0,\"thid\":4,\"name\":\"SecurityDevice\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":55,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":153441,\"id\":\"I\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"12\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"7\"}},{\"cfid\":153442,\"id\":\"J\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":18},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"18\",\"tag\":{\"tid\":18,\"expiry\":0,\"thid\":18,\"name\":\"DNSServer\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":112,\"description\":\"DevicesreceivingandmakingDNSqueries\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":153443,\"id\":\"K\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":153444,\"id\":\"d1\",\"filterType\":\"Ageofdestination\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"38123579\"}},{\"cfid\":153445,\"id\":\"d2\",\"filterType\":\"Country\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":153446,\"id\":\"d3\",\"filterType\":\"DestinationIP\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"192.168.1.2\"}},{\"cfid\":153447,\"id\":\"d4\",\"filterType\":\"ASN\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":153448,\"id\":\"d5\",\"filterType\":\"Destinationp
ort\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"53\"}},{\"cfid\":153449,\"id\":\"d6\",\"filterType\":\"Rareexternalendpoint\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"0\"}},{\"cfid\":153450,\"id\":\"d7\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"ThreatIntel\"}},{\"cfid\":153450,\"id\":\"d7\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":153451,\"id\":\"d8\",\"filterType\":\"Message\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"clients2.google.com\"}}]}],\"score\":0.612,\"device\":{\"did\":39,\"vendor\":\"\",\"ip\":\"192.168.1.3\",\"ips\":[{\"ip\":\"192.168.1.3\",\"timems\":1688389200000,\"time\":\"2023-07-0313:00:00\",\"sid\":3}],\"sid\":3,\"firstSeen\":1666276905000,\"lastSeen\":1688391268000,\"os\":\"Windows(10.0)\",\"typename\":\"server\",\"typelabel\":\"Server\"},\"log_type\":\"modelbreaches\"}", "event": { "category": "network", "end": "2022-06-15T12:01:36Z", 
@@ -516,7 +595,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ```json { - "message": "{\"commentCount\":0,\"pbid\":25908,\"time\":1687811707000,\"creationTime\":1687811713000,\"model\":{\"then\":{\"name\":\"PenTest\",\"pid\":2721,\"phid\":9287,\"uuid\":\"8b3d5e73-0cf0-4c32-8451-a6919b9978f8\",\"logic\":{\"data\":[18021],\"type\":\"componentList\",\"version\":1},\"throttle\":1000,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[],\"interval\":3600,\"delay\":0,\"sequenced\":true,\"active\":true,\"modified\":\"2023-04-17 11:34:25\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"\",\"behaviour\":\"flat\",\"defeats\":[],\"created\":{\"by\":\"sam.gorse\",\"userID\":22},\"edited\":{\"by\":\"sam.gorse\",\"userID\":22},\"version\":7,\"priority\":5,\"category\":\"Critical\",\"compliance\":false},\"now\":{\"name\":\"PenTest\",\"pid\":2721,\"phid\":9287,\"uuid\":\"8b3d5e73-0cf0-4c32-8451-a6919b9978f8\",\"logic\":{\"data\":[18021],\"type\":\"componentList\",\"version\":1},\"throttle\":1000,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[],\"interval\":3600,\"delay\":0,\"sequenced\":true,\"active\":true,\"modified\":\"2023-04-17 
11:34:25\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":false,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"\",\"behaviour\":\"flat\",\"defeats\":[],\"created\":{\"by\":\"sam.gorse\",\"userID\":22},\"edited\":{\"by\":\"sam.gorse\",\"userID\":22},\"version\":7,\"priority\":5,\"category\":\"Critical\",\"compliance\":false}},\"triggeredComponents\":[{\"time\":1687811706000,\"cbid\":25985,\"cid\":18021,\"chid\":29073,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{\"left\":\"A\",\"operator\":\"OR\",\"right\":{\"left\":\"B\",\"operator\":\"OR\",\"right\":{\"left\":\"C\",\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":\"D\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":\"B\"},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":\"C\"},\"operator\":\"OR\",\"right\":{\"left\":\"D\",\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":\"C\"}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":\"D\"}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":\"D\"},\"operator\":\"OR\",\"right\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":\"D\"}}}}}}}}}}},\"version\":\"v0.1\"},\"ip\":\"192.168.16.100/32\",\"port\":80,\"metric\":{\"mlid\":16,\"name\":\"connections\",\"label\":\"Connections\"},\"triggeredFilters\":[{\"cfid\":217209,\"id\":\"C\",\"filterType\":\"Destinationport\",\"arguments\":{\"value\":80},\"comparatorType\":\"=\",\"trigger\":{\"value\":\"80\"}}]}],\"score\":1.0,\"device\":{\"did\":31,\"vendor\":\"\",\"ip\":\"192.168.1.2\",\"ips\":[{\"ip\":\"192.168.1.2\",\"timems\":168838920
0000,\"time\":\"2023-07-0313:00:00\",\"sid\":3}],\"sid\":3,\"firstSeen\":1649669953000,\"lastSeen\":1688391406000,\"typename\":\"dnsserver\",\"typelabel\":\"DNSServer\"}}", + "message": "{\"commentCount\":0,\"pbid\":25908,\"time\":1687811707000,\"creationTime\":1687811713000,\"model\":{\"then\":{\"name\":\"PenTest\",\"pid\":2721,\"phid\":9287,\"uuid\":\"8b3d5e73-0cf0-4c32-8451-a6919b9978f8\",\"logic\":{\"data\":[18021],\"type\":\"componentList\",\"version\":1},\"throttle\":1000,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[],\"interval\":3600,\"delay\":0,\"sequenced\":true,\"active\":true,\"modified\":\"2023-04-17 11:34:25\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"\",\"behaviour\":\"flat\",\"defeats\":[],\"created\":{\"by\":\"sam.gorse\",\"userID\":22},\"edited\":{\"by\":\"sam.gorse\",\"userID\":22},\"version\":7,\"priority\":5,\"category\":\"Critical\",\"compliance\":false},\"now\":{\"name\":\"PenTest\",\"pid\":2721,\"phid\":9287,\"uuid\":\"8b3d5e73-0cf0-4c32-8451-a6919b9978f8\",\"logic\":{\"data\":[18021],\"type\":\"componentList\",\"version\":1},\"throttle\":1000,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[],\"interval\":3600,\"delay\":0,\"sequenced\":true,\"active\":true,\"modified\":\"2023-04-17 
11:34:25\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":false,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"\",\"behaviour\":\"flat\",\"defeats\":[],\"created\":{\"by\":\"sam.gorse\",\"userID\":22},\"edited\":{\"by\":\"sam.gorse\",\"userID\":22},\"version\":7,\"priority\":5,\"category\":\"Critical\",\"compliance\":false}},\"triggeredComponents\":[{\"time\":1687811706000,\"cbid\":25985,\"cid\":18021,\"chid\":29073,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{\"left\":\"A\",\"operator\":\"OR\",\"right\":{\"left\":\"B\",\"operator\":\"OR\",\"right\":{\"left\":\"C\",\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":\"D\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":\"B\"},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":\"C\"},\"operator\":\"OR\",\"right\":{\"left\":\"D\",\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":\"C\"}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":\"D\"}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":\"D\"},\"operator\":\"OR\",\"right\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":\"D\"}}}}}}}}}}},\"version\":\"v0.1\"},\"ip\":\"192.168.16.100/32\",\"port\":80,\"metric\":{\"mlid\":16,\"name\":\"connections\",\"label\":\"Connections\"},\"triggeredFilters\":[{\"cfid\":217209,\"id\":\"C\",\"filterType\":\"Destinationport\",\"arguments\":{\"value\":80},\"comparatorType\":\"=\",\"trigger\":{\"value\":\"80\"}}]}],\"score\":1.0,\"device\":{\"did\":31,\"vendor\":\"\",\"ip\":\"192.168.1.2\",\"ips\":[{\"ip\":\"192.168.1.2\",\"timems\":168838920
0000,\"time\":\"2023-07-0313:00:00\",\"sid\":3}],\"sid\":3,\"firstSeen\":1649669953000,\"lastSeen\":1688391406000,\"typename\":\"dnsserver\",\"typelabel\":\"DNSServer\"},\"log_type\":\"modelbreaches\"}", "event": { "category": "network", "end": "2023-04-17T11:34:25Z", 
@@ -610,58 +689,75 @@ The following table lists the fields that are extracted, normalized under the EC
 | Name | Type | Description |
 | ---- | ---- | ---------------------------|
 |`@timestamp` | `date` | Date/time when the event originated. |
+|`darktrace.threat_visualizer.acknowledged` | `boolean` | Whether the event has been acknowledged. (example value: 'FALSE') |
+|`darktrace.threat_visualizer.activityId` | `keyword` | Used by pre-v5.2 legacy incident construction. An identifier for the specific activity detected by AI Analyst. If groupByActivity=true, this field should be used to group events together into an incident. (example value: 'da39a3ee') |
+|`darktrace.threat_visualizer.aiaScore` | `number` | The anomalousness of the event as classified by AI Analyst - out of 100. (example value: '98') |
+|`darktrace.threat_visualizer.attackPhases` | `array` | Of the six attack phases, which phases are applicable to the activity. (example value: '5') |
+|`darktrace.threat_visualizer.breachDevices` | `array` | An array of devices involved in the related model breach(es). |
+|`darktrace.threat_visualizer.category` | `keyword` | The behavior category associated with the incident event. Relevant for v5.2+ incident construction only. (example value: 'critical') |
+|`darktrace.threat_visualizer.children` | `array` | A unique identifier that can be used to request this AI Analyst event. This array will only contain one entry as of v5.2 and above. (example value: '04a3f36e-4u8w-v9dh-x6lb-894778cf9633') |
 |`darktrace.threat_visualizer.commentCount` | `number` | The number of comments made against this breach. |
 |`darktrace.threat_visualizer.creationTime` | `number` | The timestamp that the record of the breach was created. This is distinct from the time field. |
+|`darktrace.threat_visualizer.currentGroup` | `keyword` | The UUID of the current incident this event belongs to. Used for v5.2+ incident construction.
(example value: 'g04a3f36e-4u8w-v9dh-x6lb-894778cf9633') |
 |`darktrace.threat_visualizer.device.firstSeen` | `number` | The first time the device was seen on the network. |
-|`darktrace.threat_visualizer.device.ip` | `string` | The current IP associated with the device. |
+|`darktrace.threat_visualizer.device.ip` | `keyword` | The current IP associated with the device. |
 |`darktrace.threat_visualizer.device.ips` | `array` | IPs associated with the device historically. |
-|`darktrace.threat_visualizer.device.ips.ip` | `string` | A historic IP associated with the device. |
+|`darktrace.threat_visualizer.device.ips.ip` | `keyword` | A historic IP associated with the device. |
 |`darktrace.threat_visualizer.device.ips.sid` | `number` | The subnet id for the subnet the IP belongs to. |
-|`darktrace.threat_visualizer.device.ips.time` | `string` | The time the IP was last seen associated with that device in readable format. |
+|`darktrace.threat_visualizer.device.ips.time` | `keyword` | The time the IP was last seen associated with that device in readable format. |
 |`darktrace.threat_visualizer.device.ips.timems` | `number` | The time the IP was last seen associated with that device in epoch time. |
 |`darktrace.threat_visualizer.device.lastSeen` | `number` | The last time the device was seen on the network. |
 |`darktrace.threat_visualizer.device.sid` | `number` | The subnet id for the subnet the device is currently located in. |
 |`darktrace.threat_visualizer.device.typelabel` | `keyword` | The device type in readable format. |
 |`darktrace.threat_visualizer.device.typename` | `keyword` | The device type in system format. |
-|`darktrace.threat_visualizer.model.now.behaviour` | `string` | The score modulation function as set in the model editor. |
-|`darktrace.threat_visualizer.model.now.category` | `string` | The behavior category associated with the model at the time of request.
|
+|`darktrace.threat_visualizer.externalTriggered` | `boolean` | Whether the event was created as a result of an externally triggered AI Analyst investigation. (example value: 'FALSE') |
+|`darktrace.threat_visualizer.groupCategory` | `keyword` | The behavior category associated with the incident overall. Relevant for v5.2+ incident construction only. (example value: 'critical') |
+|`darktrace.threat_visualizer.groupScore` | `number` | The current overall score of the incident this event is part of. Relevant for v5.2+ incident construction only. (example value: '72.9174234') |
+|`darktrace.threat_visualizer.groupingIds` | `array` | Used by pre-v5.2 legacy incident construction. Each entry in the groupingIDs array refers to a device that triggered the activity detection. In single events, should only contain one ID. If groupByActivity=false, this field should be used to group events together into an incident. (example value: '268d2b8c') |
+|`darktrace.threat_visualizer.mitreTactics` | `array` | An array of MITRE ATT&CK Framework tactics that have been mapped to this event. (example value: 'lateral-movement') |
+|`darktrace.threat_visualizer.model.now.behaviour` | `keyword` | The score modulation function as set in the model editor. |
+|`darktrace.threat_visualizer.model.now.category` | `keyword` | The behavior category associated with the model at the time of request. |
 |`darktrace.threat_visualizer.model.now.defeats` | `array` | An array of model defeats - AND conditions - which if met, prevent the model from breaching. |
-|`darktrace.threat_visualizer.model.now.defeats.arguments.value` | `string` | |
-|`darktrace.threat_visualizer.model.now.defeats.comparator` | `string` | The comparator that the value is compared against the create the defeat.
|
+|`darktrace.threat_visualizer.model.now.defeats.arguments.value` | `keyword` | |
+|`darktrace.threat_visualizer.model.now.defeats.comparator` | `keyword` | The comparator that the value is compared against the create the defeat. |
 |`darktrace.threat_visualizer.model.now.defeats.defeatID` | `number` | A unique ID for the defeat. |
-|`darktrace.threat_visualizer.model.now.defeats.filtertype` | `string` | The filter the defeat is made from. |
-|`darktrace.threat_visualizer.model.now.description` | `string` | The optional description of the model. |
+|`darktrace.threat_visualizer.model.now.defeats.filtertype` | `keyword` | The filter the defeat is made from. |
+|`darktrace.threat_visualizer.model.now.description` | `keyword` | The optional description of the model. |
 |`darktrace.threat_visualizer.model.now.edited.userID` | `number` | Username that last edited the model. |
-|`darktrace.threat_visualizer.model.now.message` | `string` | The commit message for the change. |
+|`darktrace.threat_visualizer.model.now.message` | `keyword` | The commit message for the change. |
 |`darktrace.threat_visualizer.model.now.mitre.tactics` | `array` | An array of MITRE ATT&CK framework tactics the model has been mapped to. |
 |`darktrace.threat_visualizer.model.now.mitre.techniques` | `array` | An array of MITRE ATT&CK framework techniques the model has been mapped to. |
-|`darktrace.threat_visualizer.model.now.name` | `string` | Name of the model that was breached. |
+|`darktrace.threat_visualizer.model.now.name` | `keyword` | Name of the model that was breached. |
 |`darktrace.threat_visualizer.model.now.phid` | `number` | The model policy history id. Increments when the model is modified. |
 |`darktrace.threat_visualizer.model.now.pid` | `number` | The policy id of the model that was breached.
|
 |`darktrace.threat_visualizer.model.now.priority` | `number` | The numeric behavior category associated with the model at the time of request: 0-3 equates to informational, 4 equates to suspicious and 5 equates to critical. |
 |`darktrace.threat_visualizer.model.now.tags` | `array` | AP: Bruteforce |
-|`darktrace.threat_visualizer.model.now.uuid` | `string` | A unique ID that is generated on creation of the model. |
+|`darktrace.threat_visualizer.model.now.uuid` | `keyword` | A unique ID that is generated on creation of the model. |
 |`darktrace.threat_visualizer.model.now.version` | `number` | The version of the model. Increments on each edit. |
-|`darktrace.threat_visualizer.model.then.behaviour` | `string` | The score modulation function as set in the model editor. |
-|`darktrace.threat_visualizer.model.then.category` | `string` | The behavior category associated with the model at the time of the breach. |
+|`darktrace.threat_visualizer.model.then.behaviour` | `keyword` | The score modulation function as set in the model editor. |
+|`darktrace.threat_visualizer.model.then.category` | `keyword` | The behavior category associated with the model at the time of the breach. |
 |`darktrace.threat_visualizer.model.then.defeats` | `array` | An array of model defeats - AND conditions - which if met, prevent the model from breaching. |
-|`darktrace.threat_visualizer.model.then.defeats.arguments.value` | `string` | |
-|`darktrace.threat_visualizer.model.then.defeats.comparator` | `string` | The comparator that the value is compared against the create the defeat. |
+|`darktrace.threat_visualizer.model.then.defeats.arguments.value` | `keyword` | |
+|`darktrace.threat_visualizer.model.then.defeats.comparator` | `keyword` | The comparator that the value is compared against the create the defeat. |
 |`darktrace.threat_visualizer.model.then.defeats.defeatID` | `number` | A unique ID for the defeat.
|
-|`darktrace.threat_visualizer.model.then.defeats.filtertype` | `string` | The filter the defeat is made from. |
-|`darktrace.threat_visualizer.model.then.description` | `string` | The optional description of the model. |
+|`darktrace.threat_visualizer.model.then.defeats.filtertype` | `keyword` | The filter the defeat is made from. |
+|`darktrace.threat_visualizer.model.then.description` | `keyword` | The optional description of the model. |
 |`darktrace.threat_visualizer.model.then.mitre.tactics` | `array` | An array of MITRE ATT&CK framework tactics the model has been mapped to. |
 |`darktrace.threat_visualizer.model.then.mitre.techniques` | `array` | An array of MITRE ATT&CK framework techniques the model has been mapped to. |
-|`darktrace.threat_visualizer.model.then.name` | `string` | Name of the model that was breached. |
+|`darktrace.threat_visualizer.model.then.name` | `keyword` | Name of the model that was breached. |
 |`darktrace.threat_visualizer.model.then.phid` | `number` | The model policy history id. Increments when the model is modified. |
 |`darktrace.threat_visualizer.model.then.pid` | `number` | The policy id of the model that was breached. |
 |`darktrace.threat_visualizer.model.then.priority` | `number` | The numeric behavior category associated with the model at the time of the breach: 0-3 equates to informational, 4 equates to suspicious and 5 equates to critical. |
 |`darktrace.threat_visualizer.model.then.tags` | `array` | A list of tags that have been applied to this model in the Threat Visualizer model editor. |
-|`darktrace.threat_visualizer.model.then.uuid` | `string` | A unique ID that is generated on creation of the model. |
+|`darktrace.threat_visualizer.model.then.uuid` | `keyword` | A unique ID that is generated on creation of the model. |
 |`darktrace.threat_visualizer.model.then.version` | `number` | The version of the model. Increments on each edit.
|
 |`darktrace.threat_visualizer.pbid` | `number` | The policy breach ID of the model breach. |
+|`darktrace.threat_visualizer.periods` | `array` | An array of one or more periods of time where anomalous activity occurred that AI Analyst investigated. |
+|`darktrace.threat_visualizer.relatedBreaches` | `array` | An array of model breaches related to the activity investigated by AI analyst. |
 |`darktrace.threat_visualizer.score` | `number` | The model breach score, represented by a value between 0 and 1. |
 |`darktrace.threat_visualizer.time` | `number` | The timestamp when the record was created in epoch time. |
+|`darktrace.threat_visualizer.userTriggered` | `boolean` | Whether the event was created as a result of a user-triggered AI Analyst investigation. (example value: 'FALSE') |
+|`event.action` | `keyword` | The action captured by the event. |
 |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
 |`event.end` | `date` | event.end contains the date when the event ended or when the activity was last observed. |
 |`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
@@ -669,6 +765,8 @@ The following table lists the fields that are extracted, normalized under the EC
 |`host.hostname` | `keyword` | Hostname of the host. |
 |`host.id` | `keyword` | Unique host id. |
 |`host.ip` | `ip` | Host ip addresses. |
+|`host.mac` | `keyword` | Host MAC addresses. |
+|`host.name` | `keyword` | Name of the host. |
 |`observer.name` | `keyword` | Custom name of the observer. |
 |`observer.product` | `keyword` | The product name of the observer. |
 |`service.name` | `keyword` | Name of the service. |
diff --git a/_shared_content/operations_center/integrations/generated/9f47aa9f-52d7-4849-9462-cf7fc8bcd51a.md b/_shared_content/operations_center/integrations/generated/9f47aa9f-52d7-4849-9462-cf7fc8bcd51a.md
index 7bcc6717d6..718027abea
--- a/_shared_content/operations_center/integrations/generated/9f47aa9f-52d7-4849-9462-cf7fc8bcd51a.md
+++ b/_shared_content/operations_center/integrations/generated/9f47aa9f-52d7-4849-9462-cf7fc8bcd51a.md
@@ -53,7 +53,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "category": "IoT",
 "site_name": "Main",
 "subcategory": "Facilities",
- "uid": "2bad8dfb-0bf8-4dcc-87c6-a669c8a30933"
+ "type": "UPS"
 },
 "event_id": "11111111"
 }
@@ -72,6 +72,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 }
 },
 "host": {
+ "id": "2bad8dfb-0bf8-4dcc-87c6-a669c8a30933",
 "ip": [
 "1.2.3.4"
 ],
@@ -139,7 +140,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "category": "IT",
 "site_name": "Main",
 "subcategory": "Computers",
- "uid": "e74fc1c7-215c-4cd0-b266-df935b70221e"
+ "type": "PC"
 },
 "event_id": "51455158"
 }
@@ -158,6 +159,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 }
 },
 "host": {
+ "id": "e74fc1c7-215c-4cd0-b266-df935b70221e",
 "ip": [
 "1.2.3.4"
 ],
@@ -225,7 +227,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "category": "IT",
 "site_name": "Main",
 "subcategory": "Network",
- "uid": "e98cadb0-1838-4cc0-98f0-79d2a4678684"
+ "type": "Firewall"
 },
 "event_id": "51455159"
 }
@@ -244,6 +246,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 }
 },
 "host": {
+ "id": "e98cadb0-1838-4cc0-98f0-79d2a4678684",
 "ip": [
 "5.6.7.8"
 ],
@@ -311,7 +314,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "category": "IT",
 "site_name": "Main",
 "subcategory": "Servers",
- "uid": "71b2bde6-370d-4a00-840d-bd828de48364"
+ "type": "Server"
 },
 "event_id": "1111111",
 "sender_id": "NRLDV001"
@@ -331,6 +334,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "id": "BWMGLTVSTE"
 },
 "host": {
+ "id": "71b2bde6-370d-4a00-840d-bd828de48364",
 "ip": [
 "1.2.3.4"
 ],
@@ -388,6 +392,86 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 ```
+=== "test_malicius_communication.json"
+
+ ```json
+
+ {
+ "message": "CEF:0|Claroty|Claroty|0.0|838|alert_affected_device|5|alert_id=838 alert_type_name=Malicious Internet Communication alert_name=Malicious Internet Communication: 5.6.7.8 alert_category=Threat alert_description=Internet communication detected between reported malicious IP address 5.6.7.8 and 5 devices alert_device_status=Unresolved alert_labels=[] alert_assignees=[] alert_note=None alert_mitre_technique_ids=[] alert_mitre_technique_names=[] device_asset_id=NLDPEOR device_uid=32c289c4-95f8-467b-92be-ae425fc0ea85 device_mac_list=[None] device_ip_list=['1.2.3.4'] device_site_name=Lost & Found device_category=IT device_subcategory=Computers device_manufacturer=None device_type=PC device_type_family=PC device_model=None device_connection_type_list=['Ethernet'] device_network_list=['Corporate'] device_labels=[] device_assignees=[] device_note=None device_os=Windows 10/Server 20H1 20H1 external_ip=5.6.7.8 malicious_ip_type=c2_ip malicious_ip_severity=3 malicious_ip_confidence=85 malicious_ip_source=threatfox osint malicious_ip_threat_type=C2 geo_location=France domain=localhost",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "kind": "alert",
+ "severity": 5,
+ "type": [
+ "connection"
+ ]
+ },
+ "claroty": {
+ "xdome": {
+ "alert": {
+ "category": "Threat",
+ "description": "Internet communication detected between reported malicious IP address 5.6.7.8 and 5 devices",
+ "id": "838",
+ "name": "Malicious Internet Communication: 5.6.7.8"
+ },
+ "device": {
+ "category": "IT",
+ "site_name": "Lost & Found",
+ "subcategory": "Computers",
+ "type": "PC",
+ "type_family": "PC"
+ },
+ "malicious_ip": {
+ "confidence": "85",
+ "severity": "3",
+ "source": "threatfox osint",
+ "threat_type": "C2",
+ "type": "c2_ip"
+ }
+ }
+ },
+ "destination": {
+ "address": "localhost",
+ "domain": "localhost",
+ "ip":
"5.6.7.8"
+ },
+ "device": {
+ "id": "NLDPEOR"
+ },
+ "host": {
+ "id": "32c289c4-95f8-467b-92be-ae425fc0ea85",
+ "ip": [
+ "1.2.3.4"
+ ],
+ "mac": [
+ "null"
+ ],
+ "os": {
+ "full": "Windows 10/Server 20H1 20H1"
+ },
+ "type": "PC"
+ },
+ "observer": {
+ "product": "Claroty",
+ "vendor": "Claroty",
+ "version": "0.0"
+ },
+ "related": {
+ "hosts": [
+ "localhost"
+ ],
+ "ip": [
+ "1.2.3.4",
+ "5.6.7.8"
+ ]
+ }
+ }
+
+ ```
+
+
 === "test_phi_protocol.json"
 ```json
@@ -413,7 +497,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "category": "Industrial",
 "site_name": "Main",
 "subcategory": "Clinical Lab",
- "uid": "f257cf93-017d-42b7-9292-75dc8a8e248f"
+ "type": "Hematology Analyzer"
 },
 "event_id": "11111111"
 }
@@ -432,6 +516,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 }
 },
 "host": {
+ "id": "f257cf93-017d-42b7-9292-75dc8a8e248f",
 "ip": [
 "1.2.3.4"
 ],
@@ -494,7 +579,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "category": "IT",
 "site_name": "Main",
 "subcategory": "Computers",
- "uid": "6162cd8a-8dc8-40b2-8a4a-e7a922862505"
+ "type": "PC"
 },
 "event_id": "11111111"
 }
@@ -513,6 +598,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 }
 },
 "host": {
+ "id": "6162cd8a-8dc8-40b2-8a4a-e7a922862505",
 "ip": [
 "1.2.3.4"
 ],
@@ -559,12 +645,23 @@ The following table lists the fields that are extracted, normalized under the EC
 | Name | Type | Description |
 | ---- | ---- | ---------------------------|
 |`@timestamp` | `date` | Date/time when the event originated. |
+|`claroty.xdome.alert.category` | `keyword` | |
+|`claroty.xdome.alert.description` | `keyword` | |
+|`claroty.xdome.alert.id` | `keyword` | |
+|`claroty.xdome.alert.name` | `keyword` | |
+|`claroty.xdome.alert.type` | `keyword` | |
 |`claroty.xdome.client_id` | `keyword` | |
 |`claroty.xdome.device.category` | `keyword` | |
 |`claroty.xdome.device.site_name` | `keyword` | |
 |`claroty.xdome.device.subcategory` | `keyword` | |
-|`claroty.xdome.device.uid` | `keyword` | |
+|`claroty.xdome.device.type` | `keyword` | |
+|`claroty.xdome.device.type_family` | `keyword` | |
 |`claroty.xdome.event_id` | `keyword` | |
+|`claroty.xdome.malicious_ip.confidence` | `keyword` | |
+|`claroty.xdome.malicious_ip.severity` | `keyword` | |
+|`claroty.xdome.malicious_ip.source` | `keyword` | |
+|`claroty.xdome.malicious_ip.threat_type` | `keyword` | |
+|`claroty.xdome.malicious_ip.type` | `keyword` | |
 |`claroty.xdome.sender_id` | `keyword` | |
 |`destination.domain` | `keyword` | The domain name of the destination. |
 |`destination.ip` | `ip` | IP address of the destination. |
@@ -576,6 +673,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`event.reason` | `keyword` | Reason why this event happened, according to the source |
 |`event.severity` | `long` | Numeric severity of the event. |
 |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
+|`host.id` | `keyword` | Unique host id. |
 |`host.ip` | `ip` | Host ip addresses. |
 |`host.mac` | `keyword` | Host MAC addresses. |
 |`host.os.full` | `keyword` | Operating system name, including the version or code name. |