diff --git a/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md b/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md
index 0b440ea247..10d1c671e4 100644
--- a/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md
+++ b/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md
@@ -444,6 +444,126 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "mobile_detection_summary_1.json" + + ```json + + { + "message": "{\n \"metadata\": {\n \"customerIDString\": \"0123456789ABCDEFGHIJKLMNOPQRSTUV\",\n \"offset\": 701283,\n \"eventType\": \"MobileDetectionSummaryEvent\",\n \"eventCreationTime\": 1649420269000,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"SensorId\": \"85ae98xxxxxxd9a8f2\",\n \"MobileDetectionId\": 1310556238,\n \"ComputerName\": \"CS-SE-EZ64\",\n \"UserName\": \"demo\",\n \"ContextTimeStamp\": 1649061056,\n \"DetectId\": \"0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|1310556238\",\n \"DetectName\": \"AppSideloadDetected\",\n \"DetectDescription\": \"Apps are installed from outside the PlayStore. Trigger based on a System callback when apps are installed or updated.\",\n \"Tactic\": \"Insecure security posture\",\n \"TacticId\": \"CSTA0009\",\n \"Technique\": \"Bad device settings\",\n \"TechniqueId\": \"CST0024\",\n \"Objective\": \"Falcon Detection Method\",\n \"Severity\": 50,\n \"FalconHostLink\": \"https://falcon.crowdstrike.com/mobile/detections/0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|1310556238?_cid=0123456789ABCDEFGHIJKLMNOPQRSTUV\",\n \"MobileAppsDetails\": [\n {\n \"AppIdentifier\": \"com.facebook.katana\",\n \"AndroidAppLabel\": \"Facebook\",\n \"DexFileHashes\": \"abc456xxxxxxxxxxxxxxxxdef789\",\n \"ImageFileName\": \"/data/app/com.facebook.katana-djFExxxxxxxxxrkg==/base.apk\",\n \"AppInstallerInformation\": \"unknown\",\n \"IsBeingDebugged\": false,\n \"AndroidAppVersionName\": \"323.0.0.46.119\",\n \"IsContainerized\": false\n }\n ]\n }\n}", + "event": { + "category": [ + "intrusion_detection" + ], + "dataset": [ + "MobileDetection" + ], + "kind": "alert", + "severity": 50, + "type": "info", + "url": 
"https://falcon.crowdstrike.com/mobile/detections/0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|1310556238?_cid=0123456789ABCDEFGHIJKLMNOPQRSTUV" + }, + "@timestamp": "2022-04-08T12:17:49Z", + "agent": { + "id": "85ae98xxxxxxd9a8f2" + }, + "crowdstrike": { + "customer_id": "0123456789ABCDEFGHIJKLMNOPQRSTUV", + "detect_description": "Apps are installed from outside the PlayStore. Trigger based on a System callback when apps are installed or updated.", + "detect_id": "0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|1310556238", + "detect_name": "AppSideloadDetected", + "event_objective": "Falcon Detection Method", + "event_type": "MobileDetectionSummaryEvent" + }, + "host": { + "name": "CS-SE-EZ64" + }, + "observer": { + "product": "Falcon for Mobile", + "vendor": "CrowdStrike" + }, + "related": { + "user": [ + "demo" + ] + }, + "threat": { + "tactic": { + "id": "CSTA0009", + "name": "Insecure security posture" + }, + "technique": { + "id": "CST0024", + "name": "Bad device settings" + } + }, + "user": { + "name": "demo" + } + } + + ``` + + +=== "mobile_detection_summary_2.json" + + ```json + + { + "message": "{\n \"metadata\": {\n \"customerIDString\": \"0123456789ABCDEFGHIJKLMNOPQRSTUV\",\n \"offset\": 701283,\n \"eventType\": \"MobileDetectionSummaryEvent\",\n \"eventCreationTime\": 1649420269000,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"SensorId\": \"85ae98xxxxxxd9a8f2\",\n \"MobileDetectionId\": 1310556238,\n \"ComputerName\": \"CS-SE-EZ64\",\n \"UserName\": \"demo\",\n \"ContextTimeStamp\": 1649061056,\n \"DetectId\": \"0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|1310556238\",\n \"DetectName\": \"PlayIntegrityAppCheckFailed\",\n \"DetectDescription\": \"The Google Play Integrity application check for Falcon for Mobile failed. 
The application communicating with the cloud is not legitimate.\",\n \"Tactic\": \"Persistence\",\n \"TacticId\": \"TA0028\",\n \"Technique\": \"Compromise Application Executable\",\n \"TechniqueId\": \"T1577\",\n \"Objective\": \"Keep Access\",\n \"Severity\": 90,\n \"FalconHostLink\": \"https://falcon.crowdstrike.com/mobile/detections/0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|1310556238?_cid=0123456789ABCDEFGHIJKLMNOPQRSTUV\",\n \"VerifiedBootState\": 0,\n \"PlayIntegrityErrorList\": [\n 7,\n 12\n ],\n \"PlayIntegrityMeetsBasicIntegrity\": true,\n \"PlayIntegrityMeetsDeviceIntegrity\": true,\n \"PlayIntegrityMeetsStrongIntegrity\": true,\n \"SourceVendors\": \"CrowdStrike\",\n \"SourceProducts\": \"Falcon for Mobile\",\n \"DataDomains\": \"Endpoint\"\n }\n}", + "event": { + "category": [ + "intrusion_detection" + ], + "dataset": [ + "MobileDetection" + ], + "kind": "alert", + "severity": 90, + "type": "info", + "url": "https://falcon.crowdstrike.com/mobile/detections/0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|1310556238?_cid=0123456789ABCDEFGHIJKLMNOPQRSTUV" + }, + "@timestamp": "2022-04-08T12:17:49Z", + "agent": { + "id": "85ae98xxxxxxd9a8f2" + }, + "crowdstrike": { + "customer_id": "0123456789ABCDEFGHIJKLMNOPQRSTUV", + "detect_description": "The Google Play Integrity application check for Falcon for Mobile failed. 
The application communicating with the cloud is not legitimate.", + "detect_id": "0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|1310556238", + "detect_name": "PlayIntegrityAppCheckFailed", + "event_objective": "Keep Access", + "event_type": "MobileDetectionSummaryEvent" + }, + "host": { + "name": "CS-SE-EZ64" + }, + "observer": { + "product": "Falcon for Mobile", + "vendor": "CrowdStrike" + }, + "related": { + "user": [ + "demo" + ] + }, + "threat": { + "tactic": { + "id": "TA0028", + "name": "Persistence" + }, + "technique": { + "id": "T1577", + "name": "Compromise Application Executable" + } + }, + "user": { + "name": "demo" + } + } + + ``` + + === "module_event.json" ```json @@ -787,6 +907,7 @@ The following table lists the fields that are extracted, normalized under the EC |`crowdstrike.detect_name` | `keyword` | Name of the identity-based detection | |`crowdstrike.edge.subject_id` | `keyword` | The identifier of a parent vertex in the graph exploration | |`crowdstrike.edge.type` | `keyword` | The type of relationship with the subject | +|`crowdstrike.event_objective` | `keyword` | Objective of the event | |`crowdstrike.event_type` | `keyword` | Type of the event | |`crowdstrike.host_groups` | `keyword` | The ids of groups the host belongs to | |`crowdstrike.host_id` | `keyword` | The crowdstrike identifier of the host | 
@@ -809,6 +930,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`destination.port` | `long` | Port of the destination. |
 |`event.action` | `keyword` | The action captured by the event. |
 |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
+|`event.dataset` | `keyword` | Name of the dataset. |
 |`event.end` | `date` | event.end contains the date when the event ended or when the activity was last observed. |
 |`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
 |`event.reason` | `keyword` | Reason why this event happened, according to the source |
@@ -825,6 +947,9 @@ The following table lists the fields that are extracted, normalized under the EC
 |`host.ip` | `ip` | Host ip addresses. |
 |`host.mac` | `keyword` | Host MAC addresses. |
 |`host.name` | `keyword` | Name of the host. |
+|`network.application` | `keyword` | Application level protocol name. |
+|`observer.product` | `keyword` | The product name of the observer. |
+|`observer.vendor` | `keyword` | Vendor name of the observer. |
 |`process.command_line` | `wildcard` | Full command line that started the process. |
 |`process.end` | `date` | The time the process ended. |
 |`process.executable` | `keyword` | Absolute path to the process executable. |
@@ -848,7 +973,9 @@ The following table lists the fields that are extracted, normalized under the EC
 |`threat.indicator.description` | `keyword` | Indicator description |
 |`threat.indicator.file.hash.sha256` | `keyword` | SHA256 hash. |
 |`threat.indicator.type` | `keyword` | Type of indicator |
+|`threat.tactic.id` | `keyword` | Threat tactic id. |
 |`threat.tactic.name` | `keyword` | Threat tactic. |
+|`threat.technique.id` | `keyword` | Threat technique id. |
 |`threat.technique.name` | `keyword` | Threat technique name. |
 |`user.domain` | `keyword` | Name of the directory the user is a member of. |
 |`user.email` | `keyword` | User email address. |
diff --git a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md
index 2d13f520b4..303e8b5803 100644
--- a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md
+++ b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md
@@ -167,6 +167,205 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "alert_1.json" + + ```json + + { + "message": "{\n \"level_int\": 30,\n \"detection_origin\": \"agent\",\n \"threat_key\": \"2971\",\n \"log_type\": \"alert\",\n \"rule_name\": \"File Added/Modified in Startup Directory\",\n \"status\": \"new\",\n \"aggregation_key\": \"e9cb2440a0ef88bdf8133cb7d5e41b66a903ba84df49659a05720ee1ac1caa33\",\n \"tags\": [\n \"attack.persistence\",\n \"attack.t1547.001\"\n ],\n \"tenant\": \"\",\n \"level\": \"medium\",\n \"rule_id\": \"73d2962a-48ed-4fc1-937c-0a5bc688a072\",\n \"quarantine\": 4,\n \"alert_subtype\": \"process\",\n \"threat_values\": [],\n \"details_file\": {\n \"target_filename\": \"C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\DeepL auto-start.lnk\"\n },\n \"threat_type\": \"new\",\n \"groups\": [],\n \"alert_type\": \"sigma\",\n \"process\": {\n \"pe_info\": {\n \"file_description\": \"Windows Explorer\",\n \"product_version\": \"10.0.19041.1706\",\n \"file_version\": \"10.0.19041.1706 (WinBuild.160101.0800)\",\n \"company_name\": \"Microsoft Corporation\",\n \"product_name\": \"Microsoft\u00ae Windows\u00ae Operating System\",\n \"original_filename\": \"EXPLORER.EXE\",\n \"internal_name\": \"explorer\",\n \"pe_timestamp\": \"2019-11-01T20:27:45.000Z\",\n \"legal_copyright\": \"\u00a9 Microsoft Corporation. 
All rights reserved.\"\n },\n \"logonid\": 1111111,\n \"commandline\": \"C:\\\\Windows\\\\Explorer.EXE\",\n \"parent_unique_id\": \"27717f1b-edb4-49d7-aa3b-aab2e0beb389\",\n \"hashes\": {\n \"sha256\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\n \"sha1\": \"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc\",\n \"md5\": \"68b329da9893e34099c7d8ad5cb9c940\"\n },\n \"log_type\": \"process\",\n \"usersid\": \"S-1-5-21-1111111111-2222222222-3333333333-44444\",\n \"status\": 0,\n \"parent_integrity_level\": \"Medium\",\n \"size\": 5114880,\n \"pe_timestamp_int\": 1572640065,\n \"parent_image\": \"C:\\\\Windows\\\\System32\\\\userinit.exe\",\n \"process_unique_id\": \"762b5b06-dfcf-431e-8352-7b83d6ff7ed6\",\n \"session\": 1,\n \"ioc_matches\": [],\n \"pe_timestamp\": \"2019-11-01T20:27:45.000Z\",\n \"grandparent_image\": \"C:\\\\Windows\\\\System32\\\\winlogon.exe\",\n \"fake_parent_image\": \"\",\n \"signed\": true,\n \"process_name\": \"explorer.exe\",\n \"sigma_rule_content\": \"\",\n \"pid\": 11560,\n \"fake_ppid\": 0,\n \"fake_parent_commandline\": \"\",\n \"grandparent_integrity_level\": \"System\",\n \"current_directory\": \"C:\\\\Windows\\\\system32\\\\\",\n \"image_name\": \"C:\\\\Windows\\\\explorer.exe\",\n \"create_time\": \"2024-01-15T08:12:43.045Z\",\n \"ppid\": 6452,\n \"grandparent_commandline\": \"winlogon.exe\",\n \"log_platform_flag\": 0,\n \"parent_commandline\": \"C:\\\\Windows\\\\system32\\\\userinit.exe\",\n \"ancestors\": \"C:\\\\Windows\\\\System32\\\\userinit.exe|C:\\\\Windows\\\\System32\\\\winlogon.exe\",\n \"integrity_level\": \"Medium\",\n \"username\": \"EXAMPLE\\\\jdoe\"\n },\n \"alert_unique_id\": \"44c633d9-b38d-4acb-87a5-7db9bd8ab38a\",\n \"type\": \"rtlogs\",\n \"execution\": 0,\n \"alert_time\": \"2024-01-15T08:13:47.621+00:00\",\n \"image_name\": \"C:\\\\Windows\\\\explorer.exe\",\n \"mitre_cells\": [\n \"persistence__t1547.001\"\n ],\n \"@event_create_date\": \"2024-01-15T08:13:47.621Z\",\n \"@version\": \"1\",\n 
\"maturity\": \"stable\",\n \"agent\": {\n \"additional_info\": null,\n \"agentid\": \"d82e1ff6-f268-42a1-9091-df230fb3c85e\",\n \"groups\": [\n {\n \"id\": \"ba5a8596-5bfc-401a-a46e-1111f7d35a23\",\n \"name\": \"EXAMPLE\"\n }\n ],\n \"osversion\": \"10.0.19042\",\n \"osproducttype\": \"Windows 10 Pro\",\n \"domainname\": \"EXAMPLE\",\n \"distroid\": null,\n \"ostype\": \"windows\",\n \"hostname\": \"PL-3049\",\n \"version\": \"3.2.5\",\n \"dnsdomainname\": \"example.org\",\n \"domain\": null\n },\n \"@timestamp\": \"2024-01-15T08:14:59.497966Z\",\n \"msg\": \"Detects when a file is added or modified in the startup directory\"\n}", + "event": { + "category": [ + "process" + ], + "dataset": "alert", + "kind": "alert", + "type": [ + "start" + ] + }, + "@timestamp": "2024-01-15T08:13:47.621000Z", + "agent": { + "id": "d82e1ff6-f268-42a1-9091-df230fb3c85e", + "name": "harfanglab" + }, + "file": { + "hash": { + "md5": "68b329da9893e34099c7d8ad5cb9c940", + "sha1": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc", + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + }, + "name": "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\DeepL auto-start.lnk" + }, + "harfanglab": { + "aggregation_key": "e9cb2440a0ef88bdf8133cb7d5e41b66a903ba84df49659a05720ee1ac1caa33", + "alert_subtype": "process", + "alert_time": "2024-01-15T08:13:47.621+00:00", + "alert_unique_id": "44c633d9-b38d-4acb-87a5-7db9bd8ab38a", + "execution": 0, + "groups": [], + "level": "medium", + "status": "new" + }, + "host": { + "domain": "EXAMPLE", + "hostname": "PL-3049", + "name": "PL-3049", + "os": { + "full": "Windows 10 Pro", + "version": "10.0.19042" + } + }, + "log": { + "hostname": "PL-3049" + }, + "process": { + "command_line": "C:\\Windows\\Explorer.EXE", + "executable": "C:\\Windows\\explorer.exe", + "name": "explorer.exe", + "parent": { + "command_line": "C:\\Windows\\system32\\userinit.exe", + "executable": 
"C:\\Windows\\System32\\userinit.exe" + }, + "pe": { + "company": "Microsoft Corporation", + "description": "Windows Explorer", + "file_version": "10.0.19041.1706 (WinBuild.160101.0800)", + "original_file_name": "EXPLORER.EXE", + "product": "Microsoft\u00ae Windows\u00ae Operating System" + }, + "pid": 11560, + "working_directory": "C:\\Windows\\system32\\" + }, + "related": { + "hash": [ + "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", + "68b329da9893e34099c7d8ad5cb9c940", + "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc" + ], + "hosts": [ + "PL-3049" + ], + "user": [ + "EXAMPLE\\jdoe" + ] + }, + "rule": { + "category": "sigma", + "description": "Detects when a file is added or modified in the startup directory", + "id": "73d2962a-48ed-4fc1-937c-0a5bc688a072", + "name": "File Added/Modified in Startup Directory" + }, + "user": { + "name": "EXAMPLE\\jdoe" + } + } + + ``` + + +=== "alert_2.json" + + ```json + + { + "message": "{\n \"type\": \"rtlogs\",\n \"mitre_cells\": [\n \"persistence__t1547.001\"\n ],\n \"level_int\": 30,\n \"quarantine\": 4,\n \"detection_origin\": \"agent\",\n \"alert_type\": \"sigma\",\n \"@timestamp\": \"2024-01-17T08:25:58.942517Z\",\n \"details_registry\": {\n \"details\": \"\\\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Chrome\\\\5.25.0\\\\chromium\\\\chromium.exe\\\" --no-startup-window /prefetch:5\",\n \"event_type\": \"SetValue\",\n \"target_object\": \"HKU\\\\S-1-5-21-111111111-222222222222-3333333333-4444\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\GoogleChromeAutoLaunch_292993993B6DCE00DC4A6B0723EC700E\"\n },\n \"rule_id\": \"00000000-0000-0000-0000-000000000000\",\n \"maturity\": \"stable\",\n \"image_name\": \"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Chrome\\\\5.25.0\\\\chromium\\\\chromium.exe\",\n \"alert_unique_id\": \"00000000-0000-0000-0000-000000000000\",\n \"tenant\": \"\",\n \"@event_create_date\": \"2024-01-17T08:19:06.071Z\",\n \"threat_key\": 2912,\n \"level\": \"medium\",\n 
\"log_type\": \"alert\",\n \"agent\": {\n \"ostype\": \"windows\",\n \"osversion\": \"10.0.19042\",\n \"additional_info\": null,\n \"domainname\": \"EXAMPLE\",\n \"version\": \"3.2.9\",\n \"domain\": null,\n \"osproducttype\": \"Windows 10 Pro\",\n \"dnsdomainname\": \"example.org\",\n \"agentid\": \"00000000-0000-0000-0000-000000000000\",\n \"distroid\": null,\n \"hostname\": \"PL3024\"\n },\n \"threat_values\": [\n \":\\\\users\\\\\\\\appdata\\\\local\\\\onelaunch\\\\5.25.0\\\\chromium\\\\chromium.exe --no-startup-window /prefetch:5\"\n ],\n \"execution\": 0,\n \"msg\": \"Detects when an suspicious entry is added/modified in one of the autostart extensibility point (ASEP) in the registry.\\n An attacker may achieve persistence by referencing a program with a registry run key.\\n It is recommended to investigate the process that added the key as well as the target of the registry key for malicious content.\",\n \"threat_type\": \"commandline\",\n \"@version\": \"1\",\n \"process\": {\n \"parent_commandline\": \"C:\\\\Windows\\\\Explorer.EXE\",\n \"pe_timestamp\": \"2023-10-11T05:50:38.000Z\",\n \"fake_parent_image\": \"\",\n \"size\": 1802200,\n \"pe_timestamp_int\": 1697003438,\n \"ppid\": 3132,\n \"grandparent_integrity_level\": \"Medium\",\n \"fake_ppid\": 0,\n \"dont_create_process\": true,\n \"log_platform_flag\": 0,\n \"image_name\": \"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Chrome\\\\5.25.0\\\\chromium\\\\chromium.exe\",\n \"current_directory\": \"C:\\\\Windows\\\\system32\\\\\",\n \"parent_integrity_level\": \"Medium\",\n \"log_type\": \"process\",\n \"ancestors\": \"C:\\\\Windows\\\\explorer.exe|C:\\\\Windows\\\\System32\\\\userinit.exe|C:\\\\Windows\\\\System32\\\\winlogon.exe\",\n \"username\": \"EXAMPLE\\\\jdoe\",\n \"fake_parent_commandline\": \"\",\n \"grandparent_commandline\": \"C:\\\\Windows\\\\system32\\\\userinit.exe\",\n \"parent_image\": \"C:\\\\Windows\\\\explorer.exe\",\n \"process_name\": \"chromium.exe\",\n \"pe_info\": {\n 
\"legal_copyright\": \"Copyright 2018\",\n \"pe_timestamp\": \"2023-10-11T05:50:38.000Z\",\n \"file_version\": \"118.0.0.0\",\n \"product_version\": \"118.0.0.0\",\n \"internal_name\": \"chromium_exe\",\n \"file_description\": \"Chrome\",\n \"company_name\": \"Chrome\",\n \"original_filename\": \"chromium.exe\",\n \"product_name\": \"Chrome\"\n },\n \"session\": 1,\n \"ioc_matches\": [],\n \"signature_info\": {\n \"signed_authenticode\": true,\n \"signer_info\": {\n \"serial_number\": \"08eb9739b29536226513191ec7264032\",\n \"issuer_name\": \"DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1\",\n \"display_name\": \"GOOGLE INC.\",\n \"thumbprint_sha256\": \"9ef74106802ed78fc995f2b01aeaecebc1a60a7479a257f405d3520d19eaacff\",\n \"thumbprint\": \"dcc4e5f8c45b3139dd88ce1e42a224013b81d55e\"\n },\n \"signed_catalog\": false,\n \"root_info\": {\n \"serial_number\": \"059b1b579e8e2132e23907bda777755c\",\n \"issuer_name\": \"DigiCert Trusted Root G4\",\n \"display_name\": \"DigiCert Trusted Root G4\",\n \"thumbprint_sha256\": \"552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988\",\n \"thumbprint\": \"ddfb16cd4931c973a2037d3fc83a4d7d775d05e4\"\n }\n },\n \"parent_unique_id\": \"00000000-0000-0000-0000-000000000000\",\n \"create_time\": \"2024-01-17T08:18:59.297Z\",\n \"grandparent_image\": \"C:\\\\Windows\\\\System32\\\\userinit.exe\",\n \"integrity_level\": \"Medium\",\n \"commandline\": \"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Chrome\\\\5.25.0\\\\chromium\\\\chromium.exe --no-startup-window /prefetch:5\",\n \"pid\": 11888,\n \"usersid\": \"S-1-5-21-111111111-222222222222-3333333333-4444\",\n \"hashes\": {\n \"sha1\": \"7f50d8c3cf3ec79122a876e969bdb65d939becd0\",\n \"sha256\": \"76eac7b5f53e0d58a98d5a6ddf9c97e19d1462ef65c0035d7798f89988b15ab4\",\n \"md5\": \"0a4448b31ce7f83cb7691a2657f330f1\"\n },\n \"status\": 0,\n \"logonid\": 3041508,\n \"process_unique_id\": \"00000000-0000-0000-0000-000000000000\",\n \"signed\": true\n },\n \"status\": 
\"new\",\n \"groups\": [\n {\n \"name\": \"EXAMPLE\",\n \"id\": \"00000000-0000-0000-0000-000000000000\"\n }\n ],\n \"alert_time\": \"2024-01-17T08:19:06.071+00:00\",\n \"rule_name\": \"Registry Autorun Key Added\",\n \"alert_subtype\": \"process\",\n \"tags\": [\n \"attack.persistence\",\n \"attack.t1112\",\n \"attack.t1547.001\"\n ]\n}", + "event": { + "category": [ + "process" + ], + "dataset": "alert", + "kind": "alert", + "type": [ + "start" + ] + }, + "@timestamp": "2024-01-17T08:19:06.071000Z", + "agent": { + "id": "00000000-0000-0000-0000-000000000000", + "name": "harfanglab" + }, + "file": { + "hash": { + "md5": "0a4448b31ce7f83cb7691a2657f330f1", + "sha1": "7f50d8c3cf3ec79122a876e969bdb65d939becd0", + "sha256": "76eac7b5f53e0d58a98d5a6ddf9c97e19d1462ef65c0035d7798f89988b15ab4" + } + }, + "harfanglab": { + "alert_subtype": "process", + "alert_time": "2024-01-17T08:19:06.071+00:00", + "alert_unique_id": "00000000-0000-0000-0000-000000000000", + "execution": 0, + "groups": [ + "{\"id\": \"00000000-0000-0000-0000-000000000000\", \"name\": \"EXAMPLE\"}" + ], + "level": "medium", + "status": "new" + }, + "host": { + "domain": "EXAMPLE", + "hostname": "PL3024", + "name": "PL3024", + "os": { + "full": "Windows 10 Pro", + "version": "10.0.19042" + } + }, + "log": { + "hostname": "PL3024" + }, + "process": { + "command_line": "C:\\Users\\jdoe\\AppData\\Local\\Chrome\\5.25.0\\chromium\\chromium.exe --no-startup-window /prefetch:5", + "executable": "C:\\Users\\jdoe\\AppData\\Local\\Chrome\\5.25.0\\chromium\\chromium.exe", + "name": "chromium.exe", + "parent": { + "command_line": "C:\\Windows\\Explorer.EXE", + "executable": "C:\\Windows\\explorer.exe" + }, + "pe": { + "company": "Chrome", + "description": "Chrome", + "file_version": "118.0.0.0", + "original_file_name": "chromium.exe", + "product": "Chrome" + }, + "pid": 11888, + "working_directory": "C:\\Windows\\system32\\" + }, + "registry": { + "hive": "HKU", + "key": 
"S-1-5-21-111111111-222222222222-3333333333-4444\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", + "path": "HKU\\S-1-5-21-111111111-222222222222-3333333333-4444\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\GoogleChromeAutoLaunch_292993993B6DCE00DC4A6B0723EC700E", + "value": "\"C:\\Users\\jdoe\\AppData\\Local\\Chrome\\5.25.0\\chromium\\chromium.exe\" --no-startup-window /prefetch:5" + }, + "related": { + "hash": [ + "0a4448b31ce7f83cb7691a2657f330f1", + "76eac7b5f53e0d58a98d5a6ddf9c97e19d1462ef65c0035d7798f89988b15ab4", + "7f50d8c3cf3ec79122a876e969bdb65d939becd0" + ], + "hosts": [ + "PL3024" + ], + "user": [ + "EXAMPLE\\jdoe" + ] + }, + "rule": { + "category": "sigma", + "description": "Detects when an suspicious entry is added/modified in one of the autostart extensibility point (ASEP) in the registry.\n An attacker may achieve persistence by referencing a program with a registry run key.\n It is recommended to investigate the process that added the key as well as the target of the registry key for malicious content.", + "id": "00000000-0000-0000-0000-000000000000", + "name": "Registry Autorun Key Added" + }, + "user": { + "name": "EXAMPLE\\jdoe", + "roles": "EXAMPLE" + } + } + + ``` + + === "alert_false_positive.json" ```json