From b7d8ab74bcb27394abda3b9b5cadfe57b550322a Mon Sep 17 00:00:00 2001 
From: "sekoia-io-cross-repo-comm-app[bot]" <99295792+sekoia-io-cross-repo-comm-app[bot]@users.noreply.github.com>
Date: Tue, 1 Oct 2024 15:18:57 +0000
Subject: [PATCH] Refresh intakes documentation

---
 .../05e6f36d-cee0-4f06-b575-9e43af779f9f.md | 70 +
 ...f36d-cee0-4f06-b575-9e43af779f9f_sample.md | 63 +
 .../3c7057d3-4689-4fae-8033-6f1f887a70f2.md | 12 +
 .../466aeca2-e112-4ccc-a109-c6d85b91bbcf.md | 150 ++
 ...eca2-e112-4ccc-a109-c6d85b91bbcf_sample.md | 32 +
 .../6c2a44e3-a86a-4d98-97a6-d575ffcb29f7.md | 18 +-
 ...44e3-a86a-4d98-97a6-d575ffcb29f7_sample.md | 2 +-
 .../9281438c-f7c3-4001-9bcc-45fd108ba1be.md | 193 ++
 ...438c-f7c3-4001-9bcc-45fd108ba1be_sample.md | 85 +
 .../a14b1141-2d61-414b-bf79-da99b487b1af.md | 27 +
 ...1141-2d61-414b-bf79-da99b487b1af_sample.md | 8 +
 .../a9c959ac-78ec-47a4-924e-8156a77cebf5.md | 87 +
 ...59ac-78ec-47a4-924e-8156a77cebf5_sample.md | 127 ++
 .../ab25af2e-4916-40ba-955c-34d2301c1f51.md | 8 +-
 ...af2e-4916-40ba-955c-34d2301c1f51_sample.md | 2 +-
 .../acd3374a-9738-4650-9d20-bd0a22daac40.md | 22 +
 .../aeb7d407-db57-44b2-90b6-7df6738d5d7f.md | 45 +
 ...d407-db57-44b2-90b6-7df6738d5d7f_sample.md | 8 +
 ...> bba2bed2-d925-440f-a0ce-dbcae04eaf26.md} | 17 +-
 ...ed2-d925-440f-a0ce-dbcae04eaf26_sample.md} | 0
 .../e9fbba55-89c2-4b6c-ad15-9a46412dd680.md | 1661 +++++++++++++++++
 ...ba55-89c2-4b6c-ad15-9a46412dd680_sample.md | 1313 +++++++++++++
 22 files changed, 3936 insertions(+), 14 deletions(-)
 rename _shared_content/operations_center/integrations/generated/{0825709a-5f76-441e-9dfb-2b5ea6ce551c.md => bba2bed2-d925-440f-a0ce-dbcae04eaf26.md} (99%)
 rename _shared_content/operations_center/integrations/generated/{0825709a-5f76-441e-9dfb-2b5ea6ce551c_sample.md => bba2bed2-d925-440f-a0ce-dbcae04eaf26_sample.md} (100%)
 create mode 100644 _shared_content/operations_center/integrations/generated/e9fbba55-89c2-4b6c-ad15-9a46412dd680.md
 create mode 100644 _shared_content/operations_center/integrations/generated/e9fbba55-89c2-4b6c-ad15-9a46412dd680_sample.md
diff --git a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md
index 0f6cd024fb..63244c9cd8 100644
--- a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md
+++ b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md
@@ -421,6 +421,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "destination": {
 "address": "1.2.3.4",
 "ip": "1.2.3.4",
+ "mac": "84:fa:b1:70:bf:8e",
 "port": 56468
 },
 "host": {
@@ -452,6 +453,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "source": {
 "address": "5.6.7.8",
 "ip": "5.6.7.8",
+ "mac": "80:95:bb:71:95:aa",
 "port": 443
 }
 }
@@ -481,6 +483,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "destination": {
 "address": "1.2.3.4",
 "ip": "1.2.3.4",
+ "mac": "b0:df:72:9d:29:9b",
 "port": 7680
 },
 "host": {
@@ -512,6 +515,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "source": {
 "address": "5.6.7.8",
 "ip": "5.6.7.8",
+ "mac": "10:9f:4b:3c:50:d7",
 "port": 56499
 }
 }
@@ -1121,6 +1125,68 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ```
 
 
+=== "test_device_network_connection.json"
+
+ ```json
+
+ {
+ "message": "{\"time\":\"2024-09-30T14:02:12.4790551Z\",\"tenantId\":\"d9eae684-f70a-4ac1-b304-53de40a8db56\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceNetworkEvents\",\"_TimeReceivedBySvc\":\"2024-09-30T14:01:00.5234998Z\",\"properties\":{\"DeviceName\":\"ml022\",\"DeviceId\":\"dbe5c34434fb4792bea6874dd0b1f107\",\"ReportId\":21118,\"RemoteIP\":\"1.2.3.4\",\"RemotePort\":57410,\"LocalIP\":\"5.6.7.8\",\"LocalPort\":7680,\"Protocol\":\"TcpV4\",\"RemoteUrl\":null,\"InitiatingProcessCreationTime\":null,\"InitiatingProcessId\":0,\"InitiatingProcessCommandLine\":null,\"InitiatingProcessParentCreationTime\":null,\"InitiatingProcessParentId\":0,\"InitiatingProcessParentFileName\":null,\"InitiatingProcessSHA1\":null,\"InitiatingProcessMD5\":null,\"InitiatingProcessFolderPath\":null,\"InitiatingProcessAccountName\":null,\"InitiatingProcessAccountDomain\":null,\"InitiatingProcessAccountSid\":null,\"InitiatingProcessFileName\":null,\"InitiatingProcessIntegrityLevel\":null,\"InitiatingProcessTokenElevation\":\"None\",\"AppGuardContainerId\":\"\",\"LocalIPType\":null,\"RemoteIPType\":null,\"ActionType\":\"ConnectionAttempt\",\"InitiatingProcessSHA256\":null,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AdditionalFields\":\"{\\\"direction\\\":\\\"In\\\",\\\"Source Mac\\\":\\\"0a:ac:f5:b4:e6:37\\\",\\\"Destination Mac\\\":\\\"18:e8:f8:74:c9:0d\\\",\\\"Tcp Flags\\\":2,\\\"Packet Size\\\":66}\",\"InitiatingProcessFileSize\":null,\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"InitiatingProcessSessionId\":null,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-09-30T14:00:41.9341182Z\",\"MachineGroup\":\"Windows 10/11 - remediate threats automatically\"},\"Tenant\":\"DefaultTenant\"}\n",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "dataset": "device_network_events",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-09-30T14:00:41.934118Z",
+ "action": {
+ "type": "ConnectionAttempt"
+ },
+ "destination": {
+ "address": "5.6.7.8",
+ "ip": "5.6.7.8",
+ "mac": "0a:ac:f5:b4:e6:37",
+ "port": 7680
+ },
+ "host": {
+ "id": "dbe5c34434fb4792bea6874dd0b1f107",
+ "name": "ml022"
+ },
+ "microsoft": {
+ "defender": {
+ "report": {
+ "id": "21118"
+ }
+ }
+ },
+ "network": {
+ "protocol": "TcpV4"
+ },
+ "process": {
+ "parent": {
+ "pid": 0
+ },
+ "pid": 0
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4",
+ "5.6.7.8"
+ ]
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4",
+ "mac": "18:e8:f8:74:c9:0d",
+ "port": 57410
+ }
+ }
+
+ ```
+
+
 === "test_device_network_events.json"
 
 ```json
@@ -2135,6 +2201,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "destination": {
 "address": "5.6.7.8",
 "ip": "5.6.7.8",
+ "mac": "0a:ac:f5:b4:e6:37",
 "port": 443
 },
 "host": {
@@ -2166,6 +2233,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "source": {
 "address": "1.2.3.4",
 "ip": "1.2.3.4",
+ "mac": "18:e8:f8:74:c9:0d",
 "port": 46112
 }
 }
@@ -2367,6 +2435,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`container.id` | `keyword` | Unique container id. |
 |`container.runtime` | `keyword` | Runtime managing this container. |
 |`destination.ip` | `ip` | IP address of the destination. |
+|`destination.mac` | `keyword` | MAC address of the destination. |
 |`destination.port` | `long` | Port of the destination. |
 |`email.attachments` | `nested` | List of objects describing the attachments. |
 |`email.from.address` | `keyword` | The email address of the sender, typically from the RFC 5322 From: header field |
@@ -2473,6 +2542,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`source.geo.city_name` | `keyword` | City name. |
 |`source.geo.country_iso_code` | `keyword` | Country ISO code. |
 |`source.ip` | `ip` | IP address of the source. |
+|`source.mac` | `keyword` | MAC address of the source. |
 |`source.port` | `long` | Port of the source. |
 |`threat.technique.name` | `keyword` | Threat technique name. |
 |`url.domain` | `keyword` | Domain of the url. |
diff --git a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f_sample.md b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f_sample.md
index 1ad2cc8355..b7e38a6507 100644
--- a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f_sample.md
+++ b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f_sample.md
@@ -861,6 +861,69 @@ In this section, you will find examples of raw logs as generated natively by the
 
 
 
+=== "test_device_network_connection"
+
+
+ ```json
+ {
+ "time": "2024-09-30T14:02:12.4790551Z",
+ "tenantId": "d9eae684-f70a-4ac1-b304-53de40a8db56",
+ "operationName": "Publish",
+ "category": "AdvancedHunting-DeviceNetworkEvents",
+ "_TimeReceivedBySvc": "2024-09-30T14:01:00.5234998Z",
+ "properties": {
+ "DeviceName": "ml022",
+ "DeviceId": "dbe5c34434fb4792bea6874dd0b1f107",
+ "ReportId": 21118,
+ "RemoteIP": "1.2.3.4",
+ "RemotePort": 57410,
+ "LocalIP": "5.6.7.8",
+ "LocalPort": 7680,
+ "Protocol": "TcpV4",
+ "RemoteUrl": null,
+ "InitiatingProcessCreationTime": null,
+ "InitiatingProcessId": 0,
+ "InitiatingProcessCommandLine": null,
+ "InitiatingProcessParentCreationTime": null,
+ "InitiatingProcessParentId": 0,
+ "InitiatingProcessParentFileName": null,
+ "InitiatingProcessSHA1": null,
+ "InitiatingProcessMD5": null,
+ "InitiatingProcessFolderPath": null,
+ "InitiatingProcessAccountName": null,
+ "InitiatingProcessAccountDomain": null,
+ "InitiatingProcessAccountSid": null,
+ "InitiatingProcessFileName": null,
+ "InitiatingProcessIntegrityLevel": null,
+ "InitiatingProcessTokenElevation": "None",
+ "AppGuardContainerId": "",
+ "LocalIPType": null,
+ "RemoteIPType": null,
+ "ActionType": "ConnectionAttempt",
+ "InitiatingProcessSHA256": null,
+ "InitiatingProcessAccountUpn": null,
+ "InitiatingProcessAccountObjectId": null,
+ "AdditionalFields": "{\"direction\":\"In\",\"Source Mac\":\"0a:ac:f5:b4:e6:37\",\"Destination Mac\":\"18:e8:f8:74:c9:0d\",\"Tcp Flags\":2,\"Packet Size\":66}",
+ "InitiatingProcessFileSize": null,
+ "InitiatingProcessVersionInfoCompanyName": null,
+ "InitiatingProcessVersionInfoProductName": null,
+ "InitiatingProcessVersionInfoProductVersion": null,
+ "InitiatingProcessVersionInfoInternalFileName": null,
+ "InitiatingProcessVersionInfoOriginalFileName": null,
+ "InitiatingProcessVersionInfoFileDescription": null,
+ "InitiatingProcessSessionId": null,
+ "IsInitiatingProcessRemoteSession": false,
+ "InitiatingProcessRemoteSessionDeviceName": null,
+ "InitiatingProcessRemoteSessionIP": null,
+ "Timestamp": "2024-09-30T14:00:41.9341182Z",
+ "MachineGroup": "Windows 10/11 - remediate threats automatically"
+ },
+ "Tenant": "DefaultTenant"
+ }
+ ```
+
+
+
 === "test_device_network_events"
 
 
diff --git a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md
index 5d9aa0cb0c..74f084bbd6 100644
--- a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md
+++ b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md
@@ -2340,11 +2340,15 @@ The following table lists the fields that are extracted, normalized under the EC
 |`action.properties.CallerProcessName` | `keyword` | |
 |`action.properties.CategoryID` | `keyword` | |
 |`action.properties.CategoryName` | `keyword` | |
+|`action.properties.CertIssuerName` | `keyword` | |
+|`action.properties.CertSerialNumber` | `keyword` | |
+|`action.properties.CertThumbprint` | `keyword` | |
 |`action.properties.ClientProcessId` | `keyword` | |
 |`action.properties.ClientProcessStartKey` | `keyword` | |
 |`action.properties.DetectionID` | `keyword` | |
 |`action.properties.DetectionTime` | `keyword` | |
 |`action.properties.DetectionUser` | `keyword` | |
+|`action.properties.Domain` | `keyword` | |
 |`action.properties.ElevatedToken` | `keyword` | |
 |`action.properties.EngineVersion` | `keyword` | |
 |`action.properties.Engineup-to-date` | `keyword` | |
@@ -2386,6 +2390,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`action.properties.LogonGuid` | `keyword` | |
 |`action.properties.LogonProcessName` | `keyword` | |
 |`action.properties.LogonType` | `keyword` | |
+|`action.properties.MemberName` | `keyword` | |
 |`action.properties.NRIengineversion` | `keyword` | |
 |`action.properties.NRIsecurityintelligenceversion` | `keyword` | |
 |`action.properties.NotValidAfter` | `keyword` | |
@@ -2401,7 +2406,9 @@ The following table lists the fields that are extracted, normalized under the EC
 |`action.properties.Platformversion` | `keyword` | |
 |`action.properties.PolicyBits` | `keyword` | |
 |`action.properties.PostCleanStatus` | `keyword` | |
+|`action.properties.PreAuthType` | `keyword` | |
 |`action.properties.PreExecutionStatus` | `keyword` | |
+|`action.properties.PrivilegeList` | `keyword` | |
 |`action.properties.ProcessId` | `keyword` | |
 |`action.properties.ProcessName` | `keyword` | |
 |`action.properties.ProcessNameBuffer` | `keyword` | |
@@ -2426,6 +2433,8 @@ The following table lists the fields that are extracted, normalized under the EC
 |`action.properties.ScriptBlockText` | `keyword` | |
 |`action.properties.SecureRequired` | `keyword` | |
 |`action.properties.SecurityintelligenceVersion` | `keyword` | |
+|`action.properties.ServiceName` | `keyword` | |
+|`action.properties.ServiceSid` | `keyword` | |
 |`action.properties.SeverityID` | `keyword` | |
 |`action.properties.SeverityName` | `keyword` | |
 |`action.properties.ShareLocalPath` | `keyword` | |
@@ -2460,6 +2469,8 @@ The following table lists the fields that are extracted, normalized under the EC
 |`action.properties.TaskName` | `keyword` | |
 |`action.properties.ThreatID` | `keyword` | |
 |`action.properties.ThreatName` | `keyword` | |
+|`action.properties.TicketEncryptionType` | `keyword` | |
+|`action.properties.TicketOptions` | `keyword` | |
 |`action.properties.TotalSignatureCount` | `keyword` | |
 |`action.properties.TransmittedServices` | `keyword` | |
 |`action.properties.TypeID` | `keyword` | |
@@ -2470,6 +2481,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`action.properties.Unused4` | `keyword` | |
 |`action.properties.Unused5` | `keyword` | |
 |`action.properties.Unused6` | `keyword` | |
+|`action.properties.User` | `keyword` | |
 |`action.properties.ValidatedPolicy` | `keyword` | |
 |`action.properties.ValidatedSigningLevel` | `keyword` | |
 |`action.properties.VerificationError` | `keyword` | |
diff --git a/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md b/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md
index eeb2943ce3..a55c7471a3 100644
--- a/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md
+++ b/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md
@@ -592,6 +592,39 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ```
 
 
+=== "test_ASA_111008.json"
+
+ ```json
+
+ {
+ "message": "%ASA-5-111008: User 'admintufin' executed the 'login' command",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "code": "111008"
+ },
+ "action": {
+ "name": "login",
+ "target": "network-traffic"
+ },
+ "observer": {
+ "product": "Adaptive Security Appliance",
+ "vendor": "Cisco"
+ },
+ "related": {
+ "user": [
+ "admintufin"
+ ]
+ },
+ "user": {
+ "name": "admintufin"
+ }
+ }
+
+ ```
+
+
 === "test_ASA_113004.json"
 
 ```json
@@ -635,6 +668,42 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ```
 
 
+=== "test_ASA_113012.json"
+
+ ```json
+
+ {
+ "message": "%ASA-6-113012: AAA user authentication Successful : local database : user = admintufin",
+ "event": {
+ "category": [
+ "authentication"
+ ],
+ "code": "113012",
+ "outcome": "success",
+ "type": [
+ "start"
+ ]
+ },
+ "action": {
+ "target": "network-traffic"
+ },
+ "observer": {
+ "product": "Adaptive Security Appliance",
+ "vendor": "Cisco"
+ },
+ "related": {
+ "user": [
+ "admintufin"
+ ]
+ },
+ "user": {
+ "name": "admintufin"
+ }
+ }
+
+ ```
+
+
 === "test_ASA_199019.json"
 
 ```json
@@ -1312,6 +1381,87 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ```
 
 
+=== "test_ASA_611101.json"
+
+ ```json
+
+ {
+ "message": "%ASA-6-611101: User authentication succeeded: IP address: 0.0.0.0, Uname: admintufin",
+ "event": {
+ "category": [
+ "authentication"
+ ],
+ "code": "611101",
+ "outcome": "success",
+ "type": [
+ "info"
+ ]
+ },
+ "action": {
+ "name": "succeeded",
+ "target": "network-traffic"
+ },
+ "observer": {
+ "product": "Adaptive Security Appliance",
+ "vendor": "Cisco"
+ },
+ "related": {
+ "ip": [
+ "0.0.0.0"
+ ],
+ "user": [
+ "admintufin"
+ ]
+ },
+ "source": {
+ "address": "0.0.0.0",
+ "ip": "0.0.0.0"
+ },
+ "user": {
+ "name": "admintufin"
+ }
+ }
+
+ ```
+
+
+=== "test_ASA_611103.json"
+
+ ```json
+
+ {
+ "message": "%ASA-5-611103: User logged out: Uname: admintufin",
+ "event": {
+ "category": [
+ "authentication"
+ ],
+ "code": "611103",
+ "outcome": "success",
+ "type": [
+ "end"
+ ]
+ },
+ "action": {
+ "name": "logged out",
+ "target": "network-traffic"
+ },
+ "observer": {
+ "product": "Adaptive Security Appliance",
+ "vendor": "Cisco"
+ },
+ "related": {
+ "user": [
+ "admintufin"
+ ]
+ },
+ "user": {
+ "name": "admintufin"
+ }
+ }
+
+ ```
+
+
 === "test_ASA_716058.json"
 
 ```json
diff --git a/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf_sample.md b/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf_sample.md
index 4dc67469a3..1abdbd7980 100644
--- a/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf_sample.md
+++ b/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf_sample.md
@@ -92,6 +92,14 @@ In this section, you will find examples of raw logs as generated natively by the
 
 
 
+=== "test_ASA_111008"
+
+ ```
+ %ASA-5-111008: User 'admintufin' executed the 'login' command
+ ```
+
+
+
 === "test_ASA_113004"
 
 ```
@@ -100,6 +108,14 @@ In this section, you will find examples of raw logs as generated natively by the
 
 
 
+=== "test_ASA_113012"
+
+ ```
+ %ASA-6-113012: AAA user authentication Successful : local database : user = admintufin
+ ```
+
+
+
 === "test_ASA_199019"
 
 ```
@@ -212,6 +228,22 @@ In this section, you will find examples of raw logs as generated natively by the
 
 
 
+=== "test_ASA_611101"
+
+ ```
+ %ASA-6-611101: User authentication succeeded: IP address: 0.0.0.0, Uname: admintufin
+ ```
+
+
+
+=== "test_ASA_611103"
+
+ ```
+ %ASA-5-611103: User logged out: Uname: admintufin
+ ```
+
+
+
 === "test_ASA_716058"
 
 ```
diff --git a/_shared_content/operations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7.md b/_shared_content/operations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7.md
index 4684354d0c..2028395e6b 100644
--- a/_shared_content/operations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7.md
+++ b/_shared_content/operations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7.md
@@ -53,7 +53,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "http": {
 "request": {
 "method": "GET",
- "referrer": "\"http://www.example.com/start.html\""
+ "referrer": "http://www.example.com/start.html"
 },
 "response": {
 "bytes": 2326,
@@ -85,7 +85,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "name": "Other"
 },
 "name": "Other",
- "original": "\"Mozilla/4.08 [en] (Win98; I ;Nav)\"",
+ "original": "Mozilla/4.08 [en] (Win98; I ;Nav)",
 "os": {
 "name": "Windows",
 "version": "98"
@@ -101,7 +101,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ```json
 
 {
- "message": "24.202.202.247 - - - [31/Jul/2024:16:41:52 +0200] \"GET /test/integration/abcdefgh123456.js HTTP/1.1\" 200 5771 \"https://www.website.fr/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/10101010 Firefox/128.0\" GoAway=- (107 47us) TLSv1.3 TLS_AES_256_GCM_SHA384",
+ "message": "mydomain:443 1.2.3.4 - - [31/Jul/2024:16:41:52 +0200] \"GET /test/integration/abcdefgh123456.js HTTP/1.1\" 200 5771 \"https://www.website.fr/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/10101010 Firefox/128.0\" GoAway=- (107 47us) TLSv1.3 TLS_AES_256_GCM_SHA384",
 "event": {
 "category": [
 "web"
@@ -118,6 +118,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "timestamp": "31/Jul/2024:16:41:52 +0200"
 }
 },
+ "destination": {
+ "address": "mydomain",
+ "port": 443,
+ "size_in_char": 0
+ },
 "http": {
 "request": {
 "method": "GET"
@@ -130,12 +135,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 },
 "related": {
 "ip": [
- "24.202.202.247"
+ "1.2.3.4"
 ]
 },
 "source": {
- "address": "24.202.202.247",
- "ip": "24.202.202.247"
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4"
 },
 "url": {
 "original": "/test/integration/abcdefgh123456.js",
@@ -496,6 +501,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`action.properties.ruleseverity` | `keyword` | Modsecurity rule severity |
 |`action.properties.timestamp` | `keyword` | Timestamp |
 |`action.properties.uniqueid` | `keyword` | Unique ID |
+|`destination.address` | `keyword` | Destination network address. |
 |`destination.domain` | `keyword` | The domain name of the destination. |
 |`destination.port` | `long` | Port of the destination. |
 |`destination.size_in_char` | `number` | Size of the destination name |
diff --git a/_shared_content/operations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_sample.md b/_shared_content/operations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_sample.md
index ea514ace69..2ceba99673 100644
--- a/_shared_content/operations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_sample.md
+++ b/_shared_content/operations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_sample.md
@@ -15,7 +15,7 @@ In this section, you will find examples of raw logs as generated natively by the
 === "access_extended"
 
 ```
- 24.202.202.247 - - - [31/Jul/2024:16:41:52 +0200] "GET /test/integration/abcdefgh123456.js HTTP/1.1" 200 5771 "https://www.website.fr/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/10101010 Firefox/128.0" GoAway=- (107 47us) TLSv1.3 TLS_AES_256_GCM_SHA384
+ mydomain:443 1.2.3.4 - - [31/Jul/2024:16:41:52 +0200] "GET /test/integration/abcdefgh123456.js HTTP/1.1" 200 5771 "https://www.website.fr/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/10101010 Firefox/128.0" GoAway=- (107 47us) TLSv1.3 TLS_AES_256_GCM_SHA384
 ```
 
 
diff --git a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md
index 38ffaae9a9..119f621887 100644
--- a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md
+++ b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md
@@ -333,6 +333,115 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "Event_4625_reason.json" + + ```json + + { + "message": "{\"Category\":\"Logon\",\"Channel\":\"Security\",\"EventID\":4625,\"EventType\":\"AUDIT_FAILURE\",\"Hostname\":\"test.test\",\"IpAddress\":\"1.2.3.4\",\"LogonProcessName\":\"Advapi \",\"LogonType\":\"3\",\"Message\":\"An account failed to log on.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-18\\r\\n\\tAccount Name:\\t\\tTESTACCOUNTS$\\r\\n\\tAccount Domain:\\t\\tDOMAINNAME\\r\\n\\tLogon ID:\\t\\t0x3E7\\r\\n\\r\\nLogon Type:\\t\\t\\t3\\r\\n\\r\\nAccount For Which Logon Failed:\\r\\n\\tSecurity ID:\\t\\tS-1-0-0\\r\\n\\tAccount Name:\\t\\tTEST-USERNAME\\r\\n\\tAccount Domain:\\t\\tDOMAINNAME\\r\\n\\r\\nFailure Information:\\r\\n\\tFailure Reason:\\t\\tUnknown user name or bad password.\\r\\n\\tStatus:\\t\\t\\t0xC000006D\\r\\n\\tSub Status:\\t\\t0xC000006A\\r\\n\\r\\nProcess Information:\\r\\n\\tCaller Process ID:\\t0x25c\\r\\n\\tCaller Process Name:\\tC:\\\\Windows\\\\System32\\\\lsass.exe\\r\\n\\r\\nNetwork Information:\\r\\n\\tWorkstation Name:\\tTESTACCOUNTS\\r\\n\\tSource Network Address:\\t192.168.128.203\\r\\n\\tSource Port:\\t\\t41974\\r\\n\\r\\nDetailed Authentication Information:\\r\\n\\tLogon Process:\\t\\tAdvapi \\r\\n\\tAuthentication Package:\\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\\r\\n\\tTransited Services:\\t-\\r\\n\\tPackage Name (NTLM only):\\t-\\r\\n\\tKey Length:\\t\\t0\\r\\n\\r\\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\\r\\n\\r\\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\r\\n\\r\\nThe Logon Type field indicates the kind of logon that was requested. 
The most common types are 2 (interactive) and 3 (network).\\r\\n\\r\\nThe Process Information fields indicate which account and process on the system requested the logon.\\r\\n\\r\\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\r\\n\\r\\nThe authentication information fields provide detailed information about this specific logon request.\\r\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\r\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\r\\n\\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\",\"ProcessID\":604,\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\lsass.exe\",\"Severity\":\"ERROR\",\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"SubjectDomainName\":\"DOMAINNAME\",\"SubjectLogonId\":\"0x3e7\",\"SubjectUserName\":\"TESTACCOUNTS$\",\"SubjectUserSid\":\"S-1-5-18\",\"TargetDomainName\":\"DOMAINNAME\",\"TargetUserName\":\"TEST-USERNAME\",\"sekoia.intake.windows\":\"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\"}", + "event": { + "action": "authentication_network", + "category": [ + "authentication" + ], + "code": "4625", + "message": "An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTESTACCOUNTS$\r\n\tAccount Domain:\t\tDOMAINNAME\r\n\tLogon ID:\t\t0x3E7\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tTEST-USERNAME\r\n\tAccount Domain:\t\tDOMAINNAME\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x25c\r\n\tCaller Process Name:\tC:\\Windows\\System32\\lsass.exe\r\n\r\nNetwork Information:\r\n\tWorkstation 
Name:\tTESTACCOUNTS\r\n\tSource Network Address:\t192.168.128.203\r\n\tSource Port:\t\t41974\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tAdvapi \r\n\tAuthentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.", + "outcome": "failure", + "provider": "Microsoft-Windows-Security-Auditing", + "reason": "Unknown user name or bad password.", + "type": [ + "start" + ] + }, + "action": { + "id": 4625, + "name": "An account failed to log on", + "outcome": "failure", + "properties": { + "Category": "Logon", + "EventType": "AUDIT_FAILURE", + "IpAddress": "1.2.3.4", + "LogonProcessName": "Advapi ", + "LogonType": "3", + "ProcessName": "C:\\Windows\\System32\\lsass.exe", + "Severity": "ERROR", + "SourceName": "Microsoft-Windows-Security-Auditing", + "SubjectDomainName": "DOMAINNAME", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "TESTACCOUNTS$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "DOMAINNAME", + "TargetUserName": "TEST-USERNAME" + }, + "type": "Security" + }, + "host": { + "hostname": "test.test", + "name": "test.test" + }, + "log": { + "hostname": "test.test", + "level": "error" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "process": { + "executable": "C:\\Windows\\System32\\lsass.exe", + "id": 604, + "name": "lsass.exe", + "pid": 604, + "working_directory": "C:\\Windows\\System32\\" + }, + "related": { + "hosts": [ + "test.test" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "TESTACCOUNTS$" + ] + }, + "sekoiaio": { + "authentication": { + "process": { + "name": "Advapi " + } + }, + "client": { + "name": "test.test", + "os": { + "type": "windows" + } + }, + "server": { + "name": "test.test", + "os": { + "type": "windows" + } + } + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "domain": "DOMAINNAME", + "id": "S-1-5-18", + "name": "TESTACCOUNTS$", + "target": { + "domain": "DOMAINNAME", + "name": "TEST-USERNAME" + } + } + } + + ``` + + === "Event_4625_substatus.json" ```json 
@@ -1621,6 +1730,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "AuthenticationProvider": "Windows",
 "AuthenticationServer": "auth.example.org",
 "AuthenticationType": "PEAP",
+ "CallingStationID": "a9-7c-7d-ac-47-67",
 "Category": "Network Policy Server",
 "ClientIPAddress": "1.2.3.4",
 "ClientName": "ELEBEYCOBI",
@@ -1701,6 +1811,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "AuthenticationProvider": "Windows",
 "AuthenticationServer": "auth.example.org",
 "AuthenticationType": "EAP",
+ "CallingStationID": "a9-7c-7d-ac-47-67",
 "Category": "Network Policy Server",
 "ClientIPAddress": "1.2.3.4",
 "ClientName": "1.2.3.4",
@@ -5158,6 +5269,87 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "process_6272.json" + + ```json + + { + "message": "{\"EventTime\":\"2024-09-18 10:08:41\",\"Hostname\":\"test\",\"Keywords\":-9214364837600034816,\"EventType\":\"AUDIT_SUCCESS\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":6272,\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"ProviderGuid\":\"{000000000-0000-0000-A5BA-3E3B0328C30D}\",\"Version\":2,\"Task\":12552,\"OpcodeValue\":0,\"RecordNumber\":2324634,\"ActivityID\":\"{9481D23D-1111-1111-1111-1DD10B0E2623}\",\"ProcessID\":672,\"ThreadID\":3752,\"Channel\":\"Security\",\"Message\":\"Le serveur NPS a accorde lacces a un utilisateur. Utilisateur : ID de securite : S-1-5-21-1111111111-111111111-1111111111-1111 Nom de compte : testUser Domaine de compte : NT01 Nom de compte complet : net/Administrateurs/ITUser/testUser Ordinateur client : ID de securite : S-1-0-0 Nom de compte : - Nom de compte complet : - Identificateur de la station appelee : 1.2.3.4 Identificateur de la station appelante : 10.24.25.25 Serveur NAS : Adresse IPv4 du serveur NAS : 1.2.3.4 Adresse IPv6 du serveur NAS : - Identificateur du serveur NAS : - Type de port du serveur NAS : Virtuel Port du serveur NAS : 450560 Client RADIUS : Nom convivial du client : FW01 Adresse IP du client : 1.2.3.4 Informations detaillees sur lauthentification : Nom de strategie de demande de connexion : interface_admin_reseau Nom de strategie reseau : FWASA01_Admin Fournisseur dauthentification : RADIUS distant vers le mappage utilisateur Windows Serveur dauthentification : 1.2.3.4 Type dauthentification : - Type EAP : - Identificateur de la session du compte : - Resultats de la journalisation : Les informations de suivi ont ete inscrites dans le fichier journal local. 
\",\"Category\":\"Network Policy Server\",\"Opcode\":\"Informations\",\"SubjectUserSid\":\"S-1-5-21-1111111111-111111111-1111111111-1111\",\"SubjectUserName\":\"testUser\",\"SubjectDomainName\":\"NT01\",\"FullyQualifiedSubjectUserName\":\"test.net/Administrateurs/ITUser/testUser\",\"SubjectMachineSID\":\"S-1-0-0\",\"SubjectMachineName\":\"-\",\"FullyQualifiedSubjectMachineName\":\"-\",\"CalledStationID\":\"1.2.3.4\",\"CallingStationID\":\"10.24.25.25\",\"NASIPv4Address\":\"1.2.3.4\",\"NASIPv6Address\":\"-\",\"NASIdentifier\":\"-\",\"NASPortType\":\"Virtuel\",\"NASPort\":\"450560\",\"ClientName\":\"FW01\",\"ClientIPAddress\":\"1.2.3.4\",\"ProxyPolicyName\":\"interface_admin_reseau\",\"NetworkPolicyName\":\"FWASA01_Admin\",\"AuthenticationProvider\":\"RADIUS distant vers le mappage utilisateur Windows\",\"AuthenticationServer\":\"1.2.3.4\",\"AuthenticationType\":\"-\",\"EAPType\":\"-\",\"AccountSessionIdentifier\":\"-\",\"LoggingResult\":\"Les informations de suivi ont ete inscrites dans le fichier journal local.\",\"EventReceivedTime\":\"2024-09-18 10:09:24\",\"SourceModuleName\":\"eventlog41\",\"SourceModuleType\":\"im_msvistalog\"}", + "event": { + "code": "6272", + "message": "Le serveur NPS a accorde lacces a un utilisateur. 
Utilisateur : ID de securite : S-1-5-21-1111111111-111111111-1111111111-1111 Nom de compte : testUser Domaine de compte : NT01 Nom de compte complet : net/Administrateurs/ITUser/testUser Ordinateur client : ID de securite : S-1-0-0 Nom de compte : - Nom de compte complet : - Identificateur de la station appelee : 1.2.3.4 Identificateur de la station appelante : 10.24.25.25 Serveur NAS : Adresse IPv4 du serveur NAS : 1.2.3.4 Adresse IPv6 du serveur NAS : - Identificateur du serveur NAS : - Type de port du serveur NAS : Virtuel Port du serveur NAS : 450560 Client RADIUS : Nom convivial du client : FW01 Adresse IP du client : 1.2.3.4 Informations detaillees sur lauthentification : Nom de strategie de demande de connexion : interface_admin_reseau Nom de strategie reseau : FWASA01_Admin Fournisseur dauthentification : RADIUS distant vers le mappage utilisateur Windows Serveur dauthentification : 1.2.3.4 Type dauthentification : - Type EAP : - Identificateur de la session du compte : - Resultats de la journalisation : Les informations de suivi ont ete inscrites dans le fichier journal local. 
", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "action": { + "id": 6272, + "name": "Network Policy Server granted access to a user", + "outcome": "success", + "properties": { + "AuthenticationProvider": "RADIUS distant vers le mappage utilisateur Windows", + "AuthenticationServer": "1.2.3.4", + "AuthenticationType": "-", + "CallingStationID": "10.24.25.25", + "Category": "Network Policy Server", + "ClientIPAddress": "1.2.3.4", + "ClientName": "FW01", + "EAPType": "-", + "EventType": "AUDIT_SUCCESS", + "Keywords": "-9214364837600034816", + "NASIdentifier": "-", + "NASPort": "450560", + "NASPortType": "Virtuel", + "NetworkPolicyName": "FWASA01_Admin", + "OpcodeValue": 0, + "ProviderGuid": "{000000000-0000-0000-A5BA-3E3B0328C30D}", + "ProxyPolicyName": "interface_admin_reseau", + "Severity": "INFO", + "SourceName": "Microsoft-Windows-Security-Auditing", + "SubjectDomainName": "NT01", + "SubjectUserName": "testUser", + "SubjectUserSid": "S-1-5-21-1111111111-111111111-1111111111-1111", + "Task": 12552 + }, + "record_id": 2324634, + "type": "Security" + }, + "host": { + "hostname": "test", + "name": "test" + }, + "log": { + "hostname": "test", + "level": "info" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "process": { + "id": 672, + "pid": 672, + "thread": { + "id": 3752 + } + }, + "related": { + "hosts": [ + "test" + ], + "user": [ + "testUser" + ] + }, + "user": { + "domain": "NT01", + "id": "S-1-5-21-1111111111-111111111-1111111111-1111", + "name": "testUser" + } + } + + ``` + + === "process_7045.json" ```json 
@@ -7657,6 +7849,7 @@ The following table lists the fields that are extracted, normalized under the EC |`action.properties.AdditionalActionsString` | `keyword` | | |`action.properties.Attributes` | `keyword` | | |`action.properties.BytesTotal` | `keyword` | | +|`action.properties.CallingStationID` | `keyword` | | |`action.properties.ConfigurationFile` | `keyword` | | |`action.properties.Content` | `keyword` | | |`action.properties.ContextInfo` | `keyword` | | diff --git a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be_sample.md b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be_sample.md index ecf947c738..6d8fd27c27 100644 --- a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be_sample.md +++ b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be_sample.md 
@@ -173,6 +173,35 @@ In this section, you will find examples of raw logs as generated natively by the +=== "Event_4625_reason" + + ``` + { + "Category": "Logon", + "Channel": "Security", + "EventID": 4625, + "EventType": "AUDIT_FAILURE", + "Hostname": "test.test", + "IpAddress": "1.2.3.4", + "LogonProcessName": "Advapi ", + "LogonType": "3", + "Message": "An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTESTACCOUNTS$\r\n\tAccount Domain:\t\tDOMAINNAME\r\n\tLogon ID:\t\t0x3E7\r\n\r\nLogon Type:\t\t\t3\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tTEST-USERNAME\r\n\tAccount Domain:\t\tDOMAINNAME\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x25c\r\n\tCaller Process Name:\tC:\\Windows\\System32\\lsass.exe\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tTESTACCOUNTS\r\n\tSource Network Address:\t192.168.128.203\r\n\tSource Port:\t\t41974\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tAdvapi \r\n\tAuthentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "ProcessID": 604, + "ProcessName": "C:\\Windows\\System32\\lsass.exe", + "Severity": "ERROR", + "SourceName": "Microsoft-Windows-Security-Auditing", + "SubjectDomainName": "DOMAINNAME", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "TESTACCOUNTS$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "DOMAINNAME", + "TargetUserName": "TEST-USERNAME", + "sekoia.intake.windows": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + } + ``` + + + === "Event_4625_substatus" ``` 
@@ -2799,6 +2828,62 @@ In this section, you will find examples of raw logs as generated natively by the +=== "process_6272" + + ``` + { + "EventTime": "2024-09-18 10:08:41", + "Hostname": "test", + "Keywords": -9214364837600034816, + "EventType": "AUDIT_SUCCESS", + "SeverityValue": 2, + "Severity": "INFO", + "EventID": 6272, + "SourceName": "Microsoft-Windows-Security-Auditing", + "ProviderGuid": "{000000000-0000-0000-A5BA-3E3B0328C30D}", + "Version": 2, + "Task": 12552, + "OpcodeValue": 0, + "RecordNumber": 2324634, + "ActivityID": "{9481D23D-1111-1111-1111-1DD10B0E2623}", + "ProcessID": 672, + "ThreadID": 3752, + "Channel": "Security", + "Message": "Le serveur NPS a accorde lacces a un utilisateur. Utilisateur : ID de securite : S-1-5-21-1111111111-111111111-1111111111-1111 Nom de compte : testUser Domaine de compte : NT01 Nom de compte complet : net/Administrateurs/ITUser/testUser Ordinateur client : ID de securite : S-1-0-0 Nom de compte : - Nom de compte complet : - Identificateur de la station appelee : 1.2.3.4 Identificateur de la station appelante : 10.24.25.25 Serveur NAS : Adresse IPv4 du serveur NAS : 1.2.3.4 Adresse IPv6 du serveur NAS : - Identificateur du serveur NAS : - Type de port du serveur NAS : Virtuel Port du serveur NAS : 450560 Client RADIUS : Nom convivial du client : FW01 Adresse IP du client : 1.2.3.4 Informations detaillees sur lauthentification : Nom de strategie de demande de connexion : interface_admin_reseau Nom de strategie reseau : FWASA01_Admin Fournisseur dauthentification : RADIUS distant vers le mappage utilisateur Windows Serveur dauthentification : 1.2.3.4 Type dauthentification : - Type EAP : - Identificateur de la session du compte : - Resultats de la journalisation : Les informations de suivi ont ete inscrites dans le fichier journal local. 
", + "Category": "Network Policy Server", + "Opcode": "Informations", + "SubjectUserSid": "S-1-5-21-1111111111-111111111-1111111111-1111", + "SubjectUserName": "testUser", + "SubjectDomainName": "NT01", + "FullyQualifiedSubjectUserName": "test.net/Administrateurs/ITUser/testUser", + "SubjectMachineSID": "S-1-0-0", + "SubjectMachineName": "-", + "FullyQualifiedSubjectMachineName": "-", + "CalledStationID": "1.2.3.4", + "CallingStationID": "10.24.25.25", + "NASIPv4Address": "1.2.3.4", + "NASIPv6Address": "-", + "NASIdentifier": "-", + "NASPortType": "Virtuel", + "NASPort": "450560", + "ClientName": "FW01", + "ClientIPAddress": "1.2.3.4", + "ProxyPolicyName": "interface_admin_reseau", + "NetworkPolicyName": "FWASA01_Admin", + "AuthenticationProvider": "RADIUS distant vers le mappage utilisateur Windows", + "AuthenticationServer": "1.2.3.4", + "AuthenticationType": "-", + "EAPType": "-", + "AccountSessionIdentifier": "-", + "LoggingResult": "Les informations de suivi ont ete inscrites dans le fichier journal local.", + "EventReceivedTime": "2024-09-18 10:09:24", + "SourceModuleName": "eventlog41", + "SourceModuleType": "im_msvistalog" + } + ``` + + + === "process_7045" ``` diff --git a/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af.md b/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af.md index 3c39998c3c..2b49c63b02 100644 --- a/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af.md +++ b/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af.md 
@@ -1350,6 +1350,33 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_rule8.json" + + ```json + + { + "message": " Rule /Common/irule_insert_vs_name : le nom de la vs a inserer est example.com", + "event": { + "category": [ + "network" + ], + "reason": "le nom de la vs a inserer est example.com", + "type": [ + "info" + ] + }, + "os": { + "family": "linux", + "platform": "linux" + }, + "rule": { + "name": "/Common/irule_insert_vs_name" + } + } + + ``` + + === "test_sshd.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af_sample.md b/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af_sample.md index 1c4ff1f993..aa3eb99049 100644 --- a/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af_sample.md +++ b/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af_sample.md @@ -203,6 +203,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_rule8" + + ``` + Rule /Common/irule_insert_vs_name : le nom de la vs a inserer est example.com + ``` + + + === "test_sshd" ``` diff --git a/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5.md b/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5.md index 1f80cd9378..68e1479849 100644 --- a/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5.md +++ b/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5.md 
@@ -699,6 +699,93 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_dns_activity_3.json" + + ```json + + { + "message": "{\"metadata\":{\"product\":{\"version\":\"1.100000\",\"name\":\"Route 53\",\"feature\":{\"name\":\"Resolver Query Logs\"},\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"security_control\",\"datetime\"],\"version\":\"1.1.0\"},\"cloud\":{\"account\":{\"uid\":\"111111111111\"},\"region\":\"eu-west-3\",\"provider\":\"AWS\"},\"src_endpoint\":{\"vpc_uid\":\"vpc-11111111\",\"ip\":\"1.2.3.4\",\"port\":62699,\"instance_uid\":\"i-11111111111111111\"},\"time\":1726395887000,\"time_dt\":1726395887000,\"query\":{\"hostname\":\"settings-win.data.microsoft.com.\",\"type\":\"A\",\"class\":\"IN\"},\"answers\":[{\"type\":\"CNAME\",\"rdata\":\"atm-settingsfe-prod-geo2.trafficmanager.net.\",\"class\":\"IN\"},{\"type\":\"CNAME\",\"rdata\":\"settings-prod-weu-2.westeurope.cloudapp.azure.com.\",\"class\":\"IN\"},{\"type\":\"A\",\"rdata\":\"5.6.7.8\",\"class\":\"IN\"}],\"connection_info\":{\"protocol_name\":\"UDP\",\"direction\":\"Unknown\",\"direction_id\":0},\"dst_endpoint\":null,\"firewall_rule\":null,\"severity_id\":1,\"severity\":\"Informational\",\"class_name\":\"DNS Activity\",\"class_uid\":4003,\"category_name\":\"Network Activity\",\"category_uid\":4,\"activity_id\":6,\"activity_name\":\"Traffic\",\"type_uid\":400306,\"type_name\":\"DNS Activity: Traffic\",\"rcode_id\":0,\"rcode\":\"NoError\",\"disposition\":\"Unknown\",\"action\":\"Unknown\",\"action_id\":0,\"unmapped\":null,\"accountid\":null,\"region\":null,\"asl_version\":null,\"observables\":[{\"name\":\"answers[].rdata\",\"value\":\"settings-prod-weu-2.westeurope.cloudapp.azure.com.\",\"type\":\"IP Address\",\"type_id\":2},{\"name\":\"src_endpoint.instance_uid\",\"value\":\"i-11111111111111111\",\"type\":\"Resource UID\",\"type_id\":10},{\"name\":\"answers[].rdata\",\"value\":\"5.6.7.8\",\"type\":\"IP 
Address\",\"type_id\":2},{\"name\":\"src_endpoint.ip\",\"value\":\"1.2.3.4\",\"type\":\"IP Address\",\"type_id\":2},{\"name\":\"answers[].rdata\",\"value\":\"atm-settingsfe-prod-geo2.trafficmanager.net.\",\"type\":\"IP Address\",\"type_id\":2},{\"name\":\"query.hostname\",\"value\":\"settings-win.data.microsoft.com.\",\"type\":\"Hostname\",\"type_id\":1}]}\n", + "event": { + "action": "traffic", + "category": [ + "network" + ], + "kind": "event", + "severity": 1, + "type": [ + "info", + "protocol" + ] + }, + "@timestamp": "2024-09-15T10:24:47Z", + "cloud": { + "account": { + "id": "111111111111" + }, + "provider": "AWS", + "region": "eu-west-3" + }, + "dns": { + "answers": [ + { + "class": "IN", + "data": "atm-settingsfe-prod-geo2.trafficmanager.net.", + "type": "CNAME" + }, + { + "class": "IN", + "data": "settings-prod-weu-2.westeurope.cloudapp.azure.com.", + "type": "CNAME" + }, + { + "class": "IN", + "data": "5.6.7.8", + "type": "A" + } + ], + "question": { + "class": [ + "IN" + ], + "name": "settings-win.data.microsoft.com.", + "registered_domain": "microsoft.com", + "subdomain": "settings-win.data", + "top_level_domain": "com", + "type": [ + "A" + ] + }, + "response_code": "NoError" + }, + "network": { + "direction": [ + "unknown" + ] + }, + "ocsf": { + "activity_id": 6, + "activity_name": "Traffic", + "class_name": "DNS Activity", + "class_uid": 4003 + }, + "related": { + "hosts": [ + "settings-win.data.microsoft.com." + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 62699 + } + } + + ``` + + === "test_http_activity_1.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5_sample.md b/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5_sample.md index 6497502ea7..bf8e0c146e 100644 --- a/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5_sample.md 
+++ b/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5_sample.md 
@@ -1440,6 +1440,133 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_dns_activity_3" + + + ```json + { + "metadata": { + "product": { + "version": "1.100000", + "name": "Route 53", + "feature": { + "name": "Resolver Query Logs" + }, + "vendor_name": "AWS" + }, + "profiles": [ + "cloud", + "security_control", + "datetime" + ], + "version": "1.1.0" + }, + "cloud": { + "account": { + "uid": "111111111111" + }, + "region": "eu-west-3", + "provider": "AWS" + }, + "src_endpoint": { + "vpc_uid": "vpc-11111111", + "ip": "1.2.3.4", + "port": 62699, + "instance_uid": "i-11111111111111111" + }, + "time": 1726395887000, + "time_dt": 1726395887000, + "query": { + "hostname": "settings-win.data.microsoft.com.", + "type": "A", + "class": "IN" + }, + "answers": [ + { + "type": "CNAME", + "rdata": "atm-settingsfe-prod-geo2.trafficmanager.net.", + "class": "IN" + }, + { + "type": "CNAME", + "rdata": "settings-prod-weu-2.westeurope.cloudapp.azure.com.", + "class": "IN" + }, + { + "type": "A", + "rdata": "5.6.7.8", + "class": "IN" + } + ], + "connection_info": { + "protocol_name": "UDP", + "direction": "Unknown", + "direction_id": 0 + }, + "dst_endpoint": null, + "firewall_rule": null, + "severity_id": 1, + "severity": "Informational", + "class_name": "DNS Activity", + "class_uid": 4003, + "category_name": "Network Activity", + "category_uid": 4, + "activity_id": 6, + "activity_name": "Traffic", + "type_uid": 400306, + "type_name": "DNS Activity: Traffic", + "rcode_id": 0, + "rcode": "NoError", + "disposition": "Unknown", + "action": "Unknown", + "action_id": 0, + "unmapped": null, + "accountid": null, + "region": null, + "asl_version": null, + "observables": [ + { + "name": "answers[].rdata", + "value": "settings-prod-weu-2.westeurope.cloudapp.azure.com.", + "type": "IP Address", + "type_id": 2 + }, + { + "name": "src_endpoint.instance_uid", + "value": "i-11111111111111111", + "type": "Resource UID", + "type_id": 10 + }, + { + "name": 
"answers[].rdata", + "value": "5.6.7.8", + "type": "IP Address", + "type_id": 2 + }, + { + "name": "src_endpoint.ip", + "value": "1.2.3.4", + "type": "IP Address", + "type_id": 2 + }, + { + "name": "answers[].rdata", + "value": "atm-settingsfe-prod-geo2.trafficmanager.net.", + "type": "IP Address", + "type_id": 2 + }, + { + "name": "query.hostname", + "value": "settings-win.data.microsoft.com.", + "type": "Hostname", + "type_id": 1 + } + ] + } + ``` + + + === "test_http_activity_1" diff --git a/_shared_content/operations_center/integrations/generated/ab25af2e-4916-40ba-955c-34d2301c1f51.md b/_shared_content/operations_center/integrations/generated/ab25af2e-4916-40ba-955c-34d2301c1f51.md index a551974302..0983fdc33e 100644 --- a/_shared_content/operations_center/integrations/generated/ab25af2e-4916-40ba-955c-34d2301c1f51.md +++ b/_shared_content/operations_center/integrations/generated/ab25af2e-4916-40ba-955c-34d2301c1f51.md @@ -157,7 +157,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": " rdp.acme.com 1.2.3.4 - - [22/Aug/2019:08:28:30 +0200] \"GET /lib/example.txt?key1=111111&time=1566455309850 HTTP/1.1\" 200 2 \"http://rdp.acme.com/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134\" \"1.2.3.4\" \"0.010\" \"-/-\" \"text/plain\"", + "message": " rdp.acme.com 1.2.3.4 - - [22/Aug/2019:08:28:30 +0200] \"GET /lib/example.txt?key1=111111&time=1566455309850 HTTP/1.1\" 200 2 \"http://rdp.acme.com/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134\" \"1.2.3.4, 4.3.2.1\" \"0.010\" \"-/-\" \"text/plain\"", "event": { "category": [ "web" 
@@ -184,6 +184,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "version": "1.1" }, + "network": { + "forwarded_ip": "1.2.3.4" + }, "observer": { "product": "nginx", "type": "WEB server", @@ -255,6 +258,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "version": "1.1" }, + "network": { + "forwarded_ip": "1.2.3.4" + }, "observer": { "product": "nginx", "type": "WEB server", diff --git a/_shared_content/operations_center/integrations/generated/ab25af2e-4916-40ba-955c-34d2301c1f51_sample.md b/_shared_content/operations_center/integrations/generated/ab25af2e-4916-40ba-955c-34d2301c1f51_sample.md index 6101966e1b..8ad12acb05 100644 --- a/_shared_content/operations_center/integrations/generated/ab25af2e-4916-40ba-955c-34d2301c1f51_sample.md +++ b/_shared_content/operations_center/integrations/generated/ab25af2e-4916-40ba-955c-34d2301c1f51_sample.md @@ -23,7 +23,7 @@ In this section, you will find examples of raw logs as generated natively by the === "extended" ``` - rdp.acme.com 1.2.3.4 - - [22/Aug/2019:08:28:30 +0200] "GET /lib/example.txt?key1=111111&time=1566455309850 HTTP/1.1" 200 2 "http://rdp.acme.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" "1.2.3.4" "0.010" "-/-" "text/plain" + rdp.acme.com 1.2.3.4 - - [22/Aug/2019:08:28:30 +0200] "GET /lib/example.txt?key1=111111&time=1566455309850 HTTP/1.1" 200 2 "http://rdp.acme.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" "1.2.3.4, 4.3.2.1" "0.010" "-/-" "text/plain" ``` diff --git a/_shared_content/operations_center/integrations/generated/acd3374a-9738-4650-9d20-bd0a22daac40.md b/_shared_content/operations_center/integrations/generated/acd3374a-9738-4650-9d20-bd0a22daac40.md index f567f3be49..c4988d7403 100644 
--- a/_shared_content/operations_center/integrations/generated/acd3374a-9738-4650-9d20-bd0a22daac40.md +++ b/_shared_content/operations_center/integrations/generated/acd3374a-9738-4650-9d20-bd0a22daac40.md @@ -49,6 +49,14 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "Example account" } }, + "datadome": { + "country_count": 123456789, + "ip_count": 123456789, + "peak_speed": 0, + "requests_count": 123456789, + "ua_count": 123456789, + "url_count": 123456789 + }, "host": { "name": "WEB (default)" }, @@ -90,6 +98,14 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "Account name" } }, + "datadome": { + "country_count": 17, + "ip_count": 393, + "peak_speed": 1457, + "requests_count": 10558, + "ua_count": 82, + "url_count": 2221 + }, "host": { "name": "Endpoint" }, @@ -118,6 +134,12 @@ The following table lists the fields that are extracted, normalized under the EC | ---- | ---- | ---------------------------| |`@timestamp` | `date` | Date/time when the event originated. | |`cloud.account.name` | `keyword` | The cloud account name. | +|`datadome.country_count` | `number` | | +|`datadome.ip_count` | `number` | | +|`datadome.peak_speed` | `number` | | +|`datadome.requests_count` | `number` | | +|`datadome.ua_count` | `number` | | +|`datadome.url_count` | `number` | | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.duration` | `long` | Duration of the event in nanoseconds. | |`event.end` | `date` | event.end contains the date when the event ended or when the activity was last observed. | diff --git a/_shared_content/operations_center/integrations/generated/aeb7d407-db57-44b2-90b6-7df6738d5d7f.md b/_shared_content/operations_center/integrations/generated/aeb7d407-db57-44b2-90b6-7df6738d5d7f.md index 874fafa104..4ad0602d22 100644 
--- a/_shared_content/operations_center/integrations/generated/aeb7d407-db57-44b2-90b6-7df6738d5d7f.md +++ b/_shared_content/operations_center/integrations/generated/aeb7d407-db57-44b2-90b6-7df6738d5d7f.md @@ -48,6 +48,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "freeradius": { "outcome": "Ignoring request to auth address" }, + "host": { + "name": "default" + }, "network": { "transport": "udp" }, @@ -66,6 +69,48 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_ignoring_request_non_default.json" + + ```json + + { + "message": "Ignoring request to auth address * port 1823 bound to server Wifi-LDAP from unknown client 1.2.2.3 port 1645 proto udp", + "event": { + "category": [ + "authentication" + ], + "dataset": "freeradius.authentication", + "type": [ + "info" + ] + }, + "destination": { + "port": 1823 + }, + "freeradius": { + "outcome": "Ignoring request to auth address" + }, + "host": { + "name": "Wifi-LDAP" + }, + "network": { + "transport": "udp" + }, + "related": { + "ip": [ + "1.2.2.3" + ] + }, + "source": { + "address": "1.2.2.3", + "ip": "1.2.2.3", + "port": 1645 + } + } + + ``` + + === "test_invalid_user.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/aeb7d407-db57-44b2-90b6-7df6738d5d7f_sample.md b/_shared_content/operations_center/integrations/generated/aeb7d407-db57-44b2-90b6-7df6738d5d7f_sample.md index 83498b7682..20b7bbb3e8 100644 --- a/_shared_content/operations_center/integrations/generated/aeb7d407-db57-44b2-90b6-7df6738d5d7f_sample.md +++ b/_shared_content/operations_center/integrations/generated/aeb7d407-db57-44b2-90b6-7df6738d5d7f_sample.md 
@@ -12,6 +12,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_ignoring_request_non_default" + + ``` + Ignoring request to auth address * port 1823 bound to server Wifi-LDAP from unknown client 1.2.2.3 port 1645 proto udp + ``` + + + === "test_invalid_user" ``` diff --git a/_shared_content/operations_center/integrations/generated/0825709a-5f76-441e-9dfb-2b5ea6ce551c.md b/_shared_content/operations_center/integrations/generated/bba2bed2-d925-440f-a0ce-dbcae04eaf26.md similarity index 99% rename from _shared_content/operations_center/integrations/generated/0825709a-5f76-441e-9dfb-2b5ea6ce551c.md rename to _shared_content/operations_center/integrations/generated/bba2bed2-d925-440f-a0ce-dbcae04eaf26.md index b6193b2dc5..1bced097f4 100644 --- a/_shared_content/operations_center/integrations/generated/0825709a-5f76-441e-9dfb-2b5ea6ce551c.md +++ b/_shared_content/operations_center/integrations/generated/bba2bed2-d925-440f-a0ce-dbcae04eaf26.md @@ -17,7 +17,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `` | +| Kind | `alert` | | Category | `malware`, `network` | | Type | `info` | @@ -100,12 +100,14 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "@timestamp": "2023-03-22T10:46:08.487000Z", "destination": { - "address": "2.2.2.2", + "address": "pgoadcmgqfacj.com", + "domain": "pgoadcmgqfacj.com", "ip": "2.2.2.2", - "port": 53 + "port": 53, + "registered_domain": "pgoadcmgqfacj.com", + "top_level_domain": "com" }, "gatewatcher": { - "domain_name": "pgoadcmgqfacj.com", "event_type": "dga", "flow_id": "729468278572", "gcap": "gcap-xxxxxxxx.domain.local", @@ -122,6 +124,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "version": "0.2" }, "related": { + "hosts": [ + "pgoadcmgqfacj.com" + ], "ip": [ "1.1.1.1", "2.2.2.2" 
@@ -361,6 +366,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "category": [ "network" ], + "kind": "alert", "module": "alert", "severity": 1 }, @@ -631,6 +637,7 @@ The following table lists the fields that are extracted, normalized under the EC | ---- | ---- | ---------------------------| |`@timestamp` | `date` | Date/time when the event originated. | |`destination.bytes` | `long` | Bytes sent from the destination to the source. | +|`destination.domain` | `keyword` | The domain name of the destination. | |`destination.ip` | `ip` | IP address of the destination. | |`destination.packets` | `long` | Packets sent from the destination to the source. | |`destination.port` | `long` | Port of the destination. | @@ -640,6 +647,7 @@ The following table lists the fields that are extracted, normalized under the EC |`dns.type` | `keyword` | The type of DNS event captured, query or answer. | |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.module` | `keyword` | Name of the module this data is coming from. | |`event.severity` | `long` | Numeric severity of the event. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | 
@@ -654,7 +662,6 @@ The following table lists the fields that are extracted, normalized under the EC |`gatewatcher.description` | `text` | This field is used for retrohunt alerts | |`gatewatcher.dhcp` | `text` | This field represents the dhcp field in a network metadata (used in legacy format log) | |`gatewatcher.dnp3` | `text` | This field represents the dnp3 field in a suricata alert (used in legacy format log) | -|`gatewatcher.domain_name` | `text` | This field represents the domain name found in a dga alert | |`gatewatcher.email` | `text` | This field represents the email field | |`gatewatcher.encodings` | `text` | This field represents the encodings used in the shellcode | |`gatewatcher.event_type` | `keyword` | Type of event | diff --git a/_shared_content/operations_center/integrations/generated/0825709a-5f76-441e-9dfb-2b5ea6ce551c_sample.md b/_shared_content/operations_center/integrations/generated/bba2bed2-d925-440f-a0ce-dbcae04eaf26_sample.md similarity index 100% rename from _shared_content/operations_center/integrations/generated/0825709a-5f76-441e-9dfb-2b5ea6ce551c_sample.md rename to _shared_content/operations_center/integrations/generated/bba2bed2-d925-440f-a0ce-dbcae04eaf26_sample.md diff --git a/_shared_content/operations_center/integrations/generated/e9fbba55-89c2-4b6c-ad15-9a46412dd680.md b/_shared_content/operations_center/integrations/generated/e9fbba55-89c2-4b6c-ad15-9a46412dd680.md new file mode 100644 index 0000000000..cf78b2b9ef --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/e9fbba55-89c2-4b6c-ad15-9a46412dd680.md 
@@ -0,0 +1,1661 @@ + +### Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Network intrusion detection system` | AIONIQ identify suspicious behaviors | +| `Network protocol analysis` | AIONIQ analyze traffic protocol | + + + + + + + + +### Transformed Events Samples after Ingestion + +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. + +=== "beacon_event.json" + + ```json + + { + "message": "{\n \"tls\": {\n \"client\": {\n \"server_name\": \"cisco-update.com\"\n }\n },\n \"@version\": \"1\",\n \"event\": {\n \"created\": \"2024-09-09T13:02:34.254441+00:00\",\n \"end\": \"2024-09-09T11:52:25.666000+00:00\",\n \"severity\": 3,\n \"module\": \"beacon_detect\",\n \"start\": \"2024-09-09T11:47:44.012000+00:00\",\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"kind\": \"alert\",\n \"id\": \"5e7bb104-6493-43b2-be4d-f7c28ce79e85\",\n \"dataset\": \"alert\"\n },\n \"source\": {\n \"ip\": \"10.0.0.60\",\n \"mac\": \"60:57:18:e9:4f:5d\"\n },\n \"beacon\": {\n \"mean_time_interval\": 1,\n \"active\": true,\n \"possible_cnc\": \"not_recognized\",\n \"session_count\": 260,\n \"type\": \"constant\",\n \"id\": \"c4c886b4ad\",\n \"hostname_resolution\": \"not_analyzed\"\n },\n \"destination\": {\n \"ip\": \"157.230.93.100\",\n \"port\": 443\n },\n \"observer\": {\n \"product\": \"gcenter\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"log_format_version\": 
\"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"gcap\": {\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"vendor\": \"gatewatcher\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"@timestamp\": \"2024-09-09T13:02:59.354490664Z\",\n \"url\": {\n \"domain\": \"cisco-update.com\"\n },\n \"network\": {\n \"protocol\": \"tls\",\n \"timestamp\": \"2024-09-09T11:47:44.012000+00:00\",\n \"transport\": \"tcp\"\n }\n}", + "event": { + "category": [ + "intrusion_detection", + "network" + ], + "dataset": "alert", + "kind": "alert", + "module": "beacon_detect", + "severity": 3 + }, + "@timestamp": "2024-09-09T13:02:59.354490Z", + "destination": { + "address": "157.230.93.100", + "ip": "157.230.93.100", + "port": 443 + }, + "gatewatcher": { + "beacon": { + "active": "true", + "hostname_resolution": "not_analyzed", + "mean_time_interval": "1", + "possible_cnc": "not_recognized", + "session_count": "260", + "type": "constant" + }, + "event": { + "created": "2024-09-09T13:02:34.254441Z", + "id": "5e7bb104-6493-43b2-be4d-f7c28ce79e85" + }, + "network": { + "timestamp": "2024-09-09T11:47:44.012000Z" + }, + "observer": { + "gcap": { + "hostname": "gcap-clement-l.gatewatcher.fr", + "version": "2.5.4.0-rc1" + }, + "log_format_version": "1.0.0", + "uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f" + }, + "tls": "{\"client\": {\"server_name\": \"cisco-update.com\"}}", + "version": "1" + }, + "network": { + "protocol": "tls", + "transport": "tcp" + }, + "observer": { + "hostname": "gcenter-clelyo-01.gatewatcher.com", + "product": "gcenter", + "vendor": "gatewatcher", + "version": "2.5.3.103" + }, + "related": { + "hosts": [ + "cisco-update.com", + "gcenter-clelyo-01.gatewatcher.com" + ], + "ip": [ + "10.0.0.60", + "157.230.93.100" + ] + }, + "source": { + "address": "10.0.0.60", + "ip": "10.0.0.60", + "mac": "60:57:18:e9:4f:5d" + }, + "tls": { + "client": { + "server_name": "cisco-update.com" + } 
+ }, + "url": { + "domain": "cisco-update.com", + "registered_domain": "cisco-update.com", + "top_level_domain": "com" + } + } + + ``` + + +=== "codebreaker_powershell_alert.json" + + ```json + + { + "message": "{\n \"observer\": {\n \"vendor\": \"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"network\": {\n \"protocol\": \"unknown\",\n \"transport\": \"tcp\",\n \"timestamp\": \"2024-09-11T09:10:46.975548+0000\",\n \"flow_id\": 779924698221176\n },\n \"source\": {\n \"port\": 35444,\n \"ip\": \"10.127.0.111\"\n },\n \"destination\": {\n \"port\": 4242,\n \"ip\": \"10.127.0.222\"\n },\n \"malicious_powershell\": {\n \"proba_obfuscated\": 1,\n \"score\": 1890,\n \"sample_id\": \"09-11-2024T09:11:49_5a4a9ad809c84969b7f2bac324e41554_gcap-clement-l.gatewatcher.fr\",\n \"id\": \"60b656e17bec0a97f5638790c78a3124\",\n \"score_details\": {\n \"StrReplace\": 0,\n \"StreamReader\": 0,\n \"StartBitsTransfer\": 0,\n \"InvokeRestMethod\": 0,\n \"Base64\": 1520,\n \"StreamWriter\": 0,\n \"InvokeExpression\": 0,\n \"SystemIOFile\": 0,\n \"StrJoin\": 0,\n \"StrCat\": 370,\n \"WebClientInvokation\": 0,\n \"GetContent\": 0,\n \"FmtStr\": 0,\n \"CharInt\": 0,\n \"InvokeWebRequest\": 0,\n \"AddContent\": 0,\n \"SetContent\": 0\n }\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"@timestamp\": \"2024-09-11T09:11:52.737102768Z\",\n \"@version\": \"1\",\n \"event\": {\n \"id\": \"de7b5e80-a4b2-4ed6-b566-3590945e34d5\",\n \"kind\": \"alert\",\n \"module\": \"malicious_powershell_detect\",\n \"severity\": 1,\n \"dataset\": \"alert\",\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"created\": 
\"2024-09-11T09:11:52.735668+0000\"\n }\n}", + "event": { + "category": [ + "intrusion_detection", + "network" + ], + "dataset": "alert", + "kind": "alert", + "module": "malicious_powershell_detect", + "severity": 1 + }, + "@timestamp": "2024-09-11T09:11:52.737102Z", + "destination": { + "address": "10.127.0.222", + "ip": "10.127.0.222", + "port": 4242 + }, + "gatewatcher": { + "event": { + "created": "2024-09-11T09:11:52.735668Z", + "id": "de7b5e80-a4b2-4ed6-b566-3590945e34d5" + }, + "malicious_powershell": { + "id": "60b656e17bec0a97f5638790c78a3124", + "proba_obfuscated": 1, + "sample_id": "09-11-2024T09:11:49_5a4a9ad809c84969b7f2bac324e41554_gcap-clement-l.gatewatcher.fr", + "score": 1890, + "score_details": "{\"AddContent\": 0, \"Base64\": 1520, \"CharInt\": 0, \"FmtStr\": 0, \"GetContent\": 0, \"InvokeExpression\": 0, \"InvokeRestMethod\": 0, \"InvokeWebRequest\": 0, \"SetContent\": 0, \"StartBitsTransfer\": 0, \"StrCat\": 370, \"StrJoin\": 0, \"StrReplace\": 0, \"StreamReader\": 0, \"StreamWriter\": 0, \"SystemIOFile\": 0, \"WebClientInvokation\": 0}" + }, + "network": { + "flow_id": 779924698221176, + "timestamp": "2024-09-11T09:10:46.975548Z" + }, + "observer": { + "gcap": { + "hostname": "gcap-clement-l.gatewatcher.fr", + "ingress": { + "interface": { + "name": "monvirt" + } + }, + "version": "2.5.4.0-rc1" + }, + "log_format_version": "1.0.0", + "uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f" + }, + "version": "1" + }, + "network": { + "protocol": "unknown", + "transport": "tcp" + }, + "observer": { + "hostname": "gcenter-clelyo-01.gatewatcher.com", + "product": "gcenter", + "vendor": "gatewatcher", + "version": "2.5.3.103" + }, + "related": { + "hosts": [ + "gcenter-clelyo-01.gatewatcher.com" + ], + "ip": [ + "10.127.0.111", + "10.127.0.222" + ] + }, + "source": { + "address": "10.127.0.111", + "ip": "10.127.0.111", + "port": 35444 + } + } + + ``` + + +=== "codebreaker_shellcode_alert.json" + + ```json + + { + "message": "{\n \"network\": {\n 
\"protocol\": \"unknown\",\n \"timestamp\": \"2024-09-11T15:35:30.167846+0000\",\n \"transport\": \"tcp\",\n \"flow_id\": 888739207482646\n },\n \"observer\": {\n \"vendor\": \"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"destination\": {\n \"port\": 6666,\n \"ip\": \"178.160.128.2\"\n },\n \"source\": {\n \"port\": 60078,\n \"ip\": \"80.15.17.183\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"shellcode\": {\n \"sub_type\": \"Windows_x86_32\",\n \"encodings\": [\n {\n \"name\": \"Bloxor\",\n \"count\": 4\n }\n ],\n \"sample_id\": \"09-11-2024T15:36:31_8608eb20e6844d2786d36811f92a673b_gcap-clement-l.gatewatcher.fr\",\n \"analysis\": [\n {\n \"call\": \"kernel32_LoadLibraryA\",\n \"args\": \"{lpFileName: user32.dll}\",\n \"_id\": 0,\n \"ret\": \"0x70600000\"\n },\n {\n \"call\": \"user32_MessageBoxA\",\n \"args\": \"{hWnd: None, lpText: Do you like GateWatcher ?, lpCaption: Gatewatcher2018, uType: [MB_OK, MB_ICONQUESTION, MB_DEFBUTTON1, MB_APPLMODAL, None]}\",\n \"_id\": 1,\n \"ret\": \"1\"\n },\n {\n \"call\": \"kernel32_ExitProcess\",\n \"args\": \"{uExitCode: 0}\",\n \"_id\": 2,\n \"ret\": \"0\"\n },\n {\n \"info\": \"Stop : End of shellcode (Exit)\",\n \"_id\": -1\n }\n ],\n \"id\": \"790a2aa742e1da23e14c9b7270ee81a1\"\n },\n \"@timestamp\": \"2024-09-11T15:36:36.071882055Z\",\n \"@version\": \"1\",\n \"event\": {\n \"dataset\": \"alert\",\n \"kind\": \"alert\",\n \"module\": \"shellcode_detect\",\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"severity\": 1,\n \"id\": \"8c03d100-794f-45fe-8d92-7409c925b255\",\n \"created\": \"2024-09-11T15:36:36.068564+0000\"\n }\n}", + "event": { + 
"category": [ + "intrusion_detection", + "network" + ], + "dataset": "alert", + "kind": "alert", + "module": "shellcode_detect", + "severity": 1 + }, + "@timestamp": "2024-09-11T15:36:36.071882Z", + "destination": { + "address": "178.160.128.2", + "ip": "178.160.128.2", + "port": 6666 + }, + "gatewatcher": { + "event": { + "created": "2024-09-11T15:36:36.068564Z", + "id": "8c03d100-794f-45fe-8d92-7409c925b255" + }, + "network": { + "flow_id": 888739207482646, + "timestamp": "2024-09-11T15:35:30.167846Z" + }, + "observer": { + "gcap": { + "hostname": "gcap-clement-l.gatewatcher.fr", + "ingress": { + "interface": { + "name": "monvirt" + } + }, + "version": "2.5.4.0-rc1" + }, + "log_format_version": "1.0.0", + "uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f" + }, + "shellcode": { + "analysis": [ + "{\"_id\": -1, \"info\": \"Stop : End of shellcode (Exit)\"}", + "{\"_id\": 0, \"args\": \"{lpFileName: user32.dll}\", \"call\": \"kernel32_LoadLibraryA\", \"ret\": \"0x70600000\"}", + "{\"_id\": 1, \"args\": \"{hWnd: None, lpText: Do you like GateWatcher ?, lpCaption: Gatewatcher2018, uType: [MB_OK, MB_ICONQUESTION, MB_DEFBUTTON1, MB_APPLMODAL, None]}\", \"call\": \"user32_MessageBoxA\", \"ret\": \"1\"}", + "{\"_id\": 2, \"args\": \"{uExitCode: 0}\", \"call\": \"kernel32_ExitProcess\", \"ret\": \"0\"}" + ], + "encodings": [ + "{\"count\": 4, \"name\": \"Bloxor\"}" + ], + "id": "790a2aa742e1da23e14c9b7270ee81a1", + "sample_id": "09-11-2024T15:36:31_8608eb20e6844d2786d36811f92a673b_gcap-clement-l.gatewatcher.fr", + "sub_type": "Windows_x86_32" + }, + "version": "1" + }, + "network": { + "protocol": "unknown", + "transport": "tcp" + }, + "observer": { + "hostname": "gcenter-clelyo-01.gatewatcher.com", + "product": "gcenter", + "vendor": "gatewatcher", + "version": "2.5.3.103" + }, + "related": { + "hosts": [ + "gcenter-clelyo-01.gatewatcher.com" + ], + "ip": [ + "178.160.128.2", + "80.15.17.183" + ] + }, + "source": { + "address": "80.15.17.183", + "ip": "80.15.17.183", + 
"port": 60078 + } + } + + ``` + + +=== "dga_event.json" + + ```json + + { + "message": "{\n \"network\": {\n \"protocol\": \"dns\",\n \"transport\": \"udp\",\n \"timestamp\": \"2024-09-11T09:15:25.886786+00:00\",\n \"flow_id\": 1434780527372168\n },\n \"observer\": {\n \"vendor\": \"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"source\": {\n \"ip\": \"27.0.0.227\"\n },\n \"destination\": {\n \"port\": 53,\n \"ip\": \"202.129.215.23\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"dga\": {\n \"dga_count\": 35,\n \"dga_ratio\": 0.97,\n \"malware_behavior_confidence\": 50,\n \"nx_domain_count\": 36,\n \"top_DGA\": [\n \"zmhaoyukbol6a.com\",\n \"ppyblaohb.com\",\n \"khllpmpmare.com\",\n \"lttulzaiaoctpa7.com\",\n \"jetuergatod.com\",\n \"riaaiysk.com\",\n \"anxsmqyfy.com\",\n \"tqjhvylf.com\",\n \"vdunsygwoktx.com\",\n \"jhghrlufoh.com\"\n ]\n },\n \"@timestamp\": \"2024-09-11T09:16:33.314331057Z\",\n \"@version\": \"1\",\n \"event\": {\n \"created\": \"2024-09-11T09:16:33.194964+00:00\",\n \"end\": \"2024-09-11T09:15:27.858000+00:00\",\n \"kind\": \"alert\",\n \"module\": \"dga_detect\",\n \"start\": \"2024-09-11T09:15:22.995000+00:00\",\n \"severity\": 1,\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"dataset\": \"alert\",\n \"id\": \"0ec85c0d-68b6-4602-b26e-d0966d5e1b9d\"\n }\n}", + "event": { + "category": [ + "intrusion_detection", + "network" + ], + "dataset": "alert", + "kind": "alert", + "module": "dga_detect", + "severity": 1 + }, + "@timestamp": "2024-09-11T09:16:33.314331Z", + "destination": { + "address": "202.129.215.23", + "ip": "202.129.215.23", + "port": 53 + }, + "gatewatcher": { + "dga": { + "dga_count": "35", + "dga_ratio": "0.97", + 
"malware_behavior_confidence": "50", + "nx_domain_count": "36", + "top_DGA": [ + "anxsmqyfy.com", + "jetuergatod.com", + "jhghrlufoh.com", + "khllpmpmare.com", + "lttulzaiaoctpa7.com", + "ppyblaohb.com", + "riaaiysk.com", + "tqjhvylf.com", + "vdunsygwoktx.com", + "zmhaoyukbol6a.com" + ] + }, + "event": { + "created": "2024-09-11T09:16:33.194964Z", + "id": "0ec85c0d-68b6-4602-b26e-d0966d5e1b9d" + }, + "network": { + "flow_id": 1434780527372168, + "timestamp": "2024-09-11T09:15:25.886786Z" + }, + "observer": { + "gcap": { + "hostname": "gcap-clement-l.gatewatcher.fr", + "version": "2.5.4.0-rc1" + }, + "log_format_version": "1.0.0", + "uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f" + }, + "version": "1" + }, + "network": { + "protocol": "dns", + "transport": "udp" + }, + "observer": { + "hostname": "gcenter-clelyo-01.gatewatcher.com", + "product": "gcenter", + "vendor": "gatewatcher", + "version": "2.5.3.103" + }, + "related": { + "hosts": [ + "gcenter-clelyo-01.gatewatcher.com" + ], + "ip": [ + "202.129.215.23", + "27.0.0.227" + ] + }, + "source": { + "address": "27.0.0.227", + "ip": "27.0.0.227" + } + } + + ``` + + +=== "history.json" + + ```json + + { + "message": "{\n \"observer\": {\n \"hostname\": \"gcenter-interne-rd-56.gatewatcher.com\",\n \"product\": \"gcenter\",\n \"version\": \"2.5.3.103\",\n \"vendor\": \"gatewatcher\",\n \"log_format_version\": \"1.0.0\"\n },\n \"event\": {\n \"kind\": \"event\",\n \"dataset\": \"administration\",\n \"category\": [\n \"host\"\n ],\n \"module\": \"history\",\n \"id\": \"8223b432-7e97-4570-a29d-254f41dbb9db\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"history\": {\n \"type\": \"user\",\n \"name\": \"pierre.pocry\",\n \"id\": 18,\n \"ip\": \"192.192.32.12\",\n \"content\": {},\n \"method\": \"POST\",\n \"endpoint\": \"/gum/configuration\",\n \"code\": \"200\"\n },\n \"@timestamp\": \"2022-09-01T16:06:51.664Z\"\n}", + "event": { + "category": [ + "host" + ], + "dataset": "administration", + "kind": "event", + 
"module": "history" + }, + "@timestamp": "2022-09-01T16:06:51.664000Z", + "gatewatcher": { + "event": { + "id": "8223b432-7e97-4570-a29d-254f41dbb9db" + }, + "history": { + "code": 200, + "content": "{}", + "endpoint": "/gum/configuration", + "id": 18, + "ip": "192.192.32.12", + "method": "POST", + "name": "pierre.pocry", + "type": "user" + }, + "observer": { + "log_format_version": "1.0.0" + } + }, + "observer": { + "hostname": "gcenter-interne-rd-56.gatewatcher.com", + "product": "gcenter", + "vendor": "gatewatcher", + "version": "2.5.3.103" + }, + "related": { + "hosts": [ + "gcenter-interne-rd-56.gatewatcher.com" + ] + } + } + + ``` + + +=== "ioc.json" + + ```json + + { + "message": "{\n \"observer\": {\n \"product\": \"lastinfosec\",\n \"vendor\": \"gatewatcher\",\n \"log_format_version\": \"1.0.0\"\n },\n \"event\": {\n \"kind\": \"enrichment\",\n \"dataset\": \"ioc\",\n \"category\": [\n \"network\",\n \"threat\"\n ],\n \"module\": \"ioc\",\n \"id\": \"3713d994-1db4-40ff-abe9-2f43bac7b5fa\",\n \"created\": \"2019-10-23T05:33:54+00:00\",\n \"severity\": 2,\n \"severity_human\": \"High suspicious\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"ioc\": {\n \"tlp\": \"green\",\n \"type\": \"SHA256\",\n \"value\": \"2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4\",\n \"signature\": \"SHA256 - malware/trojan - PLEAD - BlackTech - 3713d994-1db4-40ff-abe9-2f43bac7b5fa\",\n \"description\": \"2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4 is a High suspicious SHA256.\\nThis SHA256 is linked to a malware attack of the PLEAD family and organised by BlackTech intrusion set.\\nWe advised to use this IoC in detection mode.\",\n \"relations\": [\n \"6fe8a2a1-a1b0-4af8-953d-4babd329f8f8\",\n \"b57f419e-8b12-49d3-886b-145383725dcd\"\n ],\n \"ttp\": [],\n \"families\": [\n \"PLEAD\"\n ],\n \"campaigns\": [],\n \"categories\": [\n \"malware\",\n \"trojan\"\n ],\n \"threat_actor\": [\n \"BlackTech\"\n ],\n \"targeted_sectors\": [],\n 
\"targeted_organizations\": [],\n \"targeted_platforms\": [],\n \"targeted_countries\": [],\n \"vulnerabilities\": [],\n \"kill_chain_phases\": [],\n \"meta_data\": {\n \"cwe\": [],\n \"descriptions\": [],\n \"usageMode\": \"detection\"\n },\n \"usage_mode\": \"detection\",\n \"case_id\": \"21615052-7cf3-48cd-9aff-36a61e45528c\",\n \"updated_date\": \"2023-04-07T04:10:34+00:00\",\n \"package_date\": \"2023-04-07T05:00:02.362356+0000\",\n \"creation_date\": \"2019-10-23T05:33:54+00:00\",\n \"tags\": [\n \"troj_fr.df33c1bd\",\n \"trojan.plead.win32.33\",\n \"gen:variant.graftor.598952 (b)\",\n \"generic backdoor.gy\",\n \"win32/plead.au trojan\",\n \"trojan/plead!exyhr4fe\",\n \"trojan.win32.plead.fqunov\",\n \"tr/plead.mysge\",\n \"trojan.win32.plead\",\n \"trojan ( 0055a46c1 )\",\n \"malware\",\n \"trojan.win32.plead.aa\",\n \"trojan/win32.plead\"\n ],\n \"external_links\": [\n {\n \"source_name\": \"Twitter\",\n \"url\": \"http://web.archive.org/web/20191227104253/https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html\"\n },\n {\n \"source_name\": \"Twitter\",\n \"url\": \"http://web.archive.org/web/20191206225333/https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html\"\n },\n {\n \"source_name\": \"Twitter\",\n \"url\": \"https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html\"\n },\n {\n \"source_name\": \"Twitter\",\n \"url\": \"https://twitter.com/i/web/status/1186877625295196160\"\n },\n {\n \"source_name\": \"any.run_report\",\n \"url\": \"https://any.run/report/2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4\"\n }\n ]\n }\n}", + "event": { + "category": [ + "network", + "threat" + ], + "dataset": "ioc", + "kind": "enrichment", + "module": "ioc", + "severity": 2 + }, + "gatewatcher": { + "event": { + "created": "2019-10-23T05:33:54Z", + "id": "3713d994-1db4-40ff-abe9-2f43bac7b5fa" + }, + "ioc": { + "campaigns": [], + "case_id": 
"21615052-7cf3-48cd-9aff-36a61e45528c", + "categories": [ + "malware", + "trojan" + ], + "creation_date": "2019-10-23T05:33:54Z", + "description": "2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4 is a High suspicious SHA256.\nThis SHA256 is linked to a malware attack of the PLEAD family and organised by BlackTech intrusion set.\nWe advised to use this IoC in detection mode.", + "external_links": [ + "{\"source_name\": \"Twitter\", \"url\": \"http://web.archive.org/web/20191206225333/https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html\"}", + "{\"source_name\": \"Twitter\", \"url\": \"http://web.archive.org/web/20191227104253/https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html\"}", + "{\"source_name\": \"Twitter\", \"url\": \"https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html\"}", + "{\"source_name\": \"Twitter\", \"url\": \"https://twitter.com/i/web/status/1186877625295196160\"}", + "{\"source_name\": \"any.run_report\", \"url\": \"https://any.run/report/2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4\"}" + ], + "families": [ + "PLEAD" + ], + "kill_chain_phases": [], + "meta_data": { + "cwe": [], + "descriptions": [], + "usageMode": "detection" + }, + "package_date": "2023-04-07T05:00:02.362356Z", + "relations": [ + "6fe8a2a1-a1b0-4af8-953d-4babd329f8f8", + "b57f419e-8b12-49d3-886b-145383725dcd" + ], + "signature": "SHA256 - malware/trojan - PLEAD - BlackTech - 3713d994-1db4-40ff-abe9-2f43bac7b5fa", + "tags": [ + "gen:variant.graftor.598952 (b)", + "generic backdoor.gy", + "malware", + "tr/plead.mysge", + "troj_fr.df33c1bd", + "trojan ( 0055a46c1 )", + "trojan.plead.win32.33", + "trojan.win32.plead", + "trojan.win32.plead.aa", + "trojan.win32.plead.fqunov", + "trojan/plead!exyhr4fe", + "trojan/win32.plead", + "win32/plead.au trojan" + ], + "targeted_countries": [], + "targeted_organizations": [], + "targeted_platforms": [], + "targeted_sectors": 
[], + "threat_actor": [ + "BlackTech" + ], + "updated_date": "2023-04-07T04:10:34Z", + "usage_mode": "detection" + }, + "observer": { + "log_format_version": "1.0.0" + } + }, + "observer": { + "product": "lastinfosec", + "vendor": "gatewatcher" + }, + "threat": { + "indicator": { + "marking": { + "tlp": "green" + }, + "name": "2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4", + "type": "SHA256" + } + } + } + + ``` + + +=== "malcore_event.json" + + ```json + + { + "message": "{\n \"observer\": {\n \"vendor\": \"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"source\": {\n \"port\": 80,\n \"ip\": \"202.129.215.251\"\n },\n \"file\": {\n \"magic\": \"Macromedia Flash data (compressed), version 13\",\n \"sid\": [\n 1100020\n ],\n \"hash\": {\n \"sha256\": \"6d3a6e2c771ab1a3721235ed3b3c4a2c3013290564272bcb6fbc9a15be79278b\"\n },\n \"name\": \"/\",\n \"file_id\": 219,\n \"tx_id\": 2,\n \"state\": \"CLOSED\",\n \"gaps\": false,\n \"size\": 55351,\n \"stored\": true\n },\n \"@timestamp\": \"2024-09-11T09:31:00.111583612Z\",\n \"malcore\": {\n \"file_type\": \"application/x-shockwave-flash\",\n \"analyzers_up\": 16,\n \"analyzed_clean\": 9,\n \"engines_last_update_date\": \"2024-09-03T17:15:00Z\",\n \"state\": \"Infected\",\n \"total_found\": \"3/16\",\n \"detail_scan_time\": 373,\n \"reporting_token\": \"\",\n \"analyzed_infected\": 3,\n \"detail_threat_found\": \"Infected : EXP/Flash.EB.502, SWF/Exploit, Exploit.Flash\",\n \"analyzed_suspicious\": 0,\n \"analyzed_error\": 0,\n \"processing_time\": 1576,\n \"engine_id\": {\n \"5\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"c18ab9n\"\n 
},\n \"8\": {\n \"scan_result\": \"INFECTED\",\n \"threat_details\": \"Exploit.Flash\",\n \"id\": \"ib54e9s\"\n },\n \"4\": {\n \"scan_result\": \"UNSUPPORTED_FILE_TYPE\",\n \"threat_details\": \"\",\n \"id\": \"c10195e\"\n },\n \"14\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"t3114fn\"\n },\n \"13\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"sde882s\"\n },\n \"9\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"kfb8487\"\n },\n \"12\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"qb9308l\"\n },\n \"10\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"mb2b5fe\"\n },\n \"0\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"a32935b\"\n },\n \"15\": {\n \"scan_result\": \"UNSUPPORTED_FILE_TYPE\",\n \"threat_details\": \"\",\n \"id\": \"we9a17t\"\n },\n \"6\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"c81e55c\"\n },\n \"7\": {\n \"scan_result\": \"NOT_SCANNED\",\n \"threat_details\": \"\",\n \"id\": \"e83bf1t\"\n },\n \"3\": {\n \"scan_result\": \"CLEAN\",\n \"threat_details\": \"\",\n \"id\": \"b557a5r\"\n },\n \"1\": {\n \"scan_result\": \"INFECTED\",\n \"threat_details\": \"EXP/Flash.EB.502\",\n \"id\": \"acf9bba\"\n },\n \"11\": {\n \"scan_result\": \"NOT_SCANNED\",\n \"threat_details\": \"Unavailable (permanently_failed)\",\n \"id\": \"n00000e\"\n },\n \"2\": {\n \"scan_result\": \"INFECTED\",\n \"threat_details\": \"SWF/Exploit\",\n \"id\": \"af7872b\"\n }\n },\n \"detail_wait_time\": 660,\n \"file_type_description\": \"Macromedia Flash Player\",\n \"code\": 1,\n \"magic_details\": \"Macromedia Flash data (compressed), version 13\",\n \"analyzed_other\": 4\n },\n \"@version\": \"1\",\n \"network\": {\n \"protocol\": \"http\",\n \"timestamp\": \"2024-09-11T09:15:23.329615+0000\",\n \"transport\": \"tcp\",\n \"flow_id\": 1779492455056060\n },\n \"destination\": {\n \"port\": 
47858,\n \"ip\": \"27.0.0.144\"\n },\n \"url\": {\n \"domain\": \"chunky.enchantingweddingsandevents.co.uk\",\n \"path\": \"/?q=&g=BDvv&y=enL16_6s_&s=t5qV-&e=_b_J--DqR&w=C2pZhaRyfn3uVT_v5Sfgs\"\n },\n \"user_agent\": {\n \"original\": \"Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"http\": {\n \"request\": {\n \"method\": \"GET\"\n },\n \"hostname\": \"chunky.enchantingweddingsandevents.co.uk\",\n \"version\": \"HTTP/1.1\",\n \"http_refer\": \"http://chunky.enchantingweddingsandevents.co.uk/topic/03251-esplanade-interoperability-fuchsias-renegotiate-percent-youngster-trounced/\",\n \"response\": {\n \"status\": 200,\n \"mime_type\": \"application/x-shockwave-flash\",\n \"bytes\": 55351\n }\n },\n \"event\": {\n \"id\": \"7c4e2a77-3481-4201-8247-889fe0718ed8\",\n \"kind\": \"alert\",\n \"module\": \"malcore\",\n \"severity\": 1,\n \"category\": [\n \"network\",\n \"file\"\n ],\n \"created\": \"2024-09-11T09:15:23.329615+0000\",\n \"dataset\": \"alert\"\n }\n}", + "event": { + "category": [ + "file", + "network" + ], + "dataset": "alert", + "kind": "alert", + "module": "malcore", + "severity": 1 + }, + "@timestamp": "2024-09-11T09:31:00.111583Z", + "destination": { + "address": "27.0.0.144", + "ip": "27.0.0.144", + "port": 47858 + }, + "file": { + "hash": { + "sha256": "6d3a6e2c771ab1a3721235ed3b3c4a2c3013290564272bcb6fbc9a15be79278b" + }, + "name": "/", + "size": 55351 + }, + "gatewatcher": { + "event": { + "created": "2024-09-11T09:15:23.329615Z", + "id": "7c4e2a77-3481-4201-8247-889fe0718ed8" + }, + "file": { + "file_id": 219, + "gaps": false, + "magic": "Macromedia Flash data (compressed), version 13", + "sid": [ + "1100020" + ], + "state": "CLOSED", + "stored": true, + "tx_id": 2 + }, + "http": { + "hostname": "chunky.enchantingweddingsandevents.co.uk", + "http_refer": 
"http://chunky.enchantingweddingsandevents.co.uk/topic/03251-esplanade-interoperability-fuchsias-renegotiate-percent-youngster-trounced/" + }, + "malcore": { + "analyzed_clean": 9, + "analyzed_error": 0, + "analyzed_infected": 3, + "analyzed_other": 4, + "analyzed_suspicious": 0, + "analyzers_up": 16, + "code": 1, + "detail_scan_time": 373, + "detail_threat_found": "Infected : EXP/Flash.EB.502, SWF/Exploit, Exploit.Flash", + "detail_wait_time": 660, + "engine_id": "{\"0\": {\"id\": \"a32935b\", \"scan_result\": \"CLEAN\", \"threat_details\": \"\"}, \"1\": {\"id\": \"acf9bba\", \"scan_result\": \"INFECTED\", \"threat_details\": \"EXP/Flash.EB.502\"}, \"10\": {\"id\": \"mb2b5fe\", \"scan_result\": \"CLEAN\", \"threat_details\": \"\"}, \"11\": {\"id\": \"n00000e\", \"scan_result\": \"NOT_SCANNED\", \"threat_details\": \"Unavailable (permanently_failed)\"}, \"12\": {\"id\": \"qb9308l\", \"scan_result\": \"CLEAN\", \"threat_details\": \"\"}, \"13\": {\"id\": \"sde882s\", \"scan_result\": \"CLEAN\", \"threat_details\": \"\"}, \"14\": {\"id\": \"t3114fn\", \"scan_result\": \"CLEAN\", \"threat_details\": \"\"}, \"15\": {\"id\": \"we9a17t\", \"scan_result\": \"UNSUPPORTED_FILE_TYPE\", \"threat_details\": \"\"}, \"2\": {\"id\": \"af7872b\", \"scan_result\": \"INFECTED\", \"threat_details\": \"SWF/Exploit\"}, \"3\": {\"id\": \"b557a5r\", \"scan_result\": \"CLEAN\", \"threat_details\": \"\"}, \"4\": {\"id\": \"c10195e\", \"scan_result\": \"UNSUPPORTED_FILE_TYPE\", \"threat_details\": \"\"}, \"5\": {\"id\": \"c18ab9n\", \"scan_result\": \"CLEAN\", \"threat_details\": \"\"}, \"6\": {\"id\": \"c81e55c\", \"scan_result\": \"CLEAN\", \"threat_details\": \"\"}, \"7\": {\"id\": \"e83bf1t\", \"scan_result\": \"NOT_SCANNED\", \"threat_details\": \"\"}, \"8\": {\"id\": \"ib54e9s\", \"scan_result\": \"INFECTED\", \"threat_details\": \"Exploit.Flash\"}, \"9\": {\"id\": \"kfb8487\", \"scan_result\": \"CLEAN\", \"threat_details\": \"\"}}", + "engines_last_update_date": 
"2024-09-03T17:15:00Z", + "file_type": "application/x-shockwave-flash", + "file_type_description": "Macromedia Flash Player", + "magic_details": "Macromedia Flash data (compressed), version 13", + "processing_time": 1576, + "state": "Infected", + "total_found": "3/16" + }, + "network": { + "flow_id": 1779492455056060, + "timestamp": "2024-09-11T09:15:23.329615Z" + }, + "observer": { + "gcap": { + "hostname": "gcap-clement-l.gatewatcher.fr", + "ingress": { + "interface": { + "name": "monvirt" + } + }, + "version": "2.5.4.0-rc1" + }, + "log_format_version": "1.0.0", + "uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f" + }, + "version": "1" + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "bytes": 55351, + "mime_type": "application/x-shockwave-flash", + "status_code": 200 + }, + "version": "HTTP/1.1" + }, + "network": { + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "hostname": "gcenter-clelyo-01.gatewatcher.com", + "product": "gcenter", + "vendor": "gatewatcher", + "version": "2.5.3.103" + }, + "related": { + "hash": [ + "6d3a6e2c771ab1a3721235ed3b3c4a2c3013290564272bcb6fbc9a15be79278b" + ], + "hosts": [ + "chunky.enchantingweddingsandevents.co.uk", + "gcenter-clelyo-01.gatewatcher.com" + ], + "ip": [ + "202.129.215.251", + "27.0.0.144" + ] + }, + "source": { + "address": "202.129.215.251", + "ip": "202.129.215.251", + "port": 80 + }, + "url": { + "domain": "chunky.enchantingweddingsandevents.co.uk", + "path": "/?q=&g=BDvv&y=enL16_6s_&s=t5qV-&e=_b_J--DqR&w=C2pZhaRyfn3uVT_v5Sfgs", + "registered_domain": "enchantingweddingsandevents.co.uk", + "subdomain": "chunky", + "top_level_domain": "co.uk" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "IE", + "original": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko", + "os": { + "name": "Windows", + "version": "7" + }, + "version": "11.0" + } + } + + ``` + + +=== "metadata.json" + + ```json + + { + "message": "{\n \"observer\": {\n \"vendor\": 
\"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"source\": {\n \"mac\": \"00:50:56:91:85:03\",\n \"port\": 56098,\n \"ip\": \"10.2.19.131\"\n },\n \"metadata\": {\n \"flowbits\": [\n \"min.gethttp\",\n \"exe.no.referer\",\n \"ET.http.binary\"\n ]\n },\n \"@timestamp\": \"2024-09-12T13:24:51.231Z\",\n \"@version\": \"1\",\n \"network\": {\n \"protocol\": \"http\",\n \"community_id\": \"1:X+96B6BxVtmLT4rsbtdZeemyV0M=\",\n \"timestamp\": \"2024-09-12T13:24:15.978904+0000\",\n \"transport\": \"tcp\",\n \"tx_id\": 6,\n \"flow_id\": 803295979358070\n },\n \"destination\": {\n \"mac\": \"00:09:0f:09:00:12\",\n \"port\": 80,\n \"ip\": \"10.2.10.205\"\n },\n \"url\": {\n \"path\": \"/FireInstaller4.exe\"\n },\n \"user_agent\": {\n \"original\": \"nghttp2/1.43.0\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"http\": {\n \"request_headers\": [\n {\n \"name\": \":method\",\n \"value\": \"GET\"\n },\n {\n \"name\": \":path\",\n \"value\": \"/FireInstaller4.exe\"\n },\n {\n \"name\": \":scheme\",\n \"value\": \"http\"\n },\n {\n \"name\": \":authority\",\n \"value\": \"10.2.10.205\"\n },\n {\n \"name\": \"accept\",\n \"value\": \"*/*\"\n },\n {\n \"name\": \"accept-encoding\",\n \"value\": \"gzip, deflate\"\n },\n {\n \"name\": \"user-agent\",\n \"value\": \"nghttp2/1.43.0\"\n }\n ],\n \"http2\": {\n \"request\": {\n \"priority\": 15\n },\n \"stream_id\": 13,\n \"response\": {}\n },\n \"request\": {\n \"method\": \"GET\"\n },\n \"response_headers\": [\n {\n \"name\": \":status\",\n \"value\": \"200\"\n },\n {\n \"name\": \"server\",\n \"value\": \"nginx/1.25.2\"\n },\n {\n \"name\": \"date\",\n \"value\": \"Mon, 08 Jan 2024 
15:27:20 GMT\"\n },\n {\n \"name\": \"content-type\",\n \"value\": \"text/plain\"\n },\n {\n \"name\": \"content-length\",\n \"value\": \"319824\"\n },\n {\n \"name\": \"last-modified\",\n \"value\": \"Mon, 08 Jan 2024 15:21:12 GMT\"\n },\n {\n \"name\": \"etag\",\n \"value\": \"\\\"659c12e8-4e150\\\"\"\n },\n {\n \"name\": \"accept-ranges\",\n \"value\": \"bytes\"\n }\n ],\n \"version\": \"2\",\n \"response\": {\n \"status\": 200,\n \"bytes\": 319824\n }\n },\n \"event\": {\n \"kind\": \"event\",\n \"module\": \"sigflow_http\",\n \"category\": [\n \"network\"\n ],\n \"created\": \"2024-09-12T13:24:15.978904+0000\",\n \"dataset\": \"network_metadata\",\n \"id\": \"78681613-57af-4e10-b732-58f5d2e0ae12\"\n }\n}", + "event": { + "category": [ + "network" + ], + "dataset": "network_metadata", + "kind": "event", + "module": "sigflow_http" + }, + "@timestamp": "2024-09-12T13:24:51.231000Z", + "destination": { + "address": "10.2.10.205", + "ip": "10.2.10.205", + "mac": "00:09:0f:09:00:12", + "port": 80 + }, + "gatewatcher": { + "event": { + "created": "2024-09-12T13:24:15.978904Z", + "id": "78681613-57af-4e10-b732-58f5d2e0ae12" + }, + "http": { + "http2": "{\"request\": {\"priority\": 15}, \"response\": {}, \"stream_id\": 13}" + }, + "metadata": { + "flowbits": [ + "ET.http.binary", + "exe.no.referer", + "min.gethttp" + ] + }, + "network": { + "flow_id": 803295979358070, + "timestamp": "2024-09-12T13:24:15.978904Z", + "tx_id": 6 + }, + "observer": { + "gcap": { + "hostname": "gcap-clement-l.gatewatcher.fr", + "ingress": { + "interface": { + "name": "monvirt" + } + }, + "version": "2.5.4.0-rc1" + }, + "log_format_version": "1.0.0", + "uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f" + }, + "version": "1" + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "bytes": 319824, + "status_code": 200 + }, + "version": "2" + }, + "network": { + "community_id": "1:X+96B6BxVtmLT4rsbtdZeemyV0M=", + "protocol": "http", + "transport": "tcp" + }, + "observer": { + 
"hostname": "gcenter-clelyo-01.gatewatcher.com", + "product": "gcenter", + "vendor": "gatewatcher", + "version": "2.5.3.103" + }, + "related": { + "hosts": [ + "gcenter-clelyo-01.gatewatcher.com" + ], + "ip": [ + "10.2.10.205", + "10.2.19.131" + ] + }, + "source": { + "address": "10.2.19.131", + "ip": "10.2.19.131", + "mac": "00:50:56:91:85:03", + "port": 56098 + }, + "url": { + "path": "/FireInstaller4.exe" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "nghttp2/1.43.0", + "os": { + "name": "Other" + } + } + } + + ``` + + +=== "metadata_fileinfo.json" + + ```json + + { + "message": "{\n \"observer\": {\n \"vendor\": \"gatewatcher\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\",\n \"version\": \"2.5.4.0-rc1\"\n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"source\": {\n \"port\": 80,\n \"ip\": \"56.53.117.115\"\n },\n \"file\": {\n \"magic\": \"PDF document, version 1.5\",\n \"sid\": [\n 1100008\n ],\n \"hash\": {\n \"sha256\": \"50c561f1e32cb1990a3050015088713e657f0081ba774dda2f9fcef828dcf703\"\n },\n \"name\": \"/malcore_10KB_clean.pdf\",\n \"file_id\": 224,\n \"tx_id\": 0,\n \"state\": \"CLOSED\",\n \"gaps\": false,\n \"size\": 10456,\n \"stored\": true\n },\n \"@timestamp\": \"2024-09-11T13:56:19.010Z\",\n \"@version\": \"1\",\n \"network\": {\n \"protocol\": \"http\",\n \"timestamp\": \"2024-09-11T13:55:51.326090+0000\",\n \"transport\": \"tcp\",\n \"flow_id\": 1331841998458539\n },\n \"destination\": {\n \"port\": 62832,\n \"ip\": \"65.100.113.120\"\n },\n \"url\": {\n \"domain\": \"56.53.117.115\",\n \"path\": \"/malcore_10KB_clean.pdf\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"http\": {\n \"request\": {\n \"method\": \"GET\"\n },\n \"hostname\": 
\"56.53.117.115\",\n \"version\": \"HTTP/1.1\",\n \"response\": {\n \"status\": 200,\n \"mime_type\": \"application/pdf\",\n \"bytes\": 10456\n }\n },\n \"event\": {\n \"kind\": \"event\",\n \"module\": \"sigflow_file\",\n \"category\": [\n \"network\",\n \"file\"\n ],\n \"created\": \"2024-09-11T13:55:51.326090+0000\",\n \"dataset\": \"network_metadata\",\n \"id\": \"d66539e6-825e-4516-8c8c-2778dd6d9358\"\n }\n}", + "event": { + "category": [ + "file", + "network" + ], + "dataset": "network_metadata", + "kind": "event", + "module": "sigflow_file" + }, + "@timestamp": "2024-09-11T13:56:19.010000Z", + "destination": { + "address": "65.100.113.120", + "ip": "65.100.113.120", + "port": 62832 + }, + "file": { + "hash": { + "sha256": "50c561f1e32cb1990a3050015088713e657f0081ba774dda2f9fcef828dcf703" + }, + "name": "/malcore_10KB_clean.pdf", + "size": 10456 + }, + "gatewatcher": { + "event": { + "created": "2024-09-11T13:55:51.326090Z", + "id": "d66539e6-825e-4516-8c8c-2778dd6d9358" + }, + "file": { + "file_id": 224, + "gaps": false, + "magic": "PDF document, version 1.5", + "sid": [ + "1100008" + ], + "state": "CLOSED", + "stored": true, + "tx_id": 0 + }, + "http": { + "hostname": "56.53.117.115" + }, + "network": { + "flow_id": 1331841998458539, + "timestamp": "2024-09-11T13:55:51.326090Z" + }, + "observer": { + "gcap": { + "hostname": "gcap-clement-l.gatewatcher.fr", + "ingress": { + "interface": { + "name": "monvirt" + } + }, + "version": "2.5.4.0-rc1" + }, + "log_format_version": "1.0.0", + "uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f" + }, + "version": "1" + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "bytes": 10456, + "mime_type": "application/pdf", + "status_code": 200 + }, + "version": "HTTP/1.1" + }, + "network": { + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "hostname": "gcenter-clelyo-01.gatewatcher.com", + "product": "gcenter", + "vendor": "gatewatcher", + "version": "2.5.3.103" + }, + "related": { + "hash": [ 
+ "50c561f1e32cb1990a3050015088713e657f0081ba774dda2f9fcef828dcf703" + ], + "hosts": [ + "56.53.117.115", + "gcenter-clelyo-01.gatewatcher.com" + ], + "ip": [ + "56.53.117.115", + "65.100.113.120" + ] + }, + "source": { + "address": "56.53.117.115", + "ip": "56.53.117.115", + "port": 80 + }, + "url": { + "domain": "56.53.117.115", + "path": "/malcore_10KB_clean.pdf" + } + } + + ``` + + +=== "nba.json" + + ```json + + { + "message": "{\n \"observer\": {\n \"hostname\": \"gcenter-interne-rd-56.gatewatcher.com\",\n \"product\": \"gcenter\",\n \"version\": \"2.5.3.103\",\n \"vendor\": \"gatewatcher\",\n \"gcap\": {\n \"hostname\": \"gcap-interne-rd-55.gatewatcher.com\",\n \"version\": \"2.5.3.107\",\n \"ingress\": {\n \"interface\": {\n \"name\": \"mon0\"\n }\n }\n },\n \"log_format_version\": \"1.0.0\"\n },\n \"event\": {\n \"kind\": \"alert\",\n \"dataset\": \"alert\",\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"module\": \"network_behavior_analytics\",\n \"created\": \"2022-09-01T16:06:15.605Z\",\n \"id\": \"730a47f1-f7b1-4faa-9d61-8a41d7b138ed\",\n \"severity\": 2\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"network\": {\n \"transport\": \"tcp\",\n \"protocol\": \"http\",\n \"flow_id\": 2071994639527866,\n \"community_id\": \"1:Q22WBDRnlyCXH/Y/pcypXCr+nJc=\",\n \"timestamp\": \"2022-09-01T16:06:15.605Z\",\n \"tx_id\": 0\n },\n \"source\": {\n \"ip\": \"10.2.6.250\",\n \"port\": 50886,\n \"mac\": \"00:50:56:91:73:14\"\n },\n \"destination\": {\n \"ip\": \"13.107.4.52\",\n \"port\": 80,\n \"mac\": \"00:08:e3:ff:fc:28\"\n },\n \"nba\": {\n \"packet\": \"AAjj//woAFBWkXMUCABFAAAo6pNAAEAGLaIKAgb6DWsENMbGAFBecku30OsVlVAQAfUzhAAAAAAAAAAA\",\n \"payload\": \"R0VUIC9jb25uZWN0dGVzdC50eHQgSFRUUC8xLjENClByYWdtYTogbm8tY2FjaGUNClVzZXItQWdlbnQ6IE1pY3Jvc29mdCBOQ1NJDQpIb3N0OiB3d3cubXNmdGNvbm5lY3R0ZXN0LmNvbQ0KQ2FjaGUtQ29udHJvbDogbm8tY2FjaGUNCkNvbm5lY3Rpb246IGtlZXAtYWxpdmUNCg0K\",\n \"payload_printable\": \"GET /connecttest.txt HTTP/1.1\\r\\nPragma: 
no-cache\\r\\nUser-Agent: Microsoft NCSI\\r\\nHost: www.msftconnecttest.com\\r\\nCache-Control: no-cache\\r\\nConnection: keep-alive\\r\\n\\r\\n\",\n \"signature_id\": 2031071,\n \"gid\": 1,\n \"category\": \"Network Behavior Analytics\",\n \"action\": \"allowed\",\n \"signature\": \"NBA C&C tracker : cobalt strike tcp initialization\",\n \"metadata\": {\n \"performance_impact\": [\n \"High\"\n ],\n \"signature_severity\": [\n \"CRITICAL\"\n ]\n },\n \"rev\": 1,\n \"stream\": 1\n },\n \"http\": {\n \"url\": \"/connecttest.txt\",\n \"http_user_agent\": \"Microsoft NCSI\",\n \"version\": \"HTTP/1.1\",\n \"hostname\": \"www.msftconnecttest.com\",\n \"request\": {\n \"method\": \"GET\"\n },\n \"response\": {\n \"bytes\": 22,\n \"status_code\": 200,\n \"mime_type\": \"text/plain\"\n }\n },\n \"url\": {\n \"domain\": \"www.msftconnecttest.com\",\n \"path\": \"/connecttest.txt\"\n },\n \"user_agent\": {\n \"original\": \"Microsoft NCSI\"\n },\n \"packet_info\": {\n \"linktype\": 1\n },\n \"flow\": {\n \"bytes_toclient\": 700,\n \"pkts_toclient\": 3,\n \"bytes_toserver\": 407,\n \"pkts_toserver\": 4,\n \"start\": \"2022-09-01T16:06:15.602042+0000\"\n },\n \"@version\": \"1\",\n \"@timestamp\": \"2022-09-01T16:06:51.664Z\"\n}", + "event": { + "category": [ + "intrusion_detection", + "network" + ], + "dataset": "alert", + "kind": "alert", + "module": "network_behavior_analytics", + "severity": 2 + }, + "@timestamp": "2022-09-01T16:06:51.664000Z", + "destination": { + "address": "13.107.4.52", + "ip": "13.107.4.52", + "mac": "00:08:e3:ff:fc:28", + "port": 80 + }, + "gatewatcher": { + "event": { + "created": "2022-09-01T16:06:15.605000Z", + "id": "730a47f1-f7b1-4faa-9d61-8a41d7b138ed" + }, + "flow": { + "bytes_toclient": 700, + "bytes_toserver": 407, + "pkts_toclient": 3, + "pkts_toserver": 4, + "start": "2022-09-01T16:06:15.602042Z" + }, + "http": { + "hostname": "www.msftconnecttest.com" + }, + "nba": { + "action": "allowed", + "category": "Network Behavior Analytics", + 
"gid": "1", + "metadata": { + "performance_impact": [ + "High" + ], + "signature_severity": [ + "CRITICAL" + ] + }, + "packet": "AAjj//woAFBWkXMUCABFAAAo6pNAAEAGLaIKAgb6DWsENMbGAFBecku30OsVlVAQAfUzhAAAAAAAAAAA", + "payload": "R0VUIC9jb25uZWN0dGVzdC50eHQgSFRUUC8xLjENClByYWdtYTogbm8tY2FjaGUNClVzZXItQWdlbnQ6IE1pY3Jvc29mdCBOQ1NJDQpIb3N0OiB3d3cubXNmdGNvbm5lY3R0ZXN0LmNvbQ0KQ2FjaGUtQ29udHJvbDogbm8tY2FjaGUNCkNvbm5lY3Rpb246IGtlZXAtYWxpdmUNCg0K", + "payload_printable": "GET /connecttest.txt HTTP/1.1\r\nPragma: no-cache\r\nUser-Agent: Microsoft NCSI\r\nHost: www.msftconnecttest.com\r\nCache-Control: no-cache\r\nConnection: keep-alive\r\n\r\n", + "rev": "1", + "signature": "NBA C&C tracker : cobalt strike tcp initialization", + "signature_id": "2031071", + "stream": "1" + }, + "network": { + "flow_id": 2071994639527866, + "timestamp": "2022-09-01T16:06:15.605000Z", + "tx_id": 0 + }, + "observer": { + "gcap": { + "hostname": "gcap-interne-rd-55.gatewatcher.com", + "ingress": { + "interface": { + "name": "mon0" + } + }, + "version": "2.5.3.107" + }, + "log_format_version": "1.0.0" + }, + "version": "1" + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "bytes": 22, + "mime_type": "text/plain" + }, + "version": "HTTP/1.1" + }, + "network": { + "community_id": "1:Q22WBDRnlyCXH/Y/pcypXCr+nJc=", + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "hostname": "gcenter-interne-rd-56.gatewatcher.com", + "product": "gcenter", + "vendor": "gatewatcher", + "version": "2.5.3.103" + }, + "related": { + "hosts": [ + "gcenter-interne-rd-56.gatewatcher.com", + "www.msftconnecttest.com" + ], + "ip": [ + "10.2.6.250", + "13.107.4.52" + ] + }, + "source": { + "address": "10.2.6.250", + "ip": "10.2.6.250", + "mac": "00:50:56:91:73:14", + "port": 50886 + }, + "url": { + "domain": "www.msftconnecttest.com", + "path": "/connecttest.txt", + "registered_domain": "msftconnecttest.com", + "subdomain": "www", + "top_level_domain": "com" + }, + "user_agent": { + 
"device": { + "name": "Other" + }, + "name": "Other", + "original": "Microsoft NCSI", + "os": { + "name": "Other" + } + } + } + + ``` + + +=== "ransomware.json" + + ```json + + { + "message": "{\n \"source\": {\n \"ip\": \"172.31.47.105\",\n \"port\": 50066\n },\n \"event\": {\n \"created\": \"2024-09-13T09:11:20.223813+00:00\",\n \"dataset\": \"alert\",\n \"end\": \"2024-09-13T09:09:11.988000\",\n \"module\": \"ransomware_detect\",\n \"kind\": \"alert\",\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"start\": \"2024-09-13T09:08:51.988000\",\n \"id\": \"f357f7d1-e322-4f67-b798-50d05f54204b\",\n \"severity\": 1\n },\n \"observer\": {\n \"product\": \"gcenter\",\n \"log_format_version\": \"1.0.0\",\n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\",\n \"vendor\": \"gatewatcher\",\n \"gcap\": {\n \"ingress\": {\n \"interface\": {\n \"name\": \"monvirt\"\n }\n },\n \"version\": \"2.5.4.0-rc1\",\n \"hostname\": \"gcap-clement-l.gatewatcher.fr\"\n },\n \"version\": \"2.5.3.103\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\"\n },\n \"destination\": {\n \"ip\": \"172.31.33.0\",\n \"port\": 445\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"ransomware\": {\n \"alert_threshold\": 648,\n \"malicious_behavior_confidence\": 80,\n \"session_score\": 37\n },\n \"@timestamp\": \"2024-09-13T09:11:39.629080222Z\",\n \"smb\": {\n \"session_id\": 593737889611873\n },\n \"network\": {\n \"protocol\": \"smb\",\n \"flow_id\": 1465670492342121,\n \"transport\": \"tcp\",\n \"timestamp\": \"2024-09-13T09:08:44.877000+00:00\",\n \"community_id\": \"1:RA5iYDlaiu3WMutFLj5r//rbk34=\"\n },\n \"@version\": \"1\"\n}", + "event": { + "category": [ + "intrusion_detection", + "network" + ], + "dataset": "alert", + "kind": "alert", + "module": "ransomware_detect", + "severity": 1 + }, + "@timestamp": "2024-09-13T09:11:39.629080Z", + "destination": { + "address": "172.31.33.0", + "ip": "172.31.33.0", + "port": 445 + }, + "gatewatcher": { + "event": { + "created": 
"2024-09-13T09:11:20.223813Z", + "id": "f357f7d1-e322-4f67-b798-50d05f54204b" + }, + "network": { + "flow_id": 1465670492342121, + "timestamp": "2024-09-13T09:08:44.877000Z" + }, + "observer": { + "gcap": { + "hostname": "gcap-clement-l.gatewatcher.fr", + "ingress": { + "interface": { + "name": "monvirt" + } + }, + "version": "2.5.4.0-rc1" + }, + "log_format_version": "1.0.0", + "uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f" + }, + "ransomware": { + "alert_threshold": "648", + "malicious_behavior_confidence": "80", + "session_score": "37" + }, + "smb": { + "session_id": 593737889611873 + }, + "version": "1" + }, + "network": { + "community_id": "1:RA5iYDlaiu3WMutFLj5r//rbk34=", + "protocol": "smb", + "transport": "tcp" + }, + "observer": { + "hostname": "gcenter-clelyo-01.gatewatcher.com", + "product": "gcenter", + "vendor": "gatewatcher", + "version": "2.5.3.103" + }, + "related": { + "hosts": [ + "gcenter-clelyo-01.gatewatcher.com" + ], + "ip": [ + "172.31.33.0", + "172.31.47.105" + ] + }, + "source": { + "address": "172.31.47.105", + "ip": "172.31.47.105", + "port": 50066 + } + } + + ``` + + +=== "retrohunt.json" + + ```json + + { + "message": "{\n \"observer\": {\n \"id\": \"\"\n },\n \"event\": {\n \"kind\": \"alert\",\n \"dataset\": \"alert\",\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"module\": \"retrohunt\",\n \"created\": \"2022-12-14T09:51:30.455Z\",\n \"id\": \"8223b432-7e97-4570-a29d-254f41dbb9db\",\n \"severity\": 2\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"network\": {\n \"ether\": \"\"\n },\n \"source\": {\n \"ip\": \"127.0.0.1\",\n \"port\": \"80\"\n },\n \"destination\": {\n \"ip\": \"127.0.0.1\",\n \"port\": \"8080\"\n },\n \"matched_event\": {\n \"id\": \"1\"\n },\n \"ioc\": {\n \"id\": \"1\"\n },\n \"@timestamp\": \"2022-09-01T12:49:07.749Z\"\n}", + "event": { + "category": [ + "intrusion_detection", + "network" + ], + "dataset": "alert", + "kind": "alert", + "module": "retrohunt", + "severity": 2 + }, + 
"@timestamp": "2022-09-01T12:49:07.749000Z", + "destination": { + "address": "127.0.0.1", + "ip": "127.0.0.1", + "port": 8080 + }, + "gatewatcher": { + "event": { + "created": "2022-12-14T09:51:30.455000Z", + "id": "8223b432-7e97-4570-a29d-254f41dbb9db" + }, + "matched_event": { + "id": "1" + } + }, + "related": { + "ip": [ + "127.0.0.1" + ] + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1", + "port": 80 + } + } + + ``` + + +=== "sigflow_alert.json" + + ```json + + { + "message": "{ \n \"observer\": { \n \"vendor\": \"gatewatcher\", \n \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\", \n \"gcap\": { \n \"ingress\": { \n \"interface\": { \n \"name\": \"monvirt\" \n } \n }, \n \"hostname\": \"gcap-clement-l.gatewatcher.fr\", \n \"version\": \"2.5.4.0-rc1\" \n },\n \"version\": \"2.5.3.103\",\n \"log_format_version\": \"1.0.0\",\n \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\",\n \"product\": \"gcenter\"\n },\n \"source\": {\n \"mac\": \"00:6f:37:76:51:45\",\n \"port\": 62832,\n \"ip\": \"65.100.113.120\"\n },\n \"metadata\": {\n \"flowbits\": [\n \"http.dottedquadhost.pdf\"\n ]\n },\n \"@timestamp\": \"2024-09-11T13:55:34.006Z\",\n \"@version\": \"1\",\n \"network\": {\n \"protocol\": \"http\",\n \"community_id\": \"1:8T6+TppVoaMkXwi+BTjnzAYozVc=\",\n \"timestamp\": \"2024-09-11T13:55:01.080901+0000\",\n \"transport\": \"tcp\",\n \"tx_id\": 0,\n \"flow_id\": 1331841998337663\n },\n \"destination\": {\n \"mac\": \"00:43:70:57:75:55\",\n \"port\": 80,\n \"ip\": \"56.53.117.115\"\n },\n \"flow\": {\n \"bytes_toclient\": 1362,\n \"bytes_toserver\": 358,\n \"pkts_toclient\": 3,\n \"start\": \"2024-09-11T13:55:01.079487+0000\",\n \"pkts_toserver\": 4\n },\n \"url\": {\n \"domain\": \"56.53.117.115\",\n \"path\": \"/malcore_10KB_clean.pdf\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"http\": {\n \"request\": {\n \"method\": \"GET\"\n },\n \"hostname\": \"56.53.117.115\",\n \"version\": \"HTTP/1.1\",\n \"response\": {\n \"status\": 200,\n 
\"mime_type\": \"application/pdf\",\n \"bytes\": 1135\n }\n },\n \"sigflow\": {\n \"action\": \"allowed\",\n \"metadata\": {\n \"signature_severity\": [\n \"Informational\"\n ],\n \"attack_target\": [\n \"Client_Endpoint\"\n ],\n \"created_at\": [\n \"2019_04_23\"\n ],\n \"deployment\": [\n \"Perimeter\"\n ],\n \"performance_impact\": [\n \"Significant\"\n ],\n \"updated_at\": [\n \"2022_11_21\"\n ]\n },\n \"signature\": \"ET INFO Dotted Quad Host PDF Request\",\n \"payload_printable\": \"GET /malcore_10KB_clean.pdf HTTP/1.1\\r\\nHost: 56.53.117.115\\r\\nAccept-Encoding: gzip,compress,deflate\\r\\nKeep-Alive: 300\\r\\nConnection: keep-alive\\r\\n\\r\\n\",\n \"packet\": \"AENwV3VVAG83dlFFCABFAAAoAAEAAEAGGktBZHF4ODV1c/VwAFAa9wCtFhR7nlAQIACMOAAA\",\n \"stream\": 1,\n \"signature_id\": 2027265,\n \"rev\": 4,\n \"category\": \"Potentially Bad Traffic\",\n \"gid\": 1,\n \"packet_info\": {\n \"linktype\": 1\n },\n \"payload\": \"R0VUIC9tYWxjb3JlXzEwS0JfY2xlYW4ucGRmIEhUVFAvMS4xDQpIb3N0OiA1Ni41My4xMTcuMTE1DQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsY29tcHJlc3MsZGVmbGF0ZQ0KS2VlcC1BbGl2ZTogMzAwDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQoNCg==\"\n },\n \"event\": {\n \"dataset\": \"alert\",\n \"kind\": \"alert\",\n \"module\": \"sigflow_alert\",\n \"severity\": 2,\n \"category\": [\n \"network\",\n \"intrusion_detection\"\n ],\n \"id\": \"58c28570-6c90-4ba9-b9b5-f72867d5fa08\",\n \"created\": \"2024-09-11T13:55:01.080901+0000\"\n }\n}", + "event": { + "category": [ + "intrusion_detection", + "network" + ], + "dataset": "alert", + "kind": "alert", + "module": "sigflow_alert", + "severity": 2 + }, + "@timestamp": "2024-09-11T13:55:34.006000Z", + "destination": { + "address": "56.53.117.115", + "ip": "56.53.117.115", + "mac": "00:43:70:57:75:55", + "port": 80 + }, + "gatewatcher": { + "event": { + "created": "2024-09-11T13:55:01.080901Z", + "id": "58c28570-6c90-4ba9-b9b5-f72867d5fa08" + }, + "flow": { + "bytes_toclient": 1362, + "bytes_toserver": 358, + "pkts_toclient": 3, + "pkts_toserver": 4, + 
"start": "2024-09-11T13:55:01.079487Z" + }, + "http": { + "hostname": "56.53.117.115" + }, + "metadata": { + "flowbits": [ + "http.dottedquadhost.pdf" + ] + }, + "network": { + "flow_id": 1331841998337663, + "timestamp": "2024-09-11T13:55:01.080901Z", + "tx_id": 0 + }, + "observer": { + "gcap": { + "hostname": "gcap-clement-l.gatewatcher.fr", + "ingress": { + "interface": { + "name": "monvirt" + } + }, + "version": "2.5.4.0-rc1" + }, + "log_format_version": "1.0.0", + "uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f" + }, + "sigflow": { + "action": "allowed", + "category": "Potentially Bad Traffic", + "gid": 1, + "metadata": "{\"attack_target\": [\"Client_Endpoint\"], \"created_at\": [\"2019_04_23\"], \"deployment\": [\"Perimeter\"], \"performance_impact\": [\"Significant\"], \"signature_severity\": [\"Informational\"], \"updated_at\": [\"2022_11_21\"]}", + "packet": "AENwV3VVAG83dlFFCABFAAAoAAEAAEAGGktBZHF4ODV1c/VwAFAa9wCtFhR7nlAQIACMOAAA", + "packet_info": "{\"linktype\": 1}", + "payload": "R0VUIC9tYWxjb3JlXzEwS0JfY2xlYW4ucGRmIEhUVFAvMS4xDQpIb3N0OiA1Ni41My4xMTcuMTE1DQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsY29tcHJlc3MsZGVmbGF0ZQ0KS2VlcC1BbGl2ZTogMzAwDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQoNCg==", + "payload_printable": "GET /malcore_10KB_clean.pdf HTTP/1.1\r\nHost: 56.53.117.115\r\nAccept-Encoding: gzip,compress,deflate\r\nKeep-Alive: 300\r\nConnection: keep-alive\r\n\r\n", + "rev": 4, + "signature": "ET INFO Dotted Quad Host PDF Request", + "signature_id": 2027265, + "stream": 1 + }, + "version": "1" + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "bytes": 1135, + "mime_type": "application/pdf", + "status_code": 200 + }, + "version": "HTTP/1.1" + }, + "network": { + "community_id": "1:8T6+TppVoaMkXwi+BTjnzAYozVc=", + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "hostname": "gcenter-clelyo-01.gatewatcher.com", + "product": "gcenter", + "vendor": "gatewatcher", + "version": "2.5.3.103" + }, + "related": { + "hosts": [ + "56.53.117.115", + 
"gcenter-clelyo-01.gatewatcher.com" + ], + "ip": [ + "56.53.117.115", + "65.100.113.120" + ] + }, + "source": { + "address": "65.100.113.120", + "ip": "65.100.113.120", + "mac": "00:6f:37:76:51:45", + "port": 62832 + }, + "url": { + "domain": "56.53.117.115", + "path": "/malcore_10KB_clean.pdf" + } + } + + ``` + + +=== "sigflow_stats.json" + + ```json + + { + "message": "{\n \"observer\": {\n \"hostname\": \"gcenter-interne-rd-56.gatewatcher.com\",\n \"product\": \"gcenter\",\n \"version\": \"2.5.3.103\",\n \"vendor\": \"gatewatcher\",\n \"gcap\": {\n \"hostname\": \"gcap-interne-rd-55.gatewatcher.com\",\n \"version\": \"2.5.3.107\"\n },\n \"log_format_version\": \"1.0.0\"\n },\n \"event\": {\n \"kind\": \"metric\",\n \"dataset\": \"system_metrics\",\n \"category\": [\n \"host\"\n ],\n \"module\": \"sigflow_stats\",\n \"created\": \"2022-12-14T09:51:30.455Z\",\n \"id\": \"f14ab432-7e97-4570-a29d-254f41dbb9db\"\n },\n \"ecs\": {\n \"version\": \"8.6.0\"\n },\n \"stats\": {\n \"app_layer\": {},\n \"tcp\": {},\n \"uptime\": 443637,\n \"ftp\": {},\n \"flow_bypassed\": {},\n \"decoder\": {},\n \"detect\": {},\n \"defrag\": {},\n \"flow\": {},\n \"capture\": {},\n \"http\": {},\n \"file_store\": {}\n },\n \"@version\": \"1\",\n \"@timestamp\": \"2022-09-01T10:49:46.643Z\"\n}", + "event": { + "category": [ + "host" + ], + "dataset": "system_metrics", + "kind": "metric", + "module": "sigflow_stats" + }, + "@timestamp": "2022-09-01T10:49:46.643000Z", + "gatewatcher": { + "event": { + "created": "2022-12-14T09:51:30.455000Z", + "id": "f14ab432-7e97-4570-a29d-254f41dbb9db" + }, + "observer": { + "gcap": { + "hostname": "gcap-interne-rd-55.gatewatcher.com", + "version": "2.5.3.107" + }, + "log_format_version": "1.0.0" + }, + "version": "1" + }, + "observer": { + "hostname": "gcenter-interne-rd-56.gatewatcher.com", + "product": "gcenter", + "vendor": "gatewatcher", + "version": "2.5.3.103" + }, + "related": { + "hosts": [ + "gcenter-interne-rd-56.gatewatcher.com" + ] + } + } + 
+ ```
+
+
+
+
+
+### Extracted Fields
+
+The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
+
+| Name | Type | Description |
+| ---- | ---- | ---------------------------|
+|`@timestamp` | `date` | Date/time when the event originated. |
+|`destination.ip` | `ip` | IP address of the destination. |
+|`destination.mac` | `keyword` | MAC address of the destination. |
+|`destination.port` | `long` | Port of the destination. |
+|`dns.answers.data` | `keyword` | The data describing the resource. |
+|`dns.answers.type` | `keyword` | The type of data contained in this resource record. |
+|`dns.response_code` | `keyword` | The DNS response code. |
+|`ecs.version` | `text` | version of ECS used (mandatory field) |
+|`email.attachments` | `nested` | List of objects describing the attachments. |
+|`email.from.address` | `keyword` | The sender's email address. |
+|`email.message_id` | `wildcard` | Value from the Message-ID header. |
+|`email.subject` | `keyword` | The subject of the email message. |
+|`email.to.address` | `keyword` | Email address of recipient |
+|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
+|`event.dataset` | `keyword` | Name of the dataset. |
+|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
+|`event.module` | `keyword` | Name of the module this data is coming from. |
+|`event.severity` | `long` | Numeric severity of the event. |
+|`file.hash.md5` | `keyword` | MD5 hash. |
+|`file.hash.sha1` | `keyword` | SHA1 hash. |
+|`file.hash.sha256` | `keyword` | SHA256 hash. |
+|`file.name` | `keyword` | Name of the file including the extension, without the directory. |
+|`file.size` | `long` | File size in bytes. 
|
+|`gatewatcher.beacon.active` | `text` | beacon active field |
+|`gatewatcher.beacon.hostname_resolution` | `text` | beacon hostname_resolution field |
+|`gatewatcher.beacon.id` | `text` | beacon id field |
+|`gatewatcher.beacon.mean_time_interval` | `text` | beacon mean_time_interval |
+|`gatewatcher.beacon.possible_cnc` | `text` | beaocn possible_cnc field |
+|`gatewatcher.beacon.session_count` | `text` | beacon session_count field |
+|`gatewatcher.beacon.type` | `text` | beacon type field |
+|`gatewatcher.dcerpc.call_id` | `number` | dcerpc call_id field |
+|`gatewatcher.dcerpc.interfaces` | `text` | dcerpc interfaces field |
+|`gatewatcher.dcerpc.req` | `text` | dcerpc req field |
+|`gatewatcher.dcerpc.request` | `text` | dcerpc request field |
+|`gatewatcher.dcerpc.res` | `text` | dcerpc res field |
+|`gatewatcher.dcerpc.response` | `text` | dcerpc response field |
+|`gatewatcher.dcerpc.rpc_version` | `text` | dcerpc rpc_version field |
+|`gatewatcher.dga.dga_count` | `text` | dga dga_count field |
+|`gatewatcher.dga.dga_ratio` | `text` | dga dga_ratio field |
+|`gatewatcher.dga.malware_behavior_confidence` | `text` | dga malware_behavior_confidence field |
+|`gatewatcher.dga.nx_domain_count` | `text` | dga nx_domain_count field |
+|`gatewatcher.dga.top_DGA` | `text` | dga top_DGA field |
+|`gatewatcher.dhcp.assigned_ip` | `ip` | dhcp assigned_ip field |
+|`gatewatcher.dhcp.client_ip` | `ip` | dhcp client_ip field |
+|`gatewatcher.dhcp.client_mac` | `text` | dhcp client_mac field |
+|`gatewatcher.dhcp.dhcp_type` | `text` | dhcp dhcp_type field |
+|`gatewatcher.dhcp.dns_servers` | `text` | dhcp dns_servers field |
+|`gatewatcher.dhcp.hostname` | `text` | dhcp hostname field |
+|`gatewatcher.dhcp.id` | `number` | dhcp id field |
+|`gatewatcher.dhcp.lease_time` | `number` | dhcp lease_time field |
+|`gatewatcher.dhcp.next_server_ip` | `ip` | dhcp next_server_ip field |
+|`gatewatcher.dhcp.relay_ip` | `ip` | dhcp relay_ip field |
+|`gatewatcher.dhcp.routers` | 
`text` | dhcp routers field |
+|`gatewatcher.dhcp.subnet_mask` | `ip` | dhcp subnet_mask field |
+|`gatewatcher.dhcp.type` | `text` | dhcp type field |
+|`gatewatcher.dnp3.application` | `text` | dnp3 application field |
+|`gatewatcher.dnp3.control` | `text` | dnp3 control field |
+|`gatewatcher.dnp3.dst` | `number` | dnp3 dst field |
+|`gatewatcher.dnp3.iin` | `text` | dnp3 iin field |
+|`gatewatcher.dnp3.src` | `text` | dnp3 src field |
+|`gatewatcher.dnp3.type` | `text` | dnp3 type field |
+|`gatewatcher.dns` | `text` | dns metadata field |
+|`gatewatcher.email.body_md5` | `text` | smtp email subject_md5 field |
+|`gatewatcher.email.status` | `text` | email status field |
+|`gatewatcher.email.subject_md5` | `text` | smtp subject_md5 field |
+|`gatewatcher.event.created` | `datetime` | Event created field |
+|`gatewatcher.event.id` | `text` | Event id field |
+|`gatewatcher.file.file_id` | `number` | file file_id field |
+|`gatewatcher.file.gaps` | `boolean` | file gaps field |
+|`gatewatcher.file.magic` | `text` | File magic field |
+|`gatewatcher.file.sid` | `text` | file sid array field |
+|`gatewatcher.file.state` | `text` | File state field |
+|`gatewatcher.file.stored` | `boolean` | File stored field |
+|`gatewatcher.file.tx_id` | `number` | file tx_id field |
+|`gatewatcher.files` | `text` | files field |
+|`gatewatcher.flow.bytes_toclient` | `number` | flow bytes_toclient field |
+|`gatewatcher.flow.bytes_toserver` | `number` | flow bytes_toserver field |
+|`gatewatcher.flow.pkts_toclient` | `number` | flow pkts_toclient field |
+|`gatewatcher.flow.pkts_toserver` | `number` | flow pkts_toserver field |
+|`gatewatcher.flow.start` | `datetime` | flow start field |
+|`gatewatcher.ftp.completion_code` | `text` | ftp completion_code field |
+|`gatewatcher.ftp.reply` | `text` | ftp reply field |
+|`gatewatcher.ftp.reply_received` | `text` | ftp reply_received field |
+|`gatewatcher.ftp.reply_truncated` | `boolean` | ftp reply_truncated field |
+|`gatewatcher.ftp_data.command` | `text` | ftp_data command field |
+|`gatewatcher.ftp_data.filename` | `text` | ftp_data filename field |
+|`gatewatcher.history.code` | `number` | history code field |
+|`gatewatcher.history.content` | `text` | history content field |
+|`gatewatcher.history.endpoint` | `text` | history endpoint field |
+|`gatewatcher.history.id` | `number` | history id field |
+|`gatewatcher.history.ip` | `ip` | history ip field |
+|`gatewatcher.history.method` | `text` | history method field |
+|`gatewatcher.history.name` | `text` | history name field |
+|`gatewatcher.history.type` | `text` | history type field |
+|`gatewatcher.http.accept` | `text` | http accept metadata field |
+|`gatewatcher.http.accept_language` | `text` | http accept language field |
+|`gatewatcher.http.hostname` | `text` | http hostname field metadata |
+|`gatewatcher.http.http2` | `text` | http http2 field |
+|`gatewatcher.http.http_refer` | `text` | http_refer field |
+|`gatewatcher.ikev2.errors` | `number` | ikev2 errors field |
+|`gatewatcher.ikev2.exchange_type` | `number` | ikev2 exchange_type field |
+|`gatewatcher.ikev2.init_spi` | `text` | ikev2 init_spi field |
+|`gatewatcher.ikev2.message_id` | `number` | ikev2 message_id field |
+|`gatewatcher.ikev2.notify` | `text` | ikev2 notify field |
+|`gatewatcher.ikev2.payload` | `text` | ikev2 payload field |
+|`gatewatcher.ikev2.resp_spi` | `text` | ikev2 resp_spi field |
+|`gatewatcher.ikev2.role` | `text` | ikev2 role field |
+|`gatewatcher.ikev2.version_major` | `number` | ikev2 version_major field |
+|`gatewatcher.ikev2.version_minor` | `number` | ikev2 version_minor field |
+|`gatewatcher.ioc.campaigns` | `text` | ioc campaigns field |
+|`gatewatcher.ioc.case_id` | `text` | ioc case_id field |
+|`gatewatcher.ioc.categories` | `text` | ioc categories field |
+|`gatewatcher.ioc.creation_date` | `datetime` | ioc creation_date field |
+|`gatewatcher.ioc.description` | `text` | ioc description field |
+|`gatewatcher.ioc.external_links` | `text` | ioc external_links field |
+|`gatewatcher.ioc.families` | `text` | ioc families field |
+|`gatewatcher.ioc.kill_chain_phases` | `text` | ioc kill_chain_phases field |
+|`gatewatcher.ioc.meta_data.cwe` | `text` | ioc meta_data cwe field |
+|`gatewatcher.ioc.meta_data.descriptions` | `text` | ioc meta_data descriptions field |
+|`gatewatcher.ioc.meta_data.usageMode` | `text` | ioc meta_data usageMode field |
+|`gatewatcher.ioc.package_date` | `datetime` | ioc package_date field |
+|`gatewatcher.ioc.relations` | `text` | ioc relations field |
+|`gatewatcher.ioc.signature` | `text` | ioc signature field |
+|`gatewatcher.ioc.tags` | `text` | ioc tags field |
+|`gatewatcher.ioc.targeted_countries` | `text` | ioc targeted_countires field |
+|`gatewatcher.ioc.targeted_organizations` | `text` | ioc targeted_organizations field |
+|`gatewatcher.ioc.targeted_platforms` | `text` | ioc targeted_platforms field |
+|`gatewatcher.ioc.targeted_sectors` | `text` | ioc targeted_sectors field |
+|`gatewatcher.ioc.threat_actor` | `text` | ioc threat_actor field |
+|`gatewatcher.ioc.updated_date` | `datetime` | ioc updated_date field |
+|`gatewatcher.ioc.usage_mode` | `text` | ioc usage_mode field |
+|`gatewatcher.krb5.cname` | `text` | krb5 cname field |
+|`gatewatcher.krb5.encryption` | `text` | krb5 encryption field |
+|`gatewatcher.krb5.error_code` | `text` | krb5 error_code field |
+|`gatewatcher.krb5.failed_request` | `text` | krb5 failed_request field |
+|`gatewatcher.krb5.msg_type` | `text` | krb5 msg_type field |
+|`gatewatcher.krb5.realm` | `text` | krb5 realm field |
+|`gatewatcher.krb5.sname` | `text` | krb5 sname field |
+|`gatewatcher.krb5.weak_encryption` | `boolean` | krb5 weak_encryption field |
+|`gatewatcher.malcore.analyzed_clean` | `number` | malcore analyzed_clean field |
+|`gatewatcher.malcore.analyzed_error` | `number` | malcore analyzed_error field |
+|`gatewatcher.malcore.analyzed_infected` | `number` | malcore 
analyzed_infected field | +|`gatewatcher.malcore.analyzed_other` | `number` | malcore analyzed_other field | +|`gatewatcher.malcore.analyzed_suspicious` | `number` | malcore analyzed_suspicious field | +|`gatewatcher.malcore.analyzers_up` | `number` | malcore analyzers_up field | +|`gatewatcher.malcore.code` | `number` | malcore code field | +|`gatewatcher.malcore.detail_scan_time` | `number` | malcore detail_scan_time field | +|`gatewatcher.malcore.detail_threat_found` | `text` | malcore detail_threat_found field | +|`gatewatcher.malcore.detail_wait_time` | `number` | malcore detail_wait_time field | +|`gatewatcher.malcore.engine_id` | `text` | malcore engine_id field | +|`gatewatcher.malcore.engines_last_update_date` | `datetime` | malcore engines_last_update_date field | +|`gatewatcher.malcore.file_type` | `text` | malcore file_type field | +|`gatewatcher.malcore.file_type_description` | `text` | malcore file_type_description field | +|`gatewatcher.malcore.magic_details` | `text` | malcore magic_details field | +|`gatewatcher.malcore.processing_time` | `number` | malcore processing_time field | +|`gatewatcher.malcore.reporting_token` | `text` | malcore reporting_token field | +|`gatewatcher.malcore.state` | `text` | malcore state field | +|`gatewatcher.malcore.total_found` | `text` | malcore total_found field | +|`gatewatcher.malicious_powershell.id` | `text` | malicious_powershell id field | +|`gatewatcher.malicious_powershell.proba_obfuscated` | `number` | malicious_powershell proba_obfuscated field | +|`gatewatcher.malicious_powershell.sample_id` | `text` | malicious_powershell sample_id field | +|`gatewatcher.malicious_powershell.score` | `number` | malicious_powershell score field | +|`gatewatcher.malicious_powershell.score_details` | `text` | malicious_powershell score_details field | +|`gatewatcher.matched_event.file.gaps` | `text` | matched_event file gaps field | +|`gatewatcher.matched_event.file.hash.md5` | `text` | matched_event file hash md5 field | 
+|`gatewatcher.matched_event.file.hash.sha256` | `text` | matched_event file hash sha256 field | +|`gatewatcher.matched_event.file.magic` | `text` | matched_event file magic field | +|`gatewatcher.matched_event.file.name` | `text` | matched_event file name field | +|`gatewatcher.matched_event.file.sid` | `text` | matched_event file sid field | +|`gatewatcher.matched_event.file.size` | `text` | matched_event file size field | +|`gatewatcher.matched_event.file.state` | `text` | matched_event file state field | +|`gatewatcher.matched_event.file.stored` | `text` | matched_event file stored field | +|`gatewatcher.matched_event.file.tx_id` | `text` | matched_event file tx_id field | +|`gatewatcher.matched_event.id` | `text` | matched_event id field | +|`gatewatcher.metadata.flowbits` | `text` | metadata flowbits field | +|`gatewatcher.mqtt.connack` | `text` | mqtt connack field | +|`gatewatcher.nba.action` | `text` | nba action field | +|`gatewatcher.nba.category` | `text` | nba category field | +|`gatewatcher.nba.gid` | `text` | nba gid field | +|`gatewatcher.nba.metadata.performance_impact` | `text` | nba metadata performance_impact field | +|`gatewatcher.nba.metadata.signature_severity` | `text` | nba metadata signature_severity field | +|`gatewatcher.nba.packet` | `text` | nba packet field | +|`gatewatcher.nba.payload` | `text` | nba payload field | +|`gatewatcher.nba.payload_printable` | `text` | nba payload_printable field | +|`gatewatcher.nba.rev` | `text` | nba rev field | +|`gatewatcher.nba.signature` | `text` | nba signature field | +|`gatewatcher.nba.signature_id` | `text` | nba signature_id field | +|`gatewatcher.nba.stream` | `text` | nba stream field | +|`gatewatcher.network.flow_id` | `number` | Gatewatcher specific flow_id for network part | +|`gatewatcher.network.timestamp` | `datetime` | Network timestamp field | +|`gatewatcher.network.tx_id` | `number` | tx_id network field | +|`gatewatcher.nfs.file_tx` | `boolean` | nfs file_tx field | 
+|`gatewatcher.nfs.filename` | `text` | nfs filename field | +|`gatewatcher.nfs.hhash` | `text` | nfs hhash field | +|`gatewatcher.nfs.id` | `number` | nfs id field | +|`gatewatcher.nfs.procedure` | `text` | nfs procedure field | +|`gatewatcher.nfs.status` | `text` | nfs status field | +|`gatewatcher.nfs.type` | `text` | nfs type field | +|`gatewatcher.nfs.version` | `number` | nfs version field | +|`gatewatcher.notification.component` | `text` | notification component field | +|`gatewatcher.notification.description` | `text` | notification description field | +|`gatewatcher.notification.details` | `text` | notification details field | +|`gatewatcher.notification.external_redirection` | `text` | notification external_redirection field | +|`gatewatcher.notification.internal_redirection` | `text` | notification internal_redirection field | +|`gatewatcher.notification.resolution` | `text` | notification resolution field | +|`gatewatcher.notification.risk` | `number` | notification risk field | +|`gatewatcher.notification.title` | `text` | notification title field | +|`gatewatcher.observer.gcap.hostname` | `text` | GCap hostname field | +|`gatewatcher.observer.gcap.ingress.interface.name` | `text` | Gatewatcher ingress interface name | +|`gatewatcher.observer.gcap.version` | `text` | GCap version observer field | +|`gatewatcher.observer.log_format_version` | `text` | Observer log format version field | +|`gatewatcher.observer.uuid` | `text` | Observer UUID field | +|`gatewatcher.ransomware.alert_threshold` | `text` | ransomware alert_threshold field | +|`gatewatcher.ransomware.malicious_behavior_confidence` | `text` | ransomware malicious_behavior_confidence field | +|`gatewatcher.ransomware.session_score` | `text` | ransomware session_score field | +|`gatewatcher.rdp.channels` | `text` | rdp channels field | +|`gatewatcher.rdp.client` | `text` | rdp client field | +|`gatewatcher.rdp.cookie` | `text` | rdp cookie field | +|`gatewatcher.rdp.event_type` | `text` | rdp 
event_type field | +|`gatewatcher.rdp.protocol` | `text` | rdp protocol field | +|`gatewatcher.rdp.server_supports` | `text` | rdp server_supports field | +|`gatewatcher.rdp.tx_id` | `number` | rdp tx_id field | +|`gatewatcher.rfb.authentication` | `text` | rfb authentication field | +|`gatewatcher.rfb.client_protocol_version` | `text` | rfb client_protocol_version field | +|`gatewatcher.rfb.server_protocol_version` | `text` | rfb server_protocol_version field | +|`gatewatcher.rfb.server_security_failure_reason` | `text` | rfb server_security_failure_reason field | +|`gatewatcher.shellcode.analysis` | `text` | shellcode analysis field | +|`gatewatcher.shellcode.encodings` | `text` | shellcode encodings field | +|`gatewatcher.shellcode.id` | `text` | shellcode id field | +|`gatewatcher.shellcode.sample_id` | `text` | shellcode sample_id field | +|`gatewatcher.shellcode.sub_type` | `text` | shellcode sub_type field | +|`gatewatcher.sigflow.action` | `text` | sigflow action field | +|`gatewatcher.sigflow.category` | `text` | sigflow category field | +|`gatewatcher.sigflow.gid` | `number` | sigflow gid field | +|`gatewatcher.sigflow.metadata` | `text` | sigflow metadata field | +|`gatewatcher.sigflow.packet` | `text` | sigflow packet field | +|`gatewatcher.sigflow.packet_info` | `text` | sigflow packet_info field | +|`gatewatcher.sigflow.payload` | `text` | sigflow payload field | +|`gatewatcher.sigflow.payload_printable` | `text` | sigflow payload_printable field | +|`gatewatcher.sigflow.rev` | `number` | sigflow rev field | +|`gatewatcher.sigflow.signature` | `text` | sigflow signature field | +|`gatewatcher.sigflow.signature_id` | `number` | sigflow signature_id field | +|`gatewatcher.sigflow.stream` | `number` | sigflow stream field | +|`gatewatcher.sip.method` | `text` | sip method field | +|`gatewatcher.sip.request_line` | `text` | sip request_line field | +|`gatewatcher.sip.uri` | `text` | sip uri field | +|`gatewatcher.sip.version` | `text` | sip version field 
| +|`gatewatcher.smb.command` | `text` | smb command field | +|`gatewatcher.smb.dialect` | `text` | smb dialect field | +|`gatewatcher.smb.id` | `number` | smb id field | +|`gatewatcher.smb.session_id` | `number` | smb session id field | +|`gatewatcher.smb.status` | `text` | smb status field | +|`gatewatcher.smb.status_code` | `text` | smb status_code field | +|`gatewatcher.smb.tree_id` | `number` | smb tree_id field | +|`gatewatcher.smtp.helo` | `text` | smtp helo field | +|`gatewatcher.smtp.mail_from` | `text` | smtp mail from field | +|`gatewatcher.smtp.rcpt_to` | `text` | smtp recipients field | +|`gatewatcher.snmp.community` | `text` | snmp community field | +|`gatewatcher.snmp.pdu_type` | `text` | snmp pdu_type field | +|`gatewatcher.snmp.vars` | `text` | snmp vars field | +|`gatewatcher.snmp.version` | `number` | snmp version field | +|`gatewatcher.ssh.client.hassh` | `text` | ssh client hassh field | +|`gatewatcher.ssh.client.proto_version` | `text` | ssh client proto_version field | +|`gatewatcher.ssh.client.software_version` | `text` | ssh client software_version field | +|`gatewatcher.ssh.server.hassh` | `text` | ssh server hassh field | +|`gatewatcher.ssh.server.proto_version` | `text` | ssh server proto_version field | +|`gatewatcher.ssh.server.software_version` | `text` | ssh server software_version field | +|`gatewatcher.syslog.facility.code` | `text` | syslog facility code field | +|`gatewatcher.syslog.facility.name` | `text` | syslog facility name field | +|`gatewatcher.syslog.message` | `text` | syslog message field | +|`gatewatcher.syslog.priority` | `text` | syslog priority field | +|`gatewatcher.syslog.severity.name` | `text` | syslog severity name field | +|`gatewatcher.tftp.file` | `text` | tftp file field | +|`gatewatcher.tftp.mode` | `text` | tftp mode field | +|`gatewatcher.tftp.packet` | `text` | tftp packet field | +|`gatewatcher.tls` | `text` | TLS meta data field | +|`gatewatcher.user_agent.major` | `text` | user_agent major field | 
+|`gatewatcher.user_agent.minor` | `text` | user_agent minor field | +|`gatewatcher.user_agent.os.major` | `text` | user_agent os major field | +|`gatewatcher.user_agent.patch` | `text` | user_agent patch field | +|`gatewatcher.version` | `text` | @version field | +|`http.request.method` | `keyword` | HTTP request method. | +|`http.request.mime_type` | `keyword` | Mime type of the body of the request. | +|`http.response.bytes` | `long` | Total size in bytes of the response (body and headers). | +|`http.response.mime_type` | `keyword` | Mime type of the body of the response. | +|`http.response.status_code` | `long` | HTTP response status code. | +|`http.version` | `keyword` | HTTP version. | +|`network.application` | `keyword` | Application level protocol name. | +|`network.community_id` | `keyword` | A hash of source and destination IPs and ports. | +|`network.protocol` | `keyword` | Application protocol name. | +|`network.transport` | `keyword` | Protocol Name corresponding to the field `iana_number`. | +|`network.vlan.id` | `keyword` | VLAN ID as reported by the observer. | +|`network.vlan.name` | `keyword` | Optional VLAN name as reported by the observer. | +|`observer.hostname` | `keyword` | Hostname of the observer. | +|`observer.product` | `keyword` | The product name of the observer. | +|`observer.vendor` | `keyword` | Vendor name of the observer. | +|`observer.version` | `keyword` | Observer version. | +|`source.ip` | `ip` | IP address of the source. | +|`source.mac` | `keyword` | MAC address of the source. | +|`source.port` | `long` | Port of the source. | +|`threat.indicator.marking.tlp` | `keyword` | Indicator TLP marking | +|`threat.indicator.type` | `keyword` | Type of indicator | +|`tls.client.server_name` | `keyword` | Hostname the client is trying to connect to. Also called the SNI. | +|`tls.server.certificate` | `keyword` | PEM-encoded stand-alone certificate offered by the server. 
| +|`tls.server.certificate_chain` | `keyword` | Array of PEM-encoded certificates that make up the certificate chain offered by the server. | +|`tls.server.hash.md5` | `keyword` | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. | +|`tls.server.hash.sha1` | `keyword` | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. | +|`tls.server.hash.sha256` | `keyword` | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. | +|`tls.server.issuer` | `keyword` | Subject of the issuer of the x.509 certificate presented by the server. | +|`tls.server.subject` | `keyword` | Subject of the x.509 certificate presented by the server. | +|`tls.version` | `keyword` | Numeric part of the version parsed from the original string. | +|`url.domain` | `keyword` | Domain of the url. | +|`url.full` | `wildcard` | Full unparsed URL. | +|`url.path` | `wildcard` | Path of the request, such as "/search". | +|`user_agent.device.name` | `keyword` | Name of the device. | +|`user_agent.name` | `keyword` | Name of the user agent. | +|`user_agent.original` | `keyword` | Unparsed user_agent string. | +|`user_agent.os.family` | `keyword` | OS family (such as redhat, debian, freebsd, windows). | +|`user_agent.os.name` | `keyword` | Operating system name, without the version. | +|`user_agent.os.version` | `keyword` | Operating system version as a raw string. | +|`user_agent.version` | `keyword` | Version of the user agent. | + + + +For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events [here](https://github.com/SEKOIA-IO/intake-formats/tree/main/GateWatcher/aioniq_ecs). \ No newline at end of file 
diff --git a/_shared_content/operations_center/integrations/generated/e9fbba55-89c2-4b6c-ad15-9a46412dd680_sample.md b/_shared_content/operations_center/integrations/generated/e9fbba55-89c2-4b6c-ad15-9a46412dd680_sample.md new file mode 100644 index 0000000000..2c1ea6e2db --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/e9fbba55-89c2-4b6c-ad15-9a46412dd680_sample.md 
@@ -0,0 +1,1313 @@ + +### Raw Events Samples + +In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured. + + +=== "beacon_event" + + + ```json + { + "tls": { + "client": { + "server_name": "cisco-update.com" + } + }, + "@version": "1", + "event": { + "created": "2024-09-09T13:02:34.254441+00:00", + "end": "2024-09-09T11:52:25.666000+00:00", + "severity": 3, + "module": "beacon_detect", + "start": "2024-09-09T11:47:44.012000+00:00", + "category": [ + "network", + "intrusion_detection" + ], + "kind": "alert", + "id": "5e7bb104-6493-43b2-be4d-f7c28ce79e85", + "dataset": "alert" + }, + "source": { + "ip": "10.0.0.60", + "mac": "60:57:18:e9:4f:5d" + }, + "beacon": { + "mean_time_interval": 1, + "active": true, + "possible_cnc": "not_recognized", + "session_count": 260, + "type": "constant", + "id": "c4c886b4ad", + "hostname_resolution": "not_analyzed" + }, + "destination": { + "ip": "157.230.93.100", + "port": 443 + }, + "observer": { + "product": "gcenter", + "uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f", + "log_format_version": "1.0.0", + "hostname": "gcenter-clelyo-01.gatewatcher.com", + "gcap": { + "hostname": "gcap-clement-l.gatewatcher.fr", + "version": "2.5.4.0-rc1" + }, + "version": "2.5.3.103", + "vendor": "gatewatcher" + }, + "ecs": { + "version": "8.6.0" + }, + "@timestamp": "2024-09-09T13:02:59.354490664Z", + "url": { + "domain": "cisco-update.com" + }, + "network": { + "protocol": "tls", + "timestamp": "2024-09-09T11:47:44.012000+00:00", + "transport": "tcp" + } + } + ``` + + + +=== "codebreaker_powershell_alert" + + + ```json + { + "observer": { + "vendor": "gatewatcher", + "uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f", + "gcap": { + "ingress": { + "interface": { + "name": "monvirt" + } + }, + "hostname": 
"gcap-clement-l.gatewatcher.fr", + "version": "2.5.4.0-rc1" + }, + "version": "2.5.3.103", + "log_format_version": "1.0.0", + "hostname": "gcenter-clelyo-01.gatewatcher.com", + "product": "gcenter" + }, + "network": { + "protocol": "unknown", + "transport": "tcp", + "timestamp": "2024-09-11T09:10:46.975548+0000", + "flow_id": 779924698221176 + }, + "source": { + "port": 35444, + "ip": "10.127.0.111" + }, + "destination": { + "port": 4242, + "ip": "10.127.0.222" + }, + "malicious_powershell": { + "proba_obfuscated": 1, + "score": 1890, + "sample_id": "09-11-2024T09:11:49_5a4a9ad809c84969b7f2bac324e41554_gcap-clement-l.gatewatcher.fr", + "id": "60b656e17bec0a97f5638790c78a3124", + "score_details": { + "StrReplace": 0, + "StreamReader": 0, + "StartBitsTransfer": 0, + "InvokeRestMethod": 0, + "Base64": 1520, + "StreamWriter": 0, + "InvokeExpression": 0, + "SystemIOFile": 0, + "StrJoin": 0, + "StrCat": 370, + "WebClientInvokation": 0, + "GetContent": 0, + "FmtStr": 0, + "CharInt": 0, + "InvokeWebRequest": 0, + "AddContent": 0, + "SetContent": 0 + } + }, + "ecs": { + "version": "8.6.0" + }, + "@timestamp": "2024-09-11T09:11:52.737102768Z", + "@version": "1", + "event": { + "id": "de7b5e80-a4b2-4ed6-b566-3590945e34d5", + "kind": "alert", + "module": "malicious_powershell_detect", + "severity": 1, + "dataset": "alert", + "category": [ + "network", + "intrusion_detection" + ], + "created": "2024-09-11T09:11:52.735668+0000" + } + } + ``` + + + +=== "codebreaker_shellcode_alert" + + + ```json + { + "network": { + "protocol": "unknown", + "timestamp": "2024-09-11T15:35:30.167846+0000", + "transport": "tcp", + "flow_id": 888739207482646 + }, + "observer": { + "vendor": "gatewatcher", + "uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f", + "gcap": { + "ingress": { + "interface": { + "name": "monvirt" + } + }, + "hostname": "gcap-clement-l.gatewatcher.fr", + "version": "2.5.4.0-rc1" + }, + "version": "2.5.3.103", + "log_format_version": "1.0.0", + "hostname": 
"gcenter-clelyo-01.gatewatcher.com", + "product": "gcenter" + }, + "destination": { + "port": 6666, + "ip": "178.160.128.2" + }, + "source": { + "port": 60078, + "ip": "80.15.17.183" + }, + "ecs": { + "version": "8.6.0" + }, + "shellcode": { + "sub_type": "Windows_x86_32", + "encodings": [ + { + "name": "Bloxor", + "count": 4 + } + ], + "sample_id": "09-11-2024T15:36:31_8608eb20e6844d2786d36811f92a673b_gcap-clement-l.gatewatcher.fr", + "analysis": [ + { + "call": "kernel32_LoadLibraryA", + "args": "{lpFileName: user32.dll}", + "_id": 0, + "ret": "0x70600000" + }, + { + "call": "user32_MessageBoxA", + "args": "{hWnd: None, lpText: Do you like GateWatcher ?, lpCaption: Gatewatcher2018, uType: [MB_OK, MB_ICONQUESTION, MB_DEFBUTTON1, MB_APPLMODAL, None]}", + "_id": 1, + "ret": "1" + }, + { + "call": "kernel32_ExitProcess", + "args": "{uExitCode: 0}", + "_id": 2, + "ret": "0" + }, + { + "info": "Stop : End of shellcode (Exit)", + "_id": -1 + } + ], + "id": "790a2aa742e1da23e14c9b7270ee81a1" + }, + "@timestamp": "2024-09-11T15:36:36.071882055Z", + "@version": "1", + "event": { + "dataset": "alert", + "kind": "alert", + "module": "shellcode_detect", + "category": [ + "network", + "intrusion_detection" + ], + "severity": 1, + "id": "8c03d100-794f-45fe-8d92-7409c925b255", + "created": "2024-09-11T15:36:36.068564+0000" + } + } + ``` + + + +=== "dga_event" + + + ```json + { + "network": { + "protocol": "dns", + "transport": "udp", + "timestamp": "2024-09-11T09:15:25.886786+00:00", + "flow_id": 1434780527372168 + }, + "observer": { + "vendor": "gatewatcher", + "uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f", + "gcap": { + "hostname": "gcap-clement-l.gatewatcher.fr", + "version": "2.5.4.0-rc1" + }, + "version": "2.5.3.103", + "log_format_version": "1.0.0", + "hostname": "gcenter-clelyo-01.gatewatcher.com", + "product": "gcenter" + }, + "source": { + "ip": "27.0.0.227" + }, + "destination": { + "port": 53, + "ip": "202.129.215.23" + }, + "ecs": { + "version": "8.6.0" + }, + 
"dga": { + "dga_count": 35, + "dga_ratio": 0.97, + "malware_behavior_confidence": 50, + "nx_domain_count": 36, + "top_DGA": [ + "zmhaoyukbol6a.com", + "ppyblaohb.com", + "khllpmpmare.com", + "lttulzaiaoctpa7.com", + "jetuergatod.com", + "riaaiysk.com", + "anxsmqyfy.com", + "tqjhvylf.com", + "vdunsygwoktx.com", + "jhghrlufoh.com" + ] + }, + "@timestamp": "2024-09-11T09:16:33.314331057Z", + "@version": "1", + "event": { + "created": "2024-09-11T09:16:33.194964+00:00", + "end": "2024-09-11T09:15:27.858000+00:00", + "kind": "alert", + "module": "dga_detect", + "start": "2024-09-11T09:15:22.995000+00:00", + "severity": 1, + "category": [ + "network", + "intrusion_detection" + ], + "dataset": "alert", + "id": "0ec85c0d-68b6-4602-b26e-d0966d5e1b9d" + } + } + ``` + + + +=== "history" + + + ```json + { + "observer": { + "hostname": "gcenter-interne-rd-56.gatewatcher.com", + "product": "gcenter", + "version": "2.5.3.103", + "vendor": "gatewatcher", + "log_format_version": "1.0.0" + }, + "event": { + "kind": "event", + "dataset": "administration", + "category": [ + "host" + ], + "module": "history", + "id": "8223b432-7e97-4570-a29d-254f41dbb9db" + }, + "ecs": { + "version": "8.6.0" + }, + "history": { + "type": "user", + "name": "pierre.pocry", + "id": 18, + "ip": "192.192.32.12", + "content": {}, + "method": "POST", + "endpoint": "/gum/configuration", + "code": "200" + }, + "@timestamp": "2022-09-01T16:06:51.664Z" + } + ``` + + + +=== "ioc" + + + ```json + { + "observer": { + "product": "lastinfosec", + "vendor": "gatewatcher", + "log_format_version": "1.0.0" + }, + "event": { + "kind": "enrichment", + "dataset": "ioc", + "category": [ + "network", + "threat" + ], + "module": "ioc", + "id": "3713d994-1db4-40ff-abe9-2f43bac7b5fa", + "created": "2019-10-23T05:33:54+00:00", + "severity": 2, + "severity_human": "High suspicious" + }, + "ecs": { + "version": "8.6.0" + }, + "ioc": { + "tlp": "green", + "type": "SHA256", + "value": 
"2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4", + "signature": "SHA256 - malware/trojan - PLEAD - BlackTech - 3713d994-1db4-40ff-abe9-2f43bac7b5fa", + "description": "2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4 is a High suspicious SHA256.\nThis SHA256 is linked to a malware attack of the PLEAD family and organised by BlackTech intrusion set.\nWe advised to use this IoC in detection mode.", + "relations": [ + "6fe8a2a1-a1b0-4af8-953d-4babd329f8f8", + "b57f419e-8b12-49d3-886b-145383725dcd" + ], + "ttp": [], + "families": [ + "PLEAD" + ], + "campaigns": [], + "categories": [ + "malware", + "trojan" + ], + "threat_actor": [ + "BlackTech" + ], + "targeted_sectors": [], + "targeted_organizations": [], + "targeted_platforms": [], + "targeted_countries": [], + "vulnerabilities": [], + "kill_chain_phases": [], + "meta_data": { + "cwe": [], + "descriptions": [], + "usageMode": "detection" + }, + "usage_mode": "detection", + "case_id": "21615052-7cf3-48cd-9aff-36a61e45528c", + "updated_date": "2023-04-07T04:10:34+00:00", + "package_date": "2023-04-07T05:00:02.362356+0000", + "creation_date": "2019-10-23T05:33:54+00:00", + "tags": [ + "troj_fr.df33c1bd", + "trojan.plead.win32.33", + "gen:variant.graftor.598952 (b)", + "generic backdoor.gy", + "win32/plead.au trojan", + "trojan/plead!exyhr4fe", + "trojan.win32.plead.fqunov", + "tr/plead.mysge", + "trojan.win32.plead", + "trojan ( 0055a46c1 )", + "malware", + "trojan.win32.plead.aa", + "trojan/win32.plead" + ], + "external_links": [ + { + "source_name": "Twitter", + "url": "http://web.archive.org/web/20191227104253/https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html" + }, + { + "source_name": "Twitter", + "url": "http://web.archive.org/web/20191206225333/https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html" + }, + { + "source_name": "Twitter", + "url": 
"https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html" + }, + { + "source_name": "Twitter", + "url": "https://twitter.com/i/web/status/1186877625295196160" + }, + { + "source_name": "any.run_report", + "url": "https://any.run/report/2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4" + } + ] + } + } + ``` + + + +=== "malcore_event" + + + ```json + { + "observer": { + "vendor": "gatewatcher", + "uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f", + "gcap": { + "ingress": { + "interface": { + "name": "monvirt" + } + }, + "hostname": "gcap-clement-l.gatewatcher.fr", + "version": "2.5.4.0-rc1" + }, + "version": "2.5.3.103", + "log_format_version": "1.0.0", + "hostname": "gcenter-clelyo-01.gatewatcher.com", + "product": "gcenter" + }, + "source": { + "port": 80, + "ip": "202.129.215.251" + }, + "file": { + "magic": "Macromedia Flash data (compressed), version 13", + "sid": [ + 1100020 + ], + "hash": { + "sha256": "6d3a6e2c771ab1a3721235ed3b3c4a2c3013290564272bcb6fbc9a15be79278b" + }, + "name": "/", + "file_id": 219, + "tx_id": 2, + "state": "CLOSED", + "gaps": false, + "size": 55351, + "stored": true + }, + "@timestamp": "2024-09-11T09:31:00.111583612Z", + "malcore": { + "file_type": "application/x-shockwave-flash", + "analyzers_up": 16, + "analyzed_clean": 9, + "engines_last_update_date": "2024-09-03T17:15:00Z", + "state": "Infected", + "total_found": "3/16", + "detail_scan_time": 373, + "reporting_token": "", + "analyzed_infected": 3, + "detail_threat_found": "Infected : EXP/Flash.EB.502, SWF/Exploit, Exploit.Flash", + "analyzed_suspicious": 0, + "analyzed_error": 0, + "processing_time": 1576, + "engine_id": { + "5": { + "scan_result": "CLEAN", + "threat_details": "", + "id": "c18ab9n" + }, + "8": { + "scan_result": "INFECTED", + "threat_details": "Exploit.Flash", + "id": "ib54e9s" + }, + "4": { + "scan_result": "UNSUPPORTED_FILE_TYPE", + "threat_details": "", + "id": "c10195e" + }, + "14": { + "scan_result": "CLEAN", + 
"threat_details": "", + "id": "t3114fn" + }, + "13": { + "scan_result": "CLEAN", + "threat_details": "", + "id": "sde882s" + }, + "9": { + "scan_result": "CLEAN", + "threat_details": "", + "id": "kfb8487" + }, + "12": { + "scan_result": "CLEAN", + "threat_details": "", + "id": "qb9308l" + }, + "10": { + "scan_result": "CLEAN", + "threat_details": "", + "id": "mb2b5fe" + }, + "0": { + "scan_result": "CLEAN", + "threat_details": "", + "id": "a32935b" + }, + "15": { + "scan_result": "UNSUPPORTED_FILE_TYPE", + "threat_details": "", + "id": "we9a17t" + }, + "6": { + "scan_result": "CLEAN", + "threat_details": "", + "id": "c81e55c" + }, + "7": { + "scan_result": "NOT_SCANNED", + "threat_details": "", + "id": "e83bf1t" + }, + "3": { + "scan_result": "CLEAN", + "threat_details": "", + "id": "b557a5r" + }, + "1": { + "scan_result": "INFECTED", + "threat_details": "EXP/Flash.EB.502", + "id": "acf9bba" + }, + "11": { + "scan_result": "NOT_SCANNED", + "threat_details": "Unavailable (permanently_failed)", + "id": "n00000e" + }, + "2": { + "scan_result": "INFECTED", + "threat_details": "SWF/Exploit", + "id": "af7872b" + } + }, + "detail_wait_time": 660, + "file_type_description": "Macromedia Flash Player", + "code": 1, + "magic_details": "Macromedia Flash data (compressed), version 13", + "analyzed_other": 4 + }, + "@version": "1", + "network": { + "protocol": "http", + "timestamp": "2024-09-11T09:15:23.329615+0000", + "transport": "tcp", + "flow_id": 1779492455056060 + }, + "destination": { + "port": 47858, + "ip": "27.0.0.144" + }, + "url": { + "domain": "chunky.enchantingweddingsandevents.co.uk", + "path": "/?q=&g=BDvv&y=enL16_6s_&s=t5qV-&e=_b_J--DqR&w=C2pZhaRyfn3uVT_v5Sfgs" + }, + "user_agent": { + "original": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" + }, + "ecs": { + "version": "8.6.0" + }, + "http": { + "request": { + "method": "GET" + }, + "hostname": "chunky.enchantingweddingsandevents.co.uk", + "version": "HTTP/1.1", + "http_refer": 
"http://chunky.enchantingweddingsandevents.co.uk/topic/03251-esplanade-interoperability-fuchsias-renegotiate-percent-youngster-trounced/", + "response": { + "status": 200, + "mime_type": "application/x-shockwave-flash", + "bytes": 55351 + } + }, + "event": { + "id": "7c4e2a77-3481-4201-8247-889fe0718ed8", + "kind": "alert", + "module": "malcore", + "severity": 1, + "category": [ + "network", + "file" + ], + "created": "2024-09-11T09:15:23.329615+0000", + "dataset": "alert" + } + } + ``` + + + +=== "metadata" + + + ```json + { + "observer": { + "vendor": "gatewatcher", + "uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f", + "gcap": { + "ingress": { + "interface": { + "name": "monvirt" + } + }, + "hostname": "gcap-clement-l.gatewatcher.fr", + "version": "2.5.4.0-rc1" + }, + "version": "2.5.3.103", + "log_format_version": "1.0.0", + "hostname": "gcenter-clelyo-01.gatewatcher.com", + "product": "gcenter" + }, + "source": { + "mac": "00:50:56:91:85:03", + "port": 56098, + "ip": "10.2.19.131" + }, + "metadata": { + "flowbits": [ + "min.gethttp", + "exe.no.referer", + "ET.http.binary" + ] + }, + "@timestamp": "2024-09-12T13:24:51.231Z", + "@version": "1", + "network": { + "protocol": "http", + "community_id": "1:X+96B6BxVtmLT4rsbtdZeemyV0M=", + "timestamp": "2024-09-12T13:24:15.978904+0000", + "transport": "tcp", + "tx_id": 6, + "flow_id": 803295979358070 + }, + "destination": { + "mac": "00:09:0f:09:00:12", + "port": 80, + "ip": "10.2.10.205" + }, + "url": { + "path": "/FireInstaller4.exe" + }, + "user_agent": { + "original": "nghttp2/1.43.0" + }, + "ecs": { + "version": "8.6.0" + }, + "http": { + "request_headers": [ + { + "name": ":method", + "value": "GET" + }, + { + "name": ":path", + "value": "/FireInstaller4.exe" + }, + { + "name": ":scheme", + "value": "http" + }, + { + "name": ":authority", + "value": "10.2.10.205" + }, + { + "name": "accept", + "value": "*/*" + }, + { + "name": "accept-encoding", + "value": "gzip, deflate" + }, + { + "name": "user-agent", + "value": 
"nghttp2/1.43.0" + } + ], + "http2": { + "request": { + "priority": 15 + }, + "stream_id": 13, + "response": {} + }, + "request": { + "method": "GET" + }, + "response_headers": [ + { + "name": ":status", + "value": "200" + }, + { + "name": "server", + "value": "nginx/1.25.2" + }, + { + "name": "date", + "value": "Mon, 08 Jan 2024 15:27:20 GMT" + }, + { + "name": "content-type", + "value": "text/plain" + }, + { + "name": "content-length", + "value": "319824" + }, + { + "name": "last-modified", + "value": "Mon, 08 Jan 2024 15:21:12 GMT" + }, + { + "name": "etag", + "value": "\"659c12e8-4e150\"" + }, + { + "name": "accept-ranges", + "value": "bytes" + } + ], + "version": "2", + "response": { + "status": 200, + "bytes": 319824 + } + }, + "event": { + "kind": "event", + "module": "sigflow_http", + "category": [ + "network" + ], + "created": "2024-09-12T13:24:15.978904+0000", + "dataset": "network_metadata", + "id": "78681613-57af-4e10-b732-58f5d2e0ae12" + } + } + ``` + + + +=== "metadata_fileinfo" + + + ```json + { + "observer": { + "vendor": "gatewatcher", + "uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f", + "gcap": { + "ingress": { + "interface": { + "name": "monvirt" + } + }, + "hostname": "gcap-clement-l.gatewatcher.fr", + "version": "2.5.4.0-rc1" + }, + "version": "2.5.3.103", + "log_format_version": "1.0.0", + "hostname": "gcenter-clelyo-01.gatewatcher.com", + "product": "gcenter" + }, + "source": { + "port": 80, + "ip": "56.53.117.115" + }, + "file": { + "magic": "PDF document, version 1.5", + "sid": [ + 1100008 + ], + "hash": { + "sha256": "50c561f1e32cb1990a3050015088713e657f0081ba774dda2f9fcef828dcf703" + }, + "name": "/malcore_10KB_clean.pdf", + "file_id": 224, + "tx_id": 0, + "state": "CLOSED", + "gaps": false, + "size": 10456, + "stored": true + }, + "@timestamp": "2024-09-11T13:56:19.010Z", + "@version": "1", + "network": { + "protocol": "http", + "timestamp": "2024-09-11T13:55:51.326090+0000", + "transport": "tcp", + "flow_id": 1331841998458539 + }, + 
"destination": { + "port": 62832, + "ip": "65.100.113.120" + }, + "url": { + "domain": "56.53.117.115", + "path": "/malcore_10KB_clean.pdf" + }, + "ecs": { + "version": "8.6.0" + }, + "http": { + "request": { + "method": "GET" + }, + "hostname": "56.53.117.115", + "version": "HTTP/1.1", + "response": { + "status": 200, + "mime_type": "application/pdf", + "bytes": 10456 + } + }, + "event": { + "kind": "event", + "module": "sigflow_file", + "category": [ + "network", + "file" + ], + "created": "2024-09-11T13:55:51.326090+0000", + "dataset": "network_metadata", + "id": "d66539e6-825e-4516-8c8c-2778dd6d9358" + } + } + ``` + + + +=== "nba" + + + ```json + { + "observer": { + "hostname": "gcenter-interne-rd-56.gatewatcher.com", + "product": "gcenter", + "version": "2.5.3.103", + "vendor": "gatewatcher", + "gcap": { + "hostname": "gcap-interne-rd-55.gatewatcher.com", + "version": "2.5.3.107", + "ingress": { + "interface": { + "name": "mon0" + } + } + }, + "log_format_version": "1.0.0" + }, + "event": { + "kind": "alert", + "dataset": "alert", + "category": [ + "network", + "intrusion_detection" + ], + "module": "network_behavior_analytics", + "created": "2022-09-01T16:06:15.605Z", + "id": "730a47f1-f7b1-4faa-9d61-8a41d7b138ed", + "severity": 2 + }, + "ecs": { + "version": "8.6.0" + }, + "network": { + "transport": "tcp", + "protocol": "http", + "flow_id": 2071994639527866, + "community_id": "1:Q22WBDRnlyCXH/Y/pcypXCr+nJc=", + "timestamp": "2022-09-01T16:06:15.605Z", + "tx_id": 0 + }, + "source": { + "ip": "10.2.6.250", + "port": 50886, + "mac": "00:50:56:91:73:14" + }, + "destination": { + "ip": "13.107.4.52", + "port": 80, + "mac": "00:08:e3:ff:fc:28" + }, + "nba": { + "packet": "AAjj//woAFBWkXMUCABFAAAo6pNAAEAGLaIKAgb6DWsENMbGAFBecku30OsVlVAQAfUzhAAAAAAAAAAA", + "payload": 
"R0VUIC9jb25uZWN0dGVzdC50eHQgSFRUUC8xLjENClByYWdtYTogbm8tY2FjaGUNClVzZXItQWdlbnQ6IE1pY3Jvc29mdCBOQ1NJDQpIb3N0OiB3d3cubXNmdGNvbm5lY3R0ZXN0LmNvbQ0KQ2FjaGUtQ29udHJvbDogbm8tY2FjaGUNCkNvbm5lY3Rpb246IGtlZXAtYWxpdmUNCg0K", + "payload_printable": "GET /connecttest.txt HTTP/1.1\r\nPragma: no-cache\r\nUser-Agent: Microsoft NCSI\r\nHost: www.msftconnecttest.com\r\nCache-Control: no-cache\r\nConnection: keep-alive\r\n\r\n", + "signature_id": 2031071, + "gid": 1, + "category": "Network Behavior Analytics", + "action": "allowed", + "signature": "NBA C&C tracker : cobalt strike tcp initialization", + "metadata": { + "performance_impact": [ + "High" + ], + "signature_severity": [ + "CRITICAL" + ] + }, + "rev": 1, + "stream": 1 + }, + "http": { + "url": "/connecttest.txt", + "http_user_agent": "Microsoft NCSI", + "version": "HTTP/1.1", + "hostname": "www.msftconnecttest.com", + "request": { + "method": "GET" + }, + "response": { + "bytes": 22, + "status_code": 200, + "mime_type": "text/plain" + } + }, + "url": { + "domain": "www.msftconnecttest.com", + "path": "/connecttest.txt" + }, + "user_agent": { + "original": "Microsoft NCSI" + }, + "packet_info": { + "linktype": 1 + }, + "flow": { + "bytes_toclient": 700, + "pkts_toclient": 3, + "bytes_toserver": 407, + "pkts_toserver": 4, + "start": "2022-09-01T16:06:15.602042+0000" + }, + "@version": "1", + "@timestamp": "2022-09-01T16:06:51.664Z" + } + ``` + + + +=== "ransomware" + + + ```json + { + "source": { + "ip": "172.31.47.105", + "port": 50066 + }, + "event": { + "created": "2024-09-13T09:11:20.223813+00:00", + "dataset": "alert", + "end": "2024-09-13T09:09:11.988000", + "module": "ransomware_detect", + "kind": "alert", + "category": [ + "network", + "intrusion_detection" + ], + "start": "2024-09-13T09:08:51.988000", + "id": "f357f7d1-e322-4f67-b798-50d05f54204b", + "severity": 1 + }, + "observer": { + "product": "gcenter", + "log_format_version": "1.0.0", + "uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f", + "vendor": 
"gatewatcher", + "gcap": { + "ingress": { + "interface": { + "name": "monvirt" + } + }, + "version": "2.5.4.0-rc1", + "hostname": "gcap-clement-l.gatewatcher.fr" + }, + "version": "2.5.3.103", + "hostname": "gcenter-clelyo-01.gatewatcher.com" + }, + "destination": { + "ip": "172.31.33.0", + "port": 445 + }, + "ecs": { + "version": "8.6.0" + }, + "ransomware": { + "alert_threshold": 648, + "malicious_behavior_confidence": 80, + "session_score": 37 + }, + "@timestamp": "2024-09-13T09:11:39.629080222Z", + "smb": { + "session_id": 593737889611873 + }, + "network": { + "protocol": "smb", + "flow_id": 1465670492342121, + "transport": "tcp", + "timestamp": "2024-09-13T09:08:44.877000+00:00", + "community_id": "1:RA5iYDlaiu3WMutFLj5r//rbk34=" + }, + "@version": "1" + } + ``` + + + +=== "retrohunt" + + + ```json + { + "observer": { + "id": "" + }, + "event": { + "kind": "alert", + "dataset": "alert", + "category": [ + "network", + "intrusion_detection" + ], + "module": "retrohunt", + "created": "2022-12-14T09:51:30.455Z", + "id": "8223b432-7e97-4570-a29d-254f41dbb9db", + "severity": 2 + }, + "ecs": { + "version": "8.6.0" + }, + "network": { + "ether": "" + }, + "source": { + "ip": "127.0.0.1", + "port": "80" + }, + "destination": { + "ip": "127.0.0.1", + "port": "8080" + }, + "matched_event": { + "id": "1" + }, + "ioc": { + "id": "1" + }, + "@timestamp": "2022-09-01T12:49:07.749Z" + } + ``` + + + +=== "sigflow_alert" + + + ```json + { + "observer": { + "vendor": "gatewatcher", + "uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f", + "gcap": { + "ingress": { + "interface": { + "name": "monvirt" + } + }, + "hostname": "gcap-clement-l.gatewatcher.fr", + "version": "2.5.4.0-rc1" + }, + "version": "2.5.3.103", + "log_format_version": "1.0.0", + "hostname": "gcenter-clelyo-01.gatewatcher.com", + "product": "gcenter" + }, + "source": { + "mac": "00:6f:37:76:51:45", + "port": 62832, + "ip": "65.100.113.120" + }, + "metadata": { + "flowbits": [ + "http.dottedquadhost.pdf" + ] + }, + 
"@timestamp": "2024-09-11T13:55:34.006Z", + "@version": "1", + "network": { + "protocol": "http", + "community_id": "1:8T6+TppVoaMkXwi+BTjnzAYozVc=", + "timestamp": "2024-09-11T13:55:01.080901+0000", + "transport": "tcp", + "tx_id": 0, + "flow_id": 1331841998337663 + }, + "destination": { + "mac": "00:43:70:57:75:55", + "port": 80, + "ip": "56.53.117.115" + }, + "flow": { + "bytes_toclient": 1362, + "bytes_toserver": 358, + "pkts_toclient": 3, + "start": "2024-09-11T13:55:01.079487+0000", + "pkts_toserver": 4 + }, + "url": { + "domain": "56.53.117.115", + "path": "/malcore_10KB_clean.pdf" + }, + "ecs": { + "version": "8.6.0" + }, + "http": { + "request": { + "method": "GET" + }, + "hostname": "56.53.117.115", + "version": "HTTP/1.1", + "response": { + "status": 200, + "mime_type": "application/pdf", + "bytes": 1135 + } + }, + "sigflow": { + "action": "allowed", + "metadata": { + "signature_severity": [ + "Informational" + ], + "attack_target": [ + "Client_Endpoint" + ], + "created_at": [ + "2019_04_23" + ], + "deployment": [ + "Perimeter" + ], + "performance_impact": [ + "Significant" + ], + "updated_at": [ + "2022_11_21" + ] + }, + "signature": "ET INFO Dotted Quad Host PDF Request", + "payload_printable": "GET /malcore_10KB_clean.pdf HTTP/1.1\r\nHost: 56.53.117.115\r\nAccept-Encoding: gzip,compress,deflate\r\nKeep-Alive: 300\r\nConnection: keep-alive\r\n\r\n", + "packet": "AENwV3VVAG83dlFFCABFAAAoAAEAAEAGGktBZHF4ODV1c/VwAFAa9wCtFhR7nlAQIACMOAAA", + "stream": 1, + "signature_id": 2027265, + "rev": 4, + "category": "Potentially Bad Traffic", + "gid": 1, + "packet_info": { + "linktype": 1 + }, + "payload": "R0VUIC9tYWxjb3JlXzEwS0JfY2xlYW4ucGRmIEhUVFAvMS4xDQpIb3N0OiA1Ni41My4xMTcuMTE1DQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsY29tcHJlc3MsZGVmbGF0ZQ0KS2VlcC1BbGl2ZTogMzAwDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQoNCg==" + }, + "event": { + "dataset": "alert", + "kind": "alert", + "module": "sigflow_alert", + "severity": 2, + "category": [ + "network", + "intrusion_detection" + ], + "id": 
"58c28570-6c90-4ba9-b9b5-f72867d5fa08", + "created": "2024-09-11T13:55:01.080901+0000" + } + } + ``` + + + +=== "sigflow_stats" + + + ```json + { + "observer": { + "hostname": "gcenter-interne-rd-56.gatewatcher.com", + "product": "gcenter", + "version": "2.5.3.103", + "vendor": "gatewatcher", + "gcap": { + "hostname": "gcap-interne-rd-55.gatewatcher.com", + "version": "2.5.3.107" + }, + "log_format_version": "1.0.0" + }, + "event": { + "kind": "metric", + "dataset": "system_metrics", + "category": [ + "host" + ], + "module": "sigflow_stats", + "created": "2022-12-14T09:51:30.455Z", + "id": "f14ab432-7e97-4570-a29d-254f41dbb9db" + }, + "ecs": { + "version": "8.6.0" + }, + "stats": { + "app_layer": {}, + "tcp": {}, + "uptime": 443637, + "ftp": {}, + "flow_bypassed": {}, + "decoder": {}, + "detect": {}, + "defrag": {}, + "flow": {}, + "capture": {}, + "http": {}, + "file_store": {} + }, + "@version": "1", + "@timestamp": "2022-09-01T10:49:46.643Z" + } + ``` + + +