Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

ACNCD_Custom_DataConnector_v2 (#729) 

* 3 custom data connector

* error corrections - locale

* resolve conflicts

* error corrections

* remove -- from CarbonBlack json

* Update WorkbooksMetadata.json

line 747

* Update WorkbookMetadata.json

Updated connect Dependencies to remove spaces and match connector ID

* Update Connector ID, exclude spaces

* Update Connector ID, exclude spaces

* Analytic Rule Corrections

* Retroactive changes to Analytics Rules

* typo in WorkbooksMedidata

* Post-Review Corrections

* QualysVM correction
This commit is contained in:
chicduong 2020-06-19 14:00:16 -07:00 коммит произвёл GitHub
Родитель e73c6247b2
Коммит 1ccee11bfc
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
52 изменённых файлов: 75420 добавлений и 11 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

Двоичные данные
DataConnectors/Proofpoint TAP/AzureFunctionProofpointTAP.zip Normal file
Просмотреть файл

Двоичный файл не отображается.

11
DataConnectors/Proofpoint TAP/AzureFunctionProofpointTAP/function.json Normal file
Просмотреть файл

@ -0,0 +1,11 @@
{
"bindings": [
{
"type": "timerTrigger",
"name": "Timer",
"schedule": "0 */5 * * * *",
"direction": "in"
}
],
"disabled": false
}

115
DataConnectors/Proofpoint TAP/AzureFunctionProofpointTAP/run.ps1 Normal file
Просмотреть файл

@ -0,0 +1,115 @@
<#
Title: Proofpoint Targeted Attack Project (TAP) Data Connector
Language: PowerShell
Version: 1.0
Author(s): Microsoft
Last Modified: 5/12/2020
Comment: Inital Release
DESCRIPTION
This Function App calls the Proofpoint Targeted Attack Protection (TAP) API (https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/SIEM_API) to pull the Proofpoint
Message Blocked, Message Delivered, Clicks Blocked, and Clicks Permitted logs. The response from the Proofpoint API is recieved in JSON format. This function will build the signature and authorization header
needed to post the data to the Log Analytics workspace via the HTTP Data Connector API. The Function App will post each log type to their individual tables in Log Analytics, for example,
ProofPointMessageBlocked_CL, ProofPointMessageDelivered_CL, ProofPointClicksPermitted_CL, ProofPointClicksBlocked_CL.
#>
# Input bindings are passed in via param block.
param($Timer)
# Get the current universal time in the default string format
$currentUTCtime = (Get-Date).ToUniversalTime()
# The 'IsPastDue' property is 'true' when the current function invocation is later than scheduled.
if ($Timer.IsPastDue) {
Write-Host "PowerShell timer is running late! $($Timer.ScheduledStatus.Last)"
}
# Define the different ProofPoint Log Types. These values are set by the ProofPoint API and required to seperate the log types into the respective Log Analytics tables
$ProofPointlogTypes = @(
"ClicksBlocked",
"ClicksPermitted",
"MessagesBlocked",
"MessagesDelivered")
# Build the headers for the ProofPoint API request
$username = $env:apiUserName
$password = $env:apiPassword
$uri = $env:uri
$base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $username,$password)))
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("au", "")
$headers.Add("Authorization", "Basic " + $base64AuthInfo)
# Invoke the API Request and assign the response to a variable ($response)
$response = Invoke-RestMethod $uri -Method 'GET' -Headers $headers
# Define the Log Analytics Workspace ID and Key
$CustomerId = $env:workspaceId
$SharedKey = $env:workspaceKey
$TimeStampField = "DateValue"
# Function to build the Authorization signature for the Log Analytics Data Connector API
Function Build-Signature ($customerId, $sharedKey, $date, $contentLength, $method, $contentType, $resource)
{
$xHeaders = "x-ms-date:" + $date
$stringToHash = $method + "`n" + $contentLength + "`n" + $contentType + "`n" + $xHeaders + "`n" + $resource
$bytesToHash = [Text.Encoding]::UTF8.GetBytes($stringToHash)
$keyBytes = [Convert]::FromBase64String($sharedKey)
$sha256 = New-Object System.Security.Cryptography.HMACSHA256
$sha256.Key = $keyBytes
$calculatedHash = $sha256.ComputeHash($bytesToHash)
$encodedHash = [Convert]::ToBase64String($calculatedHash)
$authorization = 'SharedKey {0}:{1}' -f $customerId,$encodedHash
# Dispose SHA256 from heap before return.
$sha256.Dispose()
return $authorization
}
# Function to create and invoke an API POST request to the Log Analytics Data Connector API
Function Post-LogAnalyticsData($customerId, $sharedKey, $body, $logType)
{
$method = "POST"
$contentType = "application/json"
$resource = "/api/logs"
$rfc1123date = [DateTime]::UtcNow.ToString("r")
$contentLength = $body.Length
$signature = Build-Signature `
-customerId $customerId `
-sharedKey $sharedKey `
-date $rfc1123date `
-contentLength $contentLength `
-method $method `
-contentType $contentType `
-resource $resource
$uri = "https://" + $customerId + ".ods.opinsights.azure.com" + $resource + "?api-version=2016-04-01"
$headers = @{
"Authorization" = $signature;
"Log-Type" = $logType;
"x-ms-date" = $rfc1123date;
"time-generated-field" = $TimeStampField;
}
$response = Invoke-WebRequest -Uri $uri -Method $method -ContentType $contentType -Headers $headers -Body $body -UseBasicParsing
return $response.StatusCode
}
# Iterate through the ProofPoint API response and if there are log events present, POST the events to the Log Analytics API into the respective tables.
ForEach ($PPLogType in $ProofpointLogTypes) {
if ($response.$PPLogType.Length -eq 0 ){
Write-Host ("ProofPointTAP$($PPLogType) reported no new logs for the time interval configured.")
}
else {
if($response.$PPLogType -eq $null) { # if the log entry is a null, this occurs on the last line of each LogType. Should only be one per log type
Write-Host ("ProofPointTAP$($PPLogType) null line excluded") # exclude it from being posted
} else {
$json = $response.$PPLogType | ConvertTo-Json -Depth 3 # convert each log entry and post each entry to the Log Analytics API
Post-LogAnalyticsData -customerId $customerId -sharedKey $sharedKey -body ([System.Text.Encoding]::UTF8.GetBytes($json)) -logType "ProofPointTAP$($PPLogType)"
}
}
}
# Write an information log with the current time.
Write-Host "PowerShell timer trigger function ran! TIME: $currentUTCtime"

150
DataConnectors/Proofpoint TAP/ProofpointTAP_API_FunctionApp.json Normal file
Просмотреть файл

@ -0,0 +1,150 @@
{
"id": "ProofpointTAP",
"title": "Proofpoint TAP (Preview)",
"publisher": "Proofpoint",
"descriptionMarkdown": "The [Proofpoint Targeted Attack Protection (TAP)](https://www.proofpoint.com/us/products/advanced-threat-protection/targeted-attack-protection) connector provides the capability to ingest Proofpoint TAP logs and events into Azure Sentinel. The connector provides visibility into Message and Click events in Azure Sentinel to view dashboards, create custom alerts, and to improve monitoring and investigation capabilities.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "Proofpoint TAP Logs",
"baseQuery": "union ProofPointTAPMessagesBlocked_CL, ProofPointTAPMessagesDelivered_CL, ProofPointTAPClicksBlocked_CL, ProofPointTAPClicksPermitted_CL"
}
],
"sampleQueries": [
{
"description" : "Malware click events permitted",
"query": "ProofPointTAPClicksPermitted_CL\n | where classification_s == \"malware\" \n | take 10"
},
{
"description" : "Phishing click events blocked",
"query": "ProofPointTAPClicksBlocked_CL\n | where classification_s == \"phish\" \n | take 10"
},
{
"description" : "Malware messages events delivered",
"query": "ProofPointTAPMessagesDelivered_CL\n | mv-expand todynamic(threatsInfoMap_s)\n | extend classification = tostring(threatsInfoMap_s.classification)\n | where classification == \"malware\" \n | take 10"
},
{
"description" : "Phishing message events blocked",
"query": "ProofPointTAPMessagesBlocked_CL\n | mv-expand todynamic(threatsInfoMap_s)\n | extend classification = tostring(threatsInfoMap_s.classification)\n | where classification == \"phish\""
}
],
"dataTypes": [
{
"name": "ProofPointTAPClicksPermitted_CL",
"lastDataReceivedQuery": "ProofPointTAPClicksPermitted_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "ProofPointTAPClicksBlocked_CL",
"lastDataReceivedQuery": "ProofPointTAPClicksBlocked_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "ProofPointTAPMessagesDelivered_CL",
"lastDataReceivedQuery": "ProofPointTAPMessagesDelivered_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "ProofPointTAPMessagesBlocked_CL",
"lastDataReceivedQuery": "ProofPointTAPMessagesBlocked_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"ProofPointTAPMessagesBlocked_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider":"Microsoft.Web/sites",
"permissionsDisplayText":"read and write permissions to Azure Functions to create a Function App. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).",
"providerDisplayName":"Azure Functions",
"scope":"Azure Functions",
"requiredPermissions":{
"read": true,
"write": true,
"delete": true
}
}
],
"customs": [
{
"name": "Proofpoint TAP API Key",
"description": "A Proofpoint TAP API username and password is required. [See the documentation to learn more about Proofpoint SIEM API](https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/SIEM_API)."
}
]
},
"instructionSteps": [
{
"title": "",
"description": ">**NOTE:** This connector uses Azure Functions to connect to Proofpoint TAP to pull its logs into Azure Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
},
{
"title": "",
"description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
},
{
"title": "",
"description": "**STEP 1 - Configuration steps for the Proofpoint TAP API**\n\n1. Log into the Proofpoint TAP console \n2. Navigate to **Connect Applications** and select **Service Principal**\n3. Create a **Service Principal** (API Authorization Key)"
},
{
"title": "",
"description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Proofpoint TAP connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Proofpoint TAP API Authorization Key(s), readily available.",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
]
},
{
"title": "Option 1 - Azure Resource Manager (ARM) Template",
"description": "Use this method for automated deployment of the Proofpoint TAP connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinelproofpointtapazuredeploy) \n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Username**, **API Password**, and validate the **Uri**.\n> - The default URI is pulling data for the last 300 seconds (5 minutes) to correspond with the default Function App Timer trigger of 5 minutes. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion. \n> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
},
{
"title": "Option 2 - Manual Deployment of Azure Functions",
"description": "This method provides the step-by-step instructions to deploy the Proofpoint TAP connector manually with Azure Function."
},
{
"title": "",
"description": "**1. Create a Function App**\n\n1. From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp), and select **+ Add**.\n2. In the **Basics** tab, ensure Runtime stack is set to **Powershell Core**. \n3. In the **Hosting** tab, ensure the **Consumption (Serverless)** plan type is selected.\n4. Make other preferrable configuration changes, if needed, then click **Create**."
},
{
"title": "",
"description": "**2. Import Function App Code**\n\n1. In the newly created Function App, select **Functions** on the left pane and click **+ Add**.\n2. Select **Timer Trigger**.\n3. Enter a unique Function **Name** and modify the cron schedule, if needed. The default value is set to run the Function App every 5 minutes. (Note: the Timer trigger should match the `timeInterval` value below to prevent overlapping data), click **Create**.\n4. Click on **Code + Test** on the left pane. \n5. Copy the [Function App Code](https://aka.ms/sentinelproofpointtapazurefunctioncode) and paste into the Function App `run.ps1` editor.\n5. Click **Save**."
},
{
"title": "",
"description": "**3. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following five (5) application settings individually, with their respective string values (case-sensitive): \n\t\tapiUsername\n\t\tapipassword\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n> - Set the `uri` value to: `https://tap-api-v2.proofpoint.com/v2/siem/all?format=json&sinceSeconds=300`\n> - The default URI is pulling data for the last 300 seconds (5 minutes) to correspond with the default Function App Timer trigger of 5 minutes. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly to prevent overlapping data ingestion.\n> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n4. Once all application settings have been entered, click **Save**."
}
]
}

235
DataConnectors/Proofpoint TAP/azuredeploy_ProofpointTAP_API_FunctionApp.json Normal file
Просмотреть файл

@ -0,0 +1,235 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"FunctionName": {
"defaultValue": "ProofpointTAPIngestion",
"type": "string"
},
"WorkspaceID": {
"type": "string",
"defaultValue": "<workspaceID>"
},
"WorkspaceKey": {
"type": "string",
"defaultValue": "<workspaceKey>"
},
"APIUsername": {
"type": "string",
"defaultValue": "<apiUsername>"
},
"APIPassword": {
"type": "string",
"defaultValue": "<apiPassword>"
},
"Uri": {
"type": "string",
"defaultValue": "https://tap-api-v2.proofpoint.com/v2/siem/all?format=json&sinceSeconds=300"
}
},
"variables": {
},
"resources": [
{
"type": "Microsoft.Insights/components",
"apiVersion": "2015-05-01",
"name": "[parameters('FunctionName')]",
"location": "[resourceGroup().location]",
"kind": "web",
"properties": {
"Application_Type": "web",
"ApplicationId": "[parameters('FunctionName')]"
}
},
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[tolower(parameters('FunctionName'))]",
"location": "[resourceGroup().location]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"networkAcls": {
"bypass": "AzureServices",
"virtualNetworkRules": [
],
"ipRules": [
],
"defaultAction": "Allow"
},
"supportsHttpsTrafficOnly": true,
"encryption": {
"services": {
"file": {
"keyType": "Account",
"enabled": true
},
"blob": {
"keyType": "Account",
"enabled": true
}
},
"keySource": "Microsoft.Storage"
}
}
},
{
"type": "Microsoft.Web/serverfarms",
"apiVersion": "2018-02-01",
"name": "[parameters('FunctionName')]",
"location": "[resourceGroup().location]",
"sku": {
"name": "Y1",
"tier": "Dynamic"
},
"kind": "functionapp",
"properties": {
"name": "[parameters('FunctionName')]",
"workerSize": "0",
"workerSizeId": "0",
"numberOfWorkers": "1"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2019-06-01",
"name": "[concat(parameters('FunctionName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(parameters('FunctionName')))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"cors": {
"corsRules": [
]
},
"deleteRetentionPolicy": {
"enabled": false
}
}
},
{
"type": "Microsoft.Storage/storageAccounts/fileServices",
"apiVersion": "2019-06-01",
"name": "[concat(parameters('FunctionName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(parameters('FunctionName')))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"cors": {
"corsRules": [
]
}
}
},
{
"type": "Microsoft.Web/sites",
"apiVersion": "2018-11-01",
"name": "[parameters('FunctionName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(parameters('FunctionName')))]",
"[resourceId('Microsoft.Web/serverfarms', parameters('FunctionName'))]",
"[resourceId('Microsoft.Insights/components', parameters('FunctionName'))]"
],
"kind": "functionapp",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"name": "[parameters('FunctionName')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('FunctionName'))]",
"httpsOnly": true,
"clientAffinityEnabled": true,
"alwaysOn": true
},
"resources": [
{
"apiVersion": "2018-11-01",
"type": "config",
"name": "appsettings",
"dependsOn": [
"[concat('Microsoft.Web/sites/', parameters('FunctionName'))]"
],
"properties": {
"FUNCTIONS_EXTENSION_VERSION": "~3",
"FUNCTIONS_WORKER_RUNTIME": "powershell",
"APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', parameters('FunctionName')), '2015-05-01').InstrumentationKey]",
"APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', parameters('FunctionName')), '2015-05-01').ConnectionString]",
"AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(parameters('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(parameters('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=core.windows.net')]",
"WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(parameters('FunctionName')),';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(parameters('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=core.windows.net')]",
"WEBSITE_CONTENTSHARE": "[toLower(parameters('FunctionName'))]",
"workspaceID": "[parameters('WorkspaceID')]",
"workspaceKey": "[parameters('WorkspaceKey')]",
"apiUsername": "[parameters('APIUsername')]",
"apiPassword": "[parameters('APIPassword')]",
"uri": "[parameters('Uri')]",
"WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinelproofpointtapazurefunctionzip"
}
}
]
},
{
"type": "Microsoft.Web/sites/hostNameBindings",
"apiVersion": "2018-11-01",
"name": "[concat(parameters('FunctionName'), '/', parameters('FunctionName'), '.azurewebsites.net')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', parameters('FunctionName'))]"
],
"properties": {
"siteName": "[parameters('FunctionName')]",
"hostNameType": "Verified"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(parameters('FunctionName'), '/default/azure-webjobs-hosts')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', parameters('FunctionName'))]"
],
"properties": {
"publicAccess": "None"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(parameters('FunctionName'), '/default/azure-webjobs-secrets')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', parameters('FunctionName'))]"
],
"properties": {
"publicAccess": "None"
}
},
{
"type": "Microsoft.Storage/storageAccounts/fileServices/shares",
"apiVersion": "2019-06-01",
"name": "[concat(parameters('FunctionName'), '/default/', tolower(parameters('FunctionName')))]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/fileServices', parameters('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', parameters('FunctionName'))]"
],
"properties": {
"shareQuota": 5120
}
}
]
}

Двоичные данные
DataConnectors/Qualys VM/AzureFunctionQualysVM.zip Normal file
Просмотреть файл

Двоичный файл не отображается.

11
DataConnectors/Qualys VM/AzureFunctionQualysVM/function.json Normal file
Просмотреть файл

@ -0,0 +1,11 @@
{
"bindings": [
{
"type": "timerTrigger",
"name": "Timer",
"schedule": "0 */5 * * * *",
"direction": "in"
}
],
"disabled": false
}

214
DataConnectors/Qualys VM/AzureFunctionQualysVM/run.ps1 Normal file
Просмотреть файл

@ -0,0 +1,214 @@
<#
Title: Qualys Vulnerability Management (VM) Host Detection Data Connector
Language: PowerShell
Version: 1.0
Author(s): Microsoft
Last Modified: 6/02/2020
Comment: Inital Release
DESCRIPTION
This Function App calls the Qualys Vulnerability Management (VM) API (https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf) specifically for Host List Detection data (/api/2.0/fo/asset/host/vm/detection/).
The response from the Qualys API is recieved in XML format. This function will parse the XML into JSON format, build the signature and authorization header needed to post the data
to the Log Analytics workspace via the HTTP Data Connector API. The Function App will omit API responses that with an empty host list, which indicates there were no records for that
time interval. Often, there are Hosts with numerous scan detections, which causes the record submitted to the Data Connector API to be truncated and improperly ingested, The Function App
will also identify those records greater than the 32Kb limit per record and seperate them into individual records.
#>
# Input bindings are passed in via param block
param($Timer)
# Get the current Universal Time
$currentUTCtime = (Get-Date).ToUniversalTime()
# The 'IsPastDue' property is 'true' when the current function invocation is later than was originally scheduled
if ($Timer.IsPastDue) {
Write-Host "PowerShell timer is running late!"
}
# Define the Log Analytics Workspace ID and Key and Custom Table Name
$CustomerId = $env:workspaceId
$SharedKey = $env:workspaceKey
$TimeStampField = "DateValue"
$TableName = "QualysHostDetection"
# Build the headers for the Qualys API request
$username = $env:apiUserName
$password = $env:apiPassword
$hdrs = @{"X-Requested-With"="PowerShell"}
$uri = $env:uri
$time = $env:timeInterval
$base = [regex]::matches($uri, '(https:\/\/[\w\.]+\/api\/\d\.\d\/fo)').captures.groups[1].value
$body = "action=login&username=$($username)&password=$($password)"
Invoke-RestMethod -Headers $hdrs -Uri "$base/session/" -Method Post -Body $body -SessionVariable LogonSession
# ISO:8601-compliant DateTime required.
$startDate = [System.DateTime]::UtcNow.AddMinutes(-$($time))
# Invoke the API Request and assign the response to a variable ($response)
$response = (Invoke-RestMethod -Headers $hdrs -Uri "$uri$($startDate.ToString('yyyy-MM-ddTHH:mm:ssZ'))" -WebSession $LogonSession)
# Iterate through each detection recieved from the API call and assign the variables (Column Names in LA) to each XML variable
if (-not ($response.HOST_LIST_VM_DETECTION_OUTPUT.RESPONSE.HOST_LIST -eq $null))
{
$customObjects = @()
$response.HOST_LIST_VM_DETECTION_OUTPUT.RESPONSE.HOST_LIST.HOST | ForEach-Object {
$customObject = New-Object -TypeName PSObject
Add-Member -InputObject $customObject -MemberType NoteProperty -Name "Id" -Value $_.ID
Add-Member -InputObject $customObject -MemberType NoteProperty -Name "IpAddress" -Value $_.IP
Add-Member -InputObject $customObject -MemberType NoteProperty -Name "TrackingMethod" -Value $_.TRACKING_METHOD
Add-Member -InputObject $customObject -MemberType NoteProperty -Name "OperatingSystem" -Value $_.OS."#cdata-section"
Add-Member -InputObject $customObject -MemberType NoteProperty -Name "DnsName" -Value $_.DNS."#cdata-section"
Add-Member -InputObject $customObject -MemberType NoteProperty -Name "NetBios" -Value $_.NETBIOS."#cdata-section"
Add-Member -InputObject $customObject -MemberType NoteProperty -Name "QGHostId" -Value $_.QG_HOSTID."#cdata-section"
Add-Member -InputObject $customObject -MemberType NoteProperty -Name "LastScanDateTime" -Value $_.LAST_SCAN_DATETIME
Add-Member -InputObject $customObject -MemberType NoteProperty -Name "LastVMScannedDateTime" -Value $_.LAST_VM_SCANNED_DATE
Add-Member -InputObject $customObject -MemberType NoteProperty -Name "LastVMAuthScannedDateTime" -Value $_.LAST_VM_AUTH_SCANNED_DATE
$detections = @()
foreach($detection in $_.DETECTION_LIST.DETECTION)
{
$customSubObject = New-Object -TypeName PSObject
Add-Member -InputObject $customSubObject -MemberType NoteProperty -Name "QID" -Value $detection.QID
Add-Member -InputObject $customSubObject -MemberType NoteProperty -Name "Type" -Value $detection.TYPE
Add-Member -InputObject $customSubObject -MemberType NoteProperty -Name "Severity" -Value $detection.SEVERITY
Add-Member -InputObject $customSubObject -MemberType NoteProperty -Name "SSL" -Value $detection.SSL
Add-Member -InputObject $customSubObject -MemberType NoteProperty -Name "Results" -Value $detection.RESULTS.'#cdata-section'
Add-Member -InputObject $customSubObject -MemberType NoteProperty -Name "Status" -Value $detection.STATUS
Add-Member -InputObject $customSubObject -MemberType NoteProperty -Name "TimesFound" -Value $detection.TIMES_FOUND
Add-Member -InputObject $customSubObject -MemberType NoteProperty -Name "FirstFound" -Value $detection.FIRST_FOUND_DATETIME
Add-Member -InputObject $customSubObject -MemberType NoteProperty -Name "LastFixed" -Value $detection.LAST_FIXED_DATETIME
Add-Member -InputObject $customSubObject -MemberType NoteProperty -Name "LastFound" -Value $detection.LAST_FOUND_DATETIME
Add-Member -InputObject $customSubObject -MemberType NoteProperty -Name "LastProcessed" -Value $detection.LAST_PROCESSED_DATETIME
Add-Member -InputObject $customSubObject -MemberType NoteProperty -Name "LastUpdate" -Value $detection.LAST_UPDATE_DATETIME
Add-Member -InputObject $customSubObject -MemberType NoteProperty -Name "Ignored" -Value $detection.IS_IGNORED
Add-Member -InputObject $customSubObject -MemberType NoteProperty -Name "Disabled" -Value $detection.IS_DISABLED
$detections += $customSubObject
}
# Add the custom object as a child object to the parent
Add-Member -InputObject $customObject -MemberType NoteProperty -Name "Detections" -Value $detections
$customObjects += $customObject
}
# Dispose of the session
Invoke-RestMethod -Headers $hdrs -Uri "$($base)/session/" -Method Post -Body "action=logout" -WebSession $LogonSession
# Function to build the Authorization signature for the Log Analytics Data Connector API
Function Build-Signature ($customerId, $sharedKey, $date, $contentLength, $method, $contentType, $resource)
{
$xHeaders = "x-ms-date:" + $date
$stringToHash = $method + "`n" + $contentLength + "`n" + $contentType + "`n" + $xHeaders + "`n" + $resource
$bytesToHash = [Text.Encoding]::UTF8.GetBytes($stringToHash)
$keyBytes = [Convert]::FromBase64String($sharedKey)
$sha256 = New-Object System.Security.Cryptography.HMACSHA256
$sha256.Key = $keyBytes
$calculatedHash = $sha256.ComputeHash($bytesToHash)
$encodedHash = [Convert]::ToBase64String($calculatedHash)
$authorization = 'SharedKey {0}:{1}' -f $customerId,$encodedHash
# Dispose SHA256 from heap before return
$sha256.Dispose()
return $authorization
}
# Function to create and invoke an API POST request to the Log Analytics Data Connector API
Function Post-LogAnalyticsData($customerId, $sharedKey, $body, $logType)
{
$method = "POST"
$contentType = "application/json"
$resource = "/api/logs"
$rfc1123date = [DateTime]::UtcNow.ToString("r")
$contentLength = $body.Length
$signature = Build-Signature `
-customerId $customerId `
-sharedKey $sharedKey `
-date $rfc1123date `
-contentLength $contentLength `
-method $method `
-contentType $contentType `
-resource $resource
$uri = "https://" + $customerId + ".ods.opinsights.azure.com" + $resource + "?api-version=2016-04-01"
$headers = @{
"Authorization" = $signature;
"Log-Type" = $logType;
"x-ms-date" = $rfc1123date;
"time-generated-field" = $TimeStampField;
}
$response = Invoke-WebRequest -Uri $uri -Method $method -ContentType $contentType -Headers $headers -Body $body -UseBasicParsing
return $response.StatusCode
}
# Convert to JSON and API POST to Log Analytics Workspace
$customObjects | ForEach-Object {
$json = $_ | ConvertTo-Json -Compress -Depth 3
# Calculate the kbytes/record
$kbytes = ([System.Text.Encoding]::UTF8.GetBytes($json)).Count/1024
# If the record is greater than 30kb (Azure HTTP Data Connector field size limit-32kb), create a new object. Record size surpasses this limit due to large amounts of detections per host
if ($kbytes -gt 30){
$newcustomObjects = @()
$newObject = @()
# The new object will consist of only a single detection with all the parent/host record information
ForEach ($QID in $_.Detections){
$newObject = New-Object -TypeName PSObject
Add-Member -InputObject $newObject -MemberType NoteProperty -Name "Id" -Value $_.ID
Add-Member -InputObject $newObject -MemberType NoteProperty -Name "IpAddress" -Value $_.IpAddress
Add-Member -InputObject $newObject -MemberType NoteProperty -Name "TrackingMethod" -Value $_.TrackingMethod
Add-Member -InputObject $newObject -MemberType NoteProperty -Name "OperatingSystem" -Value $_.OperatingSystem
Add-Member -InputObject $newObject -MemberType NoteProperty -Name "DnsName" -Value $_.DnsName
Add-Member -InputObject $newObject -MemberType NoteProperty -Name "NetBios" -Value $_.NetBios
Add-Member -InputObject $newObject -MemberType NoteProperty -Name "QGHostId" -Value $_.QGHostId
Add-Member -InputObject $newObject -MemberType NoteProperty -Name "LastScanDateTime" -Value $_.LastScanDateTime
Add-Member -InputObject $newObject -MemberType NoteProperty -Name "LastVMScannedDateTime" -Value $_.LastVMScannedDateTime
Add-Member -InputObject $newObject -MemberType NoteProperty -Name "LastVMAuthScannedDateTime" -Value $_.LastVMAuthScannedDateTime
$subdetection = @()
$QID | ForEach-Object {
$newSubObject = New-Object -TypeName PSObject
Add-Member -InputObject $newSubObject -MemberType NoteProperty -Name "QID" -Value $QID.QID
Add-Member -InputObject $newSubObject -MemberType NoteProperty -Name "Type" -Value $QID.Type
Add-Member -InputObject $newSubObject -MemberType NoteProperty -Name "Severity" -Value $QID.Severity
Add-Member -InputObject $newSubObject -MemberType NoteProperty -Name "SSL" -Value $QID.SSL
Add-Member -InputObject $newSubObject -MemberType NoteProperty -Name "Results" -Value $QID.Results
Add-Member -InputObject $newSubObject -MemberType NoteProperty -Name "Status" -Value $QID.Status
Add-Member -InputObject $newSubObject -MemberType NoteProperty -Name "TimesFound" -Value $QID.TimesFound
Add-Member -InputObject $newSubObject -MemberType NoteProperty -Name "FirstFound" -Value $QID.FirstFound
Add-Member -InputObject $newSubObject -MemberType NoteProperty -Name "LastFixed" -Value $QID.FirstFound
Add-Member -InputObject $newSubObject -MemberType NoteProperty -Name "LastFound" -Value $QID.LastFound
Add-Member -InputObject $newSubObject -MemberType NoteProperty -Name "LastProcessed" -Value $QID.LastProcessed
Add-Member -InputObject $newSubObject -MemberType NoteProperty -Name "LastUpdate" -Value $LastUpdate
Add-Member -InputObject $newSubObject -MemberType NoteProperty -Name "Ignored" -Value $QID.Ignored
Add-Member -InputObject $newSubObject -MemberType NoteProperty -Name "Disabled" -Value $QID.Disabled
$subdetection += $newSubObject
}
# Add the custom object as a child object to the parent
Add-Member -InputObject $newObject -MemberType NoteProperty -Name "Detections" -Value $subdetection
# Add it to the array that contains all the records parent information / individual detection to be posted
$newcustomObjects += $newObject
}
}
else {
# The record is less than 30kb, add to the array to be posted
$newcustomObjects += $_
}
}
# Convert the array containing all the records to JSON and API POST to Log Analytics Workspace
$json = $newcustomObjects | ConvertTo-Json -Compress -Depth 3
Post-LogAnalyticsData -customerId $customerId -sharedKey $sharedKey -body ([System.Text.Encoding]::UTF8.GetBytes($json)) -logType $TableName
Write-Output $json
}
else
{
# If the response from the Qualys API is null or empty, dispose of the session
Invoke-RestMethod -Headers $hdrs -Uri "$($base)/session/" -Method Post -Body "action=logout" -WebSession $LogonSession
Write-Host "No new results found for this interval"
}
# Write an information log with the current time.
Write-Host "PowerShell timer trigger function ran! TIME: $currentUTCtime"

126
DataConnectors/Qualys VM/QualysVM_API_FunctionApp.json Normal file
Просмотреть файл

@ -0,0 +1,126 @@
{
"id": "QualysVulnerabilityManagement",
"title": "Qualys Vulnerability Management (Preview)",
"publisher": "Qualys",
"descriptionMarkdown": "The [Qualys Vulnerability Management (VM)](https://www.qualys.com/apps/vulnerability-management/) data connector provides the capability to ingest vulnerability host detection data into Azure Sentinel through the Qualys API. The connector provides visibility into host detection data from vulerability scans. This connector provides Azure Sentinel the capability to view dashboards, create custom alerts, and improve investigation ",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "QualysHostDetection_CL",
"baseQuery": "QualysHostDetection_CL"
}
],
"sampleQueries": [
{
"description" : "Top 10 Vulerabilities detected",
"query": "QualysHostDetection_CL\n | mv-expand todynamic(Detections_s)\n | extend Vulnerability = tostring(Detections_s.Results)\n | summarize count() by Vulnerability\n | top 10 by count_"
}
],
"dataTypes": [
{
"name": "QualysHostDetection_CL",
"lastDataReceivedQuery": "QualysHostDetection_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"QualysHostDetection_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider":"Microsoft.Web/sites",
"permissionsDisplayText":"read and write permissions to Azure Functions to create a Function App. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).",
"providerDisplayName":"Azure Functions",
"scope":"Azure Functions",
"requiredPermissions":{
"read": true,
"write": true,
"delete": true
}
}
],
"customs": [
{
"name": "Qualys API Key",
"description": "A Qualys VM API username and password is required. [See the documentation to learn more about Qualys VM API](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf)."
}
]
},
"instructionSteps": [
{
"title": "",
"description": ">**NOTE:** This connector uses Azure Functions to connect to Qualys VM to pull its logs into Azure Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
},
{
"title": "",
"description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
},
{
"title": "",
"description": "**STEP 1 - Configuration steps for the Qualys VM API**\n\n1. Log into the Qualys Vulnerability Management console with an administrator account, select the **Users** tab and the **Users** subtab. \n2. Click on the **New** drop-down menu and select **Users..**\n3. Create a username and password for the API account. \n4. In the **User Roles** tab, ensure the account role is set to **Manager** and access is allowed to **GUI** and **API**\n4. Log out of the administrator account and log into the console with the new API credentials for validation, then log out of the API account. \n5. Log back into the console using an administrator account and modify the API accounts User Roles, removing access to **GUI**. \n6. Save all changes."
},
{
"title": "",
"description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Qualys VM connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Qualys VM API Authorization Key(s), readily available.",
"instructions":[
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
]
},
{
"title": "Option 1 - Azure Resource Manager (ARM) Template",
"description": "Use this method for automated deployment of the Qualys VM connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinelqualysvmazuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Username**, **API Password** , and update the **URI**.\n> - Enter the URI that corresponds to your region. The complete list of API Server URLs can be [found here](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#G4.735348) -- There is no need to add a time suffix to the URI, the Function App will dynamically append the Time Value to the URI in the proper format. \n - The default **Time Interval** is set to pull the last five (5) minutes of data. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion. \n> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
},
{
"title": "Option 2 - Manual Deployment of Azure Functions",
"description": "Use the following step-by-step instructions to deploy the Quayls VM connector manually with Azure Functions."
},
{
"title": "",
"description": "**1. Create a Function App**\n\n1. From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp), and select **+ Add**.\n2. In the **Basics** tab, ensure Runtime stack is set to **Powershell Core**. \n3. In the **Hosting** tab, ensure the **Consumption (Serverless)** plan type is selected.\n4. Make other preferrable configuration changes, if needed, then click **Create**."
},
{
"title": "",
"description": "**2. Import Function App Code**\n\n1. In the newly created Function App, select **Functions** on the left pane and click **+ New Function**.\n2. Select **Timer Trigger**.\n3. Enter a unique Function **Name** and modify the cron schedule, if needed. The default value is set to run the Function App every 5 minutes. (Note: the Timer trigger should match the `timeInterval` value below to prevent overlapping data), click **Create**.\n4. Click on **Code + Test** on the left pane. \n5ss. Copy the [Function App Code](https://aka.ms/sentinelqualysvmazurefunctioncode) and paste into the Function App `run.ps1` editor.\n5. Click **Save**."
},
{
"title": "",
"description": "**3. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following six (6) application settings individually, with their respective string values (case-sensitive): \n\t\tapiUsername\n\t\tapiPassword\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\ttimeInterval\n> - Enter the URI that corresponds to your region. The complete list of API Server URLs can be [found here](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#G4.735348). The `uri` value must follow the following schema: `https://<API Server>/api/2.0/fo/asset/host/vm/detection?action=list&published_after=` -- There is no need to add a time suffix to the URI, the Function App will dynamically append the Time Value to the URI in the proper format.\n> - Set the `timeInterval` (in minutes) to the default value of `5` to correspond to the default Timer Trigger of every `5` minutes. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly to prevent overlapping data ingestion.\n> - Note: If using Azure Key Vault, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n4. Once all application settings have been entered, click **Save**."
}
]
}

239
DataConnectors/Qualys VM/azuredeploy_QualysVM_API_FunctionApp.json Normal file
Просмотреть файл

@ -0,0 +1,239 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"FunctionName": {
"defaultValue": "QualysVMIngestion",
"type": "string"
},
"WorkspaceID": {
"type": "string",
"defaultValue": "<workspaceID>"
},
"WorkspaceKey": {
"type": "string",
"defaultValue": "<workspaceKey>"
},
"APIUsername": {
"type": "string",
"defaultValue": "<apiUsername>"
},
"APIPassword": {
"type": "string",
"defaultValue": "<apiPassword>"
},
"Uri": {
"type": "string",
"defaultValue": "https://<API Server URL>/api/2.0/fo/asset/host/vm/detection?action=list&published_after="
},
"TimeInterval": {
"type": "string",
"defaultValue": "5"
}
},
"variables": {
},
"resources": [
{
"type": "Microsoft.Insights/components",
"apiVersion": "2015-05-01",
"name": "[parameters('FunctionName')]",
"location": "[resourceGroup().location]",
"kind": "web",
"properties": {
"Application_Type": "web",
"ApplicationId": "[parameters('FunctionName')]"
}
},
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[tolower(parameters('FunctionName'))]",
"location": "[resourceGroup().location]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"networkAcls": {
"bypass": "AzureServices",
"virtualNetworkRules": [
],
"ipRules": [
],
"defaultAction": "Allow"
},
"supportsHttpsTrafficOnly": true,
"encryption": {
"services": {
"file": {
"keyType": "Account",
"enabled": true
},
"blob": {
"keyType": "Account",
"enabled": true
}
},
"keySource": "Microsoft.Storage"
}
}
},
{
"type": "Microsoft.Web/serverfarms",
"apiVersion": "2018-02-01",
"name": "[parameters('FunctionName')]",
"location": "[resourceGroup().location]",
"sku": {
"name": "Y1",
"tier": "Dynamic"
},
"kind": "functionapp",
"properties": {
"name": "[parameters('FunctionName')]",
"workerSize": "0",
"workerSizeId": "0",
"numberOfWorkers": "1"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2019-06-01",
"name": "[concat(parameters('FunctionName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(parameters('FunctionName')))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"cors": {
"corsRules": [
]
},
"deleteRetentionPolicy": {
"enabled": false
}
}
},
{
"type": "Microsoft.Storage/storageAccounts/fileServices",
"apiVersion": "2019-06-01",
"name": "[concat(parameters('FunctionName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(parameters('FunctionName')))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"cors": {
"corsRules": [
]
}
}
},
{
"type": "Microsoft.Web/sites",
"apiVersion": "2018-11-01",
"name": "[parameters('FunctionName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(parameters('FunctionName')))]",
"[resourceId('Microsoft.Web/serverfarms', parameters('FunctionName'))]",
"[resourceId('Microsoft.Insights/components', parameters('FunctionName'))]"
],
"kind": "functionapp",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"name": "[parameters('FunctionName')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('FunctionName'))]",
"httpsOnly": true,
"clientAffinityEnabled": true,
"alwaysOn": true
},
"resources": [
{
"apiVersion": "2018-11-01",
"type": "config",
"name": "appsettings",
"dependsOn": [
"[concat('Microsoft.Web/sites/', parameters('FunctionName'))]"
],
"properties": {
"FUNCTIONS_EXTENSION_VERSION": "~3",
"FUNCTIONS_WORKER_RUNTIME": "powershell",
"APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', parameters('FunctionName')), '2015-05-01').InstrumentationKey]",
"APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', parameters('FunctionName')), '2015-05-01').ConnectionString]",
"AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(parameters('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(parameters('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=core.windows.net')]",
"WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(parameters('FunctionName')),';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(parameters('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=core.windows.net')]",
"WEBSITE_CONTENTSHARE": "[toLower(parameters('FunctionName'))]",
"workspaceID": "[parameters('WorkspaceID')]",
"workspaceKey": "[parameters('WorkspaceKey')]",
"apiUsername": "[parameters('APIUsername')]",
"apiPassword": "[parameters('APIPassword')]",
"uri": "[parameters('Uri')]",
"timeInterval": "[parameters('TimeInterval')]",
"WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinelqualysvmazurefunctionzip"
}
}
]
},
{
"type": "Microsoft.Web/sites/hostNameBindings",
"apiVersion": "2018-11-01",
"name": "[concat(parameters('FunctionName'), '/', parameters('FunctionName'), '.azurewebsites.net')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', parameters('FunctionName'))]"
],
"properties": {
"siteName": "[parameters('FunctionName')]",
"hostNameType": "Verified"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(parameters('FunctionName'), '/default/azure-webjobs-hosts')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', parameters('FunctionName'))]"
],
"properties": {
"publicAccess": "None"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(parameters('FunctionName'), '/default/azure-webjobs-secrets')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', parameters('FunctionName'))]"
],
"properties": {
"publicAccess": "None"
}
},
{
"type": "Microsoft.Storage/storageAccounts/fileServices/shares",
"apiVersion": "2019-06-01",
"name": "[concat(parameters('FunctionName'), '/default/', tolower(parameters('FunctionName')))]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/fileServices', parameters('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', parameters('FunctionName'))]"
],
"properties": {
"shareQuota": 5120
}
}
]
}

Двоичные данные
DataConnectors/VMware Carbon Black/AzureFunctionVMwareCarbonBlack.zip Normal file
Просмотреть файл

Двоичный файл не отображается.

11
DataConnectors/VMware Carbon Black/AzureFunctionVMwareCarbonBlack/function.json Normal file
Просмотреть файл

@ -0,0 +1,11 @@
{
"bindings": [
{
"type": "timerTrigger",
"name": "Timer",
"schedule": "0 */5 * * * *",
"direction": "in"
}
],
"disabled": false
}

139
DataConnectors/VMware Carbon Black/AzureFunctionVMwareCarbonBlack/run.ps1 Normal file
Просмотреть файл

@ -0,0 +1,139 @@
<#
Title: VMware Carbon Black Cloud - Endpoint Standard Data Connector
Language: PowerShell
Version: 1.0
Author: Microsoft
Last Modified: 5/19/2020
Comment: Inital Release
DESCRIPTION
This Function App calls the VMware Carbon Black Cloud - Endpoint Standard (formerly CB Defense) REST API (https://developer.carbonblack.com/reference/carbon-black-cloud/cb-defense/latest/rest-api/) to pull the Carbon Black
Audit, Notification and Event logs. The response from the CarbonBlack API is recieved in JSON format. This function will build the signature and authorization header
needed to post the data to the Log Analytics workspace via the HTTP Data Connector API. The Function App will post each log type to their individual tables in Log Analytics, for example,
CarbonBlackAuditLogs_CL, CarbonBlackNotifications_CL and CarbonBlackEvents_CL.
#>
# Input bindings are passed in via param block.
param($Timer)
# Get the current universal time in the default string format
$currentUTCtime = (Get-Date).ToUniversalTime()
# The 'IsPastDue' property is 'true' when the current function invocation is later than scheduled.
if ($Timer.IsPastDue) {
Write-Host "PowerShell timer is running late!"
}
# The function will call the Carbon Black API and retrieve the Audit, Event, and Notifications Logs
function CarbonBlackAPI()
{
$workspaceId = $env:workspaceId
$workspaceSharedKey = $env:workspaceKey
$hostName = $env:uri
$apiSecretKey = $env:apiKey
$apiId = $env:apiId
$SIEMapiKey = $env:SIEMapiKey
$SIEMapiId = $env:SIEMapiId
$time = $env:timeInterval
$AuditLogTable = "CarbonBlackAuditLogs"
$EventLogTable = "CarbonBlackEvents"
$NotificationTable = "CarbonBlackNotifications"
$startTime = [System.DateTime]::UtcNow.AddMinutes(-$($time)).ToString("yyyy-MM-ddTHH:mm:ssZ")
$now = [System.DateTime]::UtcNow.ToString("yyyy-MM-ddTHH:mm:ssZ")
$authHeaders = @{
"X-Auth-Token" = "$($apiSecretKey)/$($apiId)"
}
$auditLogsResult = Invoke-RestMethod -Headers $authHeaders -Uri ([System.Uri]::new("$($hostName)/integrationServices/v3/auditlogs"))
$eventsResult = Invoke-RestMethod -Headers $authHeaders -Uri ([System.Uri]::new("$($hostName)/integrationServices/v3/event?startTime=$($startTime)&endTime=$($now)"))
if ($auditLogsResult.success -eq $true)
{
$AuditLogsJSON = $auditLogsResult.notifications | ConvertTo-Json -Depth 5
if (-not([string]::IsNullOrWhiteSpace($AuditLogsJSON)))
{
Post-LogAnalyticsData -customerId $workspaceId -sharedKey $workspaceSharedKey -body ([System.Text.Encoding]::UTF8.GetBytes($AuditLogsJSON)) -logType $AuditLogTable;
}
else
{
Write-Host "No new Carbon Black Audit Events as of $([DateTime]::UtcNow)"
}
}
if ($eventsResult.success -eq $true)
{
$EventLogsJSON = $eventsResult.results | ConvertTo-Json -Depth 5
if (-not([string]::IsNullOrWhiteSpace($EventLogsJSON)))
{
Post-LogAnalyticsData -customerId $workspaceId -sharedKey $workspaceSharedKey -body ([System.Text.Encoding]::UTF8.GetBytes($EventLogsJSON)) -logType $EventLogTable;
}
else
{
Write-Host "No new Carbon Black Events as of $([DateTime]::UtcNow)"
}
}
if($SIEMapiKey -eq '<Optional>' -or $SIEMapiId -eq '<Optional>' -or [string]::IsNullOrWhitespace($SIEMapiKey) -or [string]::IsNullOrWhitespace($SIEMapiId))
{
Write-Host "No SIEM API ID and/or Key value was defined."
}
else
{
$authHeaders = @{"X-Auth-Token" = "$($SIEMapiKey)/$($SIEMapiId)"}
$notifications = Invoke-RestMethod -Headers $authHeaders -Uri ([System.Uri]::new("$($hostName)/integrationServices/v3/notification"))
if ($notifications.success -eq $true)
{
$NotifLogJson = $notifications.notifications | ConvertTo-Json -Depth 5
if (-not([string]::IsNullOrWhiteSpace($NotifLogJson)))
{
Post-LogAnalyticsData -customerId $workspaceId -sharedKey $workspaceSharedKey -body ([System.Text.Encoding]::UTF8.GetBytes($NotifLogJson)) -logType $NotificationTable;
}
else
{
Write-Host "No new Carbon Black Notifications as of $([DateTime]::UtcNow)"
}
}
}
}
# Create the function to create the authorization signature
function Build-Signature ($customerId, $sharedKey, $date, $contentLength, $method, $contentType, $resource)
{
$xHeaders = "x-ms-date:" + $date;
$stringToHash = $method + "`n" + $contentLength + "`n" + $contentType + "`n" + $xHeaders + "`n" + $resource;
$bytesToHash = [Text.Encoding]::UTF8.GetBytes($stringToHash);
$keyBytes = [Convert]::FromBase64String($sharedKey);
$sha256 = New-Object System.Security.Cryptography.HMACSHA256;
$sha256.Key = $keyBytes;
$calculatedHash = $sha256.ComputeHash($bytesToHash);
$encodedHash = [Convert]::ToBase64String($calculatedHash);
$authorization = 'SharedKey {0}:{1}' -f $customerId,$encodedHash;
return $authorization;
}
# Create the function to create and post the request
function Post-LogAnalyticsData($customerId, $sharedKey, $body, $logType)
{
$TimeStampField = "DateValue"
$method = "POST";
$contentType = "application/json";
$resource = "/api/logs";
$rfc1123date = [DateTime]::UtcNow.ToString("r");
$contentLength = $body.Length;
$signature = Build-Signature -customerId $customerId -sharedKey $sharedKey -date $rfc1123date -contentLength $contentLength -method $method -contentType $contentType -resource $resource;
$uri = "https://$($customerId).ods.opinsights.azure.com$($resource)?api-version=2016-04-01";
$headers = @{
"Authorization" = $signature;
"Log-Type" = $logType;
"x-ms-date" = $rfc1123date;
"time-generated-field" = $TimeStampField;
};
$response = Invoke-WebRequest -Body $body -Uri $uri -Method $method -ContentType $contentType -Headers $headers -UseBasicParsing
return $response.StatusCode
}
# Execute the Function to Pull CarbonBlack data and Post to the Log Analytics Workspace
CarbonBlackAPI
# Write an information log with the current time.
Write-Host "PowerShell timer trigger function ran! TIME: $currentUTCtime"

143
DataConnectors/VMware Carbon Black/VMwareCarbonBlack_API_FunctionApp.json Normal file
Просмотреть файл

@ -0,0 +1,143 @@
{
"id": "VMwareCarbonBlack",
"title": "VMware Carbon Black Endpoint Standard (Preview)",
"publisher": "VMware",
"descriptionMarkdown": "The [VMware Carbon Black - Endpoint Standard](https://www.carbonblack.com/products/endpoint-standard/) connector provides the capability to ingest Carbon Black - Endpoint Standard data into Azure Sentinel. The connector provides visibility into Audit, Notification and Event logs in Azure Sentinel to view dashboards, create custom alerts, and to improve monitoring and investigation capabilities.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "VMware Carbon Black Logs",
"baseQuery": "union CarbonBlackAuditLogs_CL, CarbonBlackNotifications_CL, CarbonBlackEvents_CL"
}
],
"sampleQueries": [
{
"description" : "Top 10 Event Generating Endpoints",
"query": "CarbonBlackEvents_CL\n | summarize count() by deviceDetails_deviceName_s \n| top 10 by count_"
},
{
"description" : "Top 10 User Console Logins",
"query": "CarbonBlackAuditLogs_CL\n | summarize count() by loginName_s \n| top 10 by count_"
},
{
"description" : "Top 10 Threats",
"query": "CarbonBlackNotifications_CL\n | summarize count() by threatHunterInfo_reportName_s \n| top 10 by count_"
}
],
"dataTypes": [
{
"name": "CarbonBlackEvents_CL",
"lastDataReceivedQuery": "CarbonBlackEvents_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "CarbonBlackAuditLogs_CL",
"lastDataReceivedQuery": "CarbonBlackAuditLogs_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "CarbonBlackNotifications_CL",
"lastDataReceivedQuery": "CarbonBlackNotifications_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"CarbonBlackEvents_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider":"Microsoft.Web/sites",
"permissionsDisplayText":"read and write permissions to Azure Functions to create a Function App. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).",
"providerDisplayName":"Azure Functions",
"scope":"Azure Functions",
"requiredPermissions":{
"read": true,
"write": true,
"delete": true
}
}
],
"customs": [
{
"name": "VMware Carbon Black API Key(s)",
"description": "Carbon Black API and/or SIEM Level API Key(s) are required. See the documentation to learn more about the [Carbon Black API](https://developer.carbonblack.com/reference/carbon-black-cloud/cb-defense/latest/rest-api/).\n - A Carbon Black **API** access level API ID and Key is required for [Audit](https://developer.carbonblack.com/reference/carbon-black-cloud/cb-defense/latest/rest-api/#audit-log-events) and [Event](https://developer.carbonblack.com/reference/carbon-black-cloud/cb-defense/latest/rest-api/#events) logs. \n - A Carbon Black **SIEM** access level API ID and Key is required for [Notification](https://developer.carbonblack.com/reference/carbon-black-cloud/cb-defense/latest/rest-api/#notifications) events."
}
]
},
"instructionSteps": [
{
"title": "",
"description": ">**NOTE:** This connector uses Azure Functions to connect to VMware Carbon Black to pull its logs into Azure Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
},
{
"title": "",
"description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
},
{
"title": "",
"description": "**STEP 1 - Configuration steps for the VMware Carbon Black API**\n\n [Follow these instructions](https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#creating-an-api-key) to create an API Key."
},
{
"title": "",
"description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the VMware Carbon Black connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the VMware Carbon Black API Authorization Key(s), readily available.",
"instructions":[
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
]
},
{
"title": "Option 1 - Azure Resource Manager (ARM) Template",
"description": "This method provides an automated deployment of the VMware Carbon Black connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinelcarbonblackazuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API ID(s)**, **API Key(s)**, and validate the **URI**.\n> - Enter the URI that corresponds to your region. The complete list of API URLs can be [found here](https://community.carbonblack.com/t5/Knowledge-Base/PSC-What-URLs-are-used-to-access-the-APIs/ta-p/67346)\n - The default **Time Interval** is set to pull the last five (5) minutes of data. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion. \n - Carbon Black requires a seperate set of API ID/Keys to ingest Notification events. Enter the SIEM API ID/Key values or leave blank, if not required. \n> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
},
{
"title": "Option 2 - Manual Deployment of Azure Functions",
"description": "Use the following step-by-step instructions to deploy the VMware Carbon Black connector manually with Azure Functions."
},
{
"title": "",
"description": "**1. Create a Function App**\n\n1. From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp), and select **+ Add**.\n2. In the **Basics** tab, ensure Runtime stack is set to **Powershell Core**. \n3. In the **Hosting** tab, ensure the **Consumption (Serverless)** plan type is selected.\n4. Make other preferrable configuration changes, if needed, then click **Create**."
},
{
"title": "",
"description": "**2. Import Function App Code**\n\n1. In the newly created Function App, select **Functions** on the left pane and click **+ Add**.\n2. Select **Timer Trigger**.\n3. Enter a unique Function **Name** and modify the cron schedule, if needed. The default value is set to run the Function App every 5 minutes. (Note: the Timer trigger should match the `timeInterval` value below to prevent overlapping data), click **Create**.\n4. Click on **Code + Test** on the left pane. \n5. Copy the [Function App Code](https://aka.ms/sentinelcarbonblackazurefunctioncode) and paste into the Function App `run.ps1` editor.\n5. Click **Save**."
},
{
"title": "",
"description": "**3. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following six to eight (6-8) application settings individually, with their respective string values (case-sensitive): \n\t\tapiId\n\t\tapiKey\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\ttimeInterval\n\t\tSIEMapiId (Optional)\n\t\tSIEMapiKey (Optional)\n> - Enter the URI that corresponds to your region. The complete list of API URLs can be [found here](https://community.carbonblack.com/t5/Knowledge-Base/PSC-What-URLs-are-used-to-access-the-APIs/ta-p/67346). The `uri` value must follow the following schema: `https://<API URL>.conferdeploy.net` - There is no need to add a time suffix to the URI, the Function App will dynamically append the Time Value to the URI in the proper format.\n> - Set the `timeInterval` (in minutes) to the default value of `5` to correspond to the default Timer Trigger of every `5` minutes. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly to prevent overlapping data ingestion.\n> - Carbon Black requires a seperate set of API ID/Keys to ingest Notification events. Enter the `SIEMapiId` and `SIEMapiKey` values, if needed, or omit, if not required. \n> - Note: If using Azure Key Vault, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Once all application settings have been entered, click **Save**."
}
]
}

250
DataConnectors/VMware Carbon Black/azuredeploy_VMwareCarbonBlack_API_FunctionApp.json Normal file
Просмотреть файл

@ -0,0 +1,250 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"FunctionName": {
"defaultValue": "CarbonBlackCloudAPI",
"type": "string"
},
"WorkspaceId": {
"type": "string",
"defaultValue": "<workspaceId>"
},
"WorkspaceKey": {
"type": "string",
"defaultValue": "<workspaceKey>"
},
"APIKey": {
"type": "string",
"defaultValue": "<apiKey>"
},
"APIId": {
"type": "string",
"defaultValue": "<apiId>"
},
"Uri": {
"type": "string",
"defaultValue": "https://<API URL>"
},
"SIEMApiKey": {
"type": "string",
"defaultValue": "<Optional>"
},
"SIEMApiID": {
"type": "string",
"defaultValue": "<Optional>"
},
"TimeInterval": {
"type": "string",
"defaultValue": "5"
}
},
"variables": {
},
"resources": [
{
"type": "Microsoft.Insights/components",
"apiVersion": "2015-05-01",
"name": "[parameters('FunctionName')]",
"location": "[resourceGroup().location]",
"kind": "web",
"properties": {
"Application_Type": "web",
"ApplicationId": "[parameters('FunctionName')]"
}
},
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[tolower(parameters('FunctionName'))]",
"location": "[resourceGroup().location]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"networkAcls": {
"bypass": "AzureServices",
"virtualNetworkRules": [
],
"ipRules": [
],
"defaultAction": "Allow"
},
"supportsHttpsTrafficOnly": true,
"encryption": {
"services": {
"file": {
"keyType": "Account",
"enabled": true
},
"blob": {
"keyType": "Account",
"enabled": true
}
},
"keySource": "Microsoft.Storage"
}
}
},
{
"type": "Microsoft.Web/serverfarms",
"apiVersion": "2018-02-01",
"name": "[parameters('FunctionName')]",
"location": "[resourceGroup().location]",
"sku": {
"name": "Y1",
"tier": "Dynamic"
},
"kind": "functionapp",
"properties": {
"name": "[parameters('FunctionName')]",
"workerSize": "0",
"workerSizeId": "0",
"numberOfWorkers": "1"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2019-06-01",
"name": "[concat(parameters('FunctionName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(parameters('FunctionName')))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"cors": {
"corsRules": [
]
},
"deleteRetentionPolicy": {
"enabled": false
}
}
},
{
"type": "Microsoft.Storage/storageAccounts/fileServices",
"apiVersion": "2019-06-01",
"name": "[concat(parameters('FunctionName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(parameters('FunctionName')))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"cors": {
"corsRules": [
]
}
}
},
{
"type": "Microsoft.Web/sites",
"apiVersion": "2018-11-01",
"name": "[parameters('FunctionName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(parameters('FunctionName')))]",
"[resourceId('Microsoft.Web/serverfarms', parameters('FunctionName'))]",
"[resourceId('Microsoft.Insights/components', parameters('FunctionName'))]"
],
"kind": "functionapp",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"name": "[parameters('FunctionName')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('FunctionName'))]",
"httpsOnly": true,
"clientAffinityEnabled": true,
"alwaysOn": true
},
"resources": [
{
"apiVersion": "2018-11-01",
"type": "config",
"name": "appsettings",
"dependsOn": [
"[concat('Microsoft.Web/sites/', parameters('FunctionName'))]"
],
"properties": {
"FUNCTIONS_EXTENSION_VERSION": "~3",
"FUNCTIONS_WORKER_RUNTIME": "powershell",
"APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', parameters('FunctionName')), '2015-05-01').InstrumentationKey]",
"APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', parameters('FunctionName')), '2015-05-01').ConnectionString]",
"AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(parameters('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(parameters('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=core.windows.net')]",
"WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(parameters('FunctionName')),';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(parameters('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=core.windows.net')]",
"WEBSITE_CONTENTSHARE": "[toLower(parameters('FunctionName'))]",
"workspaceId": "[parameters('WorkspaceId')]",
"workspaceKey": "[parameters('WorkspaceKey')]",
"apiKey": "[parameters('APIKey')]",
"apiId": "[parameters('APIId')]",
"uri": "[parameters('Uri')]",
"timeInterval": "[parameters('TimeInterval')]",
"WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinelcarbonblackazurefunctionzip",
"SIEMapiKey":"[parameters('SIEMapiKey')]",
"SIEMapiId":"[parameters('SIEMapiId')]"
}
}
]
},
{
"type": "Microsoft.Web/sites/hostNameBindings",
"apiVersion": "2018-11-01",
"name": "[concat(parameters('FunctionName'), '/', parameters('FunctionName'), '.azurewebsites.net')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', parameters('FunctionName'))]"
],
"properties": {
"siteName": "[parameters('FunctionName')]",
"hostNameType": "Verified"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(parameters('FunctionName'), '/default/azure-webjobs-hosts')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', parameters('FunctionName'))]"
],
"properties": {
"publicAccess": "None"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(parameters('FunctionName'), '/default/azure-webjobs-secrets')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', parameters('FunctionName'))]"
],
"properties": {
"publicAccess": "None"
}
},
{
"type": "Microsoft.Storage/storageAccounts/fileServices/shares",
"apiVersion": "2019-06-01",
"name": "[concat(parameters('FunctionName'), '/default/', tolower(parameters('FunctionName')))]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/fileServices', parameters('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', parameters('FunctionName'))]"
],
"properties": {
"shareQuota": 5120
}
}
]
}

28
Detections/CarbonBlack/CriticalThreatDetected.yaml Normal file
Просмотреть файл

@ -0,0 +1,28 @@
id: 2ca4e7fc-c61a-49e5-9736-5da8035c47e0
name: Critical Threat Detected
description: |
'This creates an incident in the event a critical threat was identified on a Carbon Black managed endpoint.'
severity: Medium
requiredDataConnectors:
- connectorId: VMwareCarbonBlack
dataTypes:
- CarbonBlackNotifications_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
-
relevantTechniques:
-
query: |
let timeframe = ago(1h);
let threshold = 8;
CarbonBlackNotifications_CL
| where TimeGenerated > timeframe
| where threatHunterInfo_score_d >= threshold
| extend eventTime = datetime(1970-01-01) + tolong(threatHunterInfo_time_d/1000) * 1sec
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, Threat_Name = threatHunterInfo_reportName_s, Device_Name = deviceInfo_deviceName_s, Internal_IP = deviceInfo_internalIpAddress_s, External_IP = deviceInfo_externalIpAddress_s, Threat_Score = threatHunterInfo_score_d
| project-away count_
| extend timestamp = StartTime, HostCustomEntity = Device_Name, IPCustomEntity = Internal_IP

26
Detections/CarbonBlack/KnownMalwareDetected.yaml Normal file
Просмотреть файл

@ -0,0 +1,26 @@
id: 9f86885f-f31f-4e66-a39d-352771ee789e
name: Known Malware Detected
description: |
'This creates an incident when a known Malware is detected on a endpoint managed by a Carbon Black.'
severity: Medium
requiredDataConnectors:
- connectorId: VMwareCarbonBlack
dataTypes:
- CarbonBlackEvents_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Execution
relevantTechniques:
- T1204
query: |
let timeframe = ago(1h);
CarbonBlackEvents_CL
| where TimeGenerated > timeframe
| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec
| where targetApp_effectiveReputation_s =~ "KNOWN_MALWARE"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, deviceDetails_deviceName_s, deviceDetails_deviceIpAddress_s, processDetails_fullUserName_s, processDetails_targetName_s
| extend timestamp = StartTime, AccountCustomEntity = processDetails_fullUserName_s, HostCustomEntity = deviceDetails_deviceName_s, IPCustomEntity = deviceDetails_deviceIpAddress_s

5
Detections/InfobloxNIOS/ExcessiveNXDOMAINDNSQueries.yaml
Просмотреть файл

@ -19,11 +19,12 @@ relevantTechniques:
query: |
let timeframe = ago(1h);
let threshold = 200;
InfobloxNIOS
| where TimeGenerated >= timeframe
| where LogType =~ "named" and Type =~ "client"
| where isnotempty(ResponseCode)
| where ResponseCode =~ "NXDOMAIN"
| summarize count() by Client_IP, bin(TimeGenerated,15m)
| where count_ > 200
| extend timestamp = bin_TimeGenerated, extend IPCustomEntity = Client_IP
| where count_ > threshold
| extend timestamp = TimeGenerated, extend IPCustomEntity = Client_IP

5
Detections/InfobloxNIOS/PotentialDHCPStarvationAttack.yaml
Просмотреть файл

@ -18,9 +18,10 @@ relevantTechniques:
query: |
let timeframe = ago(1h);
let threshold = 1000;
InfobloxNIOS
| where TimeGenerated >= timeframe
| where LogType =~ "dhcpd" and Type =~ "DHCPREQUEST"
| summarize count() by ServerIP, bin(TimeGenerated,5m)
| where count_ > 1000
| extend timestamp = bin_TimeGenerated, HostCustomEntity = ServerIP
| where count_ > threshold
| extend timestamp = TimeGenerated, HostCustomEntity = ServerIP

29
Detections/ProofpointTAP/MalwareAttachmentDelivered.yaml Normal file
Просмотреть файл

@ -0,0 +1,29 @@
id: 0558155e-4556-447e-9a22-828f2a7de06b
name: Malware attachment delivered
description: |
'Creates an incident in the event a message containing a malware attachment was delivered.'
severity: Medium
requiredDataConnectors:
- connectorId: ProofpointTAP
dataTypes:
- ProofpointTAPMessagesDelivered_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitalAccess
relevantTechniques:
- T1193
query: |
let timeframe = ago(1h);
ProofPointTAPMessagesDelivered_CL
| where TimeGenerated >= timeframe
| mv-expand todynamic(threatsInfoMap_s)
| mv-expand todynamic(messageParts_s)
| extend threatType = tostring(threatsInfoMap_s.threatType), classification = tostring(threatsInfoMap_s.classification)
| extend filename = tostring(messageParts_s.filename)
| where threatType =~ "attachment" and classification =~ "malware"
| summarize filenames = make_set(filename), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by TimeGenerated, Sender = sender_s, SenderIPAddress = senderIP_s, Recipient = recipient_s, threatType, classification, Subject = subject_s
| extend timestamp = StartTime, extend AccountCustomEntity = Sender, IPCustomEntity = SenderIPAddress

25
Detections/ProofpointTAP/MalwareLinkClicked.yaml Normal file
Просмотреть файл

@ -0,0 +1,25 @@
id: 8675dd7a-795e-4d56-a79c-fc848c5ee61c
name: Malware Link Clicked
description: |
'Creates an incident in the event a user clicks on an email link that is classified as a malware.'
severity: Medium
requiredDataConnectors:
- connectorId: ProofpointTAP
dataTypes:
- ProofpointTAPClicksPermitted_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitalAccess
relevantTechniques:
- T1192
query: |
let timeframe = ago(1h);
ProofPointTAPClicksPermitted_CL
| where TimeGenerated >= timeframe
| where classification_s =~ "malware"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by TimeGenerated, Sender = sender_s, SenderIPAddress = senderIP_s, Recipient = recipient_s, TimeClicked = clickTime_t, URLClicked = url_s
| extend timestamp = StartTime, AccountCustomEntity = Recipient, IPCustomEntity = SenderIPAddress, URLCustomEntity = URLClicked

5
Detections/PulseConnectSecure/LargeNumberofDistinctFailedUserLogins.yaml
Просмотреть файл

@ -21,9 +21,10 @@ relevantTechniques:
query: |
let timeframe = ago(1h);
let threshold = 100;
PulseConnectSecure
| where TimeGenerated >= timeframe
| where Messages startswith "Login failed"
| summarize dcount(User) by Computer, bin(TimeGenerated, 15m)
| where dcount_User > 100
| extend timestamp = bin_TimeGenerated, HostCustomEntity = Computer
| where dcount_User > threshold
| extend timestamp = TimeGenerated, HostCustomEntity = Computer

3
Detections/PulseConnectSecure/MultipleFailedVPNUserLogins.yaml
Просмотреть файл

@ -18,9 +18,10 @@ relevantTechniques:
query: |
let timeframe = ago(1h);
let threshold = 20;
PulseConnectSecure
| where TimeGenerated >= timeframe
| where Messages contains "Login failed"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP
| where count_ > 20
| where count_ > threshold
| extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP

28
Detections/QualysVM/HighNumberofVulnDetected.yaml Normal file
Просмотреть файл

@ -0,0 +1,28 @@
id: be52662c-3b23-435a-a6fa-f39bdfc849e6
name: High Number of Urgent Vulnerabilities Detected
description: |
'This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.'
severity: Medium
requiredDataConnectors:
- connectorId: QualysVulnerabilityManagement
dataTypes:
- QualysHostDetection_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1190
query: |
let timeframe = ago(1h);
let threshold = 10;
QualysHostDetection_CL
| where TimeGenerated >= timeframe
| mv-expand todynamic(Detections_s)
| where Detections_s.Severity == "5"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress
| where count_ >= threshold
| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress

29
Detections/QualysVM/NewHighSeverityVulnDetectedAcrossMulitpleHosts.yaml Normal file
Просмотреть файл

@ -0,0 +1,29 @@
id: 84cf1d59-f620-4fee-b569-68daf7008b7b
name: New High Severity Vulnerability Detected Across Multiple Hosts
description: |
'This creates an incident when a new high severity vulnerability is detected across multilple hosts'
severity: Medium
requiredDataConnectors:
- connectorId: QualysVulnerabilityManagement
dataTypes:
- QualysHostDetection_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1190
query: |
let timeframe = ago(1h);
let threshold = 10;
QualysHostDetection_CL
| where TimeGenerated >= timeframe
| mv-expand todynamic(Detections_s)
| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)
| where Status =~ "New" and Severity == "5"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)
| where dcount_NetBios_s >= threshold
| extend timestamp = StartTime

3
Detections/SymantecProxySG/ExcessiveDeniedProxyTraffic.yaml
Просмотреть файл

@ -18,9 +18,10 @@ relevantTechniques:
query: |
let timeframe = ago(1h);
let threshold = 100;
SymantecProxySG
| where TimeGenerated >= timeframe
| where sc_filter_result =~ "DENIED"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by c_ip, cs_host
| where count_ > 100
| where count_ > threshold
| extend timestamp = StartTime, HostCustomEntity = cs_host, IPCustomEntity = c_ip

4
Detections/SymantecProxySG/UserAccessedSuspiciousURLCategories.yaml
Просмотреть файл

@ -11,6 +11,10 @@ queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1192
query: |
let timeframe = ago(1h);

5
Detections/SymantecVIP/ExcessiveFailedAuthenticationsfromInvalidInputs.yaml
Просмотреть файл

@ -18,10 +18,11 @@ relevantTechniques:
query: |
let timeframe = ago(1h);
let threshold = 15;
SymantecVIP
| where TimeGenerated > timeframe
| where isnotempty(RADIUSAuth)
| where RADIUSAuth =~ "Reject"
| summarize Total = count() by ClientIP, bin(TimeGenerated, 15m)
| where Total > 15
| extend timestamp = bin_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = User
| where Total > threshold
| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = User

42
Logos/proofpointlogo.svg Normal file
Просмотреть файл

@ -0,0 +1,42 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- Generator: Adobe Illustrator 19.2.1, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->
<svg version="1.1" id="layer" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
viewBox="0 0 652 652" style="enable-background:new 0 0 652 652;" xml:space="preserve">
<style type="text/css">
.st0{fill:#231F20;}
</style>
<g id="Layer_2">
<g id="Layer_1-2">
<path class="st0" d="M597.7,352.5v-12.8h-4.4c-4.8,0-5.9-0.7-5.9-4.1v-35.2h10.4v-11.9h-10.4v-17.3h-17.8v17.3h-8.9v11.9h8.9v34.3
c0,13.3,3.2,18.1,18,18.1C589.4,352.9,592.8,352.6,597.7,352.5"/>
<path class="st0" d="M495.5,352.1h18v-37.7c0-8.4,5.4-13.4,13.8-13.4c7.7,0,10.4,4.1,10.4,12.7v38.4h18v-43.3
c0-14.6-7.3-21.9-22.1-21.9c-8.5,0-15.3,3.1-20.4,9.2v-7.5h-17.6V352.1z"/>
<rect x="466.5" y="266.1" class="st0" width="18" height="15.4"/>
<rect x="466.5" y="288.5" class="st0" width="18" height="63.5"/>
<path class="st0" d="M409.7,320.2c0-12.7,5.8-19.6,15.8-19.6c10,0,15.7,6.9,15.7,19.6c0,12.7-5.7,19.7-15.7,19.7
S409.7,332.9,409.7,320.2 M391.5,320.2c0,21.2,12.9,34,34,34s34-12.8,34-34c0-21.2-12.9-34-34-34S391.5,299,391.5,320.2"/>
<path class="st0" d="M367.9,320.7c0,11.8-5.7,18.8-14.5,18.8c-9.5,0-15-6.7-15-18.8c0-13,5.2-19.7,14.7-19.7
C362.4,301,367.9,307.8,367.9,320.7 M320.8,377.5h17.5v-33.4c4.4,6.6,11.3,10,19.9,10c15.7,0,27.6-13.3,27.6-34.2
c0-20.3-11.6-33.6-27.8-33.6c-8.7,0-14.8,3.4-20,10.8v-8.6h-17.1V377.5z"/>
<path class="st0" d="M284.3,352.1h17.6v-51.6H313v-11.9h-11.3v-4.4c0-4.1,1.6-4.8,6.6-4.8h4.7v-13.5c-3.2-0.2-5.9-0.4-8.6-0.4
c-13.8,0-20.1,5.3-20.1,17.2v5.9h-9.6v11.9h9.6L284.3,352.1z"/>
<path class="st0" d="M223.8,320.2c0-12.7,5.8-19.6,15.8-19.6c10,0,15.7,6.9,15.7,19.6c0,12.7-5.7,19.7-15.7,19.7
C229.6,340,223.8,332.9,223.8,320.2 M205.6,320.2c0,21.2,12.9,34,34,34c21.1,0,34-12.8,34-34c0-21.2-12.9-34-34-34
C218.4,286.3,205.5,299.1,205.6,320.2"/>
<path class="st0" d="M151.6,320.2c0-12.7,5.8-19.6,15.8-19.6s15.7,6.9,15.7,19.6c0,12.7-5.7,19.7-15.7,19.7
S151.6,332.9,151.6,320.2 M133.4,320.2c0,21.2,12.9,34,34,34s34-12.8,34-34s-12.9-34-34-34S133.4,299.1,133.4,320.2"/>
<path class="st0" d="M92.7,352.1h18v-33.6c0-9.6,5.1-14.4,14.8-14.4h5.9v-17.2c-0.9-0.1-1.8-0.1-2.7-0.1
c-8.6,0-14.7,3.9-19.4,12.7v-10.9H92.7V352.1z"/>
<path class="st0" d="M67.6,320.7c0,11.8-5.7,18.8-14.5,18.8c-9.5,0-15-6.7-15-18.8c0-13,5.2-19.7,14.7-19.7S67.7,307.8,67.6,320.7
M20.6,377.5H38v-33.4c4.4,6.6,11.3,10,19.9,10c15.7,0,27.6-13.3,27.6-34.2c0-20.3-11.6-33.6-27.8-33.6c-8.7,0-14.8,3.4-20,10.8
v-8.6H20.6V377.5z"/>
<path class="st0" d="M620.6,346.8c0.1,3.9-2.9,7.1-6.8,7.2c-3.9,0.1-7.1-2.9-7.2-6.8c-0.1-3.9,2.9-7.1,6.8-7.2c0.1,0,0.2,0,0.3,0
C617.4,339.9,620.5,343,620.6,346.8C620.6,346.8,620.6,346.8,620.6,346.8z M608.3,346.8c-0.1,2.9,2.2,5.4,5.1,5.5
c0.1,0,0.1,0,0.2,0c2.9,0,5.2-2.4,5.2-5.2c0-0.1,0-0.1,0-0.2c0.1-2.9-2.1-5.4-5-5.5c-2.9-0.1-5.4,2.1-5.5,5
C608.3,346.5,608.3,346.7,608.3,346.8L608.3,346.8z M612.5,350.4h-1.6v-6.8c0.9-0.2,1.7-0.2,2.6-0.2c0.8-0.1,1.6,0.1,2.4,0.5
c0.4,0.4,0.7,0.9,0.7,1.5c-0.1,0.8-0.6,1.4-1.4,1.6v0.1c0.7,0.3,1.2,0.9,1.2,1.6c0.1,0.6,0.2,1.2,0.5,1.7h-1.7
c-0.3-0.5-0.4-1.1-0.5-1.7c-0.1-0.8-0.5-1.1-1.4-1.1h-0.8L612.5,350.4z M612.5,346.5h0.8c0.9,0,1.6-0.3,1.6-1s-0.5-1-1.5-1
c-0.3,0-0.6,0-0.9,0.1V346.5z"/>
</g>
</g>
</svg>
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 3.3 KiB

1
Logos/qualys_logo.svg Normal file
Просмотреть файл

Различия файлов скрыты, потому что одна или несколько строк слишком длинны
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 50 KiB

39
Logos/vmwarecarbonblack_logo.svg Normal file
Просмотреть файл

@ -0,0 +1,39 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- Generator: Adobe Illustrator 19.2.1, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->
<svg version="1.1" id="layer" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
viewBox="0 0 652 652" style="enable-background:new 0 0 652 652;" xml:space="preserve">
<style type="text/css">
.st0{fill:#0A0A0A;}
</style>
<path class="st0" d="M620,339.1h-10.2l-5.1,8.8l5.1,8.8H620l5.1-8.8L620,339.1 M598.5,308.2h-12.7l-8.9,15.3c-1.1,1.6-1.5,2.6-4,2.7
h-6.1v-33.9h-11.4v64.4h11.4v-20.1h5c2.4,0.1,2.9,1,3.8,2.5l10.1,17.6h12.8l-14-24.3L598.5,308.2z M547.1,312.8
c-1.8-1.4-3.7-2.6-5.8-3.5c-3.2-1.4-6.6-2.1-10.1-2.1c-4.5,0-9,1.2-12.9,3.5c-3.9,2.2-7.2,5.4-9.5,9.3c-2.3,3.8-3.6,8.1-3.6,12.5
c0,4.4,1.2,8.8,3.6,12.6c2.3,3.9,5.6,7.1,9.5,9.3c7.1,4.1,15.7,4.6,23.2,1.3c2-0.9,4-2.1,5.7-3.5l-5.1-8.9c-1.4,1.5-3,2.7-4.8,3.5
c-1.9,0.9-4,1.4-6,1.4c-2.6,0-5.1-0.7-7.3-2.1c-2.2-1.4-4.1-3.4-5.3-5.7c-1.3-2.4-2-5.1-2-7.8c0-2.7,0.7-5.4,2-7.7
c1.2-2.3,3.1-4.3,5.3-5.7c2.2-1.4,4.7-2.1,7.3-2.1c4.1,0,8,1.8,10.7,4.8l3.9-6.8L547.1,312.8z M476.8,307.1
c-6.1,0-12.5,1.7-19.3,5.1l4.4,7.7c4-1.9,8.2-3.4,12.6-3.4c8.1,0,11.1,4.2,11.6,9.7h-13.3c-10.9,0-19.8,6.6-19.8,16.1
c0,9.4,7.8,15.5,18.1,15.5c5.6,0,11.4-2.1,15-6.6v5.5h11.5v-29.1C497.6,315.3,489.6,307.1,476.8,307.1L476.8,307.1z M486.1,340.1
c0,4.6-4.6,9.4-12.4,9.4c-5.4,0-9.5-2.9-9.5-7.5c0-4.6,4.6-7.6,10.3-7.6h11.6L486.1,340.1z M433.2,292.3h11.4v64.4h-11.4V292.3z
M412.5,322.7c6-3.2,9.1-8,9.1-14.2c0-2.9-0.8-5.8-2.4-8.3c-1.7-2.5-4-4.5-6.7-5.8c-2.9-1.4-6.1-2.1-9.8-2h-31.3v64.3h32.5
c3.9-0.1,7.5-0.8,10.6-2.3c3-1.4,5.5-3.5,7.3-6.2c1.8-2.7,2.7-5.8,2.6-9c0-3.4-1.1-6.7-3.1-9.5C419.1,326.8,416.2,324.5,412.5,322.7
L412.5,322.7z M382.6,302.5h17.1c2.9,0,5.2,0.7,7.1,2.2c1.8,1.3,2.8,3.5,2.8,5.7c0,2.2-0.9,4.1-2.8,5.6s-4.2,2.2-7.1,2.2h-17.1
V302.5z M409.2,344c-2,1.7-4.6,2.6-7.8,2.6h-18.8v-18.3h18.8c3.2,0,5.8,0.9,7.8,2.6c3.6,3.1,4.1,8.6,1,12.2
C410,343.3,409.6,343.7,409.2,344L409.2,344z M327.6,309.6c-2.8-1.6-6.1-2.4-9.3-2.4c-3,0-6,0.7-8.7,2.1c-2.5,1.3-4.7,3.2-6.3,5.5
v-6.6h-11.4v48.5h11.4v-30.6c0.4-2.6,1.8-5,3.9-6.5c2.2-1.8,5-2.7,7.8-2.6c3,0,5.4,1,7.3,3.1s2.9,4.8,2.8,8.1v28.6h11v-30.8
c0.1-3.4-0.7-6.7-2.3-9.7C332.5,313.4,330.3,311.1,327.6,309.6z M272.2,310.7c-8-4.6-17.8-4.6-25.7,0c-3.9,2.2-7.2,5.4-9.5,9.3
c-2.3,3.8-3.6,8.1-3.6,12.5c0,4.4,1.2,8.8,3.6,12.6c2.3,3.9,5.6,7.1,9.5,9.3c8,4.6,17.8,4.6,25.7,0c3.9-2.3,7.2-5.5,9.5-9.3
c2.3-3.8,3.6-8.1,3.6-12.6c0-4.4-1.2-8.8-3.6-12.5C279.4,316.1,276.1,312.9,272.2,310.7L272.2,310.7z M272,340.3
c-1.3,2.3-3.1,4.3-5.4,5.7c-2.2,1.4-4.7,2.1-7.3,2.1c-2.6,0-5.1-0.7-7.3-2.1c-2.3-1.4-4.1-3.4-5.4-5.7c-1.3-2.4-2-5.1-2-7.8
c0-2.7,0.7-5.4,2-7.7c1.3-2.3,3.2-4.3,5.4-5.7c2.2-1.4,4.7-2.1,7.3-2.1c2.6,0,5.1,0.7,7.3,2.1c4.6,2.9,7.4,8,7.4,13.4
C274.1,335.2,273.4,337.9,272,340.3L272,340.3z M216.6,310.4c-3.4-2.2-7.4-3.3-11.4-3.2c-6.7-0.1-13.1,3.2-16.8,8.8v-23.6h-11.4
v64.4h11.4V349c3.7,5.6,10.1,8.9,16.8,8.8c4,0.1,8-1.1,11.4-3.2c3.4-2.2,6.2-5.3,7.9-9c2-4.1,3-8.6,3-13.1c0-4.5-1-9-3-13
C222.8,315.8,220,312.6,216.6,310.4L216.6,310.4z M212.1,343.7c-2.6,2.9-6,4.4-10,4.4c-4,0-7.3-1.5-9.8-4.4
c-2.6-2.9-3.9-6.7-3.9-11.2s1.4-8.3,3.9-11.2c2.5-2.9,5.8-4.4,9.8-4.4c4.1,0,7.4,1.5,10,4.4c2.6,2.9,3.9,6.6,3.9,11.2
C216.1,337,214.7,340.8,212.1,343.7L212.1,343.7z M151.1,316.1v-7.8h-11.4v48.5h11.4v-23.4c0-4.6,1.6-8.3,4.8-11.1
c3.2-2.8,7.4-3.9,12.5-3.9v-10.1C163.2,308.2,154.6,312,151.1,316.1L151.1,316.1z M110.4,307.1c-6.1,0-12.5,1.7-19.3,5.1l4.4,7.7
c4-1.9,8.2-3.4,12.6-3.4c8.1,0,11.1,4.2,11.6,9.7h-13.3c-10.9,0-19.8,6.6-19.8,16.1c0,9.4,7.8,15.5,18.1,15.5c5.6,0,11.4-2.1,15-6.6
v5.5h11.5v-29.1C131.2,315.3,123.2,307.1,110.4,307.1L110.4,307.1z M119.7,340.1c0,4.6-4.6,9.4-12.4,9.4c-5.4,0-9.5-2.9-9.5-7.5
c0-4.6,4.6-7.6,10.3-7.6h11.6L119.7,340.1z M74.9,340.1c-8.6,8.8-22.7,9.1-31.5,0.5c-8.8-8.6-9.1-22.7-0.5-31.5
c8.6-8.8,22.7-9.1,31.5-0.5c0.2,0.2,0.3,0.3,0.5,0.5l5.6-9.7c-6.1-5.2-13.9-8.1-21.9-8.1c-18.5,0-33.5,14.9-33.5,33.3
s15,33.3,33.5,33.3c8,0,15.8-2.8,21.9-8L74.9,340.1z"/>
</svg>
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 3.9 KiB

2402
Sample Data/Custom/CarbonBlackAuditLogs_CL.json Normal file
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

65002
Sample Data/Custom/CarbonBlackEvents_CL.json Normal file
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

377
Sample Data/Custom/CarbonBlackNotifications_CL.json Normal file
Просмотреть файл

@ -0,0 +1,377 @@
[
{
"TenantId": "a123456z-a123-1234-1234-1234aabbcc56",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-05-27T20:35:04.366Z",
"Computer": "",
"RawData": "",
"threatHunterInfo_incidentId_s": "NE2F3D55-013a6074-000013b0-00000000-1d634654ecf865f-GUWNtEmJQhKmuOTxoRV8hA-6e5ae551-1cbb-45b3-b7a1-1569c0458f6b",
"threatHunterInfo_score_d": "6",
"threatHunterInfo_summary_s": "Process powershell.exe was detected by the report \"Execution - Powershell Execution With Unrestriced or Bypass Flags Detected\" in watchlist \"Carbon Black Endpoint Visibility\"",
"threatHunterInfo_time_d": "1.59061E+12",
"threatHunterInfo_indicators_s": "[\r\n {\r\n \"sha256Hash\": \"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53\",\r\n \"applicationName\": \"powershell.exe\",\r\n \"indicatorName\": \"6e5ae551-1cbb-45b3-b7a1-1569c0458f6b-0\"\r\n }\r\n]",
"threatHunterInfo_watchLists_s": "[\r\n {\r\n \"id\": \"0uJ17G2S2WjMkYgynqQ\",\r\n \"name\": \"Carbon Black Endpoint Visibility\",\r\n \"alert\": true\r\n }\r\n]",
"threatHunterInfo_iocId_s": "6e5ae551-1cbb-45b3-b7a1-1569c0458f6b-0",
"threatHunterInfo_count_d": "0",
"threatHunterInfo_dismissed_b": "FALSE",
"threatHunterInfo_documentGuid_s": "zQdPTwoTT_aKQkQU5NK3Tg",
"threatHunterInfo_firstActivityTime_d": "1.59061E+12",
"threatHunterInfo_md5_g": "cda48fc7-5952-ad12-d99e-526d0b6bf70a",
"threatHunterInfo_policyId_d": "88633",
"threatHunterInfo_processGuid_s": "NE2F3D55-013a6074-000013b0-00000000-1d634654ecf865f",
"threatHunterInfo_processPath_s": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
"threatHunterInfo_reportName_s": "Execution - Powershell Execution With Unrestriced or Bypass Flags Detected",
"threatHunterInfo_reportId_s": "GUWNtEmJQhKmuOTxoRV8hA-6e5ae551-1cbb-45b3-b7a1-1569c0458f6b",
"threatHunterInfo_reputation_s": "COMMON_WHITE_LIST",
"threatHunterInfo_responseAlarmId_g": "92429d80-2543-74ff-7548-50a4273f59d8",
"threatHunterInfo_responseSeverity_d": "6",
"threatHunterInfo_runState_s": "RAN",
"threatHunterInfo_sha256_s": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
"threatHunterInfo_status_s": "UNRESOLVED",
"threatHunterInfo_targetPriority_s": "HIGH",
"threatHunterInfo_threatCause_reputation_s": "COMMON_WHITE_LIST",
"threatHunterInfo_threatCause_actor_s": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
"threatHunterInfo_threatCause_actorName_s": "powershell.exe",
"threatHunterInfo_threatCause_reason_s": "Process powershell.exe was detected by the report \"Execution - Powershell Execution With Unrestriced or Bypass Flags Detected\" in watchlist \"Carbon Black Endpoint Visibility\"",
"threatHunterInfo_threatCause_threatCategory_s": "RESPONSE_WATCHLIST",
"threatHunterInfo_threatCause_originSourceType_s": "UNKNOWN",
"threatHunterInfo_threatId_g": "48938b89-de6a-76a9-1717-6b2c629d4acc",
"threatHunterInfo_lastUpdatedTime_d": "1.59061E+12",
"threatHunterInfo_orgId_d": "12261",
"threatInfo_incidentId_s": "",
"threatInfo_score_d": "null",
"threatInfo_summary_s": "",
"threatInfo_time_d": "null",
"threatInfo_indicators_s": "",
"threatInfo_threatCause_reputation_s": "",
"threatInfo_threatCause_actor_s": "",
"threatInfo_threatCause_reason_s": "",
"threatInfo_threatCause_threatCategory_s": "",
"threatInfo_threatCause_actorProcessPPid_s": "",
"threatInfo_threatCause_causeEventId_g": "",
"threatInfo_threatCause_originSourceType_s": "",
"url_s": "https://defense-prod05.conferdeploy.net/cb/investigate/processes?query=process_guid:NE2F3D55-013a6074-000013b0-00000000-1d634654ecf865f%20AND%20device_id:20602996%20AND%20report_id:GUWNtEmJQhKmuOTxoRV8hA-6e5ae551-1cbb-45b3-b7a1-1569c0458f6b&searchWindow=ALL",
"eventTime_d": "1.59061E+12",
"eventDescription_s": "[AzureSentinel] [Carbon Black has detected a threat against your company.] [https://defense-prod05.conferdeploy.net#device/20602996/incident/NE2F3D55-013a6074-000013b0-00000000-1d634654ecf865f-GUWNtEmJQhKmuOTxoRV8hA-6e5ae551-1cbb-45b3-b7a1-1569c0458f6b] [Process powershell.exe was detected by the report \"Execution - Powershell Execution With Unrestriced or Bypass Flags Detected\" in watchlist \"Carbon Black Endpoint Visibility\"] [Incident id: NE2F3D55-013a6074-000013b0-00000000-1d634654ecf865f-GUWNtEmJQhKmuOTxoRV8hA-6e5ae551-1cbb-45b3-b7a1-1569c0458f6b] [Threat score: 6] [Group: Standard] [Email: ajay.x.ku@accenture.com] [Name: Endpoint2] [Type and OS: WINDOWS pscr-sensor] [Severity: 6]\n",
"deviceInfo_deviceId_d": "20602996",
"deviceInfo_deviceName_s": "Endpoint2",
"deviceInfo_groupName_s": "Standard",
"deviceInfo_email_s": "user100@abccompany.com",
"deviceInfo_deviceType_s": "WINDOWS",
"deviceInfo_deviceVersion_s": "pscr-sensor",
"deviceInfo_targetPriorityType_s": "HIGH",
"deviceInfo_targetPriorityCode_d": "0",
"deviceInfo_uemId_s": "",
"deviceInfo_internalIpAddress_s": "10.10.10.10",
"deviceInfo_externalIpAddress_s": "166.166.166.166",
"ruleName_s": "AzureSentinel",
"type_s": "THREAT_HUNTER",
"notifications_s": "",
"success_b": "null",
"Message": "",
"Type": "CarbonBlackNotifications_CL",
"_ResourceId": ""
},
{
"TenantId": "a123456z-a123-1234-1234-1234aabbcc56",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-05-27T22:35:03.124Z",
"Computer": "",
"RawData": "",
"threatHunterInfo_incidentId_s": "NE2F3D55-013a6074-00001524-00000000-1d6347599d05d0d-GUWNtEmJQhKmuOTxoRV8hA-13d6501c-8ea5-497d-b043-6de9fb53c4d6",
"threatHunterInfo_score_d": "3",
"threatHunterInfo_summary_s": "Process explorer.exe was detected by the report \"Defense Evasion - Possible Persistence Regmod - Active Setup Components\" in watchlist \"Carbon Black Endpoint Visibility\"",
"threatHunterInfo_time_d": "1.59062E+12",
"threatHunterInfo_indicators_s": "[\r\n {\r\n \"applicationName\": \"explorer.exe\",\r\n \"sha256Hash\": \"3f00013865e06a7d402e8565c6c553ed6099bc8e3d73c85e34292596c5a82d4d\",\r\n \"indicatorName\": \"13d6501c-8ea5-497d-b043-6de9fb53c4d6-0\"\r\n }\r\n]",
"threatHunterInfo_watchLists_s": "[\r\n {\r\n \"id\": \"0uJ17G2S2WjMkYgynqQ\",\r\n \"name\": \"Carbon Black Endpoint Visibility\",\r\n \"alert\": true\r\n }\r\n]",
"threatHunterInfo_iocId_s": "13d6501c-8ea5-497d-b043-6de9fb53c4d6-0",
"threatHunterInfo_count_d": "0",
"threatHunterInfo_dismissed_b": "FALSE",
"threatHunterInfo_documentGuid_s": "Jup_raxCQ_OmoAFH4E7sTg",
"threatHunterInfo_firstActivityTime_d": "1.59062E+12",
"threatHunterInfo_md5_g": "021a4a56-6ae8-6079-929a-482dce9b76a7",
"threatHunterInfo_policyId_d": "88633",
"threatHunterInfo_processGuid_s": "NE2F3D55-013a6074-00001524-00000000-1d6347599d05d0d",
"threatHunterInfo_processPath_s": "c:\\windows\\explorer.exe",
"threatHunterInfo_reportName_s": "Defense Evasion - Possible Persistence Regmod - Active Setup Components",
"threatHunterInfo_reportId_s": "GUWNtEmJQhKmuOTxoRV8hA-13d6501c-8ea5-497d-b043-6de9fb53c4d6",
"threatHunterInfo_reputation_s": "TRUSTED_WHITE_LIST",
"threatHunterInfo_responseAlarmId_g": "3f09c43a-2631-9edc-90b3-83fff5fe1f88",
"threatHunterInfo_responseSeverity_d": "3",
"threatHunterInfo_runState_s": "RAN",
"threatHunterInfo_sha256_s": "3f00013865e06a7d402e8565c6c553ed6099bc8e3d73c85e34292596c5a82d4d",
"threatHunterInfo_status_s": "UNRESOLVED",
"threatHunterInfo_targetPriority_s": "HIGH",
"threatHunterInfo_threatCause_reputation_s": "TRUSTED_WHITE_LIST",
"threatHunterInfo_threatCause_actor_s": "3f00013865e06a7d402e8565c6c553ed6099bc8e3d73c85e34292596c5a82d4d",
"threatHunterInfo_threatCause_actorName_s": "explorer.exe",
"threatHunterInfo_threatCause_reason_s": "Process explorer.exe was detected by the report \"Defense Evasion - Possible Persistence Regmod - Active Setup Components\" in watchlist \"Carbon Black Endpoint Visibility\"",
"threatHunterInfo_threatCause_threatCategory_s": "RESPONSE_WATCHLIST",
"threatHunterInfo_threatCause_originSourceType_s": "UNKNOWN",
"threatHunterInfo_threatId_g": "8f54111a-bca5-ffb4-b8ea-386c7e31470f",
"threatHunterInfo_lastUpdatedTime_d": "1.59062E+12",
"threatHunterInfo_orgId_d": "12261",
"threatInfo_incidentId_s": "",
"threatInfo_score_d": "null",
"threatInfo_summary_s": "",
"threatInfo_time_d": "null",
"threatInfo_indicators_s": "",
"threatInfo_threatCause_reputation_s": "",
"threatInfo_threatCause_actor_s": "",
"threatInfo_threatCause_reason_s": "",
"threatInfo_threatCause_threatCategory_s": "",
"threatInfo_threatCause_actorProcessPPid_s": "",
"threatInfo_threatCause_causeEventId_g": "",
"threatInfo_threatCause_originSourceType_s": "",
"url_s": "https://defense-prod05.conferdeploy.net/cb/investigate/processes?query=process_guid:NE2F3D55-013a6074-00001524-00000000-1d6347599d05d0d%20AND%20device_id:20602996%20AND%20report_id:GUWNtEmJQhKmuOTxoRV8hA-13d6501c-8ea5-497d-b043-6de9fb53c4d6&searchWindow=ALL",
"eventTime_d": "1.59062E+12",
"eventDescription_s": "[AzureSentinel] [Carbon Black has detected a threat against your company.] [https://defense-prod05.conferdeploy.net#device/20602996/incident/NE2F3D55-013a6074-00001524-00000000-1d6347599d05d0d-GUWNtEmJQhKmuOTxoRV8hA-13d6501c-8ea5-497d-b043-6de9fb53c4d6] [Process explorer.exe was detected by the report \"Defense Evasion - Possible Persistence Regmod - Active Setup Components\" in watchlist \"Carbon Black Endpoint Visibility\"] [Incident id: NE2F3D55-013a6074-00001524-00000000-1d6347599d05d0d-GUWNtEmJQhKmuOTxoRV8hA-13d6501c-8ea5-497d-b043-6de9fb53c4d6] [Threat score: 3] [Group: Standard] [Email: ajay.x.ku@accenture.com] [Name: Endpoint2] [Type and OS: WINDOWS pscr-sensor] [Severity: 3]\n",
"deviceInfo_deviceId_d": "20602996",
"deviceInfo_deviceName_s": "Endpoint2",
"deviceInfo_groupName_s": "Standard",
"deviceInfo_email_s": "user100@abccompany.com",
"deviceInfo_deviceType_s": "WINDOWS",
"deviceInfo_deviceVersion_s": "pscr-sensor",
"deviceInfo_targetPriorityType_s": "HIGH",
"deviceInfo_targetPriorityCode_d": "0",
"deviceInfo_uemId_s": "",
"deviceInfo_internalIpAddress_s": "10.10.10.10",
"deviceInfo_externalIpAddress_s": "166.166.166.166",
"ruleName_s": "AzureSentinel",
"type_s": "THREAT_HUNTER",
"notifications_s": "",
"success_b": "null",
"Message": "",
"Type": "CarbonBlackNotifications_CL",
"_ResourceId": ""
},
{
"TenantId": "a123456z-a123-1234-1234-1234aabbcc56",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-05-27T22:35:03.124Z",
"Computer": "",
"RawData": "",
"threatHunterInfo_incidentId_s": "NE2F3D55-013a6074-00001524-00000000-1d6347599d05d0d-GUWNtEmJQhKmuOTxoRV8hA-5d9d91a4-a88d-4ce4-a895-1e01f56b9ee8",
"threatHunterInfo_score_d": "3",
"threatHunterInfo_summary_s": "Process explorer.exe was detected by the report \"Persistence - Winlogon Registry Modification Detected\" in watchlist \"Carbon Black Endpoint Visibility\"",
"threatHunterInfo_time_d": "1.59062E+12",
"threatHunterInfo_indicators_s": "[\r\n {\r\n \"applicationName\": \"explorer.exe\",\r\n \"sha256Hash\": \"3f00013865e06a7d402e8565c6c553ed6099bc8e3d73c85e34292596c5a82d4d\",\r\n \"indicatorName\": \"5d9d91a4-a88d-4ce4-a895-1e01f56b9ee8-0\"\r\n }\r\n]",
"threatHunterInfo_watchLists_s": "[\r\n {\r\n \"id\": \"0uJ17G2S2WjMkYgynqQ\",\r\n \"name\": \"Carbon Black Endpoint Visibility\",\r\n \"alert\": true\r\n }\r\n]",
"threatHunterInfo_iocId_s": "5d9d91a4-a88d-4ce4-a895-1e01f56b9ee8-0",
"threatHunterInfo_count_d": "0",
"threatHunterInfo_dismissed_b": "FALSE",
"threatHunterInfo_documentGuid_s": "QwJ38p0DSUa_wEWDdRJQtw",
"threatHunterInfo_firstActivityTime_d": "1.59062E+12",
"threatHunterInfo_md5_g": "021a4a56-6ae8-6079-929a-482dce9b76a7",
"threatHunterInfo_policyId_d": "88633",
"threatHunterInfo_processGuid_s": "NE2F3D55-013a6074-00001524-00000000-1d6347599d05d0d",
"threatHunterInfo_processPath_s": "c:\\windows\\explorer.exe",
"threatHunterInfo_reportName_s": "Persistence - Winlogon Registry Modification Detected",
"threatHunterInfo_reportId_s": "GUWNtEmJQhKmuOTxoRV8hA-5d9d91a4-a88d-4ce4-a895-1e01f56b9ee8",
"threatHunterInfo_reputation_s": "TRUSTED_WHITE_LIST",
"threatHunterInfo_responseAlarmId_g": "ffea43a7-fa64-4156-27d9-dcaac1952779",
"threatHunterInfo_responseSeverity_d": "3",
"threatHunterInfo_runState_s": "RAN",
"threatHunterInfo_sha256_s": "3f00013865e06a7d402e8565c6c553ed6099bc8e3d73c85e34292596c5a82d4d",
"threatHunterInfo_status_s": "UNRESOLVED",
"threatHunterInfo_targetPriority_s": "HIGH",
"threatHunterInfo_threatCause_reputation_s": "TRUSTED_WHITE_LIST",
"threatHunterInfo_threatCause_actor_s": "3f00013865e06a7d402e8565c6c553ed6099bc8e3d73c85e34292596c5a82d4d",
"threatHunterInfo_threatCause_actorName_s": "explorer.exe",
"threatHunterInfo_threatCause_reason_s": "Process explorer.exe was detected by the report \"Persistence - Winlogon Registry Modification Detected\" in watchlist \"Carbon Black Endpoint Visibility\"",
"threatHunterInfo_threatCause_threatCategory_s": "RESPONSE_WATCHLIST",
"threatHunterInfo_threatCause_originSourceType_s": "UNKNOWN",
"threatHunterInfo_threatId_g": "9be3c541-9aa6-e115-86bc-751d6b93ef3f",
"threatHunterInfo_lastUpdatedTime_d": "1.59062E+12",
"threatHunterInfo_orgId_d": "12261",
"threatInfo_incidentId_s": "",
"threatInfo_score_d": "null",
"threatInfo_summary_s": "",
"threatInfo_time_d": "null",
"threatInfo_indicators_s": "",
"threatInfo_threatCause_reputation_s": "",
"threatInfo_threatCause_actor_s": "",
"threatInfo_threatCause_reason_s": "",
"threatInfo_threatCause_threatCategory_s": "",
"threatInfo_threatCause_actorProcessPPid_s": "",
"threatInfo_threatCause_causeEventId_g": "",
"threatInfo_threatCause_originSourceType_s": "",
"url_s": "https://defense-prod05.conferdeploy.net/cb/investigate/processes?query=process_guid:NE2F3D55-013a6074-00001524-00000000-1d6347599d05d0d%20AND%20device_id:20602996%20AND%20report_id:GUWNtEmJQhKmuOTxoRV8hA-5d9d91a4-a88d-4ce4-a895-1e01f56b9ee8&searchWindow=ALL",
"eventTime_d": "1.59062E+12",
"eventDescription_s": "[AzureSentinel] [Carbon Black has detected a threat against your company.] [https://defense-prod05.conferdeploy.net#device/20602996/incident/NE2F3D55-013a6074-00001524-00000000-1d6347599d05d0d-GUWNtEmJQhKmuOTxoRV8hA-5d9d91a4-a88d-4ce4-a895-1e01f56b9ee8] [Process explorer.exe was detected by the report \"Persistence - Winlogon Registry Modification Detected\" in watchlist \"Carbon Black Endpoint Visibility\"] [Incident id: NE2F3D55-013a6074-00001524-00000000-1d6347599d05d0d-GUWNtEmJQhKmuOTxoRV8hA-5d9d91a4-a88d-4ce4-a895-1e01f56b9ee8] [Threat score: 3] [Group: Standard] [Email: ajay.x.ku@accenture.com] [Name: Endpoint2] [Type and OS: WINDOWS pscr-sensor] [Severity: 3]\n",
"deviceInfo_deviceId_d": "20602996",
"deviceInfo_deviceName_s": "Endpoint2",
"deviceInfo_groupName_s": "Standard",
"deviceInfo_email_s": "user100@abccompany.com",
"deviceInfo_deviceType_s": "WINDOWS",
"deviceInfo_deviceVersion_s": "pscr-sensor",
"deviceInfo_targetPriorityType_s": "HIGH",
"deviceInfo_targetPriorityCode_d": "0",
"deviceInfo_uemId_s": "",
"deviceInfo_internalIpAddress_s": "10.10.10.10",
"deviceInfo_externalIpAddress_s": "166.166.166.166",
"ruleName_s": "AzureSentinel",
"type_s": "THREAT_HUNTER",
"notifications_s": "",
"success_b": "null",
"Message": "",
"Type": "CarbonBlackNotifications_CL",
"_ResourceId": ""
},
{
"TenantId": "a123456z-a123-1234-1234-1234aabbcc56",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-05-27T22:35:03.124Z",
"Computer": "",
"RawData": "",
"threatHunterInfo_incidentId_s": "NE2F3D55-013a6074-00000488-00000000-1d62fabf40236f4-GUWNtEmJQhKmuOTxoRV8hA-5d9d91a4-a88d-4ce4-a895-1e01f56b9ee8",
"threatHunterInfo_score_d": "3",
"threatHunterInfo_summary_s": "Process svchost.exe was detected by the report \"Persistence - Winlogon Registry Modification Detected\" in watchlist \"Carbon Black Endpoint Visibility\"",
"threatHunterInfo_time_d": "1.59062E+12",
"threatHunterInfo_indicators_s": "[\r\n {\r\n \"applicationName\": \"svchost.exe\",\r\n \"sha256Hash\": \"dd191a5b23df92e12a8852291f9fb5ed594b76a28a5a464418442584afd1e048\",\r\n \"indicatorName\": \"5d9d91a4-a88d-4ce4-a895-1e01f56b9ee8-0\"\r\n }\r\n]",
"threatHunterInfo_watchLists_s": "[\r\n {\r\n \"id\": \"0uJ17G2S2WjMkYgynqQ\",\r\n \"name\": \"Carbon Black Endpoint Visibility\",\r\n \"alert\": true\r\n }\r\n]",
"threatHunterInfo_iocId_s": "5d9d91a4-a88d-4ce4-a895-1e01f56b9ee8-0",
"threatHunterInfo_count_d": "0",
"threatHunterInfo_dismissed_b": "FALSE",
"threatHunterInfo_documentGuid_s": "nn1gC2n6SiydIaDCbknnLQ",
"threatHunterInfo_firstActivityTime_d": "1.59062E+12",
"threatHunterInfo_md5_g": "9520a99e-77d6-196d-0d09-833146424113",
"threatHunterInfo_policyId_d": "88633",
"threatHunterInfo_processGuid_s": "NE2F3D55-013a6074-00000488-00000000-1d62fabf40236f4",
"threatHunterInfo_processPath_s": "c:\\windows\\system32\\svchost.exe",
"threatHunterInfo_reportName_s": "Persistence - Winlogon Registry Modification Detected",
"threatHunterInfo_reportId_s": "GUWNtEmJQhKmuOTxoRV8hA-5d9d91a4-a88d-4ce4-a895-1e01f56b9ee8",
"threatHunterInfo_reputation_s": "TRUSTED_WHITE_LIST",
"threatHunterInfo_responseAlarmId_g": "df3dbb3a-7cea-7d53-ff33-66b48b1cea1a",
"threatHunterInfo_responseSeverity_d": "3",
"threatHunterInfo_runState_s": "RAN",
"threatHunterInfo_sha256_s": "dd191a5b23df92e12a8852291f9fb5ed594b76a28a5a464418442584afd1e048",
"threatHunterInfo_status_s": "UNRESOLVED",
"threatHunterInfo_targetPriority_s": "HIGH",
"threatHunterInfo_threatCause_reputation_s": "TRUSTED_WHITE_LIST",
"threatHunterInfo_threatCause_actor_s": "dd191a5b23df92e12a8852291f9fb5ed594b76a28a5a464418442584afd1e048",
"threatHunterInfo_threatCause_actorName_s": "svchost.exe",
"threatHunterInfo_threatCause_reason_s": "Process svchost.exe was detected by the report \"Persistence - Winlogon Registry Modification Detected\" in watchlist \"Carbon Black Endpoint Visibility\"",
"threatHunterInfo_threatCause_threatCategory_s": "RESPONSE_WATCHLIST",
"threatHunterInfo_threatCause_originSourceType_s": "UNKNOWN",
"threatHunterInfo_threatId_g": "9be3c541-9aa6-e115-86bc-751d6b93ef3f",
"threatHunterInfo_lastUpdatedTime_d": "1.59062E+12",
"threatHunterInfo_orgId_d": "12261",
"threatInfo_incidentId_s": "",
"threatInfo_score_d": "null",
"threatInfo_summary_s": "",
"threatInfo_time_d": "null",
"threatInfo_indicators_s": "",
"threatInfo_threatCause_reputation_s": "",
"threatInfo_threatCause_actor_s": "",
"threatInfo_threatCause_reason_s": "",
"threatInfo_threatCause_threatCategory_s": "",
"threatInfo_threatCause_actorProcessPPid_s": "",
"threatInfo_threatCause_causeEventId_g": "",
"threatInfo_threatCause_originSourceType_s": "",
"url_s": "https://defense-prod05.conferdeploy.net/cb/investigate/processes?query=process_guid:NE2F3D55-013a6074-00000488-00000000-1d62fabf40236f4%20AND%20device_id:20602996%20AND%20report_id:GUWNtEmJQhKmuOTxoRV8hA-5d9d91a4-a88d-4ce4-a895-1e01f56b9ee8&searchWindow=ALL",
"eventTime_d": "1.59062E+12",
"eventDescription_s": "[AzureSentinel] [Carbon Black has detected a threat against your company.] [https://defense-prod05.conferdeploy.net#device/20602996/incident/NE2F3D55-013a6074-00000488-00000000-1d62fabf40236f4-GUWNtEmJQhKmuOTxoRV8hA-5d9d91a4-a88d-4ce4-a895-1e01f56b9ee8] [Process svchost.exe was detected by the report \"Persistence - Winlogon Registry Modification Detected\" in watchlist \"Carbon Black Endpoint Visibility\"] [Incident id: NE2F3D55-013a6074-00000488-00000000-1d62fabf40236f4-GUWNtEmJQhKmuOTxoRV8hA-5d9d91a4-a88d-4ce4-a895-1e01f56b9ee8] [Threat score: 3] [Group: Standard] [Email: ajay.x.ku@accenture.com] [Name: Endpoint2] [Type and OS: WINDOWS pscr-sensor] [Severity: 3]\n",
"deviceInfo_deviceId_d": "20602996",
"deviceInfo_deviceName_s": "Endpoint2",
"deviceInfo_groupName_s": "Standard",
"deviceInfo_email_s": "user100@abccompany.com",
"deviceInfo_deviceType_s": "WINDOWS",
"deviceInfo_deviceVersion_s": "pscr-sensor",
"deviceInfo_targetPriorityType_s": "HIGH",
"deviceInfo_targetPriorityCode_d": "0",
"deviceInfo_uemId_s": "",
"deviceInfo_internalIpAddress_s": "10.10.10.10",
"deviceInfo_externalIpAddress_s": "166.166.166.166",
"ruleName_s": "AzureSentinel",
"type_s": "THREAT_HUNTER",
"notifications_s": "",
"success_b": "null",
"Message": "",
"Type": "CarbonBlackNotifications_CL",
"_ResourceId": ""
},
{
"TenantId": "a123456z-a123-1234-1234-1234aabbcc56",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-05-27T17:35:02.366Z",
"Computer": "",
"RawData": "",
"threatHunterInfo_incidentId_s": "NE2F3D55-013a6074-00001758-00000000-1d6344c296a9dc8-GUWNtEmJQhKmuOTxoRV8hA-6e5ae551-1cbb-45b3-b7a1-1569c0458f6b",
"threatHunterInfo_score_d": "6",
"threatHunterInfo_summary_s": "Process powershell.exe was detected by the report \"Execution - Powershell Execution With Unrestriced or Bypass Flags Detected\" in watchlist \"Carbon Black Endpoint Visibility\"",
"threatHunterInfo_time_d": "1.5906E+12",
"threatHunterInfo_indicators_s": "[\r\n {\r\n \"applicationName\": \"powershell.exe\",\r\n \"sha256Hash\": \"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53\",\r\n \"indicatorName\": \"6e5ae551-1cbb-45b3-b7a1-1569c0458f6b-0\"\r\n }\r\n]",
"threatHunterInfo_watchLists_s": "[\r\n {\r\n \"id\": \"0uJ17G2S2WjMkYgynqQ\",\r\n \"name\": \"Carbon Black Endpoint Visibility\",\r\n \"alert\": true\r\n }\r\n]",
"threatHunterInfo_iocId_s": "6e5ae551-1cbb-45b3-b7a1-1569c0458f6b-0",
"threatHunterInfo_count_d": "0",
"threatHunterInfo_dismissed_b": "FALSE",
"threatHunterInfo_documentGuid_s": "CARfsRC5T06XKdZdVBxxAw",
"threatHunterInfo_firstActivityTime_d": "1.5906E+12",
"threatHunterInfo_md5_g": "cda48fc7-5952-ad12-d99e-526d0b6bf70a",
"threatHunterInfo_policyId_d": "88633",
"threatHunterInfo_processGuid_s": "NE2F3D55-013a6074-00001758-00000000-1d6344c296a9dc8",
"threatHunterInfo_processPath_s": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
"threatHunterInfo_reportName_s": "Execution - Powershell Execution With Unrestriced or Bypass Flags Detected",
"threatHunterInfo_reportId_s": "GUWNtEmJQhKmuOTxoRV8hA-6e5ae551-1cbb-45b3-b7a1-1569c0458f6b",
"threatHunterInfo_reputation_s": "COMMON_WHITE_LIST",
"threatHunterInfo_responseAlarmId_g": "b1a8f431-0294-5948-1682-c32c81f6b214",
"threatHunterInfo_responseSeverity_d": "6",
"threatHunterInfo_runState_s": "RAN",
"threatHunterInfo_sha256_s": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
"threatHunterInfo_status_s": "UNRESOLVED",
"threatHunterInfo_targetPriority_s": "HIGH",
"threatHunterInfo_threatCause_reputation_s": "COMMON_WHITE_LIST",
"threatHunterInfo_threatCause_actor_s": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
"threatHunterInfo_threatCause_actorName_s": "powershell.exe",
"threatHunterInfo_threatCause_reason_s": "Process powershell.exe was detected by the report \"Execution - Powershell Execution With Unrestriced or Bypass Flags Detected\" in watchlist \"Carbon Black Endpoint Visibility\"",
"threatHunterInfo_threatCause_threatCategory_s": "RESPONSE_WATCHLIST",
"threatHunterInfo_threatCause_originSourceType_s": "UNKNOWN",
"threatHunterInfo_threatId_g": "48938b89-de6a-76a9-1717-6b2c629d4acc",
"threatHunterInfo_lastUpdatedTime_d": "1.5906E+12",
"threatHunterInfo_orgId_d": "12261",
"threatInfo_incidentId_s": "",
"threatInfo_score_d": "null",
"threatInfo_summary_s": "",
"threatInfo_time_d": "null",
"threatInfo_indicators_s": "",
"threatInfo_threatCause_reputation_s": "",
"threatInfo_threatCause_actor_s": "",
"threatInfo_threatCause_reason_s": "",
"threatInfo_threatCause_threatCategory_s": "",
"threatInfo_threatCause_actorProcessPPid_s": "",
"threatInfo_threatCause_causeEventId_g": "",
"threatInfo_threatCause_originSourceType_s": "",
"url_s": "https://defense-prod05.conferdeploy.net/cb/investigate/processes?query=process_guid:NE2F3D55-013a6074-00001758-00000000-1d6344c296a9dc8%20AND%20device_id:20602996%20AND%20report_id:GUWNtEmJQhKmuOTxoRV8hA-6e5ae551-1cbb-45b3-b7a1-1569c0458f6b&searchWindow=ALL",
"eventTime_d": "1.5906E+12",
"eventDescription_s": "[AzureSentinel] [Carbon Black has detected a threat against your company.] [https://defense-prod05.conferdeploy.net#device/20602996/incident/NE2F3D55-013a6074-00001758-00000000-1d6344c296a9dc8-GUWNtEmJQhKmuOTxoRV8hA-6e5ae551-1cbb-45b3-b7a1-1569c0458f6b] [Process powershell.exe was detected by the report \"Execution - Powershell Execution With Unrestriced or Bypass Flags Detected\" in watchlist \"Carbon Black Endpoint Visibility\"] [Incident id: NE2F3D55-013a6074-00001758-00000000-1d6344c296a9dc8-GUWNtEmJQhKmuOTxoRV8hA-6e5ae551-1cbb-45b3-b7a1-1569c0458f6b] [Threat score: 6] [Group: Standard] [Email: ajay.x.ku@accenture.com] [Name: Endpoint2] [Type and OS: WINDOWS pscr-sensor] [Severity: 6]\n",
"deviceInfo_deviceId_d": "20602996",
"deviceInfo_deviceName_s": "Endpoint2",
"deviceInfo_groupName_s": "Standard",
"deviceInfo_email_s": "user100@abccompany.com",
"deviceInfo_deviceType_s": "WINDOWS",
"deviceInfo_deviceVersion_s": "pscr-sensor",
"deviceInfo_targetPriorityType_s": "HIGH",
"deviceInfo_targetPriorityCode_d": "0",
"deviceInfo_uemId_s": "",
"deviceInfo_internalIpAddress_s": "10.10.10.10",
"deviceInfo_externalIpAddress_s": "166.166.166.166",
"ruleName_s": "AzureSentinel",
"type_s": "THREAT_HUNTER",
"notifications_s": "",
"success_b": "null",
"Message": "",
"Type": "CarbonBlackNotifications_CL",
"_ResourceId": ""
}
]

262
Sample Data/Custom/ProofPointTAPClicksBlocked_CL_sample_data.json Normal file
Просмотреть файл

@ -0,0 +1,262 @@
[
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-22T20:30:01.687Z",
"Computer": "",
"RawData": "",
"clickTime_t": "2020-04-22T20:15:06Z",
"sender_s": "sanitized@sanitized.com",
"recipient_s": "sanitized@sanitized.com",
"senderIP_s": "00.00.00.00",
"messageID_s": "<450D4F1E-E216-496A-9D0D-9180EF992779sanitized@sanitized.com>",
"clickIP_s": "00.00.00.00",
"GUID_s": "ALhNQt0WZifN6zzz0WA8cEgEP1bBMe_e",
"url_s": "https://ritter1-my.sharepoint.com/:o:/g/personal/rpolaski_ritter1_com1/EqSjAGRMK_FLtuyzGSIyczUB75G9xtiwuG-9Iavc6RpdFA?e=UK72n9",
"classification_s": "phish",
"threatTime_t": "2020-04-22T16:34:23Z",
"userAgent_s": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36",
"campaignId_s": "",
"threatID_s": "cfb087ce21c1a2d79f7713e051d4f52569afdc9971697c9610f3b16f9dd435b5",
"threatURL_s": "https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/cfb087ce21c1a2d79f7713e051d4f52569afdc9971697c9610f3b16f9dd435b5",
"threatStatus_s": "active",
"Type": "ProofPointTAPClicksBlocked_CL",
"_ResourceId": ""
},
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-22T20:30:01.687Z",
"Computer": "",
"RawData": "",
"clickTime_t": "2020-04-22T20:15:06Z",
"sender_s": "sanitized@sanitized.com",
"recipient_s": "sanitized@sanitized.com",
"senderIP_s": "00.00.00.00",
"messageID_s": "<450D4F1E-E216-496A-9D0D-9180EF992779sanitized@sanitized.com>",
"clickIP_s": "00.00.00.00",
"GUID_s": "ALhNQt0WZifN6zzz0WA8cEgEP1bBMe_e",
"url_s": "https://ritter1-my.sharepoint.com/:o:/g/personal/rpolaski_ritter1_com1/EqSjAGRMK_FLtuyzGSIyczUB75G9xtiwuG-9Iavc6RpdFA?e=UK72n9",
"classification_s": "phish",
"threatTime_t": "2020-04-22T16:36:49Z",
"userAgent_s": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36",
"campaignId_s": "",
"threatID_s": "0669315a05eeb1f88f3029c4511421d127c8116ae934c304486711a037aab2ea",
"threatURL_s": "https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/0669315a05eeb1f88f3029c4511421d127c8116ae934c304486711a037aab2ea",
"threatStatus_s": "active",
"Type": "ProofPointTAPClicksBlocked_CL",
"_ResourceId": ""
},
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-23T18:15:08.717Z",
"Computer": "",
"RawData": "",
"clickTime_t": "2020-04-23T18:03:16Z",
"sender_s": "",
"recipient_s": "sanitized@sanitized.com",
"senderIP_s": "00.00.00.00",
"messageID_s": "",
"clickIP_s": "00.00.00.00",
"GUID_s": "d-KGSOVQPJXmEvRk9FPKDWoQEDogpYFQ",
"url_s": "https://akseaproperty.com/cone",
"classification_s": "phish",
"threatTime_t": "2020-04-23T18:02:24Z",
"userAgent_s": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36",
"campaignId_s": "",
"threatID_s": "73706d110e82719da36edd7b18fbfee3d5f2de8f964304a8a896dc75f71e1eaf",
"threatURL_s": "https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/73706d110e82719da36edd7b18fbfee3d5f2de8f964304a8a896dc75f71e1eaf",
"threatStatus_s": "active",
"Type": "ProofPointTAPClicksBlocked_CL",
"_ResourceId": ""
},
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-27T20:05:06.668Z",
"Computer": "",
"RawData": "",
"clickTime_t": "2020-04-27T19:51:27Z",
"sender_s": "sanitized@sanitized.com",
"recipient_s": "sanitized@sanitized.com",
"senderIP_s": "00.00.00.00",
"messageID_s": "<450D4F1E-E216-496A-9D0D-9180EF992779sanitized@sanitized.com>",
"clickIP_s": "00.00.00.00",
"GUID_s": "2WMsHmcWdVPylqkKIbXuauS41iestGs-",
"url_s": "https://onedrive.live.com/redir?resid=A37258A5832F32B8%214809&authkey=%21AB-vlYc5yFWRh28&page=View&wd=target%28Quick%20Notes.one%7Cff180e6d-abd8-44a9-b6b0-32c570f76934%2FRemittance%20Advice%20No.%20CLT90716546%7C5d0e01b0-92ab-48d8-bea8-dae7bfeebcab%2F%29",
"classification_s": "phish",
"threatTime_t": "2020-04-27T19:22:38Z",
"userAgent_s": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
"campaignId_s": "",
"threatID_s": "9f6f446ca98ec6ec3c52a272bf4148f0db27ea0562a07a091310b1d1b8a301a3",
"threatURL_s": "https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/9f6f446ca98ec6ec3c52a272bf4148f0db27ea0562a07a091310b1d1b8a301a3",
"threatStatus_s": "active",
"Type": "ProofPointTAPClicksBlocked_CL",
"_ResourceId": ""
},
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-28T12:30:05.372Z",
"Computer": "",
"RawData": "",
"clickTime_t": "2020-04-28T12:14:48Z",
"sender_s": "sanitized@sanitized.com",
"recipient_s": "sanitized@sanitized.com",
"senderIP_s": "00.00.00.00",
"messageID_s": "<450D4F1E-E216-496A-9D0D-9180EF992779sanitized@sanitized.com>",
"clickIP_s": "00.00.00.00",
"GUID_s": "YgneddT8DgfdAJeTTP36fc3Ef2DQmnxV",
"url_s": "https://onedrive.live.com/redir?resid=715B49E9BE37C602!1714&authkey=!ALpQQ-ZSyuxMiOo&e=jOtfke",
"classification_s": "phish",
"threatTime_t": "2020-04-27T22:02:36Z",
"userAgent_s": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36",
"campaignId_s": "",
"threatID_s": "3067dadb42afe96da48e60cf0ba6ad72e1f46932f7c0059fc41732a138755a7c",
"threatURL_s": "https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/3067dadb42afe96da48e60cf0ba6ad72e1f46932f7c0059fc41732a138755a7c",
"threatStatus_s": "active",
"Type": "ProofPointTAPClicksBlocked_CL",
"_ResourceId": ""
},
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-28T13:30:07.555Z",
"Computer": "",
"RawData": "",
"clickTime_t": "2020-04-28T13:14:56Z",
"sender_s": "sanitized@sanitized.com",
"recipient_s": "sanitized@sanitized.com",
"senderIP_s": "00.00.00.00",
"messageID_s": "<450D4F1E-E216-496A-9D0D-9180EF992779sanitized@sanitized.com>",
"clickIP_s": "00.00.00.00",
"GUID_s": "RitOunZGwWIZ4UkR7n0nLEKyIoEVn-7_",
"url_s": "https://onedrive.live.com/redir?resid=715B49E9BE37C602!1714&authkey=!ALpQQ-ZSyuxMiOo&e=jOtfke",
"classification_s": "phish",
"threatTime_t": "2020-04-27T22:02:36Z",
"userAgent_s": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763",
"campaignId_s": "",
"threatID_s": "3067dadb42afe96da48e60cf0ba6ad72e1f46932f7c0059fc41732a138755a7c",
"threatURL_s": "https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/3067dadb42afe96da48e60cf0ba6ad72e1f46932f7c0059fc41732a138755a7c",
"threatStatus_s": "active",
"Type": "ProofPointTAPClicksBlocked_CL",
"_ResourceId": ""
},
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-28T17:40:08.564Z",
"Computer": "",
"RawData": "",
"clickTime_t": "2020-04-28T17:28:40Z",
"sender_s": "",
"recipient_s": "sanitized@sanitized.com",
"senderIP_s": "00.00.00.00",
"messageID_s": "",
"clickIP_s": "00.00.00.00",
"GUID_s": "mVpyO8yk9MvSqNEuXt8vOL7mRElhXPPJ",
"url_s": "https://mahamek35.com/payment/microsoftoffice_auto",
"classification_s": "phish",
"threatTime_t": "2020-04-28T17:17:40Z",
"userAgent_s": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36",
"campaignId_s": "",
"threatID_s": "266397e3a1fe50ff37c7ba736ac6d56320740f9b90791f34a62df2a381b17b98",
"threatURL_s": "https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/266397e3a1fe50ff37c7ba736ac6d56320740f9b90791f34a62df2a381b17b98",
"threatStatus_s": "active",
"Type": "ProofPointTAPClicksBlocked_CL",
"_ResourceId": ""
},
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-28T17:20:06.102Z",
"Computer": "",
"RawData": "",
"clickTime_t": "2020-04-28T17:08:16Z",
"sender_s": "",
"recipient_s": "sanitized@sanitized.com",
"senderIP_s": "00.00.00.00",
"messageID_s": "",
"clickIP_s": "00.00.00.00",
"GUID_s": "cvN8wQL1jhz8gfFHDaAY5v_Evst1fN4P",
"url_s": "http://safedocument1.homeunix.com",
"classification_s": "phish",
"threatTime_t": "2020-04-28T16:45:06Z",
"userAgent_s": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
"campaignId_s": "",
"threatID_s": "9d513adc30e6bdcf7103a3326f4248f856d34ab6ac584be7e9826c0acccbf7ec",
"threatURL_s": "https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/9d513adc30e6bdcf7103a3326f4248f856d34ab6ac584be7e9826c0acccbf7ec",
"threatStatus_s": "active",
"Type": "ProofPointTAPClicksBlocked_CL",
"_ResourceId": ""
},
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-28T17:20:06.102Z",
"Computer": "",
"RawData": "",
"clickTime_t": "2020-04-28T17:08:12Z",
"sender_s": "",
"recipient_s": "sanitized@sanitized.com",
"senderIP_s": "00.00.00.00",
"messageID_s": "",
"clickIP_s": "00.00.00.00",
"GUID_s": "cvN8wQL1jhz8gfFHDaAY5v_Evst1fN4P",
"url_s": "http://safedocument1.homeunix.com",
"classification_s": "phish",
"threatTime_t": "2020-04-28T16:45:06Z",
"userAgent_s": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
"campaignId_s": "",
"threatID_s": "9d513adc30e6bdcf7103a3326f4248f856d34ab6ac584be7e9826c0acccbf7ec",
"threatURL_s": "https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/9d513adc30e6bdcf7103a3326f4248f856d34ab6ac584be7e9826c0acccbf7ec",
"threatStatus_s": "active",
"Type": "ProofPointTAPClicksBlocked_CL",
"_ResourceId": ""
},
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-22T17:55:01.383Z",
"Computer": "",
"RawData": "",
"clickTime_t": "2020-04-22T17:44:51Z",
"sender_s": "sanitized@sanitized.com",
"recipient_s": "sanitized@sanitized.com",
"senderIP_s": "00.00.00.00",
"messageID_s": "<450D4F1E-E216-496A-9D0D-9180EF992779sanitized@sanitized.com>",
"clickIP_s": "00.00.00.00",
"GUID_s": "iRehN8hzg0xwRc2vZuy-SzgJZhTcToRH",
"url_s": "https://1drv.ms/u/s!AjlmjPDZjfaae2UHleJ83CB2rbI?e=Ws5A6S",
"classification_s": "phish",
"threatTime_t": "2020-04-22T17:28:07Z",
"userAgent_s": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763",
"campaignId_s": "",
"threatID_s": "3e3227973a56db6d3462ae92984530d3c06f1e4e2fa15be7fe3024441c235f55",
"threatURL_s": "https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/3e3227973a56db6d3462ae92984530d3c06f1e4e2fa15be7fe3024441c235f55",
"threatStatus_s": "active",
"Type": "ProofPointTAPClicksBlocked_CL",
"_ResourceId": ""
}
]

184
Sample Data/Custom/ProofPointTAPClicksPermitted_CL_sample_data.json Normal file
Просмотреть файл

@ -0,0 +1,184 @@
[
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-27T20:05:06.707Z",
"Computer": "",
"RawData": "",
"clickTime_t": "2020-04-27T19:50:50Z",
"sender_s": "sanitized@sanitized.com",
"recipient_s": "sanitized@sanitized.com",
"senderIP_s": "00.00.00.00",
"messageID_s": "<DM6PR18MB370645748696A23D7907165FC4AF0@DM6PR18MB3706.namprd18.prod.outlook.com>",
"clickIP_s": "00.00.00.00",
"GUID_s": "vgrlzeQZgesMah_Te1nSxvjAyHOCgKYW",
"url_s": "https://wholecoffeesign.com/",
"classification_s": "phish",
"threatTime_t": "2020-04-27T19:51:21Z",
"userAgent_s": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
"campaignId_s": "",
"threatID_s": "a4fb7740d6f4c080bf95e7b86757cafa445cc6cea87a8a1272c52dcaca7ecd0e",
"threatURL_s": "https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/a4fb7740d6f4c080bf95e7b86757cafa445cc6cea87a8a1272c52dcaca7ecd0e",
"threatStatus_s": "active",
"Type": "ProofPointTAPClicksPermitted_CL",
"_ResourceId": ""
},
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-27T19:00:01.589Z",
"Computer": "",
"RawData": "",
"clickTime_t": "2020-04-17T20:59:38Z",
"sender_s": "sanitized@sanitized.com",
"recipient_s": "sanitized@sanitized.com",
"senderIP_s": "00.00.00.00",
"messageID_s": "<DF0B23F5-9DAA-431C-A6B2-4DAE7A9E19D7@yahoo.com>",
"clickIP_s": "00.00.00.00",
"GUID_s": "x-G7FVTB3JEhHAC4ADtDXmYQcvWJs3TG",
"url_s": "https://r.smore.com/c?u=https%253A%2F%2Fwww.smore.com%2Fhu4xb-superintendent-of-schools%253Fref%253Demail&nk=NWU5YTBlNzhkYzA5YjYwYTQwM2QyYTRjLGplbnBhbG1vQHlhaG9vLmNvbTpxNXR0ZmdlMzJldGdxdXJq",
"classification_s": "spam",
"threatTime_t": "2020-04-27T18:42:53Z",
"userAgent_s": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
"campaignId_s": "",
"threatID_s": "5a5adc5cc61e53a723e82eeeeda0a7cae69d99641fb739793baf9bc7d637f3b7",
"threatURL_s": "https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/5a5adc5cc61e53a723e82eeeeda0a7cae69d99641fb739793baf9bc7d637f3b7",
"threatStatus_s": "cleared",
"Type": "ProofPointTAPClicksPermitted_CL",
"_ResourceId": ""
},
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-27T19:00:01.589Z",
"Computer": "",
"RawData": "",
"clickTime_t": "2020-04-17T15:54:07Z",
"sender_s": "",
"recipient_s": "sanitized@sanitized.com",
"senderIP_s": "00.00.00.00",
"messageID_s": "",
"clickIP_s": "00.00.00.00",
"GUID_s": "9odGNMdG7K6_II7xDHBNMny1ebMjC34H",
"url_s": "https://r.smore.com/c?u=https%253A%2F%2Fdocs.google.com%2Fforms%2Fd%2Fe%2F1FAIpQLSedeVscnrxbj3PYVaoWNmgjYBPLjUMzGN1l9WAZnMaxEQGdfg%2Fviewform&bbn_message_id=045890cd-20a1-4275-b79f-069546ed7f98",
"classification_s": "spam",
"threatTime_t": "2020-04-27T18:42:53Z",
"userAgent_s": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36",
"campaignId_s": "",
"threatID_s": "5a5adc5cc61e53a723e82eeeeda0a7cae69d99641fb739793baf9bc7d637f3b7",
"threatURL_s": "https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/5a5adc5cc61e53a723e82eeeeda0a7cae69d99641fb739793baf9bc7d637f3b7",
"threatStatus_s": "cleared",
"Type": "ProofPointTAPClicksPermitted_CL",
"_ResourceId": ""
},
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-27T19:00:01.589Z",
"Computer": "",
"RawData": "",
"clickTime_t": "2020-04-14T23:10:59Z",
"sender_s": "",
"recipient_s": "sanitized@sanitized.com",
"senderIP_s": "00.00.00.00",
"messageID_s": "",
"clickIP_s": "00.00.00.00",
"GUID_s": "Wsfjr9jw1vaJmN0f_bAB1oKvGUfV50jk",
"url_s": "https://r.smore.com/c?u=https%253A%2F%2Fwww.issaquah.wednet.edu%2Ffamily%2Fsupports%2Fisd-updates%2Fisd-updates%2F2020%2F04%2F10%2Fissaquah-school-district-high-school-update-april-10-2020&bbn_message_id=30cc4f4a-f80c-46da-a433-7b400d7b68cf",
"classification_s": "spam",
"threatTime_t": "2020-04-27T18:42:53Z",
"userAgent_s": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36",
"campaignId_s": "",
"threatID_s": "5a5adc5cc61e53a723e82eeeeda0a7cae69d99641fb739793baf9bc7d637f3b7",
"threatURL_s": "https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/5a5adc5cc61e53a723e82eeeeda0a7cae69d99641fb739793baf9bc7d637f3b7",
"threatStatus_s": "cleared",
"Type": "ProofPointTAPClicksPermitted_CL",
"_ResourceId": ""
},
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-27T22:10:01.199Z",
"Computer": "",
"RawData": "",
"clickTime_t": "2020-04-27T21:56:27Z",
"sender_s": "sanitized@sanitized.com",
"recipient_s": "sanitized@sanitized.com",
"senderIP_s": "00.00.00.00",
"messageID_s": "<BN6PR13MB2996E850249232CC5787C18EBAAF0@BN6PR13MB2996.namprd13.prod.outlook.com>",
"clickIP_s": "00.00.00.00",
"GUID_s": "Fg1093A0tkd1-vuIANQH7YUpxumur3Gj",
"url_s": "https://onedrive.live.com/redir?resid=715B49E9BE37C602!1714&authkey=!ALpQQ-ZSyuxMiOo&e=jOtfke",
"classification_s": "phish",
"threatTime_t": "2020-04-27T22:02:36Z",
"userAgent_s": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763",
"campaignId_s": "",
"threatID_s": "3067dadb42afe96da48e60cf0ba6ad72e1f46932f7c0059fc41732a138755a7c",
"threatURL_s": "https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/3067dadb42afe96da48e60cf0ba6ad72e1f46932f7c0059fc41732a138755a7c",
"threatStatus_s": "active",
"Type": "ProofPointTAPClicksPermitted_CL",
"_ResourceId": ""
},
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-28T14:10:02.087Z",
"Computer": "",
"RawData": "",
"clickTime_t": "2020-04-28T13:55:46Z",
"sender_s": "sanitized@sanitized.com",
"recipient_s": "sanitized@sanitized.com",
"senderIP_s": "00.00.00.00",
"messageID_s": "<AE866DAD-C19E-4225-8B5D-4034548CE571@chanel.com>",
"clickIP_s": "00.00.00.00",
"GUID_s": "ckRIOEsYWuvqH2ECFO8df6sezwMX65EG",
"url_s": "https://1drv.ms/u/s!ApJwf_NGjDnohhs18UhjO5yCFupw?e=D9dogt",
"classification_s": "phish",
"threatTime_t": "2020-03-17T18:31:18Z",
"userAgent_s": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
"campaignId_s": "",
"threatID_s": "a05752f0827fecd9f2e92c295d52f50b636424b9ec8a146a683bed8016e12a2b",
"threatURL_s": "https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/a05752f0827fecd9f2e92c295d52f50b636424b9ec8a146a683bed8016e12a2b",
"threatStatus_s": "active",
"Type": "ProofPointTAPClicksPermitted_CL",
"_ResourceId": ""
},
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-24T12:15:01.166Z",
"Computer": "",
"RawData": "",
"clickTime_t": "2020-04-24T11:59:09Z",
"sender_s": "sanitized@sanitized.com",
"recipient_s": "sanitized@sanitized.com",
"senderIP_s": "00.00.00.00",
"messageID_s": "<22e85feaf00bd2353671ef5a222acc7f@group-activa.com>",
"clickIP_s": "00.00.00.00",
"GUID_s": "AL1T8KiS64_JYENwmzdsTmKkiaPMXSQk",
"url_s": "https://56ekc.app.link/8y5Kg4XpW5?em=OS36@abc.com&cl=2&abc.comEOIHYVKYM##UNAME842641664abc.com",
"classification_s": "phish",
"threatTime_t": "2020-04-24T11:59:50Z",
"userAgent_s": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
"campaignId_s": "",
"threatID_s": "7e5701ff7a6a12f345ce90fef2bb532e6141ed7e73b5386340fff06f06aeefd8",
"threatURL_s": "https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/7e5701ff7a6a12f345ce90fef2bb532e6141ed7e73b5386340fff06f06aeefd8",
"threatStatus_s": "active",
"Type": "ProofPointTAPClicksPermitted_CL",
"_ResourceId": ""
}
]

392
Sample Data/Custom/ProofPointTAPMessagesBlocked_CL_sample_data.json Normal file
Просмотреть файл

@ -0,0 +1,392 @@
[
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-28T15:45:01.185Z",
"Computer": "",
"RawData": "",
"spamScore_d": "100",
"threatsInfoMap_s": "[\r\n {\r\n \"threatID\": \"a1ac96cc939effe50aec93c726ca4ef67e5748fa55bf7988301d168a02060161\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/a1ac96cc939effe50aec93c726ca4ef67e5748fa55bf7988301d168a02060161\",\r\n \"threatTime\": \"2020-04-28T15:05:08Z\",\r\n \"threat\": \"a1ac96cc939effe50aec93c726ca4ef67e5748fa55bf7988301d168a02060161\",\r\n \"campaignID\": null,\r\n \"threatType\": \"attachment\"\r\n }\r\n]",
"messageTime_t": "2020-04-28T15:06:56Z",
"subject_s": "BROOKS (17124244096) left you a message 21 second(s) long.",
"quarantineRule_s": "module.sandbox.rule.threat",
"replyToAddress_s": "[]",
"toAddresses_s": "sanitized@sanitized.com",
"QID_s": "30pax0uf3f-1",
"sender_s": "bdcfaa08a38889403842110ca5f53c17sanitized@sanitized.com",
"recipient_s": "sanitized@sanitized.com",
"senderIP_s": "00.00.00.00",
"messageID_s": "<fb09d87a-2d35-fb04-491c-faa1f5ea3f0bsanitized@sanitized.com>",
"messageParts_s": "[\r\n {\r\n \"disposition\": \"attached\",\r\n \"sha256\": \"a1ac96cc939effe50aec93c726ca4ef67e5748fa55bf7988301d168a02060161\",\r\n \"md5\": \"2a0e7a82f0aff7fed2d1b13a6336602e\",\r\n \"filename\": \".htm\",\r\n \"sandboxStatus\": \"THREAT\",\r\n \"oContentType\": \"text/html\",\r\n \"contentType\": \"text/html\"\r\n }\r\n]",
"headerReplyTo_s": "",
"impostorScore_d": "0",
"malwareScore_d": "0",
"messageSize_d": "2998",
"headerFrom_s": "sanitized@sanitized.com",
"phishScore_d": "0",
"policyRoutes_s": "[\r\n \"default_inbound\",\r\n \"nt_spoofsafe\",\r\n \"allow_relay\",\r\n \"firewallsafe\",\r\n \"internalnet\"\r\n]",
"modulesRun_s": "[\r\n \"access\",\r\n \"dkim\",\r\n \"smtpsrv\",\r\n \"av\",\r\n \"zerohour\",\r\n \"sandbox\",\r\n \"spam\",\r\n \"urldefense\"\r\n]",
"GUID_s": "#NAME?",
"cluster_s": "abc_hosted",
"quarantineFolder_s": "Attachment Defense",
"fromAddress_s": "[\r\n \"bdcfaa08a38889403842110ca5f53c17@sakagami-ltd.co.jp\"\r\n]",
"ccAddresses_s": "[]",
"xmailer_s": "",
"completelyRewritten_b": "FALSE",
"Type": "ProofPointTAPMessagesBlocked_CL",
"_ResourceId": ""
},
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-28T15:50:01.044Z",
"Computer": "",
"RawData": "",
"spamScore_d": "100",
"threatsInfoMap_s": "[\r\n {\r\n \"threatID\": \"c1425fbe7134b8cfcf479a5799cec7917ad7638268cc8554c5f50374198dfa75\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/c1425fbe7134b8cfcf479a5799cec7917ad7638268cc8554c5f50374198dfa75\",\r\n \"threatTime\": \"2020-01-13T15:59:53Z\",\r\n \"threat\": \"toursfera.com/wp-content/uploads/\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n }\r\n]",
"messageTime_t": "2020-04-28T15:13:48Z",
"subject_s": "THE ONLINE DRUGSHOP amplifying the opportunity to impale other man",
"quarantineRule_s": "module.spam.rule.defaultinbound_spam_definite",
"replyToAddress_s": "[]",
"toAddresses_s": "sanitized@sanitized.com",
"QID_s": "30mhgfww0q-1",
"sender_s": "bdcfaa08a38889403842110ca5f53c17sanitized@sanitized.com",
"recipient_s": "sanitized@sanitized.com",
"senderIP_s": "00.00.00.00",
"messageID_s": "<fb09d87a-2d35-fb04-491c-faa1f5ea3f0bsanitized@sanitized.com>",
"messageParts_s": "[\r\n {\r\n \"disposition\": \"inline\",\r\n \"sha256\": \"28bc3478403b64679b24c24f1c3d85f5fa97393a76a8d9cda49bb3f3244d7b18\",\r\n \"md5\": \"7c9192185123d6014afa57de8d086fc2\",\r\n \"filename\": \"text.txt\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"text/plain\",\r\n \"contentType\": \"text/plain\"\r\n }\r\n]",
"headerReplyTo_s": "",
"impostorScore_d": "0",
"malwareScore_d": "0",
"messageSize_d": "3269",
"headerFrom_s": "sanitized@sanitized.com",
"phishScore_d": "100",
"policyRoutes_s": "[\r\n \"default_inbound\",\r\n \"nt_spoofsafe\"\r\n]",
"modulesRun_s": "[\r\n \"access\",\r\n \"dkim\",\r\n \"smtpsrv\",\r\n \"av\",\r\n \"zerohour\",\r\n \"spf\",\r\n \"dkimv\",\r\n \"sandbox\",\r\n \"spam\",\r\n \"dmarc\",\r\n \"pdr\",\r\n \"urldefense\"\r\n]",
"GUID_s": "wZPKm75dzvm8trCR2JvmZYCF5lkX82ep",
"cluster_s": "abc_hosted",
"quarantineFolder_s": "InboundDefiniteSpam",
"fromAddress_s": "[\r\n \"56452b6fceba10a5291d2fd9b87b79f7@getplus.co.jp\"\r\n]",
"ccAddresses_s": "[\r\n \"981aca6444560fc70ef8d5258b164cff@aol.com\"\r\n]",
"xmailer_s": "iPad Mail (13E238)",
"completelyRewritten_b": "FALSE",
"Type": "ProofPointTAPMessagesBlocked_CL",
"_ResourceId": ""
},
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-28T15:55:01.201Z",
"Computer": "",
"RawData": "",
"spamScore_d": "0",
"threatsInfoMap_s": "[\r\n {\r\n \"threatID\": \"cd14380112aabefd7e972956ff1575f2da6de0e99e1d317160c5324a6777c8ca\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/cd14380112aabefd7e972956ff1575f2da6de0e99e1d317160c5324a6777c8ca\",\r\n \"threatTime\": \"2020-04-28T15:18:37Z\",\r\n \"threat\": \"insert-link-here.com\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n },\r\n {\r\n \"threatID\": \"8ac038e5d7f9d945dcfa1b6d41980bd73baff3c88d4e4f7a8625b50e185a25ee\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/8ac038e5d7f9d945dcfa1b6d41980bd73baff3c88d4e4f7a8625b50e185a25ee\",\r\n \"threatTime\": \"2019-09-25T15:10:50Z\",\r\n \"threat\": \"http://www.insert-link-here.com\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n }\r\n]",
"messageTime_t": "2020-04-28T15:21:30Z",
"subject_s": "=?utf-8?Q?Time=20to=20move=20off=20BNA=3F=20Enjoy=20a=20preview=20of=20Brocade=20SANnav=20Management=20Portal?=",
"quarantineRule_s": "module.spam.rule.defaultinbound_bulk",
"replyToAddress_s": "sanitized@sanitized.com",
"toAddresses_s": "sanitized@sanitized.com",
"QID_s": "30n4bskefr-1",
"sender_s": "bdcfaa08a38889403842110ca5f53c17sanitized@sanitized.com",
"recipient_s": "sanitized@sanitized.com",
"senderIP_s": "00.00.00.00",
"messageID_s": "<fb09d87a-2d35-fb04-491c-faa1f5ea3f0bsanitized@sanitized.com>",
"messageParts_s": "[\r\n {\r\n \"disposition\": \"inline\",\r\n \"sha256\": \"d6b2936bcbecd35e4588173215467d0d98c0ca8a40e378bec1878714d50d05e3\",\r\n \"md5\": \"5dec6ecee7a2afc88c25d532aa23f157\",\r\n \"filename\": \"text.txt\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"text/plain\",\r\n \"contentType\": \"text/plain\"\r\n },\r\n {\r\n \"disposition\": \"inline\",\r\n \"sha256\": \"d40946767fec64dcd165c805498343284d095f00052a40add2c0004b7c3d24cc\",\r\n \"md5\": \"3166305aa434a9b27e8672fa3a67394e\",\r\n \"filename\": \"text.html\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"text/html\",\r\n \"contentType\": \"text/html\"\r\n }\r\n]",
"headerReplyTo_s": "=?utf-8?Q?Brocade?= <xtw@broadcom.com>",
"impostorScore_d": "0",
"malwareScore_d": "0",
"messageSize_d": "48265",
"headerFrom_s": "sanitized@sanitized.com",
"phishScore_d": "0",
"policyRoutes_s": "[\r\n \"default_inbound\",\r\n \"nt_spoofsafe\"\r\n]",
"modulesRun_s": "[\r\n \"access\",\r\n \"dkim\",\r\n \"smtpsrv\",\r\n \"av\",\r\n \"zerohour\",\r\n \"spf\",\r\n \"dkimv\",\r\n \"sandbox\",\r\n \"spam\",\r\n \"dmarc\",\r\n \"pdr\",\r\n \"urldefense\"\r\n]",
"GUID_s": "n9F2qSfAUGOuif5La6gJGG31p5IQof48",
"cluster_s": "abc_hosted",
"quarantineFolder_s": "Bulk",
"fromAddress_s": "[\r\n \"6d223a5c21674829b702c278cd4c8c2f@broadcom.com\"\r\n]",
"ccAddresses_s": "[]",
"xmailer_s": "MailChimp Mailer - **CID4d52dc8025000c740f7d**",
"completelyRewritten_b": "FALSE",
"Type": "ProofPointTAPMessagesBlocked_CL",
"_ResourceId": ""
},
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-28T15:55:01.201Z",
"Computer": "",
"RawData": "",
"spamScore_d": "0",
"threatsInfoMap_s": "[\r\n {\r\n \"threatID\": \"7ca2d79ade8ae0fadd78e918aa20824fed4688a9ee416a3cc5cb385be7031739\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/7ca2d79ade8ae0fadd78e918aa20824fed4688a9ee416a3cc5cb385be7031739\",\r\n \"threatTime\": \"2020-04-28T15:43:33Z\",\r\n \"threat\": \"storage.googleapis.com/fgfdsd4545454/\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n }\r\n]",
"messageTime_t": "2020-04-28T14:55:17Z",
"subject_s": "dl101@abc.com Received A Document",
"quarantineRule_s": "module.spam.rule.defaultinbound_spam",
"replyToAddress_s": "sanitized@sanitized.com",
"toAddresses_s": "sanitized@sanitized.com",
"QID_s": "30n392kdhh-1",
"sender_s": "bdcfaa08a38889403842110ca5f53c17sanitized@sanitized.com",
"recipient_s": "sanitized@sanitized.com",
"senderIP_s": "00.00.00.00",
"messageID_s": "<fb09d87a-2d35-fb04-491c-faa1f5ea3f0bsanitized@sanitized.com>",
"messageParts_s": "[\r\n {\r\n \"disposition\": \"attached\",\r\n \"sha256\": \"013d60df53d77cac080bb04033e4f8894e1d4eab89b8043069ab7b45e5c76cb4\",\r\n \"md5\": \"b599fa8eebd35574b59ce3ad55583002\",\r\n \"filename\": \"blue2x-10b63a7e9107c08c8d89a3f8016c133ae4fcf5afb3e59a65fb17e21eeb83148d.png\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"image/png\",\r\n \"contentType\": \"image/png\"\r\n },\r\n {\r\n \"disposition\": \"inline\",\r\n \"sha256\": \"61e349e2391d26402442acf92f1df8f38cf959bc7f1ffca148d6f58ea9e1592e\",\r\n \"md5\": \"a2c9d9a2de2c6b2234408d5c1204e622\",\r\n \"filename\": \"text.html\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"text/html\",\r\n \"contentType\": \"text/html\"\r\n }\r\n]",
"headerReplyTo_s": "sanitized@sanitized.com",
"impostorScore_d": "0",
"malwareScore_d": "0",
"messageSize_d": "21310",
"headerFrom_s": "sanitized@sanitized.com",
"phishScore_d": "0",
"policyRoutes_s": "[\r\n \"default_inbound\",\r\n \"nt_spoofsafe\"\r\n]",
"modulesRun_s": "[\r\n \"access\",\r\n \"dkim\",\r\n \"smtpsrv\",\r\n \"av\",\r\n \"zerohour\",\r\n \"spf\",\r\n \"dkimv\",\r\n \"sandbox\",\r\n \"spam\",\r\n \"dmarc\",\r\n \"pdr\",\r\n \"urldefense\"\r\n]",
"GUID_s": "B36mLqOc30s7ON9XZTBduuv920kclLCc",
"cluster_s": "abc_hosted",
"quarantineFolder_s": "Quarantine",
"fromAddress_s": "[\r\n \"3a8ddda1c02aff30e434f7ffd9aabbe3@iplace.at\"\r\n]",
"ccAddresses_s": "[]",
"xmailer_s": "",
"completelyRewritten_b": "FALSE",
"Type": "ProofPointTAPMessagesBlocked_CL",
"_ResourceId": ""
},
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-28T15:55:01.201Z",
"Computer": "",
"RawData": "",
"spamScore_d": "0",
"threatsInfoMap_s": "[\r\n {\r\n \"threatID\": \"cd14380112aabefd7e972956ff1575f2da6de0e99e1d317160c5324a6777c8ca\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/cd14380112aabefd7e972956ff1575f2da6de0e99e1d317160c5324a6777c8ca\",\r\n \"threatTime\": \"2020-04-28T15:18:37Z\",\r\n \"threat\": \"insert-link-here.com\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n },\r\n {\r\n \"threatID\": \"8ac038e5d7f9d945dcfa1b6d41980bd73baff3c88d4e4f7a8625b50e185a25ee\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/8ac038e5d7f9d945dcfa1b6d41980bd73baff3c88d4e4f7a8625b50e185a25ee\",\r\n \"threatTime\": \"2019-09-25T15:10:50Z\",\r\n \"threat\": \"http://www.insert-link-here.com\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n }\r\n]",
"messageTime_t": "2020-04-28T15:15:28Z",
"subject_s": "=?utf-8?Q?Time=20to=20move=20off=20BNA=3F=20Enjoy=20a=20preview=20of=20Brocade=20SANnav=20Management=20Portal?=",
"quarantineRule_s": "module.spam.rule.defaultinbound_bulk",
"replyToAddress_s": "sanitized@sanitized.com",
"toAddresses_s": "sanitized@sanitized.com",
"QID_s": "30pf35tf62-1",
"sender_s": "bdcfaa08a38889403842110ca5f53c17sanitized@sanitized.com",
"recipient_s": "sanitized@sanitized.com",
"senderIP_s": "00.00.00.00",
"messageID_s": "<fb09d87a-2d35-fb04-491c-faa1f5ea3f0bsanitized@sanitized.com>",
"messageParts_s": "[\r\n {\r\n \"disposition\": \"inline\",\r\n \"sha256\": \"0c0ff478e259f471068c5ddf1328d675fa3d49bd803e04d9aac3aed0cc7222be\",\r\n \"md5\": \"6d459db17507ff6f0818b1d589edafca\",\r\n \"filename\": \"text.html\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"text/html\",\r\n \"contentType\": \"text/html\"\r\n },\r\n {\r\n \"disposition\": \"inline\",\r\n \"sha256\": \"aa19ae4a23989051610ad377b1adda51101a0db50b0866727b9e091a2a4b788e\",\r\n \"md5\": \"88557b066dc4234c866d445192f8e7ee\",\r\n \"filename\": \"text.txt\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"text/plain\",\r\n \"contentType\": \"text/plain\"\r\n }\r\n]",
"headerReplyTo_s": "=?utf-8?Q?Brocade?= <xtw@broadcom.com>",
"impostorScore_d": "0",
"malwareScore_d": "0",
"messageSize_d": "48263",
"headerFrom_s": "sanitized@sanitized.com",
"phishScore_d": "0",
"policyRoutes_s": "[\r\n \"default_inbound\",\r\n \"nt_spoofsafe\"\r\n]",
"modulesRun_s": "[\r\n \"access\",\r\n \"dkim\",\r\n \"smtpsrv\",\r\n \"av\",\r\n \"zerohour\",\r\n \"spf\",\r\n \"dkimv\",\r\n \"sandbox\",\r\n \"spam\",\r\n \"dmarc\",\r\n \"pdr\",\r\n \"urldefense\"\r\n]",
"GUID_s": "3G7d7FRKkq1RxzqS53d5efVkLR31WHQr",
"cluster_s": "abc_hosted",
"quarantineFolder_s": "Bulk",
"fromAddress_s": "[\r\n \"6d223a5c21674829b702c278cd4c8c2f@broadcom.com\"\r\n]",
"ccAddresses_s": "[]",
"xmailer_s": "MailChimp Mailer - **CID4d52dc802539d918410f**",
"completelyRewritten_b": "FALSE",
"Type": "ProofPointTAPMessagesBlocked_CL",
"_ResourceId": ""
},
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-28T15:55:01.201Z",
"Computer": "",
"RawData": "",
"spamScore_d": "0",
"threatsInfoMap_s": "[\r\n {\r\n \"threatID\": \"cd14380112aabefd7e972956ff1575f2da6de0e99e1d317160c5324a6777c8ca\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/cd14380112aabefd7e972956ff1575f2da6de0e99e1d317160c5324a6777c8ca\",\r\n \"threatTime\": \"2020-04-28T15:18:37Z\",\r\n \"threat\": \"insert-link-here.com\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n },\r\n {\r\n \"threatID\": \"8ac038e5d7f9d945dcfa1b6d41980bd73baff3c88d4e4f7a8625b50e185a25ee\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/8ac038e5d7f9d945dcfa1b6d41980bd73baff3c88d4e4f7a8625b50e185a25ee\",\r\n \"threatTime\": \"2019-09-25T15:10:50Z\",\r\n \"threat\": \"http://www.insert-link-here.com\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n }\r\n]",
"messageTime_t": "2020-04-28T15:21:31Z",
"subject_s": "=?utf-8?Q?Time=20to=20move=20off=20BNA=3F=20Enjoy=20a=20preview=20of=20Brocade=20SANnav=20Management=20Portal?=",
"quarantineRule_s": "module.spam.rule.defaultinbound_bulk",
"replyToAddress_s": "sanitized@sanitized.com",
"toAddresses_s": "sanitized@sanitized.com",
"QID_s": "30n4bskf10-1",
"sender_s": "bdcfaa08a38889403842110ca5f53c17sanitized@sanitized.com",
"recipient_s": "sanitized@sanitized.com",
"senderIP_s": "00.00.00.00",
"messageID_s": "<fb09d87a-2d35-fb04-491c-faa1f5ea3f0bsanitized@sanitized.com>",
"messageParts_s": "[\r\n {\r\n \"disposition\": \"inline\",\r\n \"sha256\": \"5ad9e33ffc21c2cc5da05723a002bebf1525f5443f8eca470993ac2f67b2cf0c\",\r\n \"md5\": \"0690782b893a6526815077f26285af33\",\r\n \"filename\": \"text.html\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"text/html\",\r\n \"contentType\": \"text/html\"\r\n },\r\n {\r\n \"disposition\": \"inline\",\r\n \"sha256\": \"ad50200fa9c35411db85a94365b82adcfa30792c9f67b39bd1ea9fcef9f982a9\",\r\n \"md5\": \"f443e1e02d3b60313d8a69c7900db695\",\r\n \"filename\": \"text.txt\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"text/plain\",\r\n \"contentType\": \"text/plain\"\r\n }\r\n]",
"headerReplyTo_s": "=?utf-8?Q?Brocade?= <xtw@broadcom.com>",
"impostorScore_d": "0",
"malwareScore_d": "0",
"messageSize_d": "48222",
"headerFrom_s": "sanitized@sanitized.com",
"phishScore_d": "0",
"policyRoutes_s": "[\r\n \"default_inbound\",\r\n \"nt_spoofsafe\",\r\n \"TAP_Technology\"\r\n]",
"modulesRun_s": "[\r\n \"access\",\r\n \"dkim\",\r\n \"smtpsrv\",\r\n \"av\",\r\n \"zerohour\",\r\n \"spf\",\r\n \"dkimv\",\r\n \"sandbox\",\r\n \"spam\",\r\n \"dmarc\",\r\n \"pdr\",\r\n \"urldefense\"\r\n]",
"GUID_s": "aprCXPpMxuH-0KnqM7mkHhQqkkM5mGOP",
"cluster_s": "abc_hosted",
"quarantineFolder_s": "Bulk",
"fromAddress_s": "[\r\n \"6d223a5c21674829b702c278cd4c8c2f@broadcom.com\"\r\n]",
"ccAddresses_s": "[]",
"xmailer_s": "MailChimp Mailer - **CID4d52dc8025358efeb219**",
"completelyRewritten_b": "FALSE",
"Type": "ProofPointTAPMessagesBlocked_CL",
"_ResourceId": ""
},
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-28T15:55:01.201Z",
"Computer": "",
"RawData": "",
"spamScore_d": "100",
"threatsInfoMap_s": "[\r\n {\r\n \"threatID\": \"142c199adf96b20383ad38a442a486a280a2a90c9a81e8d475f00032f12ea3e8\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/142c199adf96b20383ad38a442a486a280a2a90c9a81e8d475f00032f12ea3e8\",\r\n \"threatTime\": \"2020-04-17T00:06:39Z\",\r\n \"threat\": \"firebasestorage.googleapis.com/v0/b/userupdate2020-f6776.appspot.com/\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n }\r\n]",
"messageTime_t": "2020-04-28T15:15:26Z",
"subject_s": "Mail delivery failed: [6] messages to eric_banfield@northerntrust.com delayed for 48 hours",
"quarantineRule_s": "module.spam.rule.defaultinbound_spam_definite",
"replyToAddress_s": "[]",
"toAddresses_s": "sanitized@sanitized.com",
"QID_s": "30pf35tdqc-1",
"sender_s": "bdcfaa08a38889403842110ca5f53c17sanitized@sanitized.com",
"recipient_s": "sanitized@sanitized.com",
"senderIP_s": "00.00.00.00",
"messageID_s": "<fb09d87a-2d35-fb04-491c-faa1f5ea3f0bsanitized@sanitized.com>",
"messageParts_s": "[\r\n {\r\n \"disposition\": \"inline\",\r\n \"sha256\": \"6b536ded3d77f04a70c60a568289ceedea490b1ddd457d337ef35de317cc0760\",\r\n \"md5\": \"c0e137c176f6df000b82d2a4c66e9c78\",\r\n \"filename\": \"text.html\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"text/html\",\r\n \"contentType\": \"text/html\"\r\n }\r\n]",
"headerReplyTo_s": "",
"impostorScore_d": "0",
"malwareScore_d": "0",
"messageSize_d": "3614",
"headerFrom_s": "sanitized@sanitized.com",
"phishScore_d": "100",
"policyRoutes_s": "[\r\n \"default_inbound\",\r\n \"nt_spoofsafe\"\r\n]",
"modulesRun_s": "[\r\n \"access\",\r\n \"dkim\",\r\n \"smtpsrv\",\r\n \"av\",\r\n \"zerohour\",\r\n \"spf\",\r\n \"dkimv\",\r\n \"sandbox\",\r\n \"spam\",\r\n \"dmarc\",\r\n \"pdr\",\r\n \"urldefense\"\r\n]",
"GUID_s": "psQenS1-GmtXQDWM8hDfmpoLjesN8Pmf",
"cluster_s": "abc_hosted",
"quarantineFolder_s": "InboundDefiniteSpam",
"fromAddress_s": "[\r\n \"eric_banfield@northerntrust.com\"\r\n]",
"ccAddresses_s": "[]",
"xmailer_s": "",
"completelyRewritten_b": "FALSE",
"Type": "ProofPointTAPMessagesBlocked_CL",
"_ResourceId": ""
},
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-28T16:05:07.215Z",
"Computer": "",
"RawData": "",
"spamScore_d": "100",
"threatsInfoMap_s": "[\r\n {\r\n \"threatID\": \"142c199adf96b20383ad38a442a486a280a2a90c9a81e8d475f00032f12ea3e8\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/142c199adf96b20383ad38a442a486a280a2a90c9a81e8d475f00032f12ea3e8\",\r\n \"threatTime\": \"2020-04-17T00:06:39Z\",\r\n \"threat\": \"firebasestorage.googleapis.com/v0/b/userupdate2020-f6776.appspot.com/\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n }\r\n]",
"messageTime_t": "2020-04-28T15:27:17Z",
"subject_s": "Mail delivery failed: [6] messages to garrett.mcknight@northerntrust.com delayed for 48 hours",
"quarantineRule_s": "module.spam.rule.defaultinbound_spam_definite",
"replyToAddress_s": "[]",
"toAddresses_s": "sanitized@sanitized.com",
"QID_s": "30n3n93nw3-1",
"sender_s": "bdcfaa08a38889403842110ca5f53c17sanitized@sanitized.com",
"recipient_s": "sanitized@sanitized.com",
"senderIP_s": "00.00.00.00",
"messageID_s": "<fb09d87a-2d35-fb04-491c-faa1f5ea3f0bsanitized@sanitized.com>",
"messageParts_s": "[\r\n {\r\n \"disposition\": \"inline\",\r\n \"sha256\": \"06b6c6d0c4bddf0bb2a38ba8aa716cddddcc9e8f7562e32fbb870eba41a4576a\",\r\n \"md5\": \"d3c7d4dba093f54bb3d1697c98b8901b\",\r\n \"filename\": \"text.html\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"text/html\",\r\n \"contentType\": \"text/html\"\r\n }\r\n]",
"headerReplyTo_s": "",
"impostorScore_d": "0",
"malwareScore_d": "0",
"messageSize_d": "3652",
"headerFrom_s": "sanitized@sanitized.com",
"phishScore_d": "100",
"policyRoutes_s": "[\r\n \"default_inbound\",\r\n \"nt_spoofsafe\"\r\n]",
"modulesRun_s": "[\r\n \"access\",\r\n \"dkim\",\r\n \"smtpsrv\",\r\n \"av\",\r\n \"zerohour\",\r\n \"spf\",\r\n \"dkimv\",\r\n \"sandbox\",\r\n \"spam\",\r\n \"dmarc\",\r\n \"pdr\",\r\n \"urldefense\"\r\n]",
"GUID_s": "vIcTGn0KlQ_OaQoJ0moiqN1H9VzvKj7M",
"cluster_s": "abc_hosted",
"quarantineFolder_s": "InboundDefiniteSpam",
"fromAddress_s": "[\r\n \"garrett.mcknight@northerntrust.com\"\r\n]",
"ccAddresses_s": "[]",
"xmailer_s": "",
"completelyRewritten_b": "FALSE",
"Type": "ProofPointTAPMessagesBlocked_CL",
"_ResourceId": ""
},
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-28T16:05:07.215Z",
"Computer": "",
"RawData": "",
"spamScore_d": "100",
"threatsInfoMap_s": "[\r\n {\r\n \"threatID\": \"1c36d41a2015861f032d329a33b58b3efc67176748da0c8abeed87da01acb13c\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/1c36d41a2015861f032d329a33b58b3efc67176748da0c8abeed87da01acb13c\",\r\n \"threatTime\": \"2020-04-28T14:41:20Z\",\r\n \"threat\": \"demo.mylingositter.com/wp-content/cache/redir\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n }\r\n]",
"messageTime_t": "2020-04-28T15:27:08Z",
"subject_s": "Email Quarantine Report For hjb3@abc.com",
"quarantineRule_s": "module.spam.rule.defaultinbound_spam_definite",
"replyToAddress_s": "[]",
"toAddresses_s": "sanitized@sanitized.com",
"QID_s": "30n3jxuptw-1",
"sender_s": "bdcfaa08a38889403842110ca5f53c17sanitized@sanitized.com",
"recipient_s": "sanitized@sanitized.com",
"senderIP_s": "00.00.00.00",
"messageID_s": "<fb09d87a-2d35-fb04-491c-faa1f5ea3f0bsanitized@sanitized.com>",
"messageParts_s": "[\r\n {\r\n \"disposition\": \"inline\",\r\n \"sha256\": \"dfab02a6bfdba32d3687b3fb8d2cee32ba44c4e3fd7b3a3d92504cd098c32205\",\r\n \"md5\": \"50b6fbb842683b759eef3c6605120720\",\r\n \"filename\": \"text.html\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"text/html\",\r\n \"contentType\": \"text/html\"\r\n }\r\n]",
"headerReplyTo_s": "",
"impostorScore_d": "0",
"malwareScore_d": "0",
"messageSize_d": "7163",
"headerFrom_s": "sanitized@sanitized.com",
"phishScore_d": "100",
"policyRoutes_s": "[\r\n \"default_inbound\",\r\n \"nt_spoofsafe\"\r\n]",
"modulesRun_s": "[\r\n \"access\",\r\n \"dkim\",\r\n \"smtpsrv\",\r\n \"av\",\r\n \"zerohour\",\r\n \"spf\",\r\n \"dkimv\",\r\n \"sandbox\",\r\n \"spam\",\r\n \"dmarc\",\r\n \"pdr\",\r\n \"urldefense\"\r\n]",
"GUID_s": "iCPKKH9mIuOSUjPVg_7TAMaLIYAsvDGK",
"cluster_s": "abc_hosted",
"quarantineFolder_s": "InboundDefiniteSpam",
"fromAddress_s": "[\r\n \"86af00feb0d3bcd4b73f5a0480edd48d@fatima-group.com\"\r\n]",
"ccAddresses_s": "[]",
"xmailer_s": "",
"completelyRewritten_b": "FALSE",
"Type": "ProofPointTAPMessagesBlocked_CL",
"_ResourceId": ""
},
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-28T16:05:07.215Z",
"Computer": "",
"RawData": "",
"spamScore_d": "100",
"threatsInfoMap_s": "[\r\n {\r\n \"threatID\": \"9f06d3cd0968894eaa4f9702c9fc6b6f8455f47973f524d771d2c4b17eaf8cb7\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/9f06d3cd0968894eaa4f9702c9fc6b6f8455f47973f524d771d2c4b17eaf8cb7\",\r\n \"threatTime\": \"2020-02-27T18:24:03Z\",\r\n \"threat\": \"electrotermal.ro/\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n }\r\n]",
"messageTime_t": "2020-04-28T15:25:46Z",
"subject_s": "Sex endured by women is probably greater in!",
"quarantineRule_s": "module.spam.rule.defaultinbound_spam_definite",
"replyToAddress_s": "[]",
"toAddresses_s": "sanitized@sanitized.com",
"QID_s": "30mhgfwy3t-1",
"sender_s": "bdcfaa08a38889403842110ca5f53c17sanitized@sanitized.com",
"recipient_s": "sanitized@sanitized.com",
"senderIP_s": "00.00.00.00",
"messageID_s": "<fb09d87a-2d35-fb04-491c-faa1f5ea3f0bsanitized@sanitized.com>",
"messageParts_s": "[\r\n {\r\n \"disposition\": \"inline\",\r\n \"sha256\": \"e74eb96cdca7e49e42e1c015486301abfd127332889d01ca067350add677d850\",\r\n \"md5\": \"71b5acb455d3fb6db8f821f404fce525\",\r\n \"filename\": \"text.txt\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"text/plain\",\r\n \"contentType\": \"text/plain\"\r\n },\r\n {\r\n \"disposition\": \"inline\",\r\n \"sha256\": \"30b822a528992205caa8343e34ed25cb91b1c2ced887de5574aea4ce1ceb2575\",\r\n \"md5\": \"9029bd45b9a03c5677b29f02afaf5fde\",\r\n \"filename\": \"text.html\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"text/html\",\r\n \"contentType\": \"text/html\"\r\n }\r\n]",
"headerReplyTo_s": "",
"impostorScore_d": "0",
"malwareScore_d": "0",
"messageSize_d": "9701",
"headerFrom_s": "sanitized@sanitized.com",
"phishScore_d": "0",
"policyRoutes_s": "[\r\n \"default_inbound\",\r\n \"nt_spoofsafe\"\r\n]",
"modulesRun_s": "[\r\n \"access\",\r\n \"dkim\",\r\n \"smtpsrv\",\r\n \"av\",\r\n \"zerohour\",\r\n \"spf\",\r\n \"dkimv\",\r\n \"sandbox\",\r\n \"spam\",\r\n \"dmarc\",\r\n \"pdr\",\r\n \"urldefense\"\r\n]",
"GUID_s": "25FrcWFqMhtVNJnQGTKxHUR-JbvOq71j",
"cluster_s": "abc_hosted",
"quarantineFolder_s": "InboundDefiniteSpam",
"fromAddress_s": "[\r\n \"operaciones@mundicomex.com\"\r\n]",
"ccAddresses_s": "[]",
"xmailer_s": "",
"completelyRewritten_b": "FALSE",
"Type": "ProofPointTAPMessagesBlocked_CL",
"_ResourceId": ""
}
]

392
Sample Data/Custom/ProofPointTAPMessagesDelivered_CL_sample_data.json Normal file
Просмотреть файл

@ -0,0 +1,392 @@
[
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-22T23:40:01.419Z",
"Computer": "",
"RawData": "",
"spamScore_d": "100",
"threatsInfoMap_s": "[\r\n {\r\n \"threatID\": \"65a356c8681001be6d9ff87b57808f9398006e31c027cedb9cfd51c30c2c8d42\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"malware\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/65a356c8681001be6d9ff87b57808f9398006e31c027cedb9cfd51c30c2c8d42\",\r\n \"threatTime\": \"2020-04-22T23:03:51Z\",\r\n \"threat\": \"http://secure.signup-page.com/\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n }\r\n]",
"messageTime_t": "2020-04-18T05:35:19Z",
"subject_s": "Your Reporting Statements Are Ready at WCM Investment Management's Client Portal",
"quarantineRule_s": "module.access.rule.capture_prerewrite",
"replyToAddress_s": "[]",
"toAddresses_s": "[\r\n \"aw108@abc.com\"\r\n]",
"QID_s": "03I5YVvs004766",
"sender_s": "sanatized@sanatized.com",
"recipient_s": "[\r\n \"aw108@abc.com\"\r\n]",
"senderIP_s": "00.00.00.00",
"messageID_s": "<8Culw000000000000000000000000000000000000000000000Q8YY5H00e7HuvHqvQ2CNwW-noEK2jQsanatized@sanatized.com>",
"messageParts_s": "[\r\n {\r\n \"disposition\": \"inline\",\r\n \"sha256\": \"59fa658852e9677fcbed74e7140dbd698696657c6ab32e3a3d4942ddf39c08f9\",\r\n \"md5\": \"ee2c83354b0226926d591d8da42bc935\",\r\n \"filename\": \"text.txt\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"text/plain\",\r\n \"contentType\": \"text/plain\"\r\n },\r\n {\r\n \"disposition\": \"inline\",\r\n \"sha256\": \"f3370b7d844d70f1f0822dd1932ef1010aa05f888862221522860c0fdb487ab2\",\r\n \"md5\": \"149598a811bdc5c84b5023050d6e4025\",\r\n \"filename\": \"text.html\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"text/html\",\r\n \"contentType\": \"text/html\"\r\n }\r\n]",
"headerReplyTo_s": "",
"impostorScore_d": "0",
"malwareScore_d": "0",
"messageSize_d": "103401",
"headerFrom_s": "sanatized@sanatized.com",
"phishScore_d": "0",
"policyRoutes_s": "[\r\n \"default_inbound\",\r\n \"pp_spoofsafe\"\r\n]",
"modulesRun_s": "[\r\n \"access\",\r\n \"dkim\",\r\n \"smtpsrv\",\r\n \"av\",\r\n \"zerohour\",\r\n \"spf\",\r\n \"dkimv\",\r\n \"sandbox\",\r\n \"spam\",\r\n \"dmarc\",\r\n \"pdr\",\r\n \"urldefense\"\r\n]",
"GUID_s": "aBCDeFGsFjKEUROJsjfwk[efpIRUoewp[",
"quarantineFolder_s": "prerewrite_format",
"xmailer_s": "",
"cluster_s": "xyz_hosted",
"fromAddress_s": "sanatized@sanatized.com",
"ccAddresses_s": "[]",
"completelyRewritten_b": "FALSE",
"Type": "ProofPointTAPMessagesDelivered_CL",
"_ResourceId": ""
},
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-23T00:55:01.575Z",
"Computer": "",
"RawData": "",
"spamScore_d": "1",
"threatsInfoMap_s": "[\r\n {\r\n \"threatID\": \"63dc25289ed9541c3de5221172eaaa3dfb500c3c0e53d9584603be2940933408\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/63dc25289ed9541c3de5221172eaaa3dfb500c3c0e53d9584603be2940933408\",\r\n \"threatTime\": \"2020-04-23T00:40:08Z\",\r\n \"threat\": \"https://www.baysidejetsbasketball.com.au/wp-admin/service/index.php?email=ac177@abc.com\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n },\r\n {\r\n \"threatID\": \"709159328137b804758e6dfef3cf4db23508230952a38157ba92a8082f8377c6\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/709159328137b804758e6dfef3cf4db23508230952a38157ba92a8082f8377c6\",\r\n \"threatTime\": \"2020-04-23T00:41:56Z\",\r\n \"threat\": \"www.baysidejetsbasketball.com.au/wp-admin/service/\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n },\r\n {\r\n \"threatID\": \"b24644bbe86e91a94f07e94bc145a70cbf1770410bd0bc9e5adcc3a81632f88a\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/b24644bbe86e91a94f07e94bc145a70cbf1770410bd0bc9e5adcc3a81632f88a\",\r\n \"threatTime\": \"2020-04-23T00:39:53Z\",\r\n \"threat\": \"www.baysidejetsbasketball.com.au/wp-admin/service/index.php\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n }\r\n]",
"messageTime_t": "2020-04-23T00:36:50Z",
"subject_s": "Message From ",
"quarantineRule_s": "module.access.rule.capture_prerewrite",
"replyToAddress_s": "[]",
"toAddresses_s": "[\r\n \"ac177@abc.com\"\r\n]",
"QID_s": "03N0ZL6R011622",
"sender_s": "sanatized@sanatized.com",
"recipient_s": "[\r\n \"ac177@abc.com\"\r\n]",
"senderIP_s": "00.00.00.00",
"messageID_s": "<8Culw000000000000000000000000000000000000000000000Q8YY5H00e7HuvHqvQ2CNwW-noEK2jQsanatized@sanatized.com>",
"messageParts_s": "[\r\n {\r\n \"disposition\": \"inline\",\r\n \"sha256\": \"6e2828bfe958a88030689a7c4d334f78c32b7c033ce43d89208cabf78beb3571\",\r\n \"md5\": \"eb52baecf8a37f82bc0dcb9f9c5a6ae7\",\r\n \"filename\": \"text.html\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"text/html\",\r\n \"contentType\": \"text/html\"\r\n }\r\n]",
"headerReplyTo_s": "",
"impostorScore_d": "0",
"malwareScore_d": "0",
"messageSize_d": "16206",
"headerFrom_s": "sanatized@sanatized.com",
"phishScore_d": "8",
"policyRoutes_s": "[\r\n \"default_inbound\",\r\n \"nt_spoofsafe\"\r\n]",
"modulesRun_s": "[\r\n \"access\",\r\n \"dkim\",\r\n \"smtpsrv\",\r\n \"av\",\r\n \"zerohour\",\r\n \"spf\",\r\n \"dkimv\",\r\n \"sandbox\",\r\n \"spam\",\r\n \"dmarc\",\r\n \"pdr\",\r\n \"urldefense\"\r\n]",
"GUID_s": "aBCDeFGsFjKEUROJsjfwk[efpIRUoewp[",
"quarantineFolder_s": "prerewrite_format",
"xmailer_s": "",
"cluster_s": "xyz_hosted",
"fromAddress_s": "sanatized@sanatized.com",
"ccAddresses_s": "[]",
"completelyRewritten_b": "TRUE",
"Type": "ProofPointTAPMessagesDelivered_CL",
"_ResourceId": ""
},
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-22T20:50:01.613Z",
"Computer": "",
"RawData": "",
"spamScore_d": "0",
"threatsInfoMap_s": "[\r\n {\r\n \"threatID\": \"062fb3cfbbb491f32f0e2e5176a937932b7425d995dc0fc236c8426dca0909c1\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/062fb3cfbbb491f32f0e2e5176a937932b7425d995dc0fc236c8426dca0909c1\",\r\n \"threatTime\": \"2020-04-22T20:41:12Z\",\r\n \"threat\": \"http://ritter1-my.sharepoint.com/:o:/g/personal/rmurray_rittertech_com/ElBNSlQ25CJBgRexZ1iVz1oBhKv_RHKCH_z25MGd_Lx4vA?e=Dd2Wvr\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n },\r\n {\r\n \"threatID\": \"1dd7904f626422cea3f6aa6ea5683500038d6e0079999fb7075259286245cf68\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/1dd7904f626422cea3f6aa6ea5683500038d6e0079999fb7075259286245cf68\",\r\n \"threatTime\": \"2020-04-22T20:40:41Z\",\r\n \"threat\": \"https://ritter1-my.sharepoint.com/:o:/g/personal/rmurray_rittertech_com/ElBNSlQ25CJBgRexZ1iVz1oBhKv_RHKCH_z25MGd_Lx4vA?e=Dd2Wvr\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n }\r\n]",
"messageTime_t": "2020-04-22T20:36:26Z",
"subject_s": "ESTES # OpenBalance",
"quarantineRule_s": "module.access.rule.capture_prerewrite",
"replyToAddress_s": "[]",
"toAddresses_s": "[]",
"QID_s": "03MKZFqE006570",
"sender_s": "sanatized@sanatized.com",
"recipient_s": "[\r\n \"hcd1@abc.com\"\r\n]",
"senderIP_s": "00.00.00.00",
"messageID_s": "<8Culw000000000000000000000000000000000000000000000Q8YY5H00e7HuvHqvQ2CNwW-noEK2jQsanatized@sanatized.com>",
"messageParts_s": "[\r\n {\r\n \"disposition\": \"attached\",\r\n \"sha256\": \"76cebb96c521711f3b610f318bc9e678b02c433e7e1acd5f6cdc06b42050bcdb\",\r\n \"md5\": \"c414b2206003e2d0c45ef02daaf81ddc\",\r\n \"filename\": \"image002.png\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"image/png\",\r\n \"contentType\": \"image/png\"\r\n },\r\n {\r\n \"disposition\": \"inline\",\r\n \"sha256\": \"fd087e4f53310d2b522fb71a3e848719ffcc877c807093120b4643d9a076f8aa\",\r\n \"md5\": \"78d4d96b2b0e856a2ec26845ab33ec01\",\r\n \"filename\": \"text.html\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"text/html\",\r\n \"contentType\": \"text/html\"\r\n },\r\n {\r\n \"disposition\": \"attached\",\r\n \"sha256\": \"57bb6766ac516f8fbb8a6336ed8d28e0f750eb7423b59449e541c4e44e4b7e31\",\r\n \"md5\": \"9b5579945b419d968761113e1694b5e9\",\r\n \"filename\": \"image001.png\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"image/png\",\r\n \"contentType\": \"image/png\"\r\n },\r\n {\r\n \"disposition\": \"inline\",\r\n \"sha256\": \"8cc290ccdb63ae5547c05b4136d39d6a36d8b331eb7522fb88c9c1364f421507\",\r\n \"md5\": \"15233376285fc4042667118ebea79112\",\r\n \"filename\": \"text.txt\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"text/plain\",\r\n \"contentType\": \"text/plain\"\r\n }\r\n]",
"headerReplyTo_s": "",
"impostorScore_d": "0",
"malwareScore_d": "0",
"messageSize_d": "58684",
"headerFrom_s": "sanatized@sanatized.com",
"phishScore_d": "0",
"policyRoutes_s": "[\r\n \"default_inbound\",\r\n \"nt_spoofsafe\"\r\n]",
"modulesRun_s": "[\r\n \"access\",\r\n \"dkim\",\r\n \"smtpsrv\",\r\n \"av\",\r\n \"zerohour\",\r\n \"spf\",\r\n \"dkimv\",\r\n \"sandbox\",\r\n \"spam\",\r\n \"dmarc\",\r\n \"pdr\",\r\n \"urldefense\"\r\n]",
"GUID_s": "aBCDeFGsFjKEUROJsjfwk[efpIRUoewp[",
"quarantineFolder_s": "prerewrite_format",
"xmailer_s": "",
"cluster_s": "xyz_hosted",
"fromAddress_s": "sanatized@sanatized.com",
"ccAddresses_s": "[]",
"completelyRewritten_b": "TRUE",
"Type": "ProofPointTAPMessagesDelivered_CL",
"_ResourceId": ""
},
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-22T20:55:03.515Z",
"Computer": "",
"RawData": "",
"spamScore_d": "0",
"threatsInfoMap_s": "[\r\n {\r\n \"threatID\": \"062fb3cfbbb491f32f0e2e5176a937932b7425d995dc0fc236c8426dca0909c1\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/062fb3cfbbb491f32f0e2e5176a937932b7425d995dc0fc236c8426dca0909c1\",\r\n \"threatTime\": \"2020-04-22T20:41:12Z\",\r\n \"threat\": \"http://ritter1-my.sharepoint.com/:o:/g/personal/rmurray_rittertech_com/ElBNSlQ25CJBgRexZ1iVz1oBhKv_RHKCH_z25MGd_Lx4vA?e=Dd2Wvr\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n },\r\n {\r\n \"threatID\": \"1dd7904f626422cea3f6aa6ea5683500038d6e0079999fb7075259286245cf68\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/1dd7904f626422cea3f6aa6ea5683500038d6e0079999fb7075259286245cf68\",\r\n \"threatTime\": \"2020-04-22T20:40:41Z\",\r\n \"threat\": \"https://ritter1-my.sharepoint.com/:o:/g/personal/rmurray_rittertech_com/ElBNSlQ25CJBgRexZ1iVz1oBhKv_RHKCH_z25MGd_Lx4vA?e=Dd2Wvr\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n }\r\n]",
"messageTime_t": "2020-04-22T20:36:26Z",
"subject_s": "ESTES # OpenBalance",
"quarantineRule_s": "module.access.rule.capture_prerewrite",
"replyToAddress_s": "[]",
"toAddresses_s": "[]",
"QID_s": "03MKZFqE006570",
"sender_s": "sanatized@sanatized.com",
"recipient_s": "[\r\n \"hcd1@abc.com\"\r\n]",
"senderIP_s": "00.00.00.00",
"messageID_s": "<8Culw000000000000000000000000000000000000000000000Q8YY5H00e7HuvHqvQ2CNwW-noEK2jQsanatized@sanatized.com>",
"messageParts_s": "[\r\n {\r\n \"disposition\": \"attached\",\r\n \"sha256\": \"76cebb96c521711f3b610f318bc9e678b02c433e7e1acd5f6cdc06b42050bcdb\",\r\n \"md5\": \"c414b2206003e2d0c45ef02daaf81ddc\",\r\n \"filename\": \"image002.png\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"image/png\",\r\n \"contentType\": \"image/png\"\r\n },\r\n {\r\n \"disposition\": \"inline\",\r\n \"sha256\": \"fd087e4f53310d2b522fb71a3e848719ffcc877c807093120b4643d9a076f8aa\",\r\n \"md5\": \"78d4d96b2b0e856a2ec26845ab33ec01\",\r\n \"filename\": \"text.html\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"text/html\",\r\n \"contentType\": \"text/html\"\r\n },\r\n {\r\n \"disposition\": \"attached\",\r\n \"sha256\": \"57bb6766ac516f8fbb8a6336ed8d28e0f750eb7423b59449e541c4e44e4b7e31\",\r\n \"md5\": \"9b5579945b419d968761113e1694b5e9\",\r\n \"filename\": \"image001.png\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"image/png\",\r\n \"contentType\": \"image/png\"\r\n },\r\n {\r\n \"disposition\": \"inline\",\r\n \"sha256\": \"8cc290ccdb63ae5547c05b4136d39d6a36d8b331eb7522fb88c9c1364f421507\",\r\n \"md5\": \"15233376285fc4042667118ebea79112\",\r\n \"filename\": \"text.txt\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"text/plain\",\r\n \"contentType\": \"text/plain\"\r\n }\r\n]",
"headerReplyTo_s": "",
"impostorScore_d": "0",
"malwareScore_d": "0",
"messageSize_d": "58684",
"headerFrom_s": "sanatized@sanatized.com",
"phishScore_d": "0",
"policyRoutes_s": "[\r\n \"default_inbound\",\r\n \"nt_spoofsafe\"\r\n]",
"modulesRun_s": "[\r\n \"access\",\r\n \"dkim\",\r\n \"smtpsrv\",\r\n \"av\",\r\n \"zerohour\",\r\n \"spf\",\r\n \"dkimv\",\r\n \"sandbox\",\r\n \"spam\",\r\n \"dmarc\",\r\n \"pdr\",\r\n \"urldefense\"\r\n]",
"GUID_s": "aBCDeFGsFjKEUROJsjfwk[efpIRUoewp[",
"quarantineFolder_s": "prerewrite_format",
"xmailer_s": "",
"cluster_s": "xyz_hosted",
"fromAddress_s": "sanatized@sanatized.com",
"ccAddresses_s": "[]",
"completelyRewritten_b": "TRUE",
"Type": "ProofPointTAPMessagesDelivered_CL",
"_ResourceId": ""
},
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-22T18:20:02.035Z",
"Computer": "",
"RawData": "",
"spamScore_d": "0",
"threatsInfoMap_s": "[\r\n {\r\n \"threatID\": \"8023f2ee05679f9ea19e751eca49f3e0110596454425ec8a991fdf0e044b4ce2\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/8023f2ee05679f9ea19e751eca49f3e0110596454425ec8a991fdf0e044b4ce2\",\r\n \"threatTime\": \"2020-04-22T17:40:57Z\",\r\n \"threat\": \"1drv.ms/u/s!AjlmjPDZjfaae2UHleJ83CB2rbI\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n },\r\n {\r\n \"threatID\": \"3e3227973a56db6d3462ae92984530d3c06f1e4e2fa15be7fe3024441c235f55\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/3e3227973a56db6d3462ae92984530d3c06f1e4e2fa15be7fe3024441c235f55\",\r\n \"threatTime\": \"2020-04-22T17:28:07Z\",\r\n \"threat\": \"https://1drv.ms/u/s!AjlmjPDZjfaae2UHleJ83CB2rbI?e=Ws5A6S\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n },\r\n {\r\n \"threatID\": \"7f042f23b265c44188b86bf1338edc6e9f716a26c2fb5ed6fb9a4d5cc66011d6\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/7f042f23b265c44188b86bf1338edc6e9f716a26c2fb5ed6fb9a4d5cc66011d6\",\r\n \"threatTime\": \"2020-04-22T18:06:01Z\",\r\n \"threat\": \"https://1drv.ms/u/s!AjlmjPDZjfaae2UHleJ83CB2rbI\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n }\r\n]",
"messageTime_t": "2020-04-22T17:20:28Z",
"subject_s": "AC Transit - Invoice & Contract Proposal",
"quarantineRule_s": "module.access.rule.capture_prerewrite",
"replyToAddress_s": "[]",
"toAddresses_s": "[]",
"QID_s": "03MHG88G019113",
"sender_s": "sanatized@sanatized.com",
"recipient_s": "[\r\n \"ap242@abc.com\"\r\n]",
"senderIP_s": "00.00.00.00",
"messageID_s": "<8Culw000000000000000000000000000000000000000000000Q8YY5H00e7HuvHqvQ2CNwW-noEK2jQsanatized@sanatized.com>",
"messageParts_s": "[\r\n {\r\n \"disposition\": \"inline\",\r\n \"sha256\": \"c446e9d568a126cb08c9a101103bc1615b2a895accf14fcddb27792b8e323a23\",\r\n \"md5\": \"bae98a4ee32fb2b5920371a0bf8aca84\",\r\n \"filename\": \"text.html\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"text/html\",\r\n \"contentType\": \"text/html\"\r\n },\r\n {\r\n \"disposition\": \"attached\",\r\n \"sha256\": \"a9d941529fe3e8f7f9b358a924c6659f425a27e7832ca1a79233547bd242dc6b\",\r\n \"md5\": \"2125ca5fa3f3348fdcfdc01e6efd6397\",\r\n \"filename\": \"image001.png\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"image/png\",\r\n \"contentType\": \"image/png\"\r\n },\r\n {\r\n \"disposition\": \"inline\",\r\n \"sha256\": \"74054bf60518f33b22651405f09f8fbc92af248d1f7da3d3e2ecc0e8fe74d5f9\",\r\n \"md5\": \"274fc14761bc1e04343c697b336b752a\",\r\n \"filename\": \"text.txt\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"text/plain\",\r\n \"contentType\": \"text/plain\"\r\n }\r\n]",
"headerReplyTo_s": "",
"impostorScore_d": "0",
"malwareScore_d": "0",
"messageSize_d": "47675",
"headerFrom_s": "sanatized@sanatized.com",
"phishScore_d": "0",
"policyRoutes_s": "[\r\n \"default_inbound\",\r\n \"nt_spoofsafe\"\r\n]",
"modulesRun_s": "[\r\n \"access\",\r\n \"dkim\",\r\n \"smtpsrv\",\r\n \"av\",\r\n \"zerohour\",\r\n \"spf\",\r\n \"dkimv\",\r\n \"sandbox\",\r\n \"spam\",\r\n \"dmarc\",\r\n \"pdr\",\r\n \"urldefense\"\r\n]",
"GUID_s": "aBCDeFGsFjKEUROJsjfwk[efpIRUoewp[",
"quarantineFolder_s": "prerewrite_format",
"xmailer_s": "",
"cluster_s": "xyz_hosted",
"fromAddress_s": "sanatized@sanatized.com",
"ccAddresses_s": "[]",
"completelyRewritten_b": "TRUE",
"Type": "ProofPointTAPMessagesDelivered_CL",
"_ResourceId": ""
},
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-22T18:20:02.035Z",
"Computer": "",
"RawData": "",
"spamScore_d": "0",
"threatsInfoMap_s": "[\r\n {\r\n \"threatID\": \"8023f2ee05679f9ea19e751eca49f3e0110596454425ec8a991fdf0e044b4ce2\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/8023f2ee05679f9ea19e751eca49f3e0110596454425ec8a991fdf0e044b4ce2\",\r\n \"threatTime\": \"2020-04-22T17:40:57Z\",\r\n \"threat\": \"1drv.ms/u/s!AjlmjPDZjfaae2UHleJ83CB2rbI\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n },\r\n {\r\n \"threatID\": \"3e3227973a56db6d3462ae92984530d3c06f1e4e2fa15be7fe3024441c235f55\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/3e3227973a56db6d3462ae92984530d3c06f1e4e2fa15be7fe3024441c235f55\",\r\n \"threatTime\": \"2020-04-22T17:28:07Z\",\r\n \"threat\": \"https://1drv.ms/u/s!AjlmjPDZjfaae2UHleJ83CB2rbI?e=Ws5A6S\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n },\r\n {\r\n \"threatID\": \"7f042f23b265c44188b86bf1338edc6e9f716a26c2fb5ed6fb9a4d5cc66011d6\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/7f042f23b265c44188b86bf1338edc6e9f716a26c2fb5ed6fb9a4d5cc66011d6\",\r\n \"threatTime\": \"2020-04-22T18:06:01Z\",\r\n \"threat\": \"https://1drv.ms/u/s!AjlmjPDZjfaae2UHleJ83CB2rbI\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n }\r\n]",
"messageTime_t": "2020-04-22T17:25:35Z",
"subject_s": "AC Transit - Invoice & Contract Proposal",
"quarantineRule_s": "module.access.rule.capture_prerewrite",
"replyToAddress_s": "[]",
"toAddresses_s": "[]",
"QID_s": "03MHJiXH027045",
"sender_s": "sanatized@sanatized.com",
"recipient_s": "[\r\n \"cb73@abc.com\"\r\n]",
"senderIP_s": "00.00.00.00",
"messageID_s": "<8Culw000000000000000000000000000000000000000000000Q8YY5H00e7HuvHqvQ2CNwW-noEK2jQsanatized@sanatized.com>",
"messageParts_s": "[\r\n {\r\n \"disposition\": \"attached\",\r\n \"sha256\": \"a9d941529fe3e8f7f9b358a924c6659f425a27e7832ca1a79233547bd242dc6b\",\r\n \"md5\": \"2125ca5fa3f3348fdcfdc01e6efd6397\",\r\n \"filename\": \"image001.png\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"image/png\",\r\n \"contentType\": \"image/png\"\r\n },\r\n {\r\n \"disposition\": \"inline\",\r\n \"sha256\": \"ea69a68f2513f10a8aa3ea09b4bf7ae8e8e36d707f94b285eb34b5bbbb495bd1\",\r\n \"md5\": \"d5227b0c397dd652915b1bb43c69b8a0\",\r\n \"filename\": \"text.html\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"text/html\",\r\n \"contentType\": \"text/html\"\r\n },\r\n {\r\n \"disposition\": \"inline\",\r\n \"sha256\": \"74054bf60518f33b22651405f09f8fbc92af248d1f7da3d3e2ecc0e8fe74d5f9\",\r\n \"md5\": \"274fc14761bc1e04343c697b336b752a\",\r\n \"filename\": \"text.txt\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"text/plain\",\r\n \"contentType\": \"text/plain\"\r\n }\r\n]",
"headerReplyTo_s": "",
"impostorScore_d": "0",
"malwareScore_d": "0",
"messageSize_d": "47674",
"headerFrom_s": "sanatized@sanatized.com",
"phishScore_d": "0",
"policyRoutes_s": "[\r\n \"default_inbound\",\r\n \"nt_spoofsafe\"\r\n]",
"modulesRun_s": "[\r\n \"access\",\r\n \"dkim\",\r\n \"smtpsrv\",\r\n \"av\",\r\n \"zerohour\",\r\n \"spf\",\r\n \"dkimv\",\r\n \"sandbox\",\r\n \"spam\",\r\n \"dmarc\",\r\n \"pdr\",\r\n \"urldefense\"\r\n]",
"GUID_s": "aBCDeFGsFjKEUROJsjfwk[efpIRUoewp[",
"quarantineFolder_s": "prerewrite_format",
"xmailer_s": "",
"cluster_s": "xyz_hosted",
"fromAddress_s": "sanatized@sanatized.com",
"ccAddresses_s": "[]",
"completelyRewritten_b": "TRUE",
"Type": "ProofPointTAPMessagesDelivered_CL",
"_ResourceId": ""
},
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-22T18:20:02.035Z",
"Computer": "",
"RawData": "",
"spamScore_d": "0",
"threatsInfoMap_s": "[\r\n {\r\n \"threatID\": \"8023f2ee05679f9ea19e751eca49f3e0110596454425ec8a991fdf0e044b4ce2\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/8023f2ee05679f9ea19e751eca49f3e0110596454425ec8a991fdf0e044b4ce2\",\r\n \"threatTime\": \"2020-04-22T17:40:57Z\",\r\n \"threat\": \"1drv.ms/u/s!AjlmjPDZjfaae2UHleJ83CB2rbI\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n },\r\n {\r\n \"threatID\": \"3e3227973a56db6d3462ae92984530d3c06f1e4e2fa15be7fe3024441c235f55\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/3e3227973a56db6d3462ae92984530d3c06f1e4e2fa15be7fe3024441c235f55\",\r\n \"threatTime\": \"2020-04-22T17:28:07Z\",\r\n \"threat\": \"https://1drv.ms/u/s!AjlmjPDZjfaae2UHleJ83CB2rbI?e=Ws5A6S\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n },\r\n {\r\n \"threatID\": \"7f042f23b265c44188b86bf1338edc6e9f716a26c2fb5ed6fb9a4d5cc66011d6\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/7f042f23b265c44188b86bf1338edc6e9f716a26c2fb5ed6fb9a4d5cc66011d6\",\r\n \"threatTime\": \"2020-04-22T18:06:01Z\",\r\n \"threat\": \"https://1drv.ms/u/s!AjlmjPDZjfaae2UHleJ83CB2rbI\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n }\r\n]",
"messageTime_t": "2020-04-22T17:23:53Z",
"subject_s": "AC Transit - Invoice & Contract Proposal",
"quarantineRule_s": "module.access.rule.capture_prerewrite",
"replyToAddress_s": "[]",
"toAddresses_s": "[]",
"QID_s": "03MHKU3K024136",
"sender_s": "sanatized@sanatized.com",
"recipient_s": "[\r\n \"gs60@abc.com\"\r\n]",
"senderIP_s": "00.00.00.00",
"messageID_s": "<8Culw000000000000000000000000000000000000000000000Q8YY5H00e7HuvHqvQ2CNwW-noEK2jQsanatized@sanatized.com>",
"messageParts_s": "[\r\n {\r\n \"disposition\": \"inline\",\r\n \"sha256\": \"bd349a99e36c0c75d36942419a4e949fd69c0c697a009fb41b9840069a3f999e\",\r\n \"md5\": \"9a8e76a72c8c684e8a49ca0c072fb1c6\",\r\n \"filename\": \"text.html\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"text/html\",\r\n \"contentType\": \"text/html\"\r\n },\r\n {\r\n \"disposition\": \"attached\",\r\n \"sha256\": \"a9d941529fe3e8f7f9b358a924c6659f425a27e7832ca1a79233547bd242dc6b\",\r\n \"md5\": \"2125ca5fa3f3348fdcfdc01e6efd6397\",\r\n \"filename\": \"image001.png\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"image/png\",\r\n \"contentType\": \"image/png\"\r\n },\r\n {\r\n \"disposition\": \"inline\",\r\n \"sha256\": \"74054bf60518f33b22651405f09f8fbc92af248d1f7da3d3e2ecc0e8fe74d5f9\",\r\n \"md5\": \"274fc14761bc1e04343c697b336b752a\",\r\n \"filename\": \"text.txt\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"text/plain\",\r\n \"contentType\": \"text/plain\"\r\n }\r\n]",
"headerReplyTo_s": "",
"impostorScore_d": "0",
"malwareScore_d": "0",
"messageSize_d": "47674",
"headerFrom_s": "sanatized@sanatized.com",
"phishScore_d": "0",
"policyRoutes_s": "[\r\n \"default_inbound\",\r\n \"nt_spoofsafe\"\r\n]",
"modulesRun_s": "[\r\n \"access\",\r\n \"dkim\",\r\n \"smtpsrv\",\r\n \"av\",\r\n \"zerohour\",\r\n \"spf\",\r\n \"dkimv\",\r\n \"sandbox\",\r\n \"spam\",\r\n \"dmarc\",\r\n \"pdr\",\r\n \"urldefense\"\r\n]",
"GUID_s": "aBCDeFGsFjKEUROJsjfwk[efpIRUoewp[",
"quarantineFolder_s": "prerewrite_format",
"xmailer_s": "",
"cluster_s": "xyz_hosted",
"fromAddress_s": "sanatized@sanatized.com",
"ccAddresses_s": "[]",
"completelyRewritten_b": "TRUE",
"Type": "ProofPointTAPMessagesDelivered_CL",
"_ResourceId": ""
},
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-22T18:20:02.035Z",
"Computer": "",
"RawData": "",
"spamScore_d": "0",
"threatsInfoMap_s": "[\r\n {\r\n \"threatID\": \"8023f2ee05679f9ea19e751eca49f3e0110596454425ec8a991fdf0e044b4ce2\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/8023f2ee05679f9ea19e751eca49f3e0110596454425ec8a991fdf0e044b4ce2\",\r\n \"threatTime\": \"2020-04-22T17:40:57Z\",\r\n \"threat\": \"1drv.ms/u/s!AjlmjPDZjfaae2UHleJ83CB2rbI\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n },\r\n {\r\n \"threatID\": \"3e3227973a56db6d3462ae92984530d3c06f1e4e2fa15be7fe3024441c235f55\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/3e3227973a56db6d3462ae92984530d3c06f1e4e2fa15be7fe3024441c235f55\",\r\n \"threatTime\": \"2020-04-22T17:28:07Z\",\r\n \"threat\": \"https://1drv.ms/u/s!AjlmjPDZjfaae2UHleJ83CB2rbI?e=Ws5A6S\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n },\r\n {\r\n \"threatID\": \"7f042f23b265c44188b86bf1338edc6e9f716a26c2fb5ed6fb9a4d5cc66011d6\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/7f042f23b265c44188b86bf1338edc6e9f716a26c2fb5ed6fb9a4d5cc66011d6\",\r\n \"threatTime\": \"2020-04-22T18:06:01Z\",\r\n \"threat\": \"https://1drv.ms/u/s!AjlmjPDZjfaae2UHleJ83CB2rbI\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n }\r\n]",
"messageTime_t": "2020-04-22T17:21:28Z",
"subject_s": "AC Transit - Invoice & Contract Proposal",
"quarantineRule_s": "module.access.rule.capture_prerewrite",
"replyToAddress_s": "[]",
"toAddresses_s": "[]",
"QID_s": "03MHG9fM019116",
"sender_s": "sanatized@sanatized.com",
"recipient_s": "[\r\n \"lies.michael@abc.com\"\r\n]",
"senderIP_s": "00.00.00.00",
"messageID_s": "<8Culw000000000000000000000000000000000000000000000Q8YY5H00e7HuvHqvQ2CNwW-noEK2jQsanatized@sanatized.com>",
"messageParts_s": "[\r\n {\r\n \"disposition\": \"attached\",\r\n \"sha256\": \"a9d941529fe3e8f7f9b358a924c6659f425a27e7832ca1a79233547bd242dc6b\",\r\n \"md5\": \"2125ca5fa3f3348fdcfdc01e6efd6397\",\r\n \"filename\": \"image001.png\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"image/png\",\r\n \"contentType\": \"image/png\"\r\n },\r\n {\r\n \"disposition\": \"inline\",\r\n \"sha256\": \"8221b7dfd8bcd314bd178790ad151959304b5a625921207961fa04d3857fee08\",\r\n \"md5\": \"e9a177cc1511d59edfdf696b313594e1\",\r\n \"filename\": \"text.html\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"text/html\",\r\n \"contentType\": \"text/html\"\r\n },\r\n {\r\n \"disposition\": \"inline\",\r\n \"sha256\": \"74054bf60518f33b22651405f09f8fbc92af248d1f7da3d3e2ecc0e8fe74d5f9\",\r\n \"md5\": \"274fc14761bc1e04343c697b336b752a\",\r\n \"filename\": \"text.txt\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"text/plain\",\r\n \"contentType\": \"text/plain\"\r\n }\r\n]",
"headerReplyTo_s": "",
"impostorScore_d": "0",
"malwareScore_d": "0",
"messageSize_d": "47682",
"headerFrom_s": "sanatized@sanatized.com",
"phishScore_d": "0",
"policyRoutes_s": "[\r\n \"default_inbound\",\r\n \"nt_spoofsafe\"\r\n]",
"modulesRun_s": "[\r\n \"access\",\r\n \"dkim\",\r\n \"smtpsrv\",\r\n \"av\",\r\n \"zerohour\",\r\n \"spf\",\r\n \"dkimv\",\r\n \"sandbox\",\r\n \"spam\",\r\n \"dmarc\",\r\n \"pdr\",\r\n \"urldefense\"\r\n]",
"GUID_s": "aBCDeFGsFjKEUROJsjfwk[efpIRUoewp[",
"quarantineFolder_s": "prerewrite_format",
"xmailer_s": "",
"cluster_s": "xyz_hosted",
"fromAddress_s": "sanatized@sanatized.com",
"ccAddresses_s": "[]",
"completelyRewritten_b": "TRUE",
"Type": "ProofPointTAPMessagesDelivered_CL",
"_ResourceId": ""
},
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-22T18:20:02.035Z",
"Computer": "",
"RawData": "",
"spamScore_d": "0",
"threatsInfoMap_s": "[\r\n {\r\n \"threatID\": \"8023f2ee05679f9ea19e751eca49f3e0110596454425ec8a991fdf0e044b4ce2\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/8023f2ee05679f9ea19e751eca49f3e0110596454425ec8a991fdf0e044b4ce2\",\r\n \"threatTime\": \"2020-04-22T17:40:57Z\",\r\n \"threat\": \"1drv.ms/u/s!AjlmjPDZjfaae2UHleJ83CB2rbI\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n },\r\n {\r\n \"threatID\": \"3e3227973a56db6d3462ae92984530d3c06f1e4e2fa15be7fe3024441c235f55\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/3e3227973a56db6d3462ae92984530d3c06f1e4e2fa15be7fe3024441c235f55\",\r\n \"threatTime\": \"2020-04-22T17:28:07Z\",\r\n \"threat\": \"https://1drv.ms/u/s!AjlmjPDZjfaae2UHleJ83CB2rbI?e=Ws5A6S\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n },\r\n {\r\n \"threatID\": \"7f042f23b265c44188b86bf1338edc6e9f716a26c2fb5ed6fb9a4d5cc66011d6\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/7f042f23b265c44188b86bf1338edc6e9f716a26c2fb5ed6fb9a4d5cc66011d6\",\r\n \"threatTime\": \"2020-04-22T18:06:01Z\",\r\n \"threat\": \"https://1drv.ms/u/s!AjlmjPDZjfaae2UHleJ83CB2rbI\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n }\r\n]",
"messageTime_t": "2020-04-22T17:20:29Z",
"subject_s": "AC Transit - Invoice & Contract Proposal",
"quarantineRule_s": "module.access.rule.capture_prerewrite",
"replyToAddress_s": "[]",
"toAddresses_s": "[]",
"QID_s": "03MHG7Nq019107",
"sender_s": "sanatized@sanatized.com",
"recipient_s": "[\r\n \"aer3@abc.com\"\r\n]",
"senderIP_s": "00.00.00.00",
"messageID_s": "<8Culw000000000000000000000000000000000000000000000Q8YY5H00e7HuvHqvQ2CNwW-noEK2jQsanatized@sanatized.com>",
"messageParts_s": "[\r\n {\r\n \"disposition\": \"inline\",\r\n \"sha256\": \"d693a839395bac264d702878dc10f10b5a7ce44ae645c0fe5599d9419796fea9\",\r\n \"md5\": \"50a098a6224807db4bbddd650a370bf2\",\r\n \"filename\": \"text.html\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"text/html\",\r\n \"contentType\": \"text/html\"\r\n },\r\n {\r\n \"disposition\": \"attached\",\r\n \"sha256\": \"a9d941529fe3e8f7f9b358a924c6659f425a27e7832ca1a79233547bd242dc6b\",\r\n \"md5\": \"2125ca5fa3f3348fdcfdc01e6efd6397\",\r\n \"filename\": \"image001.png\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"image/png\",\r\n \"contentType\": \"image/png\"\r\n },\r\n {\r\n \"disposition\": \"inline\",\r\n \"sha256\": \"74054bf60518f33b22651405f09f8fbc92af248d1f7da3d3e2ecc0e8fe74d5f9\",\r\n \"md5\": \"274fc14761bc1e04343c697b336b752a\",\r\n \"filename\": \"text.txt\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"text/plain\",\r\n \"contentType\": \"text/plain\"\r\n }\r\n]",
"headerReplyTo_s": "",
"impostorScore_d": "0",
"malwareScore_d": "0",
"messageSize_d": "52014",
"headerFrom_s": "sanatized@sanatized.com",
"phishScore_d": "0",
"policyRoutes_s": "[\r\n \"default_inbound\",\r\n \"nt_spoofsafe\",\r\n \"allow_relay\",\r\n \"firewallsafe\",\r\n \"internalnet\"\r\n]",
"modulesRun_s": "[\r\n \"access\",\r\n \"dkim\",\r\n \"smtpsrv\",\r\n \"av\",\r\n \"zerohour\",\r\n \"sandbox\",\r\n \"spam\",\r\n \"urldefense\"\r\n]",
"GUID_s": "aBCDeFGsFjKEUROJsjfwk[efpIRUoewp[",
"quarantineFolder_s": "prerewrite_format",
"xmailer_s": "",
"cluster_s": "xyz_hosted",
"fromAddress_s": "sanatized@sanatized.com",
"ccAddresses_s": "[]",
"completelyRewritten_b": "TRUE",
"Type": "ProofPointTAPMessagesDelivered_CL",
"_ResourceId": ""
},
{
"TenantId": "00000000-0000-0000-0000-00000000000",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-04-22T18:20:02.035Z",
"Computer": "",
"RawData": "",
"spamScore_d": "0",
"threatsInfoMap_s": "[\r\n {\r\n \"threatID\": \"8023f2ee05679f9ea19e751eca49f3e0110596454425ec8a991fdf0e044b4ce2\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/8023f2ee05679f9ea19e751eca49f3e0110596454425ec8a991fdf0e044b4ce2\",\r\n \"threatTime\": \"2020-04-22T17:40:57Z\",\r\n \"threat\": \"1drv.ms/u/s!AjlmjPDZjfaae2UHleJ83CB2rbI\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n },\r\n {\r\n \"threatID\": \"3e3227973a56db6d3462ae92984530d3c06f1e4e2fa15be7fe3024441c235f55\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/3e3227973a56db6d3462ae92984530d3c06f1e4e2fa15be7fe3024441c235f55\",\r\n \"threatTime\": \"2020-04-22T17:28:07Z\",\r\n \"threat\": \"https://1drv.ms/u/s!AjlmjPDZjfaae2UHleJ83CB2rbI?e=Ws5A6S\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n },\r\n {\r\n \"threatID\": \"7f042f23b265c44188b86bf1338edc6e9f716a26c2fb5ed6fb9a4d5cc66011d6\",\r\n \"threatStatus\": \"active\",\r\n \"classification\": \"phish\",\r\n \"threatUrl\": \"https://threatinsight.proofpoint.com/314893f9-d777-b28e-8349-41ae02d88d57/threat/email/7f042f23b265c44188b86bf1338edc6e9f716a26c2fb5ed6fb9a4d5cc66011d6\",\r\n \"threatTime\": \"2020-04-22T18:06:01Z\",\r\n \"threat\": \"https://1drv.ms/u/s!AjlmjPDZjfaae2UHleJ83CB2rbI\",\r\n \"campaignID\": null,\r\n \"threatType\": \"url\"\r\n }\r\n]",
"messageTime_t": "2020-04-22T17:20:29Z",
"subject_s": "AC Transit - Invoice & Contract Proposal",
"quarantineRule_s": "module.access.rule.capture_prerewrite",
"replyToAddress_s": "[]",
"toAddresses_s": "[]",
"QID_s": "03MHG88O019113",
"sender_s": "sanatized@sanatized.com",
"recipient_s": "[\r\n \"pf22@abc.com\"\r\n]",
"senderIP_s": "00.00.00.00",
"messageID_s": "<8Culw000000000000000000000000000000000000000000000Q8YY5H00e7HuvHqvQ2CNwW-noEK2jQsanatized@sanatized.com>",
"messageParts_s": "[\r\n {\r\n \"disposition\": \"inline\",\r\n \"sha256\": \"d693a839395bac264d702878dc10f10b5a7ce44ae645c0fe5599d9419796fea9\",\r\n \"md5\": \"50a098a6224807db4bbddd650a370bf2\",\r\n \"filename\": \"text.html\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"text/html\",\r\n \"contentType\": \"text/html\"\r\n },\r\n {\r\n \"disposition\": \"attached\",\r\n \"sha256\": \"a9d941529fe3e8f7f9b358a924c6659f425a27e7832ca1a79233547bd242dc6b\",\r\n \"md5\": \"2125ca5fa3f3348fdcfdc01e6efd6397\",\r\n \"filename\": \"image001.png\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"image/png\",\r\n \"contentType\": \"image/png\"\r\n },\r\n {\r\n \"disposition\": \"inline\",\r\n \"sha256\": \"74054bf60518f33b22651405f09f8fbc92af248d1f7da3d3e2ecc0e8fe74d5f9\",\r\n \"md5\": \"274fc14761bc1e04343c697b336b752a\",\r\n \"filename\": \"text.txt\",\r\n \"sandboxStatus\": null,\r\n \"oContentType\": \"text/plain\",\r\n \"contentType\": \"text/plain\"\r\n }\r\n]",
"headerReplyTo_s": "",
"impostorScore_d": "0",
"malwareScore_d": "0",
"messageSize_d": "52014",
"headerFrom_s": "sanatized@sanatized.com",
"phishScore_d": "0",
"policyRoutes_s": "[\r\n \"default_inbound\",\r\n \"nt_spoofsafe\",\r\n \"allow_relay\",\r\n \"firewallsafe\",\r\n \"internalnet\"\r\n]",
"modulesRun_s": "[\r\n \"access\",\r\n \"dkim\",\r\n \"smtpsrv\",\r\n \"av\",\r\n \"zerohour\",\r\n \"sandbox\",\r\n \"spam\",\r\n \"urldefense\"\r\n]",
"GUID_s": "aBCDeFGsFjKEUROJsjfwk[efpIRUoewp[",
"quarantineFolder_s": "prerewrite_format",
"xmailer_s": "",
"cluster_s": "xyz_hosted",
"fromAddress_s": "sanatized@sanatized.com",
"ccAddresses_s": "[]",
"completelyRewritten_b": "TRUE",
"Type": "ProofPointTAPMessagesDelivered_CL",
"_ResourceId": ""
}
]

462
Sample Data/Custom/QualysHostDetection_CL.json Normal file
Просмотреть файл

Различия файлов скрыты, потому что одна или несколько строк слишком длинны

42
Workbooks/Images/Logos/proofpointlogo.svg Normal file
Просмотреть файл

@ -0,0 +1,42 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- Generator: Adobe Illustrator 19.2.1, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->
<svg version="1.1" id="layer" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
viewBox="0 0 652 652" style="enable-background:new 0 0 652 652;" xml:space="preserve">
<style type="text/css">
.st0{fill:#231F20;}
</style>
<g id="Layer_2">
<g id="Layer_1-2">
<path class="st0" d="M597.7,352.5v-12.8h-4.4c-4.8,0-5.9-0.7-5.9-4.1v-35.2h10.4v-11.9h-10.4v-17.3h-17.8v17.3h-8.9v11.9h8.9v34.3
c0,13.3,3.2,18.1,18,18.1C589.4,352.9,592.8,352.6,597.7,352.5"/>
<path class="st0" d="M495.5,352.1h18v-37.7c0-8.4,5.4-13.4,13.8-13.4c7.7,0,10.4,4.1,10.4,12.7v38.4h18v-43.3
c0-14.6-7.3-21.9-22.1-21.9c-8.5,0-15.3,3.1-20.4,9.2v-7.5h-17.6V352.1z"/>
<rect x="466.5" y="266.1" class="st0" width="18" height="15.4"/>
<rect x="466.5" y="288.5" class="st0" width="18" height="63.5"/>
<path class="st0" d="M409.7,320.2c0-12.7,5.8-19.6,15.8-19.6c10,0,15.7,6.9,15.7,19.6c0,12.7-5.7,19.7-15.7,19.7
S409.7,332.9,409.7,320.2 M391.5,320.2c0,21.2,12.9,34,34,34s34-12.8,34-34c0-21.2-12.9-34-34-34S391.5,299,391.5,320.2"/>
<path class="st0" d="M367.9,320.7c0,11.8-5.7,18.8-14.5,18.8c-9.5,0-15-6.7-15-18.8c0-13,5.2-19.7,14.7-19.7
C362.4,301,367.9,307.8,367.9,320.7 M320.8,377.5h17.5v-33.4c4.4,6.6,11.3,10,19.9,10c15.7,0,27.6-13.3,27.6-34.2
c0-20.3-11.6-33.6-27.8-33.6c-8.7,0-14.8,3.4-20,10.8v-8.6h-17.1V377.5z"/>
<path class="st0" d="M284.3,352.1h17.6v-51.6H313v-11.9h-11.3v-4.4c0-4.1,1.6-4.8,6.6-4.8h4.7v-13.5c-3.2-0.2-5.9-0.4-8.6-0.4
c-13.8,0-20.1,5.3-20.1,17.2v5.9h-9.6v11.9h9.6L284.3,352.1z"/>
<path class="st0" d="M223.8,320.2c0-12.7,5.8-19.6,15.8-19.6c10,0,15.7,6.9,15.7,19.6c0,12.7-5.7,19.7-15.7,19.7
C229.6,340,223.8,332.9,223.8,320.2 M205.6,320.2c0,21.2,12.9,34,34,34c21.1,0,34-12.8,34-34c0-21.2-12.9-34-34-34
C218.4,286.3,205.5,299.1,205.6,320.2"/>
<path class="st0" d="M151.6,320.2c0-12.7,5.8-19.6,15.8-19.6s15.7,6.9,15.7,19.6c0,12.7-5.7,19.7-15.7,19.7
S151.6,332.9,151.6,320.2 M133.4,320.2c0,21.2,12.9,34,34,34s34-12.8,34-34s-12.9-34-34-34S133.4,299.1,133.4,320.2"/>
<path class="st0" d="M92.7,352.1h18v-33.6c0-9.6,5.1-14.4,14.8-14.4h5.9v-17.2c-0.9-0.1-1.8-0.1-2.7-0.1
c-8.6,0-14.7,3.9-19.4,12.7v-10.9H92.7V352.1z"/>
<path class="st0" d="M67.6,320.7c0,11.8-5.7,18.8-14.5,18.8c-9.5,0-15-6.7-15-18.8c0-13,5.2-19.7,14.7-19.7S67.7,307.8,67.6,320.7
M20.6,377.5H38v-33.4c4.4,6.6,11.3,10,19.9,10c15.7,0,27.6-13.3,27.6-34.2c0-20.3-11.6-33.6-27.8-33.6c-8.7,0-14.8,3.4-20,10.8
v-8.6H20.6V377.5z"/>
<path class="st0" d="M620.6,346.8c0.1,3.9-2.9,7.1-6.8,7.2c-3.9,0.1-7.1-2.9-7.2-6.8c-0.1-3.9,2.9-7.1,6.8-7.2c0.1,0,0.2,0,0.3,0
C617.4,339.9,620.5,343,620.6,346.8C620.6,346.8,620.6,346.8,620.6,346.8z M608.3,346.8c-0.1,2.9,2.2,5.4,5.1,5.5
c0.1,0,0.1,0,0.2,0c2.9,0,5.2-2.4,5.2-5.2c0-0.1,0-0.1,0-0.2c0.1-2.9-2.1-5.4-5-5.5c-2.9-0.1-5.4,2.1-5.5,5
C608.3,346.5,608.3,346.7,608.3,346.8L608.3,346.8z M612.5,350.4h-1.6v-6.8c0.9-0.2,1.7-0.2,2.6-0.2c0.8-0.1,1.6,0.1,2.4,0.5
c0.4,0.4,0.7,0.9,0.7,1.5c-0.1,0.8-0.6,1.4-1.4,1.6v0.1c0.7,0.3,1.2,0.9,1.2,1.6c0.1,0.6,0.2,1.2,0.5,1.7h-1.7
c-0.3-0.5-0.4-1.1-0.5-1.7c-0.1-0.8-0.5-1.1-1.4-1.1h-0.8L612.5,350.4z M612.5,346.5h0.8c0.9,0,1.6-0.3,1.6-1s-0.5-1-1.5-1
c-0.3,0-0.6,0-0.9,0.1V346.5z"/>
</g>
</g>
</svg>
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 3.3 KiB

1
Workbooks/Images/Logos/qualys_logo.svg Normal file
Просмотреть файл

Различия файлов скрыты, потому что одна или несколько строк слишком длинны
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 50 KiB

39
Workbooks/Images/Logos/vmwarecarbonblack_logo.svg Normal file
Просмотреть файл

@ -0,0 +1,39 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- Generator: Adobe Illustrator 19.2.1, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->
<svg version="1.1" id="layer" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
viewBox="0 0 652 652" style="enable-background:new 0 0 652 652;" xml:space="preserve">
<style type="text/css">
.st0{fill:#0A0A0A;}
</style>
<path class="st0" d="M620,339.1h-10.2l-5.1,8.8l5.1,8.8H620l5.1-8.8L620,339.1 M598.5,308.2h-12.7l-8.9,15.3c-1.1,1.6-1.5,2.6-4,2.7
h-6.1v-33.9h-11.4v64.4h11.4v-20.1h5c2.4,0.1,2.9,1,3.8,2.5l10.1,17.6h12.8l-14-24.3L598.5,308.2z M547.1,312.8
c-1.8-1.4-3.7-2.6-5.8-3.5c-3.2-1.4-6.6-2.1-10.1-2.1c-4.5,0-9,1.2-12.9,3.5c-3.9,2.2-7.2,5.4-9.5,9.3c-2.3,3.8-3.6,8.1-3.6,12.5
c0,4.4,1.2,8.8,3.6,12.6c2.3,3.9,5.6,7.1,9.5,9.3c7.1,4.1,15.7,4.6,23.2,1.3c2-0.9,4-2.1,5.7-3.5l-5.1-8.9c-1.4,1.5-3,2.7-4.8,3.5
c-1.9,0.9-4,1.4-6,1.4c-2.6,0-5.1-0.7-7.3-2.1c-2.2-1.4-4.1-3.4-5.3-5.7c-1.3-2.4-2-5.1-2-7.8c0-2.7,0.7-5.4,2-7.7
c1.2-2.3,3.1-4.3,5.3-5.7c2.2-1.4,4.7-2.1,7.3-2.1c4.1,0,8,1.8,10.7,4.8l3.9-6.8L547.1,312.8z M476.8,307.1
c-6.1,0-12.5,1.7-19.3,5.1l4.4,7.7c4-1.9,8.2-3.4,12.6-3.4c8.1,0,11.1,4.2,11.6,9.7h-13.3c-10.9,0-19.8,6.6-19.8,16.1
c0,9.4,7.8,15.5,18.1,15.5c5.6,0,11.4-2.1,15-6.6v5.5h11.5v-29.1C497.6,315.3,489.6,307.1,476.8,307.1L476.8,307.1z M486.1,340.1
c0,4.6-4.6,9.4-12.4,9.4c-5.4,0-9.5-2.9-9.5-7.5c0-4.6,4.6-7.6,10.3-7.6h11.6L486.1,340.1z M433.2,292.3h11.4v64.4h-11.4V292.3z
M412.5,322.7c6-3.2,9.1-8,9.1-14.2c0-2.9-0.8-5.8-2.4-8.3c-1.7-2.5-4-4.5-6.7-5.8c-2.9-1.4-6.1-2.1-9.8-2h-31.3v64.3h32.5
c3.9-0.1,7.5-0.8,10.6-2.3c3-1.4,5.5-3.5,7.3-6.2c1.8-2.7,2.7-5.8,2.6-9c0-3.4-1.1-6.7-3.1-9.5C419.1,326.8,416.2,324.5,412.5,322.7
L412.5,322.7z M382.6,302.5h17.1c2.9,0,5.2,0.7,7.1,2.2c1.8,1.3,2.8,3.5,2.8,5.7c0,2.2-0.9,4.1-2.8,5.6s-4.2,2.2-7.1,2.2h-17.1
V302.5z M409.2,344c-2,1.7-4.6,2.6-7.8,2.6h-18.8v-18.3h18.8c3.2,0,5.8,0.9,7.8,2.6c3.6,3.1,4.1,8.6,1,12.2
C410,343.3,409.6,343.7,409.2,344L409.2,344z M327.6,309.6c-2.8-1.6-6.1-2.4-9.3-2.4c-3,0-6,0.7-8.7,2.1c-2.5,1.3-4.7,3.2-6.3,5.5
v-6.6h-11.4v48.5h11.4v-30.6c0.4-2.6,1.8-5,3.9-6.5c2.2-1.8,5-2.7,7.8-2.6c3,0,5.4,1,7.3,3.1s2.9,4.8,2.8,8.1v28.6h11v-30.8
c0.1-3.4-0.7-6.7-2.3-9.7C332.5,313.4,330.3,311.1,327.6,309.6z M272.2,310.7c-8-4.6-17.8-4.6-25.7,0c-3.9,2.2-7.2,5.4-9.5,9.3
c-2.3,3.8-3.6,8.1-3.6,12.5c0,4.4,1.2,8.8,3.6,12.6c2.3,3.9,5.6,7.1,9.5,9.3c8,4.6,17.8,4.6,25.7,0c3.9-2.3,7.2-5.5,9.5-9.3
c2.3-3.8,3.6-8.1,3.6-12.6c0-4.4-1.2-8.8-3.6-12.5C279.4,316.1,276.1,312.9,272.2,310.7L272.2,310.7z M272,340.3
c-1.3,2.3-3.1,4.3-5.4,5.7c-2.2,1.4-4.7,2.1-7.3,2.1c-2.6,0-5.1-0.7-7.3-2.1c-2.3-1.4-4.1-3.4-5.4-5.7c-1.3-2.4-2-5.1-2-7.8
c0-2.7,0.7-5.4,2-7.7c1.3-2.3,3.2-4.3,5.4-5.7c2.2-1.4,4.7-2.1,7.3-2.1c2.6,0,5.1,0.7,7.3,2.1c4.6,2.9,7.4,8,7.4,13.4
C274.1,335.2,273.4,337.9,272,340.3L272,340.3z M216.6,310.4c-3.4-2.2-7.4-3.3-11.4-3.2c-6.7-0.1-13.1,3.2-16.8,8.8v-23.6h-11.4
v64.4h11.4V349c3.7,5.6,10.1,8.9,16.8,8.8c4,0.1,8-1.1,11.4-3.2c3.4-2.2,6.2-5.3,7.9-9c2-4.1,3-8.6,3-13.1c0-4.5-1-9-3-13
C222.8,315.8,220,312.6,216.6,310.4L216.6,310.4z M212.1,343.7c-2.6,2.9-6,4.4-10,4.4c-4,0-7.3-1.5-9.8-4.4
c-2.6-2.9-3.9-6.7-3.9-11.2s1.4-8.3,3.9-11.2c2.5-2.9,5.8-4.4,9.8-4.4c4.1,0,7.4,1.5,10,4.4c2.6,2.9,3.9,6.6,3.9,11.2
C216.1,337,214.7,340.8,212.1,343.7L212.1,343.7z M151.1,316.1v-7.8h-11.4v48.5h11.4v-23.4c0-4.6,1.6-8.3,4.8-11.1
c3.2-2.8,7.4-3.9,12.5-3.9v-10.1C163.2,308.2,154.6,312,151.1,316.1L151.1,316.1z M110.4,307.1c-6.1,0-12.5,1.7-19.3,5.1l4.4,7.7
c4-1.9,8.2-3.4,12.6-3.4c8.1,0,11.1,4.2,11.6,9.7h-13.3c-10.9,0-19.8,6.6-19.8,16.1c0,9.4,7.8,15.5,18.1,15.5c5.6,0,11.4-2.1,15-6.6
v5.5h11.5v-29.1C131.2,315.3,123.2,307.1,110.4,307.1L110.4,307.1z M119.7,340.1c0,4.6-4.6,9.4-12.4,9.4c-5.4,0-9.5-2.9-9.5-7.5
c0-4.6,4.6-7.6,10.3-7.6h11.6L119.7,340.1z M74.9,340.1c-8.6,8.8-22.7,9.1-31.5,0.5c-8.8-8.6-9.1-22.7-0.5-31.5
c8.6-8.8,22.7-9.1,31.5-0.5c0.2,0.2,0.3,0.3,0.5,0.5l5.6-9.7c-6.1-5.2-13.9-8.1-21.9-8.1c-18.5,0-33.5,14.9-33.5,33.3
s15,33.3,33.5,33.3c8,0,15.8-2.8,21.9-8L74.9,340.1z"/>
</svg>
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 3.9 KiB

Двоичные данные
Workbooks/Images/Preview/ProofpointTAPBlack.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 86 KiB

Двоичные данные
Workbooks/Images/Preview/ProofpointTAPWhite.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 91 KiB

Двоичные данные
Workbooks/Images/Preview/QualysVMBlack.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 91 KiB

Двоичные данные
Workbooks/Images/Preview/QualysVMWhite.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 90 KiB

Двоичные данные
Workbooks/Images/Preview/VMwareCarbonBlack.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 76 KiB

Двоичные данные
Workbooks/Images/Preview/VMwareCarbonWhite.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 73 KiB

1218
Workbooks/ProofpointTAP.json Normal file
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

1718
Workbooks/QualysVM.json Normal file
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

938
Workbooks/VMwareCarbonBlack.json Normal file
Просмотреть файл

@ -0,0 +1,938 @@
{
"version": "Notebook/1.0",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "7276a9d6-ba34-4f06-9a14-785f03cedf52",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"label": "Time Range",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 2419200000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"resourceType": "microsoft.insights/components"
},
{
"id": "e10ce65c-0f31-4def-a81b-2c565d36a1d6",
"version": "KqlParameterItem/1.0",
"name": "EventType",
"label": "Event Type",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "CarbonBlackEvents_CL\n| distinct eventType_s\n| sort by eventType_s asc",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "b7f7d6bb-20af-4f36-9d0e-389147598e04",
"version": "KqlParameterItem/1.0",
"name": "ThreatIndicator",
"label": "Threat Indicator",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "CarbonBlackEvents_CL\r\n| mvexpand todynamic(threatIndicators_s)\r\n| distinct tostring(threatIndicators_s)\r\n| sort by threatIndicators_s asc",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "34e19468-ad9e-4170-bd1e-d9970cc6df5b",
"version": "KqlParameterItem/1.0",
"name": "PriorityType",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "CarbonBlackEvents_CL\r\n| mvexpand todynamic(deviceDetails_targetPriorityType_s)\r\n| distinct tostring(deviceDetails_targetPriorityType_s)\r\n| sort by deviceDetails_targetPriorityType_s asc",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"label": "Priority Type"
},
{
"id": "b06c1de8-163e-4f8a-8cc5-5aa0fe3fccfc",
"version": "KqlParameterItem/1.0",
"name": "Location",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "CarbonBlackEvents_CL\r\n| summarize count() by deviceDetails_deviceLocation_countryName_s\r\n| project deviceDetails_deviceLocation_countryName_s\r\n| order by deviceDetails_deviceLocation_countryName_s asc",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "046ce247-834a-49d5-9896-9d2bd5a559ce",
"version": "KqlParameterItem/1.0",
"name": "SensorOS",
"label": "Sensor OS",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "CarbonBlackEvents_CL\n| distinct deviceDetails_deviceVersion_s\n| sort by deviceDetails_deviceVersion_s asc",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 8"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CarbonBlackEvents_CL\r\n| mvexpand todynamic(threatIndicators_s)\r\n| where threatIndicators_s in ({ThreatIndicator}) or '*' in ({ThreatIndicator})\r\n| where deviceDetails_deviceLocation_countryName_s in ({Location}) or '*' in ({Location})\r\n| where deviceDetails_targetPriorityType_s in ({PriorityType}) or '*' in ({PriorityType})\r\n| where eventType_s in ({EventType}) or '*' in ({EventType})\r\n| where deviceDetails_deviceVersion_s in ({SensorOS}) or '*' in ({SensorOS})\r\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\r\n| summarize count() by bin(eventTime,{TimeRange:grain}), tostring(threatIndicators_s)",
"size": 0,
"title": "Total Events by Threat Indicators",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "threatIndicators_s",
"formatter": 1
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"name": "query - 10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CarbonBlackEvents_CL\r\n| mvexpand todynamic(threatIndicators_s)\r\n| where threatIndicators_s in ({ThreatIndicator}) or '*' in ({ThreatIndicator})\r\n| where deviceDetails_deviceLocation_countryName_s in ({Location}) or '*' in ({Location})\r\n| where deviceDetails_targetPriorityType_s in ({PriorityType}) or '*' in ({PriorityType})\r\n| where eventType_s in ({EventType}) or '*' in ({EventType})\r\n| where deviceDetails_deviceVersion_s in ({SensorOS}) or '*' in ({SensorOS})\r\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\r\n| summarize count() by bin(eventTime, {TimeRange:grain}), deviceDetails_targetPriorityType_s",
"size": 0,
"title": "Total Events by Priority Type",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart",
"chartSettings": {
"seriesLabelSettings": [
{
"seriesName": "MEDIUM",
"color": "orange"
},
{
"seriesName": "HIGH",
"color": "redBright"
}
]
}
},
"customWidth": "50",
"name": "query - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CarbonBlackEvents_CL\n| mvexpand todynamic(threatIndicators_s)\n| where threatIndicators_s in ({ThreatIndicator}) or '*' in ({ThreatIndicator})\n| where deviceDetails_deviceLocation_countryName_s in ({Location}) or '*' in ({Location})\n| where deviceDetails_targetPriorityType_s in ({PriorityType}) or '*' in ({PriorityType})\n| where eventType_s in ({EventType}) or '*' in ({EventType})\n| where deviceDetails_deviceVersion_s in ({SensorOS}) or '*' in ({SensorOS})\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\n| summarize count() by City = netFlow_peerLocation_city_s, netFlow_peerLocation_countryName_s, latitude = netFlow_peerLocation_latitude_d, longitude = netFlow_peerLocation_longitude_d\n| where isnotempty(City)",
"size": 0,
"title": "Net Data Flow by City",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "map",
"mapSettings": {
"locInfo": "LatLong",
"latitude": "latitude",
"longitude": "longitude",
"sizeSettings": "count_",
"sizeAggregation": "Sum",
"labelSettings": "City",
"legendMetric": "count_",
"legendAggregation": "Sum",
"itemColorSettings": {
"nodeColorField": "count_",
"colorAggregation": "Sum",
"type": "heatmap",
"heatmapPalette": "greenRed"
},
"numberFormatSettings": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 1
}
}
}
},
"customWidth": "50",
"name": "query - 17 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CarbonBlackEvents_CL\n| mvexpand todynamic(threatIndicators_s)\n| where threatIndicators_s in ({ThreatIndicator}) or '*' in ({ThreatIndicator})\n| where deviceDetails_deviceLocation_countryName_s in ({Location}) or '*' in ({Location})\n| where deviceDetails_targetPriorityType_s in ({PriorityType}) or '*' in ({PriorityType})\n| where eventType_s in ({EventType}) or '*' in ({EventType})\n| where deviceDetails_deviceVersion_s in ({SensorOS}) or '*' in ({SensorOS})\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\n| summarize count() by City = deviceDetails_deviceLocation_city_s, IPAddress = deviceDetails_deviceIpV4Address_s, Country = deviceDetails_deviceLocation_countryName_s, latitude = deviceDetails_deviceLocation_latitude_d, longitude = deviceDetails_deviceLocation_longitude_d",
"size": 0,
"title": "Endpoint Generated Events by City",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "map",
"mapSettings": {
"locInfo": "LatLong",
"latitude": "latitude",
"longitude": "longitude",
"sizeSettings": "count_",
"sizeAggregation": "Sum",
"labelSettings": "City",
"legendMetric": "count_",
"legendAggregation": "Sum",
"itemColorSettings": {
"nodeColorField": "count_",
"colorAggregation": "Sum",
"type": "heatmap",
"heatmapPalette": "greenRed"
},
"numberFormatSettings": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 1
}
}
}
},
"customWidth": "50",
"name": "query - 17"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CarbonBlackEvents_CL\r\n| mvexpand todynamic(threatIndicators_s)\r\n| where threatIndicators_s in ({ThreatIndicator}) or '*' in ({ThreatIndicator})\r\n| where deviceDetails_deviceLocation_countryName_s in ({Location}) or '*' in ({Location})\r\n| where deviceDetails_targetPriorityType_s in ({PriorityType}) or '*' in ({PriorityType})\r\n| where eventType_s in ({EventType}) or '*' in ({EventType})\r\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\r\n| summarize HIGH = countif(deviceDetails_targetPriorityType_s == \"HIGH\"), MEDIUM = countif(deviceDetails_targetPriorityType_s == \"MEDIUM\"), LOW = countif(deviceDetails_targetPriorityType_s == \"LOW\"), Total = count() by ParentProcess = processDetails_name_s\r\n| top 10 by Total",
"size": 0,
"title": "Top 10 Parent Processes",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "HIGH",
"formatter": 8,
"formatOptions": {
"palette": "redDark"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": true
}
}
},
{
"columnMatch": "MEDIUM",
"formatter": 8,
"formatOptions": {
"palette": "orange"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 1
}
}
},
{
"columnMatch": "LOW",
"formatter": 8,
"formatOptions": {
"palette": "blue"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "Total",
"formatter": 3,
"formatOptions": {
"palette": "yellowOrangeRed"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 1
}
}
},
{
"columnMatch": "Count",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2
}
}
}
],
"labelSettings": [
{
"columnId": "ParentProcess",
"label": "Parent Process"
},
{
"columnId": "HIGH"
},
{
"columnId": "MEDIUM"
},
{
"columnId": "LOW"
},
{
"columnId": "Total"
}
]
},
"sortBy": [],
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "ApplicationName",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"customWidth": "50",
"name": "query - 9 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CarbonBlackEvents_CL\r\n| mvexpand todynamic(threatIndicators_s)\r\n| where threatIndicators_s in ({ThreatIndicator}) or '*' in ({ThreatIndicator})\r\n| where deviceDetails_deviceLocation_countryName_s in ({Location}) or '*' in ({Location})\r\n| where deviceDetails_targetPriorityType_s in ({PriorityType}) or '*' in ({PriorityType})\r\n| where eventType_s in ({EventType}) or '*' in ({EventType})\r\n| where deviceDetails_deviceVersion_s in ({SensorOS}) or '*' in ({SensorOS})\r\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\r\n| summarize count() by eventType_s",
"size": 0,
"title": "Event Types",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "50",
"name": "query - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CarbonBlackEvents_CL\r\n| mvexpand todynamic(threatIndicators_s)\r\n| where threatIndicators_s in ({ThreatIndicator}) or '*' in ({ThreatIndicator})\r\n| where deviceDetails_deviceLocation_countryName_s in ({Location}) or '*' in ({Location})\r\n| where deviceDetails_targetPriorityType_s in ({PriorityType}) or '*' in ({PriorityType})\r\n| where eventType_s in ({EventType}) or '*' in ({EventType})\r\n| where deviceDetails_deviceVersion_s in ({SensorOS}) or '*' in ({SensorOS})\r\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\r\n| summarize count() by targetApp_effectiveReputation_s",
"size": 0,
"title": "Trageted Application Reputation Types",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "50",
"name": "query - 7 - Copy",
"styleSettings": {
"progressStyle": "squares"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CarbonBlackEvents_CL\r\n| where deviceDetails_deviceLocation_countryName_s in ({Location}) or '*' in ({Location})\r\n| where deviceDetails_targetPriorityType_s in ({PriorityType}) or '*' in ({PriorityType})\r\n| where eventType_s in ({EventType}) or '*' in ({EventType})\r\n| where deviceDetails_deviceVersion_s in ({SensorOS}) or '*' in ({SensorOS})\r\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\r\n| summarize Sensors = dcount(deviceDetails_deviceName_s)",
"size": 0,
"title": "Total Sensors",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 3,
"formatOptions": {
"palette": "blue"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": true,
"maximumFractionDigits": 1
}
}
}
]
},
"sortBy": [],
"tileSettings": {
"titleContent": {
"formatter": 1,
"formatOptions": {}
},
"leftContent": {
"columnMatch": "Sensors",
"formatter": 12,
"formatOptions": {
"palette": "auto"
}
},
"showBorder": false,
"size": "auto"
}
},
"customWidth": "20",
"name": "query - 9 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CarbonBlackEvents_CL\r\n| mvexpand todynamic(threatIndicators_s)\r\n| where threatIndicators_s in ({ThreatIndicator}) or '*' in ({ThreatIndicator})\r\n| where deviceDetails_deviceLocation_countryName_s in ({Location}) or '*' in ({Location})\r\n| where deviceDetails_targetPriorityType_s in ({PriorityType}) or '*' in ({PriorityType})\r\n| where eventType_s in ({EventType}) or '*' in ({EventType})\r\n| where deviceDetails_deviceVersion_s in ({SensorOS}) or '*' in ({SensorOS})\r\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\r\n| summarize Total = count() by Sensor = deviceDetails_deviceName_s\r\n| top 10 by Total",
"size": 0,
"title": "Top 10 Event Generating Sensors",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Total",
"formatter": 3,
"formatOptions": {
"palette": "hotCold"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 1
}
}
},
{
"columnMatch": "Count",
"formatter": 3,
"formatOptions": {
"palette": "blue"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": true,
"maximumFractionDigits": 1
}
}
}
]
},
"sortBy": []
},
"customWidth": "40",
"name": "query - 9"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CarbonBlackEvents_CL\r\n| mvexpand todynamic(threatIndicators_s)\r\n| where threatIndicators_s in ({ThreatIndicator}) or '*' in ({ThreatIndicator})\r\n| where deviceDetails_deviceLocation_countryName_s in ({Location}) or '*' in ({Location})\r\n| where deviceDetails_targetPriorityType_s in ({PriorityType}) or '*' in ({PriorityType})\r\n| where eventType_s in ({EventType}) or '*' in ({EventType})\r\n| where deviceDetails_deviceVersion_s in ({SensorOS}) or '*' in ({SensorOS})\r\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\r\n| summarize Total = dcount(deviceDetails_deviceName_s) by ['OS Version'] = deviceDetails_deviceVersion_s",
"size": 0,
"title": "Top 10 Sensor Operating Systems",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Total",
"formatter": 3,
"formatOptions": {
"palette": "blue"
}
}
]
},
"sortBy": []
},
"customWidth": "40",
"name": "query - 9 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CarbonBlackEvents_CL\r\n| mvexpand todynamic(threatIndicators_s)\r\n| where threatIndicators_s in ({ThreatIndicator}) or '*' in ({ThreatIndicator})\r\n| where deviceDetails_deviceLocation_countryName_s in ({Location}) or '*' in ({Location})\r\n| where deviceDetails_targetPriorityType_s in ({PriorityType}) or '*' in ({PriorityType})\r\n| where eventType_s in ({EventType}) or '*' in ({EventType})\r\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\r\n| where targetApp_effectiveReputation_s == \"KNOWN_MALWARE\"\r\n| summarize count() by eventTime, processDetails_fullUserName_s, deviceDetails_deviceName_s, processDetails_targetName_s, targetApp_applicationName_s\r\n| project-away count_\r\n| sort by eventTime desc, deviceDetails_deviceName_s asc",
"size": 0,
"title": "Recent Known Malware Detected",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "HIGH",
"formatter": 8,
"formatOptions": {
"palette": "redDark"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": true
}
}
},
{
"columnMatch": "MEDIUM",
"formatter": 8,
"formatOptions": {
"palette": "orange"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 1
}
}
},
{
"columnMatch": "LOW",
"formatter": 8,
"formatOptions": {
"palette": "blue"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "Total",
"formatter": 3,
"formatOptions": {
"palette": "yellowOrangeRed"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 1
}
}
},
{
"columnMatch": "Count",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2
}
}
}
],
"labelSettings": [
{
"columnId": "eventTime",
"label": "Event Time"
},
{
"columnId": "processDetails_fullUserName_s",
"label": "User"
},
{
"columnId": "deviceDetails_deviceName_s",
"label": "Endpoint"
},
{
"columnId": "processDetails_targetName_s",
"label": "Process Name"
},
{
"columnId": "targetApp_applicationName_s",
"label": "Application Name"
}
]
},
"sortBy": [],
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "ApplicationName",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"customWidth": "50",
"name": "query - 9 - Copy - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CarbonBlackEvents_CL\r\n| mvexpand todynamic(threatIndicators_s)\r\n| where threatIndicators_s in ({ThreatIndicator}) or '*' in ({ThreatIndicator})\r\n| where deviceDetails_deviceLocation_countryName_s in ({Location}) or '*' in ({Location})\r\n| where deviceDetails_targetPriorityType_s in ({PriorityType}) or '*' in ({PriorityType})\r\n| where eventType_s in ({EventType}) or '*' in ({EventType})\r\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\r\n| where targetApp_effectiveReputation_s == \"KNOWN_MALWARE\"\r\n| summarize count() by deviceDetails_deviceName_s, bin(TimeGenerated,{TimeRange:grain})",
"size": 0,
"title": "Known Malware Activity by Endpoint",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart",
"gridSettings": {
"formatters": [
{
"columnMatch": "HIGH",
"formatter": 8,
"formatOptions": {
"palette": "redDark"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": true
}
}
},
{
"columnMatch": "MEDIUM",
"formatter": 8,
"formatOptions": {
"palette": "orange"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 1
}
}
},
{
"columnMatch": "LOW",
"formatter": 8,
"formatOptions": {
"palette": "blue"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2
}
}
},
{
"columnMatch": "Total",
"formatter": 3,
"formatOptions": {
"palette": "yellowOrangeRed"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 1
}
}
},
{
"columnMatch": "Count",
"formatter": 0,
"formatOptions": {},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2
}
}
}
],
"labelSettings": [
{
"columnId": "eventTime",
"label": "Event Time"
},
{
"columnId": "processDetails_fullUserName_s",
"label": "User"
},
{
"columnId": "deviceDetails_deviceName_s",
"label": "Endpoint"
},
{
"columnId": "processDetails_targetName_s",
"label": "Process Name"
},
{
"columnId": "targetApp_applicationName_s",
"label": "Application Name"
}
]
},
"sortBy": [],
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "ApplicationName",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"customWidth": "50",
"name": "query - 9 - Copy - Copy - Copy"
}
],
"fromTemplateId": "sentinel-UserWorkbook",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}

81
Workbooks/WorkbooksMetadata.json
Просмотреть файл

@ -688,6 +688,45 @@
"subtitle": "",
"provider": "Symantec"
},
{
"workbookKey": "PulseConnectSecureWorkbook",
"logoFileName": "",
"description": "Gain insight into Pulse Secure VPN by analyzing, collecting and correlating vulnerability data.\nThis workbook provides visibility into user VPN activities",
"dataTypesDependencies": ["Syslog"],
"dataConnectorsDependencies": [ "PulseConnectSecure" ],
"previewImagesFileNames": [ "PulseConnectSecureWhite.png", "PulseConnectSecureBlack.png" ],
"version": "1.0",
"title": "Pulse Connect Secure",
"templateRelativePath": "PulseConnectSecure.json",
"subtitle": "",
"provider": "Pulse Secure"
},
{
"workbookKey": "InfobloxNIOSWorkbook",
"logoFileName": "infoblox_logo.svg",
"description": "Gain insight into Infoblox NIOS by analyzing, collecting and correlating DHCP and DNS data.\nThis workbook provides visibility into DHCP and DNS traffic",
"dataTypesDependencies": ["Syslog"],
"dataConnectorsDependencies": [ "InfobloxNIOS" ],
"previewImagesFileNames": [ "InfobloxNIOSWhite.png", "InfobloxNIOSBlack.png" ],
"version": "1.0",
"title": "Infoblox NIOS",
"templateRelativePath": "InfobloxNIOS.json",
"subtitle": "",
"provider": "Infoblox"
},
{
"workbookKey": "SymantecVIPWorkbook",
"logoFileName": "symantecVIP_logo.svg",
"description": "Gain insight into Symantec VIP by analyzing, collecting and correlating strong authentication data.\nThis workbook provides visibility into user authentications",
"dataTypesDependencies": ["Syslog"],
"dataConnectorsDependencies": [ "SymantecVIP" ],
"previewImagesFileNames": [ "SymantecVIPWhite.png", "SymantecVIPBlack.png" ],
"version": "1.0",
"title": "Symantec VIP",
"templateRelativePath": "SymantecVIP.json",
"subtitle": "",
"provider": "Symantec"
},
{
"workbookKey": "SysmonThreatHuntingWorkbook",
"logoFileName": "",
@ -701,7 +740,47 @@
"subtitle": "",
"provider": "Edoardo Gerosa"
},
{ "workbookKey": "GitHubSecurityWorkbook",
{
"workbookKey": "VMwareCarbonBlackWorkbook",
"logoFileName": "vmwarecarbonblack_logo.svg",
"description": "Gain extensive insight into VMware Carbon Black Cloud - Endpoint Standard by analyzing, collecting and correlating Event logs.\nThis workbook provides visibility into Carbon Black managed endpoints and identified threat event",
"dataTypesDependencies": [ "CarbonBlackEvents_CL","CarbonBlackNotifications_CL","CarbonBlackAuditLogs_CL" ],
"dataConnectorsDependencies": [ "VMwareCarbonBlack" ],
"previewImagesFileNames": [ "VMwareCarbonWhite.png", "VMwareCarbonBlack.png" ],
"version": "1.0",
"title": "VMware Carbon Black",
"templateRelativePath": "VMwareCarbonBlack.json",
"subtitle": "",
"provider": "VMware"
},
{
"workbookKey": "ProofPointTAPWorkbook",
"logoFileName": "proofpointlogo.svg",
"description": "Gain extensive insight into Proofpoint Targeted Attack Protection (TAP) by analyzing, collecting and correlating TAP log events.\nThis workbook provides visibility into message and click events that were permitted, delivered, or blocked",
"dataTypesDependencies": [ "ProofPointTAPMessagesBlocked_CL", "ProofPointTAPMessagesDelivered_CL", "ProofPointTAPClicksPermitted_CL", "ProofPointTAPClicksBlocked_CL" ],
"dataConnectorsDependencies": [ "ProofpointTAP" ],
"previewImagesFileNames": [ "ProofpointTAPWhite.png", "ProofpointTAPBlack.png" ],
"version": "1.0",
"title": "Proofpoint TAP",
"templateRelativePath": "ProofpointTAP.json",
"subtitle": "",
"provider": "Proofpoint"
},
{
"workbookKey": "QualysVMWorkbook",
"logoFileName": "qualys_logo.svg",
"description": "Gain insight into Qualys Vulnerability Management by analyzing, collecting and correlating vulnerability data.\nThis workbook provides visibility into vulnerabilities detected from vulnerability scans",
"dataTypesDependencies": ["QualysHostDetection_CL"],
"dataConnectorsDependencies": [ "QualysVulnerabilityManagement" ],
"previewImagesFileNames": [ "QualysVMWhite.png", "QualysVMBlack.png" ],
"version": "1.0",
"title": "Qualys Vulnerability Management",
"templateRelativePath": "QualysVM.json",
"subtitle": "",
"provider": "Qualys"
},
{
"workbookKey": "GitHubSecurityWorkbook",
"logoFileName": "github.svg",
"description": "Gain insights to GitHub activities that may be interesting for security.",
"dataTypesDependencies": [ "Github_CL", "GitHubRepoLogs_CL" ],