Merge pull request #1917 from socprime/exabeam_data_conn

Exabeam Data Connector
v-jayakal 2021-03-22 21:20:56 -07:00 коммит произвёл GitHub
Родитель bc947f8189 4fe8064727
Коммит 35ef5ce6ea
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
5 изменённых файлов: 1037 добавлений и 0 удалений


@ -0,0 +1,189 @@
{
"Name": "ExabeamEvent",
"Properties": [
{
"Name": "EventVendor",
"Type": "String"
},
{
"Name": "Service",
"Type": "String"
},
{
"Name": "Status",
"Type": "String"
},
{
"Name": "Id",
"Type": "String"
},
{
"Name": "UrlOriginal",
"Type": "String"
},
{
"Name": "EntityValue",
"Type": "String"
},
{
"Name": "Score",
"Type": "String"
},
{
"Name": "SequenceType",
"Type": "String"
},
{
"Name": "EventStartTime",
"Type": "DateTime"
},
{
"Name": "EventEndTime",
"Type": "DateTime"
},
{
"Name": "SrcUserName",
"Type": "String"
},
{
"Name": "SrcDvcHostname",
"Type": "String"
},
{
"Name": "SrcIpAddr",
"Type": "String"
},
{
"Name": "Labels",
"Type": "String"
},
{
"Name": "Accounts",
"Type": "String"
},
{
"Name": "AssetsCount",
"Type": "String"
},
{
"Name": "Assets",
"Type": "String"
},
{
"Name": "Zones",
"Type": "String"
},
{
"Name": "TopReasons",
"Type": "String"
},
{
"Name": "ReasonsCount",
"Type": "String"
},
{
"Name": "EventsCount",
"Type": "String"
},
{
"Name": "AlertsCount",
"Type": "String"
},
{
"Name": "AssetLabels",
"Type": "String"
},
{
"Name": "AssetLocations",
"Type": "String"
},
{
"Name": "TopUsers",
"Type": "String"
},
{
"Name": "AssetHostname",
"Type": "String"
},
{
"Name": "AssetIpAddress",
"Type": "String"
},
{
"Name": "DstDvcHostname",
"Type": "String"
},
{
"Name": "DstIpAddr",
"Type": "String"
},
{
"Name": "EventTime",
"Type": "DateTime"
},
{
"Name": "EventType",
"Type": "String"
},
{
"Name": "DvcHostname",
"Type": "String"
},
{
"Name": "Domain",
"Type": "String"
},
{
"Name": "Raw",
"Type": "String"
},
{
"Name": "RuleId",
"Type": "String"
},
{
"Name": "RuleName",
"Type": "String"
},
{
"Name": "RuleDescription",
"Type": "String"
},
{
"Name": "App",
"Type": "String"
},
{
"Name": "EventSubType",
"Type": "String"
},
{
"Name": "Activity",
"Type": "String"
},
{
"Name": "AdditionalInfo",
"Type": "String"
},
{
"Name": "JobStatus",
"Type": "String"
},
{
"Name": "JobDetails",
"Type": "String"
},
{
"Name": "JobId",
"Type": "String"
},
{
"Name": "CreatedBy",
"Type": "String"
},
{
"Name": "Timestamp",
"Type": "DateTime"
}
]
}
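Review bot: Score and the five count properties (Score at line 43, AssetsCount, ReasonsCount, EventsCount, AlertsCount) are declared `"Type": "String"`, so every query has to cast before it can compare `Score > 50` or sum counts, even though the sample data shows them holding plain integers ("17", "4", "80"). If the parser is changed to cast these fields, the corresponding entries here should switch to whatever integer type this schema format supports in the same change, so the function and its schema stay in agreement. The schema also omits TimeGenerated while the parser projects it first; presumably that is intentional because it is a built-in column, but worth confirming against the other parser schemas in the repo.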


@ -0,0 +1,156 @@
{
"id": "Exabeam",
"title": "Exabeam Advanced Analytics",
"publisher": "Exabeam",
"descriptionMarkdown": "The [Exabeam Advanced Analytics](https://www.exabeam.com/ueba/advanced-analytics-and-mitre-detect-and-stop-threats/) data connector provides the capability to ingest Exabeam Advanced Analytics events into Azure Sentinel. Refer to [Exabeam Advanced Analytics documentation](https://docs.exabeam.com/) for more information.",
"additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected. Follow the steps to use this Kusto Function alias **ExabeamEvent** in queries and workbooks. [Follow steps to get this Kusto Function>](https://aka.ms/sentinel-Exabeam-parser)",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "Exabeam",
"baseQuery": "ExabeamEvent"
}
],
"sampleQueries": [
{
"description" : "Top 10 Clients (Source IP)",
"query": "ExabeamEvent\n | summarize count() by SrcIpAddr\n | top 10 by count_"
}
],
"dataTypes": [
{
"name": "Syslog (Exabeam)",
"lastDataReceivedQuery": "ExabeamEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"ExabeamEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 2,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "write permission is required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"delete": true
}
}
]
},
"instructionSteps": [
{
"title": "",
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. [Follow these steps](https://aka.ms/sentinel-Exabeam-parser) to create the Kusto Functions alias, **ExabeamEvent**",
"instructions": [
]
},
{
"title": "",
"description": ">**NOTE:** This data connector has been developed using Exabeam Advanced Analytics i54 (Syslog)",
"instructions": [
]
},
{
"title": "1. Install and onboard the agent for Linux or Windows",
"description": "Install the agent on the server where the Exabeam Advanced Analytic logs are generated or forwarded.\n\n> Logs from Exabeam Advanced Analytic deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents.",
"instructions": [
{
"parameters": {
"title": "Choose where to install the Linux agent:",
"instructionSteps": [
{
"title": "Install agent on Azure Linux Virtual Machine",
"description": "Select the machine to install the agent on and then click **Connect**.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxVirtualMachine"
},
"type": "InstallAgent"
}
]
},
{
"title": "Install agent on a non-Azure Linux Machine",
"description": "Download the agent on the relevant machine and follow the instructions.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxNonAzure"
},
"type": "InstallAgent"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
]
},
{
"instructions": [
{
"parameters": {
"title": "Choose where to install the Windows agent:",
"instructionSteps": [
{
"title": "Install agent on Azure Windows Virtual Machine",
"description": "Select the machine to install the agent on and then click **Connect**.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnVirtualMachine"
},
"type": "InstallAgent"
}
]
},
{
"title": "Install agent on a non-Azure Windows Machine",
"description": "Download the agent on the relevant machine and follow the instructions.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnNonAzure"
},
"type": "InstallAgent"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
]
},
{
"title": "2. Configure the logs to be collected",
"description": "Configure the custom log directory to be collected" ,
"instructions": [
{
"parameters": {
"linkType": "OpenAdvancedWorkspaceSettings"
},
"type": "InstallAgent"
}
]
},
{
"title": "3. Configure Exabeam event forwarding to Syslog",
"description": "[Follow these instructions](https://docs.exabeam.com/en/advanced-analytics/i54/advanced-analytics-administration-guide/113254-configure-advanced-analytics.html#UUID-7ce5ff9d-56aa-93f0-65de-c5255b682a08) to send Exabeam Advanced Analytics activity log data via syslog."
}
]
}
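Review bot: `requiredPermissions` at lines 252-255 asks for `"delete": true` on the workspace while `permissionsDisplayText` on line 249 tells the user only "write permission is required."; as far as this file shows the connector only writes to the workspace, so either the delete requirement should be dropped or the display text corrected so the user sees the permission they are actually granting. Step 2 (lines 347-348) says "Configure the custom log directory to be collected", but the data type is `Syslog (Exabeam)` (line 229) and the parser reads the Syslog table, so this step should describe the Syslog collection settings the agent needs rather than a custom log directory. The Windows agent step at line 310 is the only step without a `"title"` key, and `"description": "..." ,` on line 348 carries a stray space before the comma; both are cosmetic but worth aligning with the surrounding steps.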

3
Logos/exabeam.svg Normal file

@ -0,0 +1,3 @@
<svg width="75" height="75" viewBox="0 0 75 75" fill="none" xmlns="http://www.w3.org/2000/svg">
<path d="M45.9 16.9774L16.8 56.9765H25.5L50.25 22.9549L54.6 28.9323L29.1 63.9502H3L41.55 11L45.9 16.9774ZM37.8 64H63.9L69 56.9765L72 52.8421L67.65 46.8647L60.3 56.9765H51.6L63.3 40.8872L58.95 34.9098L37.8 64Z" fill="#6ABA4F"/>
</svg>



@ -0,0 +1,99 @@
// Usage Instruction :
// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as ExabeamEvent.
// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. ExabeamEvent | take 10).
// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
Syslog
| where ProcessName contains "Exabeam"
| extend EventVendor = 'Exabeam'
| extend Service = extract(@'service=\"(.*?)\"', 1, SyslogMessage)
| extend Status = extract(@'status=\"(.*?)\"', 1, SyslogMessage)
| extend Id = extract(@'id=\"(.*?)\"', 1, SyslogMessage)
| extend UrlOriginal = extract(@'url=\"(.*?)\"', 1, SyslogMessage)
| extend EntityValue = extract(@'entity_value=\"(.*?)\"', 1, SyslogMessage)
| extend Score = extract(@'score=\"(.*?)\"', 1, SyslogMessage)
| extend SequenceType = extract(@'sequence_type=\"(.*?)\"', 1, SyslogMessage)
| extend EventStartTime = todatetime(extract(@'start_time=\"(.*?)\"', 1, SyslogMessage))
| extend EventEndTime = todatetime(extract(@'end_time=\"(.*?)\"', 1, SyslogMessage))
| extend SrcUserName = extract(@'user=\"(.*?)\"', 1, SyslogMessage)
| extend SrcDvcHostname = extract(@'src_host=\"(.*?)\"', 1, SyslogMessage)
| extend SrcIpAddr = extract(@'src_ip=\"(.*?)\"', 1, SyslogMessage)
| extend Labels = extract(@'labels=\"(.*?)\"', 1, SyslogMessage)
| extend Accounts = extract(@'accounts=\"(.*?)\"', 1, SyslogMessage)
| extend AssetsCount = extract(@'assets_count=\"(.*?)\"', 1, SyslogMessage)
| extend Assets = extract(@'assets=\"(.*?)\"', 1, SyslogMessage)
| extend Zones = extract(@'zones=\"(.*?)\"', 1, SyslogMessage)
| extend TopReasons = extract(@'top_reasons=\"(.*?)\"', 1, SyslogMessage)
| extend ReasonsCount = extract(@'reasons_count=\"(.*?)\"', 1, SyslogMessage)
| extend EventsCount = extract(@'events_count=\"(.*?)\"', 1, SyslogMessage)
| extend AlertsCount = extract(@'alerts_count=\"(.*?)\"', 1, SyslogMessage)
| extend AssetLabels = extract(@'asset_labels=\"(.*?)\"', 1, SyslogMessage)
| extend AssetLocations = extract(@'asset_locations=\"(.*?)\"', 1, SyslogMessage)
| extend TopUsers = extract(@'top_users=\"(.*?)\"', 1, SyslogMessage)
| extend AssetHostname = extract(@'host_name=\"(.*?)\"', 1, SyslogMessage)
| extend AssetIpAddress = extract(@'ip_address=\"(.*?)\"', 1, SyslogMessage)
| extend DstDvcHostname = extract(@'dest_host=\"(.*?)\"', 1, SyslogMessage)
| extend DstIpAddr = extract(@'dest_ip=\"(.*?)\"', 1, SyslogMessage)
| extend EventTime = todatetime(extract(@'event_time=\"(.*?)\"', 1, SyslogMessage))
| extend EventType = extract(@'event_type=\"(.*?)\"', 1, SyslogMessage)
| extend DvcHostname = extract(@'host=\"(.*?)\"', 1, SyslogMessage)
| extend Domain = extract(@'domain=\"(.*?)\"', 1, SyslogMessage)
| extend Raw = extract(@'raw=\"(.*?)\"', 1, SyslogMessage)
| extend RuleId = extract(@'rule_id=\"(.*?)\"', 1, SyslogMessage)
| extend RuleName = extract(@'rule_name=\"(.*?)\"', 1, SyslogMessage)
| extend RuleDescription = extract(@'rule_description=\"(.*?)\"', 1, SyslogMessage)
| extend App = extract(@'app=\"(.*?)\"', 1, SyslogMessage)
| extend EventSubType = extract(@'event_subtype=\"(.*?)\"', 1, SyslogMessage)
| extend Activity = extract(@'activity=\"(.*?)\"', 1, SyslogMessage)
| extend AdditionalInfo = extract(@'additional_info=\"(.*?)\"', 1, SyslogMessage)
| extend JobStatus = extract(@'job_status=\"(.*?)\"', 1, SyslogMessage)
| extend JobDetails = extract(@'job_details=\"(.*?)\"', 1, SyslogMessage)
| extend JobId = extract(@'job_id=\"(.*?)\"', 1, SyslogMessage)
| extend CreatedBy = extract(@'created_by=\"(.*?)\"', 1, SyslogMessage)
| extend Timestamp = todatetime(extract(@'timestamp=\"(.*?)\"', 1, SyslogMessage))
| project TimeGenerated
, EventVendor
, Service
, Status
, Id
, UrlOriginal
, EntityValue
, Score
, SequenceType
, EventStartTime
, EventEndTime
, SrcUserName
, SrcDvcHostname
, SrcIpAddr
, Labels
, Accounts
, AssetsCount
, Assets
, Zones
, TopReasons
, ReasonsCount
, EventsCount
, AlertsCount
, AssetLabels
, AssetLocations
, TopUsers
, AssetHostname
, AssetIpAddress
, DstDvcHostname
, DstIpAddr
, EventTime
, EventType
, DvcHostname
, Domain
, Raw
, RuleId
, RuleName
, RuleDescription
, App
, EventSubType
, Activity
, AdditionalInfo
, JobStatus
, JobDetails
, JobId
, CreatedBy
, Timestamp
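Review bot: Several key patterns are unanchored substrings, so `extract` returns the first key whose name merely ends with that text: `host=\"` (DvcHostname, line 418) matches inside `src_host=\"` and `dest_host=\"`, `id=\"` (Id, line 390) inside `rule_id=\"` and `job_id=\"`, `status=\"` (line 389) inside `job_status=\"`, and `labels=\"` (line 400) inside `asset_labels=\"`. The sample data in this same commit shows the effect: DvcHostname equals SrcDvcHostname in every record, and one record's Id is identical to its JobId. Because `_` is a word character, a word-boundary anchor fixes this without changing the captures, e.g. `| extend DvcHostname = extract(@'\bhost=\"(.*?)\"', 1, SyslogMessage)`, with the same `\b` prefix applied to the other extracts. The samples also show padded values (`" userx "`, `" 192.0.150.7 "`), so wrapping the user and IP extracts in `trim(@'\s+', ...)` would make joins on SrcIpAddr and SrcUserName match. `contains` on line 386 is a substring scan; `has "Exabeam"` is the indexed form if the process name is a whole term.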


@ -0,0 +1,590 @@
[
{
"TimeGenerated": "3/12/2021, 2:12:23.743 PM",
"EventVendor": "Exabeam",
"Service": "",
"Status": "open",
"Id": "testUser-20140402150331",
"UrlOriginal": "http://localhost:8484/#sessions/userx-20140402150331",
"EntityValue": "",
"Score": "",
"SequenceType": "",
"EventStartTime": "4/2/2014, 7:03:31.000 AM",
"EventEndTime": "1/1/1970, 12:00:00.000 AM",
"SrcUserName": " userx ",
"SrcDvcHostname": "test-host01-userx",
"SrcIpAddr": "19.10.150.7",
"Labels": "",
"Accounts": "testUser",
"AssetsCount": "",
"Assets": "test-host01-userx",
"Zones": "test.zone.test",
"TopReasons": "First logon to workstation for user,First logon to network zone,Abnormal logon to network zone for group",
"ReasonsCount": "17",
"EventsCount": "4",
"AlertsCount": "2",
"AssetLabels": "",
"AssetLocations": "",
"TopUsers": "",
"AssetHostname": "",
"AssetIpAddress": "",
"DstDvcHostname": "",
"DstIpAddr": "",
"EventTime": "",
"EventType": "",
"DvcHostname": "test-host01-userx",
"Domain": "",
"Raw": "",
"RuleId": "",
"RuleName": "",
"RuleDescription": "",
"App": "",
"EventSubType": "",
"Activity": "",
"AdditionalInfo": "",
"JobStatus": "",
"JobDetails": "",
"JobId": "",
"CreatedBy": "",
"Timestamp": "4/21/2015, 7:55:21.503 AM"
},
{
"TimeGenerated": "3/12/2021, 2:12:03.653 PM",
"EventVendor": "Exabeam",
"Service": "",
"Status": "open",
"Id": "testUser-20140402150331",
"UrlOriginal": "http://localhost:8484/#sessions/userx-20140402150331",
"EntityValue": "",
"Score": "",
"SequenceType": "",
"EventStartTime": "4/2/2014, 7:03:31.000 AM",
"EventEndTime": "1/1/1970, 12:00:00.000 AM",
"SrcUserName": " userx ",
"SrcDvcHostname": "test-host01-userx",
"SrcIpAddr": "19.10.150.7",
"Labels": "",
"Accounts": "testUser",
"AssetsCount": "",
"Assets": "test-host01-userx",
"Zones": "test.zone.test",
"TopReasons": "First logon to workstation for user,First logon to network zone,Abnormal logon to network zone for group",
"ReasonsCount": "10",
"EventsCount": "1",
"AlertsCount": "0",
"AssetLabels": "",
"AssetLocations": "",
"TopUsers": "",
"AssetHostname": "",
"AssetIpAddress": "",
"DstDvcHostname": "",
"DstIpAddr": "",
"EventTime": "",
"EventType": "",
"DvcHostname": "test-host01-userx",
"Domain": "",
"Raw": "",
"RuleId": "",
"RuleName": "",
"RuleDescription": "",
"App": "",
"EventSubType": "",
"Activity": "",
"AdditionalInfo": "",
"JobStatus": "",
"JobDetails": "",
"JobId": "",
"CreatedBy": "",
"Timestamp": "4/21/2015, 7:55:21.503 AM"
},
{
"TimeGenerated": "3/12/2021, 2:12:18.123 PM",
"EventVendor": "Exabeam",
"Service": "",
"Status": "open",
"Id": "testUser-20140402150331",
"UrlOriginal": "http://localhost:8484/#sessions/userx-20140402150331",
"EntityValue": "",
"Score": "",
"SequenceType": "",
"EventStartTime": "4/2/2014, 7:03:31.000 AM",
"EventEndTime": "1/1/1970, 12:00:00.000 AM",
"SrcUserName": " userx ",
"SrcDvcHostname": "test-host01-userx",
"SrcIpAddr": "19.10.150.7",
"Labels": "",
"Accounts": "testUser",
"AssetsCount": "",
"Assets": "test-host01-userx",
"Zones": "test.zone.test",
"TopReasons": "First logon to workstation for user,First logon to network zone,Abnormal logon to network zone for group",
"ReasonsCount": "17",
"EventsCount": "4",
"AlertsCount": "0",
"AssetLabels": "",
"AssetLocations": "",
"TopUsers": "",
"AssetHostname": "",
"AssetIpAddress": "",
"DstDvcHostname": "",
"DstIpAddr": "",
"EventTime": "",
"EventType": "",
"DvcHostname": "test-host01-userx",
"Domain": "",
"Raw": "",
"RuleId": "",
"RuleName": "",
"RuleDescription": "",
"App": "",
"EventSubType": "",
"Activity": "",
"AdditionalInfo": "",
"JobStatus": "",
"JobDetails": "",
"JobId": "",
"CreatedBy": "",
"Timestamp": "4/21/2015, 7:55:21.503 AM"
},
{
"TimeGenerated": "3/12/2021, 2:09:56.550 PM",
"EventVendor": "Exabeam",
"Service": "",
"Status": "open",
"Id": "testUser-20140402150331",
"UrlOriginal": "http://localhost:8484/#sessions/userx-20140402150331",
"EntityValue": "",
"Score": "",
"SequenceType": "",
"EventStartTime": "4/2/2014, 7:03:31.000 AM",
"EventEndTime": "1/1/1970, 12:00:00.000 AM",
"SrcUserName": " userx ",
"SrcDvcHostname": "test-host01-userx",
"SrcIpAddr": " 192.0.150.7 ",
"Labels": "",
"Accounts": "testUser",
"AssetsCount": "",
"Assets": "test-host01-userx",
"Zones": "test.zone.test",
"TopReasons": "First logon to workstation for user,First logon to network zone,Abnormal logon to network zone for group",
"ReasonsCount": "10",
"EventsCount": "1",
"AlertsCount": "0",
"AssetLabels": "",
"AssetLocations": "",
"TopUsers": "",
"AssetHostname": "",
"AssetIpAddress": "",
"DstDvcHostname": "",
"DstIpAddr": "",
"EventTime": "",
"EventType": "",
"DvcHostname": "test-host01-userx",
"Domain": "",
"Raw": "",
"RuleId": "",
"RuleName": "",
"RuleDescription": "",
"App": "",
"EventSubType": "",
"Activity": "",
"AdditionalInfo": "",
"JobStatus": "",
"JobDetails": "",
"JobId": "",
"CreatedBy": "",
"Timestamp": "4/21/2015, 7:55:21.503 AM"
},
{
"TimeGenerated": "2/26/2021, 9:24:14.377 AM",
"EventVendor": "Exabeam",
"Service": "",
"Status": "open",
"Id": "testUser-20140402150331",
"UrlOriginal": "http://localhost:8484/#sessions/userx-20140402150331",
"EntityValue": "",
"Score": "",
"SequenceType": "",
"EventStartTime": "4/2/2014, 7:03:31.000 AM",
"EventEndTime": "1/1/1970, 12:00:00.000 AM",
"SrcUserName": " userx ",
"SrcDvcHostname": "test-host01-userx",
"SrcIpAddr": " 192.0.150.7 ",
"Labels": "",
"Accounts": "testUser",
"AssetsCount": "",
"Assets": "test-host01-userx",
"Zones": "test.zone.test",
"TopReasons": "First logon to workstation for user,First logon to network zone,Abnormal logon to network zone for group",
"ReasonsCount": "10",
"EventsCount": "1",
"AlertsCount": "0",
"AssetLabels": "",
"AssetLocations": "",
"TopUsers": "",
"AssetHostname": "",
"AssetIpAddress": "",
"DstDvcHostname": "",
"DstIpAddr": "",
"EventTime": "",
"EventType": "",
"DvcHostname": "test-host01-userx",
"Domain": "",
"Raw": "",
"RuleId": "",
"RuleName": "",
"RuleDescription": "",
"App": "",
"EventSubType": "",
"Activity": "",
"AdditionalInfo": "",
"JobStatus": "",
"JobDetails": "",
"JobId": "",
"CreatedBy": "",
"Timestamp": "4/21/2015, 7:55:21.503 AM"
},
{
"TimeGenerated": "2/26/2021, 9:58:32.500 AM",
"EventVendor": "Exabeam",
"Service": "Analytics Log Ingestion",
"Status": "stopped",
"Id": "sstrickland-20210204143816",
"UrlOriginal": "http://g-aa.exabeamdemo.com/#sessions/sstrickland-20210204143816",
"EntityValue": "",
"Score": "20",
"SequenceType": "",
"EventStartTime": "2/4/2021, 2:38:16.000 PM",
"EventEndTime": "2/4/2021, 2:38:16.000 PM",
"SrcUserName": "sstrickland",
"SrcDvcHostname": "wks_5cc_kt",
"SrcIpAddr": "192.168.25.136",
"Labels": " assets=",
"Accounts": "sstrickland",
"AssetsCount": "",
"Assets": "tks_en_360_kt",
"Zones": "None",
"TopReasons": "",
"ReasonsCount": "",
"EventsCount": "",
"AlertsCount": "1",
"AssetLabels": "",
"AssetLocations": "",
"TopUsers": "",
"AssetHostname": "",
"AssetIpAddress": "",
"DstDvcHostname": "",
"DstIpAddr": "",
"EventTime": "",
"EventType": "",
"DvcHostname": "wks_5cc_kt",
"Domain": "",
"Raw": "",
"RuleId": "",
"RuleName": "",
"RuleDescription": "",
"App": "",
"EventSubType": "",
"Activity": "",
"AdditionalInfo": "",
"JobStatus": "",
"JobDetails": "",
"JobId": "",
"CreatedBy": "",
"Timestamp": "2/7/2021, 2:38:16.000 PM"
},
{
"TimeGenerated": "2/26/2021, 9:59:56.770 AM",
"EventVendor": "Exabeam",
"Service": "",
"Status": "open",
"Id": "20140402150331",
"UrlOriginal": "http://localhost:8484/#sessions/userx-20140402150331",
"EntityValue": "",
"Score": "",
"SequenceType": "",
"EventStartTime": "4/2/2014, 7:03:31.000 AM",
"EventEndTime": "1/1/1970, 12:00:00.000 AM",
"SrcUserName": "sstrickland",
"SrcDvcHostname": "test-host01-userx",
"SrcIpAddr": " 192.0.150.7 ",
"Labels": "",
"Accounts": "testUser",
"AssetsCount": "",
"Assets": "assets=",
"Zones": "test.zone.test",
"TopReasons": "First logon to workstation for user,First logon to network zone,Abnormal logon to network zone for group",
"ReasonsCount": "10",
"EventsCount": "1",
"AlertsCount": "0",
"AssetLabels": "",
"AssetLocations": "",
"TopUsers": "",
"AssetHostname": "",
"AssetIpAddress": "",
"DstDvcHostname": "",
"DstIpAddr": "",
"EventTime": "",
"EventType": "",
"DvcHostname": "test-host01-userx",
"Domain": "",
"Raw": "",
"RuleId": "",
"RuleName": "",
"RuleDescription": "",
"App": "",
"EventSubType": "",
"Activity": "",
"AdditionalInfo": "",
"JobStatus": "",
"JobDetails": "",
"JobId": "",
"CreatedBy": "",
"Timestamp": "4/21/2015, 7:55:21.503 AM"
},
{
"TimeGenerated": "2/26/2021, 10:01:53.203 AM",
"EventVendor": "Exabeam",
"Service": "",
"Status": "open",
"Id": "20140402150331",
"UrlOriginal": "http://localhost:8484/#sessions/userx-20140402150331",
"EntityValue": "",
"Score": "",
"SequenceType": "",
"EventStartTime": "4/2/2014, 7:03:31.000 AM",
"EventEndTime": "1/1/1970, 12:00:00.000 AM",
"SrcUserName": "sstrickland",
"SrcDvcHostname": "test-host01-userx",
"SrcIpAddr": " 192.0.150.7 ",
"Labels": "",
"Accounts": "testUser",
"AssetsCount": "",
"Assets": "srv_123_dev, 10.23.123.56, tks_en_0b_jt",
"Zones": "test.zone.test",
"TopReasons": "First logon to workstation for user,First logon to network zone,Abnormal logon to network zone for group",
"ReasonsCount": "10",
"EventsCount": "1",
"AlertsCount": "0",
"AssetLabels": "",
"AssetLocations": "",
"TopUsers": "",
"AssetHostname": "",
"AssetIpAddress": "",
"DstDvcHostname": "",
"DstIpAddr": "",
"EventTime": "",
"EventType": "",
"DvcHostname": "test-host01-userx",
"Domain": "",
"Raw": "",
"RuleId": "",
"RuleName": "",
"RuleDescription": "",
"App": "",
"EventSubType": "",
"Activity": "",
"AdditionalInfo": "",
"JobStatus": "",
"JobDetails": "",
"JobId": "",
"CreatedBy": "",
"Timestamp": "4/21/2015, 7:55:21.503 AM"
},
{
"TimeGenerated": "2/26/2021, 10:03:39.857 AM",
"EventVendor": "Exabeam",
"Service": "",
"Status": "Started",
"Id": "10204143816",
"UrlOriginal": "",
"EntityValue": "",
"Score": "80",
"SequenceType": "",
"EventStartTime": "",
"EventEndTime": "",
"SrcUserName": "",
"SrcDvcHostname": "",
"SrcIpAddr": "",
"Labels": "",
"Accounts": "",
"AssetsCount": "",
"Assets": "",
"Zones": "",
"TopReasons": "",
"ReasonsCount": "",
"EventsCount": "",
"AlertsCount": "",
"AssetLabels": "",
"AssetLocations": "",
"TopUsers": "",
"AssetHostname": "",
"AssetIpAddress": "",
"DstDvcHostname": "",
"DstIpAddr": "",
"EventTime": "",
"EventType": "",
"DvcHostname": "",
"Domain": "",
"Raw": "",
"RuleId": "",
"RuleName": "",
"RuleDescription": "",
"App": "",
"EventSubType": "",
"Activity": "",
"AdditionalInfo": "",
"JobStatus": "Started",
"JobDetails": "Modified rules: rule AM-OG-A has new score 40.0 ,rule AM-GOU-A has new score 40.0 ,rule AM-GA-AC-A has new score 40.0. Reprocess starts from May 5 2014, 7:00AM (UTC), ends on May 7 2018, 6:59AM (UTC).",
"JobId": "5c1ace5c123 b3801207481f",
"CreatedBy": "admin",
"Timestamp": "2/7/2021, 2:38:16.000 PM"
},
{
"TimeGenerated": "2/26/2021, 10:04:22.973 AM",
"EventVendor": "Exabeam",
"Service": "",
"Status": "Started",
"Id": "5c1ace5c123 b3801207481f",
"UrlOriginal": "",
"EntityValue": "",
"Score": "",
"SequenceType": "",
"EventStartTime": "",
"EventEndTime": "",
"SrcUserName": "",
"SrcDvcHostname": "",
"SrcIpAddr": "",
"Labels": "",
"Accounts": "",
"AssetsCount": "",
"Assets": "",
"Zones": "",
"TopReasons": "",
"ReasonsCount": "",
"EventsCount": "",
"AlertsCount": "",
"AssetLabels": "",
"AssetLocations": "",
"TopUsers": "",
"AssetHostname": "",
"AssetIpAddress": "",
"DstDvcHostname": "",
"DstIpAddr": "",
"EventTime": "",
"EventType": "",
"DvcHostname": "",
"Domain": "",
"Raw": "",
"RuleId": "",
"RuleName": "",
"RuleDescription": "",
"App": "",
"EventSubType": "",
"Activity": "",
"AdditionalInfo": "",
"JobStatus": "Started",
"JobDetails": "Modified rules: rule AM-OG-A has new score 40.0 ,rule AM-GOU-A has new score 40.0 ,rule AM-GA-AC-A has new score 40.0. Reprocess starts from May 5 2014, 7:00AM (UTC), ends on May 7 2018, 6:59AM (UTC).",
"JobId": "5c1ace5c123 b3801207481f",
"CreatedBy": "admin",
"Timestamp": ""
},
{
"TimeGenerated": "2/26/2021, 10:04:49.923 AM",
"EventVendor": "Exabeam",
"Service": "Analytics Log Ingestion",
"Status": "stopped",
"Id": "sstrickland-20210204143816",
"UrlOriginal": "http://g-aa.exabeamdemo.com/#sessions/sstrickland-20210204143816",
"EntityValue": "",
"Score": "85",
"SequenceType": "",
"EventStartTime": "2/4/2021, 2:38:16.000 PM",
"EventEndTime": "2/4/2021, 2:38:16.000 PM",
"SrcUserName": "sstrickland",
"SrcDvcHostname": "wks_5cc_kt",
"SrcIpAddr": "192.168.25.136",
"Labels": " assets=",
"Accounts": "sstrickland",
"AssetsCount": "",
"Assets": "tks_en_360_kt",
"Zones": "None",
"TopReasons": "",
"ReasonsCount": "",
"EventsCount": "",
"AlertsCount": "1",
"AssetLabels": "",
"AssetLocations": "",
"TopUsers": "",
"AssetHostname": "",
"AssetIpAddress": "",
"DstDvcHostname": "",
"DstIpAddr": "",
"EventTime": "",
"EventType": "",
"DvcHostname": "wks_5cc_kt",
"Domain": "",
"Raw": "",
"RuleId": "",
"RuleName": "",
"RuleDescription": "",
"App": "",
"EventSubType": "",
"Activity": "",
"AdditionalInfo": "",
"JobStatus": "",
"JobDetails": "",
"JobId": "",
"CreatedBy": "",
"Timestamp": "2/7/2021, 2:38:16.000 PM"
},
{
"TimeGenerated": "2/26/2021, 9:57:02.510 AM",
"EventVendor": "Exabeam",
"Service": "",
"Status": "open",
"Id": "sstrickland-20210204143816",
"UrlOriginal": "http://g-aa.exabeamdemo.com/#sessions/sstrickland-20210204143816",
"EntityValue": "",
"Score": "20",
"SequenceType": "",
"EventStartTime": "2/4/2021, 2:38:16.000 PM",
"EventEndTime": "2/4/2021, 2:38:16.000 PM",
"SrcUserName": "sstrickland",
"SrcDvcHostname": "wks_5cc_kt",
"SrcIpAddr": "192.168.25.136",
"Labels": " assets=",
"Accounts": "sstrickland",
"AssetsCount": "",
"Assets": "tks_en_360_kt",
"Zones": "None",
"TopReasons": "It is abnormal for account management activity (a user created and added to a group) to come from this zone. Account management events are notable because they can provide a path for an attacker to move laterally through a system.",
"ReasonsCount": "1",
"EventsCount": "248",
"AlertsCount": "1",
"AssetLabels": "",
"AssetLocations": "",
"TopUsers": "",
"AssetHostname": "",
"AssetIpAddress": "",
"DstDvcHostname": "",
"DstIpAddr": "",
"EventTime": "",
"EventType": "",
"DvcHostname": "wks_5cc_kt",
"Domain": "",
"Raw": "",
"RuleId": "",
"RuleName": "",
"RuleDescription": "",
"App": "",
"EventSubType": "",
"Activity": "",
"AdditionalInfo": "",
"JobStatus": "",
"JobDetails": "",
"JobId": "",
"CreatedBy": "",
"Timestamp": "2/4/2021, 2:38:16.000 PM"
}
]
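Review bot: Every timestamp in this sample set is locale-formatted with no timezone (`"TimeGenerated": "3/12/2021, 2:12:23.743 PM"`, line 486), which is ambiguous between month/day orders and does not round-trip into the DateTime columns the schema declares; exporting the samples as ISO 8601 UTC (e.g. `"2021-03-12T14:12:23.743Z"`, assuming the export was UTC) keeps them loadable. The padded values (`" userx "`, `" 192.0.150.7 "`) and the identical SrcDvcHostname/DvcHostname pairs look like the parser's raw output, so if the parser is fixed these samples should be regenerated rather than hand-edited. Addresses such as `19.10.150.7` and `192.0.150.7` are routable; the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) avoid pointing test data at real hosts.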