Thomas Dolan 2021-03-23 15:22:46 -05:00
Родитель 08c6f3eed9 eed4d27b9e
Коммит b8bdbb9553
89 изменённых файлов: 37202 добавлений и 285 удалений


@ -0,0 +1,189 @@
{
"Name": "ExabeamEvent",
"Properties": [
{
"Name": "EventVendor",
"Type": "String"
},
{
"Name": "Service",
"Type": "String"
},
{
"Name": "Status",
"Type": "String"
},
{
"Name": "Id",
"Type": "String"
},
{
"Name": "UrlOriginal",
"Type": "String"
},
{
"Name": "EntityValue",
"Type": "String"
},
{
"Name": "Score",
"Type": "String"
},
{
"Name": "SequenceType",
"Type": "String"
},
{
"Name": "EventStartTime",
"Type": "DateTime"
},
{
"Name": "EventEndTime",
"Type": "DateTime"
},
{
"Name": "SrcUserName",
"Type": "String"
},
{
"Name": "SrcDvcHostname",
"Type": "String"
},
{
"Name": "SrcIpAddr",
"Type": "String"
},
{
"Name": "Labels",
"Type": "String"
},
{
"Name": "Accounts",
"Type": "String"
},
{
"Name": "AssetsCount",
"Type": "String"
},
{
"Name": "Assets",
"Type": "String"
},
{
"Name": "Zones",
"Type": "String"
},
{
"Name": "TopReasons",
"Type": "String"
},
{
"Name": "ReasonsCount",
"Type": "String"
},
{
"Name": "EventsCount",
"Type": "String"
},
{
"Name": "AlertsCount",
"Type": "String"
},
{
"Name": "AssetLabels",
"Type": "String"
},
{
"Name": "AssetLocations",
"Type": "String"
},
{
"Name": "TopUsers",
"Type": "String"
},
{
"Name": "AssetHostname",
"Type": "String"
},
{
"Name": "AssetIpAddress",
"Type": "String"
},
{
"Name": "DstDvcHostname",
"Type": "String"
},
{
"Name": "DstIpAddr",
"Type": "String"
},
{
"Name": "EventTime",
"Type": "DateTime"
},
{
"Name": "EventType",
"Type": "String"
},
{
"Name": "DvcHostname",
"Type": "String"
},
{
"Name": "Domain",
"Type": "String"
},
{
"Name": "Raw",
"Type": "String"
},
{
"Name": "RuleId",
"Type": "String"
},
{
"Name": "RuleName",
"Type": "String"
},
{
"Name": "RuleDescription",
"Type": "String"
},
{
"Name": "App",
"Type": "String"
},
{
"Name": "EventSubType",
"Type": "String"
},
{
"Name": "Activity",
"Type": "String"
},
{
"Name": "AdditionalInfo",
"Type": "String"
},
{
"Name": "JobStatus",
"Type": "String"
},
{
"Name": "JobDetails",
"Type": "String"
},
{
"Name": "JobId",
"Type": "String"
},
{
"Name": "CreatedBy",
"Type": "String"
},
{
"Name": "Timestamp",
"Type": "DateTime"
}
]
}
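Review bot: The count-like and score fields in this schema — `Score`, `AssetsCount`, `ReasonsCount`, `EventsCount`, `AlertsCount` — are declared `"Type": "String"`, so any threshold or aggregation in the parser or in analytic rules has to cast them first, and a non-numeric value only surfaces at query time. If this schema format defines a numeric type, declare these fields with it; if it does not, a short note in the parser that they are numbers carried as strings would spare the next author the guesswork. The file already distinguishes types where it can (the four timestamp fields are `DateTime`), so this would bring the numeric fields in line.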


@ -0,0 +1,313 @@
{
"Name": "McAfeeEPOEvent",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "GmtTime",
"Type": "DateTime"
},
{
"Name": "EventVendor",
"Type": "String"
},
{
"Name": "EventProduct",
"Type": "String"
},
{
"Name": "EventId",
"Type": "String"
},
{
"Name": "EventSeverity",
"Type": "String"
},
{
"Name": "AgentGuid",
"Type": "String"
},
{
"Name": "DvcHostname",
"Type": "String"
},
{
"Name": "DvcIpAddr",
"Type": "String"
},
{
"Name": "DvcMacAddr",
"Type": "String"
},
{
"Name": "AgentVersion",
"Type": "String"
},
{
"Name": "SrcDvcOs",
"Type": "String"
},
{
"Name": "SrcUserName",
"Type": "String"
},
{
"Name": "TimeZoneBias",
"Type": "String"
},
{
"Name": "ProductName",
"Type": "String"
},
{
"Name": "ProductFamily",
"Type": "String"
},
{
"Name": "ProductVersion",
"Type": "String"
},
{
"Name": "Analyzer",
"Type": "String"
},
{
"Name": "AnalyzerName",
"Type": "String"
},
{
"Name": "AnalyzerVersion",
"Type": "String"
},
{
"Name": "AnalyzerHostName",
"Type": "String"
},
{
"Name": "AnalyzerDatVersion",
"Type": "String"
},
{
"Name": "AnalyzerEngineVersion",
"Type": "String"
},
{
"Name": "AnalyzerDetectionMethod",
"Type": "String"
},
{
"Name": "ThreatName",
"Type": "String"
},
{
"Name": "ThreatType",
"Type": "String"
},
{
"Name": "ThreatCategory",
"Type": "String"
},
{
"Name": "ThreatId",
"Type": "String"
},
{
"Name": "ThreatHandled",
"Type": "String"
},
{
"Name": "ThreatActionTaken",
"Type": "String"
},
{
"Name": "ThreatSeverity",
"Type": "String"
},
{
"Name": "SrcUserUpn",
"Type": "String"
},
{
"Name": "SrcProcessName",
"Type": "String"
},
{
"Name": "DstDvcHostname",
"Type": "String"
},
{
"Name": "DstUserName",
"Type": "String"
},
{
"Name": "TargetProcessName",
"Type": "String"
},
{
"Name": "DstFileName",
"Type": "String"
},
{
"Name": "Target",
"Type": "String"
},
{
"Name": "BladeName",
"Type": "String"
},
{
"Name": "AnalyzerContentVersion",
"Type": "String"
},
{
"Name": "AnalyzerContentCreationDate",
"Type": "String"
},
{
"Name": "AnalyzerRuleName",
"Type": "String"
},
{
"Name": "AnalyzerRuleId",
"Type": "String"
},
{
"Name": "AnalyzerGtiQuery",
"Type": "String"
},
{
"Name": "ThreatDetectedOnCreation",
"Type": "String"
},
{
"Name": "DstFileSize",
"Type": "String"
},
{
"Name": "DstFileModifiedTime",
"Type": "DateTime"
},
{
"Name": "DstFileAccessedTime",
"Type": "DateTime"
},
{
"Name": "DstFileCreationTime",
"Type": "DateTime"
},
{
"Name": "Cleanable",
"Type": "String"
},
{
"Name": "TaskName",
"Type": "String"
},
{
"Name": "FirstAttemptedAction",
"Type": "String"
},
{
"Name": "FirstActionStatus",
"Type": "String"
},
{
"Name": "SecondAttemptedAction",
"Type": "String"
},
{
"Name": "SecondActionStatus",
"Type": "String"
},
{
"Name": "ApiName",
"Type": "String"
},
{
"Name": "SourceDescription",
"Type": "String"
},
{
"Name": "SrcProcessId",
"Type": "String"
},
{
"Name": "SrcProcessHashMd5",
"Type": "String"
},
{
"Name": "AttackVectorType",
"Type": "String"
},
{
"Name": "DurationBeforeDetection",
"Type": "String"
},
{
"Name": "AccessRequested",
"Type": "String"
},
{
"Name": "DetectionMessage",
"Type": "String"
},
{
"Name": "AmCoreContentVersion",
"Type": "String"
},
{
"Name": "SrcIpAddr",
"Type": "String"
},
{
"Name": "SrcMacAddr",
"Type": "String"
},
{
"Name": "DstIpAddr",
"Type": "String"
},
{
"Name": "DstMacAddr",
"Type": "String"
},
{
"Name": "ProductId",
"Type": "String"
},
{
"Name": "Locale",
"Type": "String"
},
{
"Name": "Error",
"Type": "String"
},
{
"Name": "Type",
"Type": "String"
},
{
"Name": "Version",
"Type": "String"
},
{
"Name": "InitiatorId",
"Type": "String"
},
{
"Name": "InitiatorType",
"Type": "String"
},
{
"Name": "SiteName",
"Type": "String"
},
{
"Name": "Description",
"Type": "String"
}
]
}
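Review bot: `AnalyzerContentCreationDate` is declared `"Type": "String"` while every other date-bearing field in this schema (`GmtTime`, `DstFileModifiedTime`, `DstFileAccessedTime`, `DstFileCreationTime`) is `DateTime`, so date comparisons on it will need a cast. Unless the vendor emits it in a form the DateTime type cannot parse, change it to `"Type": "DateTime"`. The same String typing applies to `EventSeverity`, `ThreatSeverity`, `DstFileSize` and `SrcProcessId`, and to the yes/no style fields `ThreatHandled`, `Cleanable` and `ThreatDetectedOnCreation`; if the format has numeric or boolean types, using them would make severity thresholds and "threat not handled" filters in detection rules less error-prone.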


@ -57,6 +57,7 @@
"InfobloxNIOS",
"IoT",
"JuniperSRX",
"McAfeeePO",
"MicrosoftCloudAppSecurity",
"MicrosoftDefenderAdvancedThreatProtection",
"MicrosoftThreatIntelligence",
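Review bot: The new entry is spelled `McAfeeePO` while the schema added in the same commit names the event `McAfeeEPOEvent`; if this list is matched case-sensitively against a folder, parser or schema name, the casing mismatch will silently fail to register the connector. Worth confirming which spelling the consumer of this list expects and aligning the other one with it.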


@ -1,172 +1,172 @@
{
"id": "AlsidForAD",
"title": "Alsid for Active Directory",
"publisher": "Alsid",
"descriptionMarkdown": "Alsid for Active Directory connector allows to export Alsid Indicators of Exposures, trailflow and Indicators of Attacks logs to Azure Sentinel in real time.\nIt provides a data parser to manipulate the logs more easily. The different workbooks ease your Active Directory monitoring and provide different ways to visualize the data. The analytic templates allow to automate responses regarding different events, exposures, or attacks.",
"additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected. Follow the steps to use this Kusto Function alias **afad_parser** in queries and workbooks. [Follow steps to get this Kusto Function>](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/Alsid/afad_parser.kql) ",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "AlsidForADLog_CL",
"baseQuery": "AlsidForADLog_CL"
}
],
"sampleQueries": [
{
"description" : "Get the number of alerts triggered by each IoE",
"query": "afad_parser\n | where MessageType == 0\n | summarize AlertCount = count() by Codename"
},
{
"description" : "Get all IoE alerts with severity superior to the threshold",
"query" : "let threshold = 2;\n let SeverityTable=datatable(Severity:string,Level:int) [\n \"low\", 1,\n \"medium\", 2,\n \"high\", 3,\n \"critical\", 4\n ];\n afad_parser\n | where MessageType == 0\n | lookup kind=leftouter SeverityTable on Severity\n | where Level >= ['threshold']"
},
{
"description" : "Get all IoE alerts for the last 24 hours",
"query" : "afad_parser\r\n| where MessageType == 0 and TimeGenerated > ago(1d)"
},
{
"description" : "Get all IoE alerts for the last 7 days",
"query" : "afad_parser\r\n| where MessageType == 0 and TimeGenerated > ago(7d)"
},
{
"description" : "Get all IoE alerts for the last 30 days",
"query" : "afad_parser\r\n| where MessageType == 0 and TimeGenerated > ago(30d)"
},
{
"description" : "Get all trailflow changes for the last 24 hours",
"query" : "afad_parser\r\n| where MessageType == 1 and TimeGenerated > ago(1d)"
},
{
"description" : "Get all trailflow changes for the last 7 days",
"query" : "afad_parser\r\n| where MessageType == 1 and TimeGenerated > ago(7d)"
}
],
"dataTypes": [
{
"name": "AlsidForADLog_CL",
"lastDataReceivedQuery": "AlsidForADLog_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"AlsidForADLog_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
]
},
"instructionSteps": [
{
"title": "",
"description": ">This data connector depends on a parser based on a Kusto Function to work as expected. [Follow these steps](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/Alsid/afad_parser.kql) to create the Kusto Functions alias, **afad_parser**",
"instructions": [
]
},
{
"title": "1. Configure the Syslog server",
"description": "You will first need a **linux Syslog** server that Alsid for AD will send logs to. Typically you can run **rsyslog** on **Ubuntu**.\n You can then configure this server as you wish but it is recommended to be able to output AFAD logs in a separate file."
},
{
"title": "2. Configure Alsid to send logs to your Syslog server",
"description": "On your **Alsid for AD** portal, go to *System*, *Configuration* and then *Syslog*.\nFrom there you can create a new Syslog alert toward your Syslog server.\n\nOnce this is done, check that the logs are correctly gathered on your server in a separate file (to do this, you can use the *Test the configuration* button in the Syslog alert configuration in AFAD)."
},
{
"title": "3. Install and onboard the Microsoft agent for Linux",
"description": "",
"instructions": [
{
"parameters": {
"title": "Choose where to install the agent:",
"instructionSteps": [
{
"title": "Install agent on Azure Linux Virtual Machine",
"description": "Select the machine to install the agent on and then click **Connect**.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxVirtualMachine"
},
"type": "InstallAgent"
}
]
},
{
"title": "Install agent on a non-Azure Linux Machine",
"description": "Download the agent on the relevant machine and follow the instructions.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxNonAzure"
},
"type": "InstallAgent"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
]
},
{
"title": "4. Configure the logs to be collected by the agents",
"description": "Configure the agent to collect the logs.\n\n1. Under workspace advanced settings **Configuration**, select **Data** and then **Custom Logs**.\n2. Select **Apply below configuration to my machines** and click **Add**.\n4. Upload a sample AFAD Syslog file from the **Linux** machine running the **Syslog** server and click **Next**.\n5. Set the record delimiter to **New Line** if not already the case and click **Next**.\n6. Select **Linux** and enter the file path to the **Syslog** file, click **+** then **Next**.\n7. In the Name field type *AlsidForADLog* before the _CL suffix, then click **Done**.\n\nAll of theses steps are showcased [here](https://www.youtube.com/watch?v=JwV1uZSyXM4&feature=youtu.be) as an example",
"instructions": [
{
"parameters": {
"linkType": "OpenAdvancedWorkspaceSettings"
},
"type": "InstallAgent"
}
]
},
{
"title": "",
"description": "> You should now be able to receive logs in the *AlsidForADLog_CL* table, logs data can be parse using the **afad_parser()** function, used by all query samples, workbooks and analytic templates."
}
],
"metadata": {
"id": "12ff1831-b733-4861-a3e7-6115d20106f4",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "Alsid"
},
"support": {
"name": "Alsid",
"link": "https://www.alsid.com/contact-us/",
"tier": "developer"
}
}
}
{
"id": "AlsidForAD",
"title": "Alsid for Active Directory",
"publisher": "Alsid",
"descriptionMarkdown": "Alsid for Active Directory connector allows to export Alsid Indicators of Exposures, trailflow and Indicators of Attacks logs to Azure Sentinel in real time.\nIt provides a data parser to manipulate the logs more easily. The different workbooks ease your Active Directory monitoring and provide different ways to visualize the data. The analytic templates allow to automate responses regarding different events, exposures, or attacks.",
"additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected. Follow the steps to use this Kusto Function alias **afad_parser** in queries and workbooks. [Follow steps to get this Kusto Function>](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/Alsid/afad_parser.kql) ",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "AlsidForADLog_CL",
"baseQuery": "AlsidForADLog_CL"
}
],
"sampleQueries": [
{
"description" : "Get the number of alerts triggered by each IoE",
"query": "afad_parser\n | where MessageType == 0\n | summarize AlertCount = count() by Codename"
},
{
"description" : "Get all IoE alerts with severity superior to the threshold",
"query" : "let threshold = 2;\n let SeverityTable=datatable(Severity:string,Level:int) [\n \"low\", 1,\n \"medium\", 2,\n \"high\", 3,\n \"critical\", 4\n ];\n afad_parser\n | where MessageType == 0\n | lookup kind=leftouter SeverityTable on Severity\n | where Level >= ['threshold']"
},
{
"description" : "Get all IoE alerts for the last 24 hours",
"query" : "afad_parser\r\n| where MessageType == 0 and TimeGenerated > ago(1d)"
},
{
"description" : "Get all IoE alerts for the last 7 days",
"query" : "afad_parser\r\n| where MessageType == 0 and TimeGenerated > ago(7d)"
},
{
"description" : "Get all IoE alerts for the last 30 days",
"query" : "afad_parser\r\n| where MessageType == 0 and TimeGenerated > ago(30d)"
},
{
"description" : "Get all trailflow changes for the last 24 hours",
"query" : "afad_parser\r\n| where MessageType == 1 and TimeGenerated > ago(1d)"
},
{
"description" : "Get all trailflow changes for the last 7 days",
"query" : "afad_parser\r\n| where MessageType == 1 and TimeGenerated > ago(7d)"
}
],
"dataTypes": [
{
"name": "AlsidForADLog_CL",
"lastDataReceivedQuery": "AlsidForADLog_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"afad_parser\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
]
},
"instructionSteps": [
{
"title": "",
"description": ">This data connector depends on a parser based on a Kusto Function to work as expected. [Follow these steps](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/Alsid/afad_parser.kql) to create the Kusto Functions alias, **afad_parser**",
"instructions": [
]
},
{
"title": "1. Configure the Syslog server",
"description": "You will first need a **linux Syslog** server that Alsid for AD will send logs to. Typically you can run **rsyslog** on **Ubuntu**.\n You can then configure this server as you wish, but it is recommended to be able to output AFAD logs in a separate file.\nAlternatively you can use [this Quickstart template](https://azure.microsoft.com/resources/templates/alsid-syslog-proxy/) which will deploy the Syslog server and the Microsoft agent for you. If you do use this template, you can skip step 3."
},
{
"title": "2. Configure Alsid to send logs to your Syslog server",
"description": "On your **Alsid for AD** portal, go to *System*, *Configuration* and then *Syslog*.\nFrom there you can create a new Syslog alert toward your Syslog server.\n\nOnce this is done, check that the logs are correctly gathered on your server in a seperate file (to do this, you can use the *Test the configuration* button in the Syslog alert configuration in AFAD).\nIf you used the Quickstart template, the Syslog server will by default listen on port 514 in UDP and 1514 in TCP, without TLS."
},
{
"title": "3. Install and onboard the Microsoft agent for Linux",
"description": "You can skip this step if you used the Quickstart template in step 1",
"instructions": [
{
"parameters": {
"title": "Choose where to install the agent:",
"instructionSteps": [
{
"title": "Install agent on Azure Linux Virtual Machine",
"description": "Select the machine to install the agent on and then click **Connect**.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxVirtualMachine"
},
"type": "InstallAgent"
}
]
},
{
"title": "Install agent on a non-Azure Linux Machine",
"description": "Download the agent on the relevant machine and follow the instructions.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxNonAzure"
},
"type": "InstallAgent"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
]
},
{
"title": "4. Configure the logs to be collected by the agents",
"description": "Configure the agent to collect the logs.\n\n1. Under workspace advanced settings **Configuration**, select **Data** and then **Custom Logs**.\n2. Select **Apply below configuration to my machines** and click **Add**.\n3. Upload a sample AFAD Syslog file from the **Linux** machine running the **Syslog** server and click **Next**, for your convenience, you can find such a file [here](https://github.com/Azure/azure-quickstart-templates/blob/master/alsid-syslog-proxy/logs/AlsidForAD.log).\n4. Set the record delimiter to **New Line** if not already the case and click **Next**.\n5. Select **Linux** and enter the file path to the **Syslog** file, click **+** then **Next**. If you used the Quickstart template in step 1, the default location of the file is `/var/log/AlsidForAD.log`.\n6. Set the **Name** to *AlsidForADLog_CL* then click **Done** (Azure automatically adds *_CL* at the end of the name, there must be only one, make sure the name is not *AlsidForADLog_CL_CL*).\n\nAll of these steps are showcased [here](https://www.youtube.com/watch?v=JwV1uZSyXM4&feature=youtu.be) as an example",
"instructions": [
{
"parameters": {
"linkType": "OpenAdvancedWorkspaceSettings"
},
"type": "InstallAgent"
}
]
},
{
"title": "",
"description": "> You should now be able to receive logs in the *AlsidForADLog_CL* table, logs data can be parse using the **afad_parser()** function, used by all query samples, workbooks and analytic templates."
}
],
"metadata": {
"id": "12ff1831-b733-4861-a3e7-6115d20106f4",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "Alsid"
},
"support": {
"name": "Alsid",
"link": "https://www.alsid.com/contact-us/",
"tier": "developer"
}
}
}
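Review bot: The `IsConnectedQuery` in `connectivityCriterias` now reads from `afad_parser`, a Kusto function the user must create by hand (first instruction step), whereas `lastDataReceivedQuery` in `dataTypes` still reads the raw `AlsidForADLog_CL` table; until the function exists the connectivity check will error rather than report disconnected. Either keep the connectivity query on the table, `"AlsidForADLog_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"`, or state in the banner that the function must be created before the connector page can show status. Step 2 now documents that the Quickstart Syslog server listens on UDP 514 and TCP 1514 without TLS; since these logs carry Active Directory exposure and attack indicators, the step should tell the reader to restrict inbound access to the Alsid for AD source address (for example with a network security group) and to prefer the TCP listener. The new step 2 text also spells "seperate" (the old text had "separate"), and the closing step still reads "logs data can be parse".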


@ -11,12 +11,22 @@ from .state_manager import StateManager
from dateutil.parser import parse as parse_date
import azure.functions as func
import logging
import re
WORKSPACE_ID = os.environ['AzureSentinelWorkspaceId']
SHARED_KEY = os.environ['AzureSentinelSharedKey']
logAnalyticsUri = os.environ.get('logAnalyticsUri')
LOG_TYPE = 'BoxEvents'
if ((logAnalyticsUri in (None, '') or str(logAnalyticsUri).isspace())):
logAnalyticsUri = 'https://' + WORKSPACE_ID + '.ods.opinsights.azure.com'
pattern = r"https:\/\/([\w\-]+)\.ods\.opinsights\.azure.([a-zA-Z\.]+)$"
match = re.match(pattern,str(logAnalyticsUri))
if(not match):
raise Exception("Invalid Log Analytics Uri.")
# interval of script execution
SCRIPT_EXECUTION_INTERVAL_MINUTES = 2
# if ts of last extracted event is older than now - MAX_PERIOD_MINUTES -> script will get events from now - SCRIPT_EXECUTION_INTERVAL_MINUTES
@ -41,7 +51,7 @@ def main(mytimer: func.TimerRequest):
logging.info('Script started. Getting events from stream_position {}, created_after {}'.format(stream_position, created_after))
sentinel = AzureSentinelConnector(workspace_id=WORKSPACE_ID, shared_key=SHARED_KEY, log_type=LOG_TYPE, queue_size=10000)
sentinel = AzureSentinelConnector(workspace_id=WORKSPACE_ID, logAnalyticsUri = logAnalyticsUri, shared_key=SHARED_KEY, log_type=LOG_TYPE, queue_size=10000)
with sentinel:
for events, stream_position in get_events(config_dict, created_after, stream_position=stream_position):
for event in events:
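Review bot: The validation regex for the `logAnalyticsUri` override leaves the dot between `azure` and the suffix unescaped (`\.azure.([a-zA-Z\.]+)$`), so it matches any character at that position and the check is looser than intended; because the shared-key-signed payload is posted to whatever host passes this check, make the pattern exact: `pattern = r"https:\/\/([\w\-]+)\.ods\.opinsights\.azure\.([a-zA-Z\.]+)$"`. The pattern also accepts a workspace ID in the host that differs from `WORKSPACE_ID`; if the override is only meant to select a cloud, comparing `match.group(1)` with `WORKSPACE_ID` would catch a misconfigured setting at startup instead of at the first rejected upload. `raise Exception("Invalid Log Analytics Uri.")` would be more precise as `ValueError`, and the call argument `logAnalyticsUri = logAnalyticsUri` should drop the spaces around `=` per PEP 8. `main` starts and ends outside this hunk.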


@ -9,8 +9,9 @@ from threading import Thread
class AzureSentinelConnector:
def __init__(self, workspace_id, shared_key, log_type, queue_size=200, bulks_number=10, queue_size_bytes=25 * (2**20)):
def __init__(self, workspace_id, logAnalyticsUri, shared_key, log_type, queue_size=200, bulks_number=10, queue_size_bytes=25 * (2**20)):
self.workspace_id = workspace_id
self.logAnalyticsUri = logAnalyticsUri
self.shared_key = shared_key
self.log_type = log_type
self.queue_size = queue_size
@ -79,7 +80,7 @@ class AzureSentinelConnector:
rfc1123date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
content_length = len(body)
signature = self._build_signature(workspace_id, shared_key, rfc1123date, content_length, method, content_type, resource)
uri = 'https://' + workspace_id + '.ods.opinsights.azure.com' + resource + '?api-version=2016-04-01'
uri = self.logAnalyticsUri + resource + '?api-version=2016-04-01'
headers = {
'content-type': content_type,
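Review bot: `logAnalyticsUri` is inserted as a new required positional parameter between `workspace_id` and `shared_key` in `AzureSentinelConnector.__init__`, so any caller not updated in this commit — and any caller passing arguments positionally — will fail with a `TypeError` or bind its arguments to the wrong parameters. Appending it as a keyword parameter with a default keeps existing callers working: `def __init__(self, workspace_id, shared_key, log_type, queue_size=200, bulks_number=10, queue_size_bytes=25 * (2**20), logAnalyticsUri=None):` with `self.logAnalyticsUri = logAnalyticsUri or 'https://' + workspace_id + '.ods.opinsights.azure.com'`, which is exactly the endpoint the old `uri` line hard-coded. The new `uri` concatenation also yields a double slash if the configured value carries a trailing `/`; the caller in this commit rejects that form, but if this class is reused elsewhere, `self.logAnalyticsUri.rstrip('/')` would make it robust. Both `__init__` and the method containing the `uri` line extend beyond the hunk.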

Двоичные данные
DataConnectors/Box/BoxConn.zip



@ -124,7 +124,7 @@
},
{
"title": "",
"description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tAzureSentinelWorkspaceId\n\t\tAzureSentinelSharedKey\n\t\tBOX_CONFIG_JSON\n3. Once all application settings have been entered, click **Save**."
"description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tAzureSentinelWorkspaceId\n\t\tAzureSentinelSharedKey\n\t\tBOX_CONFIG_JSON\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://<CustomerId>.ods.opinsights.azure.us`.\n3. Once all application settings have been entered, click **Save**."
}
]
}
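Review bot: The new description text numbers two consecutive steps as `3.` ("3. Add each of the following application settings…" followed by "3. Once all application settings have been entered…"); the second should read `4. Once all application settings have been entered, click **Save**.`. The added `logAnalyticsUri (optional)` guidance is helpful; it could also say that the value must match `https://<CustomerId>.ods.opinsights.azure.<suffix>` exactly, since the function code in this commit rejects any other form at startup.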


@ -4,6 +4,8 @@
"parameters": {
"FunctionName": {
"defaultValue": "Box",
"minLength": 1,
"maxLength": 11,
"type": "string"
},
"BoxConfigJSON": {
@ -20,7 +22,9 @@
}
},
"variables": {
"FunctionName": "[concat(toLower(parameters('FunctionName')), uniqueString(resourceGroup().id))]"
"FunctionName": "[concat(toLower(parameters('FunctionName')), uniqueString(resourceGroup().id))]",
"StorageSuffix": "[environment().suffixes.storage]",
"LogAnaltyicsUri": "[replace(environment().portal, 'https://portal', concat('https://', toLower(parameters('AzureSentinelWorkspaceId')), '.ods.opinsights'))]"
},
"resources": [
{
@ -141,28 +145,16 @@
"FUNCTIONS_WORKER_RUNTIME": "python",
"APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('FunctionName')), '2015-05-01').InstrumentationKey]",
"APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('FunctionName')), '2015-05-01').ConnectionString]",
"AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=core.windows.net')]",
"AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
"BOX_CONFIG_JSON": "[parameters('BoxConfigJSON')]",
"AzureSentinelWorkspaceId": "[parameters('AzureSentinelWorkspaceId')]",
"AzureSentinelSharedKey": "[parameters('AzureSentinelSharedKey')]",
"logAnalyticsUri": "[variables('LogAnaltyicsUri')]",
"WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-BoxDataConnector-functionapp"
}
}
]
},
{
"type": "Microsoft.Web/sites/hostNameBindings",
"apiVersion": "2018-11-01",
"name": "[concat(variables('FunctionName'), '/', variables('FunctionName'), '.azurewebsites.net')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', variables('FunctionName'))]"
],
"properties": {
"siteName": "[variables('FunctionName')]",
"hostNameType": "Verified"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
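Review bot: The variable added as `LogAnaltyicsUri` is misspelled, and the `logAnalyticsUri` app setting references it with the same misspelling; it works because both sites agree, but it will trip the next person who searches for it — rename both to `LogAnalyticsUri`. Deriving the ODS endpoint by string-replacing `https://portal` in `environment().portal` is fragile: it depends on the portal hostname starting with exactly that prefix in every cloud, and a change there would yield a URI the function's startup validation rejects, so either document that assumption next to the variable or expose a parameter that lets the deployer override it. The new `maxLength: 11` on `FunctionName` is presumably there because the storage account name is the lowercased name plus a 13-character `uniqueString` and must stay within 24 characters; saying so in the parameter's `metadata.description` would stop someone raising the limit.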


@ -0,0 +1,159 @@
{
"id": "Corelight",
"title": "Corelight",
"publisher": "Corelight",
"descriptionMarkdown": "The [Corelight](https://corelight.com/) data connector provides the capability to ingest [Corelight Zeek/Bro events](https://www3.corelight.com/zeek-logs-v3.0) into Azure Sentinel. Refer to [Corelight Logs documentation](https://corelight.com/about-zeek/how-zeek-works) for more information.",
"additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected. Follow the steps to use this Kusto Function alias **Corelight** in queries and workbooks. [Follow steps to get this Kusto Function>](https://aka.ms/sentinel-Corelight-parser)",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "Corelight_CL",
"baseQuery": "Corelight"
}
],
"sampleQueries": [
{
"description" : "Top 10 Clients (Source IP)",
"query": "Corelight\n | summarize count() by SrcIpAddr\n | top 10 by count_"
}
],
"dataTypes": [
{
"name": "Corelight_CL",
"lastDataReceivedQuery": "Corelight\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"Corelight\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 2,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
]
},
"instructionSteps": [
{
"title": "",
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. [Follow these steps](https://aka.ms/sentinel-Corelight-parser) to create the Kusto Functions alias, **Corelight**",
"instructions": [
]
},
{
"title": "1. Install and onboard the agent for Linux or Windows",
"description": "Install the agent on the Server where the Corelight logs are generated.\n\n> Logs from Corelight Server deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents.",
"instructions": [
{
"parameters": {
"title": "Choose where to install the Linux agent:",
"instructionSteps": [
{
"title": "Install agent on Azure Linux Virtual Machine",
"description": "Select the machine to install the agent on and then click **Connect**.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxVirtualMachine"
},
"type": "InstallAgent"
}
]
},
{
"title": "Install agent on a non-Azure Linux Machine",
"description": "Download the agent on the relevant machine and follow the instructions.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxNonAzure"
},
"type": "InstallAgent"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
]
},
{
"instructions": [
{
"parameters": {
"title": "Choose where to install the Windows agent:",
"instructionSteps": [
{
"title": "Install agent on Azure Windows Virtual Machine",
"description": "Select the machine to install the agent on and then click **Connect**.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnVirtualMachine"
},
"type": "InstallAgent"
}
]
},
{
"title": "Install agent on a non-Azure Windows Machine",
"description": "Download the agent on the relevant machine and follow the instructions.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnNonAzure"
},
"type": "InstallAgent"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
]
},
{
"title": "2. Configure the logs to be collected",
"description":"Follow the configuration steps below to get Corelight logs into Azure Sentinel. This configuration enriches events generated by Corelight module to provide visibility on log source information for Corelight logs. Refer to the [Azure Monitor Documentation](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-json) for more details on these steps.\n1. Download config file [corelight.conf](link to the file).\n2. Login to the server where you have installed Azure Log Analytics agent.\n3. Copy corelight.conf to the /etc/opt/microsoft/omsagent/**workspace_id**/conf/omsagent.d/ folder.\n4. Edit corelight.conf as follows:\n\n\t i. change the path to Corelight logs based on your configuration (line 3)\n\n\t ii. replace **workspace_id** with real value of your Workspace ID (lines 25,26,27,30)\n5. Save changes and restart the Azure Log Analytics agent for Linux service with the following command:\n\t\tsudo /opt/microsoft/omsagent/bin/service_control restart",
"instructions":[
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
}
]
}
]
}
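Review bot: The configuration step links the config file with a placeholder, `[corelight.conf](link to the file)`, so the rendered connector page will show a dead link; replace it with the real URL of the corelight.conf added in this commit. The page offers both Linux and Windows agent installation in step 1, but the configuration instructions only cover the Linux omsagent path (`/etc/opt/microsoft/omsagent/...`), so either drop the Windows group or add the corresponding Windows steps. `graphQueries.baseQuery` queries the `Corelight` parser function rather than the `Corelight_CL` table named in the legend, so the graph will error rather than show zero until the function is created; the banner already says the parser is required, but querying the table here would make the page usable before that step.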


@ -0,0 +1,37 @@
<source>
type tail
path /var/log/corelight/*.log
pos_file /tmp/corelight.pos
read_from_head true
refresh_interval 10
tag oms.api.Corelight
path_key "log_file"
format none
</source>
<filter oms.api.Corelight>
type record_transformer
enable_ruby
<record>
hostname "${hostname}"
</record>
</filter>
<match oms.api.Corelight>
type out_oms_api
log_level info
num_threads 5
omsadmin_conf_path /etc/opt/microsoft/omsagent/<workspace id>/conf/omsadmin.conf
cert_path /etc/opt/microsoft/omsagent/<workspace id>/certs/oms.crt
key_path /etc/opt/microsoft/omsagent/<workspace id>/certs/oms.key
buffer_chunk_limit 10m
buffer_type file
buffer_path /var/opt/microsoft/omsagent/<workspace id>/state/out_oms_api_corelight*.buffer
buffer_queue_limit 10
buffer_queue_full_action drop_oldest_chunk
flush_interval 30s
retry_limit 10
retry_wait 30s
max_retry_wait 9m
</match>
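Review bot: `pos_file /tmp/corelight.pos` keeps the tail cursor in a world-writable, predictable location where any local user can delete or replace it, and with `read_from_head true` a lost cursor makes the agent re-ingest every Corelight log from the beginning. The buffer_path line already uses the agent's own state directory, so the cursor belongs there as well: `pos_file /var/opt/microsoft/omsagent/<workspace id>/state/corelight.pos`. Separately, `buffer_queue_full_action drop_oldest_chunk` silently discards security telemetry under backpressure; if that loss is not acceptable, `block` keeps the records at the cost of pausing the tail, and either way a one-line comment above the buffer settings stating the chosen trade-off would help operators.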


@ -0,0 +1,156 @@
{
"id": "Exabeam",
"title": "Exabeam Advanced Analytics",
"publisher": "Exabeam",
"descriptionMarkdown": "The [Exabeam Advanced Analytics](https://www.exabeam.com/ueba/advanced-analytics-and-mitre-detect-and-stop-threats/) data connector provides the capability to ingest Exabeam Advanced Analytics events into Azure Sentinel. Refer to [Exabeam Advanced Analytics documentation](https://docs.exabeam.com/) for more information.",
"additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected. Follow the steps to use this Kusto Function alias **ExabeamEvent** in queries and workbooks. [Follow steps to get this Kusto Function>](https://aka.ms/sentinel-Exabeam-parser)",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "Exabeam",
"baseQuery": "ExabeamEvent"
}
],
"sampleQueries": [
{
"description" : "Top 10 Clients (Source IP)",
"query": "ExabeamEvent\n | summarize count() by SrcIpAddr\n | top 10 by count_"
}
],
"dataTypes": [
{
"name": "Syslog (Exabeam)",
"lastDataReceivedQuery": "ExabeamEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"ExabeamEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 2,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "write permission is required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"delete": true
}
}
]
},
"instructionSteps": [
{
"title": "",
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. [Follow these steps](https://aka.ms/sentinel-Exabeam-parser) to create the Kusto Functions alias, **ExabeamEvent**",
"instructions": [
]
},
{
"title": "",
"description": ">**NOTE:** This data connector has been developed using Exabeam Advanced Analytics i54 (Syslog)",
"instructions": [
]
},
{
"title": "1. Install and onboard the agent for Linux or Windows",
"description": "Install the agent on the server where the Exabeam Advanced Analytic logs are generated or forwarded.\n\n> Logs from Exabeam Advanced Analytic deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents.",
"instructions": [
{
"parameters": {
"title": "Choose where to install the Linux agent:",
"instructionSteps": [
{
"title": "Install agent on Azure Linux Virtual Machine",
"description": "Select the machine to install the agent on and then click **Connect**.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxVirtualMachine"
},
"type": "InstallAgent"
}
]
},
{
"title": "Install agent on a non-Azure Linux Machine",
"description": "Download the agent on the relevant machine and follow the instructions.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxNonAzure"
},
"type": "InstallAgent"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
]
},
{
"instructions": [
{
"parameters": {
"title": "Choose where to install the Windows agent:",
"instructionSteps": [
{
"title": "Install agent on Azure Windows Virtual Machine",
"description": "Select the machine to install the agent on and then click **Connect**.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnVirtualMachine"
},
"type": "InstallAgent"
}
]
},
{
"title": "Install agent on a non-Azure Windows Machine",
"description": "Download the agent on the relevant machine and follow the instructions.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnNonAzure"
},
"type": "InstallAgent"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
]
},
{
"title": "2. Configure the logs to be collected",
"description": "Configure the custom log directory to be collected" ,
"instructions": [
{
"parameters": {
"linkType": "OpenAdvancedWorkspaceSettings"
},
"type": "InstallAgent"
}
]
},
{
"title": "3. Configure Exabeam event forwarding to Syslog",
"description": "[Follow these instructions](https://docs.exabeam.com/en/advanced-analytics/i54/advanced-analytics-administration-guide/113254-configure-advanced-analytics.html#UUID-7ce5ff9d-56aa-93f0-65de-c5255b682a08) to send Exabeam Advanced Analytics activity log data via syslog."
}
]
}
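Review bot: The connector's health queries all go through the Kusto alias `ExabeamEvent` (graphQueries, lastDataReceivedQuery and the IsConnectedQuery), which only exists after the user has installed the parser from the first instruction step, so until then these queries fail on an unresolved name instead of reporting "no data / not connected"; pointing them at the underlying table the syslog data lands in would be more robust. Step 2 opens the custom-log settings (`OpenAdvancedWorkspaceSettings`) while the data type is named `Syslog (Exabeam)` and step 3 configures syslog forwarding, so please state which table the events actually arrive in so the steps agree. The permissions block declares `"delete": true` on the workspace, which is more than installing an agent needs; confirm that the connector framework requires it rather than it being copied from another connector. Minor: `"description": "Configure the custom log directory to be collected" ,` has a stray space before the comma.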


@ -1,5 +1,5 @@
{
"id": "FORCEPOINT_NGFW",
"id": "ForcepointNgfw",
"title": "Forcepoint NGFW (Preview)",
"publisher": "Forcepoint",
"descriptionMarkdown": "The Forcepoint NGFW (Next Generation Firewall) connector allows you to automatically export user-defined Forcepoint NGFW logs into Azure Sentinel in real-time. This enriches visibility into user activities recorded by NGFW, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Azure Sentinel.",


@ -1,5 +1,5 @@
{
"id": "Zimperium_MTD_Alerts",
"id": "ZimperiumMtdAlerts",
"title": "Zimperium Mobile Threat Defense",
"publisher": "Zimperium",
"descriptionMarkdown": "Zimperium Mobile Threat Defense connector gives you the ability to connect the Zimperium threat log with Azure Sentinel to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's mobile threat landscape and enhances your security operation capabilities.",


@ -0,0 +1,20 @@
id: 25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c
name: Alsid DCShadow
description: |
'Searches for DCShadow attacks'
severity: High
requiredDataConnectors:
- connectorId: AlsidForAD
dataTypes:
- AlsidForADLog_CL
queryFrequency: 2h
queryPeriod: 2h
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1207
query: |
afad_parser
| where MessageType == 2 and Codename == "DCShadow"
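Review bot: `MessageType == 2` is a magic value that the rule relies on to select Alsid attack events, and nothing in the rule says so; a comment in the query such as `// MessageType 2 = Indicator of Attack event, as classified by afad_parser` would let a maintainer verify the filter without opening the parser. The same undocumented constant is repeated in the DCSync, Golden Ticket, Indicators of Attack, LSASS Memory, Password Guessing and Password Spraying rules in this commit. Also note that the `description` block scalar carries its own single quotes (`'Searches for DCShadow attacks'`), so the quote characters become part of the rendered description; dropping them, or using `description: Searches for DCShadow attacks`, avoids that, and the other six rules share the pattern.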


@ -0,0 +1,20 @@
id: d3c658bd-8da9-4372-82e4-aaffa922f428
name: Alsid DCSync
description: |
'Searches for DCSync attacks'
severity: High
requiredDataConnectors:
- connectorId: AlsidForAD
dataTypes:
- AlsidForADLog_CL
queryFrequency: 2h
queryPeriod: 2h
triggerOperator: gt
triggerThreshold: 0
tactics:
- CredentialAccess
relevantTechniques:
- T1003.006
query: |
afad_parser
| where MessageType == 2 and Codename == "DCSync"


@ -0,0 +1,20 @@
id: 21ab3f52-6d79-47e3-97f8-ad65f2cb29fb
name: Alsid Golden Ticket
description: |
'Searches for Golden Ticket attacks'
severity: High
requiredDataConnectors:
- connectorId: AlsidForAD
dataTypes:
- AlsidForADLog_CL
queryFrequency: 2h
queryPeriod: 2h
triggerOperator: gt
triggerThreshold: 0
tactics:
- CredentialAccess
relevantTechniques:
- T1558.001
query: |
afad_parser
| where MessageType == 2 and Codename == "Golden Ticket"


@ -0,0 +1,28 @@
id: 3caa67ef-8ed3-4ab5-baf2-3850d3667f3d
name: Alsid Indicators of Attack
description: |
'Searches for triggered Indicators of Attack'
severity: Low
requiredDataConnectors:
- connectorId: AlsidForAD
dataTypes:
- AlsidForADLog_CL
queryFrequency: 2h
queryPeriod: 2h
triggerOperator: gt
triggerThreshold: 0
tactics:
- CredentialAccess
relevantTechniques:
- T1110
query: |
let SeverityTable=datatable(Severity:string,Level:int) [
"low", 1,
"medium", 2,
"high", 3,
"critical", 4
];
afad_parser
| where MessageType == 2
| lookup kind=leftouter SeverityTable on Severity
| order by Level
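Review bot: This rule matches every `MessageType == 2` event, so it re-alerts on exactly the events that the dedicated DCShadow, DCSync, Golden Ticket, LSASS Memory, Password Guessing and Password Spraying rules in this commit already raise, which yields duplicate incidents for the same detection; either exclude those codenames here or document in the description that this is the intended catch-all. The metadata is also narrower than the query: `tactics: CredentialAccess` and `relevantTechniques: T1110` describe password guessing, not an arbitrary indicator of attack, and `severity: Low` is fixed even though the query derives a `Level` from the Alsid severity that it then uses only for `order by`. The `SeverityTable` keys are lowercase and `lookup` compares string keys case-sensitively, so if `afad_parser` passes the severity through with the vendor's casing the lookup returns null; `| extend Severity = tolower(Severity)` before the lookup, or a comment confirming the casing, would settle it.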


@ -0,0 +1,20 @@
id: 3acf5617-7c41-4085-9a79-cc3a425ba83a
name: Alsid LSASS Memory
description: |
'Searches for OS Credentials dumping attacks'
severity: High
requiredDataConnectors:
- connectorId: AlsidForAD
dataTypes:
- AlsidForADLog_CL
queryFrequency: 2h
queryPeriod: 2h
triggerOperator: gt
triggerThreshold: 0
tactics:
- CredentialAccess
relevantTechniques:
- T1003.001
query: |
afad_parser
| where MessageType == 2 and Codename == "OS Credential Dumping: LSASS Memory"


@ -0,0 +1,20 @@
id: ba239935-42c2-472d-80ba-689186099ea1
name: Alsid Password Guessing
description: |
'Searches for bruteforce Password Guessing attacks'
severity: High
requiredDataConnectors:
- connectorId: AlsidForAD
dataTypes:
- AlsidForADLog_CL
queryFrequency: 2h
queryPeriod: 2h
triggerOperator: gt
triggerThreshold: 0
tactics:
- CredentialAccess
relevantTechniques:
- T1110
query: |
afad_parser
| where MessageType == 2 and Codename == "Password Guessing"


@ -0,0 +1,20 @@
id: 9e20eb4e-cc0d-4349-a99d-cad756859dfb
name: Alsid Password Spraying
description: |
'Searches for Password spraying attacks'
severity: High
requiredDataConnectors:
- connectorId: AlsidForAD
dataTypes:
- AlsidForADLog_CL
queryFrequency: 2h
queryPeriod: 2h
triggerOperator: gt
triggerThreshold: 0
tactics:
- CredentialAccess
relevantTechniques:
- T1110.003
query: |
afad_parser
| where MessageType == 2 and Codename == "Password Spraying"

1
Logos/corelight.svg Normal file

@ -0,0 +1 @@
<svg id="a949bbb6-6d51-4e9b-b73e-d1f2070c8dbd" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 73 73.04"><path id="a201a3aa-59b7-4110-92df-cba76dad51ef" d="M49.16,32h0a.57.57,0,0,0-.63.63h0a2.61,2.61,0,0,0-1.72-.71,1.71,1.71,0,0,0-1.89,2v5.58a1.75,1.75,0,0,0,1.89,1.94,2.74,2.74,0,0,0,1.7-.71v2.66c0,.55-.26.79-.81.79H47c-.59,0-.85-.24-.85-.77v-.08c0-.24-.1-.53-.59-.53h-.06a.52.52,0,0,0-.59.57v.08c0,1.28.69,1.93,2,1.93h.65a1.91,1.91,0,0,0,2.17-2.11V32.61C49.81,32.19,49.59,32,49.16,32Zm-.65,7.41a2.33,2.33,0,0,1-1.5.73.72.72,0,0,1-.81-.82V34c0-.59.24-.85.79-.85a2.25,2.25,0,0,1,1.52.83Zm-6.39,3a.58.58,0,0,0,.65-.65V32.67a.57.57,0,0,0-.65-.64h0a.58.58,0,0,0-.65.64v9.07a.59.59,0,0,0,.65.65Zm0-13.37h0a.62.62,0,0,0-.67.67v.45a.62.62,0,0,0,.67.67h0a.61.61,0,0,0,.67-.67v-.45A.61.61,0,0,0,42.12,29ZM38.39,42.39a.58.58,0,0,0,.65-.65V29.43a.58.58,0,0,0-.65-.65h0a.58.58,0,0,0-.65.65V41.74a.59.59,0,0,0,.65.65Zm-3.34-4.63a.66.66,0,0,0,.73-.73V34.28A2.06,2.06,0,0,0,33.46,32H33.2a2.05,2.05,0,0,0-2.31,2.32v5.88a2,2,0,0,0,2.31,2.31h.26a2.05,2.05,0,0,0,2.32-2.31v-.67a.57.57,0,0,0-.63-.63h0a.57.57,0,0,0-.63.63v.71c0,.69-.33,1-1,1h-.22c-.69,0-1-.32-1-1V37.76Zm-2.8-3.52a.89.89,0,0,1,1-1h.2c.69,0,1,.33,1,1v2.25H32.23V34.24Zm-4.83-2.19h0a.56.56,0,0,0-.63.6v9.11a.58.58,0,0,0,.63.65h0a.58.58,0,0,0,.65-.65V34.15a3.18,3.18,0,0,1,1.16-.67c.56-.16.69-.5.69-.77v-.12a.57.57,0,0,0-.59-.65c-.39,0-.79.29-1.24.86v-.19A.59.59,0,0,0,27.42,32.05ZM22.68,32h-.39A2.05,2.05,0,0,0,20,34.28v5.88a2,2,0,0,0,2.31,2.31h.39A2,2,0,0,0,25,40.16V34.28A2,2,0,0,0,22.68,32Zm1,8.24a.86.86,0,0,1-1,1h-.37a.86.86,0,0,1-1-1v-6c0-.69.32-1,1-1h.37c.69,0,1,.33,1,1Zm-6-4.2h0a.58.58,0,0,0,.65-.65V34.24A2,2,0,0,0,16.05,32h-.33a2.05,2.05,0,0,0-2.31,2.32v5.88a2,2,0,0,0,2.31,2.31h.33a2,2,0,0,0,2.29-2.31V38.74a.58.58,0,0,0-.65-.63h0a.57.57,0,0,0-.63.63V40.2a.86.86,0,0,1-1,1h-.29a.86.86,0,0,1-1-1v-6c0-.69.32-1,1-1H16c.69,0,1,.33,1,1v1.11A.57.57,0,0,0,17.63,36Zm37.19-4a2.66,2.66,0,0,0-1.75.75V29.45a.58.58,0,0,0-.65-.65h0a.57.57,0,0,0-.62.65V
41.76a.57.57,0,0,0,.62.65h0a.58.58,0,0,0,.65-.65V34a2.5,2.5,0,0,1,1.52-.77c.51,0,.75.26.75.81v7.75a.59.59,0,0,0,.65.65h0a.58.58,0,0,0,.63-.65V33.81A1.66,1.66,0,0,0,54.82,32Zm4.76,10.43h0a.59.59,0,0,1-.65-.65V33.3h-.16a.56.56,0,0,1-.61-.61v0a.54.54,0,0,1,.61-.58h.18V31a.59.59,0,0,1,.65-.65h0a.58.58,0,0,1,.65.65v1.08h.63a.52.52,0,0,1,.59.58v0a.54.54,0,0,1-.59.61h-.63v8.44A.6.6,0,0,1,59.58,42.39Z" transform="translate(-1 -0.98)"/><path id="f6598a2b-3c00-4d19-b9dc-59da3af4d8b7" d="M66.07,38.84a28.67,28.67,0,0,1-56.7,4.5,30,30,0,0,1-.56-5.72A28.68,28.68,0,0,1,37.48,8.93V1A36.52,36.52,0,1,0,74,38.84Z" transform="translate(-1 -0.98)" fill="#00ff17"/></svg>



3
Logos/exabeam.svg Normal file

@ -0,0 +1,3 @@
<svg width="75" height="75" viewBox="0 0 75 75" fill="none" xmlns="http://www.w3.org/2000/svg">
<path d="M45.9 16.9774L16.8 56.9765H25.5L50.25 22.9549L54.6 28.9323L29.1 63.9502H3L41.55 11L45.9 16.9774ZM37.8 64H63.9L69 56.9765L72 52.8421L67.65 46.8647L60.3 56.9765H51.6L63.3 40.8872L58.95 34.9098L37.8 64Z" fill="#6ABA4F"/>
</svg>




@ -91,6 +91,16 @@ let Changes = Common
EventID:string "\" \""
EventType:string "\" "
Attributes:string "\r?\n";
union Changes, Deviances
let Attacks = Common
| where MessageType == 2
| parse DistinctPart with "\""
Codename:string "\" \""
Severity:string "\" \""
SourceHostname:string "\" \""
SourceIP:string "\" \""
DestinationHostname:string "\" \""
DestinationIP:string "\" \""
Attributes:string "\r\n";
union Changes, Deviances, Attacks
| project-away DistinctPart, Product, _ResourceId, _SubscriptionId
| lookup kind=leftouter CodenameTable on Codename;
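Review bot: The new Attacks parse terminates the `Attributes` capture with `"\r\n"` while the Changes parse a few lines above terminates with `"\r?\n"`; whichever form is correct for this file, the two should agree, because in the default simple parse mode a terminator that never occurs in the message fails the whole pattern and leaves Codename, Severity and the other extracted columns null, which silently disables every analytic rule in this commit that filters on `Codename`. The `MessageType == 2` filter deserves a comment such as `// MessageType 2 = Indicator of Attack` since the same constant is repeated unexplained in the new rules. The `let Common` definition and any `kind=` argument on the parse are outside this hunk, so I could not confirm which parse mode is in effect.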


@ -0,0 +1,621 @@
// Usage Instruction :
// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as Corelight.
// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. Corelight | take 10).
// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
let Corelight_view = view () {
Corelight_CL | where isnotempty(Message)
| extend tmp = parse_json(Message)
| evaluate bag_unpack(tmp)| extend path_parts = parse_path(log_file_s)
| extend EventType = extract("(^.*?)_\\d+", 1, tostring(path_parts["Filename"])),
EventVendor="Corelight",
EventProduct="Corelight Sensor",
SrcDvcHostname=column_ifexists('hostname_s', ''),
EventEndTime=column_ifexists('ts', ''),
SrcDvcFile=column_ifexists('log_file_s', '')
| project-away path_parts, log_file_s
};
let Corelight_main_view = view () {
Corelight_view
| extend
Action=column_ifexists('action', ''),
Actions=column_ifexists('actions', ''),
AgentRemoteId=column_ifexists('agent_remote_id', ''),
Analyzer=column_ifexists('analyzer', ''),
AuthAttempts=column_ifexists('auth_attempts', ''),
AuthSuccess=column_ifexists('auth_success', ''),
BasicConstraintsCa=column_ifexists('basic_constraints.ca', ''),
BasicConstraintsPathLen=column_ifexists('basic_constraints.path_len', ''),
Cc=column_ifexists('cc', ''),
CertificateCn=column_ifexists('certificate.cn', ''),
CertificateCurve=column_ifexists('certificate.curve', ''),
CertificateExponent=column_ifexists('certificate.exponent', ''),
CertificateHashSha1=column_ifexists('orig_certificate_sha1', ''),
CertificateIssuer=column_ifexists('certificate.issuer', column_ifexists('client_issuer', '')),
CertificateKeyAlg=column_ifexists('certificate.key_alg', ''),
CertificateKeyLength=column_ifexists('certificate.key_length', ''),
CertificateKeyType=column_ifexists('certificate.key_type', ''),
CertificateNotValidAfter=column_ifexists('certificate.not_valid_after', ''),
CertificateNotValidBefore=column_ifexists('certificate.not_valid_before', ''),
CertificateSerial=column_ifexists('certificate.serial', ''),
CertificateSigAlg=column_ifexists('certificate.sig_alg', ''),
CertificateSubject=column_ifexists('certificate.subject', column_ifexists('client_subject', '')),
CertificateVersion=column_ifexists('certificate.version', ''),
CipherAlg=column_ifexists('cipher_alg', ''),
Client=column_ifexists('client', ''),
ClientMessage=column_ifexists('client_message', ''),
ClientSoftware=column_ifexists('client_software', ''),
CompileTs=column_ifexists('compile_ts', ''),
CompressionAlg=column_ifexists('compression_alg', ''),
Cshka=column_ifexists('cshka', ''),
DataChannelOrigH=column_ifexists('data_channel.orig_h', ''),
DataChannelPassive=column_ifexists('data_channel.passive', ''),
DataChannelRespH=column_ifexists('data_channel.resp_h', ''),
DataChannelRespP=column_ifexists('data_channel.resp_p', ''),
Date=column_ifexists('date', ''),
Depth=column_ifexists('depth', ''),
DhcpAssignedIpAddr=column_ifexists('assigned_addr', ''),
DhcpCircuitId=column_ifexists('circuit_id', ''),
DhcpLeaseTime=column_ifexists('lease_time', ''),
DhcpRequestedIpAddr=column_ifexists('requested_addr', ''),
DhcpSubscriberId=column_ifexists('subscriber_id', ''),
Direction=column_ifexists('direction', ''),
Dnp3FunctionReply=column_ifexists('fc_reply', ''),
Dnp3FunctionRequest=column_ifexists('fc_request', ''),
Dnp3Iin=column_ifexists('iin', ''),
DnsAdditionalAuthoritativeName=column_ifexists('auth', ''),
DnsAdditionalName=column_ifexists('addl', ''),
DnsFlagsAuthoritative=column_ifexists('AA', ''),
DnsFlagsRecursionAvailable=column_ifexists('RA', ''),
DnsFlagsRecursionDesired=column_ifexists('RD', ''),
DnsFlagsTruncated=column_ifexists('TC', ''),
DnsFlagsZ=column_ifexists('Z', ''),
DnsQueryClass=column_ifexists('qclass', ''),
DnsQueryClassName=column_ifexists('qclass_name', ''),
DnsQueryName=column_ifexists('query', ''),
DnsQueryType=column_ifexists('qtype', ''),
DnsQueryTypeName=column_ifexists('qtype_name', ''),
DnsRejected=column_ifexists('rejected', ''),
DnsResponseCode=column_ifexists('rcode', ''),
DnsResponseCodeName=column_ifexists('rcode_name', ''),
DnsResponseName=column_ifexists('answers', ''),
DnsResponseTtl=column_ifexists('TTLs', ''),
DnsRtt=column_ifexists('rtt', ''),
DnsTransactionId=column_ifexists('trans_id', ''),
Domainname=column_ifexists('domainname', ''),
Dropped=column_ifexists('dropped', ''),
Dst=column_ifexists('dst', ''),
DstBytes=column_ifexists('resp_bytes', ''),
DstCertificateIssuerName=column_ifexists('issuer', ''),
DstCertificateSha1=column_ifexists('resp_certificate_sha1', ''),
DstCertificateSubjectName=column_ifexists('subject', ''),
DstHostName=column_ifexists('http_header_host', column_ifexists('tls_server_name', '')),
DstIpAddr=column_ifexists('id.resp_h', column_ifexists('server_addr', column_ifexists('tx_hosts', ''))),
DstIpBytes=column_ifexists('resp_ip_bytes', ''),
DstMac=column_ifexists('resp_l2_addr', ''),
DstPackets=column_ifexists('resp_pkts', ''),
DstPort=column_ifexists('id.resp_p', ''),
Duration=column_ifexists('duration', ''),
EmailBodySections=column_ifexists('email_body_sections', ''),
EventDuration=column_ifexists('duration', ''),
EventUid=column_ifexists('z_Enrichment', column_ifexists('zeek_id_uids', column_ifexists('uid', ''))),
FailureReason=column_ifexists('failure_reason', ''),
FileAccessedTime=column_ifexists('times_accessed', ''),
FileChangedTime=column_ifexists('times_changed', ''),
FileCreationTime=column_ifexists('times_created', ''),
FileDesc=column_ifexists('file_desc', ''),
FileDirectory=column_ifexists('cwd', ''),
FileMimeType=column_ifexists('file_mime_type', column_ifexists('mime_type', column_ifexists('resp_mime_types', ''))),
FileModifiedTime=column_ifexists('times_modified', ''),
FileName=column_ifexists('filename', column_ifexists('resp_filenames', '')),
FilePath=column_ifexists('file_name', ''),
FilePreviousName=column_ifexists('prev_name', ''),
FileSize=column_ifexists('file_size', column_ifexists('total_bytes', column_ifexists('size', ''))),
FileSystemType=column_ifexists('native_file_system', ''),
FingerprintNetworkCommunityId=column_ifexists('community_id', ''),
FirstReceived=column_ifexists('first_received', ''),
From=column_ifexists('from', ''),
FtpCommandLine=column_ifexists('arg', ''),
FtpPassive=column_ifexists('ftp_passive', ''),
FtpProcessName=column_ifexists('command', ''),
Fuid=column_ifexists('fuid', ''),
Fuids=column_ifexists('fuids', ''),
HasCertTable=column_ifexists('has_cert_table', ''),
HasDebugData=column_ifexists('has_debug_data', ''),
HasExportTable=column_ifexists('has_export_table', ''),
HasImportTable=column_ifexists('has_import_table', ''),
HashJa3=column_ifexists('ja3', ''),
HashJa3s=column_ifexists('ja3s', ''),
HashMd5=column_ifexists('md5', ''),
HashSha1=column_ifexists('sha1', ''),
HashSha256=column_ifexists('sha256', ''),
Hassh=column_ifexists('hassh', ''),
Hasshalgorithms=column_ifexists('hasshAlgorithms', ''),
Hasshserver=column_ifexists('hasshServer', ''),
Hasshserveralgorithms=column_ifexists('hasshServerAlgorithms', ''),
Hasshversion=column_ifexists('hasshVersion', ''),
Helo=column_ifexists('helo', ''),
Host=column_ifexists('host', ''),
HostKey=column_ifexists('host_key', ''),
HostKeyAlg=column_ifexists('host_key_alg', ''),
HostP=column_ifexists('host_p', ''),
Hostname=column_ifexists('hostname', ''),
HttpCookieVariables=column_ifexists('cookie_vars', ''),
HttpInformationalCode=column_ifexists('info_code', ''),
HttpInformationalMessage=column_ifexists('info_msg', ''),
HttpProxiedHeaders=column_ifexists('proxied', ''),
HttpReferrerOriginal=column_ifexists('referrer', ''),
HttpRequestBodyBytes=column_ifexists('request_body_len', ''),
HttpRequestHeaderHost=column_ifexists('host', ''),
HttpRequestHeaderNames=column_ifexists('client_header_names', ''),
HttpRequestHeaderOrigin=column_ifexists('origin', ''),
HttpRequestMethod=column_ifexists('method', ''),
HttpResponseBodyBytes=column_ifexists('response_body_len', ''),
HttpResponseBodyOriginal=column_ifexists('post_body', ''),
HttpResponseHeaderNames=column_ifexists('server_header_names', ''),
HttpStatusCode=column_ifexists('status_code', ''),
HttpStatusMessage=column_ifexists('status_msg', ''),
HttpVersion=column_ifexists('version', ''),
Id=column_ifexists('id', ''),
InReplyTo=column_ifexists('in_reply_to', ''),
Is64bit=column_ifexists('is_64bit', ''),
IsExe=column_ifexists('is_exe', ''),
IsOrig=column_ifexists('is_orig', ''),
IsWebmail=column_ifexists('is_webmail', ''),
KexAlg=column_ifexists('kex_alg', ''),
LastReply=column_ifexists('last_reply', ''),
LocalOrig=column_ifexists('local_orig', ''),
Logcert=column_ifexists('logcert', ''),
MacAlg=column_ifexists('mac_alg', ''),
Machine=column_ifexists('machine', ''),
Mailfrom=column_ifexists('mailfrom', ''),
Matched=column_ifexists('matched', ''),
MimeType=column_ifexists('mime_type', ''),
Msg=column_ifexists('msg', ''),
MsgId=column_ifexists('msg_id', ''),
MsgOrig=column_ifexists('msg_orig', ''),
MsgTypes=column_ifexists('msg_types', ''),
N=column_ifexists('n', ''),
Name=column_ifexists('name', ''),
NetworkApplication=column_ifexists('service', ''),
NetworkConnectionHistory=column_ifexists('history', ''),
NetworkConnectionState=column_ifexists('conn_state', ''),
NetworkInnerVlanId=column_ifexists('inner_vlan', ''),
NetworkMissedBytes=column_ifexists('missed_bytes', ''),
NetworkOuterVlanId=column_ifexists('vlan', ''),
NetworkProtocol=case(EventType == "smb_files" or EventType == "smb_mapping" or EventType == "ssl" or EventType == "ssl_red" or EventType == "http" or EventType == "http_red", "tcp",EventType == "dhcp", "udp",column_ifexists('proto','')),
Node=column_ifexists('node', ''),
Note=column_ifexists('note', ''),
Notice=column_ifexists('notice', ''),
Os=column_ifexists('os', ''),
OscpValidationStatus=column_ifexists('ocsp_status', ''),
P=column_ifexists('p', ''),
PacketSegment=column_ifexists('packet_segment', ''),
Path=column_ifexists('path', ''),
Peer=column_ifexists('peer', ''),
PeerDescr=column_ifexists('peer_descr', ''),
Rcptto=column_ifexists('rcptto', ''),
RemoteLocationCity=column_ifexists('remote_location.city', ''),
RemoteLocationCountryCode=column_ifexists('remote_location.country_code', ''),
RemoteLocationLatitude=column_ifexists('remote_location.latitude', ''),
RemoteLocationLongitude=column_ifexists('remote_location.longitude', ''),
RemoteLocationRegion=column_ifexists('remote_location.region', ''),
ReplyCode=column_ifexists('reply_code', ''),
ReplyMsg=column_ifexists('reply_msg', ''),
ReplyTo=column_ifexists('reply_to', ''),
SanDns=column_ifexists('san.dns', ''),
SanEmail=column_ifexists('san.email', ''),
SanIp=column_ifexists('san.ip', ''),
SanUri=column_ifexists('san.uri', '') ,
SecondReceived=column_ifexists('second_received', ''),
SectionNames=column_ifexists('section_names', ''),
SeenIndicator=column_ifexists('seen.indicator', ''),
SeenIndicatorType=column_ifexists('seen.indicator_type', ''),
SeenWhere=column_ifexists('seen.where', ''),
Server=column_ifexists('server', ''),
ServerDnsComputerName=column_ifexists('server_dns_computer_name', ''),
ServerMessage=column_ifexists('server_message', ''),
ServerNbComputerName=column_ifexists('server_nb_computer_name', ''),
ServerSoftware=column_ifexists('server_software', ''),
ServerTreeName=column_ifexists('server_tree_name', ''),
Service=column_ifexists('service', ''),
ShareName=column_ifexists('path', ''),
ShareRelativeTargetName=column_ifexists('name', ''),
ShareType=column_ifexists('share_type', ''),
SmbAction=column_ifexists('action', ''),
SoftwareFlashVersionOriginal=column_ifexists('flash_version', ''),
SoftwareType=column_ifexists('software_type', ''),
Source=column_ifexists('source', ''),
Sources=column_ifexists('sources', ''),
Src=column_ifexists('src', ''),
SrcBytes=column_ifexists('orig_bytes', ''),
SrcDomain=column_ifexists('domain', ''),
SrcFileName=column_ifexists('orig_filenames', ''),
SrcFilePath=column_ifexists('src_file_name', ''),
SrcFqdn=column_ifexists('client_fqdn', ''),
SrcHostName=column_ifexists('host_name', ''),
SrcIpAddr=column_ifexists('id.orig_h', column_ifexists('rx_hosts', column_ifexists('client_addr', ''))),
SrcIpBytes=column_ifexists('orig_ip_bytes', ''),
SrcMac=column_ifexists('mac', column_ifexists('orig_l2_addr', '')),
SrcMimeType=column_ifexists('orig_mime_types', ''),
SrcPackets=column_ifexists('orig_pkts', ''),
SrcPort=column_ifexists('id.orig_p', ''),
Sub=column_ifexists('sub', ''),
Subject=column_ifexists('subject', ''),
SubpressFor=column_ifexists('subpress_for', ''),
Subsystem=column_ifexists('subsystem', ''),
Success=column_ifexists('success', ''),
Tls=column_ifexists('tls', ''),
TlsCertificateValidationStatus=column_ifexists('validation_status', ''),
TlsCipher=column_ifexists('cipher', ''),
TlsCurve=column_ifexists('curve', ''),
TlsEstablished=column_ifexists('established', ''),
TlsLastAlert=column_ifexists('last_alert', ''),
TlsNextProtocol=column_ifexists('next_protocol', ''),
TlsNotaryResponse=column_ifexists('notary', ''),
TlsResumed=column_ifexists('resumed', ''),
TlsServerName=column_ifexists('server_name', ''),
TlsVersion=column_ifexists('version', ''),
TlsVersionNumber=column_ifexists('version_num', ''),
To=column_ifexists('to', ''),
TransDepth=column_ifexists('trans_depth', ''),
TunnelType=column_ifexists('tunnel_type', ''),
UnparsedVersion=column_ifexists('unparsed_version', ''),
Url=column_ifexists('url', ''),
UrlOriginal=column_ifexists('uri', ''),
UrlQueryValues=column_ifexists('uri_vars', ''),
UserAgent=column_ifexists('user_agent', ''),
UserAgentOriginal=column_ifexists('user_agent', ''),
UserName=column_ifexists('user', column_ifexists('username', '')),
UserPassword=column_ifexists('password', ''),
Username=column_ifexists('username', ''),
UsesAslr=column_ifexists('uses_aslr', ''),
UsesCodeIntegrity=column_ifexists('uses_code_integrity', ''),
UsesDep=column_ifexists('uses_dep', ''),
UsesSeh=column_ifexists('uses_seh', ''),
ValidCtLogs=column_ifexists('valid_ct_logs', ''),
ValidCtOperators=column_ifexists('valid_ct_operators', ''),
ValidCtOperatorsList=column_ifexists('valid_ct_operators_list', ''),
Version=column_ifexists('version', ''),
VersionAddl=column_ifexists('version.addl', ''),
VersionMajor=column_ifexists('version.major', ''),
VersionMinor2=column_ifexists('version.minor2', ''),
VersionMinor3=column_ifexists('version.minor3', ''),
VersionMinor=column_ifexists('version.minor', ''),
X509=column_ifexists('x509', ''),
XOriginatingIp=column_ifexists('x_originating_ip', ''),
ZeekConnLocalDst=column_ifexists('local_resp', ''),
ZeekConnLocalSrc=column_ifexists('local_orig', ''),
ZeekFilesAnalyzers=column_ifexists('analyzers', ''),
ZeekFilesEntropy=column_ifexists('entropy', ''),
ZeekFilesExtracted=column_ifexists('extracted', ''),
ZeekFilesExtractedCutoff=column_ifexists('extracted_cutoff', ''),
ZeekFilesExtractedSize=column_ifexists('extracted_size', ''),
ZeekFilesMissingBytes=column_ifexists('missing_bytes', ''),
ZeekFilesOverflowBytes=column_ifexists('overflow_bytes', ''),
ZeekFilesSeenBytes=column_ifexists('seen_bytes', ''),
ZeekFilesTimedout=column_ifexists('timedout', ''),
ZeekHttpOmniture=column_ifexists('omniture', ''),
ZeekHttpTags=column_ifexists('tags', ''),
ZeekHttpTransDepth=column_ifexists('trans_depth', ''),
ZeekIdCertChainFuids=column_ifexists('cert_chain_fuids', ''),
ZeekIdClientCertChainFuids=column_ifexists('client_cert_chain_fuids', ''),
ZeekIdConnUids=column_ifexists('conn_uids', ''),
ZeekIdFuid=column_ifexists('fuid', ''),
ZeekIdOrigFuids=column_ifexists('orig_fuids', ''),
ZeekIdParentFuid=column_ifexists('parent_fuid', ''),
ZeekIdRespFuids=column_ifexists('resp_fuids', ''),
ZeekIdTunnelParents=column_ifexists('tunnel_parents', ''),
ZeekIdUids=column_ifexists('uids', ''),
ZeekMetaDstIpAddrHostName=column_ifexists('id.resp_h_name.vals', ''),
ZeekMetaDstIpAddrSource=column_ifexists('id.resp_h_name.src', ''),
ZeekMetaSrcIpAddrHostName=column_ifexists('id.orig_h_name.vals', ''),
ZeekMetaSrcIpAddrSource=column_ifexists('id.orig_h_name.src', ''),
ZeekOrigCc=column_ifexists('orig_cc', ''),
ZeekRespCc=column_ifexists('resp_cc', '')
| project
SrcDvcHostname,
EventEndTime,
SrcDvcFile,
Message,
TimeGenerated,
EventType,
EventVendor,
EventProduct,
Action,
Actions,
AgentRemoteId,
Analyzer,
AuthAttempts,
AuthSuccess,
BasicConstraintsCa,
BasicConstraintsPathLen,
Cc,
CertificateCn,
CertificateCurve,
CertificateExponent,
CertificateHashSha1,
CertificateIssuer,
CertificateKeyAlg,
CertificateKeyLength,
CertificateKeyType,
CertificateNotValidAfter,
CertificateNotValidBefore,
CertificateSerial,
CertificateSigAlg,
CertificateSubject,
CertificateVersion,
CipherAlg,
Client,
ClientMessage,
ClientSoftware,
CompileTs,
CompressionAlg,
Cshka,
DataChannelOrigH,
DataChannelPassive,
DataChannelRespH,
DataChannelRespP,
Date,
Depth,
DhcpAssignedIpAddr,
DhcpCircuitId,
DhcpLeaseTime,
DhcpRequestedIpAddr,
DhcpSubscriberId,
Direction,
Dnp3FunctionReply,
Dnp3FunctionRequest,
Dnp3Iin,
DnsAdditionalAuthoritativeName,
DnsAdditionalName,
DnsFlagsAuthoritative,
DnsFlagsRecursionAvailable,
DnsFlagsRecursionDesired,
DnsFlagsTruncated,
DnsFlagsZ,
DnsQueryClass,
DnsQueryClassName,
DnsQueryName,
DnsQueryType,
DnsQueryTypeName,
DnsRejected,
DnsResponseCode,
DnsResponseCodeName,
DnsResponseName,
DnsResponseTtl,
DnsRtt,
DnsTransactionId,
Domainname,
Dropped,
Dst,
DstBytes,
DstCertificateIssuerName,
DstCertificateSha1,
DstCertificateSubjectName,
DstHostName,
DstIpAddr,
DstIpBytes,
DstMac,
DstPackets,
DstPort,
Duration,
EmailBodySections,
EventDuration,
EventUid,
FailureReason,
FileAccessedTime,
FileChangedTime,
FileCreationTime,
FileDesc,
FileDirectory,
FileMimeType,
FileModifiedTime,
FileName,
FilePath,
FilePreviousName,
FileSize,
FileSystemType,
FingerprintNetworkCommunityId,
FirstReceived,
From,
FtpCommandLine,
FtpPassive,
FtpProcessName,
Fuid,
Fuids,
HasCertTable,
HasDebugData,
HasExportTable,
HasImportTable,
HashJa3,
HashJa3s,
HashMd5,
HashSha1,
HashSha256,
Hassh,
Hasshalgorithms,
Hasshserver,
Hasshserveralgorithms,
Hasshversion,
Helo,
Host,
HostKey,
HostKeyAlg,
HostP,
Hostname,
HttpCookieVariables,
HttpInformationalCode,
HttpInformationalMessage,
HttpProxiedHeaders,
HttpReferrerOriginal,
HttpRequestBodyBytes,
HttpRequestHeaderHost,
HttpRequestHeaderNames,
HttpRequestHeaderOrigin,
HttpRequestMethod,
HttpResponseBodyBytes,
HttpResponseBodyOriginal,
HttpResponseHeaderNames,
HttpStatusCode,
HttpStatusMessage,
HttpVersion,
Id,
InReplyTo,
Is64bit,
IsExe,
IsOrig,
IsWebmail,
KexAlg,
LastReply,
LocalOrig,
Logcert,
MacAlg,
Machine,
Mailfrom,
Matched,
MimeType,
Msg,
MsgId,
MsgOrig,
MsgTypes,
N,
Name,
NetworkApplication,
NetworkConnectionHistory,
NetworkConnectionState,
NetworkInnerVlanId,
NetworkMissedBytes,
NetworkOuterVlanId,
NetworkProtocol,
Node,
Note,
Notice,
Os,
OscpValidationStatus,
P,
PacketSegment,
Path,
Peer,
PeerDescr,
Rcptto,
RemoteLocationCity,
RemoteLocationCountryCode,
RemoteLocationLatitude,
RemoteLocationLongitude,
RemoteLocationRegion,
ReplyCode,
ReplyMsg,
ReplyTo,
SanDns,
SanEmail,
SanIp,
SanUri,
SecondReceived,
SectionNames,
SeenIndicator,
SeenIndicatorType,
SeenWhere,
Server,
ServerDnsComputerName,
ServerMessage,
ServerNbComputerName,
ServerSoftware,
ServerTreeName,
Service,
ShareName,
ShareRelativeTargetName,
ShareType,
SmbAction,
SoftwareFlashVersionOriginal,
SoftwareType,
Source,
Sources,
Src,
SrcBytes,
SrcDomain,
SrcFileName,
SrcFilePath,
SrcFqdn,
SrcHostName,
SrcIpAddr,
SrcIpBytes,
SrcMac,
SrcMimeType,
SrcPackets,
SrcPort,
Sub,
Subject,
SubpressFor,
Subsystem,
Success,
Tls,
TlsCertificateValidationStatus,
TlsCipher,
TlsCurve,
TlsEstablished,
TlsLastAlert,
TlsNextProtocol,
TlsNotaryResponse,
TlsResumed,
TlsServerName,
TlsVersion,
TlsVersionNumber,
To,
TransDepth,
TunnelType,
UnparsedVersion,
Url,
UrlOriginal,
UrlQueryValues,
UserAgent,
UserAgentOriginal,
UserName,
UserPassword,
Username,
UsesAslr,
UsesCodeIntegrity,
UsesDep,
UsesSeh,
ValidCtLogs,
ValidCtOperators,
ValidCtOperatorsList,
Version,
VersionAddl,
VersionMajor,
VersionMinor2,
VersionMinor3,
VersionMinor,
X509,
XOriginatingIp,
ZeekConnLocalDst,
ZeekConnLocalSrc,
ZeekFilesAnalyzers,
ZeekFilesEntropy,
ZeekFilesExtracted,
ZeekFilesExtractedCutoff,
ZeekFilesExtractedSize,
ZeekFilesMissingBytes,
ZeekFilesOverflowBytes,
ZeekFilesSeenBytes,
ZeekFilesTimedout,
ZeekHttpOmniture,
ZeekHttpTags,
ZeekHttpTransDepth,
ZeekIdCertChainFuids,
ZeekIdClientCertChainFuids,
ZeekIdConnUids,
ZeekIdFuid,
ZeekIdOrigFuids,
ZeekIdParentFuid,
ZeekIdRespFuids,
ZeekIdTunnelParents,
ZeekIdUids,
ZeekMetaDstIpAddrHostName,
ZeekMetaDstIpAddrSource,
ZeekMetaSrcIpAddrHostName,
ZeekMetaSrcIpAddrSource,
ZeekOrigCc,
ZeekRespCc
};
Corelight_main_view


@ -0,0 +1,99 @@
// Usage Instruction :
// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as ExabeamEvent.
// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. ExabeamEvent | take 10).
// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
Syslog
| where ProcessName contains "Exabeam"
| extend EventVendor = 'Exabeam'
| extend Service = extract(@'service=\"(.*?)\"', 1, SyslogMessage)
| extend Status = extract(@'status=\"(.*?)\"', 1, SyslogMessage)
| extend Id = extract(@'id=\"(.*?)\"', 1, SyslogMessage)
| extend UrlOriginal = extract(@'url=\"(.*?)\"', 1, SyslogMessage)
| extend EntityValue = extract(@'entity_value=\"(.*?)\"', 1, SyslogMessage)
| extend Score = extract(@'score=\"(.*?)\"', 1, SyslogMessage)
| extend SequenceType = extract(@'sequence_type=\"(.*?)\"', 1, SyslogMessage)
| extend EventStartTime = todatetime(extract(@'start_time=\"(.*?)\"', 1, SyslogMessage))
| extend EventEndTime = todatetime(extract(@'end_time=\"(.*?)\"', 1, SyslogMessage))
| extend SrcUserName = extract(@'user=\"(.*?)\"', 1, SyslogMessage)
| extend SrcDvcHostname = extract(@'src_host=\"(.*?)\"', 1, SyslogMessage)
| extend SrcIpAddr = extract(@'src_ip=\"(.*?)\"', 1, SyslogMessage)
| extend Labels = extract(@'labels=\"(.*?)\"', 1, SyslogMessage)
| extend Accounts = extract(@'accounts=\"(.*?)\"', 1, SyslogMessage)
| extend AssetsCount = extract(@'assets_count=\"(.*?)\"', 1, SyslogMessage)
| extend Assets = extract(@'assets=\"(.*?)\"', 1, SyslogMessage)
| extend Zones = extract(@'zones=\"(.*?)\"', 1, SyslogMessage)
| extend TopReasons = extract(@'top_reasons=\"(.*?)\"', 1, SyslogMessage)
| extend ReasonsCount = extract(@'reasons_count=\"(.*?)\"', 1, SyslogMessage)
| extend EventsCount = extract(@'events_count=\"(.*?)\"', 1, SyslogMessage)
| extend AlertsCount = extract(@'alerts_count=\"(.*?)\"', 1, SyslogMessage)
| extend AssetLabels = extract(@'asset_labels=\"(.*?)\"', 1, SyslogMessage)
| extend AssetLocations = extract(@'asset_locations=\"(.*?)\"', 1, SyslogMessage)
| extend TopUsers = extract(@'top_users=\"(.*?)\"', 1, SyslogMessage)
| extend AssetHostname = extract(@'host_name=\"(.*?)\"', 1, SyslogMessage)
| extend AssetIpAddress = extract(@'ip_address=\"(.*?)\"', 1, SyslogMessage)
| extend DstDvcHostname = extract(@'dest_host=\"(.*?)\"', 1, SyslogMessage)
| extend DstIpAddr = extract(@'dest_ip=\"(.*?)\"', 1, SyslogMessage)
| extend EventTime = todatetime(extract(@'event_time=\"(.*?)\"', 1, SyslogMessage))
| extend EventType = extract(@'event_type=\"(.*?)\"', 1, SyslogMessage)
| extend DvcHostname = extract(@'host=\"(.*?)\"', 1, SyslogMessage)
| extend Domain = extract(@'domain=\"(.*?)\"', 1, SyslogMessage)
| extend Raw = extract(@'raw=\"(.*?)\"', 1, SyslogMessage)
| extend RuleId = extract(@'rule_id=\"(.*?)\"', 1, SyslogMessage)
| extend RuleName = extract(@'rule_name=\"(.*?)\"', 1, SyslogMessage)
| extend RuleDescription = extract(@'rule_description=\"(.*?)\"', 1, SyslogMessage)
| extend App = extract(@'app=\"(.*?)\"', 1, SyslogMessage)
| extend EventSubType = extract(@'event_subtype=\"(.*?)\"', 1, SyslogMessage)
| extend Activity = extract(@'activity=\"(.*?)\"', 1, SyslogMessage)
| extend AdditionalInfo = extract(@'additional_info=\"(.*?)\"', 1, SyslogMessage)
| extend JobStatus = extract(@'job_status=\"(.*?)\"', 1, SyslogMessage)
| extend JobDetails = extract(@'job_details=\"(.*?)\"', 1, SyslogMessage)
| extend JobId = extract(@'job_id=\"(.*?)\"', 1, SyslogMessage)
| extend CreatedBy = extract(@'created_by=\"(.*?)\"', 1, SyslogMessage)
| extend Timestamp = todatetime(extract(@'timestamp=\"(.*?)\"', 1, SyslogMessage))
| project TimeGenerated
, EventVendor
, Service
, Status
, Id
, UrlOriginal
, EntityValue
, Score
, SequenceType
, EventStartTime
, EventEndTime
, SrcUserName
, SrcDvcHostname
, SrcIpAddr
, Labels
, Accounts
, AssetsCount
, Assets
, Zones
, TopReasons
, ReasonsCount
, EventsCount
, AlertsCount
, AssetLabels
, AssetLocations
, TopUsers
, AssetHostname
, AssetIpAddress
, DstDvcHostname
, DstIpAddr
, EventTime
, EventType
, DvcHostname
, Domain
, Raw
, RuleId
, RuleName
, RuleDescription
, App
, EventSubType
, Activity
, AdditionalInfo
, JobStatus
, JobDetails
, JobId
, CreatedBy
, Timestamp
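Review bot: The key regexes are unanchored, so on the `Id`, `Status`, `DvcHostname` and `Labels` extractions the pattern `id=\"` also matches the tail of `rule_id=\"` and `job_id=\"`, `status=\"` matches inside `job_status=\"`, `host=\"` matches inside `src_host=\"`/`dest_host=\"`, and `labels=\"` matches inside `asset_labels=\"`; `extract` returns the first hit, so whichever key happens to appear first in SyslogMessage wins and those four columns can silently carry another field's value. Anchoring each key on start-of-string or a separator fixes it, e.g. `| extend DvcHostname = extract(@'(?:^|\s)host=\"(.*?)\"', 1, SyslogMessage)` (use `[\s,]` instead of `\s` if Exabeam separates pairs with commas — worth confirming against a real message). Separately, every capture stops at the first `"`, so a value that itself contains a quote — the `raw=` payload is the obvious candidate, and any attacker-influenced field such as a username or hostname could be too — truncates that column and could let an injected `key=\"...\"` pair be picked up by a later extraction; check how Exabeam escapes embedded quotes and, if it does not, document that limitation in the header comment rather than leaving the parser's trust in the message implicit.
```kusto
// … unchanged: Syslog source, EventVendor and the other extractions …
| extend Status = extract(@'(?:^|\s)status=\"(.*?)\"', 1, SyslogMessage)
| extend Id = extract(@'(?:^|\s)id=\"(.*?)\"', 1, SyslogMessage)
| extend Labels = extract(@'(?:^|\s)labels=\"(.*?)\"', 1, SyslogMessage)
| extend DvcHostname = extract(@'(?:^|\s)host=\"(.*?)\"', 1, SyslogMessage)
// … unchanged: remaining extractions and the project list …
```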


@ -0,0 +1,967 @@
[
{
"message":"{\"ts\":\"2018-08-03T23:37:28.937335Z\",\"uid\":\"CYEduc4AvbZxqylsqk\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":49530,\"id.resp_h\":\"191.234.4.50\",\"id.resp_p\":80,\"proto\":\"tcp\",\"orig_size\":30615,\"resp_size\":107046238,\"mbps\":338.122437,\"age_of_conn\":2.413327}",
"log_file":"/var/log/corelight/conn_burst_20180803_16:37:28-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:42.980914Z\",\"uid\":\"CK3sI01OPsX7RoNlQ2\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":49493,\"id.resp_h\":\"195.12.232.163\",\"id.resp_p\":80,\"proto\":\"tcp\",\"orig_size\":579,\"resp_size\":106980076,\"mbps\":362.046669,\"age_of_conn\":2.253853}",
"log_file":"/var/log/corelight/conn_burst_20180803_16:37:28-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:47.156977Z\",\"uid\":\"CqLHTe4QCc5A0bXrWd\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":49572,\"id.resp_h\":\"64.233.165.109\",\"id.resp_p\":587,\"trans_depth\":1,\"helo\":\"DellDator32\",\"last_reply\":\"220 2.0.0 Ready to start TLS\",\"path\":[\"64.233.165.109\",\"192.168.0.54\"],\"tls\":true,\"fuids\":[],\"is_webmail\":false}",
"log_file":"/var/log/corelight/smtp_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:54.545927Z\",\"uid\":\"C7dt3I3EPGcL9Dfob3\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":2153,\"id.resp_h\":\"81.236.55.3\",\"id.resp_p\":25,\"trans_depth\":1,\"helo\":\"passwordnedxp\",\"mailfrom\":\"ned.pwned.se@gmx.com\",\"rcptto\":[\"homer.pwned.se@gmx.com\"],\"date\":\"Wed, 11 Mar 2015 13:20:11 +0100\",\"from\":\"\\u0022Password Ned\\u0022 <ned.pwned.se@gmx.com>\",\"to\":[\"\\u0022Homer\\u0022 <homer.pwned.se@gmx.com>\"],\"msg_id\":\"<EF168BBF16E344D49311C8F4870E03BF@passwordnedxp>\",\"subject\":\"Re: www.pwned.se now online\",\"last_reply\":\"250 <54EF7C1F0039BECF> Mail accepted\",\"path\":[\"81.236.55.3\",\"192.168.0.53\"],\"user_agent\":\"Microsoft Outlook Express 6.00.2900.5512\",\"tls\":false,\"fuids\":[\"FkYyUX3O20nQIB8Oej\"],\"is_webmail\":false}",
"log_file":"/var/log/corelight/smtp_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:54.728258Z\",\"uid\":\"CKcWml2DANiZ6nt7Xl\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":50642,\"id.resp_h\":\"77.67.22.165\",\"id.resp_p\":21,\"user\":\"anonymous\",\"password\":\"CommonUpdater%40McAfeeB2B.com\",\"command\":\"PASV\",\"reply_code\":227,\"reply_msg\":\"Entering Passive Mode. (77,67,22,165,195,204)\",\"data_channel.passive\":true,\"data_channel.orig_h\":\"192.168.0.54\",\"data_channel.resp_h\":\"77.67.22.165\",\"data_channel.resp_p\":50124}",
"log_file":"/var/log/corelight/ftp_20180803_16:37:54-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:54.728258Z\",\"uid\":\"CKcWml2DANiZ6nt7Xl\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":50642,\"id.resp_h\":\"77.67.22.165\",\"id.resp_p\":21,\"user\":\"anonymous\",\"password\":\"CommonUpdater%40McAfeeB2B.com\",\"command\":\"RETR\",\"arg\":\"ftp://77.67.22.165/CommonUpdater/SiteStat.xml\",\"file_size\":118,\"reply_code\":226,\"reply_msg\":\"Transfer Complete\"}",
"log_file":"/var/log/corelight/ftp_20180803_16:37:54-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:54.728258Z\",\"uid\":\"CnFSLb4aP55YkNP2qc\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":50677,\"id.resp_h\":\"77.67.22.165\",\"id.resp_p\":21,\"user\":\"<unknown>\",\"command\":\"PASV\",\"reply_code\":213,\"reply_msg\":\"1436\",\"data_channel.passive\":true,\"data_channel.orig_h\":\"192.168.0.54\",\"data_channel.resp_h\":\"77.67.22.165\",\"data_channel.resp_p\":55634}",
"log_file":"/var/log/corelight/ftp_20180803_16:37:54-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:54.728258Z\",\"uid\":\"CnFSLb4aP55YkNP2qc\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":50677,\"id.resp_h\":\"77.67.22.165\",\"id.resp_p\":21,\"user\":\"<unknown>\",\"command\":\"RETR\",\"arg\":\"ftp://77.67.22.165/./BOCVSE__1000/BOCVSE__1000/PkgCatalog.z\",\"reply_code\":213,\"reply_msg\":\"1436\"}",
"log_file":"/var/log/corelight/ftp_20180803_16:37:54-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:55.210749Z\",\"fuid\":\"FCFk534jSanLgTUIK9\",\"tx_hosts\":[\"192.168.0.54\"],\"rx_hosts\":[\"192.168.0.1\"],\"conn_uids\":[\"CIhf2A1eM0sO4ZVyEl\"],\"source\":\"HTTP\",\"depth\":0,\"analyzers\":[\"SHA1\",\"SHA256\",\"MD5\"],\"duration\":0.0,\"local_orig\":true,\"is_orig\":true,\"seen_bytes\":0,\"missing_bytes\":1,\"overflow_bytes\":0,\"timedout\":true}",
"log_file":"/var/log/corelight/files_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:55.476893Z\",\"fuid\":\"FJtflHVMljMnwuXQl\",\"tx_hosts\":[\"93.184.220.29\"],\"rx_hosts\":[\"192.168.0.2\"],\"conn_uids\":[\"CArZ6s3o464GaJTg7b\"],\"source\":\"HTTP\",\"depth\":0,\"analyzers\":[\"SHA256\",\"SHA1\",\"MD5\"],\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":0,\"missing_bytes\":788,\"overflow_bytes\":0,\"timedout\":true}",
"log_file":"/var/log/corelight/files_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:55.552833Z\",\"fuid\":\"FWVJ1GDbhVz2aBpmh\",\"tx_hosts\":[\"72.52.91.14\"],\"rx_hosts\":[\"192.168.0.51\"],\"conn_uids\":[\"CdvgcM26CxCaCwmL4b\"],\"source\":\"HTTP\",\"depth\":0,\"analyzers\":[\"SHA256\",\"SHA1\",\"MD5\"],\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":0,\"missing_bytes\":1,\"overflow_bytes\":0,\"timedout\":true}",
"log_file":"/var/log/corelight/files_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:55.553330Z\",\"fuid\":\"FXALax1SNy4ie6rAUh\",\"tx_hosts\":[\"217.195.49.146\"],\"rx_hosts\":[\"192.168.0.2\"],\"conn_uids\":[\"CRdU7myRHW1Lmn5U3\"],\"source\":\"HTTP\",\"depth\":0,\"analyzers\":[\"MD5\",\"SHA256\",\"SHA1\"],\"duration\":0.0,\"local_orig\":false,\"is_orig\":true,\"seen_bytes\":0,\"missing_bytes\":1,\"overflow_bytes\":0,\"timedout\":true}",
"log_file":"/var/log/corelight/files_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:55.553330Z\",\"fuid\":\"FlwmUy2bApwnWGkpYc\",\"tx_hosts\":[\"192.168.0.2\"],\"rx_hosts\":[\"217.195.49.146\"],\"conn_uids\":[\"CRdU7myRHW1Lmn5U3\"],\"source\":\"HTTP\",\"depth\":0,\"analyzers\":[\"MD5\",\"SHA256\",\"SHA1\"],\"duration\":0.0,\"local_orig\":true,\"is_orig\":false,\"seen_bytes\":0,\"missing_bytes\":1,\"overflow_bytes\":0,\"timedout\":true}",
"log_file":"/var/log/corelight/files_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:55.559949Z\",\"fuid\":\"F8lKOuRdzAwivoOYb\",\"tx_hosts\":[\"72.52.91.14\"],\"rx_hosts\":[\"192.168.0.51\"],\"conn_uids\":[\"CiDL9R1tDpuUZ2mU4h\"],\"source\":\"HTTP\",\"depth\":0,\"analyzers\":[\"SHA1\",\"SHA256\",\"MD5\"],\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":0,\"missing_bytes\":16516,\"overflow_bytes\":0,\"timedout\":true}",
"log_file":"/var/log/corelight/files_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:55.563011Z\",\"fuid\":\"FzMvQhlL2FQNwbt3l\",\"tx_hosts\":[\"192.168.0.2\"],\"rx_hosts\":[\"217.195.49.146\"],\"conn_uids\":[\"CMen3q2ZwVS3r1XPrj\"],\"source\":\"HTTP\",\"depth\":0,\"analyzers\":[\"SHA256\",\"SHA1\",\"MD5\"],\"duration\":0.0,\"local_orig\":true,\"is_orig\":false,\"seen_bytes\":0,\"missing_bytes\":11363,\"overflow_bytes\":0,\"timedout\":true}",
"log_file":"/var/log/corelight/files_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:55.563090Z\",\"fuid\":\"FWM9XD1OkYpyYNS7Nh\",\"tx_hosts\":[\"192.168.0.2\"],\"rx_hosts\":[\"217.195.49.146\"],\"conn_uids\":[\"CpbMRO2vFC64HiL9na\"],\"source\":\"HTTP\",\"depth\":0,\"analyzers\":[\"MD5\",\"SHA1\",\"SHA256\"],\"duration\":0.0,\"local_orig\":true,\"is_orig\":false,\"seen_bytes\":0,\"missing_bytes\":71644,\"overflow_bytes\":0,\"timedout\":true}",
"log_file":"/var/log/corelight/files_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:55.573188Z\",\"fuid\":\"FcmNZx1JYgbvul8Sjl\",\"tx_hosts\":[\"192.168.0.2\"],\"rx_hosts\":[\"217.195.49.146\"],\"conn_uids\":[\"C3XKFg33c48ee5EtX5\"],\"source\":\"HTTP\",\"depth\":0,\"analyzers\":[\"MD5\",\"SHA1\",\"SHA256\"],\"duration\":0.0,\"local_orig\":true,\"is_orig\":false,\"seen_bytes\":0,\"missing_bytes\":4643,\"overflow_bytes\":0,\"timedout\":true}",
"log_file":"/var/log/corelight/files_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:56.699118Z\",\"fuid\":\"FkgQNz2dye4VOjihZi\",\"tx_hosts\":[\"192.168.0.2\"],\"rx_hosts\":[\"37.48.81.52\"],\"conn_uids\":[\"CLErWp4pCb5euqBBK7\"],\"source\":\"HTTP\",\"depth\":0,\"analyzers\":[\"MD5\",\"SHA1\",\"SHA256\"],\"duration\":0.0,\"local_orig\":true,\"is_orig\":false,\"seen_bytes\":0,\"missing_bytes\":81740,\"overflow_bytes\":0,\"timedout\":true}",
"log_file":"/var/log/corelight/files_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:01.446597Z\",\"uid\":\"CvTrYj2scU7ZCC5pCe\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":3706,\"id.resp_h\":\"81.236.55.3\",\"id.resp_p\":25,\"trans_depth\":1,\"helo\":\"passwordnedxp\",\"mailfrom\":\"ned.pwned.se@gmx.com\",\"rcptto\":[\"d.knuth@hushmail.com\"],\"date\":\"Fri, 13 Mar 2015 14:01:05 +0100\",\"from\":\"\\u0022Password Ned\\u0022 <ned.pwned.se@gmx.com>\",\"to\":[\"<d.knuth@hushmail.com>\"],\"msg_id\":\"<5782CF072601423EAC2E00492D5218F4@passwordnedxp>\",\"subject\":\"Re: I\\u0027d like to purchase a secure password\",\"last_reply\":\"250 <54E6F8320061B982> Mail accepted\",\"path\":[\"81.236.55.3\",\"192.168.0.53\"],\"user_agent\":\"Microsoft Outlook Express 6.00.2900.5512\",\"tls\":false,\"fuids\":[\"FIsdVz2Dv4ezujWIn4\",\"F0WUmi4UiEdfo1GSu3\"],\"is_webmail\":false}",
"log_file":"/var/log/corelight/smtp_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:01.560483Z\",\"uid\":\"CPT5L914wmfDebfHsb\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":3852,\"id.resp_h\":\"81.236.55.3\",\"id.resp_p\":25,\"trans_depth\":1,\"helo\":\"passwordnedxp\",\"mailfrom\":\"ned.pwned.se@gmx.com\",\"rcptto\":[\"homer.pwned.se@gmx.com\"],\"date\":\"Fri, 13 Mar 2015 16:16:02 +0100\",\"from\":\"\\u0022Password Ned\\u0022 <ned.pwned.se@gmx.com>\",\"to\":[\"\\u0022Homer\\u0022 <homer.pwned.se@gmx.com>\"],\"msg_id\":\"<3DAC7AF9CE584CE293ED592C27084E16@passwordnedxp>\",\"subject\":\"Fw: You\\u0027re running a vulnerable version of SkyBlueCanvas\",\"last_reply\":\"250 <54E6F832006275FE> Mail accepted\",\"path\":[\"81.236.55.3\",\"192.168.0.53\"],\"user_agent\":\"Microsoft Outlook Express 6.00.2900.5512\",\"tls\":false,\"fuids\":[\"FZEZ0W15JFy6T7yl6e\",\"FB5z1b1ruqnFdUigN3\"],\"is_webmail\":false}",
"log_file":"/var/log/corelight/smtp_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:05.518121Z\",\"uid\":\"CG4WBv1YvP5xn6hJP5\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":60362,\"id.resp_h\":\"81.236.55.3\",\"id.resp_p\":25,\"trans_depth\":1,\"helo\":\"[192.168.0.51]\",\"mailfrom\":\"homer.pwned.se@gmx.com\",\"rcptto\":[\"krusty.pwned.se@gmail.com\"],\"date\":\"Tue, 17 Mar 2015 08:17:43 +0100\",\"from\":\"Homer <homer.pwned.se@gmx.com>\",\"to\":[\"Krusty <krusty.pwned.se@gmail.com>\"],\"msg_id\":\"<5507D517.2010809@gmx.com>\",\"in_reply_to\":\"<009501d05d7a$b933aff0$2b9b0fd0$@gmail.com>\",\"subject\":\"Re: I\\u0027ve got 61 problems but my job aint one\",\"last_reply\":\"250 <54E6F832006D9D22> Mail accepted\",\"path\":[\"81.236.55.3\",\"192.168.0.51\"],\"user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0\",\"tls\":false,\"fuids\":[\"F6UDerS2pfvei0KRb\",\"FXrqL92XflpLEXVZ44\",\"FgO5rW3M7VlUyIcCyd\"],\"is_webmail\":false}",
"log_file":"/var/log/corelight/smtp_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:05.534084Z\",\"uid\":\"Cka4Bv1qmbA1RTFF53\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":1289,\"id.resp_h\":\"81.236.55.3\",\"id.resp_p\":25,\"trans_depth\":1,\"helo\":\"passwordnedxp\",\"mailfrom\":\"ned.pwned.se@gmx.com\",\"rcptto\":[\"homer.pwned.se@gmx.com\"],\"date\":\"Tue, 17 Mar 2015 08:30:26 +0100\",\"from\":\"\\u0022Password Ned\\u0022 <ned.pwned.se@gmx.com>\",\"to\":[\"\\u0022Homer\\u0022 <homer.pwned.se@gmx.com>\"],\"msg_id\":\"<3EF8E091DB36430A96BC3A6C31A183F8@passwordnedxp>\",\"subject\":\"Fw: The frog is back!\",\"last_reply\":\"250 <54EF7C1F00507F60> Mail accepted\",\"path\":[\"81.236.55.3\",\"192.168.0.53\"],\"user_agent\":\"Microsoft Outlook Express 6.00.2900.5512\",\"tls\":false,\"fuids\":[\"FfJJQ74pDIlEgQWhGf\",\"FzVjQqYsRcLYhdctg\",\"FqnOzl4JMMdMrbOt72\"],\"is_webmail\":false}",
"log_file":"/var/log/corelight/smtp_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:05.546444Z\",\"uid\":\"CaOpm4JpVQx9WPa7d\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":60390,\"id.resp_h\":\"81.236.55.3\",\"id.resp_p\":25,\"trans_depth\":1,\"helo\":\"[192.168.0.51]\",\"mailfrom\":\"homer.pwned.se@gmx.com\",\"rcptto\":[\"ned.pwned.se@gmx.com\"],\"date\":\"Tue, 17 Mar 2015 08:48:37 +0100\",\"from\":\"Homer <homer.pwned.se@gmx.com>\",\"to\":[\"Password Ned <ned.pwned.se@gmx.com>\"],\"msg_id\":\"<5507DC55.6090005@gmx.com>\",\"in_reply_to\":\"<3EF8E091DB36430A96BC3A6C31A183F8@passwordnedxp>\",\"subject\":\"Re: Fw: The frog is back!\",\"last_reply\":\"250 <54EF7C1F00509EF1> Mail accepted\",\"path\":[\"81.236.55.3\",\"192.168.0.51\"],\"user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0\",\"tls\":false,\"fuids\":[\"FakMHq1PsByTwuXldh\",\"FsjHdk229asuLxBht6\"],\"is_webmail\":false}",
"log_file":"/var/log/corelight/smtp_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:07.145415Z\",\"uid\":\"CZDNzM17Z7IIM6aiCg\",\"id.orig_h\":\"212.71.235.158\",\"id.orig_p\":52998,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":22,\"direction\":\"INBOUND\",\"server\":\"SSH-2.0-OpenSSH_6.4\"}",
"log_file":"/var/log/corelight/ssh_20180803_16:38:12-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:07.634540Z\",\"uid\":\"C6o9LOw6TqD2qMLEc\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":1322,\"id.resp_h\":\"81.236.55.3\",\"id.resp_p\":25,\"trans_depth\":1,\"helo\":\"passwordnedxp\",\"mailfrom\":\"ned.pwned.se@gmx.com\",\"rcptto\":[\"ed.dijkstra@yahoo.com\",\"homer.pwned.se@gmx.com\"],\"date\":\"Tue, 17 Mar 2015 10:15:02 +0100\",\"from\":\"\\u0022Password Ned\\u0022 <ned.pwned.se@gmx.com>\",\"to\":[\"\\u0022Edsger Dijkstra\\u0022 <ed.dijkstra@yahoo.com>\"],\"msg_id\":\"<82576B8A45B540B7BF165BEF67BB02C5@passwordnedxp>\",\"subject\":\"Re: The frog is back!\",\"last_reply\":\"250 <54E6F832006E937A> Mail accepted\",\"path\":[\"81.236.55.3\",\"192.168.0.53\"],\"user_agent\":\"Microsoft Outlook Express 6.00.2900.5512\",\"tls\":false,\"fuids\":[\"FvPQjWWCYLJefchUh\",\"FzpSIF3VtoCmG9x903\"],\"is_webmail\":false}",
"log_file":"/var/log/corelight/smtp_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:12.367493Z\",\"uid\":\"C5yXAv453aG4WkzlBj\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":1283,\"id.resp_h\":\"81.236.55.3\",\"id.resp_p\":25,\"trans_depth\":1,\"helo\":\"passwordnedxp\",\"mailfrom\":\"ned.pwned.se@gmx.com\",\"rcptto\":[\"homer.pwned.se@gmx.com\",\"krusty.pwned.se@gmail.com\"],\"date\":\"Thu, 19 Mar 2015 12:42:06 +0100\",\"from\":\"\\u0022Password Ned\\u0022 <ned.pwned.se@gmx.com>\",\"to\":[\"\\u0022Homer\\u0022 <homer.pwned.se@gmx.com>\"],\"cc\":[\"\\u0022Krusty\\u0022 <krusty.pwned.se@gmail.com>\"],\"msg_id\":\"<A0E1C8DD4D4F4B93A3F65533283A85BA@passwordnedxp>\",\"subject\":\"Fw: My password has leaked online\",\"last_reply\":\"250 <54EF7C1F005E0201> Mail accepted\",\"path\":[\"81.236.55.3\",\"192.168.0.53\"],\"user_agent\":\"Microsoft Outlook Express 6.00.2900.5512\",\"tls\":false,\"fuids\":[\"FaliahTGJHuhFeWt2\",\"FcR4TLdk7gJDb6h9k\"],\"is_webmail\":false}",
"log_file":"/var/log/corelight/smtp_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:14.341408Z\",\"uid\":\"Cd2Bw41Y3L43thVVtd\",\"id.orig_h\":\"85.25.43.94\",\"id.orig_p\":40522,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":22,\"version\":2,\"direction\":\"INBOUND\",\"client\":\"SSH-2.0-paramiko_1.15.1\",\"server\":\"SSH-2.0-OpenSSH_6.4\",\"cipher_alg\":\"aes128-ctr\",\"mac_alg\":\"hmac-md5\",\"compression_alg\":\"none\",\"kex_alg\":\"diffie-hellman-group-exchange-sha1\",\"host_key_alg\":\"ssh-rsa\",\"host_key\":\"24:ca:ee:e1:84:b3:0f:1a:17:86:c0:72:0a:8c:61:f6\"}",
"log_file":"/var/log/corelight/ssh_20180803_16:38:12-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:15.393648Z\",\"uid\":\"CcuRx42gzHsf8IyWFa\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":55269,\"id.resp_h\":\"111.221.77.146\",\"id.resp_p\":443,\"proto\":\"udp\",\"duration\":43.571823,\"orig_bytes\":18,\"resp_bytes\":52,\"conn_state\":\"SF\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Dd\",\"orig_pkts\":1,\"orig_ip_bytes\":46,\"resp_pkts\":2,\"resp_ip_bytes\":108,\"tunnel_parents\":[],\"resp_cc\":\"HK\"}",
"log_file":"/var/log/corelight/conn_20180803_16:37:13-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:16.038750Z\",\"uid\":\"ChlhLC372Wy90aCsie\",\"id.orig_h\":\"222.186.56.46\",\"id.orig_p\":4458,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":22,\"version\":2,\"direction\":\"INBOUND\",\"client\":\"SSH-2.0-libssh2_1.4.3\",\"server\":\"SSH-2.0-OpenSSH_6.4\"}",
"log_file":"/var/log/corelight/ssh_20180803_16:38:12-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:21.488530Z\",\"uid\":\"CwBz7k283qnrY1G3C\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":55269,\"id.resp_h\":\"157.56.52.24\",\"id.resp_p\":443,\"proto\":\"udp\",\"duration\":37.534503,\"orig_bytes\":54,\"resp_bytes\":104,\"conn_state\":\"SF\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Dd\",\"orig_pkts\":3,\"orig_ip_bytes\":138,\"resp_pkts\":4,\"resp_ip_bytes\":216,\"tunnel_parents\":[],\"resp_cc\":\"US\"}",
"log_file":"/var/log/corelight/conn_20180803_16:37:13-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:21.709801Z\",\"uid\":\"CuKJtW3Y0V28ohg7il\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":3504,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":8080,\"trans_depth\":1,\"method\":\"SUBSCRIBE\",\"host\":\"192.168.0.1\",\"uri\":\"/WANIPConnection\",\"user_agent\":\"Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)\",\"request_body_len\":0,\"response_body_len\":0,\"tags\":[]}",
"log_file":"/var/log/corelight/http_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:44.981697Z\",\"uid\":\"C80aN92il06fzkTt5c\",\"id.orig_h\":\"61.160.247.150\",\"id.orig_p\":3029,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":22,\"version\":2,\"direction\":\"INBOUND\",\"client\":\"SSH-2.0-libssh2_1.4.3\"}",
"log_file":"/var/log/corelight/ssh_20180803_16:38:12-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:45.138677Z\",\"host\":\"192.168.0.53\",\"host_p\":2869,\"software_type\":\"HTTP::SERVER\",\"name\":\"Microsoft-HTTPAPI\",\"version.major\":1,\"version.minor\":0,\"unparsed_version\":\"Microsoft-HTTPAPI/1.0\"}",
"log_file":"/var/log/corelight/software_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.907917Z\",\"host\":\"192.168.0.54\",\"software_type\":\"HTTP::BROWSER\",\"name\":\"Office Source Engine\",\"unparsed_version\":\"Office Source Engine\"}",
"log_file":"/var/log/corelight/software_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.910415Z\",\"host\":\"192.168.0.54\",\"software_type\":\"HTTP::BROWSER\",\"name\":\"Office Source Engine\",\"unparsed_version\":\"Office Source Engine\"}",
"log_file":"/var/log/corelight/software_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.910415Z\",\"id\":\"FE3J0j3TsIQKs4zA2c\",\"machine\":\"I386\",\"compile_ts\":\"2014-03-20T14:31:56.000000Z\",\"os\":\"Windows XP\",\"subsystem\":\"WINDOWS_GUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":true,\"uses_dep\":true,\"uses_code_integrity\":false,\"uses_seh\":false,\"has_import_table\":false,\"has_export_table\":false,\"has_cert_table\":true,\"has_debug_data\":false,\"section_names\":[\".rsrc\"]}",
"log_file":"/var/log/corelight/pe_20180803_16:37:18-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.925701Z\",\"uid\":\"CEH0pi3rUh8dJO0Agj\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":2370,\"id.resp_h\":\"81.236.55.3\",\"id.resp_p\":25,\"seen.indicator\":\"homer.pwned.se@gmx.com\",\"seen.indicator_type\":\"Intel::EMAIL\",\"seen.where\":\"SMTP::IN_RCPT_TO\",\"matched\":[\"Intel::EMAIL\"],\"sources\":[\"Corelight MISP (5b1f252a-8d38-4a6e-8bcb-06a10a0ac7c9) - Corelight\"]}",
"log_file":"/var/log/corelight/intel_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.925701Z\",\"uid\":\"CEH0pi3rUh8dJO0Agj\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":2370,\"id.resp_h\":\"81.236.55.3\",\"id.resp_p\":25,\"seen.indicator\":\"homer.pwned.se@gmx.com\",\"seen.indicator_type\":\"Intel::EMAIL\",\"seen.where\":\"SMTP::IN_TO\",\"matched\":[\"Intel::EMAIL\"],\"sources\":[\"Corelight MISP (5b1f252a-8d38-4a6e-8bcb-06a10a0ac7c9) - Corelight\"]}",
"log_file":"/var/log/corelight/intel_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.925701Z\",\"uid\":\"CIqv2yvdg50rJT9Mk\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":2210,\"id.resp_h\":\"5.254.127.11\",\"id.resp_p\":80,\"proto\":\"tcp\",\"note\":\"Intel::Notice\",\"msg\":\"Intel hit on www.mybusinessdoc.com at HTTP::IN_HOST_HEADER\",\"sub\":\"www.mybusinessdoc.com\",\"src\":\"192.168.0.53\",\"dst\":\"5.254.127.11\",\"p\":80,\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}",
"log_file":"/var/log/corelight/notice_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.925701Z\",\"uid\":\"CIqv2yvdg50rJT9Mk\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":2210,\"id.resp_h\":\"5.254.127.11\",\"id.resp_p\":80,\"seen.indicator\":\"www.mybusinessdoc.com\",\"seen.indicator_type\":\"Intel::DOMAIN\",\"seen.where\":\"HTTP::IN_HOST_HEADER\",\"matched\":[\"Intel::DOMAIN\"],\"sources\":[\"Corelight MISP (5b1f252a-8d38-4a6e-8bcb-06a10a0ac7c9) - Corelight\"]}",
"log_file":"/var/log/corelight/intel_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.925701Z\",\"uid\":\"CTdvGJ2M1oDwIJ9nKc\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":1244,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"note\":\"Intel::Notice\",\"msg\":\"Intel hit on carina-paris-hotel.com at DNS::IN_REQUEST\",\"sub\":\"carina-paris-hotel.com\",\"src\":\"192.168.0.53\",\"dst\":\"192.168.0.1\",\"p\":53,\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}",
"log_file":"/var/log/corelight/notice_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.925701Z\",\"uid\":\"CTdvGJ2M1oDwIJ9nKc\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":1244,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"note\":\"Intel::Notice\",\"msg\":\"Intel hit on www.mybusinessdoc.com at DNS::IN_REQUEST\",\"sub\":\"www.mybusinessdoc.com\",\"src\":\"192.168.0.53\",\"dst\":\"192.168.0.1\",\"p\":53,\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}",
"log_file":"/var/log/corelight/notice_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.925701Z\",\"uid\":\"CTdvGJ2M1oDwIJ9nKc\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":1244,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"seen.indicator\":\"carina-paris-hotel.com\",\"seen.indicator_type\":\"Intel::DOMAIN\",\"seen.where\":\"DNS::IN_REQUEST\",\"matched\":[\"Intel::DOMAIN\"],\"sources\":[\"Corelight MISP (5b1f252a-8d38-4a6e-8bcb-06a10a0ac7c9) - Corelight\"]}",
"log_file":"/var/log/corelight/intel_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.925701Z\",\"uid\":\"CeEwr7suNmvvJmp14\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":2211,\"id.resp_h\":\"216.47.227.188\",\"id.resp_p\":80,\"proto\":\"tcp\",\"note\":\"Intel::Notice\",\"msg\":\"Intel hit on 216.47.227.188 at Conn::IN_RESP\",\"sub\":\"216.47.227.188\",\"src\":\"192.168.0.53\",\"dst\":\"216.47.227.188\",\"p\":80,\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}",
"log_file":"/var/log/corelight/notice_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.925701Z\",\"uid\":\"CpvOV23eT05qD73gl4\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":2212,\"id.resp_h\":\"209.59.156.160\",\"id.resp_p\":80,\"proto\":\"tcp\",\"note\":\"Intel::Notice\",\"msg\":\"Intel hit on carina-paris-hotel.com at HTTP::IN_HOST_HEADER\",\"sub\":\"carina-paris-hotel.com\",\"src\":\"192.168.0.53\",\"dst\":\"209.59.156.160\",\"p\":80,\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}",
"log_file":"/var/log/corelight/notice_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.925701Z\",\"uid\":\"CpvOV23eT05qD73gl4\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":2212,\"id.resp_h\":\"209.59.156.160\",\"id.resp_p\":80,\"seen.indicator\":\"carina-paris-hotel.com\",\"seen.indicator_type\":\"Intel::DOMAIN\",\"seen.where\":\"HTTP::IN_HOST_HEADER\",\"matched\":[\"Intel::DOMAIN\"],\"sources\":[\"Corelight MISP (5b1f252a-8d38-4a6e-8bcb-06a10a0ac7c9) - Corelight\"]}",
"log_file":"/var/log/corelight/intel_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.927301Z\",\"id\":\"FHbgSb1YVdbVLUVtqa\",\"machine\":\"I386\",\"compile_ts\":\"2015-04-07T06:24:04.000000Z\",\"os\":\"Windows 95 or NT 4.0\",\"subsystem\":\"WINDOWS_CUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":false,\"uses_dep\":false,\"uses_code_integrity\":false,\"uses_seh\":true,\"has_import_table\":true,\"has_export_table\":false,\"has_cert_table\":false,\"has_debug_data\":false,\"section_names\":[\".text\",\".rdata\",\".data\",\".seg17\"]}",
"log_file":"/var/log/corelight/pe_20180803_16:37:18-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.927301Z\",\"id\":\"FOj8Wh4jnTs2JXfDfa\",\"machine\":\"I386\",\"compile_ts\":\"2015-09-19T15:48:53.000000Z\",\"os\":\"Windows 95 or NT 4.0\",\"subsystem\":\"WINDOWS_GUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":false,\"uses_dep\":false,\"uses_code_integrity\":false,\"uses_seh\":true,\"has_import_table\":true,\"has_export_table\":false,\"has_cert_table\":false,\"has_debug_data\":false,\"section_names\":[\".text\",\".data\",\".rsrc\"]}",
"log_file":"/var/log/corelight/pe_20180803_16:37:18-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.927301Z\",\"id\":\"Fawiz94DjZdmOoK2dj\",\"machine\":\"I386\",\"compile_ts\":\"2011-12-04T21:44:10.000000Z\",\"os\":\"Windows 1.0\",\"subsystem\":\"WINDOWS_GUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":false,\"uses_dep\":true,\"uses_code_integrity\":false,\"uses_seh\":true,\"has_import_table\":true,\"has_export_table\":false,\"has_cert_table\":false,\"has_debug_data\":false,\"section_names\":[\".code\",\".idata\"]}",
"log_file":"/var/log/corelight/pe_20180803_16:37:18-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.936416Z\",\"id\":\"FoIhp237WDbNURatZc\",\"machine\":\"I386\",\"compile_ts\":\"2011-12-04T21:44:10.000000Z\",\"os\":\"Windows 1.0\",\"subsystem\":\"WINDOWS_GUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":false,\"uses_dep\":true,\"uses_code_integrity\":false,\"uses_seh\":true,\"has_import_table\":true,\"has_export_table\":false,\"has_cert_table\":false,\"has_debug_data\":false,\"section_names\":[\".code\",\".idata\"]}",
"log_file":"/var/log/corelight/pe_20180803_16:37:18-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.973457Z\",\"host\":\"192.168.0.53\",\"software_type\":\"SMTP::MAIL_CLIENT\",\"name\":\"Microsoft Outlook Express\",\"version.major\":6,\"version.minor\":0,\"version.minor2\":2900,\"version.minor3\":5512,\"unparsed_version\":\"Microsoft Outlook Express 6.00.2900.5512\"}",
"log_file":"/var/log/corelight/software_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.973457Z\",\"uid\":\"CEH0pi3rUh8dJO0Agj\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":2370,\"id.resp_h\":\"81.236.55.3\",\"id.resp_p\":25,\"trans_depth\":1,\"helo\":\"passwordnedxp\",\"mailfrom\":\"ned.pwned.se@gmx.com\",\"rcptto\":[\"homer.pwned.se@gmx.com\",\"krusty.pwned.se@gmail.com\"],\"date\":\"Tue, 7 Apr 2015 15:36:29 +0200\",\"from\":\"\\u0022Password Ned\\u0022 <ned.pwned.se@gmx.com>\",\"to\":[\"\\u0022Krusty\\u0022 <krusty.pwned.se@gmail.com>\",\"<homer.pwned.se@gmx.com>\"],\"msg_id\":\"<5E99EDAF8CAE4C34862FF55486CB99C5@passwordnedxp>\",\"subject\":\"Re: Krusty, unable to deliver your item, #00000529832\",\"last_reply\":\"250 <54EF7C1F00AD3590> Mail accepted\",\"path\":[\"81.236.55.3\",\"192.168.0.53\"],\"user_agent\":\"Microsoft Outlook Express 6.00.2900.5512\",\"tls\":false,\"fuids\":[\"FS5nuj3XkXvMebrmdb\",\"FPxQhPcrO0yOQFbh9\"],\"is_webmail\":false}",
"log_file":"/var/log/corelight/smtp_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:49.630817Z\",\"id\":\"F54Kv41wqmJYmluTNj\",\"machine\":\"I386\",\"compile_ts\":\"2015-04-07T14:43:55.000000Z\",\"os\":\"Windows XP\",\"subsystem\":\"WINDOWS_GUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":false,\"uses_dep\":true,\"uses_code_integrity\":false,\"uses_seh\":true,\"has_import_table\":true,\"has_export_table\":true,\"has_cert_table\":false,\"has_debug_data\":false,\"section_names\":[\".text\",\".rdata\",\".data\",\".rsrc\",\".reloc\"]}",
"log_file":"/var/log/corelight/pe_20180803_16:37:18-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:51.556709Z\",\"id\":\"FXk0GZ31k7RZFFEq8c\",\"machine\":\"I386\",\"compile_ts\":\"2015-04-08T00:49:30.000000Z\",\"os\":\"Windows XP\",\"subsystem\":\"WINDOWS_GUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":false,\"uses_dep\":false,\"uses_code_integrity\":false,\"uses_seh\":false,\"has_import_table\":true,\"has_export_table\":true,\"has_cert_table\":false,\"has_debug_data\":true,\"section_names\":[\".text\",\".rdata\",\".data\",\".zdata\",\".rsrc\",\".reloc\"]}",
"log_file":"/var/log/corelight/pe_20180803_16:37:18-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:51.586164Z\",\"host\":\"192.168.0.53\",\"software_type\":\"HTTP::BROWSER\",\"name\":\"Client\",\"unparsed_version\":\"Client\"}",
"log_file":"/var/log/corelight/software_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:56.090902Z\",\"host\":\"192.168.0.51\",\"software_type\":\"HTTP::BROWSER\",\"name\":\"Python-urllib\",\"version.major\":3,\"version.minor\":4,\"unparsed_version\":\"Python-urllib/3.4\"}",
"log_file":"/var/log/corelight/software_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:56.203241Z\",\"uid\":\"CzQqWP3aJDe8zy8TBe\",\"id.orig_h\":\"146.52.78.242\",\"id.orig_p\":4871,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"proto\":\"tcp\",\"analyzer\":\"HTTP\",\"failure_reason\":\"not a http reply line\"}",
"log_file":"/var/log/corelight/dpd_20180803_16:36:45-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:56.206022Z\",\"uid\":\"CunqCs2VofincaO988\",\"id.orig_h\":\"146.52.78.242\",\"id.orig_p\":3574,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"proto\":\"tcp\",\"analyzer\":\"HTTP\",\"failure_reason\":\"not a http reply line\"}",
"log_file":"/var/log/corelight/dpd_20180803_16:36:45-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:56.210211Z\",\"uid\":\"Cpn0xm3AxnlqYiMuRh\",\"id.orig_h\":\"146.52.78.242\",\"id.orig_p\":1550,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"proto\":\"tcp\",\"analyzer\":\"HTTP\",\"failure_reason\":\"not a http reply line\"}",
"log_file":"/var/log/corelight/dpd_20180803_16:36:45-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:56.210211Z\",\"uid\":\"Cw2HA3QMlupOayfhe\",\"id.orig_h\":\"146.52.78.242\",\"id.orig_p\":3416,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"proto\":\"tcp\",\"analyzer\":\"HTTP\",\"failure_reason\":\"not a http reply line\"}",
"log_file":"/var/log/corelight/dpd_20180803_16:36:45-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:56.211410Z\",\"uid\":\"CuzwQD115sos6GKflc\",\"id.orig_h\":\"146.52.78.242\",\"id.orig_p\":2444,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"proto\":\"tcp\",\"analyzer\":\"HTTP\",\"failure_reason\":\"not a http reply line\"}",
"log_file":"/var/log/corelight/dpd_20180803_16:36:45-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:56.216550Z\",\"uid\":\"CwDrWLqZ4CoapKe15\",\"id.orig_h\":\"146.52.78.242\",\"id.orig_p\":2482,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"proto\":\"tcp\",\"analyzer\":\"HTTP\",\"failure_reason\":\"not a http reply line\"}",
"log_file":"/var/log/corelight/dpd_20180803_16:36:45-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:56.223140Z\",\"uid\":\"Cdc4dG2bCkm6fpXxNf\",\"id.orig_h\":\"146.52.78.242\",\"id.orig_p\":3935,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"proto\":\"tcp\",\"analyzer\":\"HTTP\",\"failure_reason\":\"not a http reply line\"}",
"log_file":"/var/log/corelight/dpd_20180803_16:36:45-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:56.226589Z\",\"uid\":\"CgYzka2SoJ8Zl9axf4\",\"id.orig_h\":\"146.52.78.242\",\"id.orig_p\":2334,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"proto\":\"tcp\",\"analyzer\":\"HTTP\",\"failure_reason\":\"not a http reply line\"}",
"log_file":"/var/log/corelight/dpd_20180803_16:36:45-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:56.227677Z\",\"uid\":\"CKiZuk1Axq1tUnk5B3\",\"id.orig_h\":\"146.52.78.242\",\"id.orig_p\":4653,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"proto\":\"tcp\",\"analyzer\":\"HTTP\",\"failure_reason\":\"not a http reply line\"}",
"log_file":"/var/log/corelight/dpd_20180803_16:36:45-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:56.229456Z\",\"uid\":\"Csa0Z73EXyT0QU7kuh\",\"id.orig_h\":\"146.52.78.242\",\"id.orig_p\":3802,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"proto\":\"tcp\",\"analyzer\":\"HTTP\",\"failure_reason\":\"not a http reply line\"}",
"log_file":"/var/log/corelight/dpd_20180803_16:36:45-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:56.292434Z\",\"host\":\"192.168.0.54\",\"software_type\":\"HTTP::BROWSER\",\"name\":\"NVIDIA Notifius\",\"version.major\":1,\"version.minor\":14,\"version.minor2\":17,\"unparsed_version\":\"NVIDIA Notifius v1.14.17\"}",
"log_file":"/var/log/corelight/software_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:56.292434Z\",\"id\":\"FU7lf04eX89UTxvc2c\",\"machine\":\"I386\",\"compile_ts\":\"2012-02-24T19:20:04.000000Z\",\"os\":\"Windows 2000\",\"subsystem\":\"WINDOWS_GUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":true,\"uses_dep\":true,\"uses_code_integrity\":false,\"uses_seh\":false,\"has_import_table\":true,\"has_export_table\":false,\"has_cert_table\":true,\"has_debug_data\":false,\"section_names\":[\".text\",\".rdata\",\".data\",\".ndata\",\".rsrc\",\".reloc\"]}",
"log_file":"/var/log/corelight/pe_20180803_16:37:18-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:56.437867Z\",\"uid\":\"CzzfiW35EGQRLBFouk\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":62801,\"id.resp_h\":\"108.160.166.138\",\"id.resp_p\":443,\"version\":\"TLSv10\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\",\"curve\":\"secp256r1\",\"resumed\":false,\"established\":false,\"cert_chain_fuids\":[\"F5b5EIBsnFV30Bt5h\",\"F2jv9r2b5CjPqT1eog\",\"Fksb6730CMJUNZehec\"],\"client_cert_chain_fuids\":[],\"ja3\":\"8d0230b6ce881f161d1875364f4a156b\"}",
"log_file":"/var/log/corelight/ssl_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:58.894631Z\",\"host\":\"192.168.0.54\",\"software_type\":\"HTTP::BROWSER\",\"name\":\"NVIDIA Notifius\",\"version.major\":1,\"version.minor\":14,\"version.minor2\":17,\"unparsed_version\":\"NVIDIA Notifius v1.14.17\"}",
"log_file":"/var/log/corelight/software_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:58.894631Z\",\"id\":\"FqeCdEdtohZbSZPW2\",\"machine\":\"I386\",\"compile_ts\":\"2012-02-24T19:20:04.000000Z\",\"os\":\"Windows 2000\",\"subsystem\":\"WINDOWS_GUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":true,\"uses_dep\":true,\"uses_code_integrity\":false,\"uses_seh\":false,\"has_import_table\":true,\"has_export_table\":false,\"has_cert_table\":true,\"has_debug_data\":false,\"section_names\":[\".text\",\".rdata\",\".data\",\".ndata\",\".rsrc\",\".reloc\"]}",
"log_file":"/var/log/corelight/pe_20180803_16:37:18-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:58.900979Z\",\"uid\":\"C7j0kK3LbsiwywnHR1\",\"id.orig_h\":\"37.113.135.20\",\"id.orig_p\":23221,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"proto\":\"udp\",\"conn_state\":\"S0\",\"local_orig\":false,\"local_resp\":true,\"missed_bytes\":0,\"history\":\"D\",\"orig_pkts\":1,\"orig_ip_bytes\":47,\"resp_pkts\":0,\"resp_ip_bytes\":0,\"tunnel_parents\":[],\"orig_cc\":\"RU\"}",
"log_file":"/var/log/corelight/conn_20180803_16:37:13-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:59.144930Z\",\"host\":\"192.168.0.2\",\"host_p\":22,\"software_type\":\"SSH::SERVER\",\"name\":\"OpenSSH\",\"version.major\":6,\"version.minor\":4,\"unparsed_version\":\"OpenSSH_6.4\"}",
"log_file":"/var/log/corelight/software_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:59.148362Z\",\"host\":\"192.168.0.2\",\"host_p\":22,\"software_type\":\"SSH::SERVER\",\"name\":\"OpenSSH\",\"version.major\":6,\"version.minor\":4,\"unparsed_version\":\"OpenSSH_6.4\"}",
"log_file":"/var/log/corelight/software_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:59.148362Z\",\"uid\":\"C0HyjnU8giZuxqPC9\",\"id.orig_h\":\"61.160.247.104\",\"id.orig_p\":3929,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":22,\"direction\":\"INBOUND\",\"client\":\"\\u0000\\u0000\\u0003$\\u00a7\\u0014\\u00ae\\u000f\\u00a3\\u0001\\u00db;SD\\u001fe\\u009b\\u00e3Th\\u0002e\\u0000\\u0000\\u0000Ydiffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1\\u0000\\u0000\\u0000\\u000fssh-rsa,ssh-dss\\u0000\\u0000\\u0000\\u0092aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,aes128-cbc,blowfish-cbc,arcfour128,arcfour,cast128-cbc,3des-cbc\\u0000\\u0000\\u0000\\u0092aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,aes128-cbc,blowfish-cbc,arcfour128,arcfour,cast128-cbc,3des-cbc\\u0000\\u0000\\u0000Uhmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com\\u0000\\u0000\\u0000Uhmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com\\u0000\\u0000\\u0000\\u0004none\\u0000\\u0000\\u0000\\u0004none\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000o\\u00bd\\u00edt+\\u00f2\\u0091\\u0008\\u00dc\\u00cc\\u00c8\\u00bdqA0\\u00c4\\u0098\\u0017\\u00c5\\u00fa\\u00ea\\u00f3\\u008c\\u00e7\\u00bc\",\"server\":\"SSH-2.0-OpenSSH_6.4\"}",
"log_file":"/var/log/corelight/ssh_20180803_16:38:12-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:59.149811Z\",\"uid\":\"CKjFMW2DiNiXKkipk5\",\"id.orig_h\":\"61.160.247.104\",\"id.orig_p\":1048,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":22,\"version\":2,\"direction\":\"INBOUND\",\"client\":\"SSH-2.0-libssh2_1.4.3\"}",
"log_file":"/var/log/corelight/ssh_20180803_16:38:12-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:59.160619Z\",\"uid\":\"CwQw6D3ll7W8PSB5z6\",\"id.orig_h\":\"61.160.247.104\",\"id.orig_p\":4680,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":22,\"version\":2,\"direction\":\"INBOUND\",\"client\":\"SSH-2.0-libssh2_1.4.3\",\"server\":\"SSH-2.0-OpenSSH_6.4\"}",
"log_file":"/var/log/corelight/ssh_20180803_16:38:12-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:59.280678Z\",\"uid\":\"CsaSLq4ag8XtiYxvt4\",\"id.orig_h\":\"162.253.130.90\",\"id.orig_p\":3,\"id.resp_h\":\"192.168.0.54\",\"id.resp_p\":3,\"proto\":\"icmp\",\"duration\":0.02791,\"orig_bytes\":4144,\"resp_bytes\":0,\"conn_state\":\"OTH\",\"local_orig\":false,\"local_resp\":true,\"missed_bytes\":0,\"orig_pkts\":74,\"orig_ip_bytes\":6216,\"resp_pkts\":0,\"resp_ip_bytes\":0,\"tunnel_parents\":[],\"orig_cc\":\"CA\"}",
"log_file":"/var/log/corelight/conn_20180803_16:37:13-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:59.288730Z\",\"uid\":\"CgV4Rq4mULfGfcCwmd\",\"id.orig_h\":\"70.48.138.88\",\"id.orig_p\":3,\"id.resp_h\":\"192.168.0.54\",\"id.resp_p\":1,\"proto\":\"icmp\",\"conn_state\":\"OTH\",\"local_orig\":false,\"local_resp\":true,\"missed_bytes\":0,\"orig_pkts\":1,\"orig_ip_bytes\":80,\"resp_pkts\":0,\"resp_ip_bytes\":0,\"tunnel_parents\":[],\"orig_cc\":\"CA\"}",
"log_file":"/var/log/corelight/conn_20180803_16:37:13-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:59.289238Z\",\"uid\":\"CkhnAP1pPhPNjvI3Ng\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":55269,\"id.resp_h\":\"190.88.150.6\",\"id.resp_p\":42285,\"proto\":\"udp\",\"duration\":0.000006,\"orig_bytes\":18,\"resp_bytes\":26,\"conn_state\":\"SF\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Dd\",\"orig_pkts\":1,\"orig_ip_bytes\":46,\"resp_pkts\":1,\"resp_ip_bytes\":54,\"tunnel_parents\":[],\"resp_cc\":\"CW\"}",
"log_file":"/var/log/corelight/conn_20180803_16:37:13-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:59.304832Z\",\"uid\":\"CvVYcx3vExjfwILFQg\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":55269,\"id.resp_h\":\"64.4.23.140\",\"id.resp_p\":443,\"proto\":\"udp\",\"conn_state\":\"SHR\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"^d\",\"orig_pkts\":0,\"orig_ip_bytes\":0,\"resp_pkts\":1,\"resp_ip_bytes\":54,\"tunnel_parents\":[],\"resp_cc\":\"US\"}",
"log_file":"/var/log/corelight/conn_20180803_16:37:13-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:59.307168Z\",\"uid\":\"C99Xsy1SZ94ZVIdXd1\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":55269,\"id.resp_h\":\"157.55.235.147\",\"id.resp_p\":443,\"proto\":\"udp\",\"conn_state\":\"S0\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"D\",\"orig_pkts\":1,\"orig_ip_bytes\":46,\"resp_pkts\":0,\"resp_ip_bytes\":0,\"tunnel_parents\":[],\"resp_cc\":\"IE\"}",
"log_file":"/var/log/corelight/conn_20180803_16:37:13-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:59.334229Z\",\"uid\":\"CuKeDJ3zaOcws1t8wi\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":50392,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":31828,\"query\":\"play.google.com\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":true,\"Z\":0,\"answers\":[\"play.l.google.com\",\"216.58.209.142\"],\"TTLs\":[168.0,168.0],\"rejected\":false}",
"log_file":"/var/log/corelight/dns_20180803_16:36:44-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:59.824656Z\",\"uid\":\"CZxXNh2PrduLyJMZa7\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":55269,\"id.resp_h\":\"177.3.93.142\",\"id.resp_p\":3892,\"proto\":\"udp\",\"duration\":0.000084,\"orig_bytes\":54,\"resp_bytes\":104,\"conn_state\":\"SF\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Dd\",\"orig_pkts\":3,\"orig_ip_bytes\":138,\"resp_pkts\":4,\"resp_ip_bytes\":216,\"tunnel_parents\":[],\"resp_cc\":\"BR\"}",
"log_file":"/var/log/corelight/conn_20180803_16:37:13-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:59.838807Z\",\"uid\":\"C5KYsNWDVWC2agMPj\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":64649,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":2277,\"rcode\":3,\"rcode_name\":\"NXDOMAIN\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":false,\"Z\":0,\"rejected\":false}",
"log_file":"/var/log/corelight/dns_20180803_16:36:44-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:59.848581Z\",\"uid\":\"CHJWCW3g7DUgXOExQg\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":62969,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":8856,\"query\":\"wpad.pwned.se\",\"qclass\":1,\"qclass_name\":\"C_INTERNET\",\"qtype\":1,\"qtype_name\":\"A\",\"AA\":false,\"TC\":false,\"RD\":true,\"RA\":false,\"Z\":0,\"rejected\":false}",
"log_file":"/var/log/corelight/dns_20180803_16:36:44-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:59.852988Z\",\"uid\":\"CXTkCuSnwOyoMNQJa\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":56934,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":45275,\"query\":\"talkgadget.google.com\",\"qclass\":1,\"qclass_name\":\"C_INTERNET\",\"qtype\":1,\"qtype_name\":\"A\",\"AA\":false,\"TC\":false,\"RD\":true,\"RA\":false,\"Z\":0,\"rejected\":false}",
"log_file":"/var/log/corelight/dns_20180803_16:36:44-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:59.883311Z\",\"uid\":\"CWJBPaI9e0QuH1mTl\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":55269,\"id.resp_h\":\"111.221.77.174\",\"id.resp_p\":40021,\"proto\":\"udp\",\"duration\":0.002513,\"orig_bytes\":304,\"resp_bytes\":108,\"conn_state\":\"SF\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Dd\",\"orig_pkts\":2,\"orig_ip_bytes\":360,\"resp_pkts\":2,\"resp_ip_bytes\":164,\"tunnel_parents\":[],\"resp_cc\":\"HK\"}",
"log_file":"/var/log/corelight/conn_20180803_16:37:13-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:00.263340Z\",\"uid\":\"CstFQx4BI1fg8CWVI1\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":51785,\"id.resp_h\":\"193.149.88.183\",\"id.resp_p\":443,\"version\":\"TLSv10\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\",\"curve\":\"secp384r1\",\"resumed\":false,\"established\":false,\"cert_chain_fuids\":[\"FOjrklZl04wHbhdUd\",\"FwoJPw4TdhPBlnv6Ea\"],\"client_cert_chain_fuids\":[],\"ja3\":\"06207a1730b5deeb207b0556e102ded2\"}",
"log_file":"/var/log/corelight/ssl_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:00.925904Z\",\"uid\":\"CXTkCuSnwOyoMNQJa\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":56934,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":2244,\"query\":\"mail.google.com\",\"qclass\":1,\"qclass_name\":\"C_INTERNET\",\"qtype\":1,\"qtype_name\":\"A\",\"AA\":false,\"TC\":false,\"RD\":true,\"RA\":false,\"Z\":0,\"rejected\":false}",
"log_file":"/var/log/corelight/dns_20180803_16:36:44-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:00.938600Z\",\"uid\":\"COrePssLENSOflB2g\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":49865,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":32153,\"query\":\"www.google.com\",\"qclass\":1,\"qclass_name\":\"C_INTERNET\",\"qtype\":1,\"qtype_name\":\"A\",\"AA\":false,\"TC\":false,\"RD\":true,\"RA\":false,\"Z\":0,\"rejected\":false}",
"log_file":"/var/log/corelight/dns_20180803_16:36:44-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:00.945553Z\",\"uid\":\"CXgUSFFDSVzOfZ8x9\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":52640,\"id.resp_h\":\"23.78.127.162\",\"id.resp_p\":80,\"trans_depth\":1,\"method\":\"GET\",\"host\":\"www.microsoft.com\",\"uri\":\"/pkiops/crl/MicSecSerCA2011_2011-10-18.crl\",\"user_agent\":\"Microsoft-CryptoAPI/6.1\",\"request_body_len\":0,\"response_body_len\":0,\"tags\":[]}",
"log_file":"/var/log/corelight/http_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:00.964107Z\",\"uid\":\"Cy26oNvQBpiu1PEG\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":52714,\"id.resp_h\":\"108.160.166.139\",\"id.resp_p\":443,\"resumed\":false,\"established\":false,\"ja3\":\"8d0230b6ce881f161d1875364f4a156b\"}",
"log_file":"/var/log/corelight/ssl_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.001217Z\",\"uid\":\"Cvh6wj4VimbGAfsIq2\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":52794,\"id.resp_h\":\"23.78.127.162\",\"id.resp_p\":80,\"trans_depth\":1,\"method\":\"GET\",\"host\":\"www.microsoft.com\",\"uri\":\"/pkiops/crl/MicSecSerCA2011_2011-10-18.crl\",\"user_agent\":\"Microsoft-CryptoAPI/6.1\",\"request_body_len\":0,\"response_body_len\":0,\"tags\":[]}",
"log_file":"/var/log/corelight/http_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.006067Z\",\"uid\":\"C5qsU43WVspFbFHtkf\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":52795,\"id.resp_h\":\"80.239.237.10\",\"id.resp_p\":80,\"trans_depth\":1,\"method\":\"GET\",\"host\":\"crl.microsoft.com\",\"uri\":\"/pki/crl/products/tspca.crl\",\"user_agent\":\"Microsoft-CryptoAPI/6.1\",\"request_body_len\":0,\"response_body_len\":0,\"tags\":[]}",
"log_file":"/var/log/corelight/http_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.022738Z\",\"uid\":\"CdAux82PdcPXUx7NX4\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":3424,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":8080,\"trans_depth\":1,\"method\":\"SUBSCRIBE\",\"host\":\"192.168.0.1\",\"uri\":\"/WANCommonInterfaceConfig\",\"user_agent\":\"Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)\",\"request_body_len\":0,\"response_body_len\":0,\"tags\":[]}",
"log_file":"/var/log/corelight/http_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.032946Z\",\"uid\":\"CAdhMq3LBdw6Tw40oj\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":53943,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":16916,\"query\":\"safebrowsing.google.com\",\"qclass\":1,\"qclass_name\":\"C_INTERNET\",\"qtype\":1,\"qtype_name\":\"A\",\"AA\":false,\"TC\":false,\"RD\":true,\"RA\":false,\"Z\":0,\"rejected\":false}",
"log_file":"/var/log/corelight/dns_20180803_16:36:44-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.044659Z\",\"uid\":\"CMWcFP23u6AkrdEfZh\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":52898,\"id.resp_h\":\"64.233.161.189\",\"id.resp_p\":443,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\",\"curve\":\"secp256r1\",\"server_name\":\"12.client-channel.google.com\",\"resumed\":false,\"established\":false,\"cert_chain_fuids\":[\"FO8b6W2yJRpm2KXng6\",\"FmnhOg1Eb8Eb2PmsP7\",\"FneYmJiFUIxkgqpWc\"],\"client_cert_chain_fuids\":[],\"ja3\":\"e03fdb6b99211ce6d1ed8a21abf4b25b\"}",
"log_file":"/var/log/corelight/ssl_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.047976Z\",\"uid\":\"CHJWCW3g7DUgXOExQg\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":62969,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":44335,\"query\":\"safebrowsing-cache.google.com\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":true,\"Z\":0,\"answers\":[\"safebrowsing.cache.l.google.com\",\"213.155.151.155\",\"213.155.151.148\",\"213.155.151.149\",\"213.155.151.150\",\"213.155.151.151\",\"213.155.151.152\",\"213.155.151.153\",\"213.155.151.154\"],\"TTLs\":[168497.0,276.0,276.0,276.0,276.0,276.0,276.0,276.0,276.0],\"rejected\":false}",
"log_file":"/var/log/corelight/dns_20180803_16:36:44-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.056647Z\",\"uid\":\"CdNU9c2P0uebDBSWo5\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":60416,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":21121,\"query\":\"accounts.google.com\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":true,\"Z\":0,\"answers\":[\"accounts.l.google.com\",\"216.58.209.141\"],\"TTLs\":[278777.0,262.0],\"rejected\":false}",
"log_file":"/var/log/corelight/dns_20180803_16:36:44-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.056647Z\",\"uid\":\"Cm7HKR3RQ9cPxV5X0h\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":52923,\"id.resp_h\":\"198.199.14.15\",\"id.resp_p\":80,\"trans_depth\":1,\"method\":\"GET\",\"host\":\"www.wajam.com\",\"uri\":\"/webenhancer/config?v=d1.4.1.5\\u0026os_mj=6\\u0026os_mn=1\\u0026os_bitness=64\\u0026mid=f06847d131a21bb534bd07962f92bd3e\\u0026uid=942E7E7368DAADD6C1330C564D1D3954\\u0026aid=9860\\u0026aid2=none\\u0026ts=1426247458\\u0026ts2=\",\"request_body_len\":0,\"response_body_len\":0,\"tags\":[]}",
"log_file":"/var/log/corelight/http_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.069973Z\",\"uid\":\"ChWglr3KAZblx8vTR1\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":52938,\"id.resp_h\":\"213.155.151.152\",\"id.resp_p\":443,\"server_name\":\"talkgadget.google.com\",\"resumed\":false,\"established\":false,\"ja3\":\"daca8a9af4450c4d2e0ef0c691db8d7a\"}",
"log_file":"/var/log/corelight/ssl_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.071442Z\",\"uid\":\"CYmMV1vb53b2jV07l\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":37324,\"id.resp_h\":\"93.184.220.29\",\"id.resp_p\":80,\"trans_depth\":1,\"method\":\"POST\",\"host\":\"ocsp.digicert.com\",\"uri\":\"/\",\"user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0\",\"request_body_len\":83,\"response_body_len\":0,\"tags\":[],\"orig_fuids\":[\"FruyQsIM31LEyQ5mj\"],\"orig_mime_types\":[\"application/ocsp-request\"]}",
"log_file":"/var/log/corelight/http_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.071442Z\",\"uid\":\"CYmMV1vb53b2jV07l\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":37324,\"id.resp_h\":\"93.184.220.29\",\"id.resp_p\":80,\"trans_depth\":2,\"method\":\"POST\",\"host\":\"ocsp.digicert.com\",\"uri\":\"/\",\"user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0\",\"request_body_len\":83,\"response_body_len\":0,\"tags\":[],\"orig_fuids\":[\"F7v4Ep1MMC13a4yDD6\"],\"orig_mime_types\":[\"application/ocsp-request\"]}",
"log_file":"/var/log/corelight/http_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.071442Z\",\"uid\":\"CYmMV1vb53b2jV07l\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":37324,\"id.resp_h\":\"93.184.220.29\",\"id.resp_p\":80,\"trans_depth\":3,\"method\":\"POST\",\"host\":\"ocsp.digicert.com\",\"uri\":\"/\",\"user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0\",\"request_body_len\":83,\"response_body_len\":0,\"tags\":[],\"orig_fuids\":[\"F8en7l1LV2IPx6fLCi\"],\"orig_mime_types\":[\"application/ocsp-request\"]}",
"log_file":"/var/log/corelight/http_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.079083Z\",\"uid\":\"Cae8jj44kIVwU95K9\",\"id.orig_h\":\"61.160.195.10\",\"id.orig_p\":1285,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"trans_depth\":1,\"method\":\"GET\",\"host\":\"95.192.215.175\",\"uri\":\"/8nzr701m3s.jsp\",\"user_agent\":\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)\",\"request_body_len\":0,\"response_body_len\":0,\"tags\":[]}",
"log_file":"/var/log/corelight/http_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.085129Z\",\"uid\":\"CqRVMl43u5sQROjmK9\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":52966,\"id.resp_h\":\"213.155.151.152\",\"id.resp_p\":443,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\",\"server_name\":\"talkgadget.google.com\",\"resumed\":true,\"established\":false,\"ja3\":\"daca8a9af4450c4d2e0ef0c691db8d7a\"}",
"log_file":"/var/log/corelight/ssl_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.092663Z\",\"uid\":\"ClPpoU1txFznvRQVOj\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":68,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":67,\"mac\":\"ec:f4:bb:4f:b0:96\",\"assigned_ip\":\"192.168.0.54\",\"lease_time\":0.0,\"trans_id\":292319466}",
"log_file":"/var/log/corelight/dhcp_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.100860Z\",\"uid\":\"CVAKdv11VMygyHMWoh\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":53009,\"id.resp_h\":\"213.155.151.183\",\"id.resp_p\":443,\"server_name\":\"clients6.google.com\",\"resumed\":false,\"established\":false,\"ja3\":\"daca8a9af4450c4d2e0ef0c691db8d7a\"}",
"log_file":"/var/log/corelight/ssl_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.102810Z\",\"uid\":\"ClPpoU1txFznvRQVOj\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":68,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":67,\"mac\":\"ec:f4:bb:4f:b0:96\",\"assigned_ip\":\"192.168.0.54\",\"lease_time\":0.0,\"trans_id\":1730265640}",
"log_file":"/var/log/corelight/dhcp_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.113819Z\",\"uid\":\"C19mag3BYc9imOhGF\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":53043,\"id.resp_h\":\"75.101.135.23\",\"id.resp_p\":443,\"server_name\":\"www.hipchat.com\",\"resumed\":false,\"established\":false,\"ja3\":\"d6d0268c238e629784c6440543062546\"}",
"log_file":"/var/log/corelight/ssl_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.114483Z\",\"uid\":\"CQcGkX1PaSnGr3ORJ9\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":68,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":67,\"mac\":\"ec:f4:bb:4f:b2:45\",\"assigned_ip\":\"192.168.0.51\",\"lease_time\":86400.0,\"trans_id\":1560696338}",
"log_file":"/var/log/corelight/dhcp_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.117978Z\",\"uid\":\"ClPpoU1txFznvRQVOj\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":68,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":67,\"mac\":\"ec:f4:bb:4f:b0:96\",\"assigned_ip\":\"192.168.0.54\",\"lease_time\":0.0,\"trans_id\":1357091566}",
"log_file":"/var/log/corelight/dhcp_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.117978Z\",\"uid\":\"ClPpoU1txFznvRQVOj\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":68,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":67,\"mac\":\"ec:f4:bb:4f:b0:96\",\"assigned_ip\":\"192.168.0.54\",\"lease_time\":0.0,\"trans_id\":3186368546}",
"log_file":"/var/log/corelight/dhcp_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.117978Z\",\"uid\":\"ClPpoU1txFznvRQVOj\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":68,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":67,\"mac\":\"ec:f4:bb:4f:b0:96\",\"assigned_ip\":\"192.168.0.54\",\"lease_time\":0.0,\"trans_id\":3409528128}",
"log_file":"/var/log/corelight/dhcp_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.117978Z\",\"uid\":\"ClPpoU1txFznvRQVOj\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":68,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":67,\"mac\":\"ec:f4:bb:4f:b0:96\",\"assigned_ip\":\"192.168.0.54\",\"lease_time\":0.0,\"trans_id\":647710817}",
"log_file":"/var/log/corelight/dhcp_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.124145Z\",\"uid\":\"C9FY9f3dBGwUJTUrsi\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":53055,\"id.resp_h\":\"216.58.209.141\",\"id.resp_p\":443,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\",\"server_name\":\"accounts.google.com\",\"resumed\":true,\"established\":false,\"ja3\":\"5039c2e4865acfa462910ad50a1ecd66\"}",
"log_file":"/var/log/corelight/ssl_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.124570Z\",\"uid\":\"C9ywaY2tEz5PCm2gmi\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":63612,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":3934,\"rcode\":3,\"rcode_name\":\"NXDOMAIN\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":false,\"Z\":0,\"rejected\":false}",
"log_file":"/var/log/corelight/dns_20180803_16:36:44-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.138206Z\",\"uid\":\"ClPpoU1txFznvRQVOj\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":68,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":67,\"mac\":\"ec:f4:bb:4f:b0:96\",\"assigned_ip\":\"192.168.0.54\",\"lease_time\":0.0,\"trans_id\":3203197054}",
"log_file":"/var/log/corelight/dhcp_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.145435Z\",\"uid\":\"Cp6Jg83qPc3E7AZOpc\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":53118,\"id.resp_h\":\"23.53.58.73\",\"id.resp_p\":443,\"version\":\"TLSv12\",\"cipher\":\"TLS_RSA_WITH_AES_256_CBC_SHA\",\"server_name\":\"ads1.msads.net\",\"resumed\":false,\"established\":false,\"ja3\":\"2a458dd9c65afbcf591cd8c2a194b804\"}",
"log_file":"/var/log/corelight/ssl_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.156487Z\",\"id\":\"F0T1T52YtVLugdWEA9\",\"certificate.version\":3,\"certificate.serial\":\"615DAAD2000600000040\",\"certificate.subject\":\"CN=MSIT Machine Auth CA 2,DC=redmond,DC=corp,DC=microsoft,DC=com\",\"certificate.issuer\":\"CN=Microsoft Internet Authority\",\"certificate.not_valid_before\":\"2012-05-16T03:40:55.000000Z\",\"certificate.not_valid_after\":\"2016-05-16T03:50:55.000000Z\",\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha1WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":2048,\"certificate.exponent\":\"65537\",\"basic_constraints.ca\":true,\"basic_constraints.path_len\":0}",
"log_file":"/var/log/corelight/x509_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.156487Z\",\"id\":\"FAuQnh411Poc4j6IB5\",\"certificate.version\":3,\"certificate.serial\":\"0851F959814145CABDE024E212C9C20E\",\"certificate.subject\":\"CN=DigiCert High Assurance CA-3,OU=www.digicert.com,O=DigiCert Inc,C=US\",\"certificate.issuer\":\"CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US\",\"certificate.not_valid_before\":\"2007-04-03T07:00:00.000000Z\",\"certificate.not_valid_after\":\"2022-04-03T07:00:00.000000Z\",\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha1WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":2048,\"certificate.exponent\":\"65537\",\"basic_constraints.ca\":true}",
"log_file":"/var/log/corelight/x509_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.156487Z\",\"id\":\"FTDJXw3B9FNH6LllVi\",\"certificate.version\":3,\"certificate.serial\":\"07276FAE\",\"certificate.subject\":\"CN=Microsoft Internet Authority\",\"certificate.issuer\":\"CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE\",\"certificate.not_valid_before\":\"2012-04-26T00:41:36.000000Z\",\"certificate.not_valid_after\":\"2020-04-26T00:40:55.000000Z\",\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha1WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":4096,\"certificate.exponent\":\"65537\",\"basic_constraints.ca\":true,\"basic_constraints.path_len\":1}",
"log_file":"/var/log/corelight/x509_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.156487Z\",\"id\":\"FlwjH1VX5WGZwfNA\",\"certificate.version\":3,\"certificate.serial\":\"67FBBC6F0001000077AF\",\"certificate.subject\":\"CN=flex.msn.com,OU=Adcenter,O=Microsoft,L=Redmond,ST=WA,C=US\",\"certificate.issuer\":\"CN=MSIT Machine Auth CA 2,DC=redmond,DC=corp,DC=microsoft,DC=com\",\"certificate.not_valid_before\":\"2013-06-06T00:09:06.000000Z\",\"certificate.not_valid_after\":\"2015-06-06T00:09:06.000000Z\",\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha1WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":2048,\"certificate.exponent\":\"65537\"}",
"log_file":"/var/log/corelight/x509_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.156487Z\",\"id\":\"FnbDjP2vdfoNORnLy9\",\"certificate.version\":3,\"certificate.serial\":\"0809E169141E080784D177C649586BFA\",\"certificate.subject\":\"CN=*.ib-ibi.com,OU=IT,O=I-Behavior\\u005c, Inc,L=Louisville,ST=Colorado,C=US\",\"certificate.issuer\":\"CN=DigiCert High Assurance CA-3,OU=www.digicert.com,O=DigiCert Inc,C=US\",\"certificate.not_valid_before\":\"2013-09-27T07:00:00.000000Z\",\"certificate.not_valid_after\":\"2016-11-30T20:00:00.000000Z\",\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha1WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":2048,\"certificate.exponent\":\"65537\",\"san.dns\":[\"*.ib-ibi.com\",\"ib-ibi.com\"],\"basic_constraints.ca\":false}",
"log_file":"/var/log/corelight/x509_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.158369Z\",\"uid\":\"ClPpoU1txFznvRQVOj\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":68,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":67,\"mac\":\"ec:f4:bb:4f:b0:96\",\"assigned_ip\":\"192.168.0.54\",\"lease_time\":0.0,\"trans_id\":41767348}",
"log_file":"/var/log/corelight/dhcp_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.166082Z\",\"id\":\"F0ycGZ2X6t2bjfE77k\",\"certificate.version\":3,\"certificate.serial\":\"6ECC7AA5A7032009B8CEBCF4E952D491\",\"certificate.subject\":\"CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\\u005c, Inc.,C=US\",\"certificate.issuer\":\"CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\\u005c, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\\u005c, Inc.,C=US\",\"certificate.not_valid_before\":\"2010-02-08T08:00:00.000000Z\",\"certificate.not_valid_after\":\"2020-02-08T07:59:59.000000Z\",\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha1WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":2048,\"certificate.exponent\":\"65537\",\"basic_constraints.ca\":true,\"basic_constraints.path_len\":0}",
"log_file":"/var/log/corelight/x509_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.166082Z\",\"id\":\"FEbyRb1pcTUgT14Jxd\",\"certificate.version\":3,\"certificate.serial\":\"1F6AAF787FE640ABBC314A3DEBE434A7\",\"certificate.subject\":\"CN=na.gmtdmp.com,OU=TechOps,O=Media Innovation Group\\u005c, LLC,L=New York,ST=New York,C=US\",\"certificate.issuer\":\"CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\\u005c, Inc.,C=US\",\"certificate.not_valid_before\":\"2014-10-15T07:00:00.000000Z\",\"certificate.not_valid_after\":\"2015-10-17T06:59:59.000000Z\",\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha1WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":2048,\"certificate.exponent\":\"65537\",\"san.dns\":[\"na.gmtdmp.com\",\"gmtdmp.mookie1.com\"],\"basic_constraints.ca\":false}",
"log_file":"/var/log/corelight/x509_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.166082Z\",\"id\":\"FwZxHaTosC5HMTFQ2\",\"certificate.version\":3,\"certificate.serial\":\"250CE8E030612E9F2B89F7054D7CF8FD\",\"certificate.subject\":\"CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\\u005c, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\\u005c, Inc.,C=US\",\"certificate.issuer\":\"OU=Class 3 Public Primary Certification Authority,O=VeriSign\\u005c, Inc.,C=US\",\"certificate.not_valid_before\":\"2006-11-08T08:00:00.000000Z\",\"certificate.not_valid_after\":\"2021-11-08T07:59:59.000000Z\",\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha1WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":2048,\"certificate.exponent\":\"65537\",\"basic_constraints.ca\":true}",
"log_file":"/var/log/corelight/x509_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.166295Z\",\"id\":\"F8Wvj82UfJkQXp14pg\",\"certificate.version\":3,\"certificate.serial\":\"12BBE6\",\"certificate.subject\":\"CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US\",\"certificate.issuer\":\"OU=Equifax Secure Certificate Authority,O=Equifax,C=US\",\"certificate.not_valid_before\":\"2002-05-21T11:00:00.000000Z\",\"certificate.not_valid_after\":\"2018-08-21T11:00:00.000000Z\",\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha1WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":2048,\"certificate.exponent\":\"65537\",\"basic_constraints.ca\":true}",
"log_file":"/var/log/corelight/x509_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.166295Z\",\"id\":\"FyfBmE1uxR4LPQiiwg\",\"certificate.version\":3,\"certificate.serial\":\"0236D1\",\"certificate.subject\":\"CN=RapidSSL CA,O=GeoTrust\\u005c, Inc.,C=US\",\"certificate.issuer\":\"CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US\",\"certificate.not_valid_before\":\"2010-02-20T06:45:05.000000Z\",\"certificate.not_valid_after\":\"2020-02-19T06:45:05.000000Z\",\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha1WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":2048,\"certificate.exponent\":\"65537\",\"basic_constraints.ca\":true,\"basic_constraints.path_len\":0}",
"log_file":"/var/log/corelight/x509_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.231971Z\",\"uid\":\"Ct9xQdrkYT5FlOxzl\",\"id.orig_h\":\"1.2.3.4\",\"id.orig_p\":0,\"id.resp_h\":\"5.6.7.8\",\"id.resp_p\":0,\"tunnel_type\":\"Tunnel::IP\",\"action\":\"Tunnel::DISCOVER\"}",
"log_file":"/var/log/corelight/tunnel_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.305873Z\",\"uid\":\"CjqVGPVXXCE13mZEi\",\"id.orig_h\":\"10.0.0.11\",\"id.orig_p\":43073,\"id.resp_h\":\"119.74.138.214\",\"id.resp_p\":21,\"user\":\"1\",\"password\":\"<hidden>\",\"command\":\"PORT\",\"arg\":\"10,0,0,11,249,214\",\"reply_code\":200,\"reply_msg\":\"Port command successful\",\"data_channel.passive\":false,\"data_channel.orig_h\":\"119.74.138.214\",\"data_channel.resp_h\":\"10.0.0.11\",\"data_channel.resp_p\":63958}",
"log_file":"/var/log/corelight/ftp_20180803_16:37:54-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.305873Z\",\"uid\":\"CjqVGPVXXCE13mZEi\",\"id.orig_h\":\"10.0.0.11\",\"id.orig_p\":43073,\"id.resp_h\":\"119.74.138.214\",\"id.resp_p\":21,\"user\":\"1\",\"password\":\"<hidden>\",\"command\":\"RETR\",\"arg\":\"ftp://119.74.138.214/doc.exe\",\"file_size\":0,\"reply_code\":226,\"reply_msg\":\"Transfer OK\"}",
"log_file":"/var/log/corelight/ftp_20180803_16:37:54-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.306900Z\",\"uid\":\"CbmdWd4gP4unkau5rj\",\"id.orig_h\":\"10.0.0.11\",\"id.orig_p\":45831,\"id.resp_h\":\"119.74.138.214\",\"id.resp_p\":21,\"user\":\"1\",\"password\":\"<hidden>\",\"command\":\"PORT\",\"arg\":\"10,0,0,11,249,29\",\"reply_code\":200,\"reply_msg\":\"Port command successful\",\"data_channel.passive\":false,\"data_channel.orig_h\":\"119.74.138.214\",\"data_channel.resp_h\":\"10.0.0.11\",\"data_channel.resp_p\":63773}",
"log_file":"/var/log/corelight/ftp_20180803_16:37:54-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.306900Z\",\"uid\":\"CbmdWd4gP4unkau5rj\",\"id.orig_h\":\"10.0.0.11\",\"id.orig_p\":45831,\"id.resp_h\":\"119.74.138.214\",\"id.resp_p\":21,\"user\":\"1\",\"password\":\"<hidden>\",\"command\":\"RETR\",\"arg\":\"ftp://119.74.138.214/doc.exe\",\"file_size\":0,\"reply_code\":226,\"reply_msg\":\"Transfer OK\"}",
"log_file":"/var/log/corelight/ftp_20180803_16:37:54-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.307124Z\",\"uid\":\"C2P6jt32gESqlJqb32\",\"id.orig_h\":\"125.5.61.130\",\"id.orig_p\":4577,\"id.resp_h\":\"10.0.0.11\",\"id.resp_p\":445,\"hostname\":\"lQPxf2ISQgEV1bGK\",\"domainname\":\"WORKGROUP\",\"success\":true,\"status\":\"SUCCESS\"}",
"log_file":"/var/log/corelight/ntlm_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.307124Z\",\"uid\":\"C2P6jt32gESqlJqb32\",\"id.orig_h\":\"125.5.61.130\",\"id.orig_p\":4577,\"id.resp_h\":\"10.0.0.11\",\"id.resp_p\":445,\"path\":\"IPC$\",\"service\":\"IPC\",\"share_type\":\"PIPE\"}",
"log_file":"/var/log/corelight/smb_mapping_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.310882Z\",\"uid\":\"C4cMdr30cSbBpKtxH4\",\"id.orig_h\":\"85.132.46.226\",\"id.orig_p\":62248,\"id.resp_h\":\"10.0.0.11\",\"id.resp_p\":445,\"hostname\":\"lQPxf2ISQgEV1bGK\",\"domainname\":\"WORKGROUP\",\"success\":true,\"status\":\"SUCCESS\"}",
"log_file":"/var/log/corelight/ntlm_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.310882Z\",\"uid\":\"C4cMdr30cSbBpKtxH4\",\"id.orig_h\":\"85.132.46.226\",\"id.orig_p\":62248,\"id.resp_h\":\"10.0.0.11\",\"id.resp_p\":445,\"path\":\"IPC$\",\"service\":\"IPC\",\"share_type\":\"PIPE\"}",
"log_file":"/var/log/corelight/smb_mapping_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.310882Z\",\"uid\":\"CbOpF7444p309keZB9\",\"id.orig_h\":\"81.213.174.63\",\"id.orig_p\":54313,\"id.resp_h\":\"10.0.0.11\",\"id.resp_p\":445,\"hostname\":\"lQPxf2ISQgEV1bGK\",\"domainname\":\"WORKGROUP\",\"success\":true,\"status\":\"SUCCESS\"}",
"log_file":"/var/log/corelight/ntlm_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.310882Z\",\"uid\":\"CbOpF7444p309keZB9\",\"id.orig_h\":\"81.213.174.63\",\"id.orig_p\":54313,\"id.resp_h\":\"10.0.0.11\",\"id.resp_p\":445,\"path\":\"IPC$\",\"service\":\"IPC\",\"share_type\":\"PIPE\"}",
"log_file":"/var/log/corelight/smb_mapping_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.313522Z\",\"uid\":\"CBEYYM9tj0f5jXsM5\",\"id.orig_h\":\"10.0.0.11\",\"id.orig_p\":56724,\"id.resp_h\":\"119.74.138.214\",\"id.resp_p\":21,\"user\":\"1\",\"password\":\"<hidden>\",\"command\":\"PORT\",\"arg\":\"10,0,0,11,248,143\",\"reply_code\":200,\"reply_msg\":\"Port command successful\",\"data_channel.passive\":false,\"data_channel.orig_h\":\"119.74.138.214\",\"data_channel.resp_h\":\"10.0.0.11\",\"data_channel.resp_p\":63631}",
"log_file":"/var/log/corelight/ftp_20180803_16:37:54-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.313522Z\",\"uid\":\"CBEYYM9tj0f5jXsM5\",\"id.orig_h\":\"10.0.0.11\",\"id.orig_p\":56724,\"id.resp_h\":\"119.74.138.214\",\"id.resp_p\":21,\"user\":\"1\",\"password\":\"<hidden>\",\"command\":\"RETR\",\"arg\":\"ftp://119.74.138.214/doc.exe\",\"file_size\":0,\"reply_code\":226,\"reply_msg\":\"Transfer OK\"}",
"log_file":"/var/log/corelight/ftp_20180803_16:37:54-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.314346Z\",\"uid\":\"C2P6jt32gESqlJqb32\",\"id.orig_h\":\"125.5.61.130\",\"id.orig_p\":4577,\"id.resp_h\":\"10.0.0.11\",\"id.resp_p\":445,\"proto\":\"tcp\",\"note\":\"FindSMBv1::Seen\",\"msg\":\"SMBv1 Connection 125.5.61.130 to 10.0.0.11\",\"src\":\"125.5.61.130\",\"dst\":\"10.0.0.11\",\"p\":445,\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}",
"log_file":"/var/log/corelight/notice_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.314346Z\",\"uid\":\"C4cMdr30cSbBpKtxH4\",\"id.orig_h\":\"85.132.46.226\",\"id.orig_p\":62248,\"id.resp_h\":\"10.0.0.11\",\"id.resp_p\":445,\"proto\":\"tcp\",\"note\":\"FindSMBv1::Seen\",\"msg\":\"SMBv1 Connection 85.132.46.226 to 10.0.0.11\",\"src\":\"85.132.46.226\",\"dst\":\"10.0.0.11\",\"p\":445,\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}",
"log_file":"/var/log/corelight/notice_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.314346Z\",\"uid\":\"CJ2I2X3eumh4KByV81\",\"id.orig_h\":\"202.177.98.46\",\"id.orig_p\":8530,\"id.resp_h\":\"10.0.0.11\",\"id.resp_p\":445,\"proto\":\"tcp\",\"note\":\"FindSMBv1::Seen\",\"msg\":\"SMBv1 Connection 202.177.98.46 to 10.0.0.11\",\"src\":\"202.177.98.46\",\"dst\":\"10.0.0.11\",\"p\":445,\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}",
"log_file":"/var/log/corelight/notice_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.314346Z\",\"uid\":\"CbOpF7444p309keZB9\",\"id.orig_h\":\"81.213.174.63\",\"id.orig_p\":54313,\"id.resp_h\":\"10.0.0.11\",\"id.resp_p\":445,\"proto\":\"tcp\",\"note\":\"FindSMBv1::Seen\",\"msg\":\"SMBv1 Connection 81.213.174.63 to 10.0.0.11\",\"src\":\"81.213.174.63\",\"dst\":\"10.0.0.11\",\"p\":445,\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}",
"log_file":"/var/log/corelight/notice_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.347346Z\",\"id\":\"FISJc7YSDyP0IIgZj\",\"machine\":\"I386\",\"compile_ts\":\"2007-10-06T03:09:43.000000Z\",\"os\":\"Windows 95 or NT 4.0\",\"subsystem\":\"WINDOWS_GUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":false,\"uses_dep\":false,\"uses_code_integrity\":false,\"uses_seh\":true,\"has_import_table\":true,\"has_export_table\":false,\"has_cert_table\":false,\"has_debug_data\":false,\"section_names\":[\":\\u00c2I\\u00ce\\u009b\\u00b7vA\",\"\\u000c\\u00afk7\\u00fa\\u001d\\u0012<\",\".rsrc\"]}",
"log_file":"/var/log/corelight/pe_20180803_16:37:18-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.348480Z\",\"uid\":\"CX0U3u2aujkDwKyUZj\",\"id.orig_h\":\"172.16.253.130\",\"id.orig_p\":68,\"id.resp_h\":\"172.16.253.254\",\"id.resp_p\":67,\"mac\":\"00:0c:29:af:9c:dc\",\"assigned_ip\":\"172.16.253.130\",\"lease_time\":1800.0,\"trans_id\":1671394645}",
"log_file":"/var/log/corelight/dhcp_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.394640Z\",\"uid\":\"Cvvh1e10TgqGgOUKIh\",\"id.orig_h\":\"192.168.2.16\",\"id.orig_p\":3797,\"id.resp_h\":\"65.55.158.81\",\"id.resp_p\":3544,\"tunnel_type\":\"Tunnel::TEREDO\",\"action\":\"Tunnel::DISCOVER\"}",
"log_file":"/var/log/corelight/tunnel_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.395376Z\",\"uid\":\"C1fJIA1dasC4KZQJia\",\"id.orig_h\":\"192.168.2.16\",\"id.orig_p\":3797,\"id.resp_h\":\"83.170.1.38\",\"id.resp_p\":32900,\"tunnel_type\":\"Tunnel::TEREDO\",\"action\":\"Tunnel::DISCOVER\"}",
"log_file":"/var/log/corelight/tunnel_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.396052Z\",\"uid\":\"Cf80KsDADsn4c7Koa\",\"id.orig_h\":\"192.168.2.16\",\"id.orig_p\":3797,\"id.resp_h\":\"65.55.158.80\",\"id.resp_p\":3544,\"tunnel_type\":\"Tunnel::TEREDO\",\"action\":\"Tunnel::DISCOVER\"}",
"log_file":"/var/log/corelight/tunnel_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.434681Z\",\"uid\":\"CMY1OYctlBZ1FMkyg\",\"id.orig_h\":\"10.0.0.8\",\"id.orig_p\":2828,\"id.resp_h\":\"10.0.0.3\",\"id.resp_p\":20000,\"fc_request\":\"COLD_RESTART\",\"fc_reply\":\"RESPONSE\",\"iin\":0}",
"log_file":"/var/log/corelight/dnp3_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.434681Z\",\"uid\":\"CMY1OYctlBZ1FMkyg\",\"id.orig_h\":\"10.0.0.8\",\"id.orig_p\":2828,\"id.resp_h\":\"10.0.0.3\",\"id.resp_p\":20000,\"fc_request\":\"CONFIRM\",\"fc_reply\":\"UNSOLICITED_RESPONSE\",\"iin\":0}",
"log_file":"/var/log/corelight/dnp3_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.436247Z\",\"uid\":\"CFtzZB20l6R7JprzA\",\"id.orig_h\":\"10.0.0.8\",\"id.orig_p\":1159,\"id.resp_h\":\"10.0.0.3\",\"id.resp_p\":20000,\"fc_reply\":\"UNSOLICITED_RESPONSE\",\"iin\":256}",
"log_file":"/var/log/corelight/dnp3_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.439072Z\",\"uid\":\"CTLKmv8tYC2Buh1i\",\"id.orig_h\":\"10.0.0.9\",\"id.orig_p\":1084,\"id.resp_h\":\"10.0.0.3\",\"id.resp_p\":20000,\"fc_request\":\"STOP_APPL\"}",
"log_file":"/var/log/corelight/dnp3_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.805909Z\",\"uid\":\"CPjVQz26XMOipsHhZj\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38886,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"path\":\"\\u005c\\u005c172.16.1.7\\u005cIPC$\",\"service\":\"IPC\",\"share_type\":\"PIPE\"}",
"log_file":"/var/log/corelight/smb_mapping_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.805909Z\",\"uid\":\"CPjVQz26XMOipsHhZj\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38886,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"username\":\"sonos\",\"hostname\":\"INTENSE\",\"domainname\":\"WORKGROUP\",\"success\":true,\"status\":\"SUCCESS\"}",
"log_file":"/var/log/corelight/ntlm_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.806384Z\",\"uid\":\"CEYfiD3mbXWS12t6c1\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38889,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"path\":\"\\u005c\\u005c172.16.1.7\\u005cIPC$\",\"service\":\"IPC\",\"share_type\":\"PIPE\"}",
"log_file":"/var/log/corelight/smb_mapping_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.806384Z\",\"uid\":\"CEYfiD3mbXWS12t6c1\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38889,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"username\":\"sonos\",\"hostname\":\"INTENSE\",\"domainname\":\"WORKGROUP\",\"success\":true,\"status\":\"SUCCESS\"}",
"log_file":"/var/log/corelight/ntlm_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.808066Z\",\"uid\":\"C2QZER6w0F3Z8qPpa\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38888,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"path\":\"\\u005c\\u005c172.16.1.7\\u005cIPC$\",\"service\":\"IPC\",\"share_type\":\"PIPE\"}",
"log_file":"/var/log/corelight/smb_mapping_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.808066Z\",\"uid\":\"C2QZER6w0F3Z8qPpa\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38888,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"username\":\"sonos\",\"hostname\":\"INTENSE\",\"domainname\":\"WORKGROUP\",\"success\":true,\"status\":\"SUCCESS\"}",
"log_file":"/var/log/corelight/ntlm_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.808643Z\",\"uid\":\"CPjVQz26XMOipsHhZj\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38886,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"proto\":\"tcp\",\"note\":\"FindSMBv1::Seen\",\"msg\":\"SMBv1 Connection 172.16.1.8 to 172.16.1.7\",\"src\":\"172.16.1.8\",\"dst\":\"172.16.1.7\",\"p\":445,\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}",
"log_file":"/var/log/corelight/notice_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.808953Z\",\"uid\":\"Co7dkb3VZW4JUWlYV5\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38891,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"username\":\"sonos\",\"hostname\":\"INTENSE\",\"domainname\":\"WORKGROUP\",\"success\":false,\"status\":\"LOGON_FAILURE\"}",
"log_file":"/var/log/corelight/ntlm_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.808982Z\",\"uid\":\"C21en73FMP4ek9D6V7\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38894,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"username\":\"sonos\",\"hostname\":\"INTENSE\",\"domainname\":\"WORKGROUP\",\"success\":false,\"status\":\"LOGON_FAILURE\"}",
"log_file":"/var/log/corelight/ntlm_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.809566Z\",\"uid\":\"CkoU0m2UO5IJCGczh\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":41952,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":22,\"version\":2,\"auth_success\":true,\"auth_attempts\":2,\"client\":\"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.10\",\"server\":\"SSH-2.0-OpenSSH_7.4p1 Ubuntu-10\",\"cipher_alg\":\"chacha20-poly1305@openssh.com\",\"mac_alg\":\"umac-64-etm@openssh.com\",\"compression_alg\":\"none\",\"kex_alg\":\"curve25519-sha256@libssh.org\",\"host_key_alg\":\"ssh-rsa\",\"host_key\":\"2e:65:01:b6:47:1c:7f:9e:de:7e:eb:00:98:2b:a1:1d\"}",
"log_file":"/var/log/corelight/ssh_20180803_16:38:12-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.810316Z\",\"uid\":\"CtXGTtnwGhwiZGX4c\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38895,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"path\":\"\\u005c\\u005c172.16.1.7\\u005cIPC$\",\"service\":\"IPC\",\"share_type\":\"PIPE\"}",
"log_file":"/var/log/corelight/smb_mapping_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.810316Z\",\"uid\":\"CtXGTtnwGhwiZGX4c\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38895,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"path\":\"\\u005c\\u005c172.16.1.7\\u005cMUSIC\",\"service\":\"A:\",\"native_file_system\":\"NTFS\",\"share_type\":\"DISK\"}",
"log_file":"/var/log/corelight/smb_mapping_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.810316Z\",\"uid\":\"CtXGTtnwGhwiZGX4c\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38895,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"username\":\"sonos\",\"hostname\":\"INTENSE\",\"domainname\":\"WORKGROUP\",\"success\":true,\"status\":\"SUCCESS\"}",
"log_file":"/var/log/corelight/ntlm_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.812722Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"path\":\"\\u005c\\u005c172.16.1.7\\u005cIPC$\",\"service\":\"IPC\",\"share_type\":\"PIPE\"}",
"log_file":"/var/log/corelight/smb_mapping_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.812722Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"path\":\"\\u005c\\u005c172.16.1.7\\u005cMUSIC\",\"service\":\"A:\",\"native_file_system\":\"NTFS\",\"share_type\":\"DISK\"}",
"log_file":"/var/log/corelight/smb_mapping_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.812722Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"username\":\"sonos\",\"hostname\":\"INTENSE\",\"domainname\":\"WORKGROUP\",\"success\":true,\"status\":\"SUCCESS\"}",
"log_file":"/var/log/corelight/ntlm_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.858240Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"action\":\"SMB::FILE_OPEN\",\"name\":\"\\u005chack\\u005cpnm.tiff\",\"size\":1913531,\"times.modified\":\"2018-07-24T17:56:05.520403Z\",\"times.accessed\":\"2018-07-24T17:56:05.356403Z\",\"times.created\":\"2018-07-24T17:56:05.356403Z\",\"times.changed\":\"2018-07-24T17:56:05.520403Z\"}",
"log_file":"/var/log/corelight/smb_files_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.908827Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"action\":\"SMB::FILE_OPEN\",\"name\":\"\\u005chack\\u005cjpg.jpg\",\"size\":61292,\"times.modified\":\"2018-07-24T17:56:04.832403Z\",\"times.accessed\":\"2018-07-24T17:56:04.824403Z\",\"times.created\":\"2018-07-24T17:56:04.824403Z\",\"times.changed\":\"2018-07-24T17:56:04.832403Z\"}",
"log_file":"/var/log/corelight/smb_files_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.908827Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"action\":\"SMB::FILE_OPEN\",\"name\":\"\\u005chack\\u005cjpg.string.~1~\",\"size\":2373948,\"times.modified\":\"2018-07-24T17:56:04.824403Z\",\"times.accessed\":\"2018-07-24T17:56:04.620403Z\",\"times.created\":\"2018-07-24T17:56:04.620403Z\",\"times.changed\":\"2018-07-24T17:56:04.824403Z\"}",
"log_file":"/var/log/corelight/smb_files_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.908827Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"action\":\"SMB::FILE_OPEN\",\"name\":\"\\u005chack\\u005cpacket_filter.log\",\"size\":253,\"times.modified\":\"2018-07-24T17:56:05.132403Z\",\"times.accessed\":\"2018-07-24T17:56:05.128403Z\",\"times.created\":\"2018-07-24T17:56:05.128403Z\",\"times.changed\":\"2018-07-24T17:56:05.132403Z\"}",
"log_file":"/var/log/corelight/smb_files_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.959412Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"action\":\"SMB::FILE_OPEN\",\"name\":\"\\u005chack\\u005cgif-small.gif\",\"size\":1085,\"times.modified\":\"2018-07-24T17:56:05.356403Z\",\"times.accessed\":\"2018-07-24T17:56:05.352403Z\",\"times.created\":\"2018-07-24T17:56:05.352403Z\",\"times.changed\":\"2018-07-24T17:56:05.356403Z\"}",
"log_file":"/var/log/corelight/smb_files_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.959412Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"action\":\"SMB::FILE_OPEN\",\"name\":\"\\u005chack\\u005cpnm.xwd\",\"size\":5095658,\"times.modified\":\"2018-07-24T17:56:04.600403Z\",\"times.accessed\":\"2018-07-24T17:56:04.164402Z\",\"times.created\":\"2018-07-24T17:56:04.164402Z\",\"times.changed\":\"2018-07-24T17:56:04.600403Z\"}",
"log_file":"/var/log/corelight/smb_files_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:03.070676Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"action\":\"SMB::FILE_OPEN\",\"name\":\"\\u005chack\\u005cftp.log\",\"size\":1040,\"times.modified\":\"2018-07-24T17:56:05.020403Z\",\"times.accessed\":\"2018-07-24T17:56:05.020403Z\",\"times.created\":\"2018-07-24T17:56:05.020403Z\",\"times.changed\":\"2018-07-24T17:56:05.020403Z\"}",
"log_file":"/var/log/corelight/smb_files_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:03.070676Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"action\":\"SMB::FILE_OPEN\",\"name\":\"\\u005chack\\u005cgif.string\",\"size\":162232,\"times.modified\":\"2018-07-24T17:56:04.616403Z\",\"times.accessed\":\"2018-07-24T17:56:04.600403Z\",\"times.created\":\"2018-07-24T17:56:04.600403Z\",\"times.changed\":\"2018-07-24T17:56:04.616403Z\"}",
"log_file":"/var/log/corelight/smb_files_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:03.070676Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"action\":\"SMB::FILE_OPEN\",\"name\":\"\\u005chack\\u005cpng.png\",\"size\":148698,\"times.modified\":\"2018-07-24T17:56:04.848403Z\",\"times.accessed\":\"2018-07-24T17:56:04.832403Z\",\"times.created\":\"2018-07-24T17:56:04.832403Z\",\"times.changed\":\"2018-07-24T17:56:04.848403Z\"}",
"log_file":"/var/log/corelight/smb_files_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:03.070676Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"action\":\"SMB::FILE_OPEN\",\"name\":\"\\u005chack\\u005cpnm.pnm\",\"size\":1910848,\"times.modified\":\"2018-07-24T17:56:05.308403Z\",\"times.accessed\":\"2018-07-24T17:56:05.132403Z\",\"times.created\":\"2018-07-24T17:56:05.132403Z\",\"times.changed\":\"2018-07-24T17:56:05.308403Z\"}",
"log_file":"/var/log/corelight/smb_files_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:18.568559Z\",\"uid\":\"CATSgW2JPVhX7ESua5\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":39491,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"name\":\"dns_unmatched_msg\",\"notice\":false}",
"log_file":"/var/log/corelight/weird_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:18.872776Z\",\"uid\":\"CR1nf0433a3ialytj1\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":64427,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"name\":\"dns_unmatched_msg\",\"notice\":false}",
"log_file":"/var/log/corelight/weird_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:19.053959Z\",\"uid\":\"Cb0oDz1hEwX3a8sPc\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":50281,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"name\":\"dns_unmatched_msg\",\"notice\":false}",
"log_file":"/var/log/corelight/weird_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:19.211561Z\",\"uid\":\"Cee4q23WQLcRqZlJ94\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":57515,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"name\":\"dns_unmatched_msg\",\"notice\":false}",
"log_file":"/var/log/corelight/weird_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:19.308033Z\",\"uid\":\"CMMvTP2PNc0xC5kWvk\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":48458,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"name\":\"dns_unmatched_msg\",\"notice\":false}",
"log_file":"/var/log/corelight/weird_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:19.334330Z\",\"uid\":\"CuKeDJ3zaOcws1t8wi\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":50392,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"name\":\"dns_unmatched_msg\",\"notice\":false}",
"log_file":"/var/log/corelight/weird_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:19.793311Z\",\"uid\":\"CAdhMq3LBdw6Tw40oj\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":53943,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"name\":\"dns_unmatched_msg\",\"notice\":false}",
"log_file":"/var/log/corelight/weird_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:19.825907Z\",\"uid\":\"C83b3V1vZIrsJ2P6lg\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":54297,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"name\":\"dns_unmatched_msg\",\"notice\":false}",
"log_file":"/var/log/corelight/weird_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:19.848609Z\",\"uid\":\"CHJWCW3g7DUgXOExQg\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":62969,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"name\":\"dns_unmatched_msg\",\"notice\":false}",
"log_file":"/var/log/corelight/weird_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:19.864909Z\",\"uid\":\"C9ywaY2tEz5PCm2gmi\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":63612,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"name\":\"dns_unmatched_msg\",\"notice\":false}",
"log_file":"/var/log/corelight/weird_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
}
]

@ -974,7 +974,40 @@
"ManagementGroupName": "sysloger",
"TimeGenerated [UTC]": "11/5/2020, 4:38:58.000 PM",
"Computer": "sysloger",
"RawData": "2020-11-05T16:38:17+00:00 julienc.alsid.app AlsidForAD[4]: \"1\" \"1\" \"Sulforest\" \"dc\" \"CN=ok ok. ok,CN=Users,DC=alsid,DC=corp\" \"2157\" \"\" \"usnchanged\"=\"51747",
"RawData": "2020-11-05T16:38:17+00:00 julienc.alsid.app AlsidForAD[4]: \"1\" \"1\" \"Sulforest\" \"dc\" \"CN=ok ok. ok,CN=Users,DC=alsid,DC=corp\" \"2157\" \"\" \"usnchanged\"=\"51747\"",
"Type": "AlsidForADLog_CL",
"_ResourceId": "/subscriptions/8c038010-3c7a-40c6-985f-db5e8a04e59f/resourcegroups/julien_clement-rg/providers/microsoft.compute/virtualmachines/sysloger"
},
{
"TenantId": "cc1bd33d-9555-48b2-9161-6d8ca52f65f8",
"SourceSystem": "OpsManager",
"MG": "00000000-0000-0000-0000-000000000002",
"ManagementGroupName": "sysloger",
"TimeGenerated [UTC]": "03/03/2021, 7:38:08.000 AM",
"Computer": "sysloger",
"RawData": "2021-03-03T07:37:51+00:00 julienc.alsid.app AlsidForAD[4]: \"2\" \"0\" \"Sulforest\" \"dc\" \"DC Sync\" \"medium\" \"yoda.alsid.corp\" \"10.0.0.1\" \"x1x.alsid.corp\" \"10.1.0.1\" \"user\"=\"Gustavo Fring\" \"dc_name\"=\"MyDC\"",
"Type": "AlsidForADLog_CL",
"_ResourceId": "/subscriptions/8c038010-3c7a-40c6-985f-db5e8a04e59f/resourcegroups/julien_clement-rg/providers/microsoft.compute/virtualmachines/sysloger"
},
{
"TenantId": "cc1bd33d-9555-48b2-9161-6d8ca52f65f8",
"SourceSystem": "OpsManager",
"MG": "00000000-0000-0000-0000-000000000002",
"ManagementGroupName": "sysloger",
"TimeGenerated [UTC]": "03/03/2021, 7:38:08.000 AM",
"Computer": "sysloger",
"RawData": "2021-03-03T07:37:51+00:00 julienc.alsid.app AlsidForAD[4]: \"2\" \"0\" \"Sulforest\" \"dc\" \"DC Sync\" \"medium\" \"yoda.alsid.corp\" \"10.0.0.1\" \"x1x.alsid.corp\" \"10.1.0.1\" \"user\"=\"Gustavo Fring\" \"dc_name\"=\"MyDC\"",
"Type": "AlsidForADLog_CL",
"_ResourceId": "/subscriptions/8c038010-3c7a-40c6-985f-db5e8a04e59f/resourcegroups/julien_clement-rg/providers/microsoft.compute/virtualmachines/sysloger"
},
{
"TenantId": "cc1bd33d-9555-48b2-9161-6d8ca52f65f8",
"SourceSystem": "OpsManager",
"MG": "00000000-0000-0000-0000-000000000002",
"ManagementGroupName": "sysloger",
"TimeGenerated [UTC]": "03/03/2021, 7:38:08.000 AM",
"Computer": "sysloger",
"RawData": "2021-03-03T07:37:52+00:00 julienc.alsid.app AlsidForAD[4]: \"2\" \"0\" \"Sulforest\" \"dc\" \"DC Sync\" \"medium\" \"yoda.alsid.corp\" \"10.0.0.1\" \"x1x.alsid.corp\" \"10.1.0.1\" \"user\"=\"Gustavo Fring\" \"dc_name\"=\"MyDC\"",
"Type": "AlsidForADLog_CL",
"_ResourceId": "/subscriptions/8c038010-3c7a-40c6-985f-db5e8a04e59f/resourcegroups/julien_clement-rg/providers/microsoft.compute/virtualmachines/sysloger"
}
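Review bot: The three records added at the end of the hunk carry what look like real tenant and subscription identifiers in `TenantId` and `_ResourceId`, while `MG` is already a zeroed placeholder; sample data in a public repository is better scrubbed to the same form, e.g. `"TenantId": "00000000-0000-0000-0000-000000000000"` and a `_ResourceId` with a zeroed subscription GUID. The three new records are also identical apart from the seconds in the `RawData` timestamp, so they exercise the parser no more than one of them would; if a repeated-alert sample is intended, a distinct `user`/`dc_name` per row would make that purpose visible. The enclosing JSON array starts and ends outside the hunk.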

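--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,590 @@
+[
+{
+"TimeGenerated": "3/12/2021, 2:12:23.743 PM",
+"EventVendor": "Exabeam",
+"Service": "",
+"Status": "open",
+"Id": "testUser-20140402150331",
+"UrlOriginal": "http://localhost:8484/#sessions/userx-20140402150331",
+"EntityValue": "",
+"Score": "",
+"SequenceType": "",
+"EventStartTime": "4/2/2014, 7:03:31.000 AM",
+"EventEndTime": "1/1/1970, 12:00:00.000 AM",
+"SrcUserName": " userx ",
+"SrcDvcHostname": "test-host01-userx",
+"SrcIpAddr": "19.10.150.7",
+"Labels": "",
+"Accounts": "testUser",
+"AssetsCount": "",
+"Assets": "test-host01-userx",
+"Zones": "test.zone.test",
+"TopReasons": "First logon to workstation for user,First logon to network zone,Abnormal logon to network zone for group",
+"ReasonsCount": "17",
+"EventsCount": "4",
+"AlertsCount": "2",
+"AssetLabels": "",
+"AssetLocations": "",
+"TopUsers": "",
+"AssetHostname": "",
+"AssetIpAddress": "",
+"DstDvcHostname": "",
+"DstIpAddr": "",
+"EventTime": "",
+"EventType": "",
+"DvcHostname": "test-host01-userx",
+"Domain": "",
+"Raw": "",
+"RuleId": "",
+"RuleName": "",
+"RuleDescription": "",
+"App": "",
+"EventSubType": "",
+"Activity": "",
+"AdditionalInfo": "",
+"JobStatus": "",
+"JobDetails": "",
+"JobId": "",
+"CreatedBy": "",
+"Timestamp": "4/21/2015, 7:55:21.503 AM"
+},
+{
+"TimeGenerated": "3/12/2021, 2:12:03.653 PM",
+"EventVendor": "Exabeam",
+"Service": "",
+"Status": "open",
+"Id": "testUser-20140402150331",
+"UrlOriginal": "http://localhost:8484/#sessions/userx-20140402150331",
+"EntityValue": "",
+"Score": "",
+"SequenceType": "",
+"EventStartTime": "4/2/2014, 7:03:31.000 AM",
+"EventEndTime": "1/1/1970, 12:00:00.000 AM",
+"SrcUserName": " userx ",
+"SrcDvcHostname": "test-host01-userx",
+"SrcIpAddr": "19.10.150.7",
+"Labels": "",
+"Accounts": "testUser",
+"AssetsCount": "",
+"Assets": "test-host01-userx",
+"Zones": "test.zone.test",
+"TopReasons": "First logon to workstation for user,First logon to network zone,Abnormal logon to network zone for group",
+"ReasonsCount": "10",
+"EventsCount": "1",
+"AlertsCount": "0",
+"AssetLabels": "",
+"AssetLocations": "",
+"TopUsers": "",
+"AssetHostname": "",
+"AssetIpAddress": "",
+"DstDvcHostname": "",
+"DstIpAddr": "",
+"EventTime": "",
+"EventType": "",
+"DvcHostname": "test-host01-userx",
+"Domain": "",
+"Raw": "",
+"RuleId": "",
+"RuleName": "",
+"RuleDescription": "",
+"App": "",
+"EventSubType": "",
+"Activity": "",
+"AdditionalInfo": "",
+"JobStatus": "",
+"JobDetails": "",
+"JobId": "",
+"CreatedBy": "",
+"Timestamp": "4/21/2015, 7:55:21.503 AM"
+},
+{
+"TimeGenerated": "3/12/2021, 2:12:18.123 PM",
+"EventVendor": "Exabeam",
+"Service": "",
+"Status": "open",
+"Id": "testUser-20140402150331",
+"UrlOriginal": "http://localhost:8484/#sessions/userx-20140402150331",
+"EntityValue": "",
+"Score": "",
+"SequenceType": "",
+"EventStartTime": "4/2/2014, 7:03:31.000 AM",
+"EventEndTime": "1/1/1970, 12:00:00.000 AM",
+"SrcUserName": " userx ",
+"SrcDvcHostname": "test-host01-userx",
+"SrcIpAddr": "19.10.150.7",
+"Labels": "",
+"Accounts": "testUser",
+"AssetsCount": "",
+"Assets": "test-host01-userx",
+"Zones": "test.zone.test",
+"TopReasons": "First logon to workstation for user,First logon to network zone,Abnormal logon to network zone for group",
+"ReasonsCount": "17",
+"EventsCount": "4",
+"AlertsCount": "0",
+"AssetLabels": "",
+"AssetLocations": "",
+"TopUsers": "",
+"AssetHostname": "",
+"AssetIpAddress": "",
+"DstDvcHostname": "",
+"DstIpAddr": "",
+"EventTime": "",
+"EventType": "",
+"DvcHostname": "test-host01-userx",
+"Domain": "",
+"Raw": "",
+"RuleId": "",
+"RuleName": "",
+"RuleDescription": "",
+"App": "",
+"EventSubType": "",
+"Activity": "",
+"AdditionalInfo": "",
+"JobStatus": "",
+"JobDetails": "",
+"JobId": "",
+"CreatedBy": "",
+"Timestamp": "4/21/2015, 7:55:21.503 AM"
+},
+{
+"TimeGenerated": "3/12/2021, 2:09:56.550 PM",
+"EventVendor": "Exabeam",
+"Service": "",
+"Status": "open",
+"Id": "testUser-20140402150331",
+"UrlOriginal": "http://localhost:8484/#sessions/userx-20140402150331",
+"EntityValue": "",
+"Score": "",
+"SequenceType": "",
+"EventStartTime": "4/2/2014, 7:03:31.000 AM",
+"EventEndTime": "1/1/1970, 12:00:00.000 AM",
+"SrcUserName": " userx ",
+"SrcDvcHostname": "test-host01-userx",
+"SrcIpAddr": " 192.0.150.7 ",
+"Labels": "",
+"Accounts": "testUser",
+"AssetsCount": "",
+"Assets": "test-host01-userx",
+"Zones": "test.zone.test",
+"TopReasons": "First logon to workstation for user,First logon to network zone,Abnormal logon to network zone for group",
+"ReasonsCount": "10",
+"EventsCount": "1",
+"AlertsCount": "0",
+"AssetLabels": "",
+"AssetLocations": "",
+"TopUsers": "",
+"AssetHostname": "",
+"AssetIpAddress": "",
+"DstDvcHostname": "",
+"DstIpAddr": "",
+"EventTime": "",
+"EventType": "",
+"DvcHostname": "test-host01-userx",
+"Domain": "",
+"Raw": "",
+"RuleId": "",
+"RuleName": "",
+"RuleDescription": "",
+"App": "",
+"EventSubType": "",
+"Activity": "",
+"AdditionalInfo": "",
+"JobStatus": "",
+"JobDetails": "",
+"JobId": "",
+"CreatedBy": "",
+"Timestamp": "4/21/2015, 7:55:21.503 AM"
+},
+{
+"TimeGenerated": "2/26/2021, 9:24:14.377 AM",
+"EventVendor": "Exabeam",
+"Service": "",
+"Status": "open",
+"Id": "testUser-20140402150331",
+"UrlOriginal": "http://localhost:8484/#sessions/userx-20140402150331",
+"EntityValue": "",
+"Score": "",
+"SequenceType": "",
+"EventStartTime": "4/2/2014, 7:03:31.000 AM",
+"EventEndTime": "1/1/1970, 12:00:00.000 AM",
+"SrcUserName": " userx ",
+"SrcDvcHostname": "test-host01-userx",
+"SrcIpAddr": " 192.0.150.7 ",
+"Labels": "",
+"Accounts": "testUser",
+"AssetsCount": "",
+"Assets": "test-host01-userx",
+"Zones": "test.zone.test",
+"TopReasons": "First logon to workstation for user,First logon to network zone,Abnormal logon to network zone for group",
+"ReasonsCount": "10",
+"EventsCount": "1",
+"AlertsCount": "0",
+"AssetLabels": "",
+"AssetLocations": "",
+"TopUsers": "",
+"AssetHostname": "",
+"AssetIpAddress": "",
+"DstDvcHostname": "",
+"DstIpAddr": "",
+"EventTime": "",
+"EventType": "",
+"DvcHostname": "test-host01-userx",
+"Domain": "",
+"Raw": "",
+"RuleId": "",
+"RuleName": "",
+"RuleDescription": "",
+"App": "",
+"EventSubType": "",
+"Activity": "",
+"AdditionalInfo": "",
+"JobStatus": "",
+"JobDetails": "",
+"JobId": "",
+"CreatedBy": "",
+"Timestamp": "4/21/2015, 7:55:21.503 AM"
+},
+{
+"TimeGenerated": "2/26/2021, 9:58:32.500 AM",
+"EventVendor": "Exabeam",
+"Service": "Analytics Log Ingestion",
+"Status": "stopped",
+"Id": "sstrickland-20210204143816",
+"UrlOriginal": "http://g-aa.exabeamdemo.com/#sessions/sstrickland-20210204143816",
+"EntityValue": "",
+"Score": "20",
+"SequenceType": "",
+"EventStartTime": "2/4/2021, 2:38:16.000 PM",
+"EventEndTime": "2/4/2021, 2:38:16.000 PM",
+"SrcUserName": "sstrickland",
+"SrcDvcHostname": "wks_5cc_kt",
+"SrcIpAddr": "192.168.25.136",
+"Labels": " assets=",
+"Accounts": "sstrickland",
+"AssetsCount": "",
+"Assets": "tks_en_360_kt",
+"Zones": "None",
+"TopReasons": "",
+"ReasonsCount": "",
+"EventsCount": "",
+"AlertsCount": "1",
+"AssetLabels": "",
+"AssetLocations": "",
+"TopUsers": "",
+"AssetHostname": "",
+"AssetIpAddress": "",
+"DstDvcHostname": "",
+"DstIpAddr": "",
+"EventTime": "",
+"EventType": "",
+"DvcHostname": "wks_5cc_kt",
+"Domain": "",
+"Raw": "",
+"RuleId": "",
+"RuleName": "",
+"RuleDescription": "",
+"App": "",
+"EventSubType": "",
+"Activity": "",
+"AdditionalInfo": "",
+"JobStatus": "",
+"JobDetails": "",
+"JobId": "",
+"CreatedBy": "",
+"Timestamp": "2/7/2021, 2:38:16.000 PM"
+},
+{
+"TimeGenerated": "2/26/2021, 9:59:56.770 AM",
+"EventVendor": "Exabeam",
+"Service": "",
+"Status": "open",
+"Id": "20140402150331",
+"UrlOriginal": "http://localhost:8484/#sessions/userx-20140402150331",
+"EntityValue": "",
+"Score": "",
+"SequenceType": "",
+"EventStartTime": "4/2/2014, 7:03:31.000 AM",
+"EventEndTime": "1/1/1970, 12:00:00.000 AM",
+"SrcUserName": "sstrickland",
+"SrcDvcHostname": "test-host01-userx",
+"SrcIpAddr": " 192.0.150.7 ",
+"Labels": "",
+"Accounts": "testUser",
+"AssetsCount": "",
+"Assets": "assets=",
+"Zones": "test.zone.test",
+"TopReasons": "First logon to workstation for user,First logon to network zone,Abnormal logon to network zone for group",
+"ReasonsCount": "10",
+"EventsCount": "1",
+"AlertsCount": "0",
+"AssetLabels": "",
+"AssetLocations": "",
+"TopUsers": "",
+"AssetHostname": "",
+"AssetIpAddress": "",
+"DstDvcHostname": "",
+"DstIpAddr": "",
+"EventTime": "",
+"EventType": "",
+"DvcHostname": "test-host01-userx",
+"Domain": "",
+"Raw": "",
+"RuleId": "",
+"RuleName": "",
+"RuleDescription": "",
+"App": "",
+"EventSubType": "",
+"Activity": "",
+"AdditionalInfo": "",
+"JobStatus": "",
+"JobDetails": "",
+"JobId": "",
+"CreatedBy": "",
+"Timestamp": "4/21/2015, 7:55:21.503 AM"
+},
+{
+"TimeGenerated": "2/26/2021, 10:01:53.203 AM",
+"EventVendor": "Exabeam",
+"Service": "",
+"Status": "open",
+"Id": "20140402150331",
+"UrlOriginal": "http://localhost:8484/#sessions/userx-20140402150331",
+"EntityValue": "",
+"Score": "",
+"SequenceType": "",
+"EventStartTime": "4/2/2014, 7:03:31.000 AM",
+"EventEndTime": "1/1/1970, 12:00:00.000 AM",
+"SrcUserName": "sstrickland",
+"SrcDvcHostname": "test-host01-userx",
+"SrcIpAddr": " 192.0.150.7 ",
+"Labels": "",
+"Accounts": "testUser",
+"AssetsCount": "",
+"Assets": "srv_123_dev, 10.23.123.56, tks_en_0b_jt",
+"Zones": "test.zone.test",
+"TopReasons": "First logon to workstation for user,First logon to network zone,Abnormal logon to network zone for group",
+"ReasonsCount": "10",
+"EventsCount": "1",
+"AlertsCount": "0",
+"AssetLabels": "",
+"AssetLocations": "",
+"TopUsers": "",
+"AssetHostname": "",
+"AssetIpAddress": "",
+"DstDvcHostname": "",
+"DstIpAddr": "",
+"EventTime": "",
+"EventType": "",
+"DvcHostname": "test-host01-userx",
+"Domain": "",
+"Raw": "",
+"RuleId": "",
+"RuleName": "",
+"RuleDescription": "",
+"App": "",
+"EventSubType": "",
+"Activity": "",
+"AdditionalInfo": "",
+"JobStatus": "",
+"JobDetails": "",
+"JobId": "",
+"CreatedBy": "",
+"Timestamp": "4/21/2015, 7:55:21.503 AM"
+},
+{
+"TimeGenerated": "2/26/2021, 10:03:39.857 AM",
+"EventVendor": "Exabeam",
+"Service": "",
+"Status": "Started",
+"Id": "10204143816",
+"UrlOriginal": "",
+"EntityValue": "",
+"Score": "80",
+"SequenceType": "",
+"EventStartTime": "",
+"EventEndTime": "",
+"SrcUserName": "",
+"SrcDvcHostname": "",
+"SrcIpAddr": "",
+"Labels": "",
+"Accounts": "",
+"AssetsCount": "",
+"Assets": "",
+"Zones": "",
+"TopReasons": "",
+"ReasonsCount": "",
+"EventsCount": "",
+"AlertsCount": "",
+"AssetLabels": "",
+"AssetLocations": "",
+"TopUsers": "",
+"AssetHostname": "",
+"AssetIpAddress": "",
+"DstDvcHostname": "",
+"DstIpAddr": "",
+"EventTime": "",
+"EventType": "",
+"DvcHostname": "",
+"Domain": "",
+"Raw": "",
+"RuleId": "",
+"RuleName": "",
+"RuleDescription": "",
+"App": "",
+"EventSubType": "",
+"Activity": "",
+"AdditionalInfo": "",
+"JobStatus": "Started",
+"JobDetails": "Modified rules: rule AM-OG-A has new score 40.0 ,rule AM-GOU-A has new score 40.0 ,rule AM-GA-AC-A has new score 40.0. Reprocess starts from May 5 2014, 7:00AM (UTC), ends on May 7 2018, 6:59AM (UTC).",
+"JobId": "5c1ace5c123 b3801207481f",
+"CreatedBy": "admin",
+"Timestamp": "2/7/2021, 2:38:16.000 PM"
+},
+{
+"TimeGenerated": "2/26/2021, 10:04:22.973 AM",
+"EventVendor": "Exabeam",
+"Service": "",
+"Status": "Started",
+"Id": "5c1ace5c123 b3801207481f",
+"UrlOriginal": "",
+"EntityValue": "",
+"Score": "",
+"SequenceType": "",
+"EventStartTime": "",
+"EventEndTime": "",
+"SrcUserName": "",
+"SrcDvcHostname": "",
+"SrcIpAddr": "",
+"Labels": "",
+"Accounts": "",
+"AssetsCount": "",
+"Assets": "",
+"Zones": "",
+"TopReasons": "",
+"ReasonsCount": "",
+"EventsCount": "",
+"AlertsCount": "",
+"AssetLabels": "",
+"AssetLocations": "",
+"TopUsers": "",
+"AssetHostname": "",
+"AssetIpAddress": "",
+"DstDvcHostname": "",
+"DstIpAddr": "",
+"EventTime": "",
+"EventType": "",
+"DvcHostname": "",
+"Domain": "",
+"Raw": "",
+"RuleId": "",
+"RuleName": "",
+"RuleDescription": "",
+"App": "",
+"EventSubType": "",
+"Activity": "",
+"AdditionalInfo": "",
+"JobStatus": "Started",
+"JobDetails": "Modified rules: rule AM-OG-A has new score 40.0 ,rule AM-GOU-A has new score 40.0 ,rule AM-GA-AC-A has new score 40.0. Reprocess starts from May 5 2014, 7:00AM (UTC), ends on May 7 2018, 6:59AM (UTC).",
+"JobId": "5c1ace5c123 b3801207481f",
+"CreatedBy": "admin",
+"Timestamp": ""
+},
+{
+"TimeGenerated": "2/26/2021, 10:04:49.923 AM",
+"EventVendor": "Exabeam",
+"Service": "Analytics Log Ingestion",
+"Status": "stopped",
+"Id": "sstrickland-20210204143816",
+"UrlOriginal": "http://g-aa.exabeamdemo.com/#sessions/sstrickland-20210204143816",
+"EntityValue": "",
+"Score": "85",
+"SequenceType": "",
+"EventStartTime": "2/4/2021, 2:38:16.000 PM",
+"EventEndTime": "2/4/2021, 2:38:16.000 PM",
+"SrcUserName": "sstrickland",
+"SrcDvcHostname": "wks_5cc_kt",
+"SrcIpAddr": "192.168.25.136",
+"Labels": " assets=",
+"Accounts": "sstrickland",
+"AssetsCount": "",
+"Assets": "tks_en_360_kt",
+"Zones": "None",
+"TopReasons": "",
+"ReasonsCount": "",
+"EventsCount": "",
+"AlertsCount": "1",
+"AssetLabels": "",
+"AssetLocations": "",
+"TopUsers": "",
+"AssetHostname": "",
+"AssetIpAddress": "",
+"DstDvcHostname": "",
+"DstIpAddr": "",
+"EventTime": "",
+"EventType": "",
+"DvcHostname": "wks_5cc_kt",
+"Domain": "",
+"Raw": "",
+"RuleId": "",
+"RuleName": "",
+"RuleDescription": "",
+"App": "",
+"EventSubType": "",
+"Activity": "",
+"AdditionalInfo": "",
+"JobStatus": "",
+"JobDetails": "",
+"JobId": "",
+"CreatedBy": "",
+"Timestamp": "2/7/2021, 2:38:16.000 PM"
+},
+{
+"TimeGenerated": "2/26/2021, 9:57:02.510 AM",
+"EventVendor": "Exabeam",
+"Service": "",
+"Status": "open",
+"Id": "sstrickland-20210204143816",
+"UrlOriginal": "http://g-aa.exabeamdemo.com/#sessions/sstrickland-20210204143816",
+"EntityValue": "",
+"Score": "20",
+"SequenceType": "",
+"EventStartTime": "2/4/2021, 2:38:16.000 PM",
+"EventEndTime": "2/4/2021, 2:38:16.000 PM",
+"SrcUserName": "sstrickland",
+"SrcDvcHostname": "wks_5cc_kt",
+"SrcIpAddr": "192.168.25.136",
+"Labels": " assets=",
+"Accounts": "sstrickland",
+"AssetsCount": "",
+"Assets": "tks_en_360_kt",
+"Zones": "None",
+"TopReasons": "It is abnormal for account management activity (a user created and added to a group) to come from this zone. Account management events are notable because they can provide a path for an attacker to move laterally through a system.",
+"ReasonsCount": "1",
+"EventsCount": "248",
+"AlertsCount": "1",
+"AssetLabels": "",
+"AssetLocations": "",
+"TopUsers": "",
+"AssetHostname": "",
+"AssetIpAddress": "",
+"DstDvcHostname": "",
+"DstIpAddr": "",
+"EventTime": "",
+"EventType": "",
+"DvcHostname": "wks_5cc_kt",
+"Domain": "",
+"Raw": "",
+"RuleId": "",
+"RuleName": "",
+"RuleDescription": "",
+"App": "",
+"EventSubType": "",
+"Activity": "",
+"AdditionalInfo": "",
+"JobStatus": "",
+"JobDetails": "",
+"JobId": "",
+"CreatedBy": "",
+"Timestamp": "2/4/2021, 2:38:16.000 PM"
+}
+]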
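Review bot: Several sample values carry untrimmed whitespace — `"SrcUserName": " userx "`, `"SrcIpAddr": " 192.0.150.7 "`, `"Labels": " assets="` — and `Id`/`JobId` hold `5c1ace5c123 b3801207481f` with an embedded space; if these rows mirror what the parser emits, IP entity mapping on `SrcIpAddr` will not resolve until the value is trimmed, and if they are deliberate edge cases that intent should be stated alongside the file. All timestamps are locale-formatted without a timezone (`"TimeGenerated": "3/12/2021, 2:12:23.743 PM"`), which is ambiguous for readers and for any tooling that re-ingests the sample; ISO 8601 with an explicit `Z` round-trips unambiguously. `"EventEndTime": "1/1/1970, 12:00:00.000 AM"` is an epoch-zero stand-in for "not ended" and consumers will need to treat it as null rather than as a real end time.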

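--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,30 @@
+id: 3c1425d3-93d4-4eaf-8aa0-370dbac94c82
+name: McAfee ePO - Agent Handler down
+description: |
+'Detects when AgentHandler is down.'
+severity: Medium
+requiredDataConnectors:
+- connectorId: McAfeeePO
+dataTypes:
+- Syslog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+- DefenseEvasion
+relevantTechniques:
+- T1562
+query: |
+McAfeeEPOEvent
+| where EventId == '16025'
+| extend IPCustomEntity = DvcIpAddr, HostCustomEntity = DvcHostname
+entityMappings:
+- entityType: IP
+fieldMappings:
+- identifier: Address
+columnName: IPCustomEntity
+- entityType: Host
+fieldMappings:
+- identifier: FullName
+columnName: HostCustomEntity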
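Review bot: `| where EventId == '16025'` compares against a string literal, and whether that matches depends on the type the McAfeeEPOEvent parser assigns to `EventId`, which is not visible here; if the parser emits a number the filter silently matches nothing, so `| where tostring(EventId) == '16025'` would be robust to either, and the same applies to the Error sending alert, Attempt uninstall, Deployment failed, File added to exceptions, Firewall disabled and Logging error rules that follow. With `triggerThreshold: 0` and no aggregation, a handler that stays down produces a fresh incident for every event each hour; a `| summarize` by `DvcHostname` over the query period would keep one incident per handler.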

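--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,27 @@
+id: 1e3bcd0f-10b2-4fbd-854f-1c6f33acc36a
+name: McAfee ePO - Error sending alert
+description: |
+'Detects when error sending alert occurs.'
+severity: Medium
+requiredDataConnectors:
+- connectorId: McAfeeePO
+dataTypes:
+- Syslog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+- DefenseEvasion
+relevantTechniques:
+- T1562
+- T1070
+query: |
+McAfeeEPOEvent
+| where EventId == '1062'
+| extend IPCustomEntity = DvcIpAddr
+entityMappings:
+- entityType: IP
+fieldMappings:
+- identifier: Address
+columnName: IPCustomEntity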
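Review bot: This rule maps only an IP entity while the sibling McAfee rules in the same commit also map `DvcHostname` to a Host entity; for consistency the extend should read `| extend IPCustomEntity = DvcIpAddr, HostCustomEntity = DvcHostname` and the Host `entityMappings` block the Agent Handler rule uses should be added. `T1070` (Indicator Removal) is a stretch for an alert-delivery failure; unless the intent is to catch deliberate suppression of alerting, `T1562` alone describes the event and the description should then say which case is meant.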

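--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,31 @@
+id: 2eff5809-bf84-48e0-8288-768689672c37
+name: McAfee ePO - Attempt uninstall McAfee agent
+description: |
+'Detects attempts uninstalling McAfee agent on host.'
+severity: Medium
+requiredDataConnectors:
+- connectorId: McAfeeePO
+dataTypes:
+- Syslog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+- DefenseEvasion
+relevantTechniques:
+- T1562
+- T1070
+query: |
+McAfeeEPOEvent
+| where EventId == '2413'
+| extend IPCustomEntity = DvcIpAddr, HostCustomEntity = DvcHostname
+entityMappings:
+- entityType: IP
+fieldMappings:
+- identifier: Address
+columnName: IPCustomEntity
+- entityType: Host
+fieldMappings:
+- identifier: FullName
+columnName: HostCustomEntity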
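Review bot: The description `'Detects attempts uninstalling McAfee agent on host.'` reads awkwardly; `'Detects attempts to uninstall the McAfee agent on a host.'` says the same thing clearly. The rule surfaces only the device IP and hostname; if the parser exposes the account that initiated the uninstall (not visible on this page), mapping it as an Account entity would let an analyst triage without opening the raw syslog event, and that is the detail that separates a tampering attempt from routine administration.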

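--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,30 @@
+id: 155243f4-d962-4717-8a7b-b15b6d112660
+name: McAfee ePO - Deployment failed
+description: |
+'Detects when errors occur during deployment new changes/policies.'
+severity: High
+requiredDataConnectors:
+- connectorId: McAfeeePO
+dataTypes:
+- Syslog
+queryFrequency: 6h
+queryPeriod: 6h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+- DefenseEvasion
+relevantTechniques:
+- T1562
+query: |
+McAfeeEPOEvent
+| where EventId == '2412'
+| extend IPCustomEntity = DvcIpAddr, HostCustomEntity = DvcHostname
+entityMappings:
+- entityType: IP
+fieldMappings:
+- identifier: Address
+columnName: IPCustomEntity
+- entityType: Host
+fieldMappings:
+- identifier: FullName
+columnName: HostCustomEntity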
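Review bot: `severity: High` is out of step with the rest of this rule set — the Attempt uninstall McAfee agent rule, which describes a directly adversarial action, is `Medium`, while a failed policy deployment is usually an operational signal; either lower this to Medium or state in the description why a deployment failure warrants a higher rating. The description's grammar also needs a fix: `'Detects when errors occur while deploying new changes or policies.'`.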

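--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,28 @@
+id: b9d9fdfe-bc17-45ce-a70d-67a5cfd119f4
+name: McAfee ePO - File added to exceptions
+description: |
+'Detects when file was added to exception list on a host.'
+severity: Medium
+requiredDataConnectors:
+- connectorId: McAfeeePO
+dataTypes:
+- Syslog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+- DefenseEvasion
+relevantTechniques:
+- T1562
+- T1070
+query: |
+McAfeeEPOEvent
+| where EventId in ('1029', '2005', '2015')
+| project DvcIpAddr, DstFileName
+| extend IPCustomEntity = DvcIpAddr
+entityMappings:
+- entityType: IP
+fieldMappings:
+- identifier: Address
+columnName: IPCustomEntity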
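Review bot: `| project DvcIpAddr, DstFileName` strips every other column, including `DvcHostname` and the `EventId` that matched, so the resulting alert cannot show which of 1029/2005/2015 fired or on which host; `| project TimeGenerated, EventId, DvcIpAddr, DvcHostname, DstFileName` (assuming the parser keeps the standard TimeGenerated column) retains what triage needs and allows the Host entity mapping the sibling rules use. The Logging error occurred rule later in this commit has the same narrow `project`. An exclusion added to endpoint protection is exactly the kind of event where the file path and the host together tell the story, so dropping the host is the costlier of the two omissions.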

@ -0,0 +1,32 @@
id: bd3cedc3-efba-455a-85bd-0cf9ac1b0727
name: McAfee ePO - Firewall disabled
description: |
'Detects when firewall was disabled from Mctray.'
severity: Medium
requiredDataConnectors:
- connectorId: McAfeeePO
dataTypes:
- Syslog
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
- CommandAndControl
relevantTechniques:
- T1562
- T1071
query: |
McAfeeEPOEvent
| where EventId in ('35009')
| extend IPCustomEntity = DvcIpAddr, HostCustomEntity = DvcHostname
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
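Review bot: The tactics list for a firewall-disabled event includes CommandAndControl with T1071, which does not describe what EventId 35009 evidences; the event is a DefenseEvasion / T1562 signal, and the extra tactic looks like a carry-over that will mislabel incidents created from this rule. Dropping `- CommandAndControl` and `- T1071` keeps the mapping consistent with the other ePO defense-evasion rules in this commit. Also `where EventId in ('35009')` is a single-element set; `| where EventId == '35009'` is the form the sibling rules use.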


@ -0,0 +1,35 @@
id: 0c9243d6-d2ec-48e1-8593-e713859c8f3c
name: McAfee ePO - Logging error occurred
description: |
'Detects when logging errors on agent.'
severity: Medium
requiredDataConnectors:
- connectorId: McAfeeePO
dataTypes:
- Syslog
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
- T1070
query: |
McAfeeEPOEvent
| where EventId in ('1040', '1076', '3032', '3033', '3034', '3036', '3038')
| extend EventMessage = case(EventId == '1040', 'Activity Log error',
EventId == '1076', 'Error logging information',
EventId == '3032', 'Error while trying to open/create activity log file',
EventId == '3033', 'Activity log file maximum size reached',
EventId == '3034', 'Unable to write the activity log file',
EventId == '3036', 'Error during initialization of the activity log file',
'Error writing to log')
| project DvcIpAddr, EventId, EventMessage
| extend IPCustomEntity = DvcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity


@ -0,0 +1,37 @@
id: f53e5168-afdb-4fad-b29a-bb9cb71ec460
name: McAfee ePO - Multiple threats on same host
description: |
'Rule fires when multiple threat events were detected on the same host.'
severity: Medium
requiredDataConnectors:
- connectorId: McAfeeePO
dataTypes:
- Syslog
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
- Persistence
- DefenseEvasion
- PrivilegeEscalation
relevantTechniques:
- T1562
- T1070
- T1189
- T1195
- T1543
- T1055
query: |
McAfeeEPOEvent
| where isnotempty(ThreatName)
| where ThreatName != '_'
| summarize th_cnt = dcount(ThreatName), th_list = makeset(ThreatName) by DvcIpAddr
| where th_cnt > 1
| extend IPCustomEntity = DvcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
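Review bot: `makeset()` in the summarize line is the deprecated alias of `make_set()`; the same alias is used in the infected-files, long-term-infected and sources-with-multiple-threats hunting queries later in this commit (`makeset(DstFileName)`, `makeset(DvcIpAddr)`, `makeset(ThreatName)`), so all four should move to `make_set()` before the old name stops resolving. The rule also keys only on DvcIpAddr although the parser yields DvcHostname; carrying it through the summarize (`by DvcIpAddr, DvcHostname`) and adding the Host mapping the other alert rules use would give analysts the same pivots here. The threshold `th_cnt > 1` is hard-coded while the hunting counterpart declares a `threshold` variable, a small consistency nit.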


@ -0,0 +1,31 @@
id: 5223c1b8-75ef-4019-9076-a19b1ef3e5d1
name: McAfee ePO - Scanning engine disabled
description: |
'Detects when OAS scanning engine was disabled.'
severity: Low
requiredDataConnectors:
- connectorId: McAfeeePO
dataTypes:
- Syslog
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
- T1070
query: |
McAfeeEPOEvent
| where EventId == '1127'
| extend IPCustomEntity = DvcIpAddr, HostCustomEntity = DvcHostname
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity


@ -0,0 +1,30 @@
id: ffc9052b-3658-4ad4-9003-0151515fde15
name: McAfee ePO - Spam Email detected
description: |
'Detects when email was marked as spam.'
severity: Medium
requiredDataConnectors:
- connectorId: McAfeeePO
dataTypes:
- Syslog
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
McAfeeEPOEvent
| where EventId == '4650'
| extend IPCustomEntity = DvcIpAddr, HostCustomEntity = DvcHostname
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
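Review bot: With `triggerThreshold: 0` and `severity: Medium`, this rule opens a Medium incident for every single message ePO marks as spam (EventId 4650), which is a routine, already-handled outcome and is likely to produce a large incident volume in any estate with mail protection enabled. If the intent is to spot a spam wave, summarizing by DvcHostname over the query period and raising the threshold, or lowering the severity to Informational, would fit better; if one incident per event is intended, the description should say so explicitly.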


@ -0,0 +1,30 @@
id: 3e397e31-7964-417e-a3e0-0acfaa2056f4
name: McAfee ePO - Task error
description: |
'Detects when task error occurs.'
severity: Medium
requiredDataConnectors:
- connectorId: McAfeeePO
dataTypes:
- Syslog
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
- T1070
query: |
McAfeeEPOEvent
| where EventId in ('1003', '1067')
| extend EventMessage = case(EventId == '1003', 'Error starting Task',
'Unable to start scheduled task')
| project DvcIpAddr, EventId, EventMessage
| extend IPCustomEntity = DvcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity


@ -0,0 +1,32 @@
id: 6d70a26a-c119-45b7-b4c6-44ac4fd1bcb7
name: McAfee ePO - Threat was not blocked
description: |
'Detects when a threat was not blocked on a host.'
severity: High
requiredDataConnectors:
- connectorId: McAfeeePO
dataTypes:
- Syslog
queryFrequency: 15m
queryPeriod: 15m
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
- PrivilegeEscalation
- DefenseEvasion
relevantTechniques:
- T1562
- T1070
- T1068
- T1189
- T1195
query: |
McAfeeEPOEvent
| where ThreatActionTaken in~ ('none', 'IDS_ACTION_WOULD_BLOCK')
| extend IPCustomEntity = DvcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
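Review bot: The only filter is `ThreatActionTaken in~ ('none', 'IDS_ACTION_WOULD_BLOCK')`, with no constraint on ThreatName, so any parsed event whose action is `none` is reported as an unblocked threat; the multiple-threats rule in this same commit filters `isnotempty(ThreatName)` and `ThreatName != '_'`, which suggests placeholder threat names do occur in this feed. Adding those two `where` lines ahead of the action check would keep this High-severity, 15-minute rule tied to actual detections. DvcHostname is available from the parser and the other alert rules map it as a Host entity; this one maps only the IP.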


@ -0,0 +1,36 @@
id: 9860e89f-72c8-425e-bac9-4a170798d3ea
name: McAfee ePO - Unable to clean or delete infected file
description: |
'Detects when McAfee failed to clean or delete infected file.'
severity: High
requiredDataConnectors:
- connectorId: McAfeeePO
dataTypes:
- Syslog
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
- T1070
query: |
McAfeeEPOEvent
| where EventId in ('1026', '1028', '1298', '1310', '1055', '2002', '2004', '2009')
| extend EventMessage = case(EventId == '1026', 'Unable to clean infected file',
EventId == '1028', 'Unable to delete infected file',
EventId == '1298', 'File infected. Delete failed, quarantine failed',
EventId == '1310', 'Multiple extension heuristic detection - delete failed, quarantine failed',
EventId == '1055', 'Unable to delete infected file',
EventId == '2002', 'Unable to clean infected file',
EventId == '2004', 'Unable to delete infected file',
'Unable to move infected file to quarantine')
| project DvcIpAddr, EventId, EventMessage, DstFileName
| extend IPCustomEntity = DvcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity


@ -0,0 +1,31 @@
id: 4f0c91c3-1690-48f0-b538-4282dd5417a4
name: McAfee ePO - Update failed
description: |
'Detects when update failed event occurs on agent.'
severity: Medium
requiredDataConnectors:
- connectorId: McAfeeePO
dataTypes:
- Syslog
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
- T1070
query: |
McAfeeEPOEvent
| where EventId in ('2402', '1119', '1123')
| extend IPCustomEntity = DvcIpAddr, HostCustomEntity = DvcHostname
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity


@ -0,0 +1,35 @@
id: dff3c841-6e3e-432e-ad68-3ddd7326bc01
name: McAfee ePO - Agent Errors
description: |
'Query searches for error events from McAfee agents.'
requiredDataConnectors:
- connectorId: McAfeeePO
dataTypes:
- Syslog
tactics:
- DefenseEvasion
relevantTechniques:
- T1070
query: |
let lbtime = 24h;
McAfeeEPOEvent
| where TimeGenerated > ago(lbtime)
| where EventId in ('2402', '2412', '1119', '1123', '2201', '2202', '2204', '2208', '3020', '3021')
| extend EventMessage = case(EventId == '2402', "Update Failed",
EventId == '2412', "Deployment Failed",
EventId == '1119',
"The update failed; see event log",
EventId == '1123', "The upgrade failed; see event log",
EventId == '2201', "McAfee Agent: Failed to install software package",
EventId == '2202', "McAfee Agent: Install retry limit reached for software package",
EventId == '2204', "McAfee Agent: Insufficient disk space to install software",
EventId == '2208', "McAfee Agent: Insufficient disk space to download software",
EventId == '3020', "Invalid virus signature files",
"Scan engine error")
| project DvcIpAddr, EventId, EventMessage
| extend IPCustomEntity = DvcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity


@ -0,0 +1,28 @@
id: e838519b-1f03-417f-863b-6c1a141677ee
name: McAfee ePO - Applications blocked or contained
description: |
'Query searches for blocked or contained applications.'
requiredDataConnectors:
- connectorId: McAfeeePO
dataTypes:
- Syslog
tactics:
- InitialAccess
- Execution
relevantTechniques:
- T1204
- T1189
query: |
let lbtime = 24h;
McAfeeEPOEvent
| where TimeGenerated > ago(lbtime)
| where EventId in ('18002', '37275')
| extend Reason = case(EventId == '18002', "Application blocked",
"Application contained")
| project DvcIpAddr, DstFileName
| extend IPCustomEntity = DvcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
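Review bot: The `Reason` column built by the `case()` expression is dropped immediately by `| project DvcIpAddr, DstFileName`, so the blocked-versus-contained distinction the query computes never reaches the result. The projection should keep it, `| project DvcIpAddr, EventId, Reason, DstFileName`, which also matches the shape of the other hunting queries in this commit that keep EventId next to their message column.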


@ -0,0 +1,39 @@
id: 851b63f1-cc5d-44d5-b505-9444a5e87076
name: McAfee ePO - Email Treats
description: |
'Query searches for email related threat events.'
requiredDataConnectors:
- connectorId: McAfeeePO
dataTypes:
- Syslog
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
let lbtime = 24h;
McAfeeEPOEvent
| where TimeGenerated > ago(lbtime)
| where EventId in ('1417', '1418', '1419', '1420', '1500', '1501', '1502', '1503', '1504', '1505', '1506', '1507', '1513', '1514')
| extend EventMessage = case(EventId == '1417', "Email message deleted (user defined detection)",
EventId == '1418', "Email message deleted (user defined detection), Clean failed",
EventId == '1419',
"Email message deleted (user defined detection), Move failed",
EventId == '1420', "Email message deleted (user defined detection), Delete failed",
EventId == '1500', "Infected email cleaned (Medium)",
EventId == '1501', "Infected email quarantined",
EventId == '1502', "Unable to clean infected mail",
EventId == '1503', "Infected email detected",
EventId == '1504', "Infected mail item deleted",
EventId == '1505', "Email content filtered",
EventId == '1506', "Email content blocked",
EventId == '1507', "Inbound email suspended for low disk",
EventId == '1513', "Mail virus quarantined and cleaned",
"Mail virus quarantined (not cleaned)")
| project DvcIpAddr, EventId, EventMessage
| extend IPCustomEntity = DvcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
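Review bot: The hunting query name `McAfee ePO - Email Treats` is missing a letter and should read `McAfee ePO - Email Threats`, matching its description; the name is what shows in the hunting gallery, so it is worth fixing before the template ships. The `case()` branch for EventId 1419 is split across two lines unlike its neighbours, which is harmless but inconsistent with the rest of the expression.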


@ -0,0 +1,25 @@
id: e83b72a0-60dd-4d65-b1c2-582766f2f181
name: McAfee ePO - Infected files by source
description: |
'Query searches for infected files which were detected.'
requiredDataConnectors:
- connectorId: McAfeeePO
dataTypes:
- Syslog
tactics:
- InitialAccess
relevantTechniques:
- T1189
query: |
let lbtime = 24h;
McAfeeEPOEvent
| where TimeGenerated > ago(lbtime)
| where EventId in ('1024', '1053', '2000', '3004')
| summarize ['Infected Files List'] = makeset(DstFileName) by DvcIpAddr
| project DvcIpAddr, ['Infected Files List']
| extend IPCustomEntity = DvcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity


@ -0,0 +1,25 @@
id: 2e7a56fb-ffff-491c-bdee-e772f83c47e2
name: McAfee ePO - Infected Systems
description: |
'Query searches for infected systems based on scan results.'
requiredDataConnectors:
- connectorId: McAfeeePO
dataTypes:
- Syslog
tactics:
- InitialAccess
relevantTechniques:
- T1189
- T1195
query: |
let lbtime = 24h;
McAfeeEPOEvent
| where TimeGenerated > ago(lbtime)
| where EventId in ('1038', '3043')
| project DvcIpAddr, DvcHostname
| extend IPCustomEntity = DvcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity


@ -0,0 +1,41 @@
id: a65e4129-d936-4165-bc08-699f9151aa26
name: McAfee ePO - Long term infected systems
description: |
'Query searches for infected systems which were not cleaned for long term.'
requiredDataConnectors:
- connectorId: McAfeeePO
dataTypes:
- Syslog
tactics:
- InitialAccess
- Persistence
relevantTechniques:
- T1189
query: |
let lbperiod_30d = 30d;
let infected_systems = McAfeeEPOEvent
| where TimeGenerated > ago(lbperiod_30d)
| where EventId in ('1038', '3043')
| summarize LastScanTimeInfected = max(TimeGenerated) by DvcIpAddr
| extend SystemStatus = 'Infected';
let clean_systems = McAfeeEPOEvent
| where TimeGenerated > ago(lbperiod_30d - 1h)
| where EventId in ('1034', '3039')
| summarize LastScanTimeClean = max(TimeGenerated) by DvcIpAddr
| extend SystemStatus = 'Clean';
let clean_systems2 = McAfeeEPOEvent
| where TimeGenerated > ago(lbperiod_30d - 1h)
| where EventId in ('1034', '3039')
| summarize makeset(DvcIpAddr);
infected_systems
| extend tmp_key = 1
| join (clean_systems
| extend tmp_key = 1) on tmp_key
| where LastScanTimeInfected > LastScanTimeClean or DvcIpAddr !in (clean_systems2)
| project LastScanTimeInfected, DvcIpAddr
| extend IPCustomEntity = DvcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
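Review bot: The join `| join (clean_systems | extend tmp_key = 1) on tmp_key` is a cross join, so every infected host is paired with every clean host and `LastScanTimeInfected > LastScanTimeClean` compares timestamps of unrelated machines, yielding duplicated and largely arbitrary rows. The fallback `DvcIpAddr !in (clean_systems2)` does not rescue it: clean_systems2 ends in `summarize makeset(DvcIpAddr)`, a single dynamic-typed column, so as far as I can tell the membership test is against that packed value rather than the individual addresses (the tabular form of `in` expects a single column of scalar values). A left outer join on DvcIpAddr, treating a missing clean timestamp as "never cleaned", expresses the intent directly and removes the need for clean_systems2; the `- 1h` on the clean lookback has no stated reason and can go. Rewrite sketch below.
```kql
let lbperiod_30d = 30d;
let infected_systems = McAfeeEPOEvent
| where TimeGenerated > ago(lbperiod_30d)
| where EventId in ('1038', '3043')
| summarize LastScanTimeInfected = max(TimeGenerated) by DvcIpAddr;
let clean_systems = McAfeeEPOEvent
| where TimeGenerated > ago(lbperiod_30d)
| where EventId in ('1034', '3039')
| summarize LastScanTimeClean = max(TimeGenerated) by DvcIpAddr;
infected_systems
| join kind=leftouter clean_systems on DvcIpAddr
| where isnull(LastScanTimeClean) or LastScanTimeInfected > LastScanTimeClean
| project LastScanTimeInfected, DvcIpAddr
// … unchanged: IPCustomEntity extend and entityMappings …
```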


@ -0,0 +1,29 @@
id: 1ef23489-a840-4b43-b33d-a921da24c85c
name: McAfee ePO - Sources with multiple threats
description: |
'Query searches for sources with several different threats.'
requiredDataConnectors:
- connectorId: McAfeeePO
dataTypes:
- Syslog
tactics:
- InitialAccess
relevantTechniques:
- T1189
- T1195
query: |
let lbtime = 24h;
let threshold = 1;
McAfeeEPOEvent
| where TimeGenerated > ago(lbtime)
| where isnotempty(ThreatName)
| where ThreatName != '_'
| summarize ThreatList = makeset(ThreatName) by DvcIpAddr
| where array_len(ThreatList) > threshold
| project DvcIpAddr, ThreatList
| extend IPCustomEntity = DvcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
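Review bot: `array_len(ThreatList)` on the threshold line is not a function I can find in the documented KQL scalar-function list; the documented name is `array_length()`, so the query is likely to fail validation as written. Change it to `| where array_length(ThreatList) > threshold`. `makeset()` on the preceding line is the deprecated alias of `make_set()` and should get the same update as the other queries in this commit.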


@ -0,0 +1,27 @@
id: 5be4adb7-52ee-4416-b39d-0c03cf0fb661
name: McAfee ePO - Objects not scanned
description: |
'Query searches for unscanned objects.'
requiredDataConnectors:
- connectorId: McAfeeePO
dataTypes:
- Syslog
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
query: |
let lbtime = 24h;
McAfeeEPOEvent
| where TimeGenerated > ago(lbtime)
| where EventId in ('1051', '34925', '34926')
| extend Reason = case(EventId == '1051', "Unable to scan password protected",
EventId == '34925', "The object was not scanned because the scanner does not have enough rights to read it",
"The object was not scanned because the file size exceeds the configured maximum file size to scan")
| project DvcIpAddr, EventId, Reason, DstFileName
| extend IPCustomEntity = DvcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity


@ -0,0 +1,35 @@
id: 901e6982-39ed-4759-9451-de1a3826182f
name: McAfee ePO - Scan Errors
description: |
'Query searches for scan error events.'
requiredDataConnectors:
- connectorId: McAfeeePO
dataTypes:
- Syslog
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
query: |
let lbtime = 24h;
McAfeeEPOEvent
| where TimeGenerated > ago(lbtime)
| where EventId in ('3021', '1086', '1059', '1128', '1035', '1051', '1048', '1049', '3053', '3054', '3046')
| extend Reason = case(EventId == '3021', "Scan engine error",
EventId == '1086', "Scan Process Error",
EventId == '1059', "Scan Timed Out",
EventId == '1128', "Scan time exceeded",
EventId == '1035', "Scan was canceled",
EventId == '1051', "Unable to scan password protected",
EventId == '1048', "Scan reports general system error",
EventId == '1049', "Scan reported an internal application error",
EventId == '3053', "Centralized Alerting - Scan reports general system error",
EventId == '3054', "Centralized Alerting - Scan reported an internal application error",
"Centralized Alerting - Scan reports memory allocation error")
| project DvcIpAddr, EventId, Reason
| extend IPCustomEntity = DvcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity


@ -0,0 +1,36 @@
id: 80c5904d-6a36-4b7c-82d4-180023a1f8b4
name: McAfee ePO - Threats detected and not blocked, cleaned or deleted
description: |
'Query searches for events where threats were detected and not blocked, cleaned or deleted.'
requiredDataConnectors:
- connectorId: McAfeeePO
dataTypes:
- Syslog
tactics:
- Persistence
- PrivilegeEscalation
relevantTechniques:
- T1574
- T1055
query: |
let lbtime = 24h;
McAfeeEPOEvent
| where TimeGenerated > ago(lbtime)
| where EventId in ('1095', '1096', '1099', '34937', '35102', '34938', '35106', '35111', '35117')
| extend EventMessage = case(EventId == '1095', "Access Protection rule violation detected and NOT blocked",
EventId == '1096', "Port blocking rule violation detected and NOT blocked",
EventId == '1099',
"Buffer Overflow detected and NOT blocked",
EventId == '34937', "Script security violation detected, AMSI would block",
EventId == '35102', "Adaptive Threat Protection Would Block",
EventId == '34938', "Script security violation detected, AMSI would delete",
EventId == '35106', "Adaptive Threat Protection Would Clean",
EventId == '35111', "Adaptive Threat Protection Would Contain",
"Adaptive Threat Protection Would Block Source")
| project DvcIpAddr, EventId, EventMessage
| extend IPCustomEntity = DvcIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity


@ -0,0 +1,192 @@
// Usage Instruction :
// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as McAfeeEPOEvent.
// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. McAfeeEPOEvent | take 10).
// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
let mcafee_epoevent =() {
Syslog
| where SyslogMessage contains '<EPOevent>'
| extend EventVendor = 'McAfee'
| extend EventProduct = 'McAfee ePO'
| extend DvcHostname = extract(@'\<MachineName\>(.*?)\<\/MachineName\>', 1, SyslogMessage)
| extend AgentGuid = extract(@'\<AgentGUID\>(.*?)\<\/AgentGUID\>', 1, SyslogMessage)
| extend DvcIpAddr = extract(@'\<IPAddress\>(.*?)\<\/IPAddress\>', 1, SyslogMessage)
| extend SrcDvcOs = extract(@'\<OSName\>(.*?)\<\/OSName\>', 1, SyslogMessage)
| extend DvcMacAddr = extract(@'\<RawMACAddress\>(.*?)\<\/RawMACAddress\>', 1, SyslogMessage)
| extend SrcUserName = extract(@'\<UserName\>(.*?)\<\/UserName\>', 1, SyslogMessage)
| extend TimeZoneBias = extract(@'\<TimeZoneBias\>(.*?)\<\/TimeZoneBias\>', 1, SyslogMessage)
| extend ProductName = extract(@'ProductName=\"(.*?)\"', 1, SyslogMessage)
| extend ProductFamily = extract(@'ProductFamily=\"(.*?)\"', 1, SyslogMessage)
| extend ProductVersion = extract(@'ProductVersion=\"(.*?)\"', 1, SyslogMessage)
| extend Analyzer = extract(@'\<Analyzer\>(.*?)\<\/Analyzer\>', 1, SyslogMessage)
| extend AnalyzerName = extract(@'\<AnalyzerName\>(.*?)\<\/AnalyzerName\>', 1, SyslogMessage)
| extend AnalyzerVersion = extract(@'\<AnalyzerVersion\>(.*?)\<\/AnalyzerVersion\>', 1, SyslogMessage)
| extend AnalyzerHostName = extract(@'\<AnalyzerHostName\>(.*?)\<\/AnalyzerHostName\>', 1, SyslogMessage)
| extend AnalyzerDatVersion = extract(@'\<AnalyzerDATVersion\>(.*?)\<\/AnalyzerDATVersion\>', 1, SyslogMessage)
| extend AnalyzerEngineVersion = extract(@'\<AnalyzerEngineVersion\>(.*?)\<\/AnalyzerEngineVersion\>', 1, SyslogMessage)
| extend AnalyzerDetectionMethod = extract(@'\<AnalyzerDetectionMethod\>(.*?)\<\/AnalyzerDetectionMethod\>', 1, SyslogMessage)
| extend EventId = extract(@'\<EventID\>(.*?)\<\/EventID\>', 1, SyslogMessage)
| extend EventSeverity = extract(@'\<Severity\>(.*?)\<\/Severity\>', 1, SyslogMessage)
| extend EventSeverity = case(EventSeverity == 1, "Warning",
EventSeverity == 2, "Notice",
EventSeverity == 3, "Alert",
EventSeverity == 4, "Critical",
"Information")
| extend GmtTime = todatetime(extract(@'\<GMTTime\>(.*?)\<\/GMTTime\>', 1, SyslogMessage))
| extend DetectedUtc = todatetime(extract(@'\<DetectedUTC\>(.*?)\<\/DetectedUTC\>', 1, SyslogMessage))
| extend ThreatName = extract(@'\<ThreatName\>(.*?)\<\/ThreatName\>', 1, SyslogMessage)
| extend ThreatType = extract(@'\<ThreatType\>(.*?)\<\/ThreatType\>', 1, SyslogMessage)
| extend ThreatCategory = extract(@'\<ThreatCategory\>(.*?)\<\/ThreatCategory\>', 1, SyslogMessage)
| extend ThreatId = extract(@'\<ThreatEventID\>(.*?)\<\/ThreatEventID\>', 1, SyslogMessage)
| extend ThreatHandled = extract(@'\<ThreatHandled\>(.*?)\<\/ThreatHandled\>', 1, SyslogMessage)
| extend ThreatActionTaken = extract(@'\<ThreatActionTaken\>(.*?)\<\/ThreatActionTaken\>', 1, SyslogMessage)
| extend ThreatSeverity = extract(@'\<ThreatSeverity\>(.*?)\<\/ThreatSeverity\>', 1, SyslogMessage)
| extend SrcUserUpn = extract(@'\<SourceUserName\>(.*?)\<\/SourceUserName\>', 1, SyslogMessage)
| extend SrcProcessName = extract(@'\<SourceProcessName\>(.*?)\<\/SourceProcessName\>', 1, SyslogMessage)
| extend DstDvcHostname = extract(@'\<TargetHostName\>(.*?)\<\/TargetHostName\>', 1, SyslogMessage)
| extend DstUserName = extract(@'\<TargetUserName\>(.*?)\<\/TargetUserName\>', 1, SyslogMessage)
| extend TargetProcessName = extract(@'\<TargetProcessName\>(.*?)\<\/TargetProcessName\>', 1, SyslogMessage)
| extend DstFileName = extract(@'\<TargetFileName\>(.*?)\<\/TargetFileName\>', 1, SyslogMessage)
| extend Target = extract(@'\<CustomFields target=\"(.*?)\"\>', 1, SyslogMessage)
| extend BladeName = extract(@'\<BladeName\>(.*?)\<\/BladeName\>', 1, SyslogMessage)
| extend AnalyzerContentVersion = extract(@'\<AnalyzerContentVersion\>(.*?)\<\/AnalyzerContentVersion\>', 1, SyslogMessage)
| extend AnalyzerContentCreationDate = todatetime(extract(@'\<AnalyzerContentCreationDate\>(.*?)\<\/AnalyzerContentCreationDate\>', 1, SyslogMessage))
| extend AnalyzerRuleName = extract(@'\<AnalyzerRuleName\>(.*?)\<\/AnalyzerRuleName\>', 1, SyslogMessage)
| extend AnalyzerRuleId = extract(@'\<AnalyzerRuleID\>(.*?)\<\/AnalyzerRuleID\>', 1, SyslogMessage)
| extend AnalyzerGtiQuery = extract(@'\<AnalyzerGTIQuery\>(.*?)\<\/AnalyzerGTIQuery\>', 1, SyslogMessage)
| extend ThreatDetectedOnCreation = extract(@'\<ThreatDetectedOnCreation\>(.*?)\<\/ThreatDetectedOnCreation\>', 1, SyslogMessage)
| extend DstFileSize = extract(@'\<TargetFileSize\>(.*?)\<\/TargetFileSize\>', 1, SyslogMessage)
| extend DstFileModifiedTime = extract(@'\<TargetModifyTime\>(.*?)\<\/TargetModifyTime\>', 1, SyslogMessage)
| extend DstFileAccessedTime = extract(@'\<TargetAccessTime\>(.*?)\<\/TargetAccessTime\>', 1, SyslogMessage)
| extend DstFileCreationTime = extract(@'\<TargetCreateTime\>(.*?)\<\/TargetCreateTime\>', 1, SyslogMessage)
| extend Cleanable = extract(@'\<Cleanable\>(.*?)\<\/Cleanable\>', 1, SyslogMessage)
| extend TaskName = extract(@'\<TaskName\>(.*?)\<\/TaskName\>', 1, SyslogMessage)
| extend FirstAttemptedAction = extract(@'\<FirstAttemptedAction\>(.*?)\<\/FirstAttemptedAction\>', 1, SyslogMessage)
| extend FirstActionStatus = extract(@'\<FirstActionStatus\>(.*?)\<\/FirstActionStatus\>', 1, SyslogMessage)
| extend SecondAttemptedAction = extract(@'\<SecondAttemptedAction\>(.*?)\<\/SecondAttemptedAction\>', 1, SyslogMessage)
| extend SecondActionStatus = extract(@'\<SecondActionStatus\>(.*?)\<\/SecondActionStatus\>', 1, SyslogMessage)
| extend ApiName = extract(@'\<APIName\>(.*?)\<\/APIName\>', 1, SyslogMessage)
| extend SourceDescription = extract(@'\<SourceDescription\>(.*?)\<\/SourceDescription\>', 1, SyslogMessage)
| extend SrcProcessId = extract(@'\<SourceProcessID\>(.*?)\<\/SourceProcessID\>', 1, SyslogMessage)
| extend SrcProcessHashMd5 = extract(@'\<SourceProcessHash\>([a-fA-F0-9]{32})\<', 1, SyslogMessage)
| extend AttackVectorType = extract(@'\<AttackVectorType\>(.*?)\<\/AttackVectorType\>', 1, SyslogMessage)
| extend DurationBeforeDetection = extract(@'\<DurationBeforeDetection\>(.*?)\<\/DurationBeforeDetection\>', 1, SyslogMessage)
| extend NaturalLangDescription = extract(@'\<NaturalLangDescription\>(.*?)\<\/NaturalLangDescription\>', 1, SyslogMessage)
| extend AccessRequested = extract(@'\<AccessRequested\>(.*?)\</\AccessRequested\>', 1, SyslogMessage)
| extend DetectionMessage = extract(@'\<DetectionMessage\>(.*?)\</\DetectionMessage\>', 1, SyslogMessage)
| extend AmCoreContentVersion = extract(@'\<AMCoreContentVersion\>(.*?)\</\AMCoreContentVersion\>', 1, SyslogMessage)
| extend SrcIpAddr = extract(@'\<SourceIPV4\>(.*?)\<\/SourceIPV4\>', 1, SyslogMessage)
| extend SrcMacAddr = extract(@'\<SourceMAC\>(.*?)\<\/SourceMAC\>', 1, SyslogMessage)
| extend DstIpAddr = extract(@'\<TargetIPV4\>(.*?)\<\/TargetIPV4\>', 1, SyslogMessage)
| extend DstMacAddr = extract(@'\<TargetMAC\>(.*?)\<\/TargetMAC\>', 1, SyslogMessage)
};
let mcafee_updateevent =() {
Syslog
| where SyslogMessage contains '<UpdateEvents>'
| extend EventVendor = 'McAfee'
| extend EventProduct = 'McAfee ePO'
| extend AgentGuid = extract(@'\<AgentGUID\>(.*?)\<\/AgentGUID\>', 1, SyslogMessage)
| extend DvcHostname = extract(@'\<MachineName\>(.*?)\<\/MachineName\>', 1, SyslogMessage)
| extend DvcMacAddr = extract(@'\<RawMACAddress\>(.*?)\<\/RawMACAddress\>', 1, SyslogMessage)
| extend DvcIpAddr = extract(@'\<IPAddress\>(.*?)\<\/IPAddress\>', 1, SyslogMessage)
| extend AgentVersion = extract(@'\<AgentVersion\>(.*?)\<\/AgentVersion\>', 1, SyslogMessage)
| extend SrcUserName = extract(@'\<UserName\>(.*?)\<\/UserName\>', 1, SyslogMessage)
| extend TimeZoneBias = extract(@'\<TimeZoneBias\>(.*?)\<\/TimeZoneBias\>', 1, SyslogMessage)
| extend ProductName = extract(@'ProductName=\"(.*?)\"', 1, SyslogMessage)
| extend ProductFamily = extract(@'ProductFamily=\"(.*?)\"', 1, SyslogMessage)
| extend ProductVersion = extract(@'ProductVersion=\"(.*?)\"', 1, SyslogMessage)
| extend EventId = extract(@'\<EventID\>(.*?)\<\/EventID\>', 1, SyslogMessage)
| extend EventSeverity = extract(@'\<Severity\>(.*?)\<\/Severity\>', 1, SyslogMessage)
| extend EventSeverity = case(EventSeverity == 1, "Warning",
EventSeverity == 2, "Notice",
EventSeverity == 3, "Alert",
EventSeverity == 4, "Critical",
"Information")
| extend GmtTime = todatetime(extract(@'\<GMTTime\>(.*?)\<\/GMTTime\>', 1, SyslogMessage))
| extend ProductId = extract(@'\<ProductID\>(.*?)\<\/ProductID\>', 1, SyslogMessage)
| extend Locale = extract(@'\<Locale\>(.*?)\<\/Locale\>', 1, SyslogMessage)
| extend Error = extract(@'\<Error\>(.*?)\<\/Error\>', 1, SyslogMessage)
| extend Type = extract(@'\<Type\>(.*?)\<\/Type\>', 1, SyslogMessage)
| extend Version = extract(@'\<Version\>(.*?)\<\/Version\>', 1, SyslogMessage)
| extend InitiatorId = extract(@'\<InitiatorID\>(.*?)\<\/InitiatorID\>', 1, SyslogMessage)
| extend InitiatorType = extract(@'\<InitiatorType\>(.*?)\<\/InitiatorType\>', 1, SyslogMessage)
| extend SiteName = extract(@'\<SiteName\>(.*?)\<\/SiteName\>', 1, SyslogMessage)
| extend Description = extract(@'\<Description\>(.*?)\<\/Description\>', 1, SyslogMessage)
};
union isfuzzy=true mcafee_epoevent, mcafee_updateevent
| project TimeGenerated
, GmtTime
, EventVendor
, EventProduct
, EventId
, EventSeverity
, AgentGuid
, DvcHostname
, DvcIpAddr
, DvcMacAddr
, AgentVersion
, SrcDvcOs
, SrcUserName
, TimeZoneBias
, ProductName
, ProductFamily
, ProductVersion
, Analyzer
, AnalyzerName
, AnalyzerVersion
, AnalyzerHostName
, AnalyzerDatVersion
, AnalyzerEngineVersion
, AnalyzerDetectionMethod
, ThreatName
, ThreatType
, ThreatCategory
, ThreatId
, ThreatHandled
, ThreatActionTaken
, ThreatSeverity
, SrcUserUpn
, SrcProcessName
, DstDvcHostname
, DstUserName
, TargetProcessName
, DstFileName
, Target
, BladeName
, AnalyzerContentVersion
, AnalyzerContentCreationDate
, AnalyzerRuleName
, AnalyzerRuleId
, AnalyzerGtiQuery
, ThreatDetectedOnCreation
, DstFileSize
, DstFileModifiedTime
, DstFileAccessedTime
, DstFileCreationTime
, Cleanable
, TaskName
, FirstAttemptedAction
, FirstActionStatus
, SecondAttemptedAction
, SecondActionStatus
, ApiName
, SourceDescription
, SrcProcessId
, SrcProcessHashMd5
, AttackVectorType
, DurationBeforeDetection
, AccessRequested
, DetectionMessage
, AmCoreContentVersion
, SrcIpAddr
, SrcMacAddr
, DstIpAddr
, DstMacAddr
, ProductId
, Locale
, Error
, Type
, Version
, InitiatorId
, InitiatorType
, SiteName
, Description
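Review bot: The closing-tag patterns for AccessRequested, DetectionMessage and AmCoreContentVersion are written as `\</\AccessRequested\>` (and likewise for the other two), where `/\A` escapes the wrong character: `\A` is a start-of-text anchor in the regex dialect `extract()` uses, so those three extracts can never match and the columns will always be empty. They should use the same form as every other line, `\<\/AccessRequested\>`, `\<\/DetectionMessage\>` and `\<\/AMCoreContentVersion\>`. Separately, EventSeverity is produced by `extract()` and is therefore a string, yet the `case()` that follows in both mcafee_epoevent and mcafee_updateevent compares it with the integers 1–4; unless Kusto coerces here, which I would not rely on, that either fails to bind or never matches, so `toint(EventSeverity) == 1` (and so on for 2–4) is the safer form. The XML field values are also taken verbatim, so entity-encoded characters such as `&amp;` in file names or user names will surface encoded, which is worth a line in the usage header if no decoding is intended.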

740
Workbooks/Corelight.json Normal file

@ -0,0 +1,740 @@
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": ">**NOTE:** This workbook uses a parser based on a Kusto Function to normalize fields. [Follow these steps](https://aka.ms/sentinel-Corelight-parser) to create the Kusto function alias **Corelight**."
},
"name": "text - 23"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "d723eef6-b3f0-40be-9a56-125421b32619",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Corelight Main Dashboard",
"subTarget": "corelight_main_dashboard",
"style": "link"
},
{
"id": "5736d4f4-bd4c-4a49-bea7-00da2bbc7fd9",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Corelight Connections",
"subTarget": "corelight_connections",
"style": "link"
},
{
"id": "5336f601-4da3-4da0-8196-332a97636047",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Corelight DNS",
"subTarget": "corelight_dns",
"style": "link"
},
{
"id": "5c26ac35-85e3-4f48-8673-f80d30314d1a",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Correlight Files",
"subTarget": "corelight_files",
"style": "link"
},
{
"id": "14595b52-fcaa-402c-9a39-3d236b2aeba9",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Corelight Software",
"subTarget": "corelight_software",
"style": "link"
}
]
},
"name": "links - 24"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "c64d5d3d-90c6-484a-ab88-c70652b75b6e",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 300000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where TimeGenerated {TimeRange}\n|make-series Trend = count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by EventType;",
"size": 0,
"title": "Sensor Events Timechart",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "areachart"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_main_dashboard"
},
"customWidth": "50",
"name": "Sensor Events Timechart"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where TimeGenerated {TimeRange}\n| summarize Count=count() by EventType | sort by Count desc",
"size": 0,
"title": "Sensor Events Count",
"timeContext": {
"durationMs": 43200000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "categoricalbar"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_main_dashboard"
},
"customWidth": "50",
"name": "Sensor Events Count"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where TimeGenerated {TimeRange}\n| where EventType startswith \"conn\"\n| where isnotempty(Service)\n| summarize count() by Service | take 10",
"size": 3,
"title": "Top Services",
"timeContext": {
"durationMs": 43200000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"chartSettings": {
"showMetrics": false,
"showLegend": true,
"ySettings": {
"numberFormatSettings": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true
}
}
}
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_connections"
},
"customWidth": "50",
"name": "Top Services"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where TimeGenerated {TimeRange}\n| where EventType startswith \"conn\"\n| where isnotempty(DstPort)\n| extend dstprt = tostring(DstPort)\n| summarize Count=count() by dstprt | sort by Count desc |take 10",
"size": 3,
"title": "Top Responder Ports",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"chartSettings": {
"showMetrics": false,
"showLegend": true,
"ySettings": {
"numberFormatSettings": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true
}
}
}
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_connections"
},
"customWidth": "50",
"name": "Top Responder Ports"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where TimeGenerated {TimeRange}\n| where EventType startswith \"conn\"\n| extend NetworkDirection = case(LocalOrig == true,\"outbound\", LocalOrig == false, \"inbound\",'')\n| where NetworkDirection == \"outbound\"\n| where isnotempty(SrcIpAddr) and isnotempty(DstIpAddr) and isnotempty(SrcIpBytes) and isnotempty(DstIpBytes)\n| extend bytes = toint(SrcIpBytes) + toint(DstIpBytes)\n| summarize Bytes=sum(bytes) by SrcIpAddr, DstIpAddr, NetworkProtocol | sort by Bytes desc | take 15",
"size": 0,
"title": "Top Outbound Data Flows by Originator Bytes",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_connections"
},
"customWidth": "50",
"name": "Top Outbound Data Flows by Originator Bytes"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where TimeGenerated {TimeRange}\n| where EventType startswith \"conn\"\n| extend NetworkDirection = case(LocalOrig == true,\"outbound\", LocalOrig == false, \"inbound\",'')\n| where NetworkDirection == \"inbound\"\n| where isnotempty(SrcIpAddr) and isnotempty(DstIpAddr) and isnotempty(SrcIpBytes) and isnotempty(DstIpBytes)\n| extend bytes = toint(SrcIpBytes) + toint(DstIpBytes)\n| summarize Bytes=sum(bytes) by SrcIpAddr, DstIpAddr, NetworkProtocol | sort by Bytes desc | take 15",
"size": 0,
"title": "Top Inbound Data Flows by Originator Bytes",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_connections"
},
"customWidth": "50",
"name": "Top Inbound Data Flows by Originator Bytes - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where EventType startswith \"conn\"\n| where TimeGenerated {TimeRange} \n| summarize Count=count() by SrcIpAddr | sort by Count",
"size": 3,
"title": "Top Originators (sources) by # of connections",
"timeContext": {
"durationMs": 43200000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_connections"
},
"customWidth": "50",
"name": "Top Originators (sources) by # of connections"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where EventType startswith \"conn\"\n| where TimeGenerated {TimeRange} \n| summarize Count=count() by DstIpAddr | sort by Count",
"size": 3,
"title": "Top Responders (destinations) by # of connections",
"timeContext": {
"durationMs": 43200000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_connections"
},
"customWidth": "50",
"name": "Top Responders (destinations) by # of connections - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where EventType startswith \"conn\"\n| where TimeGenerated {TimeRange}\n| where isnotempty(SrcIpAddr) and isnotempty(DstIpAddr) and isnotempty(Service) and isnotempty(DstPort) and isnotempty(SrcPort)\n| summarize duration=avg(toint(Duration)), make_list(SrcIpAddr), make_list(DstIpAddr), make_list(NetworkProtocol) by EventUid | sort by duration desc | take 50",
"size": 0,
"title": "Open/Active Long Lived Connections (requires Long Connections Pkg)",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"sortBy": [
{
"itemKey": "duration",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "duration",
"sortOrder": 2
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_connections"
},
"name": "Open/Active Long Lived Connections (requires Long Connections Pkg)"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where TimeGenerated {TimeRange}\n| where EventType startswith \"dns\"\n| where isnotempty(DnsQueryTypeName)\n| where DstPort ==\"53\" | summarize count() by DnsQueryTypeName",
"size": 3,
"title": "Top Query Types",
"timeContext": {
"durationMs": 43200000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_dns"
},
"customWidth": "33",
"name": "Top Query Types"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where TimeGenerated {TimeRange}\n| where EventType startswith \"dns\"\n| where isnotempty(DnsQueryName)\n| summarize Count=count() by DnsQueryName | sort by Count desc | take 10\n| join kind = inner (Corelight\n| where TimeGenerated {TimeRange}\n| where EventType startswith \"dns\"\n| where isnotempty(DnsQueryName)\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DnsQueryName)\n on DnsQueryName",
"size": 0,
"title": "Top 10 Queries by Count",
"timeContext": {
"durationMs": 43200000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"palette": "blueDark"
}
},
{
"columnMatch": "TimeGenerated",
"formatter": 5
}
]
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_dns"
},
"customWidth": "33",
"name": "Top 10 Queries by Count"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where TimeGenerated {TimeRange}\n| where EventType startswith \"dns\"\n| where DnsResponseCodeName ==\"NXDOMAIN\" and DnsQueryTypeName !=\"PTR\" and DstPort ==\"53\"\n| summarize Count=count() by DnsQueryName | sort by Count desc | take 10\n| join kind = inner (Corelight\n| where TimeGenerated {TimeRange}\n| where EventType startswith \"dns\"\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DnsQueryName)\n on DnsQueryName",
"size": 0,
"title": "Top 10 Queries by Count to Non-Existent Domains",
"timeContext": {
"durationMs": 43200000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "DnsQueryName1",
"formatter": 5
},
{
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"palette": "blueDark"
}
},
{
"columnMatch": "TimeGenerated",
"formatter": 5
}
]
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_dns"
},
"customWidth": "33",
"name": "Top 10 Queries by Count to Non-Existent Domains"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where EventType startswith \"dns\"\n| where TimeGenerated {TimeRange}\n| where DstPort == \"53\" and isnotempty(DnsQueryTypeName)\n| summarize Count=count() by SrcIpAddr | sort by Count | take 10",
"size": 0,
"title": "Top Originators by Count",
"timeContext": {
"durationMs": 43200000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_dns"
},
"customWidth": "33",
"name": "Top Originators by Count"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where TimeGenerated {TimeRange}\n| where EventType startswith \"dns\"\n| where DnsResponseCodeName ==\"NOERROR\" and DnsQueryTypeName ==\"PTR\" and DstPort ==\"53\"\n| where DstPort == \"53\" and isnotempty(DnsQueryTypeName)\n| summarize Count=count() by DnsQueryName | sort by Count | take 10",
"size": 0,
"title": "Top Successful Reverse Queries by Count",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_dns"
},
"customWidth": "33",
"name": "Top Successful Reverse Queries by Count"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where TimeGenerated {TimeRange}\n| where EventType startswith \"dns\"\n| where DnsResponseCodeName ==\"NXDOMAIN\" and DnsQueryTypeName == \"PTR\" and DstPort == \"53\"\n| summarize Count=count() by DnsQueryName | sort by Count | take 10",
"size": 0,
"title": "Top Reverse Queries by Count to Non-Existent Domains",
"timeContext": {
"durationMs": 43200000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_dns"
},
"customWidth": "33",
"name": "Top Reverse Queries by Count to Non-Existent Domains"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where TimeGenerated {TimeRange}\n| where EventType startswith \"files\"\n| where isnotempty(MimeType)\n| where MimeType != \"application/pkix-cert\"\n| summarize Count=count() by MimeType | sort by Count desc | take 20",
"size": 0,
"title": "Top 20 Mime Types by File Count",
"timeContext": {
"durationMs": 43200000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "categoricalbar"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_files"
},
"name": "Top 20 Mime Types by File Count"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where TimeGenerated {TimeRange}\n| where EventType startswith \"files\"\n| where isnotempty(MimeType)\n| where MimeType != \"application/pkix-cert\"\n| summarize [\"File Count\"]=count() by Source | sort by [\"File Count\"] desc | take 15",
"size": 0,
"title": "Top File Protocols by File Count",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "categoricalbar"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_files"
},
"name": "Top File Protocols by File Count"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where EventType startswith \"files\"\n| where isnotempty(MimeType)\n| where MimeType != \"application/pkix-cert\"\n| extend NetworkDirection = case(LocalOrig == \"true\", \"outbound\", LocalOrig == \"false\", \"inbound\", \"\" )\n|make-series [\"Files Sent\"]=countif(NetworkDirection==\"outbound\"), [\"Files Received\"]=countif(NetworkDirection==\"inbound\") on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by EventType | project [\"Files Sent\"], [\"Files Received\"], TimeGenerated;",
"size": 0,
"title": "File Flow - # of Files",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "areachart",
"tileSettings": {
"showBorder": false
},
"graphSettings": {
"type": 0
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_files"
},
"customWidth": "50",
"name": "File Flow - # of Files"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where EventType startswith \"files\"\n| where isnotempty(MimeType)\n| where MimeType != \"application/pkix-cert\"\n| extend NetworkDirection = case(LocalOrig == \"true\", \"outbound\", LocalOrig == \"false\", \"inbound\", \"\" )\n|make-series [\"Bytes Sent\"]=sumif(toint(ZeekFilesSeenBytes), NetworkDirection==\"outbound\" ), [\"Bytes Received\"]=sumif(toint(ZeekFilesSeenBytes),NetworkDirection==\"inbound\") on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by EventType;",
"size": 0,
"title": "File Flow - Bytes",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "areachart",
"tileSettings": {
"showBorder": false
},
"graphSettings": {
"type": 0
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_files"
},
"customWidth": "50",
"name": "File Flow - Bytes"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where EventType startswith \"software\"\n| where TimeGenerated {TimeRange}\n| where isnotempty(SoftwareType)\n| summarize Count=count() by Name | sort by Count | take 20",
"size": 0,
"title": "Top Software",
"timeContext": {
"durationMs": 43200000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "categoricalbar"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_software"
},
"name": "Top Software"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where TimeGenerated {TimeRange}\n| where EventType startswith \"software\"\n| where isnotempty(SoftwareType)\n| summarize Count=count() by Name, UnparsedVersion | sort by Count ",
"size": 0,
"title": "Top Software Versions",
"timeContext": {
"durationMs": 43200000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Name",
"formatter": 5
}
],
"hierarchySettings": {
"treeType": 1,
"groupBy": [
"Name"
],
"expandTopLevel": true
}
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_software"
},
"customWidth": "50",
"name": "Top Software Versions"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where EventType startswith \"software\"\n| where isnotempty(SoftwareType)\n| summarize Count=count() by SoftwareType | sort by Count ",
"size": 0,
"title": "Top Software Types",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Name",
"formatter": 5
}
],
"hierarchySettings": {
"treeType": 1,
"groupBy": [
"Name"
],
"expandTopLevel": true
}
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_software"
},
"customWidth": "50",
"name": "Top Software Types"
}
],
"fallbackResourceIds": [],
"fromTemplateId": "sentinel-CorelightWorkbook",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}

Двоичные данные
Workbooks/Images/Preview/CorelightConnectionsBlack1.png Normal file


Двоичные данные
Workbooks/Images/Preview/CorelightConnectionsBlack2.png Normal file


Двоичные данные
Workbooks/Images/Preview/CorelightConnectionsWhite1.png Normal file


Двоичные данные
Workbooks/Images/Preview/CorelightConnectionsWhite2.png Normal file


Двоичные данные
Workbooks/Images/Preview/CorelightDNSBlack1.png Normal file


Двоичные данные
Workbooks/Images/Preview/CorelightDNSWhite1.png Normal file


Двоичные данные
Workbooks/Images/Preview/CorelightFileBlack1.png Normal file


Двоичные данные
Workbooks/Images/Preview/CorelightFileBlack2.png Normal file


Двоичные данные
Workbooks/Images/Preview/CorelightFileWhite1.png Normal file


Двоичные данные
Workbooks/Images/Preview/CorelightFileWhite2.png Normal file


Двоичные данные
Workbooks/Images/Preview/CorelightMainBlack1.png Normal file


Двоичные данные
Workbooks/Images/Preview/CorelightMainWhite1.png Normal file


Двоичные данные
Workbooks/Images/Preview/CorelightSoftwareBlack1.png Normal file


Двоичные данные
Workbooks/Images/Preview/CorelightSoftwareWhite1.png Normal file



@ -101,8 +101,7 @@
"title": "Eset Security Management Center Overview",
"templateRelativePath": "esetSMCWorkbook.json",
"subtitle": "",
"provider": "Community",
"featureFlag": "EsetSMCConnector"
"provider": "Community"
},
{
"workbookKey": "FortigateWorkbook",
@ -729,32 +728,30 @@
"provider": "Symantec"
},
{
"workbookKey": "IllusiveASMWorkbook",
"logoFileName": "illusive_logo_workbook.svg",
"description": "Gain insights into your organization's Cyber Hygiene and Attack Surface risk.\nIllusive ASM automates discovery and clean-up of credential violations, allows drill-down inspection of pathways to critical assets, and provides risk insights that inform intelligent decision-making to reduce attacker mobility.",
"dataTypesDependencies": [ "CommonSecurityLog" ],
"dataConnectorsDependencies": [ "illusiveAttackManagementSystem" ],
"previewImagesFileNames": [ "IllusiveASMWhite.png", "IllusiveASMBlack.png" ],
"version": "1.0",
"title": "Illusive ASM Dashboard",
"templateRelativePath": "IllusiveASM.json",
"subtitle": "",
"provider": "Illusive",
"featureFlag": "IllusiveConnector"
"workbookKey": "IllusiveASMWorkbook",
"logoFileName": "illusive_logo_workbook.svg",
"description": "Gain insights into your organization's Cyber Hygiene and Attack Surface risk.\nIllusive ASM automates discovery and clean-up of credential violations, allows drill-down inspection of pathways to critical assets, and provides risk insights that inform intelligent decision-making to reduce attacker mobility.",
"dataTypesDependencies": [ "CommonSecurityLog" ],
"dataConnectorsDependencies": [ "illusiveAttackManagementSystem" ],
"previewImagesFileNames": [ "IllusiveASMWhite.png", "IllusiveASMBlack.png"],
"version": "1.0",
"title": "Illusive ASM Dashboard",
"templateRelativePath": "IllusiveASM.json",
"subtitle": "",
"provider": "Illusive"
},
{
"workbookKey": "IllusiveADSWorkbook",
"logoFileName": "illusive_logo_workbook.svg",
"description": "Gain insights into unauthorized lateral movement in your organization's network.\nIllusive ADS is designed to paralyzes attackers and eradicates in-network threats by creating a hostile environment for the attackers across all the layers of the attack surface.",
"dataTypesDependencies": [ "CommonSecurityLog" ],
"dataConnectorsDependencies": [ "illusiveAttackManagementSystem" ],
"previewImagesFileNames": [ "IllusiveADSWhite.png", "IllusiveADSBlack.png" ],
"version": "1.0",
"title": "Illusive ADS Dashboard",
"templateRelativePath": "IllusiveADS.json",
"subtitle": "",
"provider": "Illusive",
"featureFlag": "IllusiveConnector"
"workbookKey": "IllusiveADSWorkbook",
"logoFileName": "illusive_logo_workbook.svg",
"description": "Gain insights into unauthorized lateral movement in your organization's network.\nIllusive ADS is designed to paralyzes attackers and eradicates in-network threats by creating a hostile environment for the attackers across all the layers of the attack surface.",
"dataTypesDependencies": [ "CommonSecurityLog" ],
"dataConnectorsDependencies": [ "illusiveAttackManagementSystem" ],
"previewImagesFileNames": [ "IllusiveADSWhite.png", "IllusiveADSBlack.png"],
"version": "1.0",
"title": "Illusive ADS Dashboard",
"templateRelativePath": "IllusiveADS.json",
"subtitle": "",
"provider": "Illusive"
},
{
"workbookKey": "PulseConnectSecureWorkbook",
@ -767,8 +764,7 @@
"title": "Pulse Connect Secure",
"templateRelativePath": "PulseConnectSecure.json",
"subtitle": "",
"provider": "Pulse Secure",
"featureFlag": "PulseConnectSecureConnector"
"provider": "Pulse Secure"
},
{
"workbookKey": "InfobloxNIOSWorkbook",
@ -781,8 +777,7 @@
"title": "Infoblox NIOS",
"templateRelativePath": "InfobloxNIOS.json",
"subtitle": "",
"provider": "Infoblox",
"featureFlag": "InfobloxNIOSConnector"
"provider": "Infoblox"
},
{
"workbookKey": "SymantecVIPWorkbook",
@ -795,8 +790,7 @@
"title": "Symantec VIP",
"templateRelativePath": "SymantecVIP.json",
"subtitle": "",
"provider": "Symantec",
"featureFlag": "SymantecVIPConnector"
"provider": "Symantec"
},
{
"workbookKey": "VMwareCarbonBlackWorkbook",
@ -809,8 +803,7 @@
"title": "VMware Carbon Black",
"templateRelativePath": "VMwareCarbonBlack.json",
"subtitle": "",
"provider": "VMware",
"featureFlag": "VMwareCarbonBlackConnector"
"provider": "VMware"
},
{
"workbookKey": "ProofPointTAPWorkbook",
@ -823,8 +816,7 @@
"title": "Proofpoint TAP",
"templateRelativePath": "ProofpointTAP.json",
"subtitle": "",
"provider": "Proofpoint",
"featureFlag": "ProofpointTAPConnector"
"provider": "Proofpoint"
},
{
"workbookKey": "QualysVMWorkbook",
@ -837,8 +829,7 @@
"title": "Qualys Vulnerability Management",
"templateRelativePath": "QualysVM.json",
"subtitle": "",
"provider": "Qualys",
"featureFlag": "QualysVulnerabilityManagementConnector"
"provider": "Qualys"
},
{
"workbookKey": "GitHubSecurityWorkbook",
@ -877,8 +868,7 @@
"title": "Sophos XG Firewall",
"templateRelativePath": "SophosXGFirewall.json",
"subtitle": "",
"provider": "Sophos",
"featureFlag": "SophosXGFirewallConnector"
"provider": "Sophos"
},
{
"workbookKey": "OktaSingleSignOnWorkbook",
@ -998,43 +988,43 @@
"provider": "Azure Sentinel community"
},
{
"workbookKey": "MITREATTACKWorkbook",
"logoFileName": "Azure_Sentinel.svg",
"description": "Workbook to showcase MITRE ATT&CK Coverage for Azure Sentinel",
"dataTypesDependencies": [],
"dataConnectorsDependencies": [],
"previewImagesFileNames": [ "MITREATTACKWhite1.PNG", "MITREATTACKWhite2.PNG", "MITREATTACKBlack1.PNG", "MITREATTACKBlack2.PNG" ],
"version": "1.0",
"title": "MITRE ATT&CK Workbook",
"templateRelativePath": "MITREAttack.json",
"subtitle": "",
"provider": "Azure Sentinel community"
"workbookKey": "MITREATTACKWorkbook",
"logoFileName": "Azure_Sentinel.svg",
"description": "Workbook to showcase MITRE ATT&CK Coverage for Azure Sentinel",
"dataTypesDependencies": [],
"dataConnectorsDependencies": [],
"previewImagesFileNames": [ "MITREATTACKWhite1.PNG", "MITREATTACKWhite2.PNG", "MITREATTACKBlack1.PNG", "MITREATTACKBlack2.PNG" ],
"version": "1.0",
"title": "MITRE ATT&CK Workbook",
"templateRelativePath": "MITREAttack.json",
"subtitle": "",
"provider": "Azure Sentinel community"
},
{
"workbookKey": "BETTERMTDWorkbook",
"logoFileName": "BETTER_MTD_logo.svg",
"description": "Workbook using the BETTER Mobile Threat Defense (MTD) connector, to give insights into your mobile devices, installed application and overall device security posture.",
"dataTypesDependencies": [ "BetterMTDDeviceLog_CL", "BetterMTDAppLog_CL", "BetterMTDIncidentLog_CL", "BetterMTDNetflowLog_CL"],
"dataConnectorsDependencies": [ "BetterMTD" ],
"previewImagesFileNames": [ "BetterMTDWorkbookPreviewWhite1.png", "BetterMTDWorkbookPreviewWhite2.png", "BetterMTDWorkbookPreviewWhite3.png", "BetterMTDWorkbookPreviewBlack1.png", "BetterMTDWorkbookPreviewBlack2.png", "BetterMTDWorkbookPreviewBlack3.png" ],
"version": "1.0",
"title": "BETTER Mobile Threat Defense (MTD)",
"templateRelativePath": "BETTER_MTD_Workbook.json",
"subtitle": "",
"provider": "BETTER Mobile"
},
{
"workbookKey": "BETTERMTDWorkbook",
"logoFileName": "BETTER_MTD_logo.svg",
"description": "Workbook using the BETTER Mobile Threat Defense (MTD) connector, to give insights into your mobile devices, installed application and overall device security posture.",
"dataTypesDependencies": [ "BetterMTDDeviceLog_CL", "BetterMTDAppLog_CL", "BetterMTDIncidentLog_CL", "BetterMTDNetflowLog_CL" ],
"dataConnectorsDependencies": [],
"previewImagesFileNames": [ "BetterMTDWorkbookPreviewWhite1.png", "BetterMTDWorkbookPreviewWhite2.png", "BetterMTDWorkbookPreviewWhite3.png", "BetterMTDWorkbookPreviewBlack1.png", "BetterMTDWorkbookPreviewBlack2.png", "BetterMTDWorkbookPreviewBlack3.png" ],
"version": "1.0",
"title": "BETTER Mobile Threat Defense (MTD)",
"templateRelativePath": "BETTER_MTD_Workbook.json",
"subtitle": "",
"provider": "BETTER Mobile"
},
{
"workbookKey": "AlsidIoEWorkbook",
"logoFileName": "Alsid.svg",
"description": "Workbook showcasing the state and evolution of your Alsid for AD Indicators of Exposures alerts.",
"dataTypesDependencies": [ "AlsidForADLog_CL" ],
"dataConnectorsDependencies": [],
"previewImagesFileNames": [ "AlsidIoEBlack1.png", "AlsidIoEBlack2.png", "AlsidIoEBlack3.png", "AlsidIoEWhite1.png", "AlsidIoEWhite2.png", "AlsidIoEWhite3.png" ],
"version": "1.0",
"title": "Alsid for AD | Indicators of Exposure",
"templateRelativePath": "AlsidIoE.json",
"subtitle": "",
"provider": "Alsid"
"workbookKey": "AlsidIoEWorkbook",
"logoFileName": "Alsid.svg",
"description": "Workbook showcasing the state and evolution of your Alsid for AD Indicators of Exposures alerts.",
"dataTypesDependencies": [ "AlsidForADLog_CL" ],
"dataConnectorsDependencies": [ "AlsidForAD" ],
"previewImagesFileNames": [ "AlsidIoEBlack1.png", "AlsidIoEBlack2.png", "AlsidIoEBlack3.png", "AlsidIoEWhite1.png", "AlsidIoEWhite2.png", "AlsidIoEWhite3.png" ],
"version": "1.0",
"title": "Alsid for AD | Indicators of Exposure",
"templateRelativePath": "AlsidIoE.json",
"subtitle": "",
"provider": "Alsid"
},
{
"workbookKey": "InvestigationInsightsWorkbook",
@ -1185,7 +1175,7 @@
"logoFileName": "trendmicro_logo.svg",
"description": "Gain insights from Trend Micro XDR with this overview of the Alerts triggered.",
"dataTypesDependencies": [ "TrendMicro_XDR_CL" ],
"dataConnectorsDependencies": [],
"dataConnectorsDependencies": [ "TrendMicroXDR" ],
"previewImagesFileNames": [ "TrendMicroXDROverviewWhite.png", "TrendMicroXDROverviewBlack.png" ],
"version": "1.0",
"title": "Trend Micro XDR Alert Overview",
@ -1237,7 +1227,7 @@
"logoFileName": "cisco_logo.svg",
"description": "Gain insights into Cisco Umbrella activities, including the DNS, Proxy and Cloud Firewall data. Workbook shows general information along with threat landscape including categories, blocked destinations and URLs.",
"dataTypesDependencies": [ "Cisco_Umbrella_dns_CL", "Cisco_Umbrella_proxy_CL", "Cisco_Umbrella_ip_CL", "Cisco_Umbrella_cloudfirewall_CL" ],
"dataConnectorsDependencies": [ "CiscoUbrella" ],
"dataConnectorsDependencies": [ "CiscoUmbrellaDataConnector" ],
"previewImagesFileNames": [ "CiscoUmbrellaDNSBlack1.png", "CiscoUmbrellaDNSBlack2.png", "CiscoUmbrellaDNSWhite1.png", "CiscoUmbrellaDNSWhite2.png", "CiscoUmbrellaFirewallBlack.png", "CiscoUmbrellaFirewallWhite.png", "CiscoUmbrellaMainBlack1.png", "CiscoUmbrellaMainBlack2.png", "CiscoUmbrellaMainWhite1.png", "CiscoUmbrellaMainWhite2.png", "CiscoUmbrellaProxyBlack1.png", "CiscoUmbrellaProxyBlack2.png", "CiscoUmbrellaProxyWhite1.png", "CiscoUmbrellaProxyWhite2.png" ],
"version": "1.0",
"title": "Cisco Umbrella",
@ -1323,19 +1313,6 @@
"subtitle": "",
"provider": "Azure Sentinel community"
},
{
"workbookKey": "CloudflareWorkbook",
"logoFileName": "cloudflare.svg",
"description": "Gain insights into Cloudflare events. You will get visibility on your Cloudflare web traffic, security, reliability.",
"dataTypesDependencies": [ "Cloudflare_CL" ],
"dataConnectorsDependencies": [ "CloudflareDataConnector" ],
"previewImagesFileNames": [ "CloudflareOverviewWhite01.png", "CloudflareOverviewWhite02.png", "CloudflareOverviewBlack01.png", "CloudflareOverviewBlack02.png" ],
"version": "1.0",
"title": "Cloudflare",
"templateRelativePath": "Cloudflare.json",
"subtitle": "",
"provider": "Cloudflare"
},
{
"workbookKey": "SenservaProAnalyticsWorkbook",
"logoFileName": "SenservaPro_logo.svg",