Vitalii Uslystyi 2021-06-25 11:17:37 +03:00
Родитель be6804b2e8
Коммит ea63b0e459
1 изменённых файлов: 144 добавлений и 152 удалений


@ -1,279 +1,271 @@
[
{
"TenantId": "9143fd29-fe92-43be-93e9-3f0a4bcaeef4",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated [UTC]": "6/15/2021, 10:25:00.818 AM",
"TimeGenerated": "6/15/2021, 10:25:00.818 AM",
"Computer": "",
"RawData": "",
"DstUserSid": "60b88e8dfd5fd40e3b6eaad2",
"CustomerId": "84b93e3c-7299-45ef-81ff-a548fb5754a9",
"EventSeverity": "low",
"Created [UTC]": "6/15/2021, 7:29:45.191 AM",
"SrcIpAddr": "10.211.55.3",
"ThreatName": "AMSI/Mimikatz-A",
"EndpointId": "82912e0e-660c-4b84-8e1f-b46c2cd8b041",
"DvcType": "computer",
"EventSubType": "AMSI",
"EventEndTime [UTC]": "6/15/2021, 7:29:41.837 AM",
"user_id": "60b88e8dfd5fd40e3b6eaad2",
"customer_id": "84b93e3c-7299-45ef-81ff-a548fb5754a9",
"severity": "low",
"created_at": "6/15/2021, 7:29:45.191 AM",
"source_info_ip": "10.211.55.3",
"threat": "AMSI/Mimikatz-A",
"endpoint_id": "82912e0e-660c-4b84-8e1f-b46c2cd8b041",
"endpoint_type": "computer",
"origin": "AMSI",
"when": "6/15/2021, 7:29:41.837 AM",
"amsi_threat_data_processPath_s": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"amsi_threat_data_processId_s": "10588",
"amsi_threat_data_processName_s": "Windows PowerShell",
"amsi_threat_data_parentProcessId_s": "4180",
"amsi_threat_data_parentProcessPath_s": "C:\\Windows\\explorer.exe",
"Source": "DESKTOP-420DJQI\\py",
"DvcAction": "Event::Endpoint::CoreAmsiBlocked",
"EventMessage": "AMSI Protection blocked a threat: AMSI/Mimikatz-A at C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"DvcHostname": "DESKTOP-420DJQI",
"EventOriginalUid": "8d4e4725-2865-4e52-bc71-2e445ff6bba5",
"ThreatCategory": "RUNTIME_DETECTIONS",
"EventType": "event",
"source": "DESKTOP-420DJQI\\py",
"type": "Event::Endpoint::CoreAmsiBlocked",
"name": "AMSI Protection blocked a threat: AMSI/Mimikatz-A at C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"location": "DESKTOP-420DJQI",
"id": "8d4e4725-2865-4e52-bc71-2e445ff6bba5",
"group": "RUNTIME_DETECTIONS",
"datastream": "event",
"Type": "SophosEP_CL",
"_ResourceId": "",
"EventVendor": "Sophos",
"EventProduct": "Endpoint Protection"
},
{
"TenantId": "9143fd29-fe92-43be-93e9-3f0a4bcaeef4",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated [UTC]": "6/15/2021, 10:25:00.818 AM",
"TimeGenerated": "6/15/2021, 10:25:00.818 AM",
"Computer": "",
"RawData": "",
"DstUserSid": "60b88e8dfd5fd40e3b6eaad2",
"CustomerId": "84b93e3c-7299-45ef-81ff-a548fb5754a9",
"EventSeverity": "medium",
"Created [UTC]": "6/15/2021, 7:29:59.307 AM",
"SrcIpAddr": "10.211.55.3",
"ThreatName": "EICAR-AV-Test",
"EndpointId": "82912e0e-660c-4b84-8e1f-b46c2cd8b041",
"DvcType": "computer",
"EventSubType": "",
"EventEndTime [UTC]": "6/15/2021, 7:29:57.000 AM",
"user_id": "60b88e8dfd5fd40e3b6eaad2",
"customer_id": "84b93e3c-7299-45ef-81ff-a548fb5754a9",
"severity": "medium",
"created_at": "6/15/2021, 7:29:59.307 AM",
"source_info_ip": "10.211.55.3",
"threat": "EICAR-AV-Test",
"endpoint_id": "82912e0e-660c-4b84-8e1f-b46c2cd8b041",
"endpoint_type": "computer",
"origin": "",
"when": "6/15/2021, 7:29:57.000 AM",
"amsi_threat_data_processPath_s": "",
"amsi_threat_data_processId_s": "",
"amsi_threat_data_processName_s": "",
"amsi_threat_data_parentProcessId_s": "",
"amsi_threat_data_parentProcessPath_s": "",
"Source": "DESKTOP-420DJQI\\py",
"DvcAction": "Event::Endpoint::Threat::Detected",
"EventMessage": "Malware detected: 'EICAR-AV-Test' at 'h___s://secure.eicar.org/eicar.com'",
"DvcHostname": "DESKTOP-420DJQI",
"EventOriginalUid": "0128b3d3-5b5a-44cb-a038-6807fc16a82c",
"ThreatCategory": "MALWARE",
"EventType": "event",
"source": "DESKTOP-420DJQI\\py",
"type": "Event::Endpoint::Threat::Detected",
"name": "Malware detected: 'EICAR-AV-Test' at 'h___s://secure.eicar.org/eicar.com'",
"location": "DESKTOP-420DJQI",
"id": "0128b3d3-5b5a-44cb-a038-6807fc16a82c",
"group": "MALWARE",
"datastream": "event",
"Type": "SophosEP_CL",
"_ResourceId": "",
"EventVendor": "Sophos",
"EventProduct": "Endpoint Protection"
},
{
"TenantId": "9143fd29-fe92-43be-93e9-3f0a4bcaeef4",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated [UTC]": "6/15/2021, 10:25:00.818 AM",
"TimeGenerated": "6/15/2021, 10:25:00.818 AM",
"Computer": "",
"RawData": "",
"DstUserSid": "60b88e8dfd5fd40e3b6eaad2",
"CustomerId": "84b93e3c-7299-45ef-81ff-a548fb5754a9",
"EventSeverity": "low",
"Created [UTC]": "6/15/2021, 7:29:59.320 AM",
"SrcIpAddr": "10.211.55.3",
"ThreatName": "EICAR-AV-Test",
"EndpointId": "82912e0e-660c-4b84-8e1f-b46c2cd8b041",
"DvcType": "computer",
"EventSubType": "",
"EventEndTime [UTC]": "6/15/2021, 7:29:57.000 AM",
"user_id": "60b88e8dfd5fd40e3b6eaad2",
"customer_id": "84b93e3c-7299-45ef-81ff-a548fb5754a9",
"severity": "low",
"created_at": "6/15/2021, 7:29:59.320 AM",
"source_info_ip": "10.211.55.3",
"threat": "EICAR-AV-Test",
"endpoint_id": "82912e0e-660c-4b84-8e1f-b46c2cd8b041",
"endpoint_type": "computer",
"origin": "",
"when": "6/15/2021, 7:29:57.000 AM",
"amsi_threat_data_processPath_s": "",
"amsi_threat_data_processId_s": "",
"amsi_threat_data_processName_s": "",
"amsi_threat_data_parentProcessId_s": "",
"amsi_threat_data_parentProcessPath_s": "",
"Source": "DESKTOP-420DJQI\\py",
"DvcAction": "Event::Endpoint::Threat::CleanedUp",
"EventMessage": "Malware cleaned up: 'EICAR-AV-Test' at 'h___s://secure.eicar.org/eicar.com'",
"DvcHostname": "DESKTOP-420DJQI",
"EventOriginalUid": "4a892176-fffa-4858-b3f8-db4f04806901",
"ThreatCategory": "MALWARE",
"EventType": "event",
"source": "DESKTOP-420DJQI\\py",
"type": "Event::Endpoint::Threat::CleanedUp",
"name": "Malware cleaned up: 'EICAR-AV-Test' at 'h___s://secure.eicar.org/eicar.com'",
"location": "DESKTOP-420DJQI",
"id": "4a892176-fffa-4858-b3f8-db4f04806901",
"group": "MALWARE",
"datastream": "event",
"Type": "SophosEP_CL",
"_ResourceId": "",
"EventVendor": "Sophos",
"EventProduct": "Endpoint Protection"
},
{
"TenantId": "9143fd29-fe92-43be-93e9-3f0a4bcaeef4",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated [UTC]": "6/15/2021, 10:25:00.818 AM",
"TimeGenerated": "6/15/2021, 10:25:00.818 AM",
"Computer": "",
"RawData": "",
"DstUserSid": "60b88e8dfd5fd40e3b6eaad2",
"CustomerId": "84b93e3c-7299-45ef-81ff-a548fb5754a9",
"EventSeverity": "low",
"Created [UTC]": "6/15/2021, 7:31:12.095 AM",
"SrcIpAddr": "10.211.55.3",
"ThreatName": "",
"EndpointId": "82912e0e-660c-4b84-8e1f-b46c2cd8b041",
"DvcType": "computer",
"EventSubType": "",
"EventEndTime [UTC]": "6/15/2021, 7:31:12.083 AM",
"user_id": "60b88e8dfd5fd40e3b6eaad2",
"customer_id": "84b93e3c-7299-45ef-81ff-a548fb5754a9",
"severity": "low",
"created_at": "6/15/2021, 7:31:12.095 AM",
"source_info_ip": "10.211.55.3",
"threat": "",
"endpoint_id": "82912e0e-660c-4b84-8e1f-b46c2cd8b041",
"endpoint_type": "computer",
"origin": "",
"when": "6/15/2021, 7:31:12.083 AM",
"amsi_threat_data_processPath_s": "",
"amsi_threat_data_processId_s": "",
"amsi_threat_data_processName_s": "",
"amsi_threat_data_parentProcessId_s": "",
"amsi_threat_data_parentProcessPath_s": "",
"Source": "DESKTOP-420DJQI\\py",
"DvcAction": "Event::Endpoint::UpdateSuccess",
"EventMessage": "Update succeeded",
"DvcHostname": "DESKTOP-420DJQI",
"EventOriginalUid": "58da2d35-0822-4926-971a-1c16a3ca53f9",
"ThreatCategory": "UPDATING",
"EventType": "event",
"source": "DESKTOP-420DJQI\\py",
"type": "Event::Endpoint::UpdateSuccess",
"name": "Update succeeded",
"location": "DESKTOP-420DJQI",
"id": "58da2d35-0822-4926-971a-1c16a3ca53f9",
"group": "UPDATING",
"datastream": "event",
"Type": "SophosEP_CL",
"_ResourceId": "",
"EventVendor": "Sophos",
"EventProduct": "Endpoint Protection"
},
{
"TenantId": "9143fd29-fe92-43be-93e9-3f0a4bcaeef4",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated [UTC]": "6/15/2021, 8:02:19.705 AM",
"TimeGenerated": "6/15/2021, 8:02:19.705 AM",
"Computer": "",
"RawData": "",
"DstUserSid": "60b88e8dfd5fd40e3b6eaad2",
"CustomerId": "84b93e3c-7299-45ef-81ff-a548fb5754a9",
"EventSeverity": "low",
"Created [UTC]": "6/15/2021, 7:29:45.191 AM",
"SrcIpAddr": "10.211.55.3",
"ThreatName": "AMSI/Mimikatz-A",
"EndpointId": "82912e0e-660c-4b84-8e1f-b46c2cd8b041",
"DvcType": "computer",
"EventSubType": "AMSI",
"EventEndTime [UTC]": "6/15/2021, 7:29:41.837 AM",
"user_id": "60b88e8dfd5fd40e3b6eaad2",
"customer_id": "84b93e3c-7299-45ef-81ff-a548fb5754a9",
"severity": "low",
"created_at": "6/15/2021, 7:29:45.191 AM",
"source_info_ip": "10.211.55.3",
"threat": "AMSI/Mimikatz-A",
"endpoint_id": "82912e0e-660c-4b84-8e1f-b46c2cd8b041",
"endpoint_type": "computer",
"origin": "AMSI",
"when": "6/15/2021, 7:29:41.837 AM",
"amsi_threat_data_processPath_s": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"amsi_threat_data_processId_s": "10588",
"amsi_threat_data_processName_s": "Windows PowerShell",
"amsi_threat_data_parentProcessId_s": "4180",
"amsi_threat_data_parentProcessPath_s": "C:\\Windows\\explorer.exe",
"Source": "DESKTOP-420DJQI\\py",
"DvcAction": "Event::Endpoint::CoreAmsiBlocked",
"EventMessage": "AMSI Protection blocked a threat: AMSI/Mimikatz-A at C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"DvcHostname": "DESKTOP-420DJQI",
"EventOriginalUid": "8d4e4725-2865-4e52-bc71-2e445ff6bba5",
"ThreatCategory": "RUNTIME_DETECTIONS",
"EventType": "event",
"source": "DESKTOP-420DJQI\\py",
"type": "Event::Endpoint::CoreAmsiBlocked",
"name": "AMSI Protection blocked a threat: AMSI/Mimikatz-A at C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"location": "DESKTOP-420DJQI",
"id": "8d4e4725-2865-4e52-bc71-2e445ff6bba5",
"group": "RUNTIME_DETECTIONS",
"datastream": "event",
"Type": "SophosEP_CL",
"_ResourceId": "",
"EventVendor": "Sophos",
"EventProduct": "Endpoint Protection"
},
{
"TenantId": "9143fd29-fe92-43be-93e9-3f0a4bcaeef4",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated [UTC]": "6/15/2021, 8:02:19.705 AM",
"TimeGenerated": "6/15/2021, 8:02:19.705 AM",
"Computer": "",
"RawData": "",
"DstUserSid": "60b88e8dfd5fd40e3b6eaad2",
"CustomerId": "84b93e3c-7299-45ef-81ff-a548fb5754a9",
"EventSeverity": "medium",
"Created [UTC]": "6/15/2021, 7:29:59.307 AM",
"SrcIpAddr": "10.211.55.3",
"ThreatName": "EICAR-AV-Test",
"EndpointId": "82912e0e-660c-4b84-8e1f-b46c2cd8b041",
"DvcType": "computer",
"EventSubType": "",
"EventEndTime [UTC]": "6/15/2021, 7:29:57.000 AM",
"user_id": "60b88e8dfd5fd40e3b6eaad2",
"customer_id": "84b93e3c-7299-45ef-81ff-a548fb5754a9",
"severity": "medium",
"created_at": "6/15/2021, 7:29:59.307 AM",
"source_info_ip": "10.211.55.3",
"threat": "EICAR-AV-Test",
"endpoint_id": "82912e0e-660c-4b84-8e1f-b46c2cd8b041",
"endpoint_type": "computer",
"origin": "",
"when": "6/15/2021, 7:29:57.000 AM",
"amsi_threat_data_processPath_s": "",
"amsi_threat_data_processId_s": "",
"amsi_threat_data_processName_s": "",
"amsi_threat_data_parentProcessId_s": "",
"amsi_threat_data_parentProcessPath_s": "",
"Source": "DESKTOP-420DJQI\\py",
"DvcAction": "Event::Endpoint::Threat::Detected",
"EventMessage": "Malware detected: 'EICAR-AV-Test' at 'h___s://secure.eicar.org/eicar.com'",
"DvcHostname": "DESKTOP-420DJQI",
"EventOriginalUid": "0128b3d3-5b5a-44cb-a038-6807fc16a82c",
"ThreatCategory": "MALWARE",
"EventType": "event",
"source": "DESKTOP-420DJQI\\py",
"type": "Event::Endpoint::Threat::Detected",
"name": "Malware detected: 'EICAR-AV-Test' at 'h___s://secure.eicar.org/eicar.com'",
"location": "DESKTOP-420DJQI",
"id": "0128b3d3-5b5a-44cb-a038-6807fc16a82c",
"group": "MALWARE",
"datastream": "event",
"Type": "SophosEP_CL",
"_ResourceId": "",
"EventVendor": "Sophos",
"EventProduct": "Endpoint Protection"
},
{
"TenantId": "9143fd29-fe92-43be-93e9-3f0a4bcaeef4",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated [UTC]": "6/15/2021, 8:02:19.705 AM",
"TimeGenerated": "6/15/2021, 8:02:19.705 AM",
"Computer": "",
"RawData": "",
"DstUserSid": "60b88e8dfd5fd40e3b6eaad2",
"CustomerId": "84b93e3c-7299-45ef-81ff-a548fb5754a9",
"EventSeverity": "low",
"Created [UTC]": "6/15/2021, 7:29:59.320 AM",
"SrcIpAddr": "10.211.55.3",
"ThreatName": "EICAR-AV-Test",
"EndpointId": "82912e0e-660c-4b84-8e1f-b46c2cd8b041",
"DvcType": "computer",
"EventSubType": "",
"EventEndTime [UTC]": "6/15/2021, 7:29:57.000 AM",
"user_id": "60b88e8dfd5fd40e3b6eaad2",
"customer_id": "84b93e3c-7299-45ef-81ff-a548fb5754a9",
"severity": "low",
"created_at": "6/15/2021, 7:29:59.320 AM",
"source_info_ip": "10.211.55.3",
"threat": "EICAR-AV-Test",
"endpoint_id": "82912e0e-660c-4b84-8e1f-b46c2cd8b041",
"endpoint_type": "computer",
"origin": "",
"when": "6/15/2021, 7:29:57.000 AM",
"amsi_threat_data_processPath_s": "",
"amsi_threat_data_processId_s": "",
"amsi_threat_data_processName_s": "",
"amsi_threat_data_parentProcessId_s": "",
"amsi_threat_data_parentProcessPath_s": "",
"Source": "DESKTOP-420DJQI\\py",
"DvcAction": "Event::Endpoint::Threat::CleanedUp",
"EventMessage": "Malware cleaned up: 'EICAR-AV-Test' at 'h___s://secure.eicar.org/eicar.com'",
"DvcHostname": "DESKTOP-420DJQI",
"EventOriginalUid": "4a892176-fffa-4858-b3f8-db4f04806901",
"ThreatCategory": "MALWARE",
"EventType": "event",
"source": "DESKTOP-420DJQI\\py",
"type": "Event::Endpoint::Threat::CleanedUp",
"name": "Malware cleaned up: 'EICAR-AV-Test' at 'h___s://secure.eicar.org/eicar.com'",
"location": "DESKTOP-420DJQI",
"id": "4a892176-fffa-4858-b3f8-db4f04806901",
"group": "MALWARE",
"datastream": "event",
"Type": "SophosEP_CL",
"_ResourceId": "",
"EventVendor": "Sophos",
"EventProduct": "Endpoint Protection"
},
{
"TenantId": "9143fd29-fe92-43be-93e9-3f0a4bcaeef4",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated [UTC]": "6/15/2021, 8:02:19.705 AM",
"TimeGenerated": "6/15/2021, 8:02:19.705 AM",
"Computer": "",
"RawData": "",
"DstUserSid": "60b88e8dfd5fd40e3b6eaad2",
"CustomerId": "84b93e3c-7299-45ef-81ff-a548fb5754a9",
"EventSeverity": "low",
"Created [UTC]": "6/15/2021, 7:31:12.095 AM",
"SrcIpAddr": "10.211.55.3",
"ThreatName": "",
"EndpointId": "82912e0e-660c-4b84-8e1f-b46c2cd8b041",
"DvcType": "computer",
"EventSubType": "",
"EventEndTime [UTC]": "6/15/2021, 7:31:12.083 AM",
"user_id": "60b88e8dfd5fd40e3b6eaad2",
"customer_id": "84b93e3c-7299-45ef-81ff-a548fb5754a9",
"severity": "low",
"created_at": "6/15/2021, 7:31:12.095 AM",
"source_info_ip": "10.211.55.3",
"threat": "",
"endpoint_id": "82912e0e-660c-4b84-8e1f-b46c2cd8b041",
"endpoint_type": "computer",
"origin": "",
"when": "6/15/2021, 7:31:12.083 AM",
"amsi_threat_data_processPath_s": "",
"amsi_threat_data_processId_s": "",
"amsi_threat_data_processName_s": "",
"amsi_threat_data_parentProcessId_s": "",
"amsi_threat_data_parentProcessPath_s": "",
"Source": "DESKTOP-420DJQI\\py",
"DvcAction": "Event::Endpoint::UpdateSuccess",
"EventMessage": "Update succeeded",
"DvcHostname": "DESKTOP-420DJQI",
"EventOriginalUid": "58da2d35-0822-4926-971a-1c16a3ca53f9",
"ThreatCategory": "UPDATING",
"EventType": "event",
"source": "DESKTOP-420DJQI\\py",
"type": "Event::Endpoint::UpdateSuccess",
"name": "Update succeeded",
"location": "DESKTOP-420DJQI",
"id": "58da2d35-0822-4926-971a-1c16a3ca53f9",
"group": "UPDATING",
"datastream": "event",
"Type": "SophosEP_CL",
"_ResourceId": "",
"EventVendor": "Sophos",