Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Sample Data/Custom/TrendMicro_XDR_CL.json

241 строка
7.5 KiB
JSON
Исходник Ответственный История

{
"alertProvider": "SAE",
"alertTriggerTimestamp": "2020-11-21T02:21:59.494Z",
"description": "A user has accessed a possible spearphishing link embedded in an email message.",
"impactScope": [
{
"entityId": "sam",
"entityType": "account",
"entityValue": "sam",
"relatedEntities": [
"SAM@JAGUAR.ONMICROSOFT.COM"
],
"relatedIndicators": []
},
{
"entityId": "shockwave\\sam",
"entityType": "account",
"entityValue": "shockwave\\sam",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E",
"SAM@JAGUAR.ONMICROSOFT.COM"
],
"relatedIndicators": []
},
{
"entityId": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E",
"entityType": "host",
"entityValue": {
"guid": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E",
"ips": [
"10.10.58.51"
],
"name": "Nimda"
},
"relatedEntities": [
"shockwave\\sam"
],
"relatedIndicators": [
1,
2,
4,
6,
8,
11
]
},
{
"entityId": "SAM@JAGUAR.ONMICROSOFT.COM",
"entityType": "emailAddress",
"entityValue": "sam@jaguar.onmicrosoft.com",
"relatedEntities": [
"sam",
"shockwave\\sam"
],
"relatedIndicators": [
3,
5,
7,
9
]
},
{
"entityId": "TEST_EMAIL@TRENDMICRO.COM",
"entityType": "emailAddress",
"entityValue": "Test_Email@trendmicro.com",
"relatedEntities": [],
"relatedIndicators": [
3,
5,
7
]
}
],
"impactScope_account": "sam",
"impactScope_accounts": "sam, shockwave\\sam",
"impactScope_emailAddress": "sam@jaguar.onmicrosoft.com",
"impactScope_emailAddresss": "sam@jaguar.onmicrosoft.com, test_email@trendmicro.com",
"impactScope_host": "10.10.58.51",
"impactScope_hostGuid": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E",
"impactScope_hostname": "Nimda",
"impactScope_hosts": "10.10.58.51",
"indicators": [
{
"filterId": [
"ac16433d-1bfe-419b-913c-541662e1f8b6"
],
"id": 1,
"objectType": "command_line",
"objectValue": "c:\\program files (x86)\\internet explorer\\iexplore.exe scodef:22092 credat:9620 /prefetch:2",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
]
},
{
"filterId": [
"ac16433d-1bfe-419b-913c-541662e1f8b6"
],
"id": 2,
"objectType": "url",
"objectValue": "http://www.bdfecfitddfg.com/ds8002.zip",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
]
},
{
"filterId": [
"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e"
],
"id": 3,
"objectType": "email_subject",
"objectValue": "[Emergency] Important information",
"relatedEntities": [
"TED_LEE@TRENDMICRO.COM",
"SAM@JAGUARTMPEGGY.ONMICROSOFT.COM"
]
},
{
"filterId": [
"ac16433d-1bfe-419b-913c-541662e1f8b6"
],
"id": 4,
"objectType": "ip",
"objectValue": "10.10.58.51",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
]
},
{
"filterId": [
"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e"
],
"id": 5,
"objectType": "email_message_id",
"objectValue": "<5d70b5da54984d0ea7e8710da1fced60@gmmgr01r>",
"relatedEntities": [
"TED_LEE@TRENDMICRO.COM",
"SAM@JAGUARTMPEGGY.ONMICROSOFT.COM"
]
},
{
"filterId": [
"ac16433d-1bfe-419b-913c-541662e1f8b6"
],
"id": 6,
"objectType": "fullpath",
"objectValue": "c:\\program files (x86)\\internet explorer\\iexplore.exe",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
]
},
{
"filterId": [
"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e"
],
"id": 7,
"objectType": "url",
"objectValue": "http://www.zwtsrsikah.com/ds7002.zip",
"relatedEntities": [
"TED_LEE@TRENDMICRO.COM",
"SAM@JAGUARTMPEGGY.ONMICROSOFT.COM"
]
},
{
"filterId": [
"ac16433d-1bfe-419b-913c-541662e1f8b6"
],
"id": 8,
"objectType": "port",
"objectValue": "80",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
]
},
{
"filterId": [
"ccf86fc1-688f-4131-a46f-1d7a6ee2f88e"
],
"id": 9,
"objectType": "email_sender",
"objectValue": "Ted_Lee@trendmicro.com",
"relatedEntities": [
"SAM@JAGUARTMPEGGY.ONMICROSOFT.COM"
]
},
{
"filterId": [],
"id": 10,
"objectType": "filename",
"objectValue": "iexplore.exe",
"relatedEntities": []
},
{
"filterId": [
"ac16433d-1bfe-419b-913c-541662e1f8b6"
],
"id": 11,
"objectType": "domain",
"objectValue": "www.bdfecfitddfg.com",
"relatedEntities": [
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
]
}
],
"matchedRules": [
{
"id": "538515e2-a62d-41e2-ad17-e49041b0f418",
"matchedFilters": [
{
"id": "ac16433d-1bfe-419b-913c-541662e1f8b6",
"mitreTechniques": [
"T1071"
],
"name": "Rarely Accessed and Noteworthy Domain",
"timestamp": "2020-11-19T03:38:48.000Z"
}
],
"name": "Suspicious Web Access"
},
{
"id": "5f52d1f1-53e7-411a-b74f-745ee81fa30b",
"matchedFilters": [
{
"id": "ccf86fc1-688f-4131-a46f-1d7a6ee2f88e",
"mitreTechniques": [
"T1192"
],
"name": "Possible Spearphishing Link",
"timestamp": "2020-11-19T14:23:37.000Z"
}
],
"name": "Possible SpearPhishing Email"
}
],
"model": "Suspicious Web Access After Suspicious Email",
"modelSeverity": "medium",
"schemaVersion": "1.4",
"score": "33",
"workbenchCompleteTimestamp": "2020-11-21T02:29:02Z",
"workbenchId": "WB-12345-20201121-0005",
"workbenchLink": "https://portal.xdr.trendmicro.com/index.html#/workbench?workbenchId=WB-12345-20201121-0005&ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3"
}
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку