Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Sample Data/Custom/TrendMicro_XDR_WORKBENCH_CL...

307 строки
9.5 KiB
JSON
Исходник Ответственный История

[
{
"priorityScore": 60,
"investigationStatus": 1,
"workbenchName": "Heartbeat Model",
"workbenchId": "WB-2-20200214-0003",
"workbenchLink": "https://THE_WORKBENCH_URL",
"createdTime": "2020-02-14T10:05:09Z",
"updatedTime": "2020-02-15T10:05:09Z",
"severity": "critical",
"alertProvider": "SAE",
"model": "Possible APT Attack",
"description": "Suspicious email followed by a possible backdoor implantation",
"impactScope":
[
{
"entityId": "shockwave\\testAccount1",
"entityType": "account",
"entityValue": "shockwave\\testAccount1",
"relatedEntities":
[
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E",
"sanitized@sanitized.com"
],
"relatedIndicators":
[
4
]
},
{
"entityId": "shockwave\\debbie",
"entityType": "account",
"entityValue": "shockwave\\debbie",
"relatedEntities":
[
"sanitized@sanitized.com"
],
"relatedIndicators":
[
5
]
},
{
"entityId": "testDomain\\testAccount2",
"entityType": "account",
"entityValue": "testDomain\\testAccount2",
"relatedEntities":
[
"sanitized@sanitized.com"
],
"relatedIndicators":
[
5
]
},
{
"entityId": "testAccount3",
"entityType": "account",
"entityValue": "testAccount3",
"relatedEntities":
[
"sanitized@sanitized.com"
],
"relatedIndicators":
[
5
]
},
{
"entityId": "25FA11DA-A24E-40CF-8B56-BAF8828CC15E",
"entityType": "host",
"entityValue":
{
"guid": "25FA11DA-A24E-40CF-8B56-BAF8828CC15E",
"ips":
[
"10.0.0.1",
"10.0.0.2"
],
"name": "test-1"
},
"relatedEntities":
[
"hihi\\shockwave\\debbie"
],
"relatedIndicators":
[
1
]
},
{
"entityId": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E",
"entityType": "host",
"entityValue":
{
"guid": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E",
"ips":
[
"10.0.0.3",
"10.0.0.4"
],
"name": "test-2"
},
"relatedEntities":
[
"shockwave\\debbie"
],
"relatedIndicators":
[
1
]
},
{
"entityId": "sanitized@sanitized.com",
"entityType": "emailAddress",
"entityValue": "sanitized@sanitized.com",
"relatedEntities":
[
"debbie",
"shockwave\\debbie"
],
"relatedIndicators":
[
6
]
},
{
"entityId": "sanitized@sanitized.com",
"entityType": "emailAddress",
"entityValue": "sanitized@sanitized.com",
"relatedEntities":
[],
"relatedIndicators":
[
7
]
}
],
"indicators":
[
{
"id": 1,
"objectType": "process_id",
"objectValue": "6964",
"relatedEntities":
[
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
],
"filterId":
[
"0413d324-816e-4b75-b55c-a849d386a12b"
]
},
{
"filterId":
[
"f862df72-7f5e-4b2b-9f7f-9148e875f908"
],
"id": 1,
"objectType": "command_line",
"objectValue": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
"relatedEntities":
[
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
]
},
{
"filterId":
[
"f862df72-7f5e-4b2b-9f7f-9148e875f909"
],
"id": 1,
"objectType": "command_line",
"objectValue": "c:\\notepad.exe",
"relatedEntities":
[
"35FA11DA-A24E-40CF-8B56-BAF8828CCEEE"
]
},
{
"filterId":
[
"02ea96c9-d3c5-41ff-bb13-126b1b860948"
],
"id": 2,
"objectType": "fullpath",
"objectValue": "c:\\users\\debbie\\appdata\\local\\temp\\ds7002.pdf.lnk",
"relatedEntities":
[
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
]
},
{
"filterId":
[],
"id": 3,
"objectType": "filename",
"objectValue": "ds7002.pdf.lnk",
"relatedEntities":
[
"35FA11DA-A24E-40CF-8B56-BAF8828CC15E"
]
}
],
"matchedRules":
[
{
"id": "5f52d1f1-53e7-411a-b74f-745ee81fa30b",
"matchedFilters":
[
{
"id": "ccf86fc1-688f-4131-a46f-1d7a6ee2f88e",
"mitreTechniques":
[
"T1192"
],
"name": "Possible Spearphishing Link",
"timestamp": "2021-03-31T14:23:37Z"
}
],
"name": "Possible SpearPhishing Email"
},
{
"id": "8c220d1b-15a1-426c-9e82-36189cabfa85",
"matchedFilters":
[
{
"id": "0413d324-816e-4b75-b55c-a849d386a12b",
"mitreTechniques":
[
"T1086"
],
"name": "Uncommon Powershell Parameters Used in Command Line",
"timestamp": "2021-03-31T06:33:57Z"
}
],
"name": "Suspicious powershell parameters"
},
{
"id": "538515e2-a62d-41e2-ad17-e49041b0f418",
"matchedFilters":
[
{
"id": "ac16433d-1bfe-419b-913c-541662e1f8b6",
"mitreTechniques":
[
"T1071"
],
"name": "Rarely Accessed and Noteworthy Domain",
"timestamp": "2021-03-31T06:33:57Z"
}
],
"name": "Suspicious Web Access"
},
{
"id": "81e7dcde-e8f2-4d18-9eca-e4c8a8b3c69e",
"matchedFilters":
[
{
"id": "34e8005e-485c-42b6-8f5b-4bbd7c5b50d7",
"mitreTechniques":
[
"T1060"
],
"name": "Uncommon Run/RunOnce Registry Entry Creation",
"timestamp": "2021-03-31T06:33:57Z"
}
],
"name": "Possible Persistence Implementation"
}
],
"alertTriggerTimestamp": "2020-04-30T00:01:15.000Z",
"workbenchCompleteTimestamp": "2030-04-30T00:01:16Z",
"xdrCustomerID": "8c840873-3145-4e5a-aede-021679ce23d8",
"impactScope_Summary": "{\"desktopCount\": 10, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0}",
"UserAccountNTDomain":
[
"shockwave",
"testDomain"
],
"UserAccountName":
[
"testAccount1",
"debbie",
"testAccount2",
"testAccount3"
],
"HostHostName":
[
"test-1",
"test-2"
],
"ProcessCommandLine":
[
"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
"c:\\notepad.exe"
],
"FileDirectory":
[
"c:\\users\\debbie\\appdata\\local\\temp\\ds7002.pdf.lnk"
],
"FileName":
[
"ds7002.pdf.lnk"
]
}
]
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку