Lookout Mobile Endpoint Security
Overview
Lookout Mobile Endpoint Security is a robust solution designed to protect devices from threats and data breaches in real time. It combines advanced threat intelligence with deep visibility, ensuring that enterprises can secure their mobile environments and maintain compliance effortlessly.
Warning
Important note - This format is currently in beta. We highly value your feedback to improve its performance.
- Supported environment: SaaS
- Detection based on: Alerts, Audit
- Supported application or feature:
  - Device events
  - Threat events
  - Audit logs
Configure
How to create an Application Key
- Log in to the Lookout Mobile Endpoint Protection Console as an administrator.
- Go to System > Application Keys.
- Click GENERATE KEY.
- Type a label name.
- Click Next.
- Copy the Application Key.
Create your intake
- Go to the intake page and create a new intake from the Lookout Mobile Endpoint Security format.
- Use the Application Key generated in the previous step.
Enjoy your events on the Events page.
Event Categories
The following table lists the data source offered by this integration.
Data Source | Description |
---|---|
Third-party application logs | None |
In detail, the following table denotes the type of events produced by this integration.
Name | Values |
---|---|
Kind | `` |
Category | intrusion_detection |
Type | info |
Transformed Events Samples after Ingestion
This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.
{
"message": "{\"id\": \"f3511385-62ff-4664-b8be-1ffb862e715e\", \"enterprise_guid\": \"703d284e-c7dd-4dd0-bd0d-12bfade8095c\", \"created_time\": \"2025-02-20T09:55:18.817+00:00\", \"type\": \"THREAT\", \"change_type\": \"CREATED\", \"threat\": {\"guid\": \"a8da3393-7896-431b-875d-945993cfdbf3\", \"status\": \"OPEN\", \"severity\": \"LOW\", \"type\": \"APPLICATION\", \"classifications\": [\"RISKWARE\"], \"details\": {\"application_name\": \"\\u062f\\u0639\\u0627 \\u0648 \\u0642\\u0631\\u0622\\u0646 \\u0648 \\u0627\\u062f\\u0639\\u06cc\\u0647 \\u0645\\u0646\\u062a\\u062e\\u0628\", \"package_name\": \"com.doa.start\", \"package_sha\": \"ae2a0185c49958a6e7c94282210ce32fddcb837b\", \"path\": \"package://com.doa.start\", \"file_name\": \"com.doa.start\"}}, \"target\": {\"guid\": \"951294c6-d9c9-482b-955c-8879410a76b1\", \"type\": \"THREAT\"}, \"actor\": {\"guid\": \"951294c6-d9c9-482b-955c-8879410a76b1\", \"type\": \"DEVICE\"}}",
"event": {
"agent_id_status": "OPEN",
"category": [
"intrusion_detection"
],
"outcome": "OPEN",
"reason": "com.doa.start",
"type": [
"info"
]
},
"@timestamp": "2025-02-20T09:55:18.817000Z",
"device": {
"id": "951294c6-d9c9-482b-955c-8879410a76b1"
},
"lookout": {
"mes": {
"event": {
"category": "THREAT",
"id": "f3511385-62ff-4664-b8be-1ffb862e715e",
"type": "CREATED"
},
"threat": {
"classifications": [
"RISKWARE"
],
"severity": "LOW",
"type": "APPLICATION"
}
}
},
"organization": {
"id": "703d284e-c7dd-4dd0-bd0d-12bfade8095c"
},
"package": {
"checksum": "ae2a0185c49958a6e7c94282210ce32fddcb837b",
"name": "com.doa.start",
"path": "package://com.doa.start"
}
}
{
"message": "{\"id\": \"1b0f431a-d6a1-469c-84f3-15898217c359\", \"enterprise_guid\": \"703d284e-c7dd-4dd0-bd0d-12bfade8095c\", \"created_time\": \"2025-01-15T11:49:14.479+00:00\", \"type\": \"THREAT\", \"change_type\": \"UPDATED\", \"threat\": {\"guid\": \"4bf60e2a-3bf8-40dd-9088-f3c819c312bc\", \"status\": \"RESOLVED\", \"severity\": \"HIGH\", \"type\": \"APPLICATION\", \"classifications\": [\"TROJAN\"], \"assessments\": [{\"classification\": \"TROJAN\"}, {\"classification\": \"TROJAN\"}], \"details\": {\"application_name\": \"Bank Balance Check All Enquiry\", \"package_name\": \"com.manageyourbank.accountbalancecheck\", \"package_sha\": \"ffd1fcabdd250d9168214fc5cf1a00555bf37d11\", \"path\": \"package://com.manageyourbank.accountbalancecheck\", \"file_name\": \"com.manageyourbank.accountbalancecheck\"}}, \"target\": {\"guid\": \"0bd2deac-7609-4c3b-88fe-9c61d50a0f56\", \"type\": \"THREAT\"}, \"actor\": {\"guid\": \"0bd2deac-7609-4c3b-88fe-9c61d50a0f56\", \"type\": \"DEVICE\"}}",
"event": {
"agent_id_status": "RESOLVED",
"category": [
"intrusion_detection"
],
"outcome": "RESOLVED",
"reason": "com.manageyourbank.accountbalancecheck",
"type": [
"info"
]
},
"@timestamp": "2025-01-15T11:49:14.479000Z",
"device": {
"id": "0bd2deac-7609-4c3b-88fe-9c61d50a0f56"
},
"lookout": {
"mes": {
"event": {
"category": "THREAT",
"id": "1b0f431a-d6a1-469c-84f3-15898217c359",
"type": "UPDATED"
},
"threat": {
"classifications": [
"TROJAN"
],
"severity": "HIGH",
"type": "APPLICATION"
}
}
},
"organization": {
"id": "703d284e-c7dd-4dd0-bd0d-12bfade8095c"
},
"package": {
"checksum": "ffd1fcabdd250d9168214fc5cf1a00555bf37d11",
"name": "com.manageyourbank.accountbalancecheck",
"path": "package://com.manageyourbank.accountbalancecheck"
}
}
{
"message": "{\"id\": \"4c1d4c0a-a5a5-43b6-a9af-2ae2fe6a5a17\", \"enterprise_guid\": \"703d284e-c7dd-4dd0-bd0d-12bfade8095c\", \"created_time\": \"2025-03-02T20:08:28.515+00:00\", \"type\": \"THREAT\", \"change_type\": \"CREATED\", \"threat\": {\"guid\": \"a3c299bf-d008-4b93-aa1a-9f3d6ca2af81\", \"status\": \"OPEN\", \"severity\": \"ADVISORY\", \"type\": \"CONFIGURATION\", \"classifications\": [\"OUT_OF_DATE_ASPL\"], \"details\": {\"minimum_os_version\": \"2025-01-05\", \"version_type\": \"ASPL\"}}, \"target\": {\"guid\": \"583d7b8d-a543-4f8f-a736-0fd46d91c876\", \"type\": \"THREAT\"}, \"actor\": {\"guid\": \"583d7b8d-a543-4f8f-a736-0fd46d91c876\", \"type\": \"DEVICE\"}}",
"event": {
"agent_id_status": "OPEN",
"category": [
"intrusion_detection"
],
"outcome": "OPEN",
"reason": "ASPL",
"type": [
"info"
]
},
"@timestamp": "2025-03-02T20:08:28.515000Z",
"device": {
"id": "583d7b8d-a543-4f8f-a736-0fd46d91c876"
},
"lookout": {
"mes": {
"event": {
"category": "THREAT",
"id": "4c1d4c0a-a5a5-43b6-a9af-2ae2fe6a5a17",
"type": "CREATED"
},
"minimum": {
"os": {
"version": "2025-01-05"
}
},
"threat": {
"classifications": [
"OUT_OF_DATE_ASPL"
],
"external_id": "a3c299bf-d008-4b93-aa1a-9f3d6ca2af81",
"severity": "ADVISORY",
"type": "CONFIGURATION"
}
}
},
"organization": {
"id": "703d284e-c7dd-4dd0-bd0d-12bfade8095c"
}
}
{
"message": "{\"id\": \"b26dfab0-a18e-4f0d-9cbc-bee1ab088ae8\", \"enterprise_guid\": \"703d284e-c7dd-4dd0-bd0d-12bfade8095c\", \"created_time\": \"2025-02-20T09:08:40.714+00:00\", \"type\": \"AUDIT\", \"change_type\": \"PURGED\", \"audit\": {\"type\": \"ENTERPRISE\"}, \"target\": {\"guid\": \"703d284e-c7dd-4dd0-bd0d-12bfade8095c\", \"type\": \"ENTERPRISE\"}, \"actor\": {\"type\": \"SYSTEM\"}}",
"event": {
"action": "PURGED",
"category": [
"intrusion_detection"
],
"type": [
"info"
]
},
"@timestamp": "2025-02-20T09:08:40.714000Z",
"device": {
"id": "703d284e-c7dd-4dd0-bd0d-12bfade8095c"
},
"lookout": {
"mes": {
"audit": {
"type": "ENTERPRISE"
},
"event": {
"category": "AUDIT",
"id": "b26dfab0-a18e-4f0d-9cbc-bee1ab088ae8",
"type": "PURGED"
}
}
},
"organization": {
"id": "703d284e-c7dd-4dd0-bd0d-12bfade8095c"
}
}
{
"message": "{\"id\": \"317b660c-08d0-4a4e-b8b8-e59916711430\", \"enterprise_guid\": \"703d284e-c7dd-4dd0-bd0d-12bfade8095c\", \"created_time\": \"2025-03-03T16:06:07.275+00:00\", \"type\": \"SMISHING_ALERT\", \"change_type\": \"CREATED\", \"target\": {\"guid\": \"cc4d037a-9246-4fdf-8abb-4bf8b20bf905\", \"type\": \"SMISHING_ALERT\"}, \"actor\": {\"guid\": \"cc4d037a-9246-4fdf-8abb-4bf8b20bf905\", \"type\": \"DEVICE\"}, \"smishing_alert\": {\"guid\": \"7b274c48-f82a-4e69-b683-28c0abcdf5fc\", \"detections\": [{\"category\": \"CEO_FRAUD\", \"alert_type\": \"FRAUD_DETECTION\", \"impersonated_employee\": \"John Doe\"}]}}",
"event": {
"category": [
"intrusion_detection"
],
"type": [
"info"
]
},
"@timestamp": "2025-03-03T16:06:07.275000Z",
"device": {
"id": "cc4d037a-9246-4fdf-8abb-4bf8b20bf905"
},
"lookout": {
"mes": {
"event": {
"category": "SMISHING_ALERT",
"id": "317b660c-08d0-4a4e-b8b8-e59916711430",
"type": "CREATED"
},
"threat": {
"classifications": "CEO_FRAUD",
"external_id": "7b274c48-f82a-4e69-b683-28c0abcdf5fc"
}
}
},
"organization": {
"id": "703d284e-c7dd-4dd0-bd0d-12bfade8095c"
}
}
{
"message": "{\"id\": \"706776f8-fd4c-46be-9385-18ac353259b9\", \"enterprise_guid\": \"ba452537-0aa3-4e14-b0aa-7669165a0b16\", \"created_time\": \"2025-02-24T09:59:04.734+00:00\", \"type\": \"DEVICE\", \"change_type\": \"UPDATED\", \"device\": {\"guid\": \"f1557f3b-f90a-4260-a7c5-5a7bf975524c\", \"platform\": \"ANDROID\", \"profile_type\": \"WORK\", \"info\": {\"external_id\": \"33184684-d443-4db2-a6ca-88b78df8f1e7\", \"mdm_connector_id\": \"432293\"}, \"status\": {\"security_status\": \"SECURE\", \"activation_status\": \"ACTIVATED\", \"protection_status\": \"PROTECTED\"}, \"hardware\": {\"manufacturer\": \"samsung\", \"model\": \"sm-a346b\"}, \"software\": {\"os_version\": \"14\", \"sdk_version\": \"34\", \"security_patch_level\": \"2025-02-01\"}, \"client\": {\"ota_version\": \"1739993983036\", \"package_name\": \"com.lookout.enterprise\", \"package_version\": \"9.1.1.1517\"}, \"parent_status\": {\"parent_device_guid\": \"72ce7979-5b9c-4894-88ab-43aaed97fd1d\", \"activation_status\": \"ACTIVATED\", \"security_status\": \"SECURE\", \"protection_status\": \"PROTECTED\"}}, \"target\": {\"guid\": \"5ee38df4-7b1d-466d-820f-e2e5e1e0d664\", \"type\": \"DEVICE\"}, \"actor\": {\"guid\": \"5ee38df4-7b1d-466d-820f-e2e5e1e0d664\", \"type\": \"DEVICE\"}}",
"event": {
"category": [
"intrusion_detection"
],
"type": [
"info"
]
},
"@timestamp": "2025-02-24T09:59:04.734000Z",
"device": {
"id": "5ee38df4-7b1d-466d-820f-e2e5e1e0d664",
"manufacturer": "samsung",
"model": {
"identifier": "sm-a346b"
}
},
"host": {
"os": {
"platform": "ANDROID",
"version": "14"
}
},
"lookout": {
"mes": {
"android": {
"profile": {
"type": "WORK"
}
},
"event": {
"category": "DEVICE",
"id": "706776f8-fd4c-46be-9385-18ac353259b9",
"type": "UPDATED"
}
}
},
"organization": {
"id": "ba452537-0aa3-4e14-b0aa-7669165a0b16"
},
"package": {
"name": "com.lookout.enterprise",
"version": "9.1.1.1517"
}
}
{
"message": "{\"id\": \"e5a77984-1233-4732-af0e-5850df6ae2db\", \"enterprise_guid\": \"703d284e-c7dd-4dd0-bd0d-12bfade8095c\", \"created_time\": \"2025-01-15T12:00:29.723+00:00\", \"type\": \"THREAT\", \"change_type\": \"CREATED\", \"threat\": {\"guid\": \"efb04bc3-6875-4c4e-bbe5-04080d989a08\", \"status\": \"RESOLVED\", \"severity\": \"HIGH\", \"type\": \"WEB_CONTENT\", \"classifications\": [\"MALICIOUS_CONTENT\"], \"details\": {\"url\": \"malicousdomain.com\", \"reason\": \"MALICIOUS\", \"response\": \"BLOCKED\", \"reputation\": 0.1}}, \"target\": {\"guid\": \"8595b5c2-e78b-494a-b0fa-9ab37431589e\", \"type\": \"THREAT\"}, \"actor\": {\"guid\": \"8595b5c2-e78b-494a-b0fa-9ab37431589e\", \"type\": \"DEVICE\"}}",
"event": {
"action": "BLOCKED",
"agent_id_status": "RESOLVED",
"category": [
"intrusion_detection"
],
"reason": "MALICIOUS",
"type": [
"info"
]
},
"@timestamp": "2025-01-15T12:00:29.723000Z",
"device": {
"id": "8595b5c2-e78b-494a-b0fa-9ab37431589e"
},
"lookout": {
"mes": {
"event": {
"category": "THREAT",
"id": "e5a77984-1233-4732-af0e-5850df6ae2db",
"type": "CREATED"
},
"threat": {
"classifications": [
"MALICIOUS_CONTENT"
],
"external_id": "efb04bc3-6875-4c4e-bbe5-04080d989a08",
"severity": "HIGH",
"type": "WEB_CONTENT"
}
}
},
"organization": {
"id": "703d284e-c7dd-4dd0-bd0d-12bfade8095c"
},
"url": {
"original": "malicousdomain.com",
"path": "malicousdomain.com"
}
}
{
"message": "{\"id\": \"d25481e8-b598-4618-a21e-19ecba109e68\", \"enterprise_guid\": \"703d284e-c7dd-4dd0-bd0d-12bfade8095c\", \"created_time\": \"2025-02-20T11:51:18.646+00:00\", \"type\": \"THREAT\", \"change_type\": \"CREATED\", \"threat\": {\"guid\": \"fe8480db-4da1-49d6-b950-7f71a18fd36f\", \"status\": \"OPEN\", \"severity\": \"ADVISORY\", \"type\": \"FILE\", \"classifications\": [\"VULNERABILITY\"], \"details\": {\"path\": \"file:///sdcard/Download/com.whatsapp.apk\", \"file_name\": \"com.whatsapp.apk\"}}, \"target\": {\"guid\": \"e98bfb45-5615-4cd5-bf2e-266178629549\", \"type\": \"THREAT\"}, \"actor\": {\"guid\": \"e98bfb45-5615-4cd5-bf2e-266178629549\", \"type\": \"DEVICE\"}}",
"event": {
"agent_id_status": "OPEN",
"category": [
"intrusion_detection"
],
"outcome": "OPEN",
"reason": "com.whatsapp.apk",
"type": [
"info"
]
},
"@timestamp": "2025-02-20T11:51:18.646000Z",
"device": {
"id": "e98bfb45-5615-4cd5-bf2e-266178629549"
},
"lookout": {
"mes": {
"event": {
"category": "THREAT",
"id": "d25481e8-b598-4618-a21e-19ecba109e68",
"type": "CREATED"
},
"threat": {
"classifications": [
"VULNERABILITY"
],
"severity": "ADVISORY",
"type": "FILE"
}
}
},
"organization": {
"id": "703d284e-c7dd-4dd0-bd0d-12bfade8095c"
},
"package": {
"name": "com.whatsapp.apk",
"path": "file:///sdcard/Download/com.whatsapp.apk"
}
}
{
"message": "{\"id\": \"d06ac859-b42a-472d-8ffc-7cf884d72779\", \"enterprise_guid\": \"703d284e-c7dd-4dd0-bd0d-12bfade8095c\", \"created_time\": \"2025-02-20T12:10:20.204+00:00\", \"type\": \"THREAT\", \"change_type\": \"CREATED\", \"threat\": {\"guid\": \"2238d841-5d7e-4768-9d49-cfd89e28c14f\", \"status\": \"OPEN\", \"severity\": \"ADVISORY\", \"type\": \"NETWORK\", \"classifications\": [\"PORT_SCAN\"], \"details\": {}}, \"target\": {\"guid\": \"03ff47c2-fe85-4cd2-b8af-39908198ae19\", \"type\": \"THREAT\"}, \"actor\": {\"guid\": \"03ff47c2-fe85-4cd2-b8af-39908198ae19\", \"type\": \"DEVICE\"}}",
"event": {
"agent_id_status": "OPEN",
"category": [
"intrusion_detection"
],
"outcome": "OPEN",
"type": [
"info"
]
},
"@timestamp": "2025-02-20T12:10:20.204000Z",
"device": {
"id": "03ff47c2-fe85-4cd2-b8af-39908198ae19"
},
"lookout": {
"mes": {
"event": {
"category": "THREAT",
"id": "d06ac859-b42a-472d-8ffc-7cf884d72779",
"type": "CREATED"
},
"threat": {
"classifications": [
"PORT_SCAN"
],
"external_id": "2238d841-5d7e-4768-9d49-cfd89e28c14f",
"severity": "ADVISORY",
"type": "NETWORK"
}
}
},
"organization": {
"id": "703d284e-c7dd-4dd0-bd0d-12bfade8095c"
}
}
{
"message": "{\"id\": \"16b028cf-41f3-4a7f-b77c-a6610b15d6e4\", \"enterprise_guid\": \"703d284e-c7dd-4dd0-bd0d-12bfade8095c\", \"created_time\": \"2025-02-20T12:10:22.507+00:00\", \"type\": \"THREAT\", \"change_type\": \"UPDATED\", \"threat\": {\"guid\": \"b436c2d3-1cb8-4197-9c29-22378992dd37\", \"status\": \"RESOLVED\", \"severity\": \"ADVISORY\", \"type\": \"NETWORK\", \"classifications\": [\"PORT_SCAN\"], \"assessments\": [{\"classification\": \"PORT_SCAN\"}, {\"classification\": \"PORT_SCAN\"}], \"details\": {}}, \"target\": {\"guid\": \"f25de64e-c2e4-4a73-bd92-533e8e3644ce\", \"type\": \"THREAT\"}, \"actor\": {\"guid\": \"f25de64e-c2e4-4a73-bd92-533e8e3644ce\", \"type\": \"DEVICE\"}}",
"event": {
"agent_id_status": "RESOLVED",
"category": [
"intrusion_detection"
],
"outcome": "RESOLVED",
"type": [
"info"
]
},
"@timestamp": "2025-02-20T12:10:22.507000Z",
"device": {
"id": "f25de64e-c2e4-4a73-bd92-533e8e3644ce"
},
"lookout": {
"mes": {
"event": {
"category": "THREAT",
"id": "16b028cf-41f3-4a7f-b77c-a6610b15d6e4",
"type": "UPDATED"
},
"threat": {
"classifications": [
"PORT_SCAN"
],
"external_id": "b436c2d3-1cb8-4197-9c29-22378992dd37",
"severity": "ADVISORY",
"type": "NETWORK"
}
}
},
"organization": {
"id": "703d284e-c7dd-4dd0-bd0d-12bfade8095c"
}
}
{
"message": "{\"id\": \"7cbc318b-13a5-4b31-8ba9-d5434754c749\", \"enterprise_guid\": \"703d284e-c7dd-4dd0-bd0d-12bfade8095c\", \"created_time\": \"2025-03-03T04:56:26.265+00:00\", \"type\": \"THREAT\", \"change_type\": \"CREATED\", \"threat\": {\"guid\": \"1ac559e8-e876-4aa9-8608-b8f25f22d76f\", \"status\": \"OPEN\", \"severity\": \"ADVISORY\", \"type\": \"CONFIGURATION\", \"classifications\": [\"PCP_PAUSED\"], \"details\": {}}, \"target\": {\"guid\": \"0a3b5fdb-ec8d-48b0-843f-ce934c2a656e\", \"type\": \"THREAT\"}, \"actor\": {\"guid\": \"0a3b5fdb-ec8d-48b0-843f-ce934c2a656e\", \"type\": \"DEVICE\"}}",
"event": {
"agent_id_status": "OPEN",
"category": [
"intrusion_detection"
],
"outcome": "OPEN",
"type": [
"info"
]
},
"@timestamp": "2025-03-03T04:56:26.265000Z",
"device": {
"id": "0a3b5fdb-ec8d-48b0-843f-ce934c2a656e"
},
"lookout": {
"mes": {
"event": {
"category": "THREAT",
"id": "7cbc318b-13a5-4b31-8ba9-d5434754c749",
"type": "CREATED"
},
"threat": {
"classifications": [
"PCP_PAUSED"
],
"external_id": "1ac559e8-e876-4aa9-8608-b8f25f22d76f",
"severity": "ADVISORY",
"type": "CONFIGURATION"
}
}
},
"organization": {
"id": "703d284e-c7dd-4dd0-bd0d-12bfade8095c"
}
}
{
"message": "{\"id\": \"2b1f5972-ee6d-4192-89a4-f79ae2b0df77\", \"enterprise_guid\": \"703d284e-c7dd-4dd0-bd0d-12bfade8095c\", \"created_time\": \"2025-02-20T10:02:18.317+00:00\", \"type\": \"THREAT\", \"change_type\": \"UPDATED\", \"threat\": {\"guid\": \"38607353-62bd-4ebf-962b-4bd248165211\", \"status\": \"RESOLVED\", \"severity\": \"LOW\", \"type\": \"APPLICATION\", \"classifications\": [\"RISKWARE\"], \"assessments\": [{\"classification\": \"RISKWARE\"}, {\"classification\": \"RISKWARE\"}], \"details\": {\"application_name\": \"\\u062f\\u0639\\u0627 \\u0648 \\u0642\\u0631\\u0622\\u0646 \\u0648 \\u0627\\u062f\\u0639\\u06cc\\u0647 \\u0645\\u0646\\u062a\\u062e\\u0628\", \"package_name\": \"com.doa.start\", \"package_sha\": \"ae2a0185c49958a6e7c94282210ce32fddcb837b\", \"path\": \"package://com.doa.start\", \"file_name\": \"com.doa.start\"}}, \"target\": {\"guid\": \"a2cf0007-ffe8-4775-9a22-019a04485b0d\", \"type\": \"THREAT\"}, \"actor\": {\"guid\": \"a2cf0007-ffe8-4775-9a22-019a04485b0d\", \"type\": \"DEVICE\"}}",
"event": {
"agent_id_status": "RESOLVED",
"category": [
"intrusion_detection"
],
"outcome": "RESOLVED",
"reason": "com.doa.start",
"type": [
"info"
]
},
"@timestamp": "2025-02-20T10:02:18.317000Z",
"device": {
"id": "a2cf0007-ffe8-4775-9a22-019a04485b0d"
},
"lookout": {
"mes": {
"event": {
"category": "THREAT",
"id": "2b1f5972-ee6d-4192-89a4-f79ae2b0df77",
"type": "UPDATED"
},
"threat": {
"classifications": [
"RISKWARE"
],
"severity": "LOW",
"type": "APPLICATION"
}
}
},
"organization": {
"id": "703d284e-c7dd-4dd0-bd0d-12bfade8095c"
},
"package": {
"checksum": "ae2a0185c49958a6e7c94282210ce32fddcb837b",
"name": "com.doa.start",
"path": "package://com.doa.start"
}
}
{
"message": "{\"id\": \"5e47b89b-dfb5-4547-b8ad-ae5e946160a5\", \"enterprise_guid\": \"703d284e-c7dd-4dd0-bd0d-12bfade8095c\", \"created_time\": \"2025-02-20T09:07:02.385+00:00\", \"type\": \"THREAT\", \"change_type\": \"CREATED\", \"threat\": {\"guid\": \"626ebc9c-9948-4ada-a9f2-e5b7fb6b99c6\", \"status\": \"OPEN\", \"severity\": \"ADVISORY\", \"type\": \"CONFIGURATION\", \"classifications\": [\"PCP_PAUSED\"], \"details\": {}}, \"target\": {\"guid\": \"ffe8cb32-3c82-46f4-9bf3-38627bebb698\", \"type\": \"THREAT\"}, \"actor\": {\"guid\": \"ffe8cb32-3c82-46f4-9bf3-38627bebb698\", \"type\": \"DEVICE\"}}",
"event": {
"agent_id_status": "OPEN",
"category": [
"intrusion_detection"
],
"outcome": "OPEN",
"type": [
"info"
]
},
"@timestamp": "2025-02-20T09:07:02.385000Z",
"device": {
"id": "ffe8cb32-3c82-46f4-9bf3-38627bebb698"
},
"lookout": {
"mes": {
"event": {
"category": "THREAT",
"id": "5e47b89b-dfb5-4547-b8ad-ae5e946160a5",
"type": "CREATED"
},
"threat": {
"classifications": [
"PCP_PAUSED"
],
"external_id": "626ebc9c-9948-4ada-a9f2-e5b7fb6b99c6",
"severity": "ADVISORY",
"type": "CONFIGURATION"
}
}
},
"organization": {
"id": "703d284e-c7dd-4dd0-bd0d-12bfade8095c"
}
}
{
"message": "{\"id\": \"adf77529-633d-40f9-9e7d-361568584c6b\", \"enterprise_guid\": \"703d284e-c7dd-4dd0-bd0d-12bfade8095c\", \"created_time\": \"2025-02-24T05:50:01.726+00:00\", \"type\": \"THREAT\", \"change_type\": \"UPDATED\", \"threat\": {\"guid\": \"755c874a-48a9-4157-af4b-e5c41bb592aa\", \"status\": \"OPEN\", \"severity\": \"MEDIUM\", \"type\": \"CONFIGURATION\", \"classifications\": [\"PCP_PAUSED\"], \"assessments\": [{\"classification\": \"PCP_PAUSED\"}, {\"classification\": \"PCP_PAUSED\"}], \"details\": {}}, \"target\": {\"guid\": \"4b916651-5488-42d8-bd38-c3d0d78a102c\", \"type\": \"THREAT\"}, \"actor\": {\"type\": \"SYSTEM\"}}",
"event": {
"agent_id_status": "OPEN",
"category": [
"intrusion_detection"
],
"outcome": "OPEN",
"type": [
"info"
]
},
"@timestamp": "2025-02-24T05:50:01.726000Z",
"device": {
"id": "4b916651-5488-42d8-bd38-c3d0d78a102c"
},
"lookout": {
"mes": {
"event": {
"category": "THREAT",
"id": "adf77529-633d-40f9-9e7d-361568584c6b",
"type": "UPDATED"
},
"threat": {
"classifications": [
"PCP_PAUSED"
],
"external_id": "755c874a-48a9-4157-af4b-e5c41bb592aa",
"severity": "MEDIUM",
"type": "CONFIGURATION"
}
}
},
"organization": {
"id": "703d284e-c7dd-4dd0-bd0d-12bfade8095c"
}
}
{
"message": "{\"id\": \"f7fbe152-90a6-4c61-827c-4b3cb864fc62\", \"enterprise_guid\": \"703d284e-c7dd-4dd0-bd0d-12bfade8095c\", \"created_time\": \"2025-02-20T10:32:11.643+00:00\", \"type\": \"SMISHING_ALERT\", \"change_type\": \"CREATED\", \"target\": {\"guid\": \"2b4b2c10-68a0-4f10-a34e-8ef57299625c\", \"type\": \"SMISHING_ALERT\"}, \"actor\": {\"guid\": \"2b4b2c10-68a0-4f10-a34e-8ef57299625c\", \"type\": \"DEVICE\"}, \"smishing_alert\": {\"guid\": \"ab2bd1d7-63d6-4659-9128-2030fec86aa4\", \"detections\": [{\"category\": \"EMBEDDED_PHISHING_URL\", \"alert_type\": \"URL_DETECTION\", \"original_url\": \"https://bit.ly/3Bl9YE7\"}]}}",
"event": {
"category": [
"intrusion_detection"
],
"type": [
"info"
]
},
"@timestamp": "2025-02-20T10:32:11.643000Z",
"device": {
"id": "2b4b2c10-68a0-4f10-a34e-8ef57299625c"
},
"lookout": {
"mes": {
"event": {
"category": "SMISHING_ALERT",
"id": "f7fbe152-90a6-4c61-827c-4b3cb864fc62",
"type": "CREATED"
},
"threat": {
"classifications": "EMBEDDED_PHISHING_URL",
"external_id": "ab2bd1d7-63d6-4659-9128-2030fec86aa4"
}
}
},
"organization": {
"id": "703d284e-c7dd-4dd0-bd0d-12bfade8095c"
},
"url": {
"domain": "bit.ly",
"original": "https://bit.ly/3Bl9YE7",
"path": "/3Bl9YE7",
"port": 443,
"registered_domain": "bit.ly",
"scheme": "https",
"top_level_domain": "ly"
}
}
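As an added illustration of the transformation shown in the samples above (example code, not Sekoia's parser and not Lookout's code), the following Python models the mapping from the raw `message` JSON to the normalized fields. `normalize`, `_threat_fields` and `_url_fields` are this example's own names, and two parser details are simplified: `external_id` is always emitted (the samples omit it for some threat types) and `registered_domain` is derived from the last two labels rather than the public suffix list.

```python
# Added example (not Sekoia's or Lookout's parser): a readable model of the mapping from a raw
# Lookout MES event (the `message` string) to the fields shown above; some cases are simplified.
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit

SCHEME_PORTS = {"https": 443, "http": 80}


def _timestamp(value: str) -> str:
    # "2025-02-20T09:55:18.817+00:00" -> "2025-02-20T09:55:18.817000Z"
    dt = datetime.fromisoformat(value).astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def _url_fields(url: str) -> dict:
    # A bare hostname (no scheme) lands in `path`, as in the WEB_CONTENT sample above.
    # Simplification: registered_domain = last two labels (real parsers use the public suffix list).
    parts = urlsplit(url)
    fields = {"original": url, "path": parts.path or url}
    if parts.scheme and parts.hostname:
        labels = parts.hostname.split(".")
        fields.update(scheme=parts.scheme, domain=parts.hostname, top_level_domain=labels[-1],
                      registered_domain=".".join(labels[-2:]),
                      port=parts.port or SCHEME_PORTS.get(parts.scheme))
    return fields


def _threat_fields(out: dict, threat: dict) -> None:
    out["event"].update(agent_id_status=threat["status"], outcome=threat["status"])
    out["lookout"]["mes"]["threat"] = {
        "classifications": threat.get("classifications", []),
        "external_id": threat["guid"],  # simplification: the samples omit it for some types
        "severity": threat["severity"],
        "type": threat["type"],
    }
    d = threat.get("details", {})
    if threat["type"] in ("APPLICATION", "FILE"):
        # Installed apps carry a package name and SHA; a sideloaded file only a path and name.
        out["package"] = {"name": d.get("package_name") or d.get("file_name"), "path": d.get("path")}
        if "package_sha" in d:
            out["package"]["checksum"] = d["package_sha"]
        out["event"]["reason"] = d.get("file_name")
    elif threat["type"] == "WEB_CONTENT":
        out["url"] = _url_fields(d["url"])
        out["event"].update(action=d["response"], reason=d["reason"])
    elif threat["type"] == "CONFIGURATION" and "minimum_os_version" in d:
        out["lookout"]["mes"]["minimum"] = {"os": {"version": d["minimum_os_version"]}}
        out["event"]["reason"] = d["version_type"]


def normalize(raw_message: str) -> dict:
    """Map one raw Lookout MES event (the JSON string in `message`) to ECS-style fields."""
    src = json.loads(raw_message)
    out = {
        "@timestamp": _timestamp(src["created_time"]),
        "event": {"category": ["intrusion_detection"], "type": ["info"]},
        "organization": {"id": src["enterprise_guid"]},
        "lookout": {"mes": {"event": {"category": src["type"], "id": src["id"],
                                      "type": src["change_type"]}}},
    }
    if "guid" in src.get("target", {}):  # device.id comes from target.guid in every sample
        out["device"] = {"id": src["target"]["guid"]}
    if "threat" in src:
        _threat_fields(out, src["threat"])
    elif "audit" in src:
        out["event"]["action"] = src["change_type"]
        out["lookout"]["mes"]["audit"] = {"type": src["audit"]["type"]}
    elif "smishing_alert" in src:
        alert = src["smishing_alert"]
        det = alert["detections"][0] if alert.get("detections") else {}
        out["lookout"]["mes"]["threat"] = {"classifications": det.get("category"),
                                           "external_id": alert["guid"]}
        if "original_url" in det:
            out["url"] = _url_fields(det["original_url"])
    elif "device" in src:
        dev = src["device"]
        out.setdefault("device", {}).update(manufacturer=dev["hardware"]["manufacturer"],
                                            model={"identifier": dev["hardware"]["model"]})
        out["host"] = {"os": {"platform": dev["platform"], "version": dev["software"]["os_version"]}}
        out["lookout"]["mes"]["android"] = {"profile": {"type": dev["profile_type"]}}
        out["package"] = {"name": dev["client"]["package_name"],
                          "version": dev["client"]["package_version"]}
    return out


# Raw event taken from the TROJAN sample above, trimmed to the keys the mapping reads.
SAMPLE_TROJAN = json.dumps({
    "id": "1b0f431a-d6a1-469c-84f3-15898217c359",
    "enterprise_guid": "703d284e-c7dd-4dd0-bd0d-12bfade8095c",
    "created_time": "2025-01-15T11:49:14.479+00:00", "type": "THREAT", "change_type": "UPDATED",
    "threat": {"guid": "4bf60e2a-3bf8-40dd-9088-f3c819c312bc", "status": "RESOLVED",
               "severity": "HIGH", "type": "APPLICATION", "classifications": ["TROJAN"],
               "details": {"package_name": "com.manageyourbank.accountbalancecheck",
                           "package_sha": "ffd1fcabdd250d9168214fc5cf1a00555bf37d11",
                           "path": "package://com.manageyourbank.accountbalancecheck",
                           "file_name": "com.manageyourbank.accountbalancecheck"}},
    "target": {"guid": "0bd2deac-7609-4c3b-88fe-9c61d50a0f56", "type": "THREAT"},
})
```

Running `normalize(SAMPLE_TROJAN)` reproduces the `event`, `device`, `package`, `organization` and `lookout.mes` fields of the second sample above.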
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that inferred fields are not listed.
Name | Type | Description |
---|---|---|
@timestamp | date | Date/time when the event originated. |
destination.mac | keyword | MAC address of the destination. |
event.action | keyword | The action captured by the event. |
event.agent_id_status | keyword | Validation status of the event's agent.id field. |
event.category | keyword | Event category. The second categorization field in the hierarchy. |
event.outcome | keyword | The outcome of the event. The lowest level categorization field in the hierarchy. |
event.reason | keyword | Reason why this event happened, according to the source. |
event.type | keyword | Event type. The third categorization field in the hierarchy. |
host.os.platform | keyword | Operating system platform (such as centos, ubuntu, windows). |
host.os.version | keyword | Operating system version as a raw string. |
lookout.mes.android.profile.type | keyword | Android profile type: Personal or Work Profile |
lookout.mes.audit.type | keyword | Audit action |
lookout.mes.event.category | keyword | Lookout event category |
lookout.mes.event.id | keyword | Lookout Event ID |
lookout.mes.event.type | keyword | Lookout event change type |
lookout.mes.minimum.os.version | keyword | Minimum ASPL version |
lookout.mes.threat.classifications | keyword | Classifications of the threat |
lookout.mes.threat.external_id | keyword | Identifier of the threat |
lookout.mes.threat.severity | keyword | Threat severity level |
lookout.mes.threat.type | keyword | Type of detection |
network.name | keyword | Name given by operators to sections of their network. |
organization.id | keyword | Unique identifier for the organization. |
package.checksum | keyword | Checksum of the installed package for verification. |
package.name | keyword | Package name |
package.path | keyword | Path where the package is installed. |
package.version | keyword | Package version |
url.original | wildcard | Unmodified original url as seen in the event source. |
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.
Detection section
The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.
No related built-in rules were found. This message is automatically generated.
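Since no built-in rule ships for this intake, here is an added example (not a Sekoia rule, and not code from Lookout) of custom detection logic written against the extracted fields listed above. `evaluate`, `OpenThreatTracker`, the rule names and the severity threshold are this example's own choices; the sample events are trimmed from the page's samples plus one constructed RESOLVED update.

```python
# Added example: custom detection logic over the normalized events shown on this page.
# Not a Sekoia built-in rule; rule names, severities and keys are this example's own choices.
from dataclasses import dataclass

ACTIONABLE_SEVERITIES = {"HIGH", "MEDIUM"}


def get(ev: dict, dotted: str, default=None):
    """Read a nested field by its ECS dotted name, e.g. get(ev, "lookout.mes.threat.severity")."""
    cur = ev
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def classifications(ev: dict) -> set:
    # The field is a list for THREAT events but a bare string for SMISHING_ALERT events.
    value = get(ev, "lookout.mes.threat.classifications", [])
    return {value} if isinstance(value, str) else set(value)


@dataclass(frozen=True)
class Finding:
    rule: str
    device_id: str
    detail: str


def evaluate(ev: dict) -> list:
    """Apply the example rules to one normalized event and return the findings it triggers."""
    device = get(ev, "device.id", "unknown")
    ttype = get(ev, "lookout.mes.threat.type")
    severity = get(ev, "lookout.mes.threat.severity")
    outcome = get(ev, "event.outcome")
    cls = classifications(ev)
    found = []
    if outcome == "OPEN" and severity in ACTIONABLE_SEVERITIES:
        found.append(Finding("open_actionable_threat", device, f"{ttype} {severity} {sorted(cls)}"))
    if ttype == "APPLICATION" and "TROJAN" in cls:
        # Fires even when already RESOLVED: the app was on the device and deserves a ticket.
        found.append(Finding("trojan_app_seen", device, get(ev, "package.name", "")))
    if get(ev, "lookout.mes.event.category") == "SMISHING_ALERT":
        found.append(Finding("smishing_alert", device, get(ev, "url.original") or ",".join(sorted(cls))))
    if "PCP_PAUSED" in cls and outcome == "OPEN":
        found.append(Finding("protection_paused", device, "Lookout protection paused on device"))
    return found


class OpenThreatTracker:
    """Track still-open threats per device so a later RESOLVED update closes the earlier one."""

    def __init__(self):
        self.open = {}  # device.id -> set of (threat type, classifications, subject)

    def observe(self, ev: dict) -> None:
        if get(ev, "lookout.mes.event.category") != "THREAT":
            return
        key = (get(ev, "lookout.mes.threat.type"), ",".join(sorted(classifications(ev))),
               get(ev, "package.name") or get(ev, "url.original") or "")
        bucket = self.open.setdefault(get(ev, "device.id"), set())
        if get(ev, "event.outcome") == "OPEN":
            bucket.add(key)
        else:
            bucket.discard(key)

    def open_count(self, device_id: str) -> int:
        return len(self.open.get(device_id, ()))


def threat(device_id, ttype, cls, severity, outcome, **extra) -> dict:
    # Build a normalized THREAT event carrying just the fields the rules read.
    ev = {"device": {"id": device_id}, "event": {"outcome": outcome},
          "lookout": {"mes": {"event": {"category": "THREAT"},
                              "threat": {"classifications": cls, "severity": severity, "type": ttype}}}}
    ev.update(extra)
    return ev


# Trimmed from the samples above, plus one constructed RESOLVED update for the paused device.
SAMPLE_STREAM = [
    threat("0bd2deac-7609-4c3b-88fe-9c61d50a0f56", "APPLICATION", ["TROJAN"], "HIGH", "RESOLVED",
           package={"name": "com.manageyourbank.accountbalancecheck"}),
    threat("4b916651-5488-42d8-bd38-c3d0d78a102c", "CONFIGURATION", ["PCP_PAUSED"], "MEDIUM", "OPEN"),
    threat("4b916651-5488-42d8-bd38-c3d0d78a102c", "CONFIGURATION", ["PCP_PAUSED"], "MEDIUM", "RESOLVED"),
    {"device": {"id": "2b4b2c10-68a0-4f10-a34e-8ef57299625c"}, "url": {"original": "https://bit.ly/3Bl9YE7"},
     "lookout": {"mes": {"event": {"category": "SMISHING_ALERT"},
                         "threat": {"classifications": "EMBEDDED_PHISHING_URL"}}}},
]


def run(stream) -> tuple:
    """Evaluate a stream of normalized events; return (findings, tracker)."""
    tracker = OpenThreatTracker()
    findings = []
    for ev in stream:
        findings.extend(evaluate(ev))
        tracker.observe(ev)
    return findings, tracker
```

`run(SAMPLE_STREAM)` yields four findings, and the tracker ends with no open threat for the paused device because the constructed RESOLVED update closes it.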
},
"package": {
"name": "com.lookout.enterprise",
"version": "9.1.1.1517"
}
}
{
"message": "{\"id\": \"e5a77984-1233-4732-af0e-5850df6ae2db\", \"enterprise_guid\": \"703d284e-c7dd-4dd0-bd0d-12bfade8095c\", \"created_time\": \"2025-01-15T12:00:29.723+00:00\", \"type\": \"THREAT\", \"change_type\": \"CREATED\", \"threat\": {\"guid\": \"efb04bc3-6875-4c4e-bbe5-04080d989a08\", \"status\": \"RESOLVED\", \"severity\": \"HIGH\", \"type\": \"WEB_CONTENT\", \"classifications\": [\"MALICIOUS_CONTENT\"], \"details\": {\"url\": \"malicousdomain.com\", \"reason\": \"MALICIOUS\", \"response\": \"BLOCKED\", \"reputation\": 0.1}}, \"target\": {\"guid\": \"8595b5c2-e78b-494a-b0fa-9ab37431589e\", \"type\": \"THREAT\"}, \"actor\": {\"guid\": \"8595b5c2-e78b-494a-b0fa-9ab37431589e\", \"type\": \"DEVICE\"}}",
"event": {
"action": "BLOCKED",
"agent_id_status": "RESOLVED",
"category": [
"intrusion_detection"
],
"reason": "MALICIOUS",
"type": [
"info"
]
},
"@timestamp": "2025-01-15T12:00:29.723000Z",
"device": {
"id": "8595b5c2-e78b-494a-b0fa-9ab37431589e"
},
"lookout": {
"mes": {
"event": {
"category": "THREAT",
"id": "e5a77984-1233-4732-af0e-5850df6ae2db",
"type": "CREATED"
},
"threat": {
"classifications": [
"MALICIOUS_CONTENT"
],
"external_id": "efb04bc3-6875-4c4e-bbe5-04080d989a08",
"severity": "HIGH",
"type": "WEB_CONTENT"
}
}
},
"organization": {
"id": "703d284e-c7dd-4dd0-bd0d-12bfade8095c"
},
"url": {
"original": "malicousdomain.com",
"path": "malicousdomain.com"
}
}
{
"message": "{\"id\": \"d25481e8-b598-4618-a21e-19ecba109e68\", \"enterprise_guid\": \"703d284e-c7dd-4dd0-bd0d-12bfade8095c\", \"created_time\": \"2025-02-20T11:51:18.646+00:00\", \"type\": \"THREAT\", \"change_type\": \"CREATED\", \"threat\": {\"guid\": \"fe8480db-4da1-49d6-b950-7f71a18fd36f\", \"status\": \"OPEN\", \"severity\": \"ADVISORY\", \"type\": \"FILE\", \"classifications\": [\"VULNERABILITY\"], \"details\": {\"path\": \"file:///sdcard/Download/com.whatsapp.apk\", \"file_name\": \"com.whatsapp.apk\"}}, \"target\": {\"guid\": \"e98bfb45-5615-4cd5-bf2e-266178629549\", \"type\": \"THREAT\"}, \"actor\": {\"guid\": \"e98bfb45-5615-4cd5-bf2e-266178629549\", \"type\": \"DEVICE\"}}",
"event": {
"agent_id_status": "OPEN",
"category": [
"intrusion_detection"
],
"outcome": "OPEN",
"reason": "com.whatsapp.apk",
"type": [
"info"
]
},
"@timestamp": "2025-02-20T11:51:18.646000Z",
"device": {
"id": "e98bfb45-5615-4cd5-bf2e-266178629549"
},
"lookout": {
"mes": {
"event": {
"category": "THREAT",
"id": "d25481e8-b598-4618-a21e-19ecba109e68",
"type": "CREATED"
},
"threat": {
"classifications": [
"VULNERABILITY"
],
"severity": "ADVISORY",
"type": "FILE"
}
}
},
"organization": {
"id": "703d284e-c7dd-4dd0-bd0d-12bfade8095c"
},
"package": {
"name": "com.whatsapp.apk",
"path": "file:///sdcard/Download/com.whatsapp.apk"
}
}
{
"message": "{\"id\": \"d06ac859-b42a-472d-8ffc-7cf884d72779\", \"enterprise_guid\": \"703d284e-c7dd-4dd0-bd0d-12bfade8095c\", \"created_time\": \"2025-02-20T12:10:20.204+00:00\", \"type\": \"THREAT\", \"change_type\": \"CREATED\", \"threat\": {\"guid\": \"2238d841-5d7e-4768-9d49-cfd89e28c14f\", \"status\": \"OPEN\", \"severity\": \"ADVISORY\", \"type\": \"NETWORK\", \"classifications\": [\"PORT_SCAN\"], \"details\": {}}, \"target\": {\"guid\": \"03ff47c2-fe85-4cd2-b8af-39908198ae19\", \"type\": \"THREAT\"}, \"actor\": {\"guid\": \"03ff47c2-fe85-4cd2-b8af-39908198ae19\", \"type\": \"DEVICE\"}}",
"event": {
"agent_id_status": "OPEN",
"category": [
"intrusion_detection"
],
"outcome": "OPEN",
"type": [
"info"
]
},
"@timestamp": "2025-02-20T12:10:20.204000Z",
"device": {
"id": "03ff47c2-fe85-4cd2-b8af-39908198ae19"
},
"lookout": {
"mes": {
"event": {
"category": "THREAT",
"id": "d06ac859-b42a-472d-8ffc-7cf884d72779",
"type": "CREATED"
},
"threat": {
"classifications": [
"PORT_SCAN"
],
"external_id": "2238d841-5d7e-4768-9d49-cfd89e28c14f",
"severity": "ADVISORY",
"type": "NETWORK"
}
}
},
"organization": {
"id": "703d284e-c7dd-4dd0-bd0d-12bfade8095c"
}
}
{
"message": "{\"id\": \"16b028cf-41f3-4a7f-b77c-a6610b15d6e4\", \"enterprise_guid\": \"703d284e-c7dd-4dd0-bd0d-12bfade8095c\", \"created_time\": \"2025-02-20T12:10:22.507+00:00\", \"type\": \"THREAT\", \"change_type\": \"UPDATED\", \"threat\": {\"guid\": \"b436c2d3-1cb8-4197-9c29-22378992dd37\", \"status\": \"RESOLVED\", \"severity\": \"ADVISORY\", \"type\": \"NETWORK\", \"classifications\": [\"PORT_SCAN\"], \"assessments\": [{\"classification\": \"PORT_SCAN\"}, {\"classification\": \"PORT_SCAN\"}], \"details\": {}}, \"target\": {\"guid\": \"f25de64e-c2e4-4a73-bd92-533e8e3644ce\", \"type\": \"THREAT\"}, \"actor\": {\"guid\": \"f25de64e-c2e4-4a73-bd92-533e8e3644ce\", \"type\": \"DEVICE\"}}",
"event": {
"agent_id_status": "RESOLVED",
"category": [
"intrusion_detection"
],
"outcome": "RESOLVED",
"type": [
"info"
]
},
"@timestamp": "2025-02-20T12:10:22.507000Z",
"device": {
"id": "f25de64e-c2e4-4a73-bd92-533e8e3644ce"
},
"lookout": {
"mes": {
"event": {
"category": "THREAT",
"id": "16b028cf-41f3-4a7f-b77c-a6610b15d6e4",
"type": "UPDATED"
},
"threat": {
"classifications": [
"PORT_SCAN"
],
"external_id": "b436c2d3-1cb8-4197-9c29-22378992dd37",
"severity": "ADVISORY",
"type": "NETWORK"
}
}
},
"organization": {
"id": "703d284e-c7dd-4dd0-bd0d-12bfade8095c"
}
}
{
"message": "{\"id\": \"7cbc318b-13a5-4b31-8ba9-d5434754c749\", \"enterprise_guid\": \"703d284e-c7dd-4dd0-bd0d-12bfade8095c\", \"created_time\": \"2025-03-03T04:56:26.265+00:00\", \"type\": \"THREAT\", \"change_type\": \"CREATED\", \"threat\": {\"guid\": \"1ac559e8-e876-4aa9-8608-b8f25f22d76f\", \"status\": \"OPEN\", \"severity\": \"ADVISORY\", \"type\": \"CONFIGURATION\", \"classifications\": [\"PCP_PAUSED\"], \"details\": {}}, \"target\": {\"guid\": \"0a3b5fdb-ec8d-48b0-843f-ce934c2a656e\", \"type\": \"THREAT\"}, \"actor\": {\"guid\": \"0a3b5fdb-ec8d-48b0-843f-ce934c2a656e\", \"type\": \"DEVICE\"}}",
"event": {
"agent_id_status": "OPEN",
"category": [
"intrusion_detection"
],
"outcome": "OPEN",
"type": [
"info"
]
},
"@timestamp": "2025-03-03T04:56:26.265000Z",
"device": {
"id": "0a3b5fdb-ec8d-48b0-843f-ce934c2a656e"
},
"lookout": {
"mes": {
"event": {
"category": "THREAT",
"id": "7cbc318b-13a5-4b31-8ba9-d5434754c749",
"type": "CREATED"
},
"threat": {
"classifications": [
"PCP_PAUSED"
],
"external_id": "1ac559e8-e876-4aa9-8608-b8f25f22d76f",
"severity": "ADVISORY",
"type": "CONFIGURATION"
}
}
},
"organization": {
"id": "703d284e-c7dd-4dd0-bd0d-12bfade8095c"
}
}
{
"message": "{\"id\": \"2b1f5972-ee6d-4192-89a4-f79ae2b0df77\", \"enterprise_guid\": \"703d284e-c7dd-4dd0-bd0d-12bfade8095c\", \"created_time\": \"2025-02-20T10:02:18.317+00:00\", \"type\": \"THREAT\", \"change_type\": \"UPDATED\", \"threat\": {\"guid\": \"38607353-62bd-4ebf-962b-4bd248165211\", \"status\": \"RESOLVED\", \"severity\": \"LOW\", \"type\": \"APPLICATION\", \"classifications\": [\"RISKWARE\"], \"assessments\": [{\"classification\": \"RISKWARE\"}, {\"classification\": \"RISKWARE\"}], \"details\": {\"application_name\": \"\\u062f\\u0639\\u0627 \\u0648 \\u0642\\u0631\\u0622\\u0646 \\u0648 \\u0627\\u062f\\u0639\\u06cc\\u0647 \\u0645\\u0646\\u062a\\u062e\\u0628\", \"package_name\": \"com.doa.start\", \"package_sha\": \"ae2a0185c49958a6e7c94282210ce32fddcb837b\", \"path\": \"package://com.doa.start\", \"file_name\": \"com.doa.start\"}}, \"target\": {\"guid\": \"a2cf0007-ffe8-4775-9a22-019a04485b0d\", \"type\": \"THREAT\"}, \"actor\": {\"guid\": \"a2cf0007-ffe8-4775-9a22-019a04485b0d\", \"type\": \"DEVICE\"}}",
"event": {
"agent_id_status": "RESOLVED",
"category": [
"intrusion_detection"
],
"outcome": "RESOLVED",
"reason": "com.doa.start",
"type": [
"info"
]
},
"@timestamp": "2025-02-20T10:02:18.317000Z",
"device": {
"id": "a2cf0007-ffe8-4775-9a22-019a04485b0d"
},
"lookout": {
"mes": {
"event": {
"category": "THREAT",
"id": "2b1f5972-ee6d-4192-89a4-f79ae2b0df77",
"type": "UPDATED"
},
"threat": {
"classifications": [
"RISKWARE"
],
"severity": "LOW",
"type": "APPLICATION"
}
}
},
"organization": {
"id": "703d284e-c7dd-4dd0-bd0d-12bfade8095c"
},
"package": {
"checksum": "ae2a0185c49958a6e7c94282210ce32fddcb837b",
"name": "com.doa.start",
"path": "package://com.doa.start"
}
}
{
"message": "{\"id\": \"5e47b89b-dfb5-4547-b8ad-ae5e946160a5\", \"enterprise_guid\": \"703d284e-c7dd-4dd0-bd0d-12bfade8095c\", \"created_time\": \"2025-02-20T09:07:02.385+00:00\", \"type\": \"THREAT\", \"change_type\": \"CREATED\", \"threat\": {\"guid\": \"626ebc9c-9948-4ada-a9f2-e5b7fb6b99c6\", \"status\": \"OPEN\", \"severity\": \"ADVISORY\", \"type\": \"CONFIGURATION\", \"classifications\": [\"PCP_PAUSED\"], \"details\": {}}, \"target\": {\"guid\": \"ffe8cb32-3c82-46f4-9bf3-38627bebb698\", \"type\": \"THREAT\"}, \"actor\": {\"guid\": \"ffe8cb32-3c82-46f4-9bf3-38627bebb698\", \"type\": \"DEVICE\"}}",
"event": {
"agent_id_status": "OPEN",
"category": [
"intrusion_detection"
],
"outcome": "OPEN",
"type": [
"info"
]
},
"@timestamp": "2025-02-20T09:07:02.385000Z",
"device": {
"id": "ffe8cb32-3c82-46f4-9bf3-38627bebb698"
},
"lookout": {
"mes": {
"event": {
"category": "THREAT",
"id": "5e47b89b-dfb5-4547-b8ad-ae5e946160a5",
"type": "CREATED"
},
"threat": {
"classifications": [
"PCP_PAUSED"
],
"external_id": "626ebc9c-9948-4ada-a9f2-e5b7fb6b99c6",
"severity": "ADVISORY",
"type": "CONFIGURATION"
}
}
},
"organization": {
"id": "703d284e-c7dd-4dd0-bd0d-12bfade8095c"
}
}
{
"message": "{\"id\": \"adf77529-633d-40f9-9e7d-361568584c6b\", \"enterprise_guid\": \"703d284e-c7dd-4dd0-bd0d-12bfade8095c\", \"created_time\": \"2025-02-24T05:50:01.726+00:00\", \"type\": \"THREAT\", \"change_type\": \"UPDATED\", \"threat\": {\"guid\": \"755c874a-48a9-4157-af4b-e5c41bb592aa\", \"status\": \"OPEN\", \"severity\": \"MEDIUM\", \"type\": \"CONFIGURATION\", \"classifications\": [\"PCP_PAUSED\"], \"assessments\": [{\"classification\": \"PCP_PAUSED\"}, {\"classification\": \"PCP_PAUSED\"}], \"details\": {}}, \"target\": {\"guid\": \"4b916651-5488-42d8-bd38-c3d0d78a102c\", \"type\": \"THREAT\"}, \"actor\": {\"type\": \"SYSTEM\"}}",
"event": {
"agent_id_status": "OPEN",
"category": [
"intrusion_detection"
],
"outcome": "OPEN",
"type": [
"info"
]
},
"@timestamp": "2025-02-24T05:50:01.726000Z",
"device": {
"id": "4b916651-5488-42d8-bd38-c3d0d78a102c"
},
"lookout": {
"mes": {
"event": {
"category": "THREAT",
"id": "adf77529-633d-40f9-9e7d-361568584c6b",
"type": "UPDATED"
},
"threat": {
"classifications": [
"PCP_PAUSED"
],
"external_id": "755c874a-48a9-4157-af4b-e5c41bb592aa",
"severity": "MEDIUM",
"type": "CONFIGURATION"
}
}
},
"organization": {
"id": "703d284e-c7dd-4dd0-bd0d-12bfade8095c"
}
}
{
"message": "{\"id\": \"f7fbe152-90a6-4c61-827c-4b3cb864fc62\", \"enterprise_guid\": \"703d284e-c7dd-4dd0-bd0d-12bfade8095c\", \"created_time\": \"2025-02-20T10:32:11.643+00:00\", \"type\": \"SMISHING_ALERT\", \"change_type\": \"CREATED\", \"target\": {\"guid\": \"2b4b2c10-68a0-4f10-a34e-8ef57299625c\", \"type\": \"SMISHING_ALERT\"}, \"actor\": {\"guid\": \"2b4b2c10-68a0-4f10-a34e-8ef57299625c\", \"type\": \"DEVICE\"}, \"smishing_alert\": {\"guid\": \"ab2bd1d7-63d6-4659-9128-2030fec86aa4\", \"detections\": [{\"category\": \"EMBEDDED_PHISHING_URL\", \"alert_type\": \"URL_DETECTION\", \"original_url\": \"https://bit.ly/3Bl9YE7\"}]}}",
"event": {
"category": [
"intrusion_detection"
],
"type": [
"info"
]
},
"@timestamp": "2025-02-20T10:32:11.643000Z",
"device": {
"id": "2b4b2c10-68a0-4f10-a34e-8ef57299625c"
},
"lookout": {
"mes": {
"event": {
"category": "SMISHING_ALERT",
"id": "f7fbe152-90a6-4c61-827c-4b3cb864fc62",
"type": "CREATED"
},
"threat": {
"classifications": "EMBEDDED_PHISHING_URL",
"external_id": "ab2bd1d7-63d6-4659-9128-2030fec86aa4"
}
}
},
"organization": {
"id": "703d284e-c7dd-4dd0-bd0d-12bfade8095c"
},
"url": {
"domain": "bit.ly",
"original": "https://bit.ly/3Bl9YE7",
"path": "/3Bl9YE7",
"port": 443,
"registered_domain": "bit.ly",
"scheme": "https",
"top_level_domain": "ly"
}
}
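The mapping from a raw Lookout MES message to the normalized fields can be read off the samples above. As an added example (not the intake's own parser), the following simplified Python re-implementation flattens a raw message into the dotted field names this page lists, then runs a small triage rule over the result; the two sample messages are constructed from the page's WEB_CONTENT and EMBEDDED_PHISHING_URL samples, and where the samples are inconsistent (for instance which threats carry `external_id`, or `event.outcome` next to `event.agent_id_status`) the chosen mapping is an assumption.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed raw messages in the shape of the page's samples (ids and values copied from its
# WEB_CONTENT threat and EMBEDDED_PHISHING_URL smishing samples, trimmed to the keys mapped below).
SAMPLE_WEB = ('{"id": "e5a77984-1233-4732-af0e-5850df6ae2db", "enterprise_guid": "703d284e-c7dd-4dd0-bd0d-12bfade8095c", '
              '"created_time": "2025-01-15T12:00:29.723+00:00", "type": "THREAT", "change_type": "CREATED", '
              '"threat": {"guid": "efb04bc3-6875-4c4e-bbe5-04080d989a08", "status": "RESOLVED", "severity": "HIGH", '
              '"type": "WEB_CONTENT", "classifications": ["MALICIOUS_CONTENT"], "details": {"url": "malicousdomain.com", '
              '"reason": "MALICIOUS", "response": "BLOCKED"}}, "target": {"guid": "8595b5c2-e78b-494a-b0fa-9ab37431589e", "type": "THREAT"}}')
SAMPLE_SMS = ('{"id": "f7fbe152-90a6-4c61-827c-4b3cb864fc62", "enterprise_guid": "703d284e-c7dd-4dd0-bd0d-12bfade8095c", '
              '"created_time": "2025-02-20T10:32:11.643+00:00", "type": "SMISHING_ALERT", "change_type": "CREATED", '
              '"target": {"guid": "2b4b2c10-68a0-4f10-a34e-8ef57299625c", "type": "SMISHING_ALERT"}, "smishing_alert": '
              '{"guid": "ab2bd1d7-63d6-4659-9128-2030fec86aa4", "detections": [{"category": "EMBEDDED_PHISHING_URL", '
              '"alert_type": "URL_DETECTION", "original_url": "https://bit.ly/3Bl9YE7"}]}}')

def to_timestamp(created_time: str) -> str:
    # "2025-02-20T09:08:40.714+00:00" -> "2025-02-20T09:08:40.714000Z", the @timestamp form in the samples
    dt = datetime.fromisoformat(created_time).astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.%fZ")

def normalize(raw_message: str) -> dict:
    """Flatten one raw Lookout MES message into the dotted ECS field names listed on this page."""
    m = json.loads(raw_message)
    out = {"@timestamp": to_timestamp(m["created_time"]), "organization.id": m["enterprise_guid"],
           "device.id": m["target"]["guid"],  # the samples take device.id from target.guid
           "lookout.mes.event.category": m["type"], "lookout.mes.event.id": m["id"],
           "lookout.mes.event.type": m["change_type"]}
    if m["type"] == "THREAT":
        t, d = m["threat"], m["threat"].get("details", {})
        out.update({"lookout.mes.threat.external_id": t["guid"], "event.outcome": t["status"],
                    "lookout.mes.threat.classifications": t["classifications"],
                    "lookout.mes.threat.severity": t["severity"], "lookout.mes.threat.type": t["type"]})
        if t["type"] == "WEB_CONTENT":  # blocked URL: event.action/reason come from details
            out.update({"url.original": d["url"], "event.action": d["response"], "event.reason": d["reason"]})
        elif t["type"] in ("APPLICATION", "FILE"):  # package.* from the app or APK details
            out.update({"package.name": d.get("package_name", d.get("file_name")),
                        "package.path": d["path"], "package.checksum": d.get("package_sha")})
    elif m["type"] == "SMISHING_ALERT":  # the first detection drives the threat fields
        sa, det = m["smishing_alert"], m["smishing_alert"]["detections"][0]
        out.update({"lookout.mes.threat.external_id": sa["guid"],
                    "lookout.mes.threat.classifications": det["category"]})
        if "original_url" in det:  # url.* is only populated for URL_DETECTION alerts
            u = urlparse(det["original_url"])
            out.update({"url.original": det["original_url"], "url.domain": u.hostname,
                        "url.path": u.path, "url.scheme": u.scheme})
    return {k: v for k, v in out.items() if v is not None}  # drop keys the source did not carry

def needs_triage(ev: dict) -> bool:
    """Detection-style rule on normalized fields: any smishing alert, or an open MEDIUM/HIGH threat."""
    return (ev["lookout.mes.event.category"] == "SMISHING_ALERT"
            or (ev.get("event.outcome") == "OPEN" and ev.get("lookout.mes.threat.severity") in ("MEDIUM", "HIGH")))
```

Running `normalize` over the page's other samples is a quick way to confirm which fields a custom detection rule can rely on for each event type before writing it.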
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. Note that inferred fields are not listed.
Name | Type | Description |
---|---|---|
@timestamp | date | Date/time when the event originated. |
destination.mac | keyword | MAC address of the destination. |
event.action | keyword | The action captured by the event. |
event.agent_id_status | keyword | Validation status of the event's agent.id field. |
event.category | keyword | Event category. The second categorization field in the hierarchy. |
event.outcome | keyword | The outcome of the event. The lowest level categorization field in the hierarchy. |
event.reason | keyword | Reason why this event happened, according to the source. |
event.type | keyword | Event type. The third categorization field in the hierarchy. |
host.os.platform | keyword | Operating system platform (such as centos, ubuntu, windows). |
host.os.version | keyword | Operating system version as a raw string. |
lookout.mes.android.profile.type | keyword | Android profile type: Personal or Work Profile. |
lookout.mes.audit.type | keyword | Audit action. |
lookout.mes.event.category | keyword | Category of the Lookout event (the raw event type). |
lookout.mes.event.id | keyword | Lookout event ID. |
lookout.mes.event.type | keyword | Type of the Lookout event (the raw change type). |
lookout.mes.minimum.os.version | keyword | Minimum ASPL version. |
lookout.mes.threat.classifications | keyword | Classifications of the threat. |
lookout.mes.threat.external_id | keyword | Identifier of the threat. |
lookout.mes.threat.severity | keyword | Threat severity level. |
lookout.mes.threat.type | keyword | Type of detection. |
network.name | keyword | Name given by operators to sections of their network. |
organization.id | keyword | Unique identifier for the organization. |
package.checksum | keyword | Checksum of the installed package for verification. |
package.name | keyword | Package name. |
package.path | keyword | Path where the package is installed. |
package.version | keyword | Package version. |
url.original | wildcard | Unmodified original url as seen in the event source. |
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.