Pradeo MTD
Overview
Pradeo Mobile Threat Defense (MTD) is a comprehensive security solution designed to protect mobile devices from various threats such as malware, phishing, and network attacks. This setup guide explains how to forward and collect the detections and activity logs of your Pradeo MTD to Sekoia.io.
- Vendor: Pradeo
- Supported environment: SaaS
- Detection based on: Alert
- Supported application or feature:
- Detections
- Audit Events
Specification
Prerequisites
- Permissions:
- Administrator access to the Pradeo Security console
Step-by-Step Configuration Procedure
Instruction on Sekoia
Configure Your Intake
This section will guide you through creating the intake object in Sekoia, which provides a unique identifier called the "Intake key." The Intake key is essential for later configuration, as it references the Community, Entity, and Parser (Intake Format) used when receiving raw events on Sekoia.
- Go to the Sekoia Intake page.
- Click on the
+ New Intakebutton at the top right of the page. - Search for your Intake by the product name in the search bar.
- Give it a Name and associate it with an Entity (and a Community if using multi-tenant mode).
- Click on
Create. - You will be redirected to the Intake listing page, where you will find a new line with the name you gave to the Intake.
Note
For more details on how to use the Intake page and to find the Intake key you just created, refer to this documentation.
Instructions on the 3rd Party Solution
This setup guide will show you how to forward events from Pradeo Security to Sekoia.io.
Set up the Integration in Pradeo Security Console
- Log in to the Pradeo Security platform.
- From the main dashboard, select
Integrationoption. - Click
SIEM Integrations. - Select
Sekoiaas your preferred SIEM system. - Copy the intake key in the appropriate input.
- Select
DetectionsandAudit logsas event types. - Select the desired fields to export.
- Save your configuration.
Raw Events Samples
In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.
{
"id": "jyFgy57XQGm0oEk6V_6tdA",
"creationDate": "2024-07-23T13:28:32.594Z",
"source": "admin",
"category": null,
"type": "MessageCreated",
"content": {
"message": {
"id": "u7GTsigSS1CWtS_y80zpgw",
"title": "test",
"content": "envoye a 15:28",
"creationDate": "2024-07-23T13:28:32.578Z"
}
},
"user": {
"id": "gA0jK6lCSBWZ3-ZMR9IoFw",
"email": "alan.smithee@pradeo.com",
"firstName": "Alan",
"lastName": "Smithee",
"jobTitle": null,
"phoneNumber": null,
"language": "English",
"isDeactivated": false,
"isFirstConnection": true,
"toNotify": false,
"lastConnectionDate": "2024-07-23T14:56:26.000Z",
"creationDate": "2024-07-03T12:24:48.924Z",
"lastModificationDate": "2024-07-23T14:56:26.000Z"
},
"device": null,
"company": {
"id": "bufQJXK_RNamdgiPmXzpFg",
"name": "Mobile boat",
"creationDate": "2024-07-03T10:01:02.043Z",
"lastModificationDate": "2024-07-04T07:19:50.000Z",
"deletedAt": null
}
}
{
"id": "8bnDz9zBI0S25lsXD22nxg",
"creationDate": "2024-07-02T07:02:15.721Z",
"source": "device",
"category": null,
"type": "ApplicationCreated",
"content": {
"application": {
"id": "6DN0jTLmX8-958o-fa3pnQ",
"version": "1.10.2",
"md5": "673937eab709d3e3999b25bc564902c4",
"sha1": "639f1ebc03aac79374e70123d15bd00fc68d37af",
"sha256": "8ddb8f0098f6159fba0a56444fe67634adb7903770eaa646ef202f8d8f32d3df",
"name": "Sonic 2",
"versionCode": "217",
"size": 83816851,
"package": {
"id": "N4N-N9ByVrKDs-WCpxSj6Q",
"package": "com.sega.sonic2.runner",
"system": "Android"
}
}
}
}
{
"id": "_czh5ptATAa0TDv8cCR75g",
"creationDate": "2024-07-02T12:20:01.795Z",
"source": "system",
"category": null,
"type": "DetectionPolicyUpdated",
"content": {
"detectionPolicy": {
"id": "R-cZz0iUSyujQ954d3qytw",
"name": "iO Si Senor",
"creationDate": "2023-11-13T17:58:03.000Z",
"lastModificationDate": "2024-05-27T08:14:01.531Z",
"company": {
"id": "JmidYbyCRpegHOjnpK4uag",
"name": "Pradeo",
"creationDate": "2023-09-11T13:15:14.000Z",
"lastModificationDate": "2024-04-19T10:03:30.000Z",
"deletedAt": null
},
"inheritable": false,
"dataRules": [],
"featureRules": [],
"communicationRules": [],
"systemStatusLevels": [],
"networkStatusLevels": [],
"deviceGroups": [],
"handledCompanies": [],
"version": 1
}
}
}
{
"id": "XjR27UNPT7ixTAV6M4YBEA",
"creationDate": "2024-07-01T17:24:54.784Z",
"source": "system",
"category": null,
"type": "DeviceComplianceUpdated",
"content": {
"deviceCompliance": {
"id": "tw0T69jkS1SOdBc-QFat8A",
"status": "Approved",
"computed": true,
"creationDate": "2024-07-01T17:01:20.075Z",
"lastModificationDate": "2024-07-01T17:02:02.000Z",
"device": {
"id": "kfvsh37xT2GUUlQHBZSIZw",
"serialNumber": null,
"imei": "356568109376877",
"name": "remy iPhone iOS 17.5.1 N736",
"email": null,
"singleEnrollmentKey": "00008030-0006404C2EE1802E",
"byod": false,
"lockPassword": null,
"knoxVersion": null,
"declaredOperatingSystem": null,
"declaredOperatingSystemVersion": null,
"declaredOperatingSystemSecurityPatchDate": null,
"declaredModel": null,
"group": {
"id": "NndTZCHjSMyUKP3XlCBosQ",
"name": "R&D",
"createdAt": "2024-04-18T12:31:32.000Z",
"emmGroupInfo": null,
"detectionPolicy": {
"id": "JIiW6eyUWoe9COTVCR4rww",
"name": "Standard",
"type": "Application and device threat",
"creationDate": "2024-01-21T22:47:37.034Z",
"lastModificationDate": "2024-01-21T22:47:37.034Z",
"inheritable": true,
"version": 1
}
},
"enrollmentStatus": {
"id": "FchrtdT-QT-xknMShye0eQ",
"lastConnection": null,
"coupled": false
},
"emmDeviceInfo": {
"id": "2vZdUKtuRCWHl4TDp8uTaw",
"externalId": "00008030-0006404C2EE1802E",
"emm": "airwatch"
}
},
"matchedResponseRules": []
}
}
}
{
"id": "QFtxnwWFCERsCvYI599bSv",
"creationDate": "2024-07-01T14:28:11.000Z",
"source": "system",
"category": "null",
"type": "DeviceCorrelationUpdated",
"content": {
"id": "android:p-2MTZU_S1jQsqz9Ommy_A",
"last_name": "m",
"first_name": "m",
"email": "",
"metric": "match_bluetooth",
"type": "BlueTooth activation",
"status": "END"
}
}
{
"id": "QFtxnwWFCERsCvYI599bSv",
"creationDate": "2024-07-01T14:28:11.000Z",
"source": "admin",
"category": "Network",
"type": "DeviceDetection",
"content": {
"id": "android:p-2MTZU_S1jQsqz9Ommy_A",
"last_name": "m",
"first_name": "m",
"email": "",
"metric": "match_bluetooth",
"type": "BlueTooth activation",
"status": "END"
}
}
{
"id": "---tmfIPM0q8uo0bGtreRA",
"creationDate": "2024-07-05T08:58:43.325Z",
"source": "device",
"category": null,
"type": "DeviceStatusHistoryUpdated",
"content": {
"deviceId": "3DGAsW2pRhKZLArNUGBo4Q",
"event": {
"kind": "RogueCellTower",
"value": 2
}
},
"user": null,
"device": {
"id": "3DGAsW2pRhKZLArNUGBo4Q",
"serialNumber": "unknown",
"imei": null,
"name": null,
"email": null,
"singleEnrollmentKey": "{sa?LW]p:gWoGR}),ishy@)7XPoMI-)LH&n)g5v{aY{Wqi4b",
"byod": false,
"lockPassword": null,
"knoxVersion": null,
"declaredOperatingSystem": "Android",
"declaredOperatingSystemVersion": "13",
"declaredOperatingSystemSecurityPatchDate": "2023-11-05T00:00:00.000Z",
"declaredModel": "EB2103",
"enrollmentStatus": {
"id": "etw6fGIcQtyKQDB3hbpXUQ",
"lastConnection": "2024-07-05T13:05:05.000Z",
"coupled": false
},
"emmDeviceInfo": null
},
"company": {
"id": "bufQJXK_RNamdgiPmXzpFg",
"name": "Mobile boat",
"creationDate": "2024-07-03T10:01:02.043Z",
"lastModificationDate": "2024-07-04T07:19:50.000Z",
"deletedAt": null
}
}
{
"id": "SQU4ZdbZSxqEIi1ioYP6mw",
"creationDate": "2024-07-01T14:28:20.233Z",
"source": "system",
"category": null,
"type": "DeviceNetworkStatusRecordUpdated",
"content": {
"deviceNetworkStatusRecord": {
"id": "7tUjB6riQGqo2Tqz4AmVPw",
"device": {
"id": "R96VSXfLT4i1UDNKioactw",
"serialNumber": "unknown",
"imei": null,
"name": "m m",
"email": null,
"singleEnrollmentKey": null,
"byod": false,
"lockPassword": null,
"knoxVersion": null,
"declaredOperatingSystem": null,
"declaredOperatingSystemVersion": null,
"declaredOperatingSystemSecurityPatchDate": null,
"declaredModel": null,
"company": {
"id": "JmidYbyCRpegHOjnpK4uag",
"name": "Pradeo",
"creationDate": "2023-09-11T13:15:14.000Z",
"lastModificationDate": "2024-04-19T10:03:30.000Z",
"deletedAt": null
},
"enrollmentStatus": {
"id": "2GxYOm6GR8qXdDRMrCjJwQ",
"lastConnection": "2024-07-01T09:54:07.000Z",
"coupled": true
},
"emmDeviceInfo": null,
"configuration": {
"id": "XXWAKzLmTIydNDbSbpLuWw",
"advancedMode": false,
"notificationPermission": "Undefined",
"geolocationPermission": "Undefined",
"callPermission": "Undefined",
"knoxPermission": "Undefined",
"vpnPermission": "Undefined",
"bluetoothPermission": "Undefined",
"deviceAdminPermission": "Undefined",
"overlayPermission": "Undefined",
"usageStatisticsPermission": "Undefined",
"accessibilityPermission": "Undefined",
"ignoreBatteryOptimizationPermission": "Undefined"
}
},
"deviceNetworkStatus": {
"id": "WgEwwyksUIS2T5AFjKtGvg",
"name": "Bluetooth"
},
"value": 0
}
}
}
{
"id": "Chp2bFsQTEGAJd67m_Na2w",
"creationDate": "2024-07-01T14:28:20.139Z",
"source": "system",
"category": null,
"type": "DeviceStatusHistoryUpdated",
"content": {
"deviceId": "R96VSXfLT4i1UDNKioactw",
"event": {
"id": "Aw9PSSUpT0idoAdhaiACbg",
"device": {
"id": "R96VSXfLT4i1UDNKioactw",
"serialNumber": "unknown",
"imei": null,
"name": "m m",
"email": null,
"singleEnrollmentKey": null,
"byod": false,
"lockPassword": null,
"knoxVersion": null,
"declaredOperatingSystem": null,
"declaredOperatingSystemVersion": null,
"declaredOperatingSystemSecurityPatchDate": null,
"declaredModel": null,
"company": {
"id": "JmidYbyCRpegHOjnpK4uag",
"name": "Pradeo",
"creationDate": "2023-09-11T13:15:14.000Z",
"lastModificationDate": "2024-04-19T10:03:30.000Z",
"deletedAt": null
},
"enrollmentStatus": {
"id": "2GxYOm6GR8qXdDRMrCjJwQ",
"lastConnection": "2024-07-01T09:54:07.000Z",
"coupled": true
},
"emmDeviceInfo": null
},
"kind": "Bluetooth",
"value": 0,
"eventDate": "2024-07-01T14:28:20.124Z"
}
}
}
{
"id": "hWjVNq-WRiefU1vqfrbeyQ",
"creationDate": "2024-06-27T11:24:13.592Z",
"source": "system",
"category": null,
"type": "DeviceSystemStatusRecordUpdated",
"content": {
"deviceSystemStatusRecord": {
"id": "2jA8-gQ6TCuGIgR9EMcbYQ",
"device": {
"id": "EeFFJKtPS0Gl52z5uzijKg",
"serialNumber": null,
"imei": null,
"name": " cs Ivanti EID2",
"email": null,
"singleEnrollmentKey": null,
"byod": true,
"lockPassword": null,
"knoxVersion": null,
"declaredOperatingSystem": null,
"declaredOperatingSystemVersion": null,
"declaredOperatingSystemSecurityPatchDate": null,
"declaredModel": null,
"company": {
"id": "JmidYbyCRpegHOjnpK4uag",
"name": "Pradeo",
"creationDate": "2023-09-11T13:15:14.000Z",
"lastModificationDate": "2024-04-19T10:03:30.000Z",
"deletedAt": null
},
"enrollmentStatus": {
"id": "ZWxQtoMWTKegjcvMinHaZg",
"lastConnection": "2024-06-21T12:07:57.000Z",
"coupled": true
},
"emmDeviceInfo": null,
"configuration": {
"id": "4oQgfWybS46D2huT1ggWLA",
"advancedMode": false,
"notificationPermission": "Undefined",
"geolocationPermission": "Undefined",
"callPermission": "Undefined",
"knoxPermission": "Undefined",
"vpnPermission": "Undefined",
"bluetoothPermission": "Undefined",
"deviceAdminPermission": "Undefined",
"overlayPermission": "Undefined",
"usageStatisticsPermission": "Undefined",
"accessibilityPermission": "Undefined",
"ignoreBatteryOptimizationPermission": "Undefined"
}
},
"deviceSystemStatus": {
"id": "AV84fYHQXbyKjXZ52iuHLg",
"name": "DeveloperMode"
},
"value": 1
}
}
}
Detection section
The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.
No related built-in rules was found. This message is automatically generated.
Event Categories
The following table lists the data source offered by this integration.
| Data Source | Description |
|---|---|
Anti-virus |
PradeoSecurity analyses applications to prevent malicious actions. |
Network device configuration |
PradeoSecurity analyses device network configuration to prevent malicious actions. |
Data loss prevention |
PradeoSecurity analyses applications to identify data leaks. |
In details, the following table denotes the type of events produced by this integration.
| Name | Values |
|---|---|
| Kind | `` |
| Category | configuration, process |
| Type | change, info |
Transformed Events Samples after Ingestion
This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.
{
"message": "{\"id\":\"jyFgy57XQGm0oEk6V_6tdA\",\"creationDate\":\"2024-07-23T13:28:32.594Z\",\"source\":\"admin\",\"category\":null,\"type\":\"MessageCreated\",\"content\":{\"message\":{\"id\":\"u7GTsigSS1CWtS_y80zpgw\",\"title\":\"test\",\"content\":\"envoye a 15:28\",\"creationDate\":\"2024-07-23T13:28:32.578Z\"}},\"user\":{\"id\":\"gA0jK6lCSBWZ3-ZMR9IoFw\",\"email\":\"alan.smithee@pradeo.com\",\"firstName\":\"Alan\",\"lastName\":\"Smithee\",\"jobTitle\":null,\"phoneNumber\":null,\"language\":\"English\",\"isDeactivated\":false,\"isFirstConnection\":true,\"toNotify\":false,\"lastConnectionDate\":\"2024-07-23T14:56:26.000Z\",\"creationDate\":\"2024-07-03T12:24:48.924Z\",\"lastModificationDate\":\"2024-07-23T14:56:26.000Z\"},\"device\":null,\"company\":{\"id\":\"bufQJXK_RNamdgiPmXzpFg\",\"name\":\"Mobile boat\",\"creationDate\":\"2024-07-03T10:01:02.043Z\",\"lastModificationDate\":\"2024-07-04T07:19:50.000Z\",\"deletedAt\":null}}",
"event": {
"action": "MessageCreated"
},
"@timestamp": "2024-07-23T13:28:32.594000Z",
"pradeo": {
"metadata": {
"creationDate": "2024-07-23T13:28:32.594000Z",
"id": "jyFgy57XQGm0oEk6V_6tdA",
"source": "admin",
"type": "MessageCreated"
}
},
"user": {
"email": "alan.smithee@pradeo.com",
"full_name": "Alan Smithee",
"id": "gA0jK6lCSBWZ3-ZMR9IoFw"
}
}
{
"message": "{\"id\":\"8bnDz9zBI0S25lsXD22nxg\",\"creationDate\":\"2024-07-02T07:02:15.721Z\",\"source\":\"device\",\"category\":null,\"type\":\"ApplicationCreated\",\"content\":{\"application\":{\"id\":\"6DN0jTLmX8-958o-fa3pnQ\",\"version\":\"1.10.2\",\"md5\":\"673937eab709d3e3999b25bc564902c4\",\"sha1\":\"639f1ebc03aac79374e70123d15bd00fc68d37af\",\"sha256\":\"8ddb8f0098f6159fba0a56444fe67634adb7903770eaa646ef202f8d8f32d3df\",\"name\":\"Sonic 2\",\"versionCode\":\"217\",\"size\":83816851,\"package\":{\"id\":\"N4N-N9ByVrKDs-WCpxSj6Q\",\"package\":\"com.sega.sonic2.runner\",\"system\":\"Android\"}}}}",
"event": {
"action": "ApplicationCreated"
},
"@timestamp": "2024-07-02T07:02:15.721000Z",
"pradeo": {
"metadata": {
"creationDate": "2024-07-02T07:02:15.721000Z",
"id": "8bnDz9zBI0S25lsXD22nxg",
"source": "device",
"type": "ApplicationCreated"
}
}
}
{
"message": "{\"id\":\"_czh5ptATAa0TDv8cCR75g\",\"creationDate\":\"2024-07-02T12:20:01.795Z\",\"source\":\"system\",\"category\":null,\"type\":\"DetectionPolicyUpdated\",\"content\":{\"detectionPolicy\":{\"id\":\"R-cZz0iUSyujQ954d3qytw\",\"name\":\"iO Si Senor\",\"creationDate\":\"2023-11-13T17:58:03.000Z\",\"lastModificationDate\":\"2024-05-27T08:14:01.531Z\",\"company\":{\"id\":\"JmidYbyCRpegHOjnpK4uag\",\"name\":\"Pradeo\",\"creationDate\":\"2023-09-11T13:15:14.000Z\",\"lastModificationDate\":\"2024-04-19T10:03:30.000Z\",\"deletedAt\":null},\"inheritable\":false,\"dataRules\":[],\"featureRules\":[],\"communicationRules\":[],\"systemStatusLevels\":[],\"networkStatusLevels\":[],\"deviceGroups\":[],\"handledCompanies\":[],\"version\":1}}}",
"event": {
"action": "DetectionPolicyUpdated"
},
"@timestamp": "2024-07-02T12:20:01.795000Z",
"pradeo": {
"metadata": {
"creationDate": "2024-07-02T12:20:01.795000Z",
"id": "_czh5ptATAa0TDv8cCR75g",
"source": "system",
"type": "DetectionPolicyUpdated"
}
}
}
{
"message": "{\"id\":\"XjR27UNPT7ixTAV6M4YBEA\",\"creationDate\":\"2024-07-01T17:24:54.784Z\",\"source\":\"system\",\"category\":null,\"type\":\"DeviceComplianceUpdated\",\"content\":{\"deviceCompliance\":{\"id\":\"tw0T69jkS1SOdBc-QFat8A\",\"status\":\"Approved\",\"computed\":true,\"creationDate\":\"2024-07-01T17:01:20.075Z\",\"lastModificationDate\":\"2024-07-01T17:02:02.000Z\",\"device\":{\"id\":\"kfvsh37xT2GUUlQHBZSIZw\",\"serialNumber\":null,\"imei\":\"356568109376877\",\"name\":\"remy iPhone iOS 17.5.1 N736\",\"email\":null,\"singleEnrollmentKey\":\"00008030-0006404C2EE1802E\",\"byod\":false,\"lockPassword\":null,\"knoxVersion\":null,\"declaredOperatingSystem\":null,\"declaredOperatingSystemVersion\":null,\"declaredOperatingSystemSecurityPatchDate\":null,\"declaredModel\":null,\"group\":{\"id\":\"NndTZCHjSMyUKP3XlCBosQ\",\"name\":\"R&D\",\"createdAt\":\"2024-04-18T12:31:32.000Z\",\"emmGroupInfo\":null,\"detectionPolicy\":{\"id\":\"JIiW6eyUWoe9COTVCR4rww\",\"name\":\"Standard\",\"type\":\"Application and device threat\",\"creationDate\":\"2024-01-21T22:47:37.034Z\",\"lastModificationDate\":\"2024-01-21T22:47:37.034Z\",\"inheritable\":true,\"version\":1}},\"enrollmentStatus\":{\"id\":\"FchrtdT-QT-xknMShye0eQ\",\"lastConnection\":null,\"coupled\":false},\"emmDeviceInfo\":{\"id\":\"2vZdUKtuRCWHl4TDp8uTaw\",\"externalId\":\"00008030-0006404C2EE1802E\",\"emm\":\"airwatch\"}},\"matchedResponseRules\":[]}}}",
"event": {
"action": "DeviceComplianceUpdated",
"category": [
"process"
],
"type": [
"change"
]
},
"@timestamp": "2024-07-01T17:24:54.784000Z",
"pradeo": {
"compliance": {
"matchedResponseRules": []
},
"detection": {
"status": "Approved"
},
"device": {
"byod": false,
"coupled": false,
"emm": "airwatch",
"id": "kfvsh37xT2GUUlQHBZSIZw",
"imei": "356568109376877",
"mdmId": "00008030-0006404C2EE1802E",
"name": "remy iPhone iOS 17.5.1 N736"
},
"metadata": {
"creationDate": "2024-07-01T17:24:54.784000Z",
"id": "XjR27UNPT7ixTAV6M4YBEA",
"source": "system",
"type": "DeviceComplianceUpdated"
}
}
}
{
"message": "{\"id\":\"QFtxnwWFCERsCvYI599bSv\",\"creationDate\":\"2024-07-01T14:28:11.000Z\",\"source\":\"system\",\"category\":\"null\",\"type\":\"DeviceCorrelationUpdated\",\"content\":{\"id\":\"android:p-2MTZU_S1jQsqz9Ommy_A\",\"last_name\":\"m\",\"first_name\":\"m\",\"email\":\"\",\"metric\":\"match_bluetooth\",\"type\":\"BlueTooth activation\",\"status\":\"END\"}}",
"event": {
"action": "DeviceCorrelationUpdated",
"category": [
"process"
],
"type": [
"info"
]
},
"@timestamp": "2024-07-01T14:28:11Z",
"pradeo": {
"correlation": {
"applicationThreatLevel": "Red",
"matchedNetworkStatusLevels": [
{
"deviceNetworkStatusRecord": {
"id": "6EByUpV4R9qcggk9mQGylA",
"value": 3
},
"id": "6_WYPd5hRp2ZKteAx_KUhw",
"networkStatusLevel": {
"deviceNetworkStatus": {
"id": "hbaZqAT-VSG-6BWCL2ec0w",
"name": "ARPPoisoning"
},
"id": "YgTHvrQqQUyIZTysaK_heQ",
"level": "Green"
}
},
{
"deviceNetworkStatusRecord": {
"id": "n5gtT-ORQImbp3dql_SlHw",
"value": 0
},
"id": "8-WULaesQQSEbVyYk7_WAQ",
"networkStatusLevel": {
"deviceNetworkStatus": {
"id": "WgEwwyksUIS2T5AFjKtGvg",
"name": "Bluetooth"
},
"id": "uHvq4MBERPuVAk3luwphrg",
"level": "Green"
}
},
{
"deviceNetworkStatusRecord": {
"id": "06Hv_Fw-TC-ZRGbkoIWSkg",
"value": 0
},
"id": "alN6SbtoTk-39N9H7IEzrg",
"networkStatusLevel": {
"deviceNetworkStatus": {
"id": "pwxiTO7iW0inGsISgmFxMQ",
"name": "NFC"
},
"id": "y0CHemAGROCpswd5vu7BGQ",
"level": "Orange"
}
},
{
"deviceNetworkStatusRecord": {
"id": "bAeDvPxoTJ-5hLGUKHgpWw",
"value": 0
},
"id": "D0piRvT4QbutQljPMalXsQ",
"networkStatusLevel": {
"deviceNetworkStatus": {
"id": "fPrbn1lHXwuQAhrRgMvSTg",
"name": "RogueCellTower"
},
"id": "GO7UOVytQX-78Tzk5IOvjg",
"level": "Red"
}
},
{
"deviceNetworkStatusRecord": {
"id": "xev8ikm5SX-s4zNVzbd9Cw",
"value": 0
},
"id": "DZi_-u7HRl-zN_jP-MAlSw",
"networkStatusLevel": {
"deviceNetworkStatus": {
"id": "5H_waBpbX6-W5Zg0SDQhIA",
"name": "ConnectionToUntrustedHotspots"
},
"id": "myxc8oiYTAWZEEwHvwbIEQ",
"level": "Orange"
}
},
{
"deviceNetworkStatusRecord": {
"id": "naAO765rRtyHscwBD3RrZg",
"value": 0
},
"id": "gkrrmUKsSeiEvqgUr5IfUg",
"networkStatusLevel": {
"deviceNetworkStatus": {
"id": "YWXiVq4SUnimRuDEzzDb_w",
"name": "RogueAccessPoint"
},
"id": "G-pFFmnsSWe-LXZEkSqhBA",
"level": "Green"
}
},
{
"deviceNetworkStatusRecord": {
"id": "6y2ToOEXQmCyI2kHhxd7Eg",
"value": 0
},
"id": "kj2F5qhIQzGMdPerO-Y3Lw",
"networkStatusLevel": {
"deviceNetworkStatus": {
"id": "TSss4UX3XweuFnLLGSbR1w",
"name": "ManInTheMiddle"
},
"id": "O43t_Zq2SkeM6TZiFmM8jQ",
"level": "Red"
}
},
{
"deviceNetworkStatusRecord": {
"id": "YNJfP2b7QdW3ULYB_CbIGw",
"value": 1
},
"id": "TSfDjjttS-GYG_NS4rSKPg",
"networkStatusLevel": {
"deviceNetworkStatus": {
"id": "f4nzGKc5UF-0Ow_uz0_jHQ",
"name": "GPS"
},
"id": "i0GslqZcR4K3k6k1S6EWHQ",
"level": "Green"
}
},
{
"deviceNetworkStatusRecord": {
"id": "08ZvMtm5TNOHTTkXujWD2w",
"value": 0
},
"id": "zeCc8trcQciYY4rLZce54w",
"networkStatusLevel": {
"deviceNetworkStatus": {
"id": "WRrA_3G0WZOdV52312piYA",
"name": "VPN"
},
"id": "13GU2c4vTxC2QylhQtWpPg",
"level": "Orange"
}
}
],
"matchedSystemStatusLevels": [
{
"deviceSystemStatusRecord": {
"id": "57jwjBD9SLCnfh5bSWmzSA",
"value": 0
},
"id": "-Beyvn0rTOmgqC1rs3XaEw",
"systemStatusLevel": {
"deviceSystemStatus": {
"id": "92Xbb2HhW02s85yh33nHfg",
"name": "SystemNotUpToDate"
},
"id": "oYdBmpvDT0aUz1dCzRGYDw",
"level": "Orange"
}
},
{
"deviceSystemStatusRecord": {
"id": "zrUxC90pTFOdDtfWlq_Mow",
"value": 1
},
"id": "1YiiEuuATR2rB7nKinFU5g",
"systemStatusLevel": {
"deviceSystemStatus": {
"id": "EmL050CAW-65ogu3GRSAsg",
"name": "ApplicationInstalledFromUnknownSource"
},
"id": "SX5zOVZoTWOn7oRTv8cNdw",
"level": "Orange"
}
},
{
"deviceSystemStatusRecord": {
"id": "_qLcu7a_TTatBWvbWRy8cA",
"value": 3
},
"id": "5vljuTwJQhSFWGOD3EF-aQ",
"systemStatusLevel": {
"deviceSystemStatus": {
"id": "s6wK_SInU42K_g2bGsPbhg",
"name": "SELinuxPermissive"
},
"id": "_ukzZc57QouY7kudIIrEsw",
"level": "Orange"
}
},
{
"deviceSystemStatusRecord": {
"id": "QMyc35a8TI27t5SFtvs_0A",
"value": 1
},
"id": "6HGN94xFQPm6f6UXr5jPdw",
"systemStatusLevel": {
"deviceSystemStatus": {
"id": "FjkqaultWs-HBFWzHq3C8Q",
"name": "AccessibilityOption"
},
"id": "gSIPIL0kSk62XlQuoelXDQ",
"level": "Green"
}
},
{
"deviceSystemStatusRecord": {
"id": "5ft9cwvGTI-Cnee1u-F9Aw",
"value": 0
},
"id": "bH-NDdsATluwj6VZn-ZBzA",
"systemStatusLevel": {
"deviceSystemStatus": {
"id": "iEqcWkTpW8yARFKCv8MBYQ",
"name": "CustomHosts"
},
"id": "Nbnd9EGxQMuqkF0KXysA4A",
"level": "Red"
}
},
{
"deviceSystemStatusRecord": {
"id": "aZUmMZ3cTNG3RfYhjpd8tQ",
"value": 1
},
"id": "d9CKeAvCT9Sb3vP06MOq4Q",
"systemStatusLevel": {
"deviceSystemStatus": {
"id": "sMLlZzy8WFKDp8xev58LpA",
"name": "DebugMode"
},
"id": "jWr0_EQpSj2z_JrkD2WOyQ",
"level": "Red"
}
},
{
"deviceSystemStatusRecord": {
"id": "yyQGNf7sT_KVRGUFdtnygw",
"value": 0
},
"id": "juI58xKrSrK16Rk787RsnA",
"systemStatusLevel": {
"deviceSystemStatus": {
"id": "UzAgUIoDXLioT8Xca4q9UA",
"name": "DeviceNotEncrypted"
},
"id": "hgwHAMvZTImT151inM8vYg",
"level": "Red"
}
},
{
"deviceSystemStatusRecord": {
"id": "-drVU9tpS1qugsU-1d0EDA",
"value": 1
},
"id": "VnfcT_lgRHurAfaGjym-rA",
"systemStatusLevel": {
"deviceSystemStatus": {
"id": "AV84fYHQXbyKjXZ52iuHLg",
"name": "DeveloperMode"
},
"id": "lB0d6wk8TJWpmJ-96Fi02Q",
"level": "Orange"
}
},
{
"deviceSystemStatusRecord": {
"id": "mM3q-uXmR1-TJflwC-C72w",
"value": 0
},
"id": "w0rOFu5STim869zy6aHs3w",
"systemStatusLevel": {
"deviceSystemStatus": {
"id": "cAwR35npXkmkg7IF3KnCgg",
"name": "Root"
},
"id": "oRJbjuE2Sl2P8exMrFQTHw",
"level": "Red"
}
}
],
"networkThreatLevel": "Green",
"systemThreatLevel": "Red"
},
"device": {
"byod": false,
"coupled": true,
"declaredModel": "SM-A536B",
"declaredOperatingSystem": "Android",
"declaredOperatingSystemSecurityPatchDate": "2023-08-01T00:00:00Z",
"declaredOperatingSystemVersion": "13",
"email": "test@pradeo.dev",
"emm": "unknown",
"id": "iowEjn9PR2WlrIIBR2_FPQ",
"imei": "xxxxx",
"lastConnection": "2024-07-05T14:58:48Z",
"mdmId": "xxxxx",
"name": "Test device",
"serialNumber": "unknown"
},
"metadata": {
"category": "null",
"creationDate": "2024-07-01T14:28:11Z",
"id": "QFtxnwWFCERsCvYI599bSv",
"source": "system",
"type": "DeviceCorrelationUpdated"
},
"policy": {
"id": "JIiW6eyUWoe9COTVCR4rww",
"name": "Standard"
}
}
}
{
"message": "{\"id\":\"QFtxnwWFCERsCvYI599bSv\",\"creationDate\":\"2024-07-01T14:28:11.000Z\",\"source\":\"admin\",\"category\":\"Network\",\"type\":\"DeviceDetection\",\"content\":{\"id\":\"android:p-2MTZU_S1jQsqz9Ommy_A\",\"last_name\":\"m\",\"first_name\":\"m\",\"email\":\"\",\"metric\":\"match_bluetooth\",\"type\":\"BlueTooth activation\",\"status\":\"END\"}}",
"event": {
"action": "DeviceDetection",
"category": [
"process"
],
"type": [
"info"
]
},
"@timestamp": "2024-07-01T14:28:11Z",
"pradeo": {
"detection": {
"status": "match_bluetooth",
"value": "END"
},
"device": {
"id": "android:p-2MTZU_S1jQsqz9Ommy_A"
},
"metadata": {
"category": "Network",
"creationDate": "2024-07-01T14:28:11Z",
"id": "QFtxnwWFCERsCvYI599bSv",
"source": "admin",
"type": "DeviceDetection"
}
}
}
{
"message": "{\"id\":\"---tmfIPM0q8uo0bGtreRA\",\"creationDate\":\"2024-07-05T08:58:43.325Z\",\"source\":\"device\",\"category\":null,\"type\":\"DeviceStatusHistoryUpdated\",\"content\":{\"deviceId\":\"3DGAsW2pRhKZLArNUGBo4Q\",\"event\":{\"kind\":\"RogueCellTower\",\"value\":2}},\"user\":null,\"device\":{\"id\":\"3DGAsW2pRhKZLArNUGBo4Q\",\"serialNumber\":\"unknown\",\"imei\":null,\"name\":null,\"email\":null,\"singleEnrollmentKey\":\"{sa?LW]p:gWoGR}),ishy@)7XPoMI-)LH&n)g5v{aY{Wqi4b\",\"byod\":false,\"lockPassword\":null,\"knoxVersion\":null,\"declaredOperatingSystem\":\"Android\",\"declaredOperatingSystemVersion\":\"13\",\"declaredOperatingSystemSecurityPatchDate\":\"2023-11-05T00:00:00.000Z\",\"declaredModel\":\"EB2103\",\"enrollmentStatus\":{\"id\":\"etw6fGIcQtyKQDB3hbpXUQ\",\"lastConnection\":\"2024-07-05T13:05:05.000Z\",\"coupled\":false},\"emmDeviceInfo\":null},\"company\":{\"id\":\"bufQJXK_RNamdgiPmXzpFg\",\"name\":\"Mobile boat\",\"creationDate\":\"2024-07-03T10:01:02.043Z\",\"lastModificationDate\":\"2024-07-04T07:19:50.000Z\",\"deletedAt\":null}}",
"event": {
"action": "DeviceStatusHistoryUpdated",
"category": [
"process"
],
"type": [
"info"
]
},
"@timestamp": "2024-07-05T08:58:43.325000Z",
"pradeo": {
"detection": {
"status": "RogueCellTower",
"value": 2
},
"device": {
"id": "3DGAsW2pRhKZLArNUGBo4Q"
},
"initiator": {
"byod": false,
"coupled": false,
"declaredModel": "EB2103",
"declaredOperatingSystem": "Android",
"declaredOperatingSystemSecurityPatchDate": "2023-11-05T00:00:00.000Z",
"declaredOperatingSystemVersion": "13",
"id": "3DGAsW2pRhKZLArNUGBo4Q",
"lastConnection": "2024-07-05T13:05:05Z",
"serialNumber": "unknown"
},
"metadata": {
"creationDate": "2024-07-05T08:58:43.325000Z",
"id": "---tmfIPM0q8uo0bGtreRA",
"source": "device",
"type": "DeviceStatusHistoryUpdated"
}
}
}
{
"message": "{\"id\":\"SQU4ZdbZSxqEIi1ioYP6mw\",\"creationDate\":\"2024-07-01T14:28:20.233Z\",\"source\":\"system\",\"category\":null,\"type\":\"DeviceNetworkStatusRecordUpdated\",\"content\":{\"deviceNetworkStatusRecord\":{\"id\":\"7tUjB6riQGqo2Tqz4AmVPw\",\"device\":{\"id\":\"R96VSXfLT4i1UDNKioactw\",\"serialNumber\":\"unknown\",\"imei\":null,\"name\":\"m m\",\"email\":null,\"singleEnrollmentKey\":null,\"byod\":false,\"lockPassword\":null,\"knoxVersion\":null,\"declaredOperatingSystem\":null,\"declaredOperatingSystemVersion\":null,\"declaredOperatingSystemSecurityPatchDate\":null,\"declaredModel\":null,\"company\":{\"id\":\"JmidYbyCRpegHOjnpK4uag\",\"name\":\"Pradeo\",\"creationDate\":\"2023-09-11T13:15:14.000Z\",\"lastModificationDate\":\"2024-04-19T10:03:30.000Z\",\"deletedAt\":null},\"enrollmentStatus\":{\"id\":\"2GxYOm6GR8qXdDRMrCjJwQ\",\"lastConnection\":\"2024-07-01T09:54:07.000Z\",\"coupled\":true},\"emmDeviceInfo\":null,\"configuration\":{\"id\":\"XXWAKzLmTIydNDbSbpLuWw\",\"advancedMode\":false,\"notificationPermission\":\"Undefined\",\"geolocationPermission\":\"Undefined\",\"callPermission\":\"Undefined\",\"knoxPermission\":\"Undefined\",\"vpnPermission\":\"Undefined\",\"bluetoothPermission\":\"Undefined\",\"deviceAdminPermission\":\"Undefined\",\"overlayPermission\":\"Undefined\",\"usageStatisticsPermission\":\"Undefined\",\"accessibilityPermission\":\"Undefined\",\"ignoreBatteryOptimizationPermission\":\"Undefined\"}},\"deviceNetworkStatus\":{\"id\":\"WgEwwyksUIS2T5AFjKtGvg\",\"name\":\"Bluetooth\"},\"value\":0}}}",
"event": {
"action": "DeviceNetworkStatusRecordUpdated",
"category": [
"process"
],
"type": [
"change"
]
},
"@timestamp": "2024-07-01T14:28:20.233000Z",
"pradeo": {
"detection": {
"status": "Bluetooth",
"value": 0
},
"device": {
"byod": false,
"coupled": true,
"id": "R96VSXfLT4i1UDNKioactw",
"lastConnection": "2024-07-01T09:54:07Z",
"name": "m m",
"serialNumber": "unknown"
},
"metadata": {
"creationDate": "2024-07-01T14:28:20.233000Z",
"id": "SQU4ZdbZSxqEIi1ioYP6mw",
"source": "system",
"type": "DeviceNetworkStatusRecordUpdated"
}
}
}
{
"message": "{\"id\":\"Chp2bFsQTEGAJd67m_Na2w\",\"creationDate\":\"2024-07-01T14:28:20.139Z\",\"source\":\"system\",\"category\":null,\"type\":\"DeviceStatusHistoryUpdated\",\"content\":{\"deviceId\":\"R96VSXfLT4i1UDNKioactw\",\"event\":{\"id\":\"Aw9PSSUpT0idoAdhaiACbg\",\"device\":{\"id\":\"R96VSXfLT4i1UDNKioactw\",\"serialNumber\":\"unknown\",\"imei\":null,\"name\":\"m m\",\"email\":null,\"singleEnrollmentKey\":null,\"byod\":false,\"lockPassword\":null,\"knoxVersion\":null,\"declaredOperatingSystem\":null,\"declaredOperatingSystemVersion\":null,\"declaredOperatingSystemSecurityPatchDate\":null,\"declaredModel\":null,\"company\":{\"id\":\"JmidYbyCRpegHOjnpK4uag\",\"name\":\"Pradeo\",\"creationDate\":\"2023-09-11T13:15:14.000Z\",\"lastModificationDate\":\"2024-04-19T10:03:30.000Z\",\"deletedAt\":null},\"enrollmentStatus\":{\"id\":\"2GxYOm6GR8qXdDRMrCjJwQ\",\"lastConnection\":\"2024-07-01T09:54:07.000Z\",\"coupled\":true},\"emmDeviceInfo\":null},\"kind\":\"Bluetooth\",\"value\":0,\"eventDate\":\"2024-07-01T14:28:20.124Z\"}}}",
"event": {
"action": "DeviceStatusHistoryUpdated",
"category": [
"process"
],
"type": [
"info"
]
},
"@timestamp": "2024-07-01T14:28:20.139000Z",
"pradeo": {
"detection": {
"status": "Bluetooth",
"value": 0
},
"device": {
"id": "R96VSXfLT4i1UDNKioactw"
},
"metadata": {
"creationDate": "2024-07-01T14:28:20.139000Z",
"id": "Chp2bFsQTEGAJd67m_Na2w",
"source": "system",
"type": "DeviceStatusHistoryUpdated"
}
}
}
{
"message": "{\"id\":\"hWjVNq-WRiefU1vqfrbeyQ\",\"creationDate\":\"2024-06-27T11:24:13.592Z\",\"source\":\"system\",\"category\":null,\"type\":\"DeviceSystemStatusRecordUpdated\",\"content\":{\"deviceSystemStatusRecord\":{\"id\":\"2jA8-gQ6TCuGIgR9EMcbYQ\",\"device\":{\"id\":\"EeFFJKtPS0Gl52z5uzijKg\",\"serialNumber\":null,\"imei\":null,\"name\":\" cs Ivanti EID2\",\"email\":null,\"singleEnrollmentKey\":null,\"byod\":true,\"lockPassword\":null,\"knoxVersion\":null,\"declaredOperatingSystem\":null,\"declaredOperatingSystemVersion\":null,\"declaredOperatingSystemSecurityPatchDate\":null,\"declaredModel\":null,\"company\":{\"id\":\"JmidYbyCRpegHOjnpK4uag\",\"name\":\"Pradeo\",\"creationDate\":\"2023-09-11T13:15:14.000Z\",\"lastModificationDate\":\"2024-04-19T10:03:30.000Z\",\"deletedAt\":null},\"enrollmentStatus\":{\"id\":\"ZWxQtoMWTKegjcvMinHaZg\",\"lastConnection\":\"2024-06-21T12:07:57.000Z\",\"coupled\":true},\"emmDeviceInfo\":null,\"configuration\":{\"id\":\"4oQgfWybS46D2huT1ggWLA\",\"advancedMode\":false,\"notificationPermission\":\"Undefined\",\"geolocationPermission\":\"Undefined\",\"callPermission\":\"Undefined\",\"knoxPermission\":\"Undefined\",\"vpnPermission\":\"Undefined\",\"bluetoothPermission\":\"Undefined\",\"deviceAdminPermission\":\"Undefined\",\"overlayPermission\":\"Undefined\",\"usageStatisticsPermission\":\"Undefined\",\"accessibilityPermission\":\"Undefined\",\"ignoreBatteryOptimizationPermission\":\"Undefined\"}},\"deviceSystemStatus\":{\"id\":\"AV84fYHQXbyKjXZ52iuHLg\",\"name\":\"DeveloperMode\"},\"value\":1}}}",
"event": {
"action": "DeviceSystemStatusRecordUpdated",
"category": [
"process"
],
"type": [
"change"
]
},
"@timestamp": "2024-06-27T11:24:13.592000Z",
"pradeo": {
"detection": {
"status": "DeveloperMode",
"value": 1
},
"device": {
"byod": true,
"coupled": true,
"id": "EeFFJKtPS0Gl52z5uzijKg",
"lastConnection": "2024-06-21T12:07:57Z",
"name": " cs Ivanti EID2"
},
"metadata": {
"creationDate": "2024-06-27T11:24:13.592000Z",
"id": "hWjVNq-WRiefU1vqfrbeyQ",
"source": "system",
"type": "DeviceSystemStatusRecordUpdated"
}
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
| Name | Type | Description |
|---|---|---|
@timestamp |
date |
Date/time when the event originated. |
event.action |
keyword |
The action captured by the event. |
event.category |
keyword |
Event category. The second categorization field in the hierarchy. |
event.type |
keyword |
Event type. The third categorization field in the hierarchy. |
pradeo.application.id |
string |
id of the application |
pradeo.application.md5 |
string |
md5 of the application |
pradeo.application.name |
string |
name of the application |
pradeo.application.package |
string |
package of the application |
pradeo.application.sha1 |
string |
sha1 of the application |
pradeo.application.sha256 |
string |
sha256 of the application |
pradeo.application.system |
string |
operating system of the application |
pradeo.application.version |
string |
version of the application |
pradeo.application.versionCode |
integer |
version code of the application |
pradeo.compliance.matchedResponseRules |
string |
compliance matched response rules level of a device or device application |
pradeo.correlation.applicationThreatLevel |
keyword |
application threat level of the device |
pradeo.correlation.matchedNetworkStatusLevels |
string |
matched network status level of a device |
pradeo.correlation.matchedSystemStatusLevels |
string |
matched system status level of a device |
pradeo.correlation.networkThreatLevel |
keyword |
network threat level of the device |
pradeo.correlation.systemThreatLevel |
keyword |
system threat level of the device |
pradeo.detection.status |
keyword |
device status name affected by the event |
pradeo.detection.value |
integer |
device status value affected by the event |
pradeo.device.byod |
boolean |
byod state of the device |
pradeo.device.coupled |
boolean |
coupling status of the device |
pradeo.device.declaredModel |
string |
declared model of the device |
pradeo.device.declaredOperatingSystem |
keyword |
declared operating system of the device |
pradeo.device.declaredOperatingSystemSecurityPatchDate |
datetime |
declared operating system security patch date of the device |
pradeo.device.declaredOperatingSystemVersion |
string |
declared operating system version of the device |
pradeo.device.email |
string |
email of the device |
pradeo.device.emm |
string |
emm of the device |
pradeo.device.id |
string |
id of the device |
pradeo.device.imei |
string |
imei of the device |
pradeo.device.lastConnection |
datetime |
last connection date of the device |
pradeo.device.mdmId |
string |
mdm id of the device |
pradeo.device.name |
string |
name of the device |
pradeo.device.serialNumber |
string |
serial mumber of the device |
pradeo.initiator.byod |
boolean |
byod state of the initiator of the action (device) |
pradeo.initiator.coupled |
boolean |
coupling status of the initiator of the action (device) |
pradeo.initiator.declaredModel |
string |
declared model of the initiator of the action (device) |
pradeo.initiator.declaredOperatingSystem |
keyword |
declared operating system of the initiator of the action (device) |
pradeo.initiator.declaredOperatingSystemSecurityPatchDate |
string |
declared operating system security patch date of the initiator of the action (device) |
pradeo.initiator.declaredOperatingSystemVersion |
string |
declared operating system version of the initiator of the action (device) |
pradeo.initiator.email |
string |
email of the initiator of the action (device or admin) |
pradeo.initiator.emm |
keyword |
emm of the initiator of the action (device) |
pradeo.initiator.id |
string |
id of the initiator of the action (device or admin) |
pradeo.initiator.imei |
string |
imei of the initiator of the action (device) |
pradeo.initiator.lastConnection |
datetime |
last connection date of the initiator of the action (device) |
pradeo.initiator.mdmId |
string |
mdm id of the initiator of the action (device) |
pradeo.initiator.name |
string |
name of the initiator of the action (device) |
pradeo.initiator.serialNumber |
string |
serial mumber of the initiator of the action (device) |
pradeo.metadata.category |
keyword |
event category (application, device, system or network) |
pradeo.metadata.creationDate |
datetime |
Cretaion date of the event |
pradeo.metadata.id |
string |
Pradeo unique event id |
pradeo.metadata.source |
keyword |
event origin (system or admin) |
pradeo.metadata.type |
keyword |
type of event (e.g AccountCreated, DeviceCreated, DeviceDetection) |
pradeo.permission.name |
string |
permission name |
pradeo.permission.value |
string |
permission value |
pradeo.policy.id |
string |
policy id used for correlation |
pradeo.policy.name |
string |
policy name used for correlation |
user.email |
keyword |
User email address. |
user.full_name |
keyword |
User's full name, if available. |
user.id |
keyword |
Unique identifier of the user. |
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.