
OCSF

Overview

The OCSF (Open Cybersecurity Schema Framework) is an initiative to create a common, open-source set of data standards and schemas for cybersecurity threat information. It aims to improve interoperability and streamline threat data sharing across different tools and platforms.

  • Vendor: OCSF
  • Plan: Defend Core & Defend Prime
  • Supported environment: SaaS
  • Version compatibility: 1.1
  • Detection based on: Telemetry
  • Supported application or feature: System Activity, Findings, Identity & Access Management, Network Activity, Discovery, Application Activity

Warning

Important note: this format is currently in beta. We highly value your feedback to improve it.

Configure

Deploying the Data Collection Architecture

This section will guide you through creating all the AWS resources needed to collect OCSF events. If you already have existing resources that you want to use, you may do so, but any potential issues or incompatibilities with this tutorial will be your responsibility.

Prerequisites

In order to set up the AWS architecture, you need administrator access to the Amazon console with the permissions to create and manage users, Security Lake subscribers, S3 notifications, SQS queues and resource access (RAM).

Create a Security Lake subscriber

To allow Sekoia.io to collect OCSF events, you need an active subscriber.

To create a subscriber:

  1. In the AWS console, navigate to: Services > Security Lake > Subscribers.
  2. Click Create subscriber.
  3. Name the subscriber (e.g. Sekoia.io) and type a description.
  4. Select S3 as the Data access method.
  5. Type the account ID and external ID associated with the access key.
  6. Select the sources you want to forward to Sekoia.io.
  7. Click Create.

Pull events

Go to the intake page and create a new intake with the OCSF format.

Type the name of the intake, select the entity and click Next. Select or create an account with the AWS access key, the secret key and the region name. Set up the configuration with the name of the SQS queue (keep the last part of the ARN of the subscription endpoint).

Important

In the configuration settings of your OCSF intake, we recommend using the following configuration by default: chunk_size = 10000 and frequency = 10.

Start the intake and enjoy your events.
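The collection path set up above is a Security Lake subscriber whose S3 bucket sends object notifications to an SQS queue, which the intake then polls. The following Python is an added illustration of that path, not Sekoia.io's intake code: it derives the queue name from a subscription endpoint ARN the way the configuration step describes (last colon-separated part), and decodes the S3 event notification bodies a consumer receives from the queue, skipping the `s3:TestEvent` message S3 sends when a notification is configured and URL-decoding object keys. The ARN, bucket name and object key are constructed sample values; the `queue_name_from_arn` and `objects_from_notification` helpers are hypothetical names used only here.

```python
import json
from urllib.parse import unquote_plus

# Constructed sample values (not from a real account): a subscription endpoint
# ARN and two message bodies in the shape S3 event notifications deliver to SQS.
SUBSCRIPTION_ENDPOINT_ARN = (
    "arn:aws:sqs:us-east-1:111122223333:AmazonSecurityLake-example-Main-Queue"
)

# S3 sends this once when the notification configuration is created; it has
# no Records and must not be mistaken for a new object.
S3_TEST_EVENT = json.dumps(
    {"Service": "Amazon S3", "Event": "s3:TestEvent", "Bucket": "security-lake-example"}
)

# A regular object-created notification. Keys are URL-encoded in notifications
# ('=' becomes %3D, a space becomes '+').
OBJECT_CREATED = json.dumps({"Records": [{
    "eventSource": "aws:s3",
    "eventName": "ObjectCreated:Put",
    "s3": {
        "bucket": {"name": "security-lake-example"},
        "object": {"key": "sample/region%3Dus-east-1/events+1"},
    },
}]})


def queue_name_from_arn(arn: str) -> str:
    """Return the SQS queue name: the last colon-separated part of the ARN,
    which is what the intake configuration asks for."""
    parts = arn.split(":")
    if len(parts) != 6 or parts[2] != "sqs":
        raise ValueError(f"not an SQS queue ARN: {arn}")
    return parts[5]


def objects_from_notification(body: str) -> list[tuple[str, str]]:
    """Return (bucket, key) pairs for newly created objects in one SQS message.

    The s3:TestEvent message and anything without Records yields nothing;
    only aws:s3 ObjectCreated:* records are kept, and keys are URL-decoded
    so the caller fetches the object name S3 actually stored.
    """
    msg = json.loads(body)
    if msg.get("Event") == "s3:TestEvent" or "Records" not in msg:
        return []
    found = []
    for rec in msg["Records"]:
        if rec.get("eventSource") != "aws:s3":
            continue
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue
        bucket = rec["s3"]["bucket"]["name"]
        key = unquote_plus(rec["s3"]["object"]["key"])
        found.append((bucket, key))
    return found


def plan_fetches(message_bodies: list[str]) -> list[tuple[str, str]]:
    """Flatten a batch of polled message bodies into the objects to download."""
    plan = []
    for body in message_bodies:
        plan.extend(objects_from_notification(body))
    return plan


if __name__ == "__main__":
    print("queue:", queue_name_from_arn(SUBSCRIPTION_ENDPOINT_ARN))
    for bucket, key in plan_fetches([S3_TEST_EVENT, OBJECT_CREATED]):
        print(f"fetch s3://{bucket}/{key}")
```

In a real consumer the message bodies come from the queue named by `queue_name_from_arn`, and each message is deleted from the queue only after the objects it names have been downloaded and processed, so a crash between the two does not lose events.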

Raw Events Samples

In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. This is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.
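The samples below are several OCSF JSON objects written back to back, and they span CloudTrail, EKS audit and Windows Security sources, so a few fields differ between them: `actor.user.name` is absent on some records, `src_endpoint.ip` is the placeholder `"-"` on the Windows events, and `status_id` may be null. The following Python is an added example, not part of this page or of Sekoia.io's parser: it splits such a concatenated stream into records, checks the OCSF invariant `type_uid = class_uid * 100 + activity_id`, and reduces each record to a normalized summary with defender-side flags (a failed authentication, an account change made from a session without MFA). The two records in `RAW_SAMPLES` are constructed and shortened from the shapes shown on this page; `iter_records`, `summarize` and `flags` are hypothetical helper names.

```python
import json
from typing import Any, Iterator

# Constructed sample: two OCSF records back to back, shortened from the shapes
# of the raw samples on this page (an Account Change and a failed Windows logon).
RAW_SAMPLES = """
{"activity_id": 1, "activity_name": "Create", "class_uid": 3001, "type_uid": 300101,
 "type_name": "Account Change: Create",
 "actor": {"session": {"is_mfa": false},
           "user": {"uid": "arn:aws:sts::112233445566:assumed-role/Admin/Admin-user"}},
 "src_endpoint": {"ip": "52.95.4.21"}, "status_id": null, "time": 1679072879000}
{"activity_id": 1, "activity_name": "Logon", "class_uid": 3002, "type_uid": 300201,
 "type_name": "Authentication: Logon",
 "actor": {"user": {"name": "Administrator"}},
 "src_endpoint": {"ip": "-"}, "status": "0xC000006D", "status_id": 2,
 "time": 1602175307000}
"""


def iter_records(text: str) -> Iterator[dict[str, Any]]:
    """Yield each JSON object from text holding several objects back to back,
    with no array or separator around them (as in the samples on this page)."""
    decoder = json.JSONDecoder()
    pos, end = 0, len(text)
    while pos < end:
        while pos < end and text[pos].isspace():
            pos += 1
        if pos >= end:
            break
        obj, pos = decoder.raw_decode(text, pos)
        yield obj


def get_path(record: dict[str, Any], path: str, default: Any = None) -> Any:
    """Dotted lookup that tolerates missing intermediate objects."""
    cur: Any = record
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def check_type_uid(record: dict[str, Any]) -> bool:
    """OCSF derives type_uid from class_uid and activity_id; a mismatch means
    the record was mis-mapped upstream."""
    class_uid = record.get("class_uid") or 0
    activity_id = record.get("activity_id") or 0
    return record.get("type_uid") == class_uid * 100 + activity_id


def flags(record: dict[str, Any]) -> list[str]:
    """Defender-side flags for the two classes that appear in the samples."""
    out = []
    if record.get("class_uid") == 3002 and record.get("status_id") == 2:
        out.append("failed_authentication")        # Authentication with status Failure
    if record.get("class_uid") == 3001 and get_path(record, "actor.session.is_mfa") is False:
        out.append("account_change_without_mfa")   # Account Change from a non-MFA session
    if not check_type_uid(record):
        out.append("inconsistent_type_uid")
    return out


def summarize(record: dict[str, Any]) -> dict[str, Any]:
    """Normalize one record: prefer a human name for the actor, fall back to its
    uid, and turn the Windows '-' placeholder IP into None."""
    ip = get_path(record, "src_endpoint.ip")
    return {
        "class_uid": record.get("class_uid"),
        "type_name": record.get("type_name"),
        "actor": get_path(record, "actor.user.name") or get_path(record, "actor.user.uid"),
        "src_ip": None if ip in (None, "-", "") else ip,
        "status_id": record.get("status_id"),
        "time": record.get("time"),
        "flags": flags(record),
    }


def process(text: str) -> list[dict[str, Any]]:
    return [summarize(r) for r in iter_records(text)]


if __name__ == "__main__":
    for row in process(RAW_SAMPLES):
        print(row)
```

`iter_records` relies on `json.JSONDecoder.raw_decode`, which returns the end offset of each object, so it also handles single-line and pretty-printed records alike; a stream that is instead a JSON array or newline-delimited JSON can be handled by the same loop without change.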

{
    "activity_id": 1,
    "activity_name": "Create",
    "actor": {
        "idp": {
            "name": null
        },
        "invoked_by": null,
        "session": {
            "created_time": 1700239437000,
            "created_time_dt": "2023-11-17T16:43:57Z",
            "is_mfa": false,
            "issuer": "arn:aws:iam::112233445566:role/Admin"
        },
        "user": {
            "account": {
                "uid": "112233445566"
            },
            "credential_uid": null,
            "type": "AssumedRole",
            "uid": "arn:aws:sts::112233445566:assumed-role/Admin/Admin-user",
            "uid_alt": "AROA2W7SOKHEXAMPLE:Admin-user"
        }
    },
    "api": {
        "operation": "CreateUser",
        "request": {
            "data": {
                "userName": "test_user2"
            },
            "uid": "c99bf9da-e0bd-4bf7-bb32-example"
        },
        "response": {
            "data": {
                "user": {
                    "arn": "arn:aws:iam::112233445566:user/test_user2",
                    "createDate": "Mar 17, 2023 5:07:59 PM",
                    "path": "/",
                    "userId": "AIDA2W7SOKHEXAMPLE",
                    "userName": "test_user2"
                }
            },
            "error": null,
            "message": null
        },
        "service": {
            "name": "iam.amazonaws.com"
        },
        "version": null
    },
    "category_name": "Identity & Access Management Category",
    "category_uid": 3,
    "class_name": "Account Change",
    "class_uid": 3001,
    "cloud": {
        "provider": "AWS",
        "region": "us-east-1"
    },
    "http_request": {
        "user_agent": "AWS Internal"
    },
    "metadata": {
        "log_name": "AwsApiCall",
        "log_provider": "CloudTrail",
        "product": {
            "feature": {
                "name": "Management"
            },
            "name": "CloudTrail",
            "vendor_name": "AWS",
            "version": "1.08"
        },
        "profiles": [
            "cloud",
            "datetime"
        ],
        "uid": "7dd15a89-ae0f-4340-8e6c-example",
        "version": "1.1.0"
    },
    "observables": [
        {
            "name": "user.name",
            "type": "User",
            "type_id": 4,
            "value": "test_user2"
        },
        {
            "name": "src_endpoint.ip",
            "type": "IP Address",
            "type_id": 2,
            "value": "52.95.4.21"
        }
    ],
    "severity": "Informational",
    "severity_id": 1,
    "src_endpoint": {
        "ip": "52.95.4.21",
        "uid": null
    },
    "time": 1679072879000,
    "time_dt": "2023-03-17T17:07:59Z",
    "type_name": "Account Change: Create",
    "type_uid": 300101,
    "unmapped": {
        "eventType": "AwsApiCall",
        "managementEvent": true,
        "readOnly": false,
        "recipientAccountId": "112233445566",
        "requestParameters": {
            "userName": "test_user2"
        },
        "responseElements": {
            "user": {
                "arn": "arn:aws:iam::112233445566:user/test_user2",
                "createDate": "Mar 17, 2023 5:07:59 PM",
                "path": "/",
                "userId": "AIDA2W7SOKHEXAMPLE",
                "userName": "test_user2"
            }
        },
        "sessionCredentialFromConsole": "true",
        "userIdentity": {
            "sessionContext": {
                "attributes": {
                    "mfaAuthenticated": "false"
                },
                "sessionIssuer": {
                    "accountId": "112233445566",
                    "principalId": "AROA2W7SOKHEXAMPLE",
                    "type": "Role"
                },
                "webIdFederationData": {}
            }
        }
    },
    "user": {
        "name": "test_user2",
        "uid": "AROA2W7SOKHEXAMPLE:Admin-user"
    }
}
{
    "activity_id": 2,
    "activity_name": "Read",
    "actor": {
        "idp": {
            "name": null
        },
        "invoked_by": null,
        "session": {
            "created_time": 0,
            "created_time_dt": null,
            "issuer": null
        },
        "user": {
            "account": {
                "uid": "1111111111111"
            },
            "credential_uid": "AKIA3Z2XBVEXAMPLE",
            "name": "Level6",
            "type": "IAMUser",
            "uid": "arn:aws:iam::1111111111111:user/Level6",
            "uid_alt": "AIDADO2GQEXAMPLE"
        }
    },
    "api": {
        "operation": "DescribeDirectConnectGateways",
        "request": {
            "data": null,
            "uid": "1c8a6220-4263-4763-b526-example"
        },
        "response": {
            "data": {
                "directConnectGateways": []
            },
            "error": null,
            "message": null
        },
        "service": {
            "name": "directconnect.amazonaws.com"
        },
        "version": null
    },
    "category_name": "Application Activity",
    "category_uid": 6,
    "class_name": "API Activity",
    "class_uid": 6003,
    "cloud": {
        "provider": "AWS",
        "region": "us-east-1"
    },
    "http_request": {
        "user_agent": "Boto3/1.15.2 Python/3.8.2 Linux/5.6.3-arch1-1 Botocore/1.18.2"
    },
    "metadata": {
        "log_name": "AwsApiCall",
        "log_provider": "CloudTrail",
        "product": {
            "feature": {
                "name": null
            },
            "name": "CloudTrail",
            "vendor_name": "AWS",
            "version": "1.05"
        },
        "profiles": [
            "cloud",
            "datetime"
        ],
        "uid": "71c88be9-ea5c-43c7-8c82-example",
        "version": "1.1.0"
    },
    "observables": [
        {
            "name": "actor.user.name",
            "type": "User",
            "type_id": 4,
            "value": "Level6"
        },
        {
            "name": "src_endpoint.ip",
            "type": "IP Address",
            "type_id": 2,
            "value": "205.8.181.128"
        }
    ],
    "severity": "Informational",
    "severity_id": 1,
    "src_endpoint": {
        "ip": "205.8.181.128"
    },
    "status": null,
    "status_id": 99,
    "time": 1695334972000,
    "time_dt": "2023-09-21T22:22:52Z",
    "type_name": "API Activity: Read",
    "type_uid": 600302,
    "unmapped": {
        "eventType": "AwsApiCall",
        "recipientAccountId": "1111111111111",
        "requestParameters": null,
        "responseElements": {
            "directConnectGateways": []
        },
        "userIdentity": {}
    }
}
{
    "activity_id": 1,
    "activity_name": "Create",
    "actor": {
        "session": {
            "credential_uid": "EXAMPLEUIDTEST",
            "issuer": "arn:aws:iam::123456789012:role/example-test-161366663-NodeInstanceRole-abc12345678912",
            "uid": "i-12345678901"
        },
        "user": {
            "groups": [
                {
                    "name": "system:bootstrappers"
                },
                {
                    "name": "system:nodes"
                },
                {
                    "name": "system:authenticated"
                }
            ],
            "name": "system:node:ip-192-001-02-03.ec2.internal",
            "type_id": 0,
            "uid": "heptio-authenticator-aws:123456789012:ABCD1234567890EXAMPLE"
        }
    },
    "api": {
        "operation": "create",
        "request": {
            "uid": "f47c68f2-d3ac-4f96-b2f4-5d497bf79b64"
        },
        "response": {
            "code": 201
        },
        "version": "v1"
    },
    "category_name": "Application Activity",
    "category_uid": 6,
    "class_name": "API Activity",
    "class_uid": 6003,
    "cloud": {
        "account": {
            "uid": "arn:aws:sts::123456789012:assumed-role/example-test-161366663-NodeInstanceRole-abc12345678912/i-12345678901"
        },
        "provider": "AWS"
    },
    "http_request": {
        "url": {
            "path": "/api/v1/nodes"
        },
        "user_agent": "kubelet/v1.21.2 (linux/amd64) kubernetes/729bdfc"
    },
    "message": "ResponseComplete",
    "metadata": {
        "log_level": "RequestResponse",
        "product": {
            "feature": {
                "name": "Elastic Kubernetes Service"
            },
            "name": "Amazon EKS",
            "vendor_name": "AWS",
            "version": "audit.k8s.io/v1"
        },
        "profiles": [
            "cloud",
            "datetime"
        ],
        "version": "1.1.0"
    },
    "observables": [
        {
            "name": "actor.user.name",
            "type": "User Name",
            "type_id": 4,
            "value": "system:node:ip-192-001-02-03.ec2.internal"
        },
        {
            "name": "src_endpoint.ip",
            "type": "IP Address",
            "type_id": 2,
            "value": "12.000.22.33"
        },
        {
            "name": "http_request.url.path",
            "type": "URL String",
            "type_id": 6,
            "value": "/api/v1/nodes"
        }
    ],
    "resources": [
        {
            "name": "ip-192-001-02-03.ec2.internal",
            "type": "nodes"
        }
    ],
    "severity": "Informational",
    "severity_id": 1,
    "src_endpoint": {
        "ip": "12.000.22.33"
    },
    "start_time_dt": "2021-09-07 20:37:30.502000",
    "time": 1631047050642,
    "time_dt": "2021-09-07 20:37:30.642000",
    "type_name": "API Activity: Create",
    "type_uid": 600301,
    "unmapped": {
        "responseObject.status.capacity.cpu": "4",
        "annotations.authorization.k8s.io/reason": "",
        "requestObject.metadata.annotations.volumes.kubernetes.io/controller-managed-attach-detach": "true",
        "responseObject.metadata.labels.kubernetes.io/hostname": "ip-192-001-02-03.ec2.internal",
        "requestObject.metadata.labels.eks.amazonaws.com/sourceLaunchTemplateVersion": "1",
        "responseObject.metadata.labels.alpha.eksctl.io/cluster-name": "ABCD1234567890EXAMPLE",
        "responseObject.metadata.labels.eks.amazonaws.com/nodegroup-image": "ami-0193ebf9573ebc9f7",
        "responseObject.metadata.managedFields[].time": "2021-09-07T20:37:30Z",
        "responseObject.status.nodeInfo.kubeletVersion": "v1.21.2-eks-55daa9d",
        "responseObject.status.nodeInfo.kubeProxyVersion": "v1.21.2-eks-55daa9d",
        "requestObject.status.capacity.hugepages-1Gi": "0",
        "responseObject.metadata.managedFields[].manager": "kubelet",
        "annotations.authorization.k8s.io/decision": "allow",
        "requestObject.status.nodeInfo.systemUUID": "ec2483c6-33b0-e271-f36c-e14e45a361b8",
        "responseObject.metadata.name": "ip-192-001-02-03.ec2.internal",
        "responseObject.metadata.labels.eks.amazonaws.com/sourceLaunchTemplateVersion": "1",
        "responseObject.apiVersion": "v1",
        "requestObject.metadata.labels.kubernetes.io/arch": "amd64",
        "requestObject.status.allocatable.hugepages-2Mi": "0",
        "requestObject.metadata.labels.alpha.eksctl.io/cluster-name": "ABCD1234567890EXAMPLE",
        "responseObject.status.allocatable.memory": "15076868Ki",
        "responseObject.status.conditions[].lastHeartbeatTime": "2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z",
        "responseObject.spec.providerID": "aws:///us-east-1f/i-12345678901",
        "requestObject.status.nodeInfo.architecture": "amd64",
        "responseObject.status.nodeInfo.kernelVersion": "5.4.141-67.229.amzn2.x86_64",
        "responseObject.status.allocatable.pods": "58",
        "requestObject.status.conditions[].status": "False,False,False,False",
        "requestObject.metadata.labels.failure-domain.beta.kubernetes.io/region": "us-east-1",
        "responseObject.metadata.labels.beta.kubernetes.io/os": "linux",
        "responseObject.metadata.labels.kubernetes.io/os": "linux",
        "requestObject.status.addresses[].address": "192.000.22.33,12.000.22.33,ip-192-001-02-03.ec2.internal,ip-192-001-02-03.ec2.internal,ec2-12.000.22.33.compute-1.amazonaws.com",
        "responseObject.status.capacity.hugepages-1Gi": "0",
        "responseObject.status.conditions[].reason": "KubeletHasSufficientMemory,KubeletHasNoDiskPressure,KubeletHasSufficientPID,KubeletNotReady",
        "requestObject.apiVersion": "v1",
        "requestObject.status.capacity.cpu": "4",
        "requestObject.metadata.labels.node.kubernetes.io/instance-type": "m5.xlarge",
        "requestObject.metadata.labels.eks.amazonaws.com/nodegroup-image": "ami-0193ebf9573ebc9f7",
        "responseObject.metadata.labels.node.kubernetes.io/instance-type": "m5.xlarge",
        "responseObject.status.allocatable.hugepages-2Mi": "0",
        "responseObject.status.allocatable.attachable-volumes-aws-ebs": "25",
        "requestObject.status.nodeInfo.containerRuntimeVersion": "docker://19.3.13",
        "requestObject.status.allocatable.attachable-volumes-aws-ebs": "25",
        "responseObject.status.conditions[].lastTransitionTime": "2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z",
        "responseObject.metadata.creationTimestamp": "2021-09-07T20:37:30Z",
        "requestObject.metadata.labels.kubernetes.io/hostname": "ip-192-001-02-03.ec2.internal",
        "requestObject.status.nodeInfo.bootID": "0d0dd4f2-8829-4b03-9f29-794f4908281b",
        "requestObject.status.nodeInfo.kubeProxyVersion": "v1.21.2-eks-55daa9d",
        "responseObject.kind": "Node",
        "requestObject.status.nodeInfo.osImage": "Amazon Linux 2",
        "requestObject.status.conditions[].type": "MemoryPressure,DiskPressure,PIDPressure,Ready",
        "requestObject.status.daemonEndpoints.kubeletEndpoint.Port": "10250",
        "responseObject.metadata.labels.kubernetes.io/arch": "amd64",
        "responseObject.metadata.labels.eks.amazonaws.com/sourceLaunchTemplateId": "lt-0f20d6f901007611e",
        "requestObject.status.capacity.attachable-volumes-aws-ebs": "25",
        "responseObject.status.conditions[].message": "kubelet has sufficient memory available,kubelet has no disk pressure,kubelet has sufficient PID available,[container runtime status check may not have completed yet, container runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:docker: network plugin is not ready: cni config uninitialized, CSINode is not yet initialized, missing node capacity for resources: ephemeral-storage]",
        "responseObject.status.nodeInfo.operatingSystem": "linux",
        "requestObject.metadata.labels.alpha.eksctl.io/nodegroup-name": "ng-5fe434eb",
        "responseObject.status.capacity.memory": "16093700Ki",
        "requestObject.metadata.labels.beta.kubernetes.io/arch": "amd64",
        "requestObject.metadata.labels.eks.amazonaws.com/capacityType": "ON_DEMAND",
        "requestObject.status.allocatable.memory": "15076868Ki",
        "requestObject.status.conditions[].lastHeartbeatTime": "2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z",
        "responseObject.status.capacity.attachable-volumes-aws-ebs": "25",
        "responseObject.status.nodeInfo.osImage": "Amazon Linux 2",
        "responseObject.metadata.labels.beta.kubernetes.io/instance-type": "m5.xlarge",
        "responseObject.metadata.labels.alpha.eksctl.io/nodegroup-name": "ng-5fe434eb",
        "requestObject.metadata.labels.beta.kubernetes.io/instance-type": "m5.xlarge",
        "responseObject.status.nodeInfo.architecture": "amd64",
        "responseObject.metadata.labels.topology.kubernetes.io/zone": "us-east-1f",
        "requestObject.status.capacity.hugepages-2Mi": "0",
        "requestObject.status.conditions[].message": "kubelet has sufficient memory available,kubelet has no disk pressure,kubelet has sufficient PID available,[container runtime status check may not have completed yet, container runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:docker: network plugin is not ready: cni config uninitialized, CSINode is not yet initialized, missing node capacity for resources: ephemeral-storage]",
        "responseObject.metadata.labels.failure-domain.beta.kubernetes.io/region": "us-east-1",
        "requestObject.metadata.labels.eks.amazonaws.com/sourceLaunchTemplateId": "lt-0f20d6f901007611e",
        "responseObject.spec.taints[].effect": "NoSchedule",
        "requestObject.metadata.labels.topology.kubernetes.io/region": "us-east-1",
        "requestObject.metadata.name": "ip-192-001-02-03.ec2.internal",
        "responseObject.status.nodeInfo.machineID": "ec2483c633b0e271f36ce14e45a361b8",
        "kind": "Event",
        "responseObject.metadata.annotations.volumes.kubernetes.io/controller-managed-attach-detach": "true",
        "responseObject.status.nodeInfo.bootID": "0d0dd4f2-8829-4b03-9f29-794f4908281b",
        "responseObject.status.conditions[].status": "False,False,False,False",
        "requestObject.metadata.labels.beta.kubernetes.io/os": "linux",
        "requestObject.status.allocatable.hugepages-1Gi": "0",
        "requestObject.status.addresses[].type": "InternalIP,ExternalIP,Hostname,InternalDNS,ExternalDNS",
        "requestObject.metadata.labels.failure-domain.beta.kubernetes.io/zone": "us-east-1f",
        "requestObject.status.allocatable.cpu": "3920m",
        "requestObject.metadata.labels.kubernetes.io/os": "linux",
        "requestObject.status.nodeInfo.operatingSystem": "linux",
        "responseObject.status.daemonEndpoints.kubeletEndpoint.Port": "10250",
        "responseObject.status.nodeInfo.systemUUID": "ec2483c6-33b0-e271-f36c-e14e45a361b8",
        "responseObject.metadata.labels.failure-domain.beta.kubernetes.io/zone": "us-east-1f",
        "requestObject.metadata.labels.topology.kubernetes.io/zone": "us-east-1f",
        "responseObject.status.nodeInfo.containerRuntimeVersion": "docker://19.3.13",
        "requestObject.status.nodeInfo.kernelVersion": "5.4.141-67.229.amzn2.x86_64",
        "requestObject.kind": "Node",
        "requestObject.spec.providerID": "aws:///us-east-1f/i-12345678901",
        "responseObject.metadata.uid": "4ecf628a-1b50-47ed-932c-bb1df89dad10",
        "responseObject.status.capacity.hugepages-2Mi": "0",
        "responseObject.metadata.managedFields[].fieldsType": "FieldsV1",
        "responseObject.metadata.labels.topology.kubernetes.io/region": "us-east-1",
        "responseObject.status.capacity.pods": "58",
        "requestObject.status.capacity.memory": "16093700Ki",
        "responseObject.metadata.managedFields[].apiVersion": "v1",
        "responseObject.status.allocatable.hugepages-1Gi": "0",
        "responseObject.metadata.resourceVersion": "67933403",
        "responseObject.status.addresses[].address": "192.000.22.33,12.000.22.33,ip-192-001-02-03.ec2.internal,ip-192-001-02-03.ec2.internal,ec2-12.000.22.33.compute-1.amazonaws.com",
        "requestObject.status.conditions[].lastTransitionTime": "2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z",
        "requestObject.status.nodeInfo.kubeletVersion": "v1.21.2-eks-55daa9d",
        "responseObject.metadata.labels.eks.amazonaws.com/nodegroup": "ng-5fe434eb",
        "requestObject.metadata.labels.eks.amazonaws.com/nodegroup": "ng-5fe434eb",
        "requestObject.status.conditions[].reason": "KubeletHasSufficientMemory,KubeletHasNoDiskPressure,KubeletHasSufficientPID,KubeletNotReady",
        "responseObject.metadata.labels.eks.amazonaws.com/capacityType": "ON_DEMAND",
        "requestObject.status.nodeInfo.machineID": "ec2483c633b0e271f36ce14e45a361b8",
        "responseObject.status.addresses[].type": "InternalIP,ExternalIP,Hostname,InternalDNS,ExternalDNS",
        "responseObject.metadata.labels.beta.kubernetes.io/arch": "amd64",
        "responseObject.metadata.managedFields[].operation": "Update",
        "responseObject.status.allocatable.cpu": "3920m",
        "responseObject.status.conditions[].type": "MemoryPressure,DiskPressure,PIDPressure,Ready",
        "responseObject.spec.taints[].key": "node.kubernetes.io/not-ready",
        "sourceIPs[]": "12.000.22.33",
        "requestObject.status.capacity.pods": "58",
        "requestObject.status.allocatable.pods": "58"
    }
}
{
    "activity_id": 1,
    "activity_name": "Logon",
    "actor": {
        "idp": {
            "name": null
        },
        "invoked_by": null,
        "session": {
            "issuer": null
        },
        "user": {
            "account": {
                "uid": "111122223333"
            },
            "credential_uid": null,
            "name": "anaya",
            "type": "IAMUser",
            "uid": "arn:aws:iam::111122223333:user/anaya",
            "uid_alt": "AIDACKCEVSQ6C2EXAMPLE"
        }
    },
    "api": {
        "operation": "ConsoleLogin",
        "request": {
            "data": null,
            "uid": ""
        },
        "response": {
            "data": {
                "ConsoleLogin": "Success"
            },
            "error": null,
            "message": null
        },
        "service": {
            "name": "signin.amazonaws.com"
        },
        "version": null
    },
    "category_name": "Identity & Access Management Category",
    "category_uid": 3,
    "class_name": "Authentication",
    "class_uid": 3002,
    "cloud": {
        "provider": "AWS",
        "region": "us-east-1"
    },
    "dst_endpoint": {
        "svc_name": "https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true"
    },
    "http_request": {
        "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36"
    },
    "is_mfa": true,
    "metadata": {
        "event_code": "AwsConsoleSignIn",
        "log_provider": "CloudTrail",
        "product": {
            "feature": {
                "name": "Management"
            },
            "name": "CloudTrail",
            "vendor_name": "AWS",
            "version": "1.08"
        },
        "profiles": [
            "cloud",
            "datetime"
        ],
        "uid": "fed06f42-cb12-4764-8c69-example",
        "version": "1.1.0"
    },
    "observables": [
        {
            "name": "src_endpoint.ip",
            "type": "IP Address",
            "type_id": 2,
            "value": "192.0.2.0"
        }
    ],
    "session": {
        "expiration_time": null
    },
    "severity": "Informational",
    "severity_id": 1,
    "src_endpoint": {
        "ip": "192.0.2.0"
    },
    "status": "Success",
    "status_id": 1,
    "time": 1699633474000,
    "time_dt": "2023-11-10T16:24:34Z",
    "type_name": "Authentication: Logon",
    "type_uid": 300201,
    "unmapped": {
        "additionalEventData": {
            "LoginTo": "https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true",
            "MFAIdentifier": "arn:aws:iam::111122223333:u2f/user/anaya/default-AAAAAAAABBBBBBBBCCCCCCCCDD",
            "MobileVersion": "No"
        },
        "eventType": "AwsConsoleSignIn",
        "recipientAccountId": "111122223333",
        "requestParameters": null,
        "responseElements": {},
        "userIdentity": {}
    },
    "user": {
        "uid": "arn:aws:iam::111122223333:user/anaya",
        "uid_alt": "AIDACKCEVSQ6C2EXAMPLE"
    }
}
{
    "activity_id": 1,
    "activity_name": "Logon",
    "actor": {
        "process": {
            "file": {
                "name": "services.exe",
                "parent_folder": "C:\\Windows\\System32",
                "path": "C:\\Windows\\System32\\services.exe",
                "type": "Regular File",
                "type_id": 1
            },
            "pid": 848
        },
        "session": {
            "uid": "0x3E7"
        },
        "user": {
            "account_type": "Windows Account",
            "account_type_id": 2,
            "domain": "ATTACKRANGE",
            "name": "WIN-DC-725$",
            "uid": "NT AUTHORITY\\SYSTEM"
        }
    },
    "auth_protocol": "Other",
    "auth_protocol_id": 99,
    "category_name": "Audit Activity",
    "category_uid": 3,
    "class_name": "Authentication",
    "class_uid": 3002,
    "device": {
        "hostname": "win-dc-725.attackrange.local",
        "os": {
            "name": "Windows",
            "type": "Windows",
            "type_id": 100
        },
        "type": "Unknown",
        "type_id": 0
    },
    "dst_endpoint": {
        "hostname": "win-dc-725.attackrange.local"
    },
    "logon_process": {
        "name": "Advapi  ",
        "pid": -1
    },
    "logon_type": "OS Service",
    "logon_type_id": 5,
    "message": "An account was successfully logged on.",
    "metadata": {
        "original_time": "03/12/2021 10:48:14 AM",
        "product": {
            "feature": {
                "name": "Security"
            },
            "name": "Microsoft Windows",
            "vendor_name": "Microsoft"
        },
        "profiles": [
            "host"
        ],
        "uid": "ce139867-ced1-4742-9bb0-ad1926b8bbe1",
        "version": "1.0.0-rc.2"
    },
    "session": {
        "uid": "0x3E7",
        "uuid": "{00000000-0000-0000-0000-000000000000}"
    },
    "severity": "Informational",
    "severity_id": 1,
    "src_endpoint": {
        "ip": "-",
        "name": "-",
        "port": 0
    },
    "status": "Success",
    "status_id": 1,
    "time": 1615564094000,
    "type_name": "Authentication: Logon",
    "type_uid": 300201,
    "unmapped": {
        "Detailed Authentication Information": {
            "Key Length": "0",
            "Package Name (NTLM only)": "-",
            "Transited Services": "-"
        },
        "EventCode": "4624",
        "EventType": "0",
        "Impersonation Level": "Impersonation",
        "Logon Information": {
            "Elevated Token": "Yes",
            "Restricted Admin Mode": "-",
            "Virtual Account": "No"
        },
        "New Logon": {
            "Linked Logon ID": "0x0",
            "Network Account Domain": "-",
            "Network Account Name": "-"
        },
        "OpCode": "Info",
        "RecordNumber": "257879",
        "SourceName": "Microsoft Windows security auditing.",
        "TaskCategory": "Logon"
    },
    "user": {
        "account_type": "Windows Account",
        "account_type_id": 2,
        "domain": "NT AUTHORITY",
        "name": "SYSTEM",
        "uid": "NT AUTHORITY\\SYSTEM"
    }
}
{
    "activity_id": 1,
    "activity_name": "Logon",
    "actor": {
        "process": {
            "file": {
                "name": "-",
                "path": "-",
                "type": "Regular File",
                "type_id": 1
            },
            "pid": 0
        },
        "session": {
            "uid": "0x0"
        },
        "user": {
            "account_type": "Windows Account",
            "account_type_id": 2,
            "domain": "-",
            "name": "-",
            "uid": "NULL SID"
        }
    },
    "auth_protocol": "NTLM",
    "auth_protocol_id": 1,
    "category_name": "Audit Activity",
    "category_uid": 3,
    "class_name": "Authentication",
    "class_uid": 3002,
    "device": {
        "hostname": "EC2AMAZ-6KJ2BPP",
        "os": {
            "name": "Windows",
            "type": "Windows",
            "type_id": 100
        },
        "type": "Unknown",
        "type_id": 0
    },
    "dst_endpoint": {
        "hostname": "EC2AMAZ-6KJ2BPP"
    },
    "logon_process": {
        "name": "NtLmSsp ",
        "pid": -1
    },
    "logon_type": "Network",
    "logon_type_id": 3,
    "message": "An account failed to log on.",
    "metadata": {
        "original_time": "10/08/2020 12:41:47 PM",
        "product": {
            "feature": {
                "name": "Security"
            },
            "name": "Microsoft Windows",
            "vendor_name": "Microsoft"
        },
        "profiles": [
            "host"
        ],
        "uid": "a738d6e6-4ebd-49bb-805e-45d0604a1bef",
        "version": "1.0.0-rc.2"
    },
    "severity": "Informational",
    "severity_id": 1,
    "src_endpoint": {
        "ip": "-",
        "name": "EC2AMAZ-6KJ2BPP",
        "port": 0
    },
    "status": "0xC000006D",
    "status_detail": "Unknown user name or bad password.",
    "status_id": 2,
    "time": 1602175307000,
    "type_name": "Authentication: Logon",
    "type_uid": 300201,
    "unmapped": {
        "Detailed Authentication Information": {
            "Key Length": "0",
            "Package Name (NTLM only)": "-",
            "Transited Services": "-"
        },
        "EventCode": "4625",
        "EventType": "0",
        "Failure Information": {
            "Sub Status": "0xC000006A"
        },
        "OpCode": "Info",
        "RecordNumber": "223742",
        "SourceName": "Microsoft Windows security auditing.",
        "TaskCategory": "Logon"
    },
    "user": {
        "account_type": "Windows Account",
        "account_type_id": 2,
        "domain": "EC2AMAZ-6KJ2BPP",
        "name": "Administrator",
        "uid": "NULL SID"
    }
}
{
    "activity_id": 2,
    "activity_name": "Update",
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Compliance Finding",
    "class_uid": 2003,
    "cloud": {
        "account": {
            "uid": "111111111111"
        },
        "provider": "AWS",
        "region": "us-east-2"
    },
    "compliance": {
        "control": "Config.1",
        "requirements": [
            "PCI DSS 10.5.2",
            "PCI DSS 11.5"
        ],
        "standards": [
            "standards/pci-dss/v/3.2.1"
        ],
        "status": "FAILED"
    },
    "finding_info": {
        "created_time_dt": "2023-01-13T15:08:44.967-05:00",
        "desc": "This AWS control checks whether AWS Config is enabled in current account and region.",
        "first_seen_time_dt": "2023-01-13T15:08:44.967-05:00",
        "last_seen_time_dt": "2023-07-21T14:12:05.693-04:00",
        "modified_time_dt": "2023-07-21T14:11:53.060-04:00",
        "title": "PCI.Config.1 AWS Config should be enabled",
        "types": [
            "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS"
        ],
        "uid": "arn:aws:securityhub:us-east-2:111111111111:subscription/pci-dss/v/3.2.1/PCI.Config.1/finding/7d619054-6f0d-456b-aa75-23b20f74fae6"
    },
    "metadata": {
        "log_version": "2018-10-08",
        "processed_time_dt": "2023-07-21T14:12:08.489-04:00",
        "product": {
            "feature": {
                "uid": "pci-dss/v/3.2.1/PCI.Config.1"
            },
            "name": "Security Hub",
            "uid": "arn:aws:securityhub:us-east-2::product/aws/securityhub",
            "vendor_name": "AWS"
        },
        "profiles": [
            "cloud",
            "datetime"
        ],
        "version": "1.1.0"
    },
    "observables": [
        {
            "name": "resource.uid",
            "type": "Resource UID",
            "type_id": 10,
            "value": "AWS::::Account:111111111111"
        }
    ],
    "remediation": {
        "desc": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.",
        "references": [
            "https://docs.aws.amazon.com/console/securityhub/Config.1/remediation"
        ]
    },
    "resource": {
        "cloud_partition": "aws",
        "region": "us-east-2",
        "type": "AwsAccount",
        "uid": "AWS::::Account:111111111111"
    },
    "severity": "Medium",
    "severity_id": 3,
    "status": "New",
    "time": 1689963113060,
    "time_dt": "2023-07-21T14:11:53.060-04:00",
    "type_name": "Compliance Finding: Update",
    "type_uid": 200302,
    "unmapped": {
        "FindingProviderFields.Severity.Label": "MEDIUM",
        "FindingProviderFields.Severity.Original": "MEDIUM",
        "FindingProviderFields.Types[]": "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS",
        "ProductFields.ControlId": "PCI.Config.1",
        "ProductFields.RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/Config.1/remediation",
        "ProductFields.Resources:0/Id": "arn:aws:iam::111111111111:root",
        "ProductFields.StandardsArn": "arn:aws:securityhub:::standards/pci-dss/v/3.2.1",
        "ProductFields.StandardsControlArn": "arn:aws:securityhub:us-east-2:111111111111:control/pci-dss/v/3.2.1/PCI.Config.1",
        "ProductFields.StandardsSubscriptionArn": "arn:aws:securityhub:us-east-2:111111111111:subscription/pci-dss/v/3.2.1",
        "ProductFields.aws/securityhub/CompanyName": "AWS",
        "ProductFields.aws/securityhub/FindingId": "arn:aws:securityhub:us-east-2::product/aws/securityhub/arn:aws:securityhub:us-east-2:111111111111:subscription/pci-dss/v/3.2.1/PCI.Config.1/finding/7d619054-6f0d-456b-aa75-23b20f74fae6",
        "ProductFields.aws/securityhub/ProductName": "Security Hub",
        "RecordState": "ACTIVE",
        "Severity.Normalized": "40",
        "Severity.Original": "MEDIUM",
        "Severity.Product": "40",
        "WorkflowState": "NEW"
    }
}
{
    "activity_id": 1,
    "activity_name": "Create",
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "cloud": {
        "account": {
            "uid": "111111111111"
        },
        "provider": "AWS",
        "region": "us-east-2"
    },
    "evidences": [
        {
            "api": {
                "operation": "DeleteTrail",
                "service": {
                    "name": "cloudtrail.amazonaws.com"
                }
            },
            "data": "",
            "src_endpoint": {
                "ip": "52.94.133.131",
                "location": {
                    "city": "",
                    "coordinates": [
                        -100.821999,
                        37.751
                    ],
                    "country": "United States"
                }
            }
        }
    ],
    "finding_info": {
        "created_time_dt": "2023-09-19T11:05:22.487-04:00",
        "desc": "AWS CloudTrail trail arn:aws:cloudtrail:us-east-2:111111111111:trail/delete-me was disabled by Admin calling DeleteTrail under unusual circumstances. This can be attackers attempt to cover their tracks by eliminating any trace of activity performed while they accessed your account.",
        "first_seen_time_dt": "2023-09-19T10:55:09.000-04:00",
        "last_seen_time_dt": "2023-09-19T10:55:09.000-04:00",
        "modified_time_dt": "2023-09-19T11:05:22.487-04:00",
        "src_url": "https://us-east-2.console.aws.amazon.com/guardduty/home?region=us-east-2#/findings?macros=current&fId=a6c556fcbc9bea427a19f8b787099a0b",
        "title": "AWS CloudTrail trail arn:aws:cloudtrail:us-east-2:111111111111:trail/delete-me was disabled.",
        "types": [
            "TTPs/Defense Evasion/Stealth:IAMUser-CloudTrailLoggingDisabled"
        ],
        "uid": "arn:aws:guardduty:us-east-2:111111111111:detector/1ac1bfceda6679698215d5d0EXAMPLE/finding/a6c556fcbc9bea427a19f8b787099a0b"
    },
    "metadata": {
        "extensions": [
            {
                "name": "linux",
                "uid": "1",
                "version": "1.1.0"
            }
        ],
        "log_version": "2018-10-08",
        "product": {
            "feature": {
                "uid": "arn:aws:guardduty:us-east-2:111111111111:detector/1ac1bfceda6679698215d5d0EXAMPLE"
            },
            "name": "GuardDuty",
            "uid": "arn:aws:securityhub:us-east-2::product/aws/guardduty",
            "vendor_name": "Amazon"
        },
        "profiles": [
            "cloud",
            "datetime",
            "linux"
        ],
        "version": "1.1.0"
    },
    "observables": [
        {
            "name": "evidences[].src_endpoint.ip",
            "type": "IP Address",
            "type_id": 2,
            "value": "52.94.133.131"
        },
        {
            "name": "resources[].uid",
            "type": "Resource UID",
            "type_id": 10,
            "value": "AWS::IAM::AccessKey:ASIATMJPC7EXAMPLE"
        }
    ],
    "resources": [
        {
            "cloud_partition": "aws",
            "data": "{\"AwsIamAccessKey\":{\"PrincipalId\":\"AROATMJPC7YEXAMPLE:example\",\"PrincipalName\":\"Admin\",\"PrincipalType\":\"AssumedRole\"}}",
            "region": "us-east-2",
            "type": "AwsIamAccessKey",
            "uid": "AWS::IAM::AccessKey:ASIATMJPC7EXAMPLE"
        }
    ],
    "severity": "Low",
    "severity_id": 2,
    "status": "New",
    "time": 1695135922487,
    "time_dt": "2023-09-19T11:05:22.487-04:00",
    "type_name": "Detection Finding: Create",
    "type_uid": 200401,
    "unmapped": {
        "FindingProviderFields.Severity.Label": "LOW",
        "FindingProviderFields.Types[]": "TTPs/Defense Evasion/Stealth:IAMUser-CloudTrailLoggingDisabled",
        "ProductFields.aws/guardduty/service/action/actionType": "AWS_API_CALL",
        "ProductFields.aws/guardduty/service/action/awsApiCallAction/affectedResources/AWS::CloudTrail::Trail": "arn:aws:cloudtrail:us-east-2:111111111111:trail/delete-me",
        "ProductFields.aws/guardduty/service/action/awsApiCallAction/callerType": "Remote IP",
        "ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asn": "16509",
        "ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asnOrg": "AMAZON-02",
        "ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/isp": "Amazon Office",
        "ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/org": "Amazon Office",
        "ProductFields.aws/guardduty/service/additionalInfo/type": "default",
        "ProductFields.aws/guardduty/service/archived": "false",
        "ProductFields.aws/guardduty/service/count": "1",
        "ProductFields.aws/guardduty/service/detectorId": "1ac1bfceda6679698215d5d0EXAMPLE",
        "ProductFields.aws/guardduty/service/eventFirstSeen": "2023-09-19T14:55:09.000Z",
        "ProductFields.aws/guardduty/service/eventLastSeen": "2023-09-19T14:55:09.000Z",
        "ProductFields.aws/guardduty/service/resourceRole": "TARGET",
        "ProductFields.aws/guardduty/service/serviceName": "guardduty",
        "ProductFields.aws/securityhub/CompanyName": "Amazon",
        "ProductFields.aws/securityhub/FindingId": "arn:aws:securityhub:us-east-2::product/aws/guardduty/arn:aws:guardduty:us-east-2:111111111111:detector/1ac1bfceda6679698215d5d0EXAMPLE/finding/a6c556fcbc9bea427a19f8b787099a0b",
        "ProductFields.aws/securityhub/ProductName": "GuardDuty",
        "RecordState": "ACTIVE",
        "Sample": "false",
        "Severity.Normalized": "40",
        "Severity.Product": "2",
        "WorkflowState": "NEW"
    }
}
{
    "metadata": {
        "log_version": "2018-10-08",
        "product": {
            "feature": {
                "uid": "arn:aws:guardduty:eu-west-3:11111111111:detector/effff3292fef47a8b2941836e434e833",
                "name": null
            },
            "uid": "arn:aws:securityhub:eu-west-3::product/aws/guardduty",
            "name": "GuardDuty",
            "vendor_name": "Amazon",
            "version": null
        },
        "processed_time_dt": 1726062303537,
        "profiles": [
            "cloud",
            "datetime",
            "linux"
        ],
        "version": "1.1.0",
        "extensions": [
            {
                "name": "linux",
                "uid": "1",
                "version": "1.1.0"
            }
        ]
    },
    "time": 1726062281022,
    "time_dt": 1726062281022,
    "confidence_score": null,
    "message": null,
    "cloud": {
        "account": {
            "uid": "11111111111"
        },
        "region": "eu-west-3",
        "provider": "AWS"
    },
    "resource": null,
    "finding_info": {
        "created_time_dt": 1681218428211,
        "uid": "arn:aws:guardduty:eu-west-3:11111111111:detector/effff3292fef47a8b2941836e434e833/finding/9711517f14c54eb79ad3e3b0cee89e3c",
        "desc": "The API DescribeStackEvents was invoked using root credentials from IP address 62.129.18.152.",
        "title": "The API DescribeStackEvents was invoked using root credentials.",
        "modified_time_dt": 1726062281022,
        "first_seen_time_dt": 1681218080000,
        "last_seen_time_dt": 1726061921000,
        "related_events": null,
        "types": [
            "TTPs/Policy:IAMUser-RootCredentialUsage"
        ],
        "src_url": "https://eu-west-3.console.aws.amazon.com/guardduty/home?region=eu-west-3#/findings?macros=current&fId=9711517f14c54eb79ad3e3b0cee89e3c"
    },
    "remediation": null,
    "compliance": null,
    "vulnerabilities": null,
    "resources": [
        {
            "type": "AwsIamAccessKey",
            "uid": "AWS::IAM::AccessKey:********************",
            "cloud_partition": "aws",
            "region": "eu-west-3",
            "labels": null,
            "data": "{\"AwsIamAccessKey\":{\"PrincipalId\":\"11111111111\",\"PrincipalName\":\"Root\",\"PrincipalType\":\"Root\"}}",
            "criticality": null,
            "owner": null
        }
    ],
    "evidences": [
        {
            "data": "",
            "actor": null,
            "process": null,
            "api": {
                "operation": "DescribeStackEvents",
                "response": null,
                "service": {
                    "name": "cloudformation.amazonaws.com"
                }
            },
            "src_endpoint": {
                "ip": "1.2.3.4",
                "location": {
                    "country": "France",
                    "city": "Rennes",
                    "coordinates": [
                        -1.6744,
                        48.110001
                    ]
                },
                "port": null
            },
            "connection_info": null,
            "dst_endpoint": null,
            "query": null
        }
    ],
    "class_name": "Detection Finding",
    "class_uid": 2004,
    "category_name": "Findings",
    "category_uid": 2,
    "severity_id": 2,
    "severity": "Low",
    "activity_name": "Update",
    "activity_id": 2,
    "type_uid": 200402,
    "type_name": "Detection Finding: Update",
    "status": "New",
    "accountid": null,
    "region": null,
    "asl_version": null,
    "observables": [
        {
            "name": "resources[].uid",
            "value": "AWS::IAM::AccessKey:********************",
            "type": "Resource UID",
            "type_id": 10
        },
        {
            "name": "evidences[].src_endpoint.ip",
            "value": "1.2.3.4",
            "type": "IP Address",
            "type_id": 2
        }
    ]
}
{
    "action": "Allowed",
    "action_id": 1,
    "activity_id": 6,
    "activity_name": "Traffic",
    "answers": [
        {
            "class": "IN",
            "rdata": "127.0.0.62",
            "type": "A"
        }
    ],
    "category_name": "Network Activity",
    "category_uid": 4,
    "class_name": "DNS Activity",
    "class_uid": 4003,
    "cloud": {
        "account": {
            "uid": "123456789012"
        },
        "provider": "AWS",
        "region": "us-east-1"
    },
    "connection_info": {
        "direction": "Unknown",
        "direction_id": 0,
        "protocol_name": "UDP"
    },
    "disposition": "Alert",
    "dst_endpoint": {
        "instance_uid": "rslvr-in-0000000000000000",
        "interface_uid": "rni-0000000000000000"
    },
    "firewall_rule": {
        "uid": "rslvr-frg-000000000000000"
    },
    "metadata": {
        "product": {
            "feature": {
                "name": "Resolver Query Logs"
            },
            "name": "Route 53",
            "vendor_name": "AWS",
            "version": "1.100000"
        },
        "profiles": [
            "cloud",
            "security_control",
            "datetime"
        ],
        "version": "1.1.0"
    },
    "observables": [
        {
            "name": "answers[].rdata",
            "type": "IP Address",
            "type_id": 2,
            "value": "127.0.0.62"
        },
        {
            "name": "dst_endpoint.instance_uid",
            "type": "Resource UID",
            "type_id": 10,
            "value": "rslvr-in-0000000000000000"
        },
        {
            "name": "src_endpoint.ip",
            "type": "IP Address",
            "type_id": 2,
            "value": "10.200.21.100"
        },
        {
            "name": "query.hostname",
            "type": "Hostname",
            "type_id": 1,
            "value": "ip-127-0-0-62.alert.firewall.canary."
        }
    ],
    "query": {
        "class": "IN",
        "hostname": "ip-127-0-0-62.alert.firewall.canary.",
        "type": "A"
    },
    "rcode": "NoError",
    "rcode_id": 0,
    "severity": "Informational",
    "severity_id": 1,
    "src_endpoint": {
        "ip": "10.200.21.100",
        "port": 15083,
        "vpc_uid": "vpc-00000000000000000"
    },
    "time": 1665694956000,
    "time_dt": "2022-10-13T17:02:36.000-04:00",
    "type_name": "DNS Activity: Traffic",
    "type_uid": 400306,
    "unmapped": {
        "firewall_domain_list_id": "rslvr-fdl-0000000000000"
    }
}
{
    "metadata": {
        "product": {
            "version": "1.100000",
            "name": "Route 53",
            "feature": {
                "name": "Resolver Query Logs"
            },
            "vendor_name": "AWS"
        },
        "profiles": [
            "cloud",
            "security_control",
            "datetime"
        ],
        "version": "1.1.0"
    },
    "cloud": {
        "account": {
            "uid": "111111111111"
        },
        "region": "eu-west-3",
        "provider": "AWS"
    },
    "src_endpoint": {
        "vpc_uid": "vpc-11111111",
        "ip": "1.2.3.4",
        "port": 63115,
        "instance_uid": "i-11111111111111111"
    },
    "time": 1726088328000,
    "time_dt": 1726088328000,
    "query": {
        "hostname": "_ldap._tcp.dc.example.org.",
        "type": "SRV",
        "class": "IN"
    },
    "answers": null,
    "connection_info": {
        "protocol_name": "UDP",
        "direction": "Unknown",
        "direction_id": 0
    },
    "dst_endpoint": null,
    "firewall_rule": null,
    "severity_id": 1,
    "severity": "Informational",
    "class_name": "DNS Activity",
    "class_uid": 4003,
    "category_name": "Network Activity",
    "category_uid": 4,
    "activity_id": 6,
    "activity_name": "Traffic",
    "type_uid": 400306,
    "type_name": "DNS Activity: Traffic",
    "rcode_id": 3,
    "rcode": "NXDomain",
    "disposition": "Unknown",
    "action": "Unknown",
    "action_id": 0,
    "unmapped": null,
    "accountid": null,
    "region": null,
    "asl_version": null,
    "observables": [
        {
            "name": "src_endpoint.instance_uid",
            "value": "i-11111111111111111",
            "type": "Resource UID",
            "type_id": 10
        },
        {
            "name": "query.hostname",
            "value": "_ldap._tcp.dc.example.org.",
            "type": "Hostname",
            "type_id": 1
        },
        {
            "name": "src_endpoint.ip",
            "value": "1.2.3.4",
            "type": "IP Address",
            "type_id": 2
        }
    ]
}
{
    "metadata": {
        "product": {
            "version": "1.100000",
            "name": "Route 53",
            "feature": {
                "name": "Resolver Query Logs"
            },
            "vendor_name": "AWS"
        },
        "profiles": [
            "cloud",
            "security_control",
            "datetime"
        ],
        "version": "1.1.0"
    },
    "cloud": {
        "account": {
            "uid": "111111111111"
        },
        "region": "eu-west-3",
        "provider": "AWS"
    },
    "src_endpoint": {
        "vpc_uid": "vpc-11111111",
        "ip": "1.2.3.4",
        "port": 62699,
        "instance_uid": "i-11111111111111111"
    },
    "time": 1726395887000,
    "time_dt": 1726395887000,
    "query": {
        "hostname": "settings-win.data.microsoft.com.",
        "type": "A",
        "class": "IN"
    },
    "answers": [
        {
            "type": "CNAME",
            "rdata": "atm-settingsfe-prod-geo2.trafficmanager.net.",
            "class": "IN"
        },
        {
            "type": "CNAME",
            "rdata": "settings-prod-weu-2.westeurope.cloudapp.azure.com.",
            "class": "IN"
        },
        {
            "type": "A",
            "rdata": "5.6.7.8",
            "class": "IN"
        }
    ],
    "connection_info": {
        "protocol_name": "UDP",
        "direction": "Unknown",
        "direction_id": 0
    },
    "dst_endpoint": null,
    "firewall_rule": null,
    "severity_id": 1,
    "severity": "Informational",
    "class_name": "DNS Activity",
    "class_uid": 4003,
    "category_name": "Network Activity",
    "category_uid": 4,
    "activity_id": 6,
    "activity_name": "Traffic",
    "type_uid": 400306,
    "type_name": "DNS Activity: Traffic",
    "rcode_id": 0,
    "rcode": "NoError",
    "disposition": "Unknown",
    "action": "Unknown",
    "action_id": 0,
    "unmapped": null,
    "accountid": null,
    "region": null,
    "asl_version": null,
    "observables": [
        {
            "name": "answers[].rdata",
            "value": "settings-prod-weu-2.westeurope.cloudapp.azure.com.",
            "type": "IP Address",
            "type_id": 2
        },
        {
            "name": "src_endpoint.instance_uid",
            "value": "i-11111111111111111",
            "type": "Resource UID",
            "type_id": 10
        },
        {
            "name": "answers[].rdata",
            "value": "5.6.7.8",
            "type": "IP Address",
            "type_id": 2
        },
        {
            "name": "src_endpoint.ip",
            "value": "1.2.3.4",
            "type": "IP Address",
            "type_id": 2
        },
        {
            "name": "answers[].rdata",
            "value": "atm-settingsfe-prod-geo2.trafficmanager.net.",
            "type": "IP Address",
            "type_id": 2
        },
        {
            "name": "query.hostname",
            "value": "settings-win.data.microsoft.com.",
            "type": "Hostname",
            "type_id": 1
        }
    ]
}
{
    "activity_id": 3,
    "activity_name": "Get",
    "category_name": "Network Activitys",
    "category_uid": 4,
    "class_name": "HTTP Activity",
    "class_uid": 4002,
    "cloud": {
        "provider": "AWS"
    },
    "dst_endpoint": {
        "domain": "/CanaryTest"
    },
    "firewall_rule": {
        "type": "RATE_BASED",
        "uid": "RateBasedRule"
    },
    "http_request": {
        "args": "",
        "http_method": "GET",
        "uid": "Ed0AiHF_CGYF-DA=",
        "url": {
            "path": "/CanaryTest"
        },
        "version": "HTTP/1.1"
    },
    "http_response": {
        "code": 403
    },
    "metadata": {
        "labels": null,
        "product": {
            "feature": {
                "uid": "..."
            },
            "name": "AWS WAF",
            "vendor_name": "AWS",
            "version": "1"
        },
        "version": "1.1.0-dev"
    },
    "severity_id": 1,
    "src_endpoint": {
        "ip": "52.46.82.45",
        "location": {
            "country": "FR"
        },
        "svc_name": "APIGW",
        "uid": "EXAMPLE11:rjvegx5guh:CanaryTest"
    },
    "time": 0,
    "type_name": "HTTP Activity: Get",
    "type_uid": 400203,
    "unmapped": [
        [
            "rateBasedRuleList[].rateBasedRuleId",
            "..."
        ],
        [
            "rateBasedRuleList[].customValues[].value",
            "ella"
        ],
        [
            "rateBasedRuleList[].customValues[].name",
            "dogname"
        ],
        [
            "rateBasedRuleList[].limitKey",
            "CUSTOMKEYS"
        ],
        [
            "rateBasedRuleList[].customValues[].key",
            "HEADER"
        ],
        [
            "httpRequest.headers[].value",
            "52.46.82.45,https,443,rjvegx5guh.execute-api.eu-west-3.amazonaws.com,Root=1-645566cf-7cb058b04d9bb3ee01dc4036,ella,RateBasedRuleTestKoipOneKeyModulePV2,gzip,deflate"
        ],
        [
            "rateBasedRuleList[].rateBasedRuleName",
            "RateBasedRule"
        ],
        [
            "rateBasedRuleList[].maxRateAllowed",
            "100"
        ],
        [
            "httpRequest.headers[].name",
            "X-Forwarded-For,X-Forwarded-Proto,X-Forwarded-Port,Host,X-Amzn-Trace-Id,dogname,User-Agent,Accept-Encoding"
        ]
    ]
}
{
    "cloud": {
        "account_uid": "987654321098",
        "region": "us-west-2",
        "zone": "use2-az2",
        "provider": "AWS"
    },
    "action": "Allowed",
    "action_id": 1,
    "status_code": "OK",
    "traffic": {
        "bytes": 85,
        "packets": 10
    },
    "src_endpoint": {
        "ip": "192.168.1.10",
        "port": 8080,
        "svc_name": "amazon-s3",
        "subnet_uid": "subnet-33333333333333333",
        "vpc_uid": "vpc-44444444444444444"
    },
    "dst_endpoint": {
        "ip": "192.168.1.20",
        "port": 443,
        "svc_name": "amazon-ec2",
        "interface_uid": "eni-22222222222222222",
        "instance_uid": "i-111111111111111111"
    },
    "connection_info": {
        "protocol_num": 17,
        "protocol_ver": "IPv6",
        "tcp_flags": 6,
        "direction": "egress",
        "direction_id": 2,
        "boundary_id": 99,
        "boundary": "vpn",
        "start_time": 1653200123,
        "end_time": 1653200100
    },
    "time": 1653200100,
    "type_name": "Network Activity: Traffic",
    "type_uid": 400105,
    "activity_id": 5,
    "activity_name": "Traffic",
    "class_uid": 4001,
    "class_name": "Network Activity",
    "category_uid": 4,
    "category_name": "Network Activity",
    "metadata": {
        "product": {
            "name": "Amazon VPC",
            "feature": {
                "name": "Flowlogs"
            },
            "vendor_name": "AWS"
        },
        "profiles": [
            "cloud",
            "security_control"
        ],
        "version": "1.1.0"
    },
    "severity_id": 1,
    "severity": "Informational",
    "status_id": 1,
    "status": "Success",
    "disposition": "Allowed",
    "pkt_src_aws_service": "amazon-s3",
    "pkt_dst_aws_service": "amazon-ec2",
    "sublocation_type": "subnet",
    "sublocation_id": "subnet-33333333333333333"
}
{
    "action": "Denied",
    "action_id": 2,
    "activity_id": 5,
    "activity_name": "Refuse",
    "category_name": "Network Activity",
    "category_uid": 4,
    "class_name": "Network Activity",
    "class_uid": 4001,
    "cloud": {
        "account": {
            "uid": "123456789012"
        },
        "provider": "AWS",
        "region": "us-east-1",
        "zone": "use1-az1"
    },
    "connection_info": {
        "boundary": "-",
        "boundary_id": 99,
        "direction": "Inbound",
        "direction_id": 1,
        "protocol_num": 6,
        "protocol_ver": "IPv4",
        "tcp_flags": 2
    },
    "disposition": "Blocked",
    "dst_endpoint": {
        "instance_uid": "i-000000000000000000",
        "interface_uid": "eni-000000000000000000",
        "ip": "172.31.2.52",
        "port": 39938,
        "subnet_uid": "subnet-000000000000000000",
        "svc_name": "-",
        "vpc_uid": "vpc-00000000"
    },
    "end_time_dt": "2022-04-11T20:03:08.000-04:00",
    "metadata": {
        "product": {
            "feature": {
                "name": "Flowlogs"
            },
            "name": "Amazon VPC",
            "vendor_name": "AWS",
            "version": "5"
        },
        "profiles": [
            "cloud",
            "security_control",
            "datetime"
        ],
        "version": "1.1.0"
    },
    "observables": [
        {
            "name": "dst_endpoint.ip",
            "type": "IP Address",
            "type_id": 2,
            "value": "172.31.2.52"
        },
        {
            "name": "dst_endpoint.instance_uid",
            "type": "Resource UID",
            "type_id": 10,
            "value": "i-000000000000000000"
        },
        {
            "name": "src_endpoint.ip",
            "type": "IP Address",
            "type_id": 2,
            "value": "1.2.3.4"
        }
    ],
    "severity": "Informational",
    "severity_id": 1,
    "src_endpoint": {
        "ip": "1.2.3.4",
        "port": 56858,
        "svc_name": "-"
    },
    "start_time_dt": "2022-04-11T20:02:12.000-04:00",
    "status_code": "OK",
    "time": 1649721732000,
    "time_dt": "2022-04-11T20:02:12.000-04:00",
    "traffic": {
        "bytes": 40,
        "packets": 1
    },
    "type_name": "Network Activity: Refuse",
    "type_uid": 400105,
    "unmapped": {
        "sublocation_id": "-",
        "sublocation_type": "-"
    }
}
{
    "activity_name": "Traffic",
    "activity_id": 6,
    "category_name": "Network Activity",
    "category_uid": 4,
    "class_name": "Network Activity",
    "class_uid": 4001,
    "type_uid": 400106,
    "type_name": "Network Activity: Traffic",
    "severity_id": 1,
    "severity": "Informational",
    "start_time": "2015/06/17T00:00:00.083",
    "end_time": "2015/06/17T00:00:00.089",
    "duration": 0.006,
    "metadata": {
        "product": {
            "version": "3.9.0",
            "name": "SiLK",
            "feature": {
                "name": " Network Flow Data"
            },
            "vendor_name": "CERT/NetSA at Carnegie Mellon University - Software Engineering Institute"
        },
        "version": "1.0.0-rc.3"
    },
    "src_endpoint": {
        "port": 63975,
        "ip": "192.168.40.20"
    },
    "dst_endpoint": {
        "port": 443,
        "ip": "10.0.40.21"
    },
    "connection_info": {
        "protocol_num": 6,
        "tcp_flags": 19,
        "boundary_id": 99,
        "boundary": "Other",
        "direction_id": 2,
        "direction": "Outbound"
    },
    "traffic": {
        "packets": 8,
        "bytes": 344
    },
    "unmapped": {
        "sensor": "S1",
        "in": 0,
        "out": 0,
        "nhIP": "0.0.0.0",
        "initialFlags": "",
        "sessionFlags": "",
        "attributes": "",
        "application": 0,
        "class": "all",
        "type": "outweb",
        "iType": "",
        "iCode": ""
    }
}
{
    "time": 1591367999.305988,
    "uuid": "CMdzit1AMNsmfAIiQc",
    "src_endpoint": {
        "ip": "192.168.4.76",
        "port": 36844
    },
    "dst_endpoint": {
        "ip": "192.168.4.1",
        "port": 53
    },
    "connection_info": {
        "protocol_name": "udp"
    },
    "bytes_in": 62,
    "packets_in": 2,
    "orig_bytes": {
        "ip": 118
    },
    "bytes_out": 141,
    "packets_out": 2,
    "resp_bytes": {
        "ip": 197
    },
    "duration": 0.06685185432434082,
    "unmapped": {
        "conn_state": "SF"
    },
    "category_uid": 4,
    "category_name": "Network Activity",
    "class_uid": 4001,
    "class_name": "Network Activity",
    "metadata": {
        "profiles": [
            "security_control"
        ],
        "product": {
            "name": "Zeek",
            "feature": {
                "name": "conn.log"
            },
            "vendor_name": "Zeek"
        }
    },
    "severity": "Informational",
    "severity_id": 1,
    "proposed_new_attributes": {
        "application_protocol": "dns",
        "bytes_missed": 0,
        "connection_history": "Dd"
    }
}
{
    "time": 1598377391.921726,
    "uuid": "CsukF91Bx9mrqdEaH9",
    "src_endpoint": {
        "ip": "192.168.4.49",
        "port": 56718
    },
    "dst_endpoint": {
        "ip": "13.32.202.10",
        "port": 443
    },
    "version": "TLSv12",
    "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "certificate": "secp256r1",
    "domain": "www.taosecurity.com",
    "certificate_chain": [
        "F2XEvj1CahhdhtfvT4",
        "FZ7ygD3ERPfEVVohG9",
        "F7vklpOKI4yX9wmvh",
        "FAnbnR32nIIr2j9XV"
    ],
    "subject": "CN=www.taosecurity.com",
    "issuer": "CN=Amazon,OU=Server CA 1B,O=Amazon,C=US",
    "unmapped": {
        "next_protocol": "h2",
        "resumed": false
    },
    "network_activity": {
        "status_id": "1"
    },
    "category_uid": 4,
    "category_name": "Network Activity",
    "class_uid": 4001,
    "class_name": "Network Activity",
    "metadata": {
        "profiles": [
            "security_control"
        ],
        "product": {
            "name": "Zeek",
            "feature": {
                "name": "ssl.log"
            },
            "vendor_name": "Zeek"
        }
    },
    "severity": "Informational",
    "severity_id": 1
}
{
    "activity_id": 1,
    "activity_name": "Launch",
    "actor": {
        "process": {
            "file": {
                "name": "cmd.exe",
                "parent_folder": "C:\\Windows\\System32",
                "path": "C:\\Windows\\System32\\cmd.exe",
                "type": "Regular File",
                "type_id": 1
            },
            "pid": 3948
        },
        "session": {
            "uid": "0x55E621"
        },
        "user": {
            "account_type": "Windows Account",
            "account_type_id": 2,
            "domain": "ATTACKRANGE",
            "name": "Administrator",
            "uid": "ATTACKRANGE\\Administrator"
        }
    },
    "category_name": "System Activity",
    "category_uid": 1,
    "class_name": "Process Activity",
    "class_uid": 1007,
    "device": {
        "hostname": "win-dc-725.attackrange.local",
        "os": {
            "name": "Windows",
            "type": "Windows",
            "type_id": 100
        },
        "type": "Unknown",
        "type_id": 0
    },
    "message": "A new process has been created.",
    "metadata": {
        "original_time": "03/12/2021 10:48:14 AM",
        "product": {
            "feature": {
                "name": "Security"
            },
            "name": "Microsoft Windows",
            "vendor_name": "Microsoft"
        },
        "profiles": [
            "host"
        ],
        "uid": "a47bd2fb-4da1-4378-8961-81f81f90aec2",
        "version": "1.0.0-rc.2"
    },
    "process": {
        "cmd_line": "reg  save HKLM\\system C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\system ",
        "file": {
            "name": "reg.exe",
            "parent_folder": "C:\\Windows\\System32",
            "path": "C:\\Windows\\System32\\reg.exe",
            "type": "Regular File",
            "type_id": 1
        },
        "pid": 4696,
        "session": {
            "uid": "0x0"
        },
        "user": {
            "domain": "-",
            "name": "-",
            "uid": "NULL SID"
        }
    },
    "severity": "Informational",
    "severity_id": 1,
    "status": "Success",
    "status_id": 1,
    "time": 1615564094000,
    "type_name": "Process Activity: Launch",
    "type_uid": 100701,
    "unmapped": {
        "EventCode": "4688",
        "EventType": "0",
        "OpCode": "Info",
        "Process Information": {
            "Mandatory Label": "Mandatory Label\\High Mandatory Level",
            "Token Elevation Type": "%%1936"
        },
        "RecordNumber": "257874",
        "SourceName": "Microsoft Windows security auditing.",
        "TaskCategory": "Process Creation"
    }
}
{
    "activity_id": 2,
    "activity_name": "Terminate",
    "actor": {
        "process": {
            "file": {
                "name": "auditon.exe",
                "parent_folder": "C:\\Generate_Security_Events1",
                "path": "C:\\Generate_Security_Events1\\auditon.exe",
                "type": "Regular File",
                "type_id": 1
            },
            "pid": 1524
        },
        "session": {
            "uid": "0x1806d9"
        },
        "user": {
            "account_type": "Windows Account",
            "account_type_id": 2,
            "domain": "LOGISTICS",
            "name": "Administrator",
            "uid": "S-1-5-21-1135140816-2109348461-2107143693-500"
        }
    },
    "category_name": "System Activity",
    "category_uid": 1,
    "class_name": "Process Activity",
    "class_uid": 1007,
    "device": {
        "hostname": "dcc1.Logistics.local",
        "os": {
            "name": "Windows",
            "type": "Windows",
            "type_id": 100
        },
        "type": "Unknown",
        "type_id": 0
    },
    "exit_code": 0,
    "message": "A process has exited.",
    "metadata": {
        "original_time": "09/05/2019 11:22:49 AM",
        "product": {
            "feature": {
                "name": "Security"
            },
            "name": "Microsoft Windows",
            "vendor_name": "Microsoft"
        },
        "profiles": [
            "host"
        ],
        "uid": "cc27b41c-94e0-48a9-8cc2-5a1598fb8d1f",
        "version": "1.0.0-rc.2"
    },
    "process": {
        "file": {
            "name": "auditon.exe",
            "parent_folder": "C:\\Generate_Security_Events1",
            "path": "C:\\Generate_Security_Events1\\auditon.exe",
            "type": "Regular File",
            "type_id": 1
        },
        "pid": 1524
    },
    "severity": "Informational",
    "severity_id": 1,
    "status": "Success",
    "status_id": 1,
    "time": 1567696969000,
    "type_name": "Process Activity: Terminate",
    "type_uid": 100702,
    "unmapped": {
        "EventCode": "4689",
        "EventType": "0",
        "OpCode": "Info",
        "RecordNumber": "6828379",
        "SourceName": "Microsoft Windows security auditing.",
        "TaskCategory": "Process Termination"
    }
}
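The two Windows samples above show how a Security event 4688/4689 lands in OCSF: class_uid 1007 (Process Activity) with activity_id 1 (Launch) or 2 (Terminate), a type_uid of 100701 or 100702 that is simply class_uid * 100 + activity_id, the spawning process under actor.process and the spawned one under process. The Launch sample also carries a command line worth alerting on: `reg save HKLM\system ...` exports the SYSTEM hive, which together with SAM or SECURITY is what an attacker needs for offline credential extraction (MITRE ATT&CK T1003). The script below is an added example, not code from this page, from Sekoia.io or from the OCSF project. It splits a stream of back-to-back JSON objects the way the samples are laid out here (no enclosing array), checks the two OCSF numbering invariants (class_uid = category_uid * 1000 + n, type_uid = class_uid * 100 + activity_id), and flags hive exports on Launch events. The sample stream is constructed for the example and modelled on the page's 4688/4689 events; its third event carries a deliberately wrong type_uid so the invariant check has something to report.

```python
"""Parse back-to-back OCSF JSON objects, check the schema's numbering invariants,
and flag registry-hive exports in Process Activity events.

Added example, not from the page or the OCSF project."""
from __future__ import annotations

import json
import re
from typing import Iterator

# Constructed sample stream (not copied from the page): three Process Activity events
# modelled on the Windows 4688/4689 samples, laid out back-to-back without an enclosing
# array. The third event carries a deliberately wrong type_uid.
SAMPLE_STREAM = r'''
{"activity_id": 1, "category_uid": 1, "class_uid": 1007, "type_uid": 100701,
 "time": 1615564094000, "device": {"hostname": "win-dc-725.attackrange.local"},
 "actor": {"process": {"file": {"path": "C:\\Windows\\System32\\cmd.exe"}, "pid": 3948},
           "user": {"name": "Administrator", "domain": "ATTACKRANGE"}},
 "process": {"cmd_line": "reg  save HKLM\\system C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\system ",
             "file": {"name": "reg.exe", "path": "C:\\Windows\\System32\\reg.exe"}, "pid": 4696}}
{"activity_id": 2, "category_uid": 1, "class_uid": 1007, "type_uid": 100702,
 "time": 1567696969000, "device": {"hostname": "dcc1.Logistics.local"},
 "process": {"file": {"name": "auditon.exe"}, "pid": 1524}}
{"activity_id": 1, "category_uid": 1, "class_uid": 1007, "type_uid": 100799,
 "time": 1615564095000, "device": {"hostname": "win-dc-725.attackrange.local"},
 "process": {"cmd_line": "reg query HKLM\\SOFTWARE", "file": {"name": "reg.exe"}, "pid": 4700}}
'''

# reg.exe exporting the SAM, SYSTEM or SECURITY hive (offline credential extraction,
# MITRE ATT&CK T1003). Tolerates repeated spaces, the .exe suffix, quoting and the long hive name.
HIVE_DUMP = re.compile(
    r'\breg(?:\.exe)?\s+save\s+"?(?:HKLM|HKEY_LOCAL_MACHINE)\\(?:sam|system|security)\b',
    re.IGNORECASE,
)


def iter_json_objects(text: str) -> Iterator[dict]:
    """Yield each top-level object from text holding JSON objects back-to-back."""
    decoder = json.JSONDecoder()
    pos, end = 0, len(text)
    while True:
        while pos < end and text[pos].isspace():
            pos += 1
        if pos >= end:
            return
        obj, pos = decoder.raw_decode(text, pos)
        yield obj


def schema_problems(event: dict) -> list[str]:
    """OCSF numbering: class_uid = category_uid*1000 + n, type_uid = class_uid*100 + activity_id."""
    missing = [k for k in ("category_uid", "class_uid", "activity_id") if k not in event]
    if missing:
        return [f"missing {k}" for k in missing]
    problems = []
    if event["class_uid"] // 1000 != event["category_uid"]:
        problems.append(f"class_uid {event['class_uid']} is not in category {event['category_uid']}")
    expected = event["class_uid"] * 100 + event["activity_id"]
    if "type_uid" in event and event["type_uid"] != expected:
        problems.append(f"type_uid {event['type_uid']} should be {expected}")
    return problems


def is_hive_dump(event: dict) -> bool:
    """True for a Process Activity: Launch event whose command line exports a credential hive."""
    if event.get("class_uid") != 1007 or event.get("activity_id") != 1:
        return False
    cmd_line = (event.get("process") or {}).get("cmd_line") or ""
    return HIVE_DUMP.search(cmd_line) is not None


def analyze(text: str) -> dict:
    """Run both checks over a stream and return a report dict."""
    report = {"events": 0, "schema_problems": [], "hive_dump_alerts": []}
    for event in iter_json_objects(text):
        report["events"] += 1
        problems = schema_problems(event)
        if problems:
            report["schema_problems"].append({"type_uid": event.get("type_uid"), "problems": problems})
        if is_hive_dump(event):
            actor_user = ((event.get("actor") or {}).get("user") or {}).get("name")
            report["hive_dump_alerts"].append({
                "host": (event.get("device") or {}).get("hostname"),
                "user": actor_user,
                "pid": event["process"].get("pid"),
                "cmd_line": event["process"]["cmd_line"].strip(),
            })
    return report


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_STREAM), indent=2))
```

The detection keys on activity_id 1 because the Terminate sample (activity_id 2) carries no cmd_line at all; the user comes from actor.user, since in the Launch sample process.user is the NULL SID placeholder rather than the account that ran the command.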
{
    "activity_id": 1,
    "activity_name": "Generate",
    "category_name": "Findings",
    "category_uid": 2,
    "classname": "Security Finding",
    "class_uid": 2001,
    "finding": {
        "created_time": 1672758699558,
        "desc": "Linux Kernel Module injection using insmod detected (user=%user.name user_loginuid=%user.loginuid parent_process=%proc.pname module=%proc.args %container.info image=%container.image.repository:%container.image.tag)",
        "title": "Linux Kernel Module Injection Detected",
        "types": [
            "syscalls"
        ],
        "uid": "ec834826-90c1-458a-8eec-a014e7266754"
    },
    "message": "Linux Kernel Module Injection Detected",
    "metadata": {
        "version": "0.1.0",
        "product": {
            "vendor_name": "Falcosecurity",
            "name": "Falco"
        },
        "labels": [
            "process"
        ]
    },
    "observables": [
        {
            "name": "hostname",
            "type": "Other",
            "type_id": 0,
            "value": "host0.local"
        },
        {
            "name": "proc.pname",
            "type": "Other",
            "type_id": 0,
            "value": "proc.pname"
        },
        {
            "name": "container.info",
            "type": "Other",
            "type_id": 0,
            "value": "container.info"
        },
        {
            "name": "proc.args",
            "type": "Other",
            "type_id": 0,
            "value": "proc.args"
        },
        {
            "name": "user.loginuid",
            "type": "Other",
            "type_id": 0,
            "value": "user.loginuid"
        },
        {
            "name": "user.name",
            "type": "Other",
            "type_id": 0,
            "value": "user.name"
        },
        {
            "name": "container.image.repository",
            "type": "Other",
            "type_id": 0,
            "value": "container.image.repository"
        },
        {
            "name": "container.image.tag",
            "type": "Other",
            "type_id": 0,
            "value": "container.image.tag"
        }
    ],
    "raw_data": "{\"uuid\":\"ec834826-90c1-458a-8eec-a014e7266754\",\"output\":\"Linux Kernel Module injection using insmod detected (user=%user.name user_loginuid=%user.loginuid parent_process=%proc.pname module=%proc.args %container.info image=%container.image.repository:%container.image.tag)\",\"priority\":\"Warning\",\"rule\":\"Linux Kernel Module Injection Detected\",\"time\":\"2023-01-03T15:11:39.558068644Z\",\"output_fields\":{\"akey\":\"AValue\",\"bkey\":\"BValue\",\"ckey\":\"CValue\",\"container.image.repository\":\"container.image.repository\",\"container.image.tag\":\"container.image.tag\",\"container.info\":\"container.info\",\"dkey\":\"bar\",\"proc.args\":\"proc.args\",\"proc.pname\":\"proc.pname\",\"user.loginuid\":\"user.loginuid\",\"user.name\":\"user.name\"},\"source\":\"syscalls\",\"tags\":[\"process\"],\"hostname\":\"host0.local\"}",
    "severity": "Medium",
    "severity_id": 3,
    "state": "New",
    "state_id": 1,
    "status": "Warning",
    "time": 1672758699558,
    "type_name": "Security Finding: Generate",
    "type_uid": 200101
}
{
    "analytic": {
        "desc": "Custom Rule Engine",
        "name": "CRE",
        "relatedAnalytics": [
            {
                "category": "CRE_RULE",
                "name": "Network DoS Attack Detected",
                "type": "Rule",
                "typeId": 1,
                "uid": "100079"
            }
        ],
        "type": "Rule",
        "typeId": 1
    },
    "finding": {
        "uid": "591",
        "title": "BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt\n",
        "created_time": 1682347463218,
        "desc": "BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt\n",
        "first_seen_time": 1682347463000,
        "last_seen_time": 1682781010000
    },
    "confidence_score": 2,
    "confidence": "Low",
    "confidence_id": 2,
    "data_sources": [
        "Snort @ wolverine"
    ],
    "impact_score": 0,
    "impact": "Low",
    "impact_id": 1,
    "malware": [
        {
            "classification_ids": [
                5
            ],
            "classifications": [
                "DDOS"
            ],
            "name": "ICMP DoS"
        }
    ],
    "risk_level": "High",
    "risk_level_id": 3,
    "risk_score": 3,
    "state": "In Progress",
    "state_id": 2,
    "activity_id": 1,
    "category_uid": 2,
    "class_uid": 2001,
    "time": 1682347463218,
    "message": "BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt\n",
    "metadata": {
        "log_name": "Offense",
        "log_provider": "IBM QRadar",
        "original_time": 1682347463218,
        "product": {
            "lang": "en",
            "name": "QRadar SIEM",
            "version": "7.5.0",
            "vendor_name": "IBM"
        },
        "version": "7.5.0",
        "modified_time": 1682347469220
    },
    "activity_name": "Create",
    "category_name": "Findings",
    "class_name": "Security Finding",
    "count": 2,
    "end_time": 1682781010000,
    "enrichments": [
        {
            "name": "Magnitude",
            "provider": "Event Processor",
            "type": "score",
            "value": "3"
        },
        {
            "name": "offense_type",
            "provider": "Event Processor",
            "type": "correlation",
            "value": "2"
        },
        {
            "name": "offense_source",
            "provider": "Event Processor",
            "type": "correlation",
            "value": "BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt"
        },
        {
            "name": "category_count",
            "provider": "Event Processor",
            "type": "counter",
            "value": "1"
        },
        {
            "name": "device_count",
            "provider": "Event Processor",
            "type": "counter",
            "value": "1"
        },
        {
            "name": "event_count",
            "provider": "Event Processor",
            "type": "counter",
            "value": "2"
        },
        {
            "name": "flow_count",
            "provider": "Event Processor",
            "type": "counter",
            "value": "0"
        },
        {
            "name": "policy_category_count",
            "provider": "Event Processor",
            "type": "counter",
            "value": "0"
        },
        {
            "name": "remote_destination_count",
            "provider": "Event Processor",
            "type": "counter",
            "value": "0"
        },
        {
            "name": "local_destination_count",
            "provider": "Event Processor",
            "type": "counter",
            "value": "2"
        },
        {
            "name": "security_category_count",
            "provider": "Event Processor",
            "type": "counter",
            "value": "1"
        },
        {
            "name": "source_count",
            "provider": "Event Processor",
            "type": "counter",
            "value": "1"
        },
        {
            "name": "user_name_count",
            "provider": "Event Processor",
            "type": "counter",
            "value": "0"
        },
        {
            "name": "domain_id",
            "provider": "Event Processor",
            "type": "correlation",
            "value": "0"
        },
        {
            "name": "source_network",
            "provider": "Event Processor",
            "type": "network",
            "value": "Net-99-99-99.Net_99_0_0_0"
        },
        {
            "name": "destination_network",
            "provider": "Event Processor",
            "type": "network",
            "value": "Net-88-88-88.Net_88_88_0_0"
        },
        {
            "name": "destination_network",
            "provider": "Event Processor",
            "type": "network",
            "value": "Net-77-77-77.Net_77_0_0_0"
        }
    ],
    "observables": [
        {
            "name": "log_source_id",
            "type": "Other",
            "type_id": 99,
            "value": "112"
        },
        {
            "name": "log_source_name",
            "type": "Other",
            "type_id": 99,
            "value": "Snort @ wolverine"
        },
        {
            "name": "log_source_type_id",
            "type": "Other",
            "type_id": 99,
            "value": "2"
        },
        {
            "name": "log_source_type_name",
            "type": "Other",
            "type_id": 99,
            "value": "Snort"
        },
        {
            "name": "assigned_to",
            "type": "User",
            "type_id": 21,
            "value": "SomeUser"
        },
        {
            "name": "low_level_category",
            "type": "Other",
            "type_id": 99,
            "value": "ICMP DoS"
        },
        {
            "name": "source_address",
            "type": "IP Address",
            "type_id": 2,
            "value": "99.99.99.99"
        },
        {
            "name": "local_destination_address",
            "type": "IP Address",
            "type_id": 2,
            "value": "88.88.88.88"
        },
        {
            "name": "local_destination_address",
            "type": "IP Address",
            "type_id": 2,
            "value": "77.77.77.77"
        }
    ],
    "status_code": "OPEN"
}
{
    "activity_id": 1,
    "malware": [
        {
            "classification_ids": [
                -1
            ],
            "classifications": [
                "Potentially vulnerable application"
            ],
            "name": "pva.torrent.openinternet",
            "provider": "SecurityScorecard",
            "uid": "pva.torrent.openinternet_9d153be3-a48e-4498-b476-18c2a847d214"
        }
    ],
    "activity_name": "Generate",
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Security Finding",
    "class_uid": 2001,
    "confidence": 100,
    "data": "{\"body_bytes_sent\":\"-\",\"enc_host\":\"open-internet.nl\",\"enc_raw_header\":\"-\",\"enc_request\":\"SOCKET_UDP%20%2F\",\"enc_request_body\":\"AAAEFycQGYAAAAAAiWPgag==\",\"family\":\"pva.torrent.openinternet\",\"field_1\":\"2022-06-27T01:37:06.385325  version_5\",\"remote_addr\":\"1.183.190.110\",\"remote_port\":\"2048\",\"remote_user\":\"-\", \"status\":\"200\",\"time_local\":\"2022-06-27T01:36:21.515207\"}",
    "message": "Potentially vulnerable application infection detected on IP address 1.183.190.110 by Malware DNS sinkhole on communication domain for sinkholed domain open-internet.nl",
    "severity": "Informational ",
    "severity_id": 1,
    "status": "Not applicable, static security finding from global threat intelligence monitoring",
    "status_id": -1,
    "state": "New",
    "state_id": 1,
    "time": 1668535199945,
    "timezone_offset": 0,
    "type_name": "Security Finding: Generate",
    "type_uid": 200101,
    "metadata": {
        "logged_time": 1668535199945,
        "original_time": "2022-11-15T17:59:59.945Z",
        "labels": [
            "infected_device"
        ],
        "product": {
            "lang": "en",
            "name": "SecurityScorecard Attack Surface Intelligence",
            "uid": "ssc_asi",
            "feature": {
                "uid": "ssc_malware_dns_sinkhole",
                "name": "SecurityScorecard Malware DNS Sinkhole collection system"
            },
            "vendor_name": "SecurityScorecard"
        },
        "version": "1.0.0",
        "profiles": [
            "malware",
            "reputation"
        ]
    },
    "resources": [
        {
            "group_name": "infected_device",
            "name": "IPv4 address 1.183.190.110 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs",
            "owner": "chinatelecom.cn",
            "uid": "1.183.190.110"
        }
    ],
    "observables": [
        {
            "name": "infected_device.ip",
            "type": "IP Address",
            "type_id": 2,
            "value": "1.183.190.110"
        },
        {
            "name": "infection.category",
            "type": "Category of infection on infected device",
            "type_id": -1,
            "value": "Potentially vulnerable application"
        },
        {
            "name": "infected_device.malware_hostname",
            "type": "Hostname",
            "type_id": 1,
            "value": "open-internet.nl"
        },
        {
            "name": "infection.family",
            "type": "Malware, adware, or PUA/PVA family name",
            "type_id": -1,
            "value": "pva.torrent.openinternet"
        },
        {
            "name": "infected_device.source_port",
            "type": "Client-side port making connection to the infection communication domain",
            "type_id": -1,
            "value": "2048"
        },
        {
            "name": "infected_device.geo_location",
            "type": "Geo Location",
            "type_id": 26,
            "value": "Bieligutai, China"
        }
    ],
    "finding": {
        "title": "Infection found on 1.183.190.110",
        "uid": "2b7908d7-4b72-4f65-afa0-09bdaea46ae3",
        "types": [
            "malware_infection",
            "infected_device",
            "pva.torrent.openinternet"
        ],
        "src_url": "https://platform.securityscorecard.io/#/asi/details/1.183.190.110",
        "remediation": {
            "desc": "If this IP address is tied to your network via any observables attached to this event, take immediate steps to find the related device on your network and remove the infection seen from external threat intelligence",
            "kb_articles": [
                "https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K",
                "https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings"
            ]
        },
        "product_uid": "ssc_malware_dns_sinkhole",
        "last_seen_time": 1668535199945,
        "desc": "Potentially vulnerable application infection detected on IP address 1.183.190.110 communicating with Command-and-Control domain open-internet.nl"
    }
}
{
    "activity_id": 1,
    "malware": [
        {
            "classification_ids": [
                -1
            ],
            "classifications": [
                "Potentially vulnerable application"
            ],
            "name": "pva.torrent.openinternet",
            "provider": "SecurityScorecard",
            "uid": "pva.torrent.openinternet_e1472f25-0d2d-4b88-aac9-b7bd439218f5"
        }
    ],
    "activity_name": "Generate",
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Security Finding",
    "class_uid": 2001,
    "confidence": 100,
    "data": "{\"body_bytes_sent\":\"-\",\"enc_host\":\"open-internet.nl\",\"enc_raw_header\":\"-\",\"enc_request\":\"SOCKET_UDP%20%2F\",\"enc_request_body\":\"AAAEFycQGYAAAAAAtdIQjw==\",\"family\":\"pva.torrent.openinternet\",\"field_1\":\"2022-06-04T10:35:07.143255  version_5\",\"remote_addr\":\"59.11.81.231\",\"remote_port\":\"6927\",\"remote_user\":\"-\", \"status\":\"200\",\"time_local\":\"2022-06-04T10:34:45.835005\"}",
    "message": "Potentially vulnerable application infection detected on IP address 59.11.81.231 by Malware DNS sinkhole on communication domain for sinkholed domain ",
    "severity": "Informational ",
    "severity_id": 1,
    "status": "Not applicable, static security finding from global threat intelligence monitoring",
    "status_id": -1,
    "state": "New",
    "state_id": 1,
    "time": 1668535199946,
    "timezone_offset": 0,
    "type_name": "Security Finding: Generate",
    "type_uid": 200101,
    "metadata": {
        "logged_time": 1668535199946,
        "original_time": "2022-11-15T17:59:59.946Z",
        "labels": [
            "infected_device"
        ],
        "product": {
            "lang": "en",
            "name": "SecurityScorecard Attack Surface Intelligence",
            "uid": "ssc_asi",
            "feature": {
                "uid": "ssc_malware_dns_sinkhole",
                "name": "SecurityScorecard Malware DNS Sinkhole collection system"
            },
            "vendor_name": "SecurityScorecard"
        },
        "version": "1.0.0",
        "profiles": [
            "malware",
            "reputation"
        ]
    },
    "resources": [
        {
            "group_name": "infected_device",
            "name": "IPv4 address 59.11.81.231 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs",
            "owner": "krnic.or.kr",
            "uid": "59.11.81.231"
        }
    ],
    "observables": [
        {
            "name": "infected_device.ip",
            "type": "IP Address",
            "type_id": 2,
            "value": "59.11.81.231"
        },
        {
            "name": "infection.category",
            "type": "Category of infection on infected device",
            "type_id": -1,
            "value": "Potentially vulnerable application"
        },
        {
            "name": "infected_device.malware_hostname",
            "type": "Hostname",
            "type_id": 1,
            "value": null
        },
        {
            "name": "infection.family",
            "type": "Malware, adware, or PUA/PVA family name",
            "type_id": -1,
            "value": "pva.torrent.openinternet"
        },
        {
            "name": "infected_device.source_port",
            "type": "Client-side port making connection to the infection communication domain",
            "type_id": -1,
            "value": "6927"
        },
        {
            "name": "infected_device.geo_location",
            "type": "Geo Location",
            "type_id": 26,
            "value": "Seongnam-si (Buljeong-ro), Korea, Republic of"
        }
    ],
    "finding": {
        "title": "Infection found on 59.11.81.231",
        "uid": "45521c66-6498-442d-ad9b-40da9f0e9236",
        "types": [
            "malware_infection",
            "infected_device",
            "pva.torrent.openinternet"
        ],
        "src_url": "https://platform.securityscorecard.io/#/asi/details/59.11.81.231",
        "remediation": {
            "desc": "If this IP address is tied to your network via any observables attached to this event, take immediate steps to find the related device on your network and remove the infection seen from external threat intelligence",
            "kb_articles": [
                "https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K",
                "https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings"
            ]
        },
        "product_uid": "ssc_malware_dns_sinkhole",
        "last_seen_time": 1668535199947,
        "desc": "Potentially vulnerable application infection detected on IP address 59.11.81.231 communicating with Command-and-Control domain "
    }
}
{
    "activity_id": 1,
    "malware": [
        {
            "classification_ids": [
                -1
            ],
            "classifications": [
                "Potentially vulnerable application"
            ],
            "name": "pva.torrent.kickasstracker",
            "provider": "SecurityScorecard",
            "uid": "pva.torrent.kickasstracker_d605642d-9f8b-46ed-bb19-882ffc34a8f4"
        }
    ],
    "activity_name": "Generate",
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Security Finding",
    "class_uid": 2001,
    "confidence": 100,
    "data": "{\"body_bytes_sent\":\"152\",\"enc_host\":\"open.kickasstracker.com\",\"enc_raw_header\":\"R0VUIC9zY3JhcGU/aW5mb19oYXNoPSUwMiUyNSVkYiVmMiVmZlElZWVLJTNmJWMxJTI4MW8lMGMlMDklYWElODN4JWVlJTk5IEhUVFAvMS4xDQpVc2VyLUFnZW50OiBUcmFuc21pc3Npb24vMi44NA0KSG9zdDogb3Blbi5raWNrYXNzdHJhY2tlci5jb20NCkFjY2VwdDogKi8qDQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXA7cT0xLjAsIGRlZmxhdGUsIGlkZW50aXR5DQoNCg==\",\"enc_request\":\"GET%20%2Fscrape%3Finfo_hash%3D%2502%2525%25db%25f2%25ffQ%25eeK%253f%25c1%25281o%250c%2509%25aa%2583x%25ee%2599%20HTTP%2F1.1\",\"enc_request_body\":\"\",\"family\":\"pva.torrent.kickasstracker\",\"field_1\":\"2022-09-30T21:26:09.028507  version_5\",\"remote_addr\":\"190.109.227.80\",\"remote_port\":\"21886\",\"remote_user\":\"-\", \"status\":\"404\",\"time_local\":\"2022-09-30T21:25:21+00:00\"}",
    "message": "Potentially vulnerable application infection detected on IP address 190.109.227.80 by Malware DNS sinkhole on communication domain for sinkholed domain open.kickasstracker.com",
    "severity": "Informational ",
    "severity_id": 1,
    "status": "Not applicable, static security finding from global threat intelligence monitoring",
    "status_id": -1,
    "state": "New",
    "state_id": 1,
    "time": 1668535199947,
    "timezone_offset": 0,
    "type_name": "Security Finding: Generate",
    "type_uid": 200101,
    "metadata": {
        "logged_time": 1668535199947,
        "original_time": "2022-11-15T17:59:59.947Z",
        "labels": [
            "infected_device"
        ],
        "product": {
            "lang": "en",
            "name": "SecurityScorecard Attack Surface Intelligence",
            "uid": "ssc_asi",
            "feature": {
                "uid": "ssc_malware_dns_sinkhole",
                "name": "SecurityScorecard Malware DNS Sinkhole collection system"
            },
            "vendor_name": "SecurityScorecard"
        },
        "version": "1.0.0",
        "profiles": [
            "malware",
            "reputation"
        ]
    },
    "resources": [
        {
            "group_name": "infected_device",
            "name": "IPv4 address 190.109.227.80 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs",
            "owner": "cotel.bo",
            "uid": "190.109.227.80"
        }
    ],
    "observables": [
        {
            "name": "infected_device.ip",
            "type": "IP Address",
            "type_id": 2,
            "value": "190.109.227.80"
        },
        {
            "name": "infection.category",
            "type": "Category of infection on infected device",
            "type_id": -1,
            "value": "Potentially vulnerable application"
        },
        {
            "name": "infected_device.malware_hostname",
            "type": "Hostname",
            "type_id": 1,
            "value": "open.kickasstracker.com"
        },
        {
            "name": "infection.family",
            "type": "Malware, adware, or PUA/PVA family name",
            "type_id": -1,
            "value": "pva.torrent.kickasstracker"
        },
        {
            "name": "infected_device.source_port",
            "type": "Client-side port making connection to the infection communication domain",
            "type_id": -1,
            "value": "21886"
        },
        {
            "name": "infected_device.geo_location",
            "type": "Geo Location",
            "type_id": 26,
            "value": "La Paz (Macrodistrito Centro), Bolivia, Plurinational State of"
        }
    ],
    "finding": {
        "title": "Infection found on 190.109.227.80",
        "uid": "8f91e92d-b75c-4d55-a6a2-c9f611cdea28",
        "types": [
            "malware_infection",
            "infected_device",
            "pva.torrent.kickasstracker"
        ],
        "src_url": "https://platform.securityscorecard.io/#/asi/details/190.109.227.80",
        "remediation": {
            "desc": "If this IP address is tied to your network via any observables attached to this event, take immediate steps to find the related device on your network and remove the infection seen from external threat intelligence",
            "kb_articles": [
                "https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K",
                "https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings"
            ]
        },
        "product_uid": "ssc_malware_dns_sinkhole",
        "last_seen_time": 1668535199948,
        "desc": "Potentially vulnerable application infection detected on IP address 190.109.227.80 communicating with Command-and-Control domain open.kickasstracker.com"
    }
}
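The Security Finding samples above (Falco, QRadar, SecurityScorecard) all use class_uid 2001 but label their observables differently: standard OCSF type_ids appear (1 Hostname, 2 IP Address, 21 User, 26 Geo Location) next to the catch-all 0 and 99 and the vendor-specific -1, and one SecurityScorecard event carries a null hostname value. Timestamps differ too: these findings and the Windows events put `time` in epoch milliseconds, while the Zeek samples earlier on the page carry float seconds. The script below is an added example, not code from this page, from Sekoia.io or from the OCSF project: it collapses the observables of every finding into one indicator record per (kind, value), skipping unclassified types and empty values, and normalises both time formats. The sample findings are constructed for the example, shaped like the SecurityScorecard and QRadar events above, with RFC 5737 documentation addresses in place of real ones.

```python
"""Collect indicators from OCSF Security Finding events.

Added example, not from the page or the OCSF project. Handles the quirks visible in
the samples on this page: catch-all/vendor observable type_ids (0, 99, -1), a null
observable value, and 'time' carried either as epoch milliseconds or float seconds."""
from __future__ import annotations

from datetime import datetime, timezone

# OCSF observable.type_id values used by the samples on this page; anything else
# (0 and 99 "Other", the vendor-specific -1) is left out of the indicator list.
OBSERVABLE_KINDS = {1: "hostname", 2: "ip", 21: "user", 26: "geo_location"}

# Constructed events (not copied from the page), shaped like the SecurityScorecard and
# QRadar findings above, with RFC 5737 documentation addresses. The last dict is a
# Network Activity event, which the extractor must skip.
SAMPLE_EVENTS = [
    {"class_uid": 2001, "category_uid": 2, "activity_id": 1, "time": 1668535199945,
     "finding": {"uid": "finding-a"},
     "observables": [
         {"name": "infected_device.ip", "type_id": 2, "value": "203.0.113.10"},
         {"name": "infected_device.malware_hostname", "type_id": 1, "value": "sinkhole.example"},
         {"name": "infection.family", "type_id": -1, "value": "pva.example"},
         {"name": "infected_device.geo_location", "type_id": 26, "value": "Somewhere"},
     ]},
    {"class_uid": 2001, "category_uid": 2, "activity_id": 1, "time": 1668535199946,
     "finding": {"uid": "finding-b"},
     "observables": [
         {"name": "infected_device.ip", "type_id": 2, "value": "203.0.113.10"},
         {"name": "infected_device.malware_hostname", "type_id": 1, "value": None},
     ]},
    {"class_uid": 2001, "category_uid": 2, "activity_id": 1, "time": 1682347463218,
     "finding": {"uid": "591"},
     "observables": [
         {"name": "source_address", "type_id": 2, "value": "198.51.100.7"},
         {"name": "log_source_name", "type_id": 99, "value": "Snort @ wolverine"},
         {"name": "assigned_to", "type_id": 21, "value": "SomeUser"},
     ]},
    {"class_uid": 4001, "category_uid": 4, "activity_id": 0, "time": 1591367999.305988,
     "observables": [{"name": "dst", "type_id": 2, "value": "192.0.2.1"}]},
]


def ocsf_time_to_iso(value: float) -> str:
    """OCSF timestamps are epoch milliseconds, but the Zeek samples on this page carry
    float seconds; anything below 1e11 is treated as seconds."""
    seconds = value / 1000.0 if value >= 1e11 else float(value)
    return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat(timespec="milliseconds")


def extract_indicators(events: list[dict]) -> dict[tuple[str, str], dict]:
    """One record per (kind, value) across all Security Finding (class_uid 2001) events,
    with the finding uids that carried it, the observable names used, and first-seen time."""
    indicators: dict[tuple[str, str], dict] = {}
    for event in events:
        if event.get("class_uid") != 2001:
            continue
        finding_uid = (event.get("finding") or {}).get("uid", "?")
        seen = ocsf_time_to_iso(event["time"])
        for obs in event.get("observables") or []:
            kind = OBSERVABLE_KINDS.get(obs.get("type_id"))
            value = obs.get("value")
            if kind is None or not isinstance(value, str) or not value:
                continue  # unclassified type, or a null/empty value such as the missing hostname
            record = indicators.setdefault(
                (kind, value), {"findings": set(), "names": set(), "first_seen": seen}
            )
            record["findings"].add(finding_uid)
            record["names"].add(obs.get("name", ""))
            record["first_seen"] = min(record["first_seen"], seen)
    return indicators


def indicator_rows(events: list[dict]) -> list[tuple[str, str, int, str]]:
    """Flat, sorted view: (kind, value, number of findings, first seen as ISO 8601 UTC)."""
    return sorted(
        (kind, value, len(rec["findings"]), rec["first_seen"])
        for (kind, value), rec in extract_indicators(events).items()
    )


if __name__ == "__main__":
    for row in indicator_rows(SAMPLE_EVENTS):
        print(*row, sep="\t")
```

Observables with type_id -1 or 99 are dropped here rather than guessed at; if a vendor's private types matter to you, map them by name (for example `infection.family`) in a separate table instead of widening OBSERVABLE_KINDS, so a standard type_id never collides with a vendor one.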
{
    "activity_id": 1,
    "malware": [
        {
            "classification_ids": [
                -1
            ],
            "classifications": [
                "Adware"
            ],
            "name": "adware.android.imp",
            "provider": "SecurityScorecard",
            "uid": "adware.android.imp_7cd5cf7b-4c99-406c-ad46-621487394fba"
        }
    ],
    "activity_name": "Generate",
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Security Finding",
    "class_uid": 2001,
    "confidence": 100,
    "data": "{\"body_bytes_sent\":\"152\",\"enc_host\":\"x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com\",\"enc_raw_header\":\"UE9TVCAvYXVjdGlvbi9pbml0IEhUVFAvMS4xDQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtcHJvdG9idWYNCkFjY2VwdC1FbmNvZGluZzogZ3ppcA0KQ29udGVudC1FbmNvZGluZzogZ3ppcA0KVXNlci1BZ2VudDogRGFsdmlrLzIuMS4wIChMaW51eDsgVTsgQW5kcm9pZCAxMTsgU00tQTIwN0YgQnVpbGQvUlAxQS4yMDA3MjAuMDEyKQ0KSG9zdDogeC1ldS41OGRhYzE2ZTdiMmM4NmMxOWNmZTQ4OTE0YTZlOGZjZGFjOWFlMDZmZTVjZjUzMzY5YmVhYTQ1Yi5jb20NCkNvbm5lY3Rpb246IEtlZXAtQWxpdmUNCkNvbnRlbnQtTGVuZ3RoOiAzMDMNCg0K\",\"enc_request\":\"POST%20%2Fauction%2Finit%20HTTP%2F1.1\",\"enc_request_body\":\"H4sIAAAAAAAAAK3PzUoDMRQFYEhbSwNSnI1lljKrgYQkzd+47MqNIIg/u3qTTHCUzshMacFHEHwGwbUPaStVQTcu3F3uOXxwcI8X02TsmwWFdUehDm1ThQk6QpznvZs3JPCsCqfgb6u6PB5wWlA9y0oLzjGvCHPGE+kgEif05iq5YVZZkEye9M+Qy6LVLETpiXfOEilAE2sUJ9EIr4WCGKfibqSoVJQRrttMhKijLhjxQhsijSo29NSS4IOSDJRRzDy+IvyC8H5dLtdNe9/Nqzo2yTMSTwhf55c4wcNdlAzTwaKFKuAUj3e/+apsu6qptxnb7LE4w4efGQR4WJbtV2eUDj82U46v8gt88C3vpf0VdMt/gC/y8x9wvYUnv+FB2uOU/Y19BzRbkezaAQAA\",\"family\":\"adware.android.imp\",\"field_1\":\"2022-09-23T16:20:10.540428 version_5\",\"remote_addr\":\"38.7.186.198\",\"remote_port\":\"59750\",\"remote_user\":\"-\",\"status\":\"404\",\"time_local\":\"2022-09-23T16:19:38+00:00\"}",
    "message": "Adware infection detected on IP address 38.7.186.198 by Malware DNS sinkhole on communication domain for sinkholed domain x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com",
    "severity": "Informational ",
    "severity_id": 1,
    "status": "Not applicable, static security finding from global threat intelligence monitoring",
    "status_id": -1,
    "state": "New",
    "state_id": 1,
    "time": 1668535199948,
    "timezone_offset": 0,
    "type_name": "Security Finding: Generate",
    "type_uid": 200101,
    "metadata": {
        "logged_time": 1668535199948,
        "original_time": "2022-11-15T17:59:59.948Z",
        "labels": [
            "infected_device"
        ],
        "product": {
            "lang": "en",
            "name": "SecurityScorecard Attack Surface Intelligence",
            "uid": "ssc_asi",
            "feature": {
                "uid": "ssc_malware_dns_sinkhole",
                "name": "SecurityScorecard Malware DNS Sinkhole collection system"
            },
            "vendor_name": "SecurityScorecard"
        },
        "version": "1.0.0",
        "profiles": [
            "malware",
            "reputation"
        ]
    },
    "resources": [
        {
            "group_name": "infected_device",
            "name": "IPv4 address 38.7.186.198 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs",
            "owner": "emix.net.ae",
            "uid": "38.7.186.198"
        }
    ],
    "observables": [
        {
            "name": "infected_device.ip",
            "type": "IP Address",
            "type_id": 2,
            "value": "38.7.186.198"
        },
        {
            "name": "infection.category",
            "type": "Category of infection on infected device",
            "type_id": -1,
            "value": "Adware"
        },
        {
            "name": "infected_device.malware_hostname",
            "type": "Hostname",
            "type_id": 1,
            "value": "x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com"
        },
        {
            "name": "infection.family",
            "type": "Malware, adware, or PUA/PVA family name",
            "type_id": -1,
            "value": "adware.android.imp"
        },
        {
            "name": "infected_device.source_port",
            "type": "Client-side port making connection to the infection communication domain",
            "type_id": -1,
            "value": "59750"
        },
        {
            "name": "infected_device.geo_location",
            "type": "Geo Location",
            "type_id": 26,
            "value": "Karachi (Sector Five F), Pakistan"
        }
    ],
    "finding": {
        "title": "Infection found on 38.7.186.198",
        "uid": "26c7c83d-0aad-411b-88ee-52343ff22064",
        "types": [
            "malware_infection",
            "infected_device",
            "adware.android.imp"
        ],
        "src_url": "https://platform.securityscorecard.io/#/asi/details/38.7.186.198",
        "remediation": {
            "desc": "If this IP address is tied to your network via any observables attached to this event, take immediate steps to find the related device on your network and remove the infection seen from external threat intelligence",
            "kb_articles": [
                "https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K",
                "https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings"
            ]
        },
        "product_uid": "ssc_malware_dns_sinkhole",
        "last_seen_time": 1668535199948,
        "desc": "Adware infection detected on IP address 38.7.186.198 communicating with Command-and-Control domain x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com"
    }
}
{
    "activity_id": 99,
    "actor": {
        "process": {
            "file": {
                "name": "lsass.exe",
                "parent_folder": "C:\\Windows\\System32",
                "path": "C:\\Windows\\System32\\lsass.exe",
                "type_id": 1
            },
            "pid": 492
        },
        "session": {
            "uid": "0x3e7"
        },
        "user": {
            "account_type": "Windows Account",
            "account_type_id": 2,
            "domain": "DIR",
            "name": "STLDIRDC1$",
            "uid": "NT AUTHORITY\\SYSTEM"
        }
    },
    "category_uid": 1,
    "class_uid": 1010,
    "device": {
        "hostname": "STLDIRDC1.dir.solutia.com",
        "os": {
            "name": "Windows",
            "type_id": 100
        },
        "type_id": 0
    },
    "message": "A handle to an object was requested.",
    "metadata": {
        "original_time": "01/09/2019 12:46:00 AM",
        "product": {
            "feature": {
                "name": "Security"
            },
            "name": "Microsoft Windows",
            "vendor_name": "Microsoft"
        },
        "profiles": [
            "host"
        ],
        "uid": "d9e6a7b1-3177-4542-8de1-bfd582f87727",
        "version": "1.0.0-rc.2"
    },
    "severity_id": 1,
    "status_id": 1,
    "time": 1547012760000,
    "unmapped": {
        "Access Request Information": {
            "Access Mask": "0x2d",
            "Accesses": [
                "DELETE",
                "READ_CONTROL",
                "WRITE_DAC",
                "WRITE_OWNER",
                "ReadPasswordParameters",
                "WritePasswordParameters",
                "ReadOtherParameters",
                "WriteOtherParameters",
                "CreateUser",
                "CreateGlobalGroup",
                "CreateLocalGroup",
                "GetLocalGroupMembership",
                "ListAccounts"
            ],
            "Privileges Used for Access Check": "\u01ff\\x0F-",
            "Properties": [
                "---",
                "domain",
                "DELETE",
                "READ_CONTROL",
                "WRITE_DAC",
                "WRITE_OWNER",
                "ReadPasswordParameters",
                "WritePasswordParameters",
                "ReadOtherParameters",
                "WriteOtherParameters",
                "CreateUser",
                "CreateGlobalGroup",
                "CreateLocalGroup",
                "GetLocalGroupMembership",
                "ListAccounts",
                "Domain Password & Lockout Policies",
                "lockOutObservationWindow",
                "lockoutDuration",
                "lockoutThreshold",
                "maxPwdAge",
                "minPwdAge",
                "minPwdLength",
                "pwdHistoryLength",
                "pwdProperties",
                "Other Domain Parameters (for use by SAM)",
                "serverState",
                "serverRole",
                "modifiedCount",
                "uASCompat",
                "forceLogoff",
                "domainReplica",
                "oEMInformation",
                "Domain Administer Server"
            ],
            "Restricted SID Count": "0",
            "Transaction ID": "{00000000-0000-0000-0000-000000000000}"
        },
        "EventCode": "4661",
        "EventType": "0",
        "Object": {
            "Object Server": "Security Account Manager"
        },
        "OpCode": "Info",
        "RecordNumber": "3166250565",
        "SourceName": "Microsoft Windows security auditing.",
        "TaskCategory": "SAM"
    },
    "win_resource": {
        "name": "DC=dir,DC=solutia,DC=com",
        "type_id": 36,
        "uid": "0x7f79620"
    }
}
{
    "activity_id": 1,
    "actor": {
        "process": {
            "file": {
                "name": "explorer.exe",
                "parent_folder": "C:\\Windows",
                "path": "C:\\Windows\\explorer.exe",
                "type_id": 1
            },
            "pid": 1704
        },
        "session": {
            "uid": "0xDE9AD8"
        },
        "user": {
            "account_type": "Windows Account",
            "account_type_id": 2,
            "domain": "SESTEST",
            "name": "splunker",
            "uid": "SESTEST\\splunker"
        }
    },
    "category_uid": 1,
    "class_uid": 1010,
    "device": {
        "hostname": "SesWin2019DC1.SesTest.local",
        "os": {
            "name": "Windows",
            "type_id": 100
        },
        "type_id": 0
    },
    "message": "A privileged service was called.",
    "metadata": {
        "original_time": "01/28/2022 04:12:19 PM",
        "product": {
            "feature": {
                "name": "Security"
            },
            "name": "Microsoft Windows",
            "vendor_name": "Microsoft"
        },
        "profiles": [
            "host"
        ],
        "uid": "995559a6-1921-463f-93e1-9c5ca932dc8c",
        "version": "1.0.0-rc.2"
    },
    "severity_id": 1,
    "status_id": 2,
    "time": 1643404339000,
    "unmapped": {
        "EventCode": "4673",
        "EventType": "0",
        "OpCode": "Info",
        "RecordNumber": "374060",
        "Service Request Information": {
            "Privileges": "SeTcbPrivilege"
        },
        "SourceName": "Microsoft Windows security auditing.",
        "TaskCategory": "Sensitive Privilege Use"
    },
    "win_resource": {
        "name": "-",
        "type": "Security",
        "type_id": 0
    }
}
{
    "activity_id": 2,
    "activity_name": "Update",
    "category_name": "Findings",
    "category_uid": 2,
    "class_name": "Vulnerability Finding",
    "class_uid": 2002,
    "cloud": {
        "account": {
            "uid": "111111111111"
        },
        "provider": "AWS",
        "region": "us-east-2"
    },
    "finding_info": {
        "created_time_dt": "2023-04-21T11:59:04.000-04:00",
        "desc": "Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM\nplatform contains a bug that could cause it to read past the input buffer,\nleading to a crash.\n\nImpact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM\nplatform can crash in rare circumstances. The AES-XTS algorithm is usually\nused for disk encryption.\n\nThe AES-XTS cipher decryption implementation for 64 bit ARM platform will read\npast the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16\nbyte blocks, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext\nbuffer is unmapped, this will trigger a crash which results in a denial of\nservice.\n\nIf an attacker can control the size and location of the ciphertext buffer\nbeing decrypted by an application using AES-XTS on 64 bit ARM, the\napplication is affected. This is fairly unlikely making this issue\na Low severity one.",
        "first_seen_time_dt": "2023-04-21T11:59:04.000-04:00",
        "last_seen_time_dt": "2024-01-26T17:19:14.000-05:00",
        "modified_time_dt": "2024-01-26T17:19:14.000-05:00",
        "title": "CVE-2023-1255 - openssl",
        "types": [
            "Software and Configuration Checks/Vulnerabilities/CVE"
        ],
        "uid": "arn:aws:inspector2:us-east-2:111111111111:finding/faa0d54609b94871badcc83ac7c2add5"
    },
    "metadata": {
        "log_version": "2018-10-08",
        "processed_time_dt": "2024-01-26T17:59:56.923-05:00",
        "product": {
            "feature": {
                "uid": "AWSInspector"
            },
            "name": "Inspector",
            "uid": "arn:aws:securityhub:us-east-2::product/aws/inspector",
            "vendor_name": "Amazon",
            "version": "2"
        },
        "profiles": [
            "cloud",
            "datetime"
        ],
        "version": "1.1.0"
    },
    "observables": [
        {
            "name": "resource.uid",
            "type": "Resource UID",
            "type_id": 10,
            "value": "arn:aws:ecr:us-east-2:111111111111:repository/browserhostingstack-EXAMPLE-btb1o54yh1jr/sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8"
        }
    ],
    "resource": {
        "cloud_partition": "aws",
        "data": "{\"AwsEcrContainerImage\":{\"Architecture\":\"amd64\",\"ImageDigest\":\"sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8\",\"ImagePublishedAt\":\"2023-04-11T21:07:55Z\",\"RegistryId\":\"111111111111\",\"RepositoryName\":\"browserhostingstack-EXAMPLE-btb1o54yh1jr\"}}",
        "region": "us-east-2",
        "type": "AwsEcrContainerImage",
        "uid": "arn:aws:ecr:us-east-2:111111111111:repository/browserhostingstack-EXAMPLE-btb1o54yh1jr/sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8"
    },
    "severity": "Medium",
    "severity_id": 3,
    "status": "New",
    "time": 1706307554000,
    "time_dt": "2024-01-26T17:19:14.000-05:00",
    "type_name": "Vulnerability Finding: Update",
    "type_uid": 200202,
    "unmapped": {
        "FindingProviderFields.Severity.Label": "MEDIUM",
        "FindingProviderFields.Types[]": "Software and Configuration Checks/Vulnerabilities/CVE",
        "ProductFields.aws/inspector/FindingStatus": "ACTIVE",
        "ProductFields.aws/inspector/inspectorScore": "5.9",
        "ProductFields.aws/inspector/packageVulnerabilityDetails/vulnerablePackages/sourceLayerHashes": "sha256:f56be85fc22e46face30e2c3de3f7fe7c15f8fd7c4e5add29d7f64b87abdaa09",
        "ProductFields.aws/inspector/resources/1/resourceDetails/awsEcrContainerImageDetails/platform": "ALPINE_LINUX_3_17",
        "ProductFields.aws/securityhub/CompanyName": "Amazon",
        "ProductFields.aws/securityhub/FindingId": "arn:aws:securityhub:us-east-2::product/aws/inspector/arn:aws:inspector2:us-east-2:111111111111:finding/faa0d54609b94871badcc83ac7c2add5",
        "ProductFields.aws/securityhub/ProductName": "Inspector",
        "RecordState": "ACTIVE",
        "Severity.Normalized": "40",
        "Vulnerabilities[].Cvss[].Source": "NVD,NVD",
        "Vulnerabilities[].Vendor.VendorSeverity": "MEDIUM",
        "Vulnerabilities[].VulnerablePackages[].SourceLayerHash": "sha256:f56be85fc22e46face30e2c3de3f7fe7c15f8fd7c4e5add29d7f64b87abdaa09",
        "WorkflowState": "NEW"
    },
    "vulnerabilities": [
        {
            "affected_packages": [
                {
                    "architecture": "X86_64",
                    "epoch": 0,
                    "fixed_in_version": "0:3.0.8-r4",
                    "name": "openssl",
                    "package_manager": "OS",
                    "release": "r3",
                    "remediation": {
                        "desc": "apk update && apk upgrade openssl"
                    },
                    "version": "3.0.8"
                }
            ],
            "cve": {
                "created_time_dt": "2023-04-20T13:15:06.000-04:00",
                "cvss": [
                    {
                        "base_score": 5.9,
                        "vector_string": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                        "version": "3.1"
                    },
                    {
                        "base_score": 5.9,
                        "vector_string": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                        "version": "3.1"
                    }
                ],
                "epss": {
                    "score": "0.00066"
                },
                "modified_time_dt": "2023-09-08T13:15:15.000-04:00",
                "references": [
                    "https://nvd.nist.gov/vuln/detail/CVE-2023-1255"
                ],
                "uid": "CVE-2023-1255"
            },
            "is_exploit_available": true,
            "is_fix_available": true,
            "references": [
                "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bc2f61ad70971869b242fc1cb445b98bad50074a",
                "https://www.openssl.org/news/secadv/20230419.txt",
                "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=02ac9c9420275868472f33b01def01218742b8bb"
            ],
            "remediation": {
                "desc": "Remediation is available. Please refer to the Fixed version in the vulnerability details section above.For detailed remediation guidance for each of the affected packages, refer to the vulnerabilities section of the detailed finding JSON."
            },
            "vendor_name": "NVD"
        }
    ]
}
{
    "activity_id": 1,
    "activity_name": "Access",
    "actor": {
        "process": {
            "file": {
                "name": "services.exe",
                "parent_folder": "C:\\Windows\\System32",
                "path": "C:\\Windows\\System32\\services.exe",
                "type": "Regular File",
                "type_id": 1
            },
            "pid": 532
        },
        "session": {
            "uid": "0x3e7"
        },
        "user": {
            "account_type": "Windows Account",
            "account_type_id": 2,
            "domain": "SOI",
            "name": "SZUSOIDC1$",
            "uid": "NT AUTHORITY\\SYSTEM"
        }
    },
    "category_name": "System Activity",
    "category_uid": 1,
    "class_name": "Windows Resource Activity",
    "class_uid": 201003,
    "device": {
        "hostname": "szusoidc1.soi.dir.acme080.com",
        "os": {
            "name": "Windows",
            "type": "Windows",
            "type_id": 100
        },
        "type": "Unknown",
        "type_id": 0
    },
    "message": "An attempt was made to access an object.",
    "metadata": {
        "original_time": "01/14/2015 08:30:54 PM",
        "product": {
            "feature": {
                "name": "Security"
            },
            "name": "Microsoft Windows",
            "vendor_name": "Microsoft"
        },
        "profiles": [
            "host"
        ],
        "uid": "05e90f2c-5be6-484c-aefb-f8e6f591bd2c",
        "version": "1.0.0-rc.2"
    },
    "severity": "Informational",
    "severity_id": 1,
    "status": "Success",
    "status_id": 1,
    "time": 1421285454000,
    "type_name": "Windows Resource Activity: Access",
    "type_uid": 101001,
    "unmapped": {
        "Access Mask": "0x2",
        "Access Request Information": {
            "Accesses": "Set key value"
        },
        "CaseID": "AD_4663",
        "EventCode": "4663",
        "EventType": "0",
        "Object": {
            "Object Server": "Security"
        },
        "OpCode": "Info",
        "RecordNumber": "989202992",
        "SourceName": "Microsoft Windows security auditing.",
        "TaskCategory": "Registry"
    },
    "win_resource": {
        "name": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\EventLog\\Security",
        "type": "Key",
        "type_id": 25,
        "uid": "0x564"
    }
}

Detection section

The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.

No related built-in rules were found. This message is automatically generated.

Event Categories

The following table lists the data sources offered by this integration.

Data Source           Description
File monitoring       OCSF allows collecting system activities
Network device logs   OCSF allows collecting network activities
Process monitoring    OCSF allows collecting application activities

In detail, the following table lists the types of events produced by this integration.

Name      Values
Kind      alert, event
Category  ``
Type      ``

Transformed Events Samples after Ingestion

This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.
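
The mapping the samples in this section illustrate (OCSF event in, ECS-style document out) can be reproduced for a single event with the following Python, which is an added example and not the Sekoia.io parser. It takes a constructed event modelled on the CloudTrail "Account Change: Create" sample, emits the `@timestamp`, `event`, `ocsf`, `related`, `source`, `cloud` and `user` blocks, and also checks the OCSF invariant `type_uid = class_uid * 100 + activity_id`, which one of the Windows samples on this page violates; the category table beyond the two values visible on this page is an assumption.

```python
import json
from datetime import datetime, timezone

# Constructed OCSF event, modelled on the CloudTrail "Account Change: Create"
# sample on this page and trimmed to the fields the mapping below reads.
SAMPLE_EVENT = {
    "activity_id": 1,
    "activity_name": "Create",
    "actor": {"user": {"uid": "arn:aws:sts::112233445566:assumed-role/Admin/Admin-user"}},
    "category_uid": 3,
    "class_name": "Account Change",
    "class_uid": 3001,
    "cloud": {"provider": "AWS", "region": "us-east-1"},
    "metadata": {"log_provider": "CloudTrail", "version": "1.1.0"},
    "observables": [
        {"name": "user.name", "type_id": 4, "value": "test_user2"},
        {"name": "src_endpoint.ip", "type_id": 2, "value": "52.95.4.21"},
    ],
    "severity_id": 1,
    "src_endpoint": {"ip": "52.95.4.21"},
    "time": 1679072879000,
    "type_uid": 300101,
    "user": {"name": "test_user2", "uid": "AROA2W7SOKHEXAMPLE:Admin-user"},
}

# ECS event.category per OCSF category_uid. 3 -> "iam" and 6 -> "web" come
# from the transformed samples on this page; the other entries are an assumption.
CATEGORY_TO_ECS = {1: "host", 2: "intrusion_detection", 3: "iam", 4: "network", 6: "web"}

OBSERVABLE_IP = 2  # OCSF observable type_id for "IP Address"


def type_uid_is_consistent(event):
    """OCSF derives type_uid as class_uid * 100 + activity_id.

    An event whose type_uid disagrees with its class_uid (as in the Windows
    Resource Activity sample above: class_uid 201003 but type_uid 101001) is
    classified differently depending on which field a rule keys on, so flag
    it before writing detections against either field.
    """
    expected = event.get("class_uid", 0) * 100 + event.get("activity_id", 0)
    return event.get("type_uid") == expected


def to_ecs(event):
    """Map one OCSF event to the ECS-style document shape shown in this section."""
    ts = datetime.fromtimestamp(event["time"] / 1000, tz=timezone.utc)
    category_uid = event.get("category_uid")
    ecs = {
        "message": json.dumps(event),  # the raw event is kept verbatim, as in the samples
        "@timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "event": {
            "action": event.get("activity_name", "").lower(),
            "category": [CATEGORY_TO_ECS[category_uid]] if category_uid in CATEGORY_TO_ECS else [],
            # Findings (category 2) become alerts; everything else stays an event.
            "kind": "alert" if category_uid == 2 else "event",
            "provider": event.get("metadata", {}).get("log_provider"),
            "severity": event.get("severity_id"),
        },
        "ocsf": {k: event[k] for k in ("activity_id", "activity_name", "class_name", "class_uid") if k in event},
        "related": {},
    }
    # related.ip collects every IP observable plus the source endpoint, deduplicated.
    ips = [o["value"] for o in event.get("observables", []) if o.get("type_id") == OBSERVABLE_IP]
    src_ip = event.get("src_endpoint", {}).get("ip")
    if src_ip:
        ecs["source"] = {"address": src_ip, "ip": src_ip}
        ips.append(src_ip)
    if ips:
        ecs["related"]["ip"] = list(dict.fromkeys(ips))
    actor_user = event.get("actor", {}).get("user", {})
    if actor_user.get("name"):
        ecs["related"]["user"] = [actor_user["name"]]
    if "cloud" in event:
        ecs["cloud"] = {k: event["cloud"][k] for k in ("provider", "region") if k in event["cloud"]}
    # user.id is the acting principal; a top-level "user" object (Account Change)
    # is the account being changed and lands under user.target.
    user = {}
    if actor_user.get("uid"):
        user["id"] = actor_user["uid"]
    if actor_user.get("name"):
        user["name"] = actor_user["name"]
    if "user" in event:
        user["target"] = {"id": event["user"].get("uid"), "name": event["user"].get("name")}
    if user:
        ecs["user"] = user
    return ecs


if __name__ == "__main__":
    print("type_uid consistent:", type_uid_is_consistent(SAMPLE_EVENT))
    print(json.dumps(to_ecs(SAMPLE_EVENT), indent=2))
```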

{
    "message": "{\"activity_id\": 1, \"activity_name\": \"Create\", \"actor\": {\"idp\": {\"name\": null}, \"invoked_by\": null, \"session\": {\"created_time\": 1700239437000, \"created_time_dt\": \"2023-11-17T16:43:57Z\", \"is_mfa\": false, \"issuer\": \"arn:aws:iam::112233445566:role/Admin\"}, \"user\": {\"account\": {\"uid\": \"112233445566\"}, \"credential_uid\": null, \"type\": \"AssumedRole\", \"uid\": \"arn:aws:sts::112233445566:assumed-role/Admin/Admin-user\", \"uid_alt\": \"AROA2W7SOKHEXAMPLE:Admin-user\"}}, \"api\": {\"operation\": \"CreateUser\", \"request\": {\"data\": {\"userName\": \"test_user2\"}, \"uid\": \"c99bf9da-e0bd-4bf7-bb32-example\"}, \"response\": {\"data\": {\"user\": {\"arn\": \"arn:aws:iam::112233445566:user/test_user2\", \"createDate\": \"Mar 17, 2023 5:07:59 PM\", \"path\": \"/\", \"userId\": \"AIDA2W7SOKHEXAMPLE\", \"userName\": \"test_user2\"}}, \"error\": null, \"message\": null}, \"service\": {\"name\": \"iam.amazonaws.com\"}, \"version\": null}, \"category_name\": \"Identity & Access Management Category\", \"category_uid\": 3, \"class_name\": \"Account Change\", \"class_uid\": 3001, \"cloud\": {\"provider\": \"AWS\", \"region\": \"us-east-1\"}, \"http_request\": {\"user_agent\": \"AWS Internal\"}, \"metadata\": {\"log_name\": \"AwsApiCall\", \"log_provider\": \"CloudTrail\", \"product\": {\"feature\": {\"name\": \"Management\"}, \"name\": \"CloudTrail\", \"vendor_name\": \"AWS\", \"version\": \"1.08\"}, \"profiles\": [\"cloud\", \"datetime\"], \"uid\": \"7dd15a89-ae0f-4340-8e6c-example\", \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"user.name\", \"type\": \"User\", \"type_id\": 4, \"value\": \"test_user2\"}, {\"name\": \"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"52.95.4.21\"}], \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"52.95.4.21\", \"uid\": null}, \"time\": 1679072879000, \"time_dt\": \"2023-03-17T17:07:59Z\", \"type_name\": \"Account Change: Create\", \"type_uid\": 300101, \"unmapped\": {\"eventType\": \"AwsApiCall\", \"managementEvent\": true, \"readOnly\": false, \"recipientAccountId\": \"112233445566\", \"requestParameters\": {\"userName\": \"test_user2\"}, \"responseElements\": {\"user\": {\"arn\": \"arn:aws:iam::112233445566:user/test_user2\", \"createDate\": \"Mar 17, 2023 5:07:59 PM\", \"path\": \"/\", \"userId\": \"AIDA2W7SOKHEXAMPLE\", \"userName\": \"test_user2\"}}, \"sessionCredentialFromConsole\": \"true\", \"userIdentity\": {\"sessionContext\": {\"attributes\": {\"mfaAuthenticated\": \"false\"}, \"sessionIssuer\": {\"accountId\": \"112233445566\", \"principalId\": \"AROA2W7SOKHEXAMPLE\", \"type\": \"Role\"}, \"webIdFederationData\": {}}}}, \"user\": {\"name\": \"test_user2\", \"uid\": \"AROA2W7SOKHEXAMPLE:Admin-user\"}}",
    "event": {
        "action": "create",
        "category": [
            "iam"
        ],
        "kind": "event",
        "provider": "CloudTrail",
        "severity": 1,
        "type": [
            "creation",
            "info",
            "user"
        ]
    },
    "@timestamp": "2023-03-17T17:07:59Z",
    "cloud": {
        "provider": "AWS",
        "region": "us-east-1"
    },
    "ocsf": {
        "activity_id": 1,
        "activity_name": "Create",
        "class_name": "Account Change",
        "class_uid": 3001
    },
    "related": {
        "ip": [
            "52.95.4.21"
        ]
    },
    "source": {
        "address": "52.95.4.21",
        "ip": "52.95.4.21"
    },
    "user": {
        "id": "arn:aws:sts::112233445566:assumed-role/Admin/Admin-user",
        "target": {
            "id": "AROA2W7SOKHEXAMPLE:Admin-user",
            "name": "test_user2"
        }
    },
    "user_agent": {
        "device": {
            "name": "Other"
        },
        "name": "Other",
        "original": "AWS Internal",
        "os": {
            "name": "Other"
        }
    }
}
{
    "message": "{\"activity_id\": 2, \"activity_name\": \"Read\", \"actor\": {\"idp\": {\"name\": null}, \"invoked_by\": null, \"session\": {\"created_time\": 0, \"created_time_dt\": null, \"issuer\": null}, \"user\": {\"account\": {\"uid\": \"1111111111111\"}, \"credential_uid\": \"AKIA3Z2XBVEXAMPLE\", \"name\": \"Level6\", \"type\": \"IAMUser\", \"uid\": \"arn:aws:iam::1111111111111:user/Level6\", \"uid_alt\": \"AIDADO2GQEXAMPLE\"}}, \"api\": {\"operation\": \"DescribeDirectConnectGateways\", \"request\": {\"data\": null, \"uid\": \"1c8a6220-4263-4763-b526-example\"}, \"response\": {\"data\": {\"directConnectGateways\": []}, \"error\": null, \"message\": null}, \"service\": {\"name\": \"directconnect.amazonaws.com\"}, \"version\": null}, \"category_name\": \"Application Activity\", \"category_uid\": 6, \"class_name\": \"API Activity\", \"class_uid\": 6003, \"cloud\": {\"provider\": \"AWS\", \"region\": \"us-east-1\"}, \"http_request\": {\"user_agent\": \"Boto3/1.15.2 Python/3.8.2 Linux/5.6.3-arch1-1 Botocore/1.18.2\"}, \"metadata\": {\"log_name\": \"AwsApiCall\", \"log_provider\": \"CloudTrail\", \"product\": {\"feature\": {\"name\": null}, \"name\": \"CloudTrail\", \"vendor_name\": \"AWS\", \"version\": \"1.05\"}, \"profiles\": [\"cloud\", \"datetime\"], \"uid\": \"71c88be9-ea5c-43c7-8c82-example\", \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"actor.user.name\", \"type\": \"User\", \"type_id\": 4, \"value\": \"Level6\"}, {\"name\": \"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"205.8.181.128\"}], \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"205.8.181.128\"}, \"status\": null, \"status_id\": 99, \"time\": 1695334972000, \"time_dt\": \"2023-09-21T22:22:52Z\", \"type_name\": \"API Activity: Read\", \"type_uid\": 600302, \"unmapped\": {\"eventType\": \"AwsApiCall\", \"recipientAccountId\": \"1111111111111\", \"requestParameters\": null, \"responseElements\": {\"directConnectGateways\": []}, \"userIdentity\": {}}}",
    "event": {
        "action": "read",
        "category": [
            "web"
        ],
        "kind": "event",
        "provider": "CloudTrail",
        "severity": 1,
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-09-21T22:22:52Z",
    "cloud": {
        "provider": "AWS",
        "region": "us-east-1"
    },
    "ocsf": {
        "activity_id": 2,
        "activity_name": "Read",
        "class_name": "API Activity",
        "class_uid": 6003
    },
    "package": {
        "description": [],
        "name": [],
        "type": []
    },
    "related": {
        "ip": [
            "205.8.181.128"
        ],
        "user": [
            "Level6"
        ]
    },
    "source": {
        "address": "205.8.181.128",
        "ip": "205.8.181.128"
    },
    "user": {
        "id": "arn:aws:iam::1111111111111:user/Level6",
        "name": "Level6"
    },
    "user_agent": {
        "device": {
            "name": "Spider"
        },
        "name": "Boto3",
        "original": "Boto3/1.15.2 Python/3.8.2 Linux/5.6.3-arch1-1 Botocore/1.18.2",
        "os": {
            "name": "Linux",
            "version": "5.6.3"
        },
        "version": "1.15.2"
    }
}
{
    "message": "{\"activity_id\": 1, \"activity_name\": \"Create\", \"actor\": {\"session\": {\"credential_uid\": \"EXAMPLEUIDTEST\", \"issuer\": \"arn:aws:iam::123456789012:role/example-test-161366663-NodeInstanceRole-abc12345678912\", \"uid\": \"i-12345678901\"}, \"user\": {\"groups\": [{\"name\": \"system:bootstrappers\"}, {\"name\": \"system:nodes\"}, {\"name\": \"system:authenticated\"}], \"name\": \"system:node:ip-192-001-02-03.ec2.internal\", \"type_id\": 0, \"uid\": \"heptio-authenticator-aws:123456789012:ABCD1234567890EXAMPLE\"}}, \"api\": {\"operation\": \"create\", \"request\": {\"uid\": \"f47c68f2-d3ac-4f96-b2f4-5d497bf79b64\"}, \"response\": {\"code\": 201}, \"version\": \"v1\"}, \"category_name\": \"Application Activity\", \"category_uid\": 6, \"class_name\": \"API Activity\", \"class_uid\": 6003, \"cloud\": {\"account\": {\"uid\": \"arn:aws:sts::123456789012:assumed-role/example-test-161366663-NodeInstanceRole-abc12345678912/i-12345678901\"}, \"provider\": \"AWS\"}, \"http_request\": {\"url\": {\"path\": \"/api/v1/nodes\"}, \"user_agent\": \"kubelet/v1.21.2 (linux/amd64) kubernetes/729bdfc\"}, \"message\": \"ResponseComplete\", \"metadata\": {\"log_level\": \"RequestResponse\", \"product\": {\"feature\": {\"name\": \"Elastic Kubernetes Service\"}, \"name\": \"Amazon EKS\", \"vendor_name\": \"AWS\", \"version\": \"audit.k8s.io/v1\"}, \"profiles\": [\"cloud\", \"datetime\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"actor.user.name\", \"type\": \"User Name\", \"type_id\": 4, \"value\": \"system:node:ip-192-001-02-03.ec2.internal\"}, {\"name\": \"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"12.000.22.33\"}, {\"name\": \"http_request.url.path\", \"type\": \"URL String\", \"type_id\": 6, \"value\": \"/api/v1/nodes\"}], \"resources\": [{\"name\": \"ip-192-001-02-03.ec2.internal\", \"type\": \"nodes\"}], \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"12.000.22.33\"}, 
\"start_time_dt\": \"2021-09-07 20:37:30.502000\", \"time\": 1631047050642, \"time_dt\": \"2021-09-07 20:37:30.642000\", \"type_name\": \"API Activity: Create\", \"type_uid\": 600301, \"unmapped\": {\"responseObject.status.capacity.cpu\": \"4\", \"annotations.authorization.k8s.io/reason\": \"\", \"requestObject.metadata.annotations.volumes.kubernetes.io/controller-managed-attach-detach\": \"true\", \"responseObject.metadata.labels.kubernetes.io/hostname\": \"ip-192-001-02-03.ec2.internal\", \"requestObject.metadata.labels.eks.amazonaws.com/sourceLaunchTemplateVersion\": \"1\", \"responseObject.metadata.labels.alpha.eksctl.io/cluster-name\": \"ABCD1234567890EXAMPLE\", \"responseObject.metadata.labels.eks.amazonaws.com/nodegroup-image\": \"ami-0193ebf9573ebc9f7\", \"responseObject.metadata.managedFields[].time\": \"2021-09-07T20:37:30Z\", \"responseObject.status.nodeInfo.kubeletVersion\": \"v1.21.2-eks-55daa9d\", \"responseObject.status.nodeInfo.kubeProxyVersion\": \"v1.21.2-eks-55daa9d\", \"requestObject.status.capacity.hugepages-1Gi\": \"0\", \"responseObject.metadata.managedFields[].manager\": \"kubelet\", \"annotations.authorization.k8s.io/decision\": \"allow\", \"requestObject.status.nodeInfo.systemUUID\": \"ec2483c6-33b0-e271-f36c-e14e45a361b8\", \"responseObject.metadata.name\": \"ip-192-001-02-03.ec2.internal\", \"responseObject.metadata.labels.eks.amazonaws.com/sourceLaunchTemplateVersion\": \"1\", \"responseObject.apiVersion\": \"v1\", \"requestObject.metadata.labels.kubernetes.io/arch\": \"amd64\", \"requestObject.status.allocatable.hugepages-2Mi\": \"0\", \"requestObject.metadata.labels.alpha.eksctl.io/cluster-name\": \"ABCD1234567890EXAMPLE\", \"responseObject.status.allocatable.memory\": \"15076868Ki\", \"responseObject.status.conditions[].lastHeartbeatTime\": \"2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z\", \"responseObject.spec.providerID\": \"aws:///us-east-1f/i-12345678901\", \"requestObject.status.nodeInfo.architecture\": \"amd64\", \"responseObject.status.nodeInfo.kernelVersion\": \"5.4.141-67.229.amzn2.x86_64\", \"responseObject.status.allocatable.pods\": \"58\", \"requestObject.status.conditions[].status\": \"False,False,False,False\", \"requestObject.metadata.labels.failure-domain.beta.kubernetes.io/region\": \"us-east-1\", \"responseObject.metadata.labels.beta.kubernetes.io/os\": \"linux\", \"responseObject.metadata.labels.kubernetes.io/os\": \"linux\", \"requestObject.status.addresses[].address\": \"192.000.22.33,12.000.22.33,ip-192-001-02-03.ec2.internal,ip-192-001-02-03.ec2.internal,ec2-12.000.22.33.compute-1.amazonaws.com\", \"responseObject.status.capacity.hugepages-1Gi\": \"0\", \"responseObject.status.conditions[].reason\": \"KubeletHasSufficientMemory,KubeletHasNoDiskPressure,KubeletHasSufficientPID,KubeletNotReady\", \"requestObject.apiVersion\": \"v1\", \"requestObject.status.capacity.cpu\": \"4\", \"requestObject.metadata.labels.node.kubernetes.io/instance-type\": \"m5.xlarge\", \"requestObject.metadata.labels.eks.amazonaws.com/nodegroup-image\": \"ami-0193ebf9573ebc9f7\", \"responseObject.metadata.labels.node.kubernetes.io/instance-type\": \"m5.xlarge\", \"responseObject.status.allocatable.hugepages-2Mi\": \"0\", \"responseObject.status.allocatable.attachable-volumes-aws-ebs\": \"25\", \"requestObject.status.nodeInfo.containerRuntimeVersion\": \"docker://19.3.13\", \"requestObject.status.allocatable.attachable-volumes-aws-ebs\": \"25\", \"responseObject.status.conditions[].lastTransitionTime\": \"2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z\", \"responseObject.metadata.creationTimestamp\": \"2021-09-07T20:37:30Z\", \"requestObject.metadata.labels.kubernetes.io/hostname\": \"ip-192-001-02-03.ec2.internal\", \"requestObject.status.nodeInfo.bootID\": \"0d0dd4f2-8829-4b03-9f29-794f4908281b\", \"requestObject.status.nodeInfo.kubeProxyVersion\": \"v1.21.2-eks-55daa9d\", \"responseObject.kind\": \"Node\", \"requestObject.status.nodeInfo.osImage\": \"Amazon Linux 2\", \"requestObject.status.conditions[].type\": \"MemoryPressure,DiskPressure,PIDPressure,Ready\", \"requestObject.status.daemonEndpoints.kubeletEndpoint.Port\": \"10250\", \"responseObject.metadata.labels.kubernetes.io/arch\": \"amd64\", \"responseObject.metadata.labels.eks.amazonaws.com/sourceLaunchTemplateId\": \"lt-0f20d6f901007611e\", \"requestObject.status.capacity.attachable-volumes-aws-ebs\": \"25\", \"responseObject.status.conditions[].message\": \"kubelet has sufficient memory available,kubelet has no disk pressure,kubelet has sufficient PID available,[container runtime status check may not have completed yet, container runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:docker: network plugin is not ready: cni config uninitialized, CSINode is not yet initialized, missing node capacity for resources: ephemeral-storage]\", \"responseObject.status.nodeInfo.operatingSystem\": \"linux\", \"requestObject.metadata.labels.alpha.eksctl.io/nodegroup-name\": \"ng-5fe434eb\", \"responseObject.status.capacity.memory\": \"16093700Ki\", \"requestObject.metadata.labels.beta.kubernetes.io/arch\": \"amd64\", \"requestObject.metadata.labels.eks.amazonaws.com/capacityType\": \"ON_DEMAND\", \"requestObject.status.allocatable.memory\": \"15076868Ki\", \"requestObject.status.conditions[].lastHeartbeatTime\": \"2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z\", \"responseObject.status.capacity.attachable-volumes-aws-ebs\": \"25\", \"responseObject.status.nodeInfo.osImage\": \"Amazon Linux 2\", \"responseObject.metadata.labels.beta.kubernetes.io/instance-type\": \"m5.xlarge\", \"responseObject.metadata.labels.alpha.eksctl.io/nodegroup-name\": \"ng-5fe434eb\", \"requestObject.metadata.labels.beta.kubernetes.io/instance-type\": \"m5.xlarge\", \"responseObject.status.nodeInfo.architecture\": \"amd64\", \"responseObject.metadata.labels.topology.kubernetes.io/zone\": \"us-east-1f\", \"requestObject.status.capacity.hugepages-2Mi\": \"0\", \"requestObject.status.conditions[].message\": \"kubelet has sufficient memory available,kubelet has no disk pressure,kubelet has sufficient PID available,[container runtime status check may not have completed yet, container runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:docker: network plugin is not ready: cni config uninitialized, CSINode is not yet initialized, missing node capacity for resources: ephemeral-storage]\", \"responseObject.metadata.labels.failure-domain.beta.kubernetes.io/region\": \"us-east-1\", \"requestObject.metadata.labels.eks.amazonaws.com/sourceLaunchTemplateId\": \"lt-0f20d6f901007611e\", \"responseObject.spec.taints[].effect\": \"NoSchedule\", \"requestObject.metadata.labels.topology.kubernetes.io/region\": \"us-east-1\", \"requestObject.metadata.name\": \"ip-192-001-02-03.ec2.internal\", \"responseObject.status.nodeInfo.machineID\": \"ec2483c633b0e271f36ce14e45a361b8\", \"kind\": \"Event\", \"responseObject.metadata.annotations.volumes.kubernetes.io/controller-managed-attach-detach\": \"true\", \"responseObject.status.nodeInfo.bootID\": \"0d0dd4f2-8829-4b03-9f29-794f4908281b\", \"responseObject.status.conditions[].status\": \"False,False,False,False\", \"requestObject.metadata.labels.beta.kubernetes.io/os\": \"linux\", \"requestObject.status.allocatable.hugepages-1Gi\": \"0\", \"requestObject.status.addresses[].type\": \"InternalIP,ExternalIP,Hostname,InternalDNS,ExternalDNS\", \"requestObject.metadata.labels.failure-domain.beta.kubernetes.io/zone\": \"us-east-1f\", \"requestObject.status.allocatable.cpu\": \"3920m\", \"requestObject.metadata.labels.kubernetes.io/os\": \"linux\", \"requestObject.status.nodeInfo.operatingSystem\": \"linux\", \"responseObject.status.daemonEndpoints.kubeletEndpoint.Port\": \"10250\", \"responseObject.status.nodeInfo.systemUUID\": \"ec2483c6-33b0-e271-f36c-e14e45a361b8\", \"responseObject.metadata.labels.failure-domain.beta.kubernetes.io/zone\": \"us-east-1f\", \"requestObject.metadata.labels.topology.kubernetes.io/zone\": \"us-east-1f\", \"responseObject.status.nodeInfo.containerRuntimeVersion\": \"docker://19.3.13\", \"requestObject.status.nodeInfo.kernelVersion\": \"5.4.141-67.229.amzn2.x86_64\", \"requestObject.kind\": \"Node\", \"requestObject.spec.providerID\": \"aws:///us-east-1f/i-12345678901\", \"responseObject.metadata.uid\": \"4ecf628a-1b50-47ed-932c-bb1df89dad10\", \"responseObject.status.capacity.hugepages-2Mi\": \"0\", \"responseObject.metadata.managedFields[].fieldsType\": \"FieldsV1\", \"responseObject.metadata.labels.topology.kubernetes.io/region\": \"us-east-1\", \"responseObject.status.capacity.pods\": \"58\", \"requestObject.status.capacity.memory\": \"16093700Ki\", \"responseObject.metadata.managedFields[].apiVersion\": \"v1\", \"responseObject.status.allocatable.hugepages-1Gi\": \"0\", \"responseObject.metadata.resourceVersion\": \"67933403\", \"responseObject.status.addresses[].address\": \"192.000.22.33,12.000.22.33,ip-192-001-02-03.ec2.internal,ip-192-001-02-03.ec2.internal,ec2-12.000.22.33.compute-1.amazonaws.com\", \"requestObject.status.conditions[].lastTransitionTime\": \"2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z\", \"requestObject.status.nodeInfo.kubeletVersion\": \"v1.21.2-eks-55daa9d\", \"responseObject.metadata.labels.eks.amazonaws.com/nodegroup\": \"ng-5fe434eb\", \"requestObject.metadata.labels.eks.amazonaws.com/nodegroup\": \"ng-5fe434eb\", \"requestObject.status.conditions[].reason\": \"KubeletHasSufficientMemory,KubeletHasNoDiskPressure,KubeletHasSufficientPID,KubeletNotReady\", \"responseObject.metadata.labels.eks.amazonaws.com/capacityType\": \"ON_DEMAND\", \"requestObject.status.nodeInfo.machineID\": \"ec2483c633b0e271f36ce14e45a361b8\", \"responseObject.status.addresses[].type\": \"InternalIP,ExternalIP,Hostname,InternalDNS,ExternalDNS\", \"responseObject.metadata.labels.beta.kubernetes.io/arch\": \"amd64\", \"responseObject.metadata.managedFields[].operation\": \"Update\", \"responseObject.status.allocatable.cpu\": \"3920m\", \"responseObject.status.conditions[].type\": \"MemoryPressure,DiskPressure,PIDPressure,Ready\", \"responseObject.spec.taints[].key\": \"node.kubernetes.io/not-ready\", \"sourceIPs[]\": \"12.000.22.33\", \"requestObject.status.capacity.pods\": \"58\", \"requestObject.status.allocatable.pods\": \"58\"}}",
    "event": {
        "action": "create",
        "category": [
            "web"
        ],
        "kind": "event",
        "reason": "ResponseComplete",
        "severity": 1,
        "start": "2021-09-07T20:37:30.502000Z",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2021-09-07T20:37:30.642000Z",
    "cloud": {
        "account": {
            "id": "arn:aws:sts::123456789012:assumed-role/example-test-161366663-NodeInstanceRole-abc12345678912/i-12345678901"
        },
        "provider": "AWS"
    },
    "ocsf": {
        "activity_id": 1,
        "activity_name": "Create",
        "class_name": "API Activity",
        "class_uid": 6003,
        "user": {
            "groups": [
                {
                    "name": "system:bootstrappers"
                },
                {
                    "name": "system:nodes"
                },
                {
                    "name": "system:authenticated"
                }
            ]
        }
    },
    "package": {
        "description": [],
        "name": [],
        "type": []
    },
    "related": {
        "user": [
            "system:node:ip-192-001-02-03.ec2.internal"
        ]
    },
    "url": {
        "path": "/api/v1/nodes"
    },
    "user": {
        "id": "heptio-authenticator-aws:123456789012:ABCD1234567890EXAMPLE",
        "name": "system:node:ip-192-001-02-03.ec2.internal"
    },
    "user_agent": {
        "device": {
            "name": "Other"
        },
        "name": "Other",
        "original": "kubelet/v1.21.2 (linux/amd64) kubernetes/729bdfc",
        "os": {
            "name": "Linux"
        }
    }
}
{
    "message": "{\"activity_id\": 1, \"activity_name\": \"Logon\", \"actor\": {\"idp\": {\"name\": null}, \"invoked_by\": null, \"session\": {\"issuer\": null}, \"user\": {\"account\": {\"uid\": \"111122223333\"}, \"credential_uid\": null, \"name\": \"anaya\", \"type\": \"IAMUser\", \"uid\": \"arn:aws:iam::111122223333:user/anaya\", \"uid_alt\": \"AIDACKCEVSQ6C2EXAMPLE\"}}, \"api\": {\"operation\": \"ConsoleLogin\", \"request\": {\"data\": null, \"uid\": \"\"}, \"response\": {\"data\": {\"ConsoleLogin\": \"Success\"}, \"error\": null, \"message\": null}, \"service\": {\"name\": \"signin.amazonaws.com\"}, \"version\": null}, \"category_name\": \"Identity & Access Management Category\", \"category_uid\": 3, \"class_name\": \"Authentication\", \"class_uid\": 3002, \"cloud\": {\"provider\": \"AWS\", \"region\": \"us-east-1\"}, \"dst_endpoint\": {\"svc_name\": \"https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true\"}, \"http_request\": {\"user_agent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36\"}, \"is_mfa\": true, \"metadata\": {\"event_code\": \"AwsConsoleSignIn\", \"log_provider\": \"CloudTrail\", \"product\": {\"feature\": {\"name\": \"Management\"}, \"name\": \"CloudTrail\", \"vendor_name\": \"AWS\", \"version\": \"1.08\"}, \"profiles\": [\"cloud\", \"datetime\"], \"uid\": \"fed06f42-cb12-4764-8c69-example\", \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"192.0.2.0\"}], \"session\": {\"expiration_time\": null}, \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"192.0.2.0\"}, \"status\": \"Success\", \"status_id\": 1, \"time\": 1699633474000, \"time_dt\": \"2023-11-10T16:24:34Z\", \"type_name\": \"Authentication: Logon\", \"type_uid\": 300201, \"unmapped\": {\"additionalEventData\": {\"LoginTo\": \"https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true\", \"MFAIdentifier\": \"arn:aws:iam::111122223333:u2f/user/anaya/default-AAAAAAAABBBBBBBBCCCCCCCCDD\", \"MobileVersion\": \"No\"}, \"eventType\": \"AwsConsoleSignIn\", \"recipientAccountId\": \"111122223333\", \"requestParameters\": null, \"responseElements\": {}, \"userIdentity\": {}}, \"user\": {\"uid\": \"arn:aws:iam::111122223333:user/anaya\", \"uid_alt\": \"AIDACKCEVSQ6C2EXAMPLE\"}}",
    "event": {
        "action": "logon",
        "category": [
            "authentication"
        ],
        "code": "AwsConsoleSignIn",
        "kind": "event",
        "outcome": "success",
        "provider": "CloudTrail",
        "severity": 1,
        "type": [
            "info",
            "start"
        ]
    },
    "@timestamp": "2023-11-10T16:24:34Z",
    "cloud": {
        "provider": "AWS",
        "region": "us-east-1"
    },
    "network": {
        "application": "https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true"
    },
    "ocsf": {
        "activity_id": 1,
        "activity_name": "Logon",
        "class_name": "Authentication",
        "class_uid": 3002
    },
    "related": {
        "ip": [
            "192.0.2.0"
        ],
        "user": [
            "anaya"
        ]
    },
    "source": {
        "address": "192.0.2.0",
        "ip": "192.0.2.0"
    },
    "user": {
        "id": "arn:aws:iam::111122223333:user/anaya",
        "name": "anaya",
        "target": {
            "id": "arn:aws:iam::111122223333:user/anaya"
        }
    },
    "user_agent": {
        "device": {
            "name": "Mac"
        },
        "name": "Chrome",
        "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",
        "os": {
            "name": "Mac OS X",
            "version": "10.11.6"
        },
        "version": "67.0.3396"
    }
}
{
    "message": "{\"activity_id\": 1, \"activity_name\": \"Logon\", \"actor\": {\"process\": {\"file\": {\"name\": \"services.exe\", \"parent_folder\": \"C:\\\\Windows\\\\System32\", \"path\": \"C:\\\\Windows\\\\System32\\\\services.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 848}, \"session\": {\"uid\": \"0x3E7\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"ATTACKRANGE\", \"name\": \"WIN-DC-725$\", \"uid\": \"NT AUTHORITY\\\\SYSTEM\"}}, \"auth_protocol\": \"Other\", \"auth_protocol_id\": 99, \"category_name\": \"Audit Activity\", \"category_uid\": 3, \"class_name\": \"Authentication\", \"class_uid\": 3002, \"device\": {\"hostname\": \"win-dc-725.attackrange.local\", \"os\": {\"name\": \"Windows\", \"type\": \"Windows\", \"type_id\": 100}, \"type\": \"Unknown\", \"type_id\": 0}, \"dst_endpoint\": {\"hostname\": \"win-dc-725.attackrange.local\"}, \"logon_process\": {\"name\": \"Advapi  \", \"pid\": -1}, \"logon_type\": \"OS Service\", \"logon_type_id\": 5, \"message\": \"An account was successfully logged on.\", \"metadata\": {\"original_time\": \"03/12/2021 10:48:14 AM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"ce139867-ced1-4742-9bb0-ad1926b8bbe1\", \"version\": \"1.0.0-rc.2\"}, \"session\": {\"uid\": \"0x3E7\", \"uuid\": \"{00000000-0000-0000-0000-000000000000}\"}, \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"-\", \"name\": \"-\", \"port\": 0}, \"status\": \"Success\", \"status_id\": 1, \"time\": 1615564094000, \"type_name\": \"Authentication: Logon\", \"type_uid\": 300201, \"unmapped\": {\"Detailed Authentication Information\": {\"Key Length\": \"0\", \"Package Name (NTLM only)\": \"-\", \"Transited Services\": \"-\"}, \"EventCode\": \"4624\", \"EventType\": \"0\", \"Impersonation Level\": \"Impersonation\", \"Logon Information\": {\"Elevated Token\": \"Yes\", \"Restricted Admin Mode\": \"-\", \"Virtual Account\": \"No\"}, \"New Logon\": {\"Linked Logon ID\": \"0x0\", \"Network Account Domain\": \"-\", \"Network Account Name\": \"-\"}, \"OpCode\": \"Info\", \"RecordNumber\": \"257879\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Logon\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"NT AUTHORITY\", \"name\": \"SYSTEM\", \"uid\": \"NT AUTHORITY\\\\SYSTEM\"}}",
    "event": {
        "action": "logon",
        "category": [
            "authentication"
        ],
        "kind": "event",
        "outcome": "success",
        "reason": "An account was successfully logged on.",
        "severity": 1,
        "type": [
            "info",
            "start"
        ]
    },
    "@timestamp": "2021-03-12T15:48:14Z",
    "destination": {
        "address": "win-dc-725.attackrange.local",
        "domain": "win-dc-725.attackrange.local",
        "subdomain": "win-dc-725.attackrange"
    },
    "file": {
        "directory": "C:\\Windows\\System32",
        "name": "services.exe",
        "path": "C:\\Windows\\System32\\services.exe",
        "type": "Regular File"
    },
    "host": {
        "hostname": "win-dc-725.attackrange.local",
        "name": "win-dc-725.attackrange.local",
        "os": {
            "name": "Windows",
            "type": "Windows"
        },
        "type": "Unknown"
    },
    "ocsf": {
        "activity_id": 1,
        "activity_name": "Logon",
        "class_name": "Authentication",
        "class_uid": 3002
    },
    "process": {
        "pid": 848
    },
    "related": {
        "hosts": [
            "win-dc-725.attackrange.local"
        ],
        "user": [
            "WIN-DC-725$"
        ]
    },
    "source": {
        "port": 0
    },
    "user": {
        "domain": "ATTACKRANGE",
        "id": "NT AUTHORITY\\SYSTEM",
        "name": "WIN-DC-725$",
        "target": {
            "domain": "NT AUTHORITY",
            "id": "NT AUTHORITY\\SYSTEM",
            "name": "SYSTEM"
        }
    }
}
{
    "message": "{\"activity_id\": 1, \"activity_name\": \"Logon\", \"actor\": {\"process\": {\"file\": {\"name\": \"-\", \"path\": \"-\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 0}, \"session\": {\"uid\": \"0x0\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"-\", \"name\": \"-\", \"uid\": \"NULL SID\"}}, \"auth_protocol\": \"NTLM\", \"auth_protocol_id\": 1, \"category_name\": \"Audit Activity\", \"category_uid\": 3, \"class_name\": \"Authentication\", \"class_uid\": 3002, \"device\": {\"hostname\": \"EC2AMAZ-6KJ2BPP\", \"os\": {\"name\": \"Windows\", \"type\": \"Windows\", \"type_id\": 100}, \"type\": \"Unknown\", \"type_id\": 0}, \"dst_endpoint\": {\"hostname\": \"EC2AMAZ-6KJ2BPP\"}, \"logon_process\": {\"name\": \"NtLmSsp \", \"pid\": -1}, \"logon_type\": \"Network\", \"logon_type_id\": 3, \"message\": \"An account failed to log on.\", \"metadata\": {\"original_time\": \"10/08/2020 12:41:47 PM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"a738d6e6-4ebd-49bb-805e-45d0604a1bef\", \"version\": \"1.0.0-rc.2\"}, \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"-\", \"name\": \"EC2AMAZ-6KJ2BPP\", \"port\": 0}, \"status\": \"0xC000006D\", \"status_detail\": \"Unknown user name or bad password.\", \"status_id\": 2, \"time\": 1602175307000, \"type_name\": \"Authentication: Logon\", \"type_uid\": 300201, \"unmapped\": {\"Detailed Authentication Information\": {\"Key Length\": \"0\", \"Package Name (NTLM only)\": \"-\", \"Transited Services\": \"-\"}, \"EventCode\": \"4625\", \"EventType\": \"0\", \"Failure Information\": {\"Sub Status\": \"0xC000006A\"}, \"OpCode\": \"Info\", \"RecordNumber\": \"223742\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Logon\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"EC2AMAZ-6KJ2BPP\", \"name\": \"Administrator\", \"uid\": \"NULL SID\"}}",
    "event": {
        "action": "logon",
        "category": [
            "authentication"
        ],
        "kind": "event",
        "outcome": "failure",
        "reason": "An account failed to log on.",
        "severity": 1,
        "type": [
            "info",
            "start"
        ]
    },
    "@timestamp": "2020-10-08T16:41:47Z",
    "destination": {
        "address": "EC2AMAZ-6KJ2BPP",
        "domain": "EC2AMAZ-6KJ2BPP"
    },
    "file": {
        "type": "Regular File"
    },
    "host": {
        "hostname": "EC2AMAZ-6KJ2BPP",
        "name": "EC2AMAZ-6KJ2BPP",
        "os": {
            "name": "Windows",
            "type": "Windows"
        },
        "type": "Unknown"
    },
    "ocsf": {
        "activity_id": 1,
        "activity_name": "Logon",
        "class_name": "Authentication",
        "class_uid": 3002
    },
    "process": {
        "pid": 0
    },
    "related": {
        "hosts": [
            "EC2AMAZ-6KJ2BPP"
        ]
    },
    "source": {
        "port": 0
    },
    "user": {
        "id": "NULL SID",
        "target": {
            "domain": "EC2AMAZ-6KJ2BPP",
            "id": "NULL SID",
            "name": "Administrator"
        }
    }
}
{
    "message": "{\"activity_id\": 2, \"activity_name\": \"Update\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Compliance Finding\", \"class_uid\": 2003, \"cloud\": {\"account\": {\"uid\": \"111111111111\"}, \"provider\": \"AWS\", \"region\": \"us-east-2\"}, \"compliance\": {\"control\": \"Config.1\", \"requirements\": [\"PCI DSS 10.5.2\", \"PCI DSS 11.5\"], \"standards\": [\"standards/pci-dss/v/3.2.1\"], \"status\": \"FAILED\"}, \"finding_info\": {\"created_time_dt\": \"2023-01-13T15:08:44.967-05:00\", \"desc\": \"This AWS control checks whether AWS Config is enabled in current account and region.\", \"first_seen_time_dt\": \"2023-01-13T15:08:44.967-05:00\", \"last_seen_time_dt\": \"2023-07-21T14:12:05.693-04:00\", \"modified_time_dt\": \"2023-07-21T14:11:53.060-04:00\", \"title\": \"PCI.Config.1 AWS Config should be enabled\", \"types\": [\"Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS\"], \"uid\": \"arn:aws:securityhub:us-east-2:111111111111:subscription/pci-dss/v/3.2.1/PCI.Config.1/finding/7d619054-6f0d-456b-aa75-23b20f74fae6\"}, \"metadata\": {\"log_version\": \"2018-10-08\", \"processed_time_dt\": \"2023-07-21T14:12:08.489-04:00\", \"product\": {\"feature\": {\"uid\": \"pci-dss/v/3.2.1/PCI.Config.1\"}, \"name\": \"Security Hub\", \"uid\": \"arn:aws:securityhub:us-east-2::product/aws/securityhub\", \"vendor_name\": \"AWS\"}, \"profiles\": [\"cloud\", \"datetime\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"resource.uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"AWS::::Account:111111111111\"}], \"remediation\": {\"desc\": \"For information on how to correct this issue, consult the AWS Security Hub controls documentation.\", \"references\": [\"https://docs.aws.amazon.com/console/securityhub/Config.1/remediation\"]}, \"resource\": {\"cloud_partition\": \"aws\", \"region\": \"us-east-2\", \"type\": \"AwsAccount\", \"uid\": \"AWS::::Account:111111111111\"}, \"severity\": \"Medium\", \"severity_id\": 3, \"status\": \"New\", \"time\": 1689963113060, \"time_dt\": \"2023-07-21T14:11:53.060-04:00\", \"type_name\": \"Compliance Finding: Update\", \"type_uid\": 200302, \"unmapped\": {\"FindingProviderFields.Severity.Label\": \"MEDIUM\", \"FindingProviderFields.Severity.Original\": \"MEDIUM\", \"FindingProviderFields.Types[]\": \"Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS\", \"ProductFields.ControlId\": \"PCI.Config.1\", \"ProductFields.RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/Config.1/remediation\", \"ProductFields.Resources:0/Id\": \"arn:aws:iam::111111111111:root\", \"ProductFields.StandardsArn\": \"arn:aws:securityhub:::standards/pci-dss/v/3.2.1\", \"ProductFields.StandardsControlArn\": \"arn:aws:securityhub:us-east-2:111111111111:control/pci-dss/v/3.2.1/PCI.Config.1\", \"ProductFields.StandardsSubscriptionArn\": \"arn:aws:securityhub:us-east-2:111111111111:subscription/pci-dss/v/3.2.1\", \"ProductFields.aws/securityhub/CompanyName\": \"AWS\", \"ProductFields.aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-2::product/aws/securityhub/arn:aws:securityhub:us-east-2:111111111111:subscription/pci-dss/v/3.2.1/PCI.Config.1/finding/7d619054-6f0d-456b-aa75-23b20f74fae6\", \"ProductFields.aws/securityhub/ProductName\": \"Security Hub\", \"RecordState\": \"ACTIVE\", \"Severity.Normalized\": \"40\", \"Severity.Original\": \"MEDIUM\", \"Severity.Product\": \"40\", \"WorkflowState\": \"NEW\"}}",
    "event": {
        "action": "update",
        "category": [
            "vulnerability"
        ],
        "severity": 3,
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-07-21T18:11:53.060000Z",
    "cloud": {
        "account": {
            "id": "111111111111"
        },
        "provider": "AWS",
        "region": "us-east-2"
    },
    "ocsf": {
        "activity_id": 2,
        "activity_name": "Update",
        "class_name": "Compliance Finding",
        "class_uid": 2003
    }
}
{
    "message": "{\"activity_id\": 1, \"activity_name\": \"Create\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Detection Finding\", \"class_uid\": 2004, \"cloud\": {\"account\": {\"uid\": \"111111111111\"}, \"provider\": \"AWS\", \"region\": \"us-east-2\"}, \"evidences\": [{\"api\": {\"operation\": \"DeleteTrail\", \"service\": {\"name\": \"cloudtrail.amazonaws.com\"}}, \"data\": \"\", \"src_endpoint\": {\"ip\": \"52.94.133.131\", \"location\": {\"city\": \"\", \"coordinates\": [-100.821999, 37.751], \"country\": \"United States\"}}}], \"finding_info\": {\"created_time_dt\": \"2023-09-19T11:05:22.487-04:00\", \"desc\": \"AWS CloudTrail trail arn:aws:cloudtrail:us-east-2:111111111111:trail/delete-me was disabled by Admin calling DeleteTrail under unusual circumstances. This can be attackers attempt to cover their tracks by eliminating any trace of activity performed while they accessed your account.\", \"first_seen_time_dt\": \"2023-09-19T10:55:09.000-04:00\", \"last_seen_time_dt\": \"2023-09-19T10:55:09.000-04:00\", \"modified_time_dt\": \"2023-09-19T11:05:22.487-04:00\", \"src_url\": \"https://us-east-2.console.aws.amazon.com/guardduty/home?region=us-east-2#/findings?macros=current&fId=a6c556fcbc9bea427a19f8b787099a0b\", \"title\": \"AWS CloudTrail trail arn:aws:cloudtrail:us-east-2:111111111111:trail/delete-me was disabled.\", \"types\": [\"TTPs/Defense Evasion/Stealth:IAMUser-CloudTrailLoggingDisabled\"], \"uid\": \"arn:aws:guardduty:us-east-2:111111111111:detector/1ac1bfceda6679698215d5d0EXAMPLE/finding/a6c556fcbc9bea427a19f8b787099a0b\"}, \"metadata\": {\"extensions\": [{\"name\": \"linux\", \"uid\": \"1\", \"version\": \"1.1.0\"}], \"log_version\": \"2018-10-08\", \"product\": {\"feature\": {\"uid\": \"arn:aws:guardduty:us-east-2:111111111111:detector/1ac1bfceda6679698215d5d0EXAMPLE\"}, \"name\": \"GuardDuty\", \"uid\": \"arn:aws:securityhub:us-east-2::product/aws/guardduty\", \"vendor_name\": \"Amazon\"}, \"profiles\": [\"cloud\", \"datetime\", \"linux\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"evidences[].src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"52.94.133.131\"}, {\"name\": \"resources[].uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"AWS::IAM::AccessKey:ASIATMJPC7EXAMPLE\"}], \"resources\": [{\"cloud_partition\": \"aws\", \"data\": \"{\\\"AwsIamAccessKey\\\":{\\\"PrincipalId\\\":\\\"AROATMJPC7YEXAMPLE:example\\\",\\\"PrincipalName\\\":\\\"Admin\\\",\\\"PrincipalType\\\":\\\"AssumedRole\\\"}}\", \"region\": \"us-east-2\", \"type\": \"AwsIamAccessKey\", \"uid\": \"AWS::IAM::AccessKey:ASIATMJPC7EXAMPLE\"}], \"severity\": \"Low\", \"severity_id\": 2, \"status\": \"New\", \"time\": 1695135922487, \"time_dt\": \"2023-09-19T11:05:22.487-04:00\", \"type_name\": \"Detection Finding: Create\", \"type_uid\": 200401, \"unmapped\": {\"FindingProviderFields.Severity.Label\": \"LOW\", \"FindingProviderFields.Types[]\": \"TTPs/Defense Evasion/Stealth:IAMUser-CloudTrailLoggingDisabled\", \"ProductFields.aws/guardduty/service/action/actionType\": \"AWS_API_CALL\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/affectedResources/AWS::CloudTrail::Trail\": \"arn:aws:cloudtrail:us-east-2:111111111111:trail/delete-me\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/callerType\": \"Remote IP\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asn\": \"16509\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asnOrg\": \"AMAZON-02\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/isp\": \"Amazon Office\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/org\": \"Amazon Office\", \"ProductFields.aws/guardduty/service/additionalInfo/type\": \"default\", \"ProductFields.aws/guardduty/service/archived\": \"false\", \"ProductFields.aws/guardduty/service/count\": \"1\", \"ProductFields.aws/guardduty/service/detectorId\": \"1ac1bfceda6679698215d5d0EXAMPLE\", \"ProductFields.aws/guardduty/service/eventFirstSeen\": \"2023-09-19T14:55:09.000Z\", \"ProductFields.aws/guardduty/service/eventLastSeen\": \"2023-09-19T14:55:09.000Z\", \"ProductFields.aws/guardduty/service/resourceRole\": \"TARGET\", \"ProductFields.aws/guardduty/service/serviceName\": \"guardduty\", \"ProductFields.aws/securityhub/CompanyName\": \"Amazon\", \"ProductFields.aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-2::product/aws/guardduty/arn:aws:guardduty:us-east-2:111111111111:detector/1ac1bfceda6679698215d5d0EXAMPLE/finding/a6c556fcbc9bea427a19f8b787099a0b\", \"ProductFields.aws/securityhub/ProductName\": \"GuardDuty\", \"RecordState\": \"ACTIVE\", \"Sample\": \"false\", \"Severity.Normalized\": \"40\", \"Severity.Product\": \"2\", \"WorkflowState\": \"NEW\"}}",
    "event": {
        "action": "create",
        "category": [
            "vulnerability"
        ],
        "severity": 2,
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-09-19T15:05:22.487000Z",
    "cloud": {
        "account": {
            "id": "111111111111"
        },
        "provider": "AWS",
        "region": "us-east-2"
    },
    "ocsf": {
        "activity_id": 1,
        "activity_name": "Create",
        "class_name": "Detection Finding",
        "class_uid": 2004
    }
}
{
    "message": "{\"metadata\":{\"log_version\":\"2018-10-08\",\"product\":{\"feature\":{\"uid\":\"arn:aws:guardduty:eu-west-3:11111111111:detector/effff3292fef47a8b2941836e434e833\",\"name\":null},\"uid\":\"arn:aws:securityhub:eu-west-3::product/aws/guardduty\",\"name\":\"GuardDuty\",\"vendor_name\":\"Amazon\",\"version\":null},\"processed_time_dt\":1726062303537,\"profiles\":[\"cloud\",\"datetime\",\"linux\"],\"version\":\"1.1.0\",\"extensions\":[{\"name\":\"linux\",\"uid\":\"1\",\"version\":\"1.1.0\"}]},\"time\":1726062281022,\"time_dt\":1726062281022,\"confidence_score\":null,\"message\":null,\"cloud\":{\"account\":{\"uid\":\"11111111111\"},\"region\":\"eu-west-3\",\"provider\":\"AWS\"},\"resource\":null,\"finding_info\":{\"created_time_dt\":1681218428211,\"uid\":\"arn:aws:guardduty:eu-west-3:11111111111:detector/effff3292fef47a8b2941836e434e833/finding/9711517f14c54eb79ad3e3b0cee89e3c\",\"desc\":\"The API DescribeStackEvents was invoked using root credentials from IP address 62.129.18.152.\",\"title\":\"The API DescribeStackEvents was invoked using root credentials.\",\"modified_time_dt\":1726062281022,\"first_seen_time_dt\":1681218080000,\"last_seen_time_dt\":1726061921000,\"related_events\":null,\"types\":[\"TTPs/Policy:IAMUser-RootCredentialUsage\"],\"src_url\":\"https://eu-west-3.console.aws.amazon.com/guardduty/home?region=eu-west-3#/findings?macros=current&fId=9711517f14c54eb79ad3e3b0cee89e3c\"},\"remediation\":null,\"compliance\":null,\"vulnerabilities\":null,\"resources\":[{\"type\":\"AwsIamAccessKey\",\"uid\":\"AWS::IAM::AccessKey:********************\",\"cloud_partition\":\"aws\",\"region\":\"eu-west-3\",\"labels\":null,\"data\":\"{\\\"AwsIamAccessKey\\\":{\\\"PrincipalId\\\":\\\"11111111111\\\",\\\"PrincipalName\\\":\\\"Root\\\",\\\"PrincipalType\\\":\\\"Root\\\"}}\",\"criticality\":null,\"owner\":null}],\"evidences\":[{\"data\":\"\",\"actor\":null,\"process\":null,\"api\":{\"operation\":\"DescribeStackEvents\",\"response\":null,\"service\":{\"name\":\"cloudformation.amazonaws.com\"}},\"src_endpoint\":{\"ip\":\"1.2.3.4\",\"location\":{\"country\":\"France\",\"city\":\"Rennes\",\"coordinates\":[-1.6744,48.110001]},\"port\":null},\"connection_info\":null,\"dst_endpoint\":null,\"query\":null}],\"class_name\":\"Detection Finding\",\"class_uid\":2004,\"category_name\":\"Findings\",\"category_uid\":2,\"severity_id\":2,\"severity\":\"Low\",\"activity_name\":\"Update\",\"activity_id\":2,\"type_uid\":200402,\"type_name\":\"Detection Finding: Update\",\"status\":\"New\",\"accountid\":null,\"region\":null,\"asl_version\":null,\"observables\":[{\"name\":\"resources[].uid\",\"value\":\"AWS::IAM::AccessKey:********************\",\"type\":\"Resource UID\",\"type_id\":10},{\"name\":\"evidences[].src_endpoint.ip\",\"value\":\"1.2.3.4\",\"type\":\"IP Address\",\"type_id\":2}]}\n",
    "event": {
        "action": "update",
        "category": [
            "vulnerability"
        ],
        "severity": 2,
        "type": [
            "info"
        ]
    },
    "@timestamp": "2024-09-11T13:44:41.022000Z",
    "cloud": {
        "account": {
            "id": "11111111111"
        },
        "provider": "AWS",
        "region": "eu-west-3"
    },
    "ocsf": {
        "activity_id": 2,
        "activity_name": "Update",
        "class_name": "Detection Finding",
        "class_uid": 2004
    }
}
{
    "message": "{\"action\": \"Allowed\", \"action_id\": 1, \"activity_id\": 6, \"activity_name\": \"Traffic\", \"answers\": [{\"class\": \"IN\", \"rdata\": \"127.0.0.62\", \"type\": \"A\"}], \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"DNS Activity\", \"class_uid\": 4003, \"cloud\": {\"account\": {\"uid\": \"123456789012\"}, \"provider\": \"AWS\", \"region\": \"us-east-1\"}, \"connection_info\": {\"direction\": \"Unknown\", \"direction_id\": 0, \"protocol_name\": \"UDP\"}, \"disposition\": \"Alert\", \"dst_endpoint\": {\"instance_uid\": \"rslvr-in-0000000000000000\", \"interface_uid\": \"rni-0000000000000000\"}, \"firewall_rule\": {\"uid\": \"rslvr-frg-000000000000000\"}, \"metadata\": {\"product\": {\"feature\": {\"name\": \"Resolver Query Logs\"}, \"name\": \"Route 53\", \"vendor_name\": \"AWS\", \"version\": \"1.100000\"}, \"profiles\": [\"cloud\", \"security_control\", \"datetime\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"answers[].rdata\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"127.0.0.62\"}, {\"name\": \"dst_endpoint.instance_uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"rslvr-in-0000000000000000\"}, {\"name\": \"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"10.200.21.100\"}, {\"name\": \"query.hostname\", \"type\": \"Hostname\", \"type_id\": 1, \"value\": \"ip-127-0-0-62.alert.firewall.canary.\"}], \"query\": {\"class\": \"IN\", \"hostname\": \"ip-127-0-0-62.alert.firewall.canary.\", \"type\": \"A\"}, \"rcode\": \"NoError\", \"rcode_id\": 0, \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"10.200.21.100\", \"port\": 15083, \"vpc_uid\": \"vpc-00000000000000000\"}, \"time\": 1665694956000, \"time_dt\": \"2022-10-13T17:02:36.000-04:00\", \"type_name\": \"DNS Activity: Traffic\", \"type_uid\": 400306, \"unmapped\": {\"firewall_domain_list_id\": \"rslvr-fdl-0000000000000\"}}",
    "event": {
        "action": "traffic",
        "category": [
            "network"
        ],
        "kind": "event",
        "severity": 1,
        "type": [
            "info",
            "protocol"
        ]
    },
    "@timestamp": "2022-10-13T21:02:36Z",
    "cloud": {
        "account": {
            "id": "123456789012"
        },
        "provider": "AWS",
        "region": "us-east-1"
    },
    "dns": {
        "answers": [
            {
                "class": "IN",
                "data": "127.0.0.62",
                "type": "A"
            }
        ],
        "question": {
            "class": [
                "IN"
            ],
            "name": "ip-127-0-0-62.alert.firewall.canary.",
            "subdomain": "ip-127-0-0-62.alert.firewall",
            "type": [
                "A"
            ]
        },
        "response_code": "NoError"
    },
    "network": {
        "direction": [
            "unknown"
        ]
    },
    "ocsf": {
        "activity_id": 6,
        "activity_name": "Traffic",
        "class_name": "DNS Activity",
        "class_uid": 4003
    },
    "related": {
        "hosts": [
            "ip-127-0-0-62.alert.firewall.canary."
        ],
        "ip": [
            "10.200.21.100"
        ]
    },
    "source": {
        "address": "10.200.21.100",
        "ip": "10.200.21.100",
        "port": 15083
    }
}
{
    "message": "{\"metadata\":{\"product\":{\"version\":\"1.100000\",\"name\":\"Route 53\",\"feature\":{\"name\":\"Resolver Query Logs\"},\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"security_control\",\"datetime\"],\"version\":\"1.1.0\"},\"cloud\":{\"account\":{\"uid\":\"111111111111\"},\"region\":\"eu-west-3\",\"provider\":\"AWS\"},\"src_endpoint\":{\"vpc_uid\":\"vpc-11111111\",\"ip\":\"1.2.3.4\",\"port\":63115,\"instance_uid\":\"i-11111111111111111\"},\"time\":1726088328000,\"time_dt\":1726088328000,\"query\":{\"hostname\":\"_ldap._tcp.dc.example.org.\",\"type\":\"SRV\",\"class\":\"IN\"},\"answers\":null,\"connection_info\":{\"protocol_name\":\"UDP\",\"direction\":\"Unknown\",\"direction_id\":0},\"dst_endpoint\":null,\"firewall_rule\":null,\"severity_id\":1,\"severity\":\"Informational\",\"class_name\":\"DNS Activity\",\"class_uid\":4003,\"category_name\":\"Network Activity\",\"category_uid\":4,\"activity_id\":6,\"activity_name\":\"Traffic\",\"type_uid\":400306,\"type_name\":\"DNS Activity: Traffic\",\"rcode_id\":3,\"rcode\":\"NXDomain\",\"disposition\":\"Unknown\",\"action\":\"Unknown\",\"action_id\":0,\"unmapped\":null,\"accountid\":null,\"region\":null,\"asl_version\":null,\"observables\":[{\"name\":\"src_endpoint.instance_uid\",\"value\":\"i-11111111111111111\",\"type\":\"Resource UID\",\"type_id\":10},{\"name\":\"query.hostname\",\"value\":\"_ldap._tcp.dc.example.org.\",\"type\":\"Hostname\",\"type_id\":1},{\"name\":\"src_endpoint.ip\",\"value\":\"1.2.3.4\",\"type\":\"IP Address\",\"type_id\":2}]}\n",
    "event": {
        "action": "traffic",
        "category": [
            "network"
        ],
        "kind": "event",
        "severity": 1,
        "type": [
            "info",
            "protocol"
        ]
    },
    "@timestamp": "2024-09-11T20:58:48Z",
    "cloud": {
        "account": {
            "id": "111111111111"
        },
        "provider": "AWS",
        "region": "eu-west-3"
    },
    "dns": {
        "question": {
            "class": [
                "IN"
            ],
            "name": "_ldap._tcp.dc.example.org.",
            "registered_domain": "example.org",
            "subdomain": "_ldap._tcp.dc",
            "top_level_domain": "org",
            "type": [
                "SRV"
            ]
        },
        "response_code": "NXDomain"
    },
    "network": {
        "direction": [
            "unknown"
        ]
    },
    "ocsf": {
        "activity_id": 6,
        "activity_name": "Traffic",
        "class_name": "DNS Activity",
        "class_uid": 4003
    },
    "related": {
        "hosts": [
            "_ldap._tcp.dc.example.org."
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4",
        "port": 63115
    }
}
{
    "message": "{\"metadata\":{\"product\":{\"version\":\"1.100000\",\"name\":\"Route 53\",\"feature\":{\"name\":\"Resolver Query Logs\"},\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"security_control\",\"datetime\"],\"version\":\"1.1.0\"},\"cloud\":{\"account\":{\"uid\":\"111111111111\"},\"region\":\"eu-west-3\",\"provider\":\"AWS\"},\"src_endpoint\":{\"vpc_uid\":\"vpc-11111111\",\"ip\":\"1.2.3.4\",\"port\":62699,\"instance_uid\":\"i-11111111111111111\"},\"time\":1726395887000,\"time_dt\":1726395887000,\"query\":{\"hostname\":\"settings-win.data.microsoft.com.\",\"type\":\"A\",\"class\":\"IN\"},\"answers\":[{\"type\":\"CNAME\",\"rdata\":\"atm-settingsfe-prod-geo2.trafficmanager.net.\",\"class\":\"IN\"},{\"type\":\"CNAME\",\"rdata\":\"settings-prod-weu-2.westeurope.cloudapp.azure.com.\",\"class\":\"IN\"},{\"type\":\"A\",\"rdata\":\"5.6.7.8\",\"class\":\"IN\"}],\"connection_info\":{\"protocol_name\":\"UDP\",\"direction\":\"Unknown\",\"direction_id\":0},\"dst_endpoint\":null,\"firewall_rule\":null,\"severity_id\":1,\"severity\":\"Informational\",\"class_name\":\"DNS Activity\",\"class_uid\":4003,\"category_name\":\"Network Activity\",\"category_uid\":4,\"activity_id\":6,\"activity_name\":\"Traffic\",\"type_uid\":400306,\"type_name\":\"DNS Activity: Traffic\",\"rcode_id\":0,\"rcode\":\"NoError\",\"disposition\":\"Unknown\",\"action\":\"Unknown\",\"action_id\":0,\"unmapped\":null,\"accountid\":null,\"region\":null,\"asl_version\":null,\"observables\":[{\"name\":\"answers[].rdata\",\"value\":\"settings-prod-weu-2.westeurope.cloudapp.azure.com.\",\"type\":\"IP Address\",\"type_id\":2},{\"name\":\"src_endpoint.instance_uid\",\"value\":\"i-11111111111111111\",\"type\":\"Resource UID\",\"type_id\":10},{\"name\":\"answers[].rdata\",\"value\":\"5.6.7.8\",\"type\":\"IP Address\",\"type_id\":2},{\"name\":\"src_endpoint.ip\",\"value\":\"1.2.3.4\",\"type\":\"IP Address\",\"type_id\":2},{\"name\":\"answers[].rdata\",\"value\":\"atm-settingsfe-prod-geo2.trafficmanager.net.\",\"type\":\"IP Address\",\"type_id\":2},{\"name\":\"query.hostname\",\"value\":\"settings-win.data.microsoft.com.\",\"type\":\"Hostname\",\"type_id\":1}]}\n",
    "event": {
        "action": "traffic",
        "category": [
            "network"
        ],
        "kind": "event",
        "severity": 1,
        "type": [
            "info",
            "protocol"
        ]
    },
    "@timestamp": "2024-09-15T10:24:47Z",
    "cloud": {
        "account": {
            "id": "111111111111"
        },
        "provider": "AWS",
        "region": "eu-west-3"
    },
    "dns": {
        "answers": [
            {
                "class": "IN",
                "data": "atm-settingsfe-prod-geo2.trafficmanager.net.",
                "type": "CNAME"
            },
            {
                "class": "IN",
                "data": "settings-prod-weu-2.westeurope.cloudapp.azure.com.",
                "type": "CNAME"
            },
            {
                "class": "IN",
                "data": "5.6.7.8",
                "type": "A"
            }
        ],
        "question": {
            "class": [
                "IN"
            ],
            "name": "settings-win.data.microsoft.com.",
            "registered_domain": "microsoft.com",
            "subdomain": "settings-win.data",
            "top_level_domain": "com",
            "type": [
                "A"
            ]
        },
        "response_code": "NoError"
    },
    "network": {
        "direction": [
            "unknown"
        ]
    },
    "ocsf": {
        "activity_id": 6,
        "activity_name": "Traffic",
        "class_name": "DNS Activity",
        "class_uid": 4003
    },
    "related": {
        "hosts": [
            "settings-win.data.microsoft.com."
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4",
        "port": 62699
    }
}
{
    "message": "{\"activity_id\": 3, \"activity_name\": \"Get\", \"category_name\": \"Network Activitys\", \"category_uid\": 4, \"class_name\": \"HTTP Activity\", \"class_uid\": 4002, \"cloud\": {\"provider\": \"AWS\"}, \"dst_endpoint\": {\"domain\": \"/CanaryTest\"}, \"firewall_rule\": {\"type\": \"RATE_BASED\", \"uid\": \"RateBasedRule\"}, \"http_request\": {\"args\": \"\", \"http_method\": \"GET\", \"uid\": \"Ed0AiHF_CGYF-DA=\", \"url\": {\"path\": \"/CanaryTest\"}, \"version\": \"HTTP/1.1\"}, \"http_response\": {\"code\": 403}, \"metadata\": {\"labels\": null, \"product\": {\"feature\": {\"uid\": \"...\"}, \"name\": \"AWS WAF\", \"vendor_name\": \"AWS\", \"version\": \"1\"}, \"version\": \"1.1.0-dev\"}, \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"52.46.82.45\", \"location\": {\"country\": \"FR\"}, \"svc_name\": \"APIGW\", \"uid\": \"EXAMPLE11:rjvegx5guh:CanaryTest\"}, \"time\": 0, \"type_name\": \"HTTP Activity: Get\", \"type_uid\": 400203, \"unmapped\": [[\"rateBasedRuleList[].rateBasedRuleId\", \"...\"], [\"rateBasedRuleList[].customValues[].value\", \"ella\"], [\"rateBasedRuleList[].customValues[].name\", \"dogname\"], [\"rateBasedRuleList[].limitKey\", \"CUSTOMKEYS\"], [\"rateBasedRuleList[].customValues[].key\", \"HEADER\"], [\"httpRequest.headers[].value\", \"52.46.82.45,https,443,rjvegx5guh.execute-api.eu-west-3.amazonaws.com,Root=1-645566cf-7cb058b04d9bb3ee01dc4036,ella,RateBasedRuleTestKoipOneKeyModulePV2,gzip,deflate\"], [\"rateBasedRuleList[].rateBasedRuleName\", \"RateBasedRule\"], [\"rateBasedRuleList[].maxRateAllowed\", \"100\"], [\"httpRequest.headers[].name\", \"X-Forwarded-For,X-Forwarded-Proto,X-Forwarded-Port,Host,X-Amzn-Trace-Id,dogname,User-Agent,Accept-Encoding\"]]}",
    "event": {
        "action": "get",
        "category": [
            "api"
        ],
        "kind": "event",
        "severity": 1,
        "type": [
            "info"
        ]
    },
    "cloud": {
        "provider": "AWS"
    },
    "destination": {
        "address": "/CanaryTest",
        "domain": "/CanaryTest"
    },
    "http": {
        "request": {
            "id": "Ed0AiHF_CGYF-DA=",
            "method": "GET"
        },
        "version": "HTTP/1.1"
    },
    "network": {
        "application": "APIGW"
    },
    "ocsf": {
        "activity_id": 3,
        "activity_name": "Get",
        "class_name": "HTTP Activity",
        "class_uid": 4002
    },
    "related": {
        "hosts": [
            "/CanaryTest"
        ],
        "ip": [
            "52.46.82.45"
        ]
    },
    "source": {
        "address": "52.46.82.45",
        "geo": {
            "country_iso_code": "FR"
        },
        "ip": "52.46.82.45"
    },
    "url": {
        "path": "/CanaryTest"
    }
}
{
    "message": "{\"cloud\": {\"account_uid\": \"987654321098\", \"region\": \"us-west-2\", \"zone\": \"use2-az2\", \"provider\": \"AWS\"}, \"action\": \"Allowed\", \"action_id\": 1, \"status_code\": \"OK\", \"traffic\": {\"bytes\": 85, \"packets\": 10}, \"src_endpoint\": {\"ip\": \"192.168.1.10\", \"port\": 8080, \"svc_name\": \"amazon-s3\", \"subnet_uid\": \"subnet-33333333333333333\", \"vpc_uid\": \"vpc-44444444444444444\"}, \"dst_endpoint\": {\"ip\": \"192.168.1.20\", \"port\": 443, \"svc_name\": \"amazon-ec2\", \"interface_uid\": \"eni-22222222222222222\", \"instance_uid\": \"i-111111111111111111\"}, \"connection_info\": {\"protocol_num\": 17, \"protocol_ver\": \"IPv6\", \"tcp_flags\": 6, \"direction\": \"egress\", \"direction_id\": 2, \"boundary_id\": 99, \"boundary\": \"vpn\", \"start_time\": 1653200123, \"end_time\": 1653200100}, \"time\": 1653200100, \"type_name\": \"Network Activity: Traffic\", \"type_uid\": 400105, \"activity_id\": 5, \"activity_name\": \"Traffic\", \"class_uid\": 4001, \"class_name\": \"Network Activity\", \"category_uid\": 4, \"category_name\": \"Network Activity\", \"metadata\": {\"product\": {\"name\": \"Amazon VPC\", \"feature\": {\"name\": \"Flowlogs\"}, \"vendor_name\": \"AWS\"}, \"profiles\": [\"cloud\", \"security_control\"], \"version\": \"1.1.0\"}, \"severity_id\": 1, \"severity\": \"Informational\", \"status_id\": 1, \"status\": \"Success\", \"disposition\": \"Allowed\", \"pkt_src_aws_service\": \"amazon-s3\", \"pkt_dst_aws_service\": \"amazon-ec2\", \"sublocation_type\": \"subnet\", \"sublocation_id\": \"subnet-33333333333333333\"}",
    "event": {
        "action": "traffic",
        "category": [
            "network"
        ],
        "kind": "event",
        "outcome": "success",
        "severity": 1,
        "type": [
            "info"
        ]
    },
    "@timestamp": "2022-05-22T06:15:00Z",
    "cloud": {
        "availability_zone": "use2-az2",
        "provider": "AWS",
        "region": "us-west-2"
    },
    "destination": {
        "address": "192.168.1.20",
        "ip": "192.168.1.20",
        "port": 443
    },
    "network": {
        "application": "amazon-ec2",
        "bytes": 85,
        "iana_number": "17",
        "packets": 10
    },
    "ocsf": {
        "activity_id": 5,
        "activity_name": "Traffic",
        "class_name": "Network Activity",
        "class_uid": 4001
    },
    "related": {
        "ip": [
            "192.168.1.10",
            "192.168.1.20"
        ]
    },
    "source": {
        "address": "192.168.1.10",
        "ip": "192.168.1.10",
        "port": 8080
    }
}
{
    "message": "{\"action\": \"Denied\", \"action_id\": 2, \"activity_id\": 5, \"activity_name\": \"Refuse\", \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"Network Activity\", \"class_uid\": 4001, \"cloud\": {\"account\": {\"uid\": \"123456789012\"}, \"provider\": \"AWS\", \"region\": \"us-east-1\", \"zone\": \"use1-az1\"}, \"connection_info\": {\"boundary\": \"-\", \"boundary_id\": 99, \"direction\": \"Inbound\", \"direction_id\": 1, \"protocol_num\": 6, \"protocol_ver\": \"IPv4\", \"tcp_flags\": 2}, \"disposition\": \"Blocked\", \"dst_endpoint\": {\"instance_uid\": \"i-000000000000000000\", \"interface_uid\": \"eni-000000000000000000\", \"ip\": \"172.31.2.52\", \"port\": 39938, \"subnet_uid\": \"subnet-000000000000000000\", \"svc_name\": \"-\", \"vpc_uid\": \"vpc-00000000\"}, \"end_time_dt\": \"2022-04-11T20:03:08.000-04:00\", \"metadata\": {\"product\": {\"feature\": {\"name\": \"Flowlogs\"}, \"name\": \"Amazon VPC\", \"vendor_name\": \"AWS\", \"version\": \"5\"}, \"profiles\": [\"cloud\", \"security_control\", \"datetime\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"dst_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"172.31.2.52\"}, {\"name\": \"dst_endpoint.instance_uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"i-000000000000000000\"}, {\"name\": \"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"1.2.3.4\"}], \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"1.2.3.4\", \"port\": 56858, \"svc_name\": \"-\"}, \"start_time_dt\": \"2022-04-11T20:02:12.000-04:00\", \"status_code\": \"OK\", \"time\": 1649721732000, \"time_dt\": \"2022-04-11T20:02:12.000-04:00\", \"traffic\": {\"bytes\": 40, \"packets\": 1}, \"type_name\": \"Network Activity: Refuse\", \"type_uid\": 400105, \"unmapped\": {\"sublocation_id\": \"-\", \"sublocation_type\": \"-\"}}",
    "event": {
        "action": "refuse",
        "category": [
            "network"
        ],
        "end": "2022-04-12T00:03:08Z",
        "kind": "event",
        "severity": 1,
        "start": "2022-04-12T00:02:12Z",
        "type": [
            "denied",
            "info"
        ]
    },
    "@timestamp": "2022-04-12T00:02:12Z",
    "cloud": {
        "account": {
            "id": "123456789012"
        },
        "availability_zone": "use1-az1",
        "provider": "AWS",
        "region": "us-east-1"
    },
    "destination": {
        "address": "172.31.2.52",
        "ip": "172.31.2.52",
        "port": 39938
    },
    "network": {
        "bytes": 40,
        "direction": [
            "inbound"
        ],
        "iana_number": "6",
        "packets": 1
    },
    "ocsf": {
        "activity_id": 5,
        "activity_name": "Refuse",
        "class_name": "Network Activity",
        "class_uid": 4001
    },
    "related": {
        "ip": [
            "1.2.3.4",
            "172.31.2.52"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4",
        "port": 56858
    }
}
{
    "message": "{\"activity_name\": \"Traffic\", \"activity_id\": 6, \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"Network Activity\", \"class_uid\": 4001, \"type_uid\": 400106, \"type_name\": \"Network Activity: Traffic\", \"severity_id\": 1, \"severity\": \"Informational\", \"start_time\": \"2015/06/17T00:00:00.083\", \"end_time\": \"2015/06/17T00:00:00.089\", \"duration\": 0.006, \"metadata\": {\"product\": {\"version\": \"3.9.0\", \"name\": \"SiLK\", \"feature\": {\"name\": \" Network Flow Data\"}, \"vendor_name\": \"CERT/NetSA at Carnegie Mellon University - Software Engineering Institute\"}, \"version\": \"1.0.0-rc.3\"}, \"src_endpoint\": {\"port\": 63975, \"ip\": \"192.168.40.20\"}, \"dst_endpoint\": {\"port\": 443, \"ip\": \"10.0.40.21\"}, \"connection_info\": {\"protocol_num\": 6, \"tcp_flags\": 19, \"boundary_id\": 99, \"boundary\": \"Other\", \"direction_id\": 2, \"direction\": \"Outbound\"}, \"traffic\": {\"packets\": 8, \"bytes\": 344}, \"unmapped\": {\"sensor\": \"S1\", \"in\": 0, \"out\": 0, \"nhIP\": \"0.0.0.0\", \"initialFlags\": \"\", \"sessionFlags\": \"\", \"attributes\": \"\", \"application\": 0, \"class\": \"all\", \"type\": \"outweb\", \"iType\": \"\", \"iCode\": \"\"}}",
    "event": {
        "action": "traffic",
        "category": [
            "network"
        ],
        "duration": 6000.0,
        "end": "2015-06-17T00:00:00.089000Z",
        "kind": "event",
        "severity": 1,
        "start": "2015-06-17T00:00:00.083000Z",
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "10.0.40.21",
        "ip": "10.0.40.21",
        "port": 443
    },
    "network": {
        "bytes": 344,
        "direction": [
            "outbound"
        ],
        "iana_number": "6",
        "packets": 8
    },
    "ocsf": {
        "activity_id": 6,
        "activity_name": "Traffic",
        "class_name": "Network Activity",
        "class_uid": 4001
    },
    "related": {
        "ip": [
            "10.0.40.21",
            "192.168.40.20"
        ]
    },
    "source": {
        "address": "192.168.40.20",
        "ip": "192.168.40.20",
        "port": 63975
    }
}
{
    "message": "{\"time\": 1591367999.305988, \"uuid\": \"CMdzit1AMNsmfAIiQc\", \"src_endpoint\": {\"ip\": \"192.168.4.76\", \"port\": 36844}, \"dst_endpoint\": {\"ip\": \"192.168.4.1\", \"port\": 53}, \"connection_info\": {\"protocol_name\": \"udp\"}, \"bytes_in\": 62, \"packets_in\": 2, \"orig_bytes\": {\"ip\": 118}, \"bytes_out\": 141, \"packets_out\": 2, \"resp_bytes\": {\"ip\": 197}, \"duration\": 0.06685185432434082, \"unmapped\": {\"conn_state\": \"SF\"}, \"category_uid\": 4, \"category_name\": \"Network Activity\", \"class_uid\": 4001, \"class_name\": \"Network Activity\", \"metadata\": {\"profiles\": [\"security_control\"], \"product\": {\"name\": \"Zeek\", \"feature\": {\"name\": \"conn.log\"}, \"vendor_name\": \"Zeek\"}}, \"severity\": \"Informational\", \"severity_id\": 1, \"proposed_new_attributes\": {\"application_protocol\": \"dns\", \"bytes_missed\": 0, \"connection_history\": \"Dd\"}}",
    "event": {
        "category": [
            "network"
        ],
        "duration": 66851.85432434082,
        "kind": "event",
        "severity": 1,
        "type": [
            "info"
        ]
    },
    "@timestamp": "2020-06-05T14:39:59.305988Z",
    "destination": {
        "address": "192.168.4.1",
        "ip": "192.168.4.1",
        "port": 53
    },
    "ocsf": {
        "class_name": "Network Activity",
        "class_uid": 4001
    },
    "related": {
        "ip": [
            "192.168.4.1",
            "192.168.4.76"
        ]
    },
    "source": {
        "address": "192.168.4.76",
        "ip": "192.168.4.76",
        "port": 36844
    }
}
{
    "message": "{\"time\": 1598377391.921726, \"uuid\": \"CsukF91Bx9mrqdEaH9\", \"src_endpoint\": {\"ip\": \"192.168.4.49\", \"port\": 56718}, \"dst_endpoint\": {\"ip\": \"13.32.202.10\", \"port\": 443}, \"version\": \"TLSv12\", \"cipher\": \"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\", \"certificate\": \"secp256r1\", \"domain\": \"www.taosecurity.com\", \"certificate_chain\": [\"F2XEvj1CahhdhtfvT4\", \"FZ7ygD3ERPfEVVohG9\", \"F7vklpOKI4yX9wmvh\", \"FAnbnR32nIIr2j9XV\"], \"subject\": \"CN=www.taosecurity.com\", \"issuer\": \"CN=Amazon,OU=Server CA 1B,O=Amazon,C=US\", \"unmapped\": {\"next_protocol\": \"h2\", \"resumed\": false}, \"network_activity\": {\"status_id\": \"1\"}, \"category_uid\": 4, \"category_name\": \"Network Activity\", \"class_uid\": 4001, \"class_name\": \"Network Activity\", \"metadata\": {\"profiles\": [\"security_control\"], \"product\": {\"name\": \"Zeek\", \"feature\": {\"name\": \"ssl.log\"}, \"vendor_name\": \"Zeek\"}}, \"severity\": \"Informational\", \"severity_id\": 1}",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "severity": 1,
        "type": [
            "info"
        ]
    },
    "@timestamp": "2020-08-25T17:43:11.921726Z",
    "destination": {
        "address": "13.32.202.10",
        "ip": "13.32.202.10",
        "port": 443
    },
    "ocsf": {
        "class_name": "Network Activity",
        "class_uid": 4001
    },
    "related": {
        "ip": [
            "13.32.202.10",
            "192.168.4.49"
        ]
    },
    "source": {
        "address": "192.168.4.49",
        "ip": "192.168.4.49",
        "port": 56718
    },
    "tls": {
        "server": {
            "certificate_chain": [
                "F2XEvj1CahhdhtfvT4",
                "F7vklpOKI4yX9wmvh",
                "FAnbnR32nIIr2j9XV",
                "FZ7ygD3ERPfEVVohG9"
            ]
        }
    }
}
{
    "message": "{\"activity_id\": 1, \"activity_name\": \"Launch\", \"actor\": {\"process\": {\"file\": {\"name\": \"cmd.exe\", \"parent_folder\": \"C:\\\\Windows\\\\System32\", \"path\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 3948}, \"session\": {\"uid\": \"0x55E621\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"ATTACKRANGE\", \"name\": \"Administrator\", \"uid\": \"ATTACKRANGE\\\\Administrator\"}}, \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Process Activity\", \"class_uid\": 1007, \"device\": {\"hostname\": \"win-dc-725.attackrange.local\", \"os\": {\"name\": \"Windows\", \"type\": \"Windows\", \"type_id\": 100}, \"type\": \"Unknown\", \"type_id\": 0}, \"message\": \"A new process has been created.\", \"metadata\": {\"original_time\": \"03/12/2021 10:48:14 AM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"a47bd2fb-4da1-4378-8961-81f81f90aec2\", \"version\": \"1.0.0-rc.2\"}, \"process\": {\"cmd_line\": \"reg  save HKLM\\\\system C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\system \", \"file\": {\"name\": \"reg.exe\", \"parent_folder\": \"C:\\\\Windows\\\\System32\", \"path\": \"C:\\\\Windows\\\\System32\\\\reg.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 4696, \"session\": {\"uid\": \"0x0\"}, \"user\": {\"domain\": \"-\", \"name\": \"-\", \"uid\": \"NULL SID\"}}, \"severity\": \"Informational\", \"severity_id\": 1, \"status\": \"Success\", \"status_id\": 1, \"time\": 1615564094000, \"type_name\": \"Process Activity: Launch\", \"type_uid\": 100701, \"unmapped\": {\"EventCode\": \"4688\", \"EventType\": \"0\", \"OpCode\": \"Info\", \"Process Information\": {\"Mandatory Label\": \"Mandatory Label\\\\High Mandatory Level\", \"Token Elevation Type\": \"%%1936\"}, \"RecordNumber\": \"257874\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Process Creation\"}}",
    "event": {
        "action": "launch",
        "category": [
            "process"
        ],
        "kind": "event",
        "outcome": "success",
        "reason": "A new process has been created.",
        "severity": 1,
        "type": [
            "info",
            "start"
        ]
    },
    "@timestamp": "2021-03-12T15:48:14Z",
    "file": {
        "directory": "C:\\Windows\\System32",
        "name": "reg.exe",
        "path": "C:\\Windows\\System32\\reg.exe",
        "type": "Regular File"
    },
    "host": {
        "hostname": "win-dc-725.attackrange.local",
        "name": "win-dc-725.attackrange.local",
        "os": {
            "name": "Windows",
            "type": "Windows"
        },
        "type": "Unknown"
    },
    "ocsf": {
        "activity_id": 1,
        "activity_name": "Launch",
        "class_name": "Process Activity",
        "class_uid": 1007
    },
    "process": {
        "command_line": "reg  save HKLM\\system C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\system ",
        "pid": 4696,
        "user": {
            "id": [
                "NULL SID"
            ]
        }
    },
    "related": {
        "hosts": [
            "win-dc-725.attackrange.local"
        ],
        "user": [
            "Administrator"
        ]
    },
    "user": {
        "domain": "ATTACKRANGE",
        "id": "ATTACKRANGE\\Administrator",
        "name": "Administrator"
    }
}
{
    "message": "{\"activity_id\": 2, \"activity_name\": \"Terminate\", \"actor\": {\"process\": {\"file\": {\"name\": \"auditon.exe\", \"parent_folder\": \"C:\\\\Generate_Security_Events1\", \"path\": \"C:\\\\Generate_Security_Events1\\\\auditon.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 1524}, \"session\": {\"uid\": \"0x1806d9\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"LOGISTICS\", \"name\": \"Administrator\", \"uid\": \"S-1-5-21-1135140816-2109348461-2107143693-500\"}}, \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Process Activity\", \"class_uid\": 1007, \"device\": {\"hostname\": \"dcc1.Logistics.local\", \"os\": {\"name\": \"Windows\", \"type\": \"Windows\", \"type_id\": 100}, \"type\": \"Unknown\", \"type_id\": 0}, \"exit_code\": 0, \"message\": \"A process has exited.\", \"metadata\": {\"original_time\": \"09/05/2019 11:22:49 AM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"cc27b41c-94e0-48a9-8cc2-5a1598fb8d1f\", \"version\": \"1.0.0-rc.2\"}, \"process\": {\"file\": {\"name\": \"auditon.exe\", \"parent_folder\": \"C:\\\\Generate_Security_Events1\", \"path\": \"C:\\\\Generate_Security_Events1\\\\auditon.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 1524}, \"severity\": \"Informational\", \"severity_id\": 1, \"status\": \"Success\", \"status_id\": 1, \"time\": 1567696969000, \"type_name\": \"Process Activity: Terminate\", \"type_uid\": 100702, \"unmapped\": {\"EventCode\": \"4689\", \"EventType\": \"0\", \"OpCode\": \"Info\", \"RecordNumber\": \"6828379\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Process Termination\"}}",
    "event": {
        "action": "terminate",
        "category": [
            "process"
        ],
        "kind": "event",
        "outcome": "success",
        "reason": "A process has exited.",
        "severity": 1,
        "type": [
            "end",
            "info"
        ]
    },
    "@timestamp": "2019-09-05T15:22:49Z",
    "file": {
        "directory": "C:\\Generate_Security_Events1",
        "name": "auditon.exe",
        "path": "C:\\Generate_Security_Events1\\auditon.exe",
        "type": "Regular File"
    },
    "host": {
        "hostname": "dcc1.Logistics.local",
        "name": "dcc1.Logistics.local",
        "os": {
            "name": "Windows",
            "type": "Windows"
        },
        "type": "Unknown"
    },
    "ocsf": {
        "activity_id": 2,
        "activity_name": "Terminate",
        "class_name": "Process Activity",
        "class_uid": 1007
    },
    "process": {
        "exit_code": 0,
        "pid": 1524
    },
    "related": {
        "hosts": [
            "dcc1.Logistics.local"
        ],
        "user": [
            "Administrator"
        ]
    },
    "user": {
        "domain": "LOGISTICS",
        "id": "S-1-5-21-1135140816-2109348461-2107143693-500",
        "name": "Administrator"
    }
}
{
    "message": "{\"activity_id\": 1, \"activity_name\": \"Generate\", \"category_name\": \"Findings\", \"category_uid\": 2, \"classname\": \"Security Finding\", \"class_uid\": 2001, \"finding\": {\"created_time\": 1672758699558, \"desc\": \"Linux Kernel Module injection using insmod detected (user=%user.name user_loginuid=%user.loginuid parent_process=%proc.pname module=%proc.args %container.info image=%container.image.repository:%container.image.tag)\", \"title\": \"Linux Kernel Module Injection Detected\", \"types\": [\"syscalls\"], \"uid\": \"ec834826-90c1-458a-8eec-a014e7266754\"}, \"message\": \"Linux Kernel Module Injection Detected\", \"metadata\": {\"version\": \"0.1.0\", \"product\": {\"vendor_name\": \"Falcosecurity\", \"name\": \"Falco\"}, \"labels\": [\"process\"]}, \"observables\": [{\"name\": \"hostname\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"host0.local\"}, {\"name\": \"proc.pname\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"proc.pname\"}, {\"name\": \"container.info\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"container.info\"}, {\"name\": \"proc.args\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"proc.args\"}, {\"name\": \"user.loginuid\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"user.loginuid\"}, {\"name\": \"user.name\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"user.name\"}, {\"name\": \"container.image.repository\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"container.image.repository\"}, {\"name\": \"container.image.tag\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"container.image.tag\"}], \"raw_data\": \"{\\\"uuid\\\":\\\"ec834826-90c1-458a-8eec-a014e7266754\\\",\\\"output\\\":\\\"Linux Kernel Module injection using insmod detected (user=%user.name user_loginuid=%user.loginuid parent_process=%proc.pname module=%proc.args %container.info image=%container.image.repository:%container.image.tag)\\\",\\\"priority\\\":\\\"Warning\\\",\\\"rule\\\":\\\"Linux Kernel Module Injection Detected\\\",\\\"time\\\":\\\"2023-01-03T15:11:39.558068644Z\\\",\\\"output_fields\\\":{\\\"akey\\\":\\\"AValue\\\",\\\"bkey\\\":\\\"BValue\\\",\\\"ckey\\\":\\\"CValue\\\",\\\"container.image.repository\\\":\\\"container.image.repository\\\",\\\"container.image.tag\\\":\\\"container.image.tag\\\",\\\"container.info\\\":\\\"container.info\\\",\\\"dkey\\\":\\\"bar\\\",\\\"proc.args\\\":\\\"proc.args\\\",\\\"proc.pname\\\":\\\"proc.pname\\\",\\\"user.loginuid\\\":\\\"user.loginuid\\\",\\\"user.name\\\":\\\"user.name\\\"},\\\"source\\\":\\\"syscalls\\\",\\\"tags\\\":[\\\"process\\\"],\\\"hostname\\\":\\\"host0.local\\\"}\", \"severity\": \"Medium\", \"severity_id\": 3, \"state\": \"New\", \"state_id\": 1, \"status\": \"Warning\", \"time\": 1672758699558, \"type_name\": \"Security Finding: Generate\", \"type_uid\": 200101}",
    "event": {
        "action": "generate",
        "category": [],
        "kind": "alert",
        "reason": "Linux Kernel Module Injection Detected",
        "severity": 3,
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-01-03T15:11:39.558000Z",
    "ocsf": {
        "activity_id": 1,
        "activity_name": "Generate",
        "class_uid": 2001
    }
}
{
    "message": "{\"analytic\": {\"desc\": \"Custom Rule Engine\", \"name\": \"CRE\", \"relatedAnalytics\": [{\"category\": \"CRE_RULE\", \"name\": \"Network DoS Attack Detected\", \"type\": \"Rule\", \"typeId\": 1, \"uid\": \"100079\"}], \"type\": \"Rule\", \"typeId\": 1}, \"finding\": {\"uid\": \"591\", \"title\": \"BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt\\n\", \"created_time\": 1682347463218, \"desc\": \"BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt\\n\", \"first_seen_time\": 1682347463000, \"last_seen_time\": 1682781010000}, \"confidence_score\": 2, \"confidence\": \"Low\", \"confidence_id\": 2, \"data_sources\": [\"Snort @ wolverine\"], \"impact_score\": 0, \"impact\": \"Low\", \"impact_id\": 1, \"malware\": [{\"classification_ids\": [5], \"classifications\": [\"DDOS\"], \"name\": \"ICMP DoS\"}], \"risk_level\": \"High\", \"risk_level_id\": 3, \"risk_score\": 3, \"state\": \"In Progress\", \"state_id\": 2, \"activity_id\": 1, \"category_uid\": 2, \"class_uid\": 2001, \"time\": 1682347463218, \"message\": \"BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt\\n\", \"metadata\": {\"log_name\": \"Offense\", \"log_provider\": \"IBM QRadar\", \"original_time\": 1682347463218, \"product\": {\"lang\": \"en\", \"name\": \"QRadar SIEM\", \"version\": \"7.5.0\", \"vendor_name\": \"IBM\"}, \"version\": \"7.5.0\", \"modified_time\": 1682347469220}, \"activity_name\": \"Create\", \"category_name\": \"Findings\", \"class_name\": \"Security Finding\", \"count\": 2, \"end_time\": 1682781010000, \"enrichments\": [{\"name\": \"Magnitude\", \"provider\": \"Event Processor\", \"type\": \"score\", \"value\": \"3\"}, {\"name\": \"offense_type\", \"provider\": \"Event Processor\", \"type\": \"correlation\", \"value\": \"2\"}, {\"name\": \"offense_source\", \"provider\": \"Event Processor\", \"type\": \"correlation\", \"value\": \"BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt\"}, {\"name\": \"category_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"1\"}, {\"name\": \"device_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"1\"}, {\"name\": \"event_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"2\"}, {\"name\": \"flow_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"0\"}, {\"name\": \"policy_category_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"0\"}, {\"name\": \"remote_destination_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"0\"}, {\"name\": \"local_destination_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"2\"}, {\"name\": \"security_category_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"1\"}, {\"name\": \"source_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"1\"}, {\"name\": \"user_name_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"0\"}, {\"name\": \"domain_id\", \"provider\": \"Event Processor\", \"type\": \"correlation\", \"value\": \"0\"}, {\"name\": \"source_network\", \"provider\": \"Event Processor\", \"type\": \"network\", \"value\": \"Net-99-99-99.Net_99_0_0_0\"}, {\"name\": \"destination_network\", \"provider\": \"Event Processor\", \"type\": \"network\", \"value\": \"Net-88-88-88.Net_88_88_0_0\"}, {\"name\": \"destination_network\", \"provider\": \"Event Processor\", \"type\": \"network\", \"value\": \"Net-77-77-77.Net_77_0_0_0\"}], \"observables\": [{\"name\": \"log_source_id\", \"type\": \"Other\", \"type_id\": 99, \"value\": \"112\"}, {\"name\": \"log_source_name\", \"type\": \"Other\", \"type_id\": 99, \"value\": \"Snort @ wolverine\"}, {\"name\": \"log_source_type_id\", \"type\": \"Other\", \"type_id\": 99, \"value\": \"2\"}, {\"name\": \"log_source_type_name\", \"type\": \"Other\", \"type_id\": 99, \"value\": \"Snort\"}, {\"name\": \"assigned_to\", \"type\": \"User\", \"type_id\": 21, \"value\": \"SomeUser\"}, {\"name\": \"low_level_category\", \"type\": \"Other\", \"type_id\": 99, \"value\": \"ICMP DoS\"}, {\"name\": \"source_address\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"99.99.99.99\"}, {\"name\": \"local_destination_address\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"88.88.88.88\"}, {\"name\": \"local_destination_address\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"77.77.77.77\"}], \"status_code\": \"OPEN\"}",
    "event": {
        "action": "create",
        "category": [
            "malware"
        ],
        "end": "2023-04-29T15:10:10Z",
        "kind": "alert",
        "provider": "IBM QRadar",
        "reason": "BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt\n",
        "risk_score": 3,
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-04-24T14:44:23.218000Z",
    "ocsf": {
        "activity_id": 1,
        "activity_name": "Create",
        "class_name": "Security Finding",
        "class_uid": 2001
    },
    "vulnerability": {
        "category": [
            "DDOS"
        ]
    }
}
{
    "message": "{\"activity_id\": 1, \"malware\": [{\"classification_ids\": [-1], \"classifications\": [\"Potentially vulnerable application\"], \"name\": \"pva.torrent.openinternet\", \"provider\": \"SecurityScorecard\", \"uid\": \"pva.torrent.openinternet_9d153be3-a48e-4498-b476-18c2a847d214\"}], \"activity_name\": \"Generate\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Security Finding\", \"class_uid\": 2001, \"confidence\": 100, \"data\": \"{\\\"body_bytes_sent\\\":\\\"-\\\",\\\"enc_host\\\":\\\"open-internet.nl\\\",\\\"enc_raw_header\\\":\\\"-\\\",\\\"enc_request\\\":\\\"SOCKET_UDP%20%2F\\\",\\\"enc_request_body\\\":\\\"AAAEFycQGYAAAAAAiWPgag==\\\",\\\"family\\\":\\\"pva.torrent.openinternet\\\",\\\"field_1\\\":\\\"2022-06-27T01:37:06.385325  version_5\\\",\\\"remote_addr\\\":\\\"1.183.190.110\\\",\\\"remote_port\\\":\\\"2048\\\",\\\"remote_user\\\":\\\"-\\\", \\\"status\\\":\\\"200\\\",\\\"time_local\\\":\\\"2022-06-27T01:36:21.515207\\\"}\", \"message\": \"Potentially vulnerable application infection detected on IP address 1.183.190.110 by Malware DNS sinkhole on communication domain for sinkholed domain open-internet.nl\", \"severity\": \"Informational \", \"severity_id\": 1, \"status\": \"Not applicable, static security finding from global threat intelligence monitoring\", \"status_id\": -1, \"state\": \"New\", \"state_id\": 1, \"time\": 1668535199945, \"timezone_offset\": 0, \"type_name\": \"Security Finding: Generate\", \"type_uid\": 200101, \"metadata\": {\"logged_time\": 1668535199945, \"original_time\": \"2022-11-15T17:59:59.945Z\", \"labels\": [\"infected_device\"], \"product\": {\"lang\": \"en\", \"name\": \"SecurityScorecard Attack Surface Intelligence\", \"uid\": \"ssc_asi\", \"feature\": {\"uid\": \"ssc_malware_dns_sinkhole\", \"name\": \"SecurityScorecard Malware DNS Sinkhole collection system\"}, \"vendor_name\": \"SecurityScorecard\"}, \"version\": \"1.0.0\", \"profiles\": [\"malware\", \"reputation\"]}, \"resources\": [{\"group_name\": \"infected_device\", \"name\": \"IPv4 address 1.183.190.110 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs\", \"owner\": \"chinatelecom.cn\", \"uid\": \"1.183.190.110\"}], \"observables\": [{\"name\": \"infected_device.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"1.183.190.110\"}, {\"name\": \"infection.category\", \"type\": \"Category of infection on infected device\", \"type_id\": -1, \"value\": \"Potentially vulnerable application\"}, {\"name\": \"infected_device.malware_hostname\", \"type\": \"Hostname\", \"type_id\": 1, \"value\": \"open-internet.nl\"}, {\"name\": \"infection.family\", \"type\": \"Malware, adware, or PUA/PVA family name\", \"type_id\": -1, \"value\": \"pva.torrent.openinternet\"}, {\"name\": \"infected_device.source_port\", \"type\": \"Client-side port making connection to the infection communication domain\", \"type_id\": -1, \"value\": \"2048\"}, {\"name\": \"infected_device.geo_location\", \"type\": \"Geo Location\", \"type_id\": 26, \"value\": \"Bieligutai, China\"}], \"finding\": {\"title\": \"Infection found on 1.183.190.110\", \"uid\": \"2b7908d7-4b72-4f65-afa0-09bdaea46ae3\", \"types\": [\"malware_infection\", \"infected_device\", \"pva.torrent.openinternet\"], \"src_url\": \"https://platform.securityscorecard.io/#/asi/details/1.183.190.110\", \"remediation\": {\"desc\": \"If this IP address is tied to your network via any observables attached to this event, take immediate steps to find the related device on your network and remove the infection seen from external threat intelligence\", \"kb_articles\": [\"https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K\", \"https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings\"]}, \"product_uid\": \"ssc_malware_dns_sinkhole\", \"last_seen_time\": 1668535199945, \"desc\": \"Potentially vulnerable application infection detected on IP address 1.183.190.110 communicating with Command-and-Control domain open-internet.nl\"}}",
    "event": {
        "action": "generate",
        "category": [
            "malware"
        ],
        "kind": "alert",
        "reason": "Infection found on 1.183.190.110",
        "reference": "https://platform.securityscorecard.io/#/asi/details/1.183.190.110",
        "severity": 1,
        "type": [
            "info"
        ]
    },
    "@timestamp": "2022-11-15T17:59:59.945000Z",
    "ocsf": {
        "activity_id": 1,
        "activity_name": "Generate",
        "class_name": "Security Finding",
        "class_uid": 2001
    },
    "vulnerability": {
        "category": [
            "Potentially vulnerable application"
        ]
    }
}
{
    "message": "{\"activity_id\": 1, \"malware\": [{\"classification_ids\": [-1], \"classifications\": [\"Potentially vulnerable application\"], \"name\": \"pva.torrent.openinternet\", \"provider\": \"SecurityScorecard\", \"uid\": \"pva.torrent.openinternet_e1472f25-0d2d-4b88-aac9-b7bd439218f5\"}], \"activity_name\": \"Generate\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Security Finding\", \"class_uid\": 2001, \"confidence\": 100, \"data\": \"{\\\"body_bytes_sent\\\":\\\"-\\\",\\\"enc_host\\\":\\\"open-internet.nl\\\",\\\"enc_raw_header\\\":\\\"-\\\",\\\"enc_request\\\":\\\"SOCKET_UDP%20%2F\\\",\\\"enc_request_body\\\":\\\"AAAEFycQGYAAAAAAtdIQjw==\\\",\\\"family\\\":\\\"pva.torrent.openinternet\\\",\\\"field_1\\\":\\\"2022-06-04T10:35:07.143255  version_5\\\",\\\"remote_addr\\\":\\\"59.11.81.231\\\",\\\"remote_port\\\":\\\"6927\\\",\\\"remote_user\\\":\\\"-\\\", \\\"status\\\":\\\"200\\\",\\\"time_local\\\":\\\"2022-06-04T10:34:45.835005\\\"}\", \"message\": \"Potentially vulnerable application infection detected on IP address 59.11.81.231 by Malware DNS sinkhole on communication domain for sinkholed domain \", \"severity\": \"Informational \", \"severity_id\": 1, \"status\": \"Not applicable, static security finding from global threat intelligence monitoring\", \"status_id\": -1, \"state\": \"New\", \"state_id\": 1, \"time\": 1668535199946, \"timezone_offset\": 0, \"type_name\": \"Security Finding: Generate\", \"type_uid\": 200101, \"metadata\": {\"logged_time\": 1668535199946, \"original_time\": \"2022-11-15T17:59:59.946Z\", \"labels\": [\"infected_device\"], \"product\": {\"lang\": \"en\", \"name\": \"SecurityScorecard Attack Surface Intelligence\", \"uid\": \"ssc_asi\", \"feature\": {\"uid\": \"ssc_malware_dns_sinkhole\", \"name\": \"SecurityScorecard Malware DNS Sinkhole collection system\"}, \"vendor_name\": \"SecurityScorecard\"}, \"version\": \"1.0.0\", \"profiles\": [\"malware\", \"reputation\"]}, \"resources\": [{\"group_name\": \"infected_device\", \"name\": \"IPv4 address 59.11.81.231 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs\", \"owner\": \"krnic.or.kr\", \"uid\": \"59.11.81.231\"}], \"observables\": [{\"name\": \"infected_device.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"59.11.81.231\"}, {\"name\": \"infection.category\", \"type\": \"Category of infection on infected device\", \"type_id\": -1, \"value\": \"Potentially vulnerable application\"}, {\"name\": \"infected_device.malware_hostname\", \"type\": \"Hostname\", \"type_id\": 1, \"value\": null}, {\"name\": \"infection.family\", \"type\": \"Malware, adware, or PUA/PVA family name\", \"type_id\": -1, \"value\": \"pva.torrent.openinternet\"}, {\"name\": \"infected_device.source_port\", \"type\": \"Client-side port making connection to the infection communication domain\", \"type_id\": -1, \"value\": \"6927\"}, {\"name\": \"infected_device.geo_location\", \"type\": \"Geo Location\", \"type_id\": 26, \"value\": \"Seongnam-si (Buljeong-ro), Korea, Republic of\"}], \"finding\": {\"title\": \"Infection found on 59.11.81.231\", \"uid\": \"45521c66-6498-442d-ad9b-40da9f0e9236\", \"types\": [\"malware_infection\", \"infected_device\", \"pva.torrent.openinternet\"], \"src_url\": \"https://platform.securityscorecard.io/#/asi/details/59.11.81.231\", \"remediation\": {\"desc\": \"If this IP address is tied to your network via any observables attached to this event, take immediate steps to find the related device on your network and remove the infection seen from external threat intelligence\", \"kb_articles\": [\"https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K\", \"https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings\"]}, \"product_uid\": \"ssc_malware_dns_sinkhole\", \"last_seen_time\": 1668535199947, \"desc\": \"Potentially vulnerable application infection detected on IP address 59.11.81.231 communicating with Command-and-Control domain \"}}",
    "event": {
        "action": "generate",
        "category": [
            "malware"
        ],
        "kind": "alert",
        "reason": "Infection found on 59.11.81.231",
        "reference": "https://platform.securityscorecard.io/#/asi/details/59.11.81.231",
        "severity": 1,
        "type": [
            "info"
        ]
    },
    "@timestamp": "2022-11-15T17:59:59.946000Z",
    "ocsf": {
        "activity_id": 1,
        "activity_name": "Generate",
        "class_name": "Security Finding",
        "class_uid": 2001
    },
    "vulnerability": {
        "category": [
            "Potentially vulnerable application"
        ]
    }
}
{
    "message": "{\"activity_id\": 1, \"malware\": [{\"classification_ids\": [-1], \"classifications\": [\"Potentially vulnerable application\"], \"name\": \"pva.torrent.kickasstracker\", \"provider\": \"SecurityScorecard\", \"uid\": \"pva.torrent.kickasstracker_d605642d-9f8b-46ed-bb19-882ffc34a8f4\"}], \"activity_name\": \"Generate\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Security Finding\", \"class_uid\": 2001, \"confidence\": 100, \"data\": \"{\\\"body_bytes_sent\\\":\\\"152\\\",\\\"enc_host\\\":\\\"open.kickasstracker.com\\\",\\\"enc_raw_header\\\":\\\"R0VUIC9zY3JhcGU/aW5mb19oYXNoPSUwMiUyNSVkYiVmMiVmZlElZWVLJTNmJWMxJTI4MW8lMGMlMDklYWElODN4JWVlJTk5IEhUVFAvMS4xDQpVc2VyLUFnZW50OiBUcmFuc21pc3Npb24vMi44NA0KSG9zdDogb3Blbi5raWNrYXNzdHJhY2tlci5jb20NCkFjY2VwdDogKi8qDQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXA7cT0xLjAsIGRlZmxhdGUsIGlkZW50aXR5DQoNCg==\\\",\\\"enc_request\\\":\\\"GET%20%2Fscrape%3Finfo_hash%3D%2502%2525%25db%25f2%25ffQ%25eeK%253f%25c1%25281o%250c%2509%25aa%2583x%25ee%2599%20HTTP%2F1.1\\\",\\\"enc_request_body\\\":\\\"\\\",\\\"family\\\":\\\"pva.torrent.kickasstracker\\\",\\\"field_1\\\":\\\"2022-09-30T21:26:09.028507  version_5\\\",\\\"remote_addr\\\":\\\"190.109.227.80\\\",\\\"remote_port\\\":\\\"21886\\\",\\\"remote_user\\\":\\\"-\\\", \\\"status\\\":\\\"404\\\",\\\"time_local\\\":\\\"2022-09-30T21:25:21+00:00\\\"}\", \"message\": \"Potentially vulnerable application infection detected on IP address 190.109.227.80 by Malware DNS sinkhole on communication domain for sinkholed domain open.kickasstracker.com\", \"severity\": \"Informational \", \"severity_id\": 1, \"status\": \"Not applicable, static security finding from global threat intelligence monitoring\", \"status_id\": -1, \"state\": \"New\", \"state_id\": 1, \"time\": 1668535199947, \"timezone_offset\": 0, \"type_name\": \"Security Finding: Generate\", \"type_uid\": 200101, \"metadata\": {\"logged_time\": 1668535199947, \"original_time\": \"2022-11-15T17:59:59.947Z\", \"labels\": [\"infected_device\"], \"product\": {\"lang\": \"en\", \"name\": \"SecurityScorecard Attack Surface Intelligence\", \"uid\": \"ssc_asi\", \"feature\": {\"uid\": \"ssc_malware_dns_sinkhole\", \"name\": \"SecurityScorecard Malware DNS Sinkhole collection system\"}, \"vendor_name\": \"SecurityScorecard\"}, \"version\": \"1.0.0\", \"profiles\": [\"malware\", \"reputation\"]}, \"resources\": [{\"group_name\": \"infected_device\", \"name\": \"IPv4 address 190.109.227.80 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs\", \"owner\": \"cotel.bo\", \"uid\": \"190.109.227.80\"}], \"observables\": [{\"name\": \"infected_device.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"190.109.227.80\"}, {\"name\": \"infection.category\", \"type\": \"Category of infection on infected device\", \"type_id\": -1, \"value\": \"Potentially vulnerable application\"}, {\"name\": \"infected_device.malware_hostname\", \"type\": \"Hostname\", \"type_id\": 1, \"value\": \"open.kickasstracker.com\"}, {\"name\": \"infection.family\", \"type\": \"Malware, adware, or PUA/PVA family name\", \"type_id\": -1, \"value\": \"pva.torrent.kickasstracker\"}, {\"name\": \"infected_device.source_port\", \"type\": \"Client-side port making connection to the infection communication domain\", \"type_id\": -1, \"value\": \"21886\"}, {\"name\": \"infected_device.geo_location\", \"type\": \"Geo Location\", \"type_id\": 26, \"value\": \"La Paz (Macrodistrito Centro), Bolivia, Plurinational State of\"}], \"finding\": {\"title\": \"Infection found on 190.109.227.80\", \"uid\": \"8f91e92d-b75c-4d55-a6a2-c9f611cdea28\", \"types\": [\"malware_infection\", \"infected_device\", \"pva.torrent.kickasstracker\"], \"src_url\": \"https://platform.securityscorecard.io/#/asi/details/190.109.227.80\", \"remediation\": {\"desc\": \"If this IP address is tied to your network via any observables attached to this event, take immediate steps to find the related device on your network and remove the infection seen from external threat intelligence\", \"kb_articles\": [\"https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K\", \"https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings\"]}, \"product_uid\": \"ssc_malware_dns_sinkhole\", \"last_seen_time\": 1668535199948, \"desc\": \"Potentially vulnerable application infection detected on IP address 190.109.227.80 communicating with Command-and-Control domain open.kickasstracker.com\"}}",
    "event": {
        "action": "generate",
        "category": [
            "malware"
        ],
        "kind": "alert",
        "reason": "Infection found on 190.109.227.80",
        "reference": "https://platform.securityscorecard.io/#/asi/details/190.109.227.80",
        "severity": 1,
        "type": [
            "info"
        ]
    },
    "@timestamp": "2022-11-15T17:59:59.947000Z",
    "ocsf": {
        "activity_id": 1,
        "activity_name": "Generate",
        "class_name": "Security Finding",
        "class_uid": 2001
    },
    "vulnerability": {
        "category": [
            "Potentially vulnerable application"
        ]
    }
}
{
    "message": "{\"activity_id\": 1, \"malware\": [{\"classification_ids\": [-1], \"classifications\": [\"Adware\"], \"name\": \"adware.android.imp\", \"provider\": \"SecurityScorecard\", \"uid\": \"adware.android.imp_7cd5cf7b-4c99-406c-ad46-621487394fba\"}], \"activity_name\": \"Generate\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Security Finding\", \"class_uid\": 2001, \"confidence\": 100, \"data\": \"{\\\"body_bytes_sent\\\":\\\"152\\\",\\\"enc_host\\\":\\\"x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com\\\",\\\"enc_raw_header\\\":\\\"UE9TVCAvYXVjdGlvbi9pbml0IEhUVFAvMS4xDQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtcHJvdG9idWYNCkFjY2VwdC1FbmNvZGluZzogZ3ppcA0KQ29udGVudC1FbmNvZGluZzogZ3ppcA0KVXNlci1BZ2VudDogRGFsdmlrLzIuMS4wIChMaW51eDsgVTsgQW5kcm9pZCAxMTsgU00tQTIwN0YgQnVpbGQvUlAxQS4yMDA3MjAuMDEyKQ0KSG9zdDogeC1ldS41OGRhYzE2ZTdiMmM4NmMxOWNmZTQ4OTE0YTZlOGZjZGFjOWFlMDZmZTVjZjUzMzY5YmVhYTQ1Yi5jb20NCkNvbm5lY3Rpb246IEtlZXAtQWxpdmUNCkNvbnRlbnQtTGVuZ3RoOiAzMDMNCg0K\\\",\\\"enc_request\\\":\\\"POST%20%2Fauction%2Finit%20HTTP%2F1.1\\\",\\\"enc_request_body\\\":\\\"H4sIAAAAAAAAAK3PzUoDMRQFYEhbSwNSnI1lljKrgYQkzd+47MqNIIg/u3qTTHCUzshMacFHEHwGwbUPaStVQTcu3F3uOXxwcI8X02TsmwWFdUehDm1ThQk6QpznvZs3JPCsCqfgb6u6PB5wWlA9y0oLzjGvCHPGE+kgEif05iq5YVZZkEye9M+Qy6LVLETpiXfOEilAE2sUJ9EIr4WCGKfibqSoVJQRrttMhKijLhjxQhsijSo29NSS4IOSDJRRzDy+IvyC8H5dLtdNe9/Nqzo2yTMSTwhf55c4wcNdlAzTwaKFKuAUj3e/+apsu6qptxnb7LE4w4efGQR4WJbtV2eUDj82U46v8gt88C3vpf0VdMt/gC/y8x9wvYUnv+FB2uOU/Y19BzRbkezaAQAA\\\",\\\"family\\\":\\\"adware.android.imp\\\",\\\"field_1\\\":\\\"2022-09-23T16:20:10.540428 version_5\\\",\\\"remote_addr\\\":\\\"38.7.186.198\\\",\\\"remote_port\\\":\\\"59750\\\",\\\"remote_user\\\":\\\"-\\\",\\\"status\\\":\\\"404\\\",\\\"time_local\\\":\\\"2022-09-23T16:19:38+00:00\\\"}\", \"message\": \"Adware infection detected on IP address 38.7.186.198 by Malware DNS sinkhole on communication domain for sinkholed domain x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com\", \"severity\": \"Informational \", \"severity_id\": 1, \"status\": \"Not applicable, static security finding from global threat intelligence monitoring\", \"status_id\": -1, \"state\": \"New\", \"state_id\": 1, \"time\": 1668535199948, \"timezone_offset\": 0, \"type_name\": \"Security Finding: Generate\", \"type_uid\": 200101, \"metadata\": {\"logged_time\": 1668535199948, \"original_time\": \"2022-11-15T17:59:59.948Z\", \"labels\": [\"infected_device\"], \"product\": {\"lang\": \"en\", \"name\": \"SecurityScorecard Attack Surface Intelligence\", \"uid\": \"ssc_asi\", \"feature\": {\"uid\": \"ssc_malware_dns_sinkhole\", \"name\": \"SecurityScorecard Malware DNS Sinkhole collection system\"}, \"vendor_name\": \"SecurityScorecard\"}, \"version\": \"1.0.0\", \"profiles\": [\"malware\", \"reputation\"]}, \"resources\": [{\"group_name\": \"infected_device\", \"name\": \"IPv4 address 38.7.186.198 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs\", \"owner\": \"emix.net.ae\", \"uid\": \"38.7.186.198\"}], \"observables\": [{\"name\": \"infected_device.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"38.7.186.198\"}, {\"name\": \"infection.category\", \"type\": \"Category of infection on infected device\", \"type_id\": -1, \"value\": \"Adware\"}, {\"name\": \"infected_device.malware_hostname\", \"type\": \"Hostname\", \"type_id\": 1, \"value\": \"x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com\"}, {\"name\": \"infection.family\", \"type\": \"Malware, adware, or PUA/PVA family name\", \"type_id\": -1, \"value\": \"adware.android.imp\"}, {\"name\": \"infected_device.source_port\", \"type\": \"Client-side port making connection to the infection communication domain\", \"type_id\": -1, \"value\": \"59750\"}, {\"name\": \"infected_device.geo_location\", \"type\": \"Geo Location\", \"type_id\": 26, \"value\": \"Karachi (Sector Five F), Pakistan\"}], \"finding\": {\"title\": \"Infection found on 38.7.186.198\", \"uid\": \"26c7c83d-0aad-411b-88ee-52343ff22064\", \"types\": [\"malware_infection\", \"infected_device\", \"adware.android.imp\"], \"src_url\": \"https://platform.securityscorecard.io/#/asi/details/38.7.186.198\", \"remediation\": {\"desc\": \"If this IP address is tied to your network via any observables attached to this event, take immediate steps to find the related device on your network and remove the infection seen from external threat intelligence\", \"kb_articles\": [\"https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K\", \"https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings\"]}, \"product_uid\": \"ssc_malware_dns_sinkhole\", \"last_seen_time\": 1668535199948, \"desc\": \"Adware infection detected on IP address 38.7.186.198 communicating with Command-and-Control domain x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com\"}}",
    "event": {
        "action": "generate",
        "category": [
            "malware"
        ],
        "kind": "alert",
        "reason": "Infection found on 38.7.186.198",
        "reference": "https://platform.securityscorecard.io/#/asi/details/38.7.186.198",
        "severity": 1,
        "type": [
            "info"
        ]
    },
    "@timestamp": "2022-11-15T17:59:59.948000Z",
    "ocsf": {
        "activity_id": 1,
        "activity_name": "Generate",
        "class_name": "Security Finding",
        "class_uid": 2001
    },
    "vulnerability": {
        "category": [
            "Adware"
        ]
    }
}
{
    "message": "{\"activity_id\": 99, \"actor\": {\"process\": {\"file\": {\"name\": \"lsass.exe\", \"parent_folder\": \"C:\\\\Windows\\\\System32\", \"path\": \"C:\\\\Windows\\\\System32\\\\lsass.exe\", \"type_id\": 1}, \"pid\": 492}, \"session\": {\"uid\": \"0x3e7\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"DIR\", \"name\": \"STLDIRDC1$\", \"uid\": \"NT AUTHORITY\\\\SYSTEM\"}}, \"category_uid\": 1, \"class_uid\": 1010, \"device\": {\"hostname\": \"STLDIRDC1.dir.solutia.com\", \"os\": {\"name\": \"Windows\", \"type_id\": 100}, \"type_id\": 0}, \"message\": \"A handle to an object was requested.\", \"metadata\": {\"original_time\": \"01/09/2019 12:46:00 AM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"d9e6a7b1-3177-4542-8de1-bfd582f87727\", \"version\": \"1.0.0-rc.2\"}, \"severity_id\": 1, \"status_id\": 1, \"time\": 1547012760000, \"unmapped\": {\"Access Request Information\": {\"Access Mask\": \"0x2d\", \"Accesses\": [\"DELETE\", \"READ_CONTROL\", \"WRITE_DAC\", \"WRITE_OWNER\", \"ReadPasswordParameters\", \"WritePasswordParameters\", \"ReadOtherParameters\", \"WriteOtherParameters\", \"CreateUser\", \"CreateGlobalGroup\", \"CreateLocalGroup\", \"GetLocalGroupMembership\", \"ListAccounts\"], \"Privileges Used for Access Check\": \"\\u01ff\\\\x0F-\", \"Properties\": [\"---\", \"domain\", \"DELETE\", \"READ_CONTROL\", \"WRITE_DAC\", \"WRITE_OWNER\", \"ReadPasswordParameters\", \"WritePasswordParameters\", \"ReadOtherParameters\", \"WriteOtherParameters\", \"CreateUser\", \"CreateGlobalGroup\", \"CreateLocalGroup\", \"GetLocalGroupMembership\", \"ListAccounts\", \"Domain Password & Lockout Policies\", \"lockOutObservationWindow\", \"lockoutDuration\", \"lockoutThreshold\", \"maxPwdAge\", \"minPwdAge\", \"minPwdLength\", \"pwdHistoryLength\", \"pwdProperties\", \"Other Domain Parameters (for use by SAM)\", \"serverState\", \"serverRole\", \"modifiedCount\", \"uASCompat\", \"forceLogoff\", \"domainReplica\", \"oEMInformation\", \"Domain Administer Server\"], \"Restricted SID Count\": \"0\", \"Transaction ID\": \"{00000000-0000-0000-0000-000000000000}\"}, \"EventCode\": \"4661\", \"EventType\": \"0\", \"Object\": {\"Object Server\": \"Security Account Manager\"}, \"OpCode\": \"Info\", \"RecordNumber\": \"3166250565\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"SAM\"}, \"win_resource\": {\"name\": \"DC=dir,DC=solutia,DC=com\", \"type_id\": 36, \"uid\": \"0x7f79620\"}}",
    "event": {
        "category": [],
        "outcome": "success",
        "reason": "A handle to an object was requested.",
        "severity": 1,
        "type": []
    },
    "@timestamp": "2019-01-09T05:46:00Z",
    "file": {
        "directory": "C:\\Windows\\System32",
        "name": "lsass.exe",
        "path": "C:\\Windows\\System32\\lsass.exe"
    },
    "host": {
        "hostname": "STLDIRDC1.dir.solutia.com",
        "name": "STLDIRDC1.dir.solutia.com",
        "os": {
            "name": "Windows"
        }
    },
    "ocsf": {
        "activity_id": 99,
        "class_uid": 1010
    },
    "process": {
        "pid": 492
    },
    "related": {
        "hosts": [
            "STLDIRDC1.dir.solutia.com"
        ],
        "user": [
            "STLDIRDC1$"
        ]
    },
    "user": {
        "domain": "DIR",
        "id": "NT AUTHORITY\\SYSTEM",
        "name": "STLDIRDC1$"
    }
}
{
    "message": "{\"activity_id\": 1, \"actor\": {\"process\": {\"file\": {\"name\": \"explorer.exe\", \"parent_folder\": \"C:\\\\Windows\", \"path\": \"C:\\\\Windows\\\\explorer.exe\", \"type_id\": 1}, \"pid\": 1704}, \"session\": {\"uid\": \"0xDE9AD8\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"SESTEST\", \"name\": \"splunker\", \"uid\": \"SESTEST\\\\splunker\"}}, \"category_uid\": 1, \"class_uid\": 1010, \"device\": {\"hostname\": \"SesWin2019DC1.SesTest.local\", \"os\": {\"name\": \"Windows\", \"type_id\": 100}, \"type_id\": 0}, \"message\": \"A privileged service was called.\", \"metadata\": {\"original_time\": \"01/28/2022 04:12:19 PM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"995559a6-1921-463f-93e1-9c5ca932dc8c\", \"version\": \"1.0.0-rc.2\"}, \"severity_id\": 1, \"status_id\": 2, \"time\": 1643404339000, \"unmapped\": {\"EventCode\": \"4673\", \"EventType\": \"0\", \"OpCode\": \"Info\", \"RecordNumber\": \"374060\", \"Service Request Information\": {\"Privileges\": \"SeTcbPrivilege\"}, \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Sensitive Privilege Use\"}, \"win_resource\": {\"name\": \"-\", \"type\": \"Security\", \"type_id\": 0}}",
    "event": {
        "category": [],
        "outcome": "failure",
        "reason": "A privileged service was called.",
        "severity": 1,
        "type": []
    },
    "@timestamp": "2022-01-28T21:12:19Z",
    "file": {
        "directory": "C:\\Windows",
        "name": "explorer.exe",
        "path": "C:\\Windows\\explorer.exe"
    },
    "host": {
        "hostname": "SesWin2019DC1.SesTest.local",
        "name": "SesWin2019DC1.SesTest.local",
        "os": {
            "name": "Windows"
        }
    },
    "ocsf": {
        "activity_id": 1,
        "class_uid": 1010
    },
    "process": {
        "pid": 1704
    },
    "related": {
        "hosts": [
            "SesWin2019DC1.SesTest.local"
        ],
        "user": [
            "splunker"
        ]
    },
    "user": {
        "domain": "SESTEST",
        "id": "SESTEST\\splunker",
        "name": "splunker"
    }
}
{
    "message": "{\"activity_id\": 2, \"activity_name\": \"Update\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Vulnerability Finding\", \"class_uid\": 2002, \"cloud\": {\"account\": {\"uid\": \"111111111111\"}, \"provider\": \"AWS\", \"region\": \"us-east-2\"}, \"finding_info\": {\"created_time_dt\": \"2023-04-21T11:59:04.000-04:00\", \"desc\": \"Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM\\nplatform contains a bug that could cause it to read past the input buffer,\\nleading to a crash.\\n\\nImpact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM\\nplatform can crash in rare circumstances. The AES-XTS algorithm is usually\\nused for disk encryption.\\n\\nThe AES-XTS cipher decryption implementation for 64 bit ARM platform will read\\npast the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16\\nbyte blocks, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext\\nbuffer is unmapped, this will trigger a crash which results in a denial of\\nservice.\\n\\nIf an attacker can control the size and location of the ciphertext buffer\\nbeing decrypted by an application using AES-XTS on 64 bit ARM, the\\napplication is affected. This is fairly unlikely making this issue\\na Low severity one.\", \"first_seen_time_dt\": \"2023-04-21T11:59:04.000-04:00\", \"last_seen_time_dt\": \"2024-01-26T17:19:14.000-05:00\", \"modified_time_dt\": \"2024-01-26T17:19:14.000-05:00\", \"title\": \"CVE-2023-1255 - openssl\", \"types\": [\"Software and Configuration Checks/Vulnerabilities/CVE\"], \"uid\": \"arn:aws:inspector2:us-east-2:111111111111:finding/faa0d54609b94871badcc83ac7c2add5\"}, \"metadata\": {\"log_version\": \"2018-10-08\", \"processed_time_dt\": \"2024-01-26T17:59:56.923-05:00\", \"product\": {\"feature\": {\"uid\": \"AWSInspector\"}, \"name\": \"Inspector\", \"uid\": \"arn:aws:securityhub:us-east-2::product/aws/inspector\", \"vendor_name\": \"Amazon\", \"version\": \"2\"}, \"profiles\": [\"cloud\", \"datetime\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"resource.uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"arn:aws:ecr:us-east-2:111111111111:repository/browserhostingstack-EXAMPLE-btb1o54yh1jr/sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8\"}], \"resource\": {\"cloud_partition\": \"aws\", \"data\": \"{\\\"AwsEcrContainerImage\\\":{\\\"Architecture\\\":\\\"amd64\\\",\\\"ImageDigest\\\":\\\"sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8\\\",\\\"ImagePublishedAt\\\":\\\"2023-04-11T21:07:55Z\\\",\\\"RegistryId\\\":\\\"111111111111\\\",\\\"RepositoryName\\\":\\\"browserhostingstack-EXAMPLE-btb1o54yh1jr\\\"}}\", \"region\": \"us-east-2\", \"type\": \"AwsEcrContainerImage\", \"uid\": \"arn:aws:ecr:us-east-2:111111111111:repository/browserhostingstack-EXAMPLE-btb1o54yh1jr/sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8\"}, \"severity\": \"Medium\", \"severity_id\": 3, \"status\": \"New\", \"time\": 1706307554000, \"time_dt\": \"2024-01-26T17:19:14.000-05:00\", \"type_name\": \"Vulnerability Finding: Update\", \"type_uid\": 200202, \"unmapped\": {\"FindingProviderFields.Severity.Label\": \"MEDIUM\", \"FindingProviderFields.Types[]\": \"Software and Configuration Checks/Vulnerabilities/CVE\", \"ProductFields.aws/inspector/FindingStatus\": \"ACTIVE\", \"ProductFields.aws/inspector/inspectorScore\": \"5.9\", \"ProductFields.aws/inspector/packageVulnerabilityDetails/vulnerablePackages/sourceLayerHashes\": \"sha256:f56be85fc22e46face30e2c3de3f7fe7c15f8fd7c4e5add29d7f64b87abdaa09\", \"ProductFields.aws/inspector/resources/1/resourceDetails/awsEcrContainerImageDetails/platform\": \"ALPINE_LINUX_3_17\", \"ProductFields.aws/securityhub/CompanyName\": \"Amazon\", \"ProductFields.aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-2::product/aws/inspector/arn:aws:inspector2:us-east-2:111111111111:finding/faa0d54609b94871badcc83ac7c2add5\", \"ProductFields.aws/securityhub/ProductName\": \"Inspector\", \"RecordState\": \"ACTIVE\", \"Severity.Normalized\": \"40\", \"Vulnerabilities[].Cvss[].Source\": \"NVD,NVD\", \"Vulnerabilities[].Vendor.VendorSeverity\": \"MEDIUM\", \"Vulnerabilities[].VulnerablePackages[].SourceLayerHash\": \"sha256:f56be85fc22e46face30e2c3de3f7fe7c15f8fd7c4e5add29d7f64b87abdaa09\", \"WorkflowState\": \"NEW\"}, \"vulnerabilities\": [{\"affected_packages\": [{\"architecture\": \"X86_64\", \"epoch\": 0, \"fixed_in_version\": \"0:3.0.8-r4\", \"name\": \"openssl\", \"package_manager\": \"OS\", \"release\": \"r3\", \"remediation\": {\"desc\": \"apk update && apk upgrade openssl\"}, \"version\": \"3.0.8\"}], \"cve\": {\"created_time_dt\": \"2023-04-20T13:15:06.000-04:00\", \"cvss\": [{\"base_score\": 5.9, \"vector_string\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"version\": \"3.1\"}, {\"base_score\": 5.9, \"vector_string\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"version\": \"3.1\"}], \"epss\": {\"score\": \"0.00066\"}, \"modified_time_dt\": \"2023-09-08T13:15:15.000-04:00\", \"references\": [\"https://nvd.nist.gov/vuln/detail/CVE-2023-1255\"], \"uid\": \"CVE-2023-1255\"}, \"is_exploit_available\": true, \"is_fix_available\": true, \"references\": [\"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bc2f61ad70971869b242fc1cb445b98bad50074a\", \"https://www.openssl.org/news/secadv/20230419.txt\", \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=02ac9c9420275868472f33b01def01218742b8bb\"], \"remediation\": {\"desc\": \"Remediation is available. Please refer to the Fixed version in the vulnerability details section above.For detailed remediation guidance for each of the affected packages, refer to the vulnerabilities section of the detailed finding JSON.\"}, \"vendor_name\": \"NVD\"}]}",
    "event": {
        "action": "update",
        "category": [
            "vulnerability"
        ],
        "severity": 3,
        "type": [
            "info"
        ]
    },
    "@timestamp": "2024-01-26T22:19:14Z",
    "cloud": {
        "account": {
            "id": "111111111111"
        },
        "provider": "AWS",
        "region": "us-east-2"
    },
    "ocsf": {
        "activity_id": 2,
        "activity_name": "Update",
        "class_name": "Vulnerability Finding",
        "class_uid": 2002
    },
    "vulnerability": {
        "id": "CVE-2023-1255",
        "scanner": {
            "vendor": "NVD"
        }
    }
}
{
    "message": "{\"activity_id\": 1, \"activity_name\": \"Access\", \"actor\": {\"process\": {\"file\": {\"name\": \"services.exe\", \"parent_folder\": \"C:\\\\Windows\\\\System32\", \"path\": \"C:\\\\Windows\\\\System32\\\\services.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 532}, \"session\": {\"uid\": \"0x3e7\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"SOI\", \"name\": \"SZUSOIDC1$\", \"uid\": \"NT AUTHORITY\\\\SYSTEM\"}}, \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Windows Resource Activity\", \"class_uid\": 201003, \"device\": {\"hostname\": \"szusoidc1.soi.dir.acme080.com\", \"os\": {\"name\": \"Windows\", \"type\": \"Windows\", \"type_id\": 100}, \"type\": \"Unknown\", \"type_id\": 0}, \"message\": \"An attempt was made to access an object.\", \"metadata\": {\"original_time\": \"01/14/2015 08:30:54 PM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"05e90f2c-5be6-484c-aefb-f8e6f591bd2c\", \"version\": \"1.0.0-rc.2\"}, \"severity\": \"Informational\", \"severity_id\": 1, \"status\": \"Success\", \"status_id\": 1, \"time\": 1421285454000, \"type_name\": \"Windows Resource Activity: Access\", \"type_uid\": 101001, \"unmapped\": {\"Access Mask\": \"0x2\", \"Access Request Information\": {\"Accesses\": \"Set key value\"}, \"CaseID\": \"AD_4663\", \"EventCode\": \"4663\", \"EventType\": \"0\", \"Object\": {\"Object Server\": \"Security\"}, \"OpCode\": \"Info\", \"RecordNumber\": \"989202992\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Registry\"}, \"win_resource\": {\"name\": \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Services\\\\EventLog\\\\Security\", \"type\": \"Key\", \"type_id\": 25, \"uid\": \"0x564\"}}",
    "event": {
        "action": "access",
        "category": [],
        "outcome": "success",
        "reason": "An attempt was made to access an object.",
        "severity": 1,
        "type": []
    },
    "@timestamp": "2015-01-15T01:30:54Z",
    "file": {
        "directory": "C:\\Windows\\System32",
        "name": "services.exe",
        "path": "C:\\Windows\\System32\\services.exe",
        "type": "Regular File"
    },
    "host": {
        "hostname": "szusoidc1.soi.dir.acme080.com",
        "name": "szusoidc1.soi.dir.acme080.com",
        "os": {
            "name": "Windows",
            "type": "Windows"
        },
        "type": "Unknown"
    },
    "ocsf": {
        "activity_id": 1,
        "activity_name": "Access",
        "class_name": "Windows Resource Activity",
        "class_uid": 201003
    },
    "process": {
        "pid": 532
    },
    "related": {
        "hosts": [
            "szusoidc1.soi.dir.acme080.com"
        ],
        "user": [
            "SZUSOIDC1$"
        ]
    },
    "user": {
        "domain": "SOI",
        "id": "NT AUTHORITY\\SYSTEM",
        "name": "SZUSOIDC1$"
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. Note that inferred fields are not listed.

Name Type Description
@timestamp date Date/time when the event originated.
cloud.account.id keyword The cloud account or organization id.
cloud.account.name keyword The cloud account name.
cloud.availability_zone keyword Availability zone in which this host, resource, or service is located.
cloud.project.id keyword The cloud project id.
cloud.provider keyword Name of the cloud provider.
cloud.region keyword Region in which this host, resource, or service is located.
container.id keyword Unique container id.
container.image.name keyword Name of the image the container was built on.
container.image.tag keyword Container image tags.
container.labels object Image labels.
container.name keyword Container name.
container.runtime keyword Runtime managing this container.
destination.bytes long Bytes sent from the destination to the source.
destination.domain keyword The domain name of the destination.
destination.geo.city_name keyword City name.
destination.geo.continent_name keyword Name of the continent.
destination.geo.country_iso_code keyword Country ISO code.
destination.geo.name keyword User-defined description of a location.
destination.geo.postal_code keyword Postal code.
destination.geo.region_iso_code keyword Region ISO code.
destination.ip ip IP address of the destination.
destination.mac keyword MAC address of the destination.
destination.packets long Packets sent from the destination to the source.
destination.port long Port of the destination.
dns.answers object Array of DNS answers.
dns.id keyword The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
dns.question.class keyword The class of records being queried.
dns.question.name keyword The name being queried.
dns.question.type keyword The type of record being queried.
dns.response_code keyword The DNS response code.
email.attachments.file.name keyword Name of the attachment file.
email.attachments.file.size long Attachment file size.
email.cc.address keyword Email address of CC recipient.
email.from.address keyword The sender's email address.
email.local_id keyword Unique identifier given by the source.
email.message_id wildcard Value from the Message-ID header.
email.reply_to.address keyword Address replies should be delivered to.
email.subject keyword The subject of the email message.
email.to.address keyword Email address of recipient.
event.action keyword The action captured by the event.
event.category keyword Event category. The second categorization field in the hierarchy.
event.code keyword Identification code for this event.
event.duration long Duration of the event in nanoseconds.
event.end date event.end contains the date when the event ended or when the activity was last observed.
event.kind keyword The kind of the event. The highest categorization field in the hierarchy.
event.provider keyword Source of the event.
event.reason keyword Reason why this event happened, according to the source.
event.reference keyword Event reference URL.
event.risk_score float Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
event.sequence long Sequence number of the event.
event.severity long Numeric severity of the event.
event.start date event.start contains the date when the event started or when the activity was first observed.
event.type keyword Event type. The third categorization field in the hierarchy.
file.accessed date Last time the file was accessed.
file.created date File creation time.
file.directory keyword Directory where the file is located.
file.hash.md5 keyword MD5 hash.
file.hash.sha1 keyword SHA1 hash.
file.hash.sha256 keyword SHA256 hash.
file.hash.sha512 keyword SHA512 hash.
file.hash.ssdeep keyword SSDEEP hash.
file.hash.tlsh keyword TLSH hash.
file.inode keyword Inode representing the file in the filesystem.
file.mime_type keyword Media type of file, document, or arrangement of bytes.
file.mtime date Last time the file content was modified.
file.name keyword Name of the file including the extension, without the directory.
file.owner keyword File owner's username.
file.path keyword Full path to the file, including the file name.
file.size long File size in bytes.
file.type keyword File type (file, dir, or symlink).
file.uid keyword The user ID (UID) or security identifier (SID) of the file owner.
file.x509.issuer.distinguished_name keyword Distinguished name (DN) of issuing certificate authority.
file.x509.not_after date Time at which the certificate is no longer considered valid.
file.x509.serial_number keyword Unique serial number issued by the certificate authority.
file.x509.subject.distinguished_name keyword Distinguished name (DN) of the certificate subject entity.
file.x509.version_number keyword Version of x509 format.
group.id keyword Unique identifier for the group on the system/platform.
group.name keyword Name of the group.
host.domain keyword Name of the domain the host is a member of.
host.geo.city_name keyword City name.
host.geo.continent_name keyword Name of the continent.
host.geo.country_iso_code keyword Country ISO code.
host.geo.name keyword User-defined description of a location.
host.geo.postal_code keyword Postal code.
host.geo.region_iso_code keyword Region ISO code.
host.hostname keyword Hostname of the host.
host.id keyword Unique host id.
host.ip ip Host ip addresses.
host.mac keyword Host MAC addresses.
host.os.name keyword Operating system name, without the version.
host.os.type keyword Which commercial OS family (one of: linux, macos, unix or windows).
host.os.version keyword Operating system version as a raw string.
host.type keyword Type of host.
http.request.id keyword HTTP request ID.
http.request.method keyword HTTP request method.
http.request.referrer keyword Referrer for this HTTP request.
http.response.body.bytes long Size in bytes of the response body.
http.response.body.content wildcard The full HTTP response body.
http.response.status_code long HTTP response status code.
http.version keyword HTTP version.
network.application keyword Application level protocol name.
network.bytes long Total bytes transferred in both directions.
network.direction keyword Direction of the network traffic.
network.iana_number keyword IANA Protocol Number.
network.packets long Total packets transferred in both directions.
network.vlan.id keyword VLAN ID as reported by the observer.
observer.hostname keyword Hostname of the observer.
observer.ip ip IP addresses of the observer.
observer.mac keyword MAC addresses of the observer.
observer.name keyword Custom name of the observer.
observer.type keyword The type of the observer the data is coming from.
ocsf.activity_id long The normalized identifier of the activity that triggered the event.
ocsf.activity_name keyword The event activity name, as defined by the activity_id.
ocsf.class_name keyword The event class name, as defined by class_uid value: Security Finding.
ocsf.class_uid long The unique identifier of a class. A class describes the attributes available in an event. Example: 2001 (Security Finding). Security Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products.
ocsf.process.group dict
ocsf.process.parent.group dict
ocsf.process.parent.user.domain keyword
ocsf.process.parent.user.email keyword
ocsf.process.parent.user.full_name keyword
ocsf.process.parent.user.groups array
ocsf.process.user.domain keyword
ocsf.process.user.email keyword
ocsf.process.user.full_name keyword
ocsf.process.user.groups array
ocsf.user.groups array The list of groups that the user belongs to.
ocsf.vulnerabilities array
orchestrator.type keyword Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry).
organization.id keyword Unique identifier for the organization.
organization.name keyword Organization name.
package.description keyword Description of the package.
package.name keyword Package name.
package.type keyword Package type.
process.command_line wildcard Full command line that started the process.
process.end date The time the process ended.
process.entity_id keyword Unique identifier for the process.
process.exit_code long The exit code of the process.
process.name keyword Process name.
process.parent.command_line wildcard Full command line that started the process.
process.parent.end date The time the process ended.
process.parent.entity_id keyword Unique identifier for the process.
process.parent.name keyword Process name.
process.parent.pid long Process id.
process.parent.start date The time the process started.
process.parent.thread.id long Thread ID.
process.pid long Process id.
process.start date The time the process started.
process.thread.id long Thread ID.
rule.category keyword Rule category.
rule.description keyword Rule description.
rule.name keyword Rule name.
rule.uuid keyword Rule UUID.
rule.version keyword Rule version.
service.id keyword Unique identifier of the running service.
service.name keyword Name of the service.
service.version keyword Version of the service.
source.bytes long Bytes sent from the source to the destination.
source.domain keyword The domain name of the source.
source.geo.city_name keyword City name.
source.geo.continent_name keyword Name of the continent.
source.geo.country_iso_code keyword Country ISO code.
source.geo.location geo_point Longitude and latitude.
source.geo.name keyword User-defined description of a location.
source.geo.postal_code keyword Postal code.
source.geo.region_iso_code keyword Region ISO code.
source.ip ip IP address of the source.
source.mac keyword MAC address of the source.
source.packets long Packets sent from the source to the destination.
source.port long Port of the source.
threat.technique.id keyword Threat technique id.
threat.technique.name keyword Threat technique name.
tls.cipher keyword String indicating the cipher used during the current connection.
tls.client.ja3 keyword A hash that identifies clients based on how they perform an SSL/TLS handshake.
tls.client.server_name keyword Hostname the client is trying to connect to. Also called the SNI.
tls.client.supported_ciphers keyword Array of ciphers offered by the client during the client hello.
tls.client.x509.alternative_names keyword List of subject alternative names (SAN).
tls.client.x509.issuer.distinguished_name keyword Distinguished name (DN) of issuing certificate authority.
tls.client.x509.not_after date Time at which the certificate is no longer considered valid.
tls.client.x509.serial_number keyword Unique serial number issued by the certificate authority.
tls.client.x509.subject.distinguished_name keyword Distinguished name (DN) of the certificate subject entity.
tls.client.x509.version_number keyword Version of x509 format.
tls.server.certificate_chain keyword Array of PEM-encoded certificates that make up the certificate chain offered by the server.
tls.server.ja3s keyword A hash that identifies servers based on how they perform an SSL/TLS handshake.
tls.version keyword Numeric part of the version parsed from the original string.
url.domain keyword Domain of the url.
url.original wildcard Unmodified original url as seen in the event source.
url.path wildcard Path of the request, such as "/search".
url.port long Port of the request, such as 443.
url.query keyword Query string of the request.
url.scheme keyword Scheme of the url.
url.subdomain keyword The subdomain of the domain.
user.changes.domain keyword Name of the directory the user is a member of.
user.changes.email keyword User email address.
user.changes.full_name keyword User's full name, if available.
user.changes.id keyword Unique identifier of the user.
user.changes.name keyword Short name or login of the user.
user.domain keyword Name of the directory the user is a member of.
user.email keyword User email address.
user.full_name keyword User's full name, if available.
user.id keyword Unique identifier of the user.
user.name keyword Short name or login of the user.
user.target.domain keyword Name of the directory the user is a member of.
user.target.email keyword User email address.
user.target.full_name keyword User's full name, if available.
user.target.id keyword Unique identifier of the user.
user.target.name keyword Short name or login of the user.
user_agent.original keyword Unparsed user_agent string.
vulnerability.category keyword Category of a vulnerability.
vulnerability.description keyword Description of the vulnerability.
vulnerability.id keyword ID of the vulnerability.
vulnerability.scanner.vendor keyword Name of the scanner vendor.
vulnerability.score.base float Vulnerability Base score.
vulnerability.score.version keyword CVSS version.
vulnerability.severity keyword Severity of the vulnerability.
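
As an added example (not Sekoia.io's parser), the following Python script applies the raw-to-ECS mapping that the sample events above and the field table illustrate: OCSF time in epoch milliseconds to @timestamp, status_id to event.outcome, device and actor to host.*, process.*, file.* and user.*, and, for Findings classes, cloud.* and vulnerabilities[] to vulnerability.*. The two input events are constructed from the samples, and the status_id-to-outcome table and the lower-casing of activity_name are assumptions read off those samples rather than documented parser behaviour.

```python
import json
from datetime import datetime, timezone

# Constructed inputs modelled on the samples above (not real logs): a Windows
# "privileged service was called" event and an Inspector vulnerability finding.
SAMPLE_OCSF = json.dumps({
    "activity_id": 1,
    "actor": {
        "process": {"file": {"name": "explorer.exe", "parent_folder": "C:\\Windows",
                             "path": "C:\\Windows\\explorer.exe"}, "pid": 1704},
        "user": {"domain": "SESTEST", "name": "splunker", "uid": "SESTEST\\splunker"},
    },
    "class_uid": 1010,
    "device": {"hostname": "SesWin2019DC1.SesTest.local", "os": {"name": "Windows"}},
    "message": "A privileged service was called.",
    "severity_id": 1,
    "status_id": 2,
    "time": 1643404339000,
})
SAMPLE_FINDING = json.dumps({
    "activity_id": 2, "activity_name": "Update", "class_name": "Vulnerability Finding",
    "class_uid": 2002, "severity_id": 3, "time": 1706307554000,
    "cloud": {"account": {"uid": "111111111111"}, "provider": "AWS", "region": "us-east-2"},
    "vulnerabilities": [{"cve": {"uid": "CVE-2023-1255"}, "vendor_name": "NVD"}],
})

# OCSF status_id values as they appear in the samples (1 = Success, 2 = Failure); assumption.
STATUS_TO_OUTCOME = {1: "success", 2: "failure"}


def _put(doc: dict, dotted: str, value) -> None:
    """Set a dotted ECS key such as "host.os.name", skipping absent or empty values."""
    if value is None or value in ("", [], {}):
        return
    *parents, leaf = dotted.split(".")
    cur = doc
    for part in parents:
        cur = cur.setdefault(part, {})
    cur[leaf] = value


def normalize(raw: str) -> dict:
    """Map one OCSF JSON string to the ECS fields of the Extracted Fields table."""
    ev = json.loads(raw)
    doc: dict = {}
    # Event envelope: OCSF epoch milliseconds become a UTC @timestamp.
    ts = datetime.fromtimestamp(ev["time"] / 1000, tz=timezone.utc)
    _put(doc, "@timestamp", ts.strftime("%Y-%m-%dT%H:%M:%SZ"))
    _put(doc, "event.outcome", STATUS_TO_OUTCOME.get(ev.get("status_id")))
    _put(doc, "event.reason", ev.get("message"))
    _put(doc, "event.severity", ev.get("severity_id"))
    if ev.get("activity_name"):
        _put(doc, "event.action", ev["activity_name"].lower())
    for key in ("activity_id", "activity_name", "class_name", "class_uid"):
        _put(doc, f"ocsf.{key}", ev.get(key))
    # OCSF device -> host.*, actor.process -> process.* and file.*, actor.user -> user.*
    dev = ev.get("device", {})
    _put(doc, "host.hostname", dev.get("hostname"))
    _put(doc, "host.name", dev.get("hostname"))
    _put(doc, "host.os.name", dev.get("os", {}).get("name"))
    proc = ev.get("actor", {}).get("process", {})
    _put(doc, "process.pid", proc.get("pid"))
    fobj = proc.get("file", {})
    _put(doc, "file.name", fobj.get("name"))
    _put(doc, "file.directory", fobj.get("parent_folder"))
    _put(doc, "file.path", fobj.get("path"))
    user = ev.get("actor", {}).get("user", {})
    _put(doc, "user.domain", user.get("domain"))
    _put(doc, "user.id", user.get("uid"))
    _put(doc, "user.name", user.get("name"))
    # Findings classes (e.g. 2002) carry cloud.* and vulnerabilities[] instead of an actor.
    cloud = ev.get("cloud", {})
    _put(doc, "cloud.account.id", cloud.get("account", {}).get("uid"))
    _put(doc, "cloud.provider", cloud.get("provider"))
    _put(doc, "cloud.region", cloud.get("region"))
    for vuln in ev.get("vulnerabilities", []):
        _put(doc, "vulnerability.id", vuln.get("cve", {}).get("uid"))
        _put(doc, "vulnerability.scanner.vendor", vuln.get("vendor_name"))
    # related.* pivot fields, populated only when a host or user is present.
    _put(doc, "related.hosts", [dev["hostname"]] if dev.get("hostname") else [])
    _put(doc, "related.user", [user["name"]] if user.get("name") else [])
    return doc


if __name__ == "__main__":
    for raw in (SAMPLE_OCSF, SAMPLE_FINDING):
        print(json.dumps(normalize(raw), indent=2))
```

Run it to compare its output with the two parsed documents shown above; fields the raw event lacks (such as event.outcome on the finding) are simply absent rather than null.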

For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.

Further Readings