Gatewatcher AionIQ (>=v103)
Overview
Gatewatcher AionIQ is a detection and response platform for your network that identifies malicious actions and suspicious behaviors.
- Vendor: Gatewatcher
- Supported environment: On Premise
- Version compatibility, if applicable: 2.5.3.103
- Detection based on: Network Telemetry
- Supported application or feature: Malware and Network events
High-Level Architecture Diagram
- Type of integration: Outbound (PUSH to Sekoia.io)
Specification
Prerequisites
- Resource:
- Self-managed syslog forwarder
- Network:
- Outbound traffic allowed
- Permissions:
- Administrator rights on the Gatewatcher GCenter
- Root access to the Linux server with the syslog forwarder
Transport Protocol/Method
- Indirect Syslog
Logs details
- Supported functionalities: See section Overview
- Supported type(s) of structure: JSON
- Supported verbosity level: Alert / Informational
Note
Log levels are based on the taxonomy of RFC 5424. Adapt according to the terminology used by the vendor.
Step-by-Step Configuration Procedure
Instructions on the 3rd Party Solution
This setup guide will show you how to forward your Gatewatcher AionIQ logs to Sekoia.io by means of a syslog transport channel.
Setup syslog forwarding on GCenter
- Log on to your GCenter
- Go to Administrators > Data > Log export
- Click Data export #1 or Data export #2
- Click Enabled to activate the data export
- In the Logging server section, set the hostname to your log concentrator and the port number to 514
- Select 5424 as Syslog RFC and tcp as the protocol
- Select ECS log format 1.0.0 as formatting
- Click Save changes to save the configuration
See GCenter documentation for more details.
Configure a forwarder
To forward events using syslog to Sekoia.io, you need to update the syslog header with the intake key you previously created. Here is an example of a message before the forwarder (first line) and after the forwarder has inserted the intake key as an RFC 5424 structured-data element (second line):
<%pri%>1 %timestamp:::date-rfc3339% %hostname% %app-name% %procid% LOG RAW_MESSAGE
<%pri%>1 %timestamp:::date-rfc3339% %hostname% %app-name% %procid% LOG [SEKOIA@53288 intake_key=\"YOUR_INTAKE_KEY\"] RAW_MESSAGE
To achieve this you can:
- Use the Sekoia.io forwarder, which is the officially supported way to collect data using the syslog protocol in Sekoia.io. It is a prepackaged option in charge of centralizing data coming from many devices/sources and forwarding them to Sekoia.io in the appropriate format. You only have to provide your intake key as a parameter.
- Use your own syslog service instance. You may already have an instance of one of these components on your side and want to reuse it in order to centralize data before forwarding them to Sekoia.io. When using this mode, you have to configure and maintain your component so that it produces the format Sekoia.io expects.
Warning
Only the Sekoia.io forwarder is officially supported. Other options are documented for reference purposes but do not have official support.
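As an added example (not Sekoia.io's or Gatewatcher's code), the following Python function performs the header rewrite a self-managed forwarder has to do: it parses the RFC 5424 header, inserts the SEKOIA@53288 structured-data element after the MSGID, and handles the nil SD field (`-`), pre-existing SD elements, and the loose template form above in which the SD field is omitted altogether. The intake key and the sample messages are constructed placeholders.

```python
import re

# RFC 5424 HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
# followed by STRUCTURED-DATA ("-" or one or more [..] elements) and an optional SP MSG.
_HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<rest>.*)$",
    re.DOTALL,
)

SEKOIA_SD_ID = "SEKOIA@53288"  # SD-ID used by Sekoia.io, as shown in the template above


def _escape_param_value(value: str) -> str:
    """RFC 5424 section 6.3.3: '"', '\\' and ']' inside a PARAM-VALUE must be backslash-escaped."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def _split_structured_data(rest: str) -> tuple[str, str]:
    """Split what follows MSGID into (STRUCTURED-DATA, MSG).

    Accepts the strict form ("-" or [..] elements, then SP MSG) and the loose form of the
    template above, where the SD field is omitted and everything after MSGID is the message
    (assumes the raw message does not itself start with "[", true for the JSON events here)."""
    if rest == "-" or rest.startswith("- "):
        return "-", rest[2:]
    if not rest.startswith("["):
        return "-", rest
    i = 0
    while i < len(rest) and rest[i] == "[":
        j = i + 1
        while j < len(rest) and rest[j] != "]":
            j += 2 if rest[j] == "\\" else 1  # skip escaped characters such as \]
        if j >= len(rest):
            raise ValueError("unterminated SD-ELEMENT")
        i = j + 1
    sd, msg = rest[:i], rest[i:]
    return sd, msg[1:] if msg.startswith(" ") else msg


def add_intake_key(message: str, intake_key: str) -> str:
    """Return `message` with [SEKOIA@53288 intake_key="..."] inserted as structured data.

    Idempotent: a line that already carries the SEKOIA@53288 element is returned unchanged,
    so a relay that sees the same event twice does not tag it twice."""
    m = _HEADER_RE.match(message)
    if m is None:
        raise ValueError("not an RFC 5424 message (expected <PRI>VERSION and six header fields)")
    sd, msg = _split_structured_data(m.group("rest"))
    if f"[{SEKOIA_SD_ID} " in sd:
        return message
    element = f'[{SEKOIA_SD_ID} intake_key="{_escape_param_value(intake_key)}"]'
    new_sd = element if sd == "-" else sd + element  # SD elements are adjacent, no separator
    return message[: m.start("rest")] + new_sd + (" " + msg if msg else "")


if __name__ == "__main__":
    # Constructed sample line in the shape GCenter exports with RFC 5424 selected.
    before = ('<134>1 2024-09-09T13:02:59.354490664Z gcenter-clelyo-01.gatewatcher.com '
              'gcenter - LOG - {"event":{"kind":"alert","module":"beacon_detect"}}')
    print(add_intake_key(before, "YOUR_INTAKE_KEY"))
```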
Instructions on Sekoia
Configure Your Intake
This section will guide you through creating the intake object in Sekoia, which provides a unique identifier called the "Intake key." The Intake key is essential for later configuration, as it references the Community, Entity, and Parser (Intake Format) used when receiving raw events on Sekoia.
- Go to the Sekoia Intake page.
- Click on the + New Intake button at the top right of the page.
- Search for your Intake by the product name in the search bar.
- Give it a Name and associate it with an Entity (and a Community if using multi-tenant mode).
- Click on Create.
Note
For more details on how to use the Intake page and to find the Intake key you just created, refer to this documentation.
Raw Events Samples
In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.
{
"tls": {
"client": {
"server_name": "cisco-update.com"
}
},
"@version": "1",
"event": {
"created": "2024-09-09T13:02:34.254441+00:00",
"end": "2024-09-09T11:52:25.666000+00:00",
"severity": 3,
"module": "beacon_detect",
"start": "2024-09-09T11:47:44.012000+00:00",
"category": [
"network",
"intrusion_detection"
],
"kind": "alert",
"id": "5e7bb104-6493-43b2-be4d-f7c28ce79e85",
"dataset": "alert"
},
"source": {
"ip": "10.0.0.60",
"mac": "60:57:18:e9:4f:5d"
},
"beacon": {
"mean_time_interval": 1,
"active": true,
"possible_cnc": "not_recognized",
"session_count": 260,
"type": "constant",
"id": "c4c886b4ad",
"hostname_resolution": "not_analyzed"
},
"destination": {
"ip": "157.230.93.100",
"port": 443
},
"observer": {
"product": "gcenter",
"uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f",
"log_format_version": "1.0.0",
"hostname": "gcenter-clelyo-01.gatewatcher.com",
"gcap": {
"hostname": "gcap-clement-l.gatewatcher.fr",
"version": "2.5.4.0-rc1"
},
"version": "2.5.3.103",
"vendor": "gatewatcher"
},
"ecs": {
"version": "8.6.0"
},
"@timestamp": "2024-09-09T13:02:59.354490664Z",
"url": {
"domain": "cisco-update.com"
},
"network": {
"protocol": "tls",
"timestamp": "2024-09-09T11:47:44.012000+00:00",
"transport": "tcp"
}
}
{
"observer": {
"vendor": "gatewatcher",
"uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f",
"gcap": {
"ingress": {
"interface": {
"name": "monvirt"
}
},
"hostname": "gcap-clement-l.gatewatcher.fr",
"version": "2.5.4.0-rc1"
},
"version": "2.5.3.103",
"log_format_version": "1.0.0",
"hostname": "gcenter-clelyo-01.gatewatcher.com",
"product": "gcenter"
},
"network": {
"protocol": "unknown",
"transport": "tcp",
"timestamp": "2024-09-11T09:10:46.975548+0000",
"flow_id": 779924698221176
},
"source": {
"port": 35444,
"ip": "10.127.0.111"
},
"destination": {
"port": 4242,
"ip": "10.127.0.222"
},
"malicious_powershell": {
"proba_obfuscated": 1,
"score": 1890,
"sample_id": "09-11-2024T09:11:49_5a4a9ad809c84969b7f2bac324e41554_gcap-clement-l.gatewatcher.fr",
"id": "60b656e17bec0a97f5638790c78a3124",
"score_details": {
"StrReplace": 0,
"StreamReader": 0,
"StartBitsTransfer": 0,
"InvokeRestMethod": 0,
"Base64": 1520,
"StreamWriter": 0,
"InvokeExpression": 0,
"SystemIOFile": 0,
"StrJoin": 0,
"StrCat": 370,
"WebClientInvokation": 0,
"GetContent": 0,
"FmtStr": 0,
"CharInt": 0,
"InvokeWebRequest": 0,
"AddContent": 0,
"SetContent": 0
}
},
"ecs": {
"version": "8.6.0"
},
"@timestamp": "2024-09-11T09:11:52.737102768Z",
"@version": "1",
"event": {
"id": "de7b5e80-a4b2-4ed6-b566-3590945e34d5",
"kind": "alert",
"module": "malicious_powershell_detect",
"severity": 1,
"dataset": "alert",
"category": [
"network",
"intrusion_detection"
],
"created": "2024-09-11T09:11:52.735668+0000"
}
}
{
"network": {
"protocol": "unknown",
"timestamp": "2024-09-11T15:35:30.167846+0000",
"transport": "tcp",
"flow_id": 888739207482646
},
"observer": {
"vendor": "gatewatcher",
"uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f",
"gcap": {
"ingress": {
"interface": {
"name": "monvirt"
}
},
"hostname": "gcap-clement-l.gatewatcher.fr",
"version": "2.5.4.0-rc1"
},
"version": "2.5.3.103",
"log_format_version": "1.0.0",
"hostname": "gcenter-clelyo-01.gatewatcher.com",
"product": "gcenter"
},
"destination": {
"port": 6666,
"ip": "178.160.128.2"
},
"source": {
"port": 60078,
"ip": "80.15.17.183"
},
"ecs": {
"version": "8.6.0"
},
"shellcode": {
"sub_type": "Windows_x86_32",
"encodings": [
{
"name": "Bloxor",
"count": 4
}
],
"sample_id": "09-11-2024T15:36:31_8608eb20e6844d2786d36811f92a673b_gcap-clement-l.gatewatcher.fr",
"analysis": [
{
"call": "kernel32_LoadLibraryA",
"args": "{lpFileName: user32.dll}",
"_id": 0,
"ret": "0x70600000"
},
{
"call": "user32_MessageBoxA",
"args": "{hWnd: None, lpText: Do you like GateWatcher ?, lpCaption: Gatewatcher2018, uType: [MB_OK, MB_ICONQUESTION, MB_DEFBUTTON1, MB_APPLMODAL, None]}",
"_id": 1,
"ret": "1"
},
{
"call": "kernel32_ExitProcess",
"args": "{uExitCode: 0}",
"_id": 2,
"ret": "0"
},
{
"info": "Stop : End of shellcode (Exit)",
"_id": -1
}
],
"id": "790a2aa742e1da23e14c9b7270ee81a1"
},
"@timestamp": "2024-09-11T15:36:36.071882055Z",
"@version": "1",
"event": {
"dataset": "alert",
"kind": "alert",
"module": "shellcode_detect",
"category": [
"network",
"intrusion_detection"
],
"severity": 1,
"id": "8c03d100-794f-45fe-8d92-7409c925b255",
"created": "2024-09-11T15:36:36.068564+0000"
}
}
{
"network": {
"protocol": "dns",
"transport": "udp",
"timestamp": "2024-09-11T09:15:25.886786+00:00",
"flow_id": 1434780527372168
},
"observer": {
"vendor": "gatewatcher",
"uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f",
"gcap": {
"hostname": "gcap-clement-l.gatewatcher.fr",
"version": "2.5.4.0-rc1"
},
"version": "2.5.3.103",
"log_format_version": "1.0.0",
"hostname": "gcenter-clelyo-01.gatewatcher.com",
"product": "gcenter"
},
"source": {
"ip": "27.0.0.227"
},
"destination": {
"port": 53,
"ip": "202.129.215.23"
},
"ecs": {
"version": "8.6.0"
},
"dga": {
"dga_count": 35,
"dga_ratio": 0.97,
"malware_behavior_confidence": 50,
"nx_domain_count": 36,
"top_DGA": [
"zmhaoyukbol6a.com",
"ppyblaohb.com",
"khllpmpmare.com",
"lttulzaiaoctpa7.com",
"jetuergatod.com",
"riaaiysk.com",
"anxsmqyfy.com",
"tqjhvylf.com",
"vdunsygwoktx.com",
"jhghrlufoh.com"
]
},
"@timestamp": "2024-09-11T09:16:33.314331057Z",
"@version": "1",
"event": {
"created": "2024-09-11T09:16:33.194964+00:00",
"end": "2024-09-11T09:15:27.858000+00:00",
"kind": "alert",
"module": "dga_detect",
"start": "2024-09-11T09:15:22.995000+00:00",
"severity": 1,
"category": [
"network",
"intrusion_detection"
],
"dataset": "alert",
"id": "0ec85c0d-68b6-4602-b26e-d0966d5e1b9d"
}
}
{
"observer": {
"hostname": "gcenter-interne-rd-56.gatewatcher.com",
"product": "gcenter",
"version": "2.5.3.103",
"vendor": "gatewatcher",
"log_format_version": "1.0.0"
},
"event": {
"kind": "event",
"dataset": "administration",
"category": [
"host"
],
"module": "history",
"id": "8223b432-7e97-4570-a29d-254f41dbb9db"
},
"ecs": {
"version": "8.6.0"
},
"history": {
"type": "user",
"name": "pierre.pocry",
"id": 18,
"ip": "192.192.32.12",
"content": {},
"method": "POST",
"endpoint": "/gum/configuration",
"code": "200"
},
"@timestamp": "2022-09-01T16:06:51.664Z"
}
{
"observer": {
"product": "lastinfosec",
"vendor": "gatewatcher",
"log_format_version": "1.0.0"
},
"event": {
"kind": "enrichment",
"dataset": "ioc",
"category": [
"network",
"threat"
],
"module": "ioc",
"id": "3713d994-1db4-40ff-abe9-2f43bac7b5fa",
"created": "2019-10-23T05:33:54+00:00",
"severity": 2,
"severity_human": "High suspicious"
},
"ecs": {
"version": "8.6.0"
},
"ioc": {
"tlp": "green",
"type": "SHA256",
"value": "2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4",
"signature": "SHA256 - malware/trojan - PLEAD - BlackTech - 3713d994-1db4-40ff-abe9-2f43bac7b5fa",
"description": "2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4 is a High suspicious SHA256.\nThis SHA256 is linked to a malware attack of the PLEAD family and organised by BlackTech intrusion set.\nWe advised to use this IoC in detection mode.",
"relations": [
"6fe8a2a1-a1b0-4af8-953d-4babd329f8f8",
"b57f419e-8b12-49d3-886b-145383725dcd"
],
"ttp": [],
"families": [
"PLEAD"
],
"campaigns": [],
"categories": [
"malware",
"trojan"
],
"threat_actor": [
"BlackTech"
],
"targeted_sectors": [],
"targeted_organizations": [],
"targeted_platforms": [],
"targeted_countries": [],
"vulnerabilities": [],
"kill_chain_phases": [],
"meta_data": {
"cwe": [],
"descriptions": [],
"usageMode": "detection"
},
"usage_mode": "detection",
"case_id": "21615052-7cf3-48cd-9aff-36a61e45528c",
"updated_date": "2023-04-07T04:10:34+00:00",
"package_date": "2023-04-07T05:00:02.362356+0000",
"creation_date": "2019-10-23T05:33:54+00:00",
"tags": [
"troj_fr.df33c1bd",
"trojan.plead.win32.33",
"gen:variant.graftor.598952 (b)",
"generic backdoor.gy",
"win32/plead.au trojan",
"trojan/plead!exyhr4fe",
"trojan.win32.plead.fqunov",
"tr/plead.mysge",
"trojan.win32.plead",
"trojan ( 0055a46c1 )",
"malware",
"trojan.win32.plead.aa",
"trojan/win32.plead"
],
"external_links": [
{
"source_name": "Twitter",
"url": "http://web.archive.org/web/20191227104253/https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html"
},
{
"source_name": "Twitter",
"url": "http://web.archive.org/web/20191206225333/https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html"
},
{
"source_name": "Twitter",
"url": "https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html"
},
{
"source_name": "Twitter",
"url": "https://twitter.com/i/web/status/1186877625295196160"
},
{
"source_name": "any.run_report",
"url": "https://any.run/report/2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4"
}
]
}
}
{
"observer": {
"vendor": "gatewatcher",
"uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f",
"gcap": {
"ingress": {
"interface": {
"name": "monvirt"
}
},
"hostname": "gcap-clement-l.gatewatcher.fr",
"version": "2.5.4.0-rc1"
},
"version": "2.5.3.103",
"log_format_version": "1.0.0",
"hostname": "gcenter-clelyo-01.gatewatcher.com",
"product": "gcenter"
},
"source": {
"port": 80,
"ip": "202.129.215.251"
},
"file": {
"magic": "Macromedia Flash data (compressed), version 13",
"sid": [
1100020
],
"hash": {
"sha256": "6d3a6e2c771ab1a3721235ed3b3c4a2c3013290564272bcb6fbc9a15be79278b"
},
"name": "/",
"file_id": 219,
"tx_id": 2,
"state": "CLOSED",
"gaps": false,
"size": 55351,
"stored": true
},
"@timestamp": "2024-09-11T09:31:00.111583612Z",
"malcore": {
"file_type": "application/x-shockwave-flash",
"analyzers_up": 16,
"analyzed_clean": 9,
"engines_last_update_date": "2024-09-03T17:15:00Z",
"state": "Infected",
"total_found": "3/16",
"detail_scan_time": 373,
"reporting_token": "",
"analyzed_infected": 3,
"detail_threat_found": "Infected : EXP/Flash.EB.502, SWF/Exploit, Exploit.Flash",
"analyzed_suspicious": 0,
"analyzed_error": 0,
"processing_time": 1576,
"engine_id": {
"5": {
"scan_result": "CLEAN",
"threat_details": "",
"id": "c18ab9n"
},
"8": {
"scan_result": "INFECTED",
"threat_details": "Exploit.Flash",
"id": "ib54e9s"
},
"4": {
"scan_result": "UNSUPPORTED_FILE_TYPE",
"threat_details": "",
"id": "c10195e"
},
"14": {
"scan_result": "CLEAN",
"threat_details": "",
"id": "t3114fn"
},
"13": {
"scan_result": "CLEAN",
"threat_details": "",
"id": "sde882s"
},
"9": {
"scan_result": "CLEAN",
"threat_details": "",
"id": "kfb8487"
},
"12": {
"scan_result": "CLEAN",
"threat_details": "",
"id": "qb9308l"
},
"10": {
"scan_result": "CLEAN",
"threat_details": "",
"id": "mb2b5fe"
},
"0": {
"scan_result": "CLEAN",
"threat_details": "",
"id": "a32935b"
},
"15": {
"scan_result": "UNSUPPORTED_FILE_TYPE",
"threat_details": "",
"id": "we9a17t"
},
"6": {
"scan_result": "CLEAN",
"threat_details": "",
"id": "c81e55c"
},
"7": {
"scan_result": "NOT_SCANNED",
"threat_details": "",
"id": "e83bf1t"
},
"3": {
"scan_result": "CLEAN",
"threat_details": "",
"id": "b557a5r"
},
"1": {
"scan_result": "INFECTED",
"threat_details": "EXP/Flash.EB.502",
"id": "acf9bba"
},
"11": {
"scan_result": "NOT_SCANNED",
"threat_details": "Unavailable (permanently_failed)",
"id": "n00000e"
},
"2": {
"scan_result": "INFECTED",
"threat_details": "SWF/Exploit",
"id": "af7872b"
}
},
"detail_wait_time": 660,
"file_type_description": "Macromedia Flash Player",
"code": 1,
"magic_details": "Macromedia Flash data (compressed), version 13",
"analyzed_other": 4
},
"@version": "1",
"network": {
"protocol": "http",
"timestamp": "2024-09-11T09:15:23.329615+0000",
"transport": "tcp",
"flow_id": 1779492455056060
},
"destination": {
"port": 47858,
"ip": "27.0.0.144"
},
"url": {
"domain": "chunky.enchantingweddingsandevents.co.uk",
"path": "/?q=&g=BDvv&y=enL16_6s_&s=t5qV-&e=_b_J--DqR&w=C2pZhaRyfn3uVT_v5Sfgs"
},
"user_agent": {
"original": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
},
"ecs": {
"version": "8.6.0"
},
"http": {
"request": {
"method": "GET"
},
"hostname": "chunky.enchantingweddingsandevents.co.uk",
"version": "HTTP/1.1",
"http_refer": "http://chunky.enchantingweddingsandevents.co.uk/topic/03251-esplanade-interoperability-fuchsias-renegotiate-percent-youngster-trounced/",
"response": {
"status": 200,
"mime_type": "application/x-shockwave-flash",
"bytes": 55351
}
},
"event": {
"id": "7c4e2a77-3481-4201-8247-889fe0718ed8",
"kind": "alert",
"module": "malcore",
"severity": 1,
"category": [
"network",
"file"
],
"created": "2024-09-11T09:15:23.329615+0000",
"dataset": "alert"
}
}
{
"observer": {
"vendor": "gatewatcher",
"uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f",
"gcap": {
"ingress": {
"interface": {
"name": "monvirt"
}
},
"hostname": "gcap-clement-l.gatewatcher.fr",
"version": "2.5.4.0-rc1"
},
"version": "2.5.3.103",
"log_format_version": "1.0.0",
"hostname": "gcenter-clelyo-01.gatewatcher.com",
"product": "gcenter"
},
"source": {
"mac": "00:50:56:91:85:03",
"port": 56098,
"ip": "10.2.19.131"
},
"metadata": {
"flowbits": [
"min.gethttp",
"exe.no.referer",
"ET.http.binary"
]
},
"@timestamp": "2024-09-12T13:24:51.231Z",
"@version": "1",
"network": {
"protocol": "http",
"community_id": "1:X+96B6BxVtmLT4rsbtdZeemyV0M=",
"timestamp": "2024-09-12T13:24:15.978904+0000",
"transport": "tcp",
"tx_id": 6,
"flow_id": 803295979358070
},
"destination": {
"mac": "00:09:0f:09:00:12",
"port": 80,
"ip": "10.2.10.205"
},
"url": {
"path": "/FireInstaller4.exe"
},
"user_agent": {
"original": "nghttp2/1.43.0"
},
"ecs": {
"version": "8.6.0"
},
"http": {
"request_headers": [
{
"name": ":method",
"value": "GET"
},
{
"name": ":path",
"value": "/FireInstaller4.exe"
},
{
"name": ":scheme",
"value": "http"
},
{
"name": ":authority",
"value": "10.2.10.205"
},
{
"name": "accept",
"value": "*/*"
},
{
"name": "accept-encoding",
"value": "gzip, deflate"
},
{
"name": "user-agent",
"value": "nghttp2/1.43.0"
}
],
"http2": {
"request": {
"priority": 15
},
"stream_id": 13,
"response": {}
},
"request": {
"method": "GET"
},
"response_headers": [
{
"name": ":status",
"value": "200"
},
{
"name": "server",
"value": "nginx/1.25.2"
},
{
"name": "date",
"value": "Mon, 08 Jan 2024 15:27:20 GMT"
},
{
"name": "content-type",
"value": "text/plain"
},
{
"name": "content-length",
"value": "319824"
},
{
"name": "last-modified",
"value": "Mon, 08 Jan 2024 15:21:12 GMT"
},
{
"name": "etag",
"value": "\"659c12e8-4e150\""
},
{
"name": "accept-ranges",
"value": "bytes"
}
],
"version": "2",
"response": {
"status": 200,
"bytes": 319824
}
},
"event": {
"kind": "event",
"module": "sigflow_http",
"category": [
"network"
],
"created": "2024-09-12T13:24:15.978904+0000",
"dataset": "network_metadata",
"id": "78681613-57af-4e10-b732-58f5d2e0ae12"
}
}
{
"observer": {
"vendor": "gatewatcher",
"uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f",
"gcap": {
"ingress": {
"interface": {
"name": "monvirt"
}
},
"hostname": "gcap-clement-l.gatewatcher.fr",
"version": "2.5.4.0-rc1"
},
"version": "2.5.3.103",
"log_format_version": "1.0.0",
"hostname": "gcenter-clelyo-01.gatewatcher.com",
"product": "gcenter"
},
"source": {
"port": 80,
"ip": "56.53.117.115"
},
"file": {
"magic": "PDF document, version 1.5",
"sid": [
1100008
],
"hash": {
"sha256": "50c561f1e32cb1990a3050015088713e657f0081ba774dda2f9fcef828dcf703"
},
"name": "/malcore_10KB_clean.pdf",
"file_id": 224,
"tx_id": 0,
"state": "CLOSED",
"gaps": false,
"size": 10456,
"stored": true
},
"@timestamp": "2024-09-11T13:56:19.010Z",
"@version": "1",
"network": {
"protocol": "http",
"timestamp": "2024-09-11T13:55:51.326090+0000",
"transport": "tcp",
"flow_id": 1331841998458539
},
"destination": {
"port": 62832,
"ip": "65.100.113.120"
},
"url": {
"domain": "56.53.117.115",
"path": "/malcore_10KB_clean.pdf"
},
"ecs": {
"version": "8.6.0"
},
"http": {
"request": {
"method": "GET"
},
"hostname": "56.53.117.115",
"version": "HTTP/1.1",
"response": {
"status": 200,
"mime_type": "application/pdf",
"bytes": 10456
}
},
"event": {
"kind": "event",
"module": "sigflow_file",
"category": [
"network",
"file"
],
"created": "2024-09-11T13:55:51.326090+0000",
"dataset": "network_metadata",
"id": "d66539e6-825e-4516-8c8c-2778dd6d9358"
}
}
{
"observer": {
"hostname": "gcenter-interne-rd-56.gatewatcher.com",
"product": "gcenter",
"version": "2.5.3.103",
"vendor": "gatewatcher",
"gcap": {
"hostname": "gcap-interne-rd-55.gatewatcher.com",
"version": "2.5.3.107",
"ingress": {
"interface": {
"name": "mon0"
}
}
},
"log_format_version": "1.0.0"
},
"event": {
"kind": "alert",
"dataset": "alert",
"category": [
"network",
"intrusion_detection"
],
"module": "network_behavior_analytics",
"created": "2022-09-01T16:06:15.605Z",
"id": "730a47f1-f7b1-4faa-9d61-8a41d7b138ed",
"severity": 2
},
"ecs": {
"version": "8.6.0"
},
"network": {
"transport": "tcp",
"protocol": "http",
"flow_id": 2071994639527866,
"community_id": "1:Q22WBDRnlyCXH/Y/pcypXCr+nJc=",
"timestamp": "2022-09-01T16:06:15.605Z",
"tx_id": 0
},
"source": {
"ip": "10.2.6.250",
"port": 50886,
"mac": "00:50:56:91:73:14"
},
"destination": {
"ip": "13.107.4.52",
"port": 80,
"mac": "00:08:e3:ff:fc:28"
},
"nba": {
"packet": "AAjj//woAFBWkXMUCABFAAAo6pNAAEAGLaIKAgb6DWsENMbGAFBecku30OsVlVAQAfUzhAAAAAAAAAAA",
"payload": "R0VUIC9jb25uZWN0dGVzdC50eHQgSFRUUC8xLjENClByYWdtYTogbm8tY2FjaGUNClVzZXItQWdlbnQ6IE1pY3Jvc29mdCBOQ1NJDQpIb3N0OiB3d3cubXNmdGNvbm5lY3R0ZXN0LmNvbQ0KQ2FjaGUtQ29udHJvbDogbm8tY2FjaGUNCkNvbm5lY3Rpb246IGtlZXAtYWxpdmUNCg0K",
"payload_printable": "GET /connecttest.txt HTTP/1.1\r\nPragma: no-cache\r\nUser-Agent: Microsoft NCSI\r\nHost: www.msftconnecttest.com\r\nCache-Control: no-cache\r\nConnection: keep-alive\r\n\r\n",
"signature_id": 2031071,
"gid": 1,
"category": "Network Behavior Analytics",
"action": "allowed",
"signature": "NBA C&C tracker : cobalt strike tcp initialization",
"metadata": {
"performance_impact": [
"High"
],
"signature_severity": [
"CRITICAL"
]
},
"rev": 1,
"stream": 1
},
"http": {
"url": "/connecttest.txt",
"http_user_agent": "Microsoft NCSI",
"version": "HTTP/1.1",
"hostname": "www.msftconnecttest.com",
"request": {
"method": "GET"
},
"response": {
"bytes": 22,
"status_code": 200,
"mime_type": "text/plain"
}
},
"url": {
"domain": "www.msftconnecttest.com",
"path": "/connecttest.txt"
},
"user_agent": {
"original": "Microsoft NCSI"
},
"packet_info": {
"linktype": 1
},
"flow": {
"bytes_toclient": 700,
"pkts_toclient": 3,
"bytes_toserver": 407,
"pkts_toserver": 4,
"start": "2022-09-01T16:06:15.602042+0000"
},
"@version": "1",
"@timestamp": "2022-09-01T16:06:51.664Z"
}
{
"source": {
"ip": "172.31.47.105",
"port": 50066
},
"event": {
"created": "2024-09-13T09:11:20.223813+00:00",
"dataset": "alert",
"end": "2024-09-13T09:09:11.988000",
"module": "ransomware_detect",
"kind": "alert",
"category": [
"network",
"intrusion_detection"
],
"start": "2024-09-13T09:08:51.988000",
"id": "f357f7d1-e322-4f67-b798-50d05f54204b",
"severity": 1
},
"observer": {
"product": "gcenter",
"log_format_version": "1.0.0",
"uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f",
"vendor": "gatewatcher",
"gcap": {
"ingress": {
"interface": {
"name": "monvirt"
}
},
"version": "2.5.4.0-rc1",
"hostname": "gcap-clement-l.gatewatcher.fr"
},
"version": "2.5.3.103",
"hostname": "gcenter-clelyo-01.gatewatcher.com"
},
"destination": {
"ip": "172.31.33.0",
"port": 445
},
"ecs": {
"version": "8.6.0"
},
"ransomware": {
"alert_threshold": 648,
"malicious_behavior_confidence": 80,
"session_score": 37
},
"@timestamp": "2024-09-13T09:11:39.629080222Z",
"smb": {
"session_id": 593737889611873
},
"network": {
"protocol": "smb",
"flow_id": 1465670492342121,
"transport": "tcp",
"timestamp": "2024-09-13T09:08:44.877000+00:00",
"community_id": "1:RA5iYDlaiu3WMutFLj5r//rbk34="
},
"@version": "1"
}
{
"observer": {
"id": ""
},
"event": {
"kind": "alert",
"dataset": "alert",
"category": [
"network",
"intrusion_detection"
],
"module": "retrohunt",
"created": "2022-12-14T09:51:30.455Z",
"id": "8223b432-7e97-4570-a29d-254f41dbb9db",
"severity": 2
},
"ecs": {
"version": "8.6.0"
},
"network": {
"ether": ""
},
"source": {
"ip": "127.0.0.1",
"port": "80"
},
"destination": {
"ip": "127.0.0.1",
"port": "8080"
},
"matched_event": {
"id": "1"
},
"ioc": {
"id": "1"
},
"@timestamp": "2022-09-01T12:49:07.749Z"
}
{
"observer": {
"vendor": "gatewatcher",
"uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f",
"gcap": {
"ingress": {
"interface": {
"name": "monvirt"
}
},
"hostname": "gcap-clement-l.gatewatcher.fr",
"version": "2.5.4.0-rc1"
},
"version": "2.5.3.103",
"log_format_version": "1.0.0",
"hostname": "gcenter-clelyo-01.gatewatcher.com",
"product": "gcenter"
},
"source": {
"mac": "00:6f:37:76:51:45",
"port": 62832,
"ip": "65.100.113.120"
},
"metadata": {
"flowbits": [
"http.dottedquadhost.pdf"
]
},
"@timestamp": "2024-09-11T13:55:34.006Z",
"@version": "1",
"network": {
"protocol": "http",
"community_id": "1:8T6+TppVoaMkXwi+BTjnzAYozVc=",
"timestamp": "2024-09-11T13:55:01.080901+0000",
"transport": "tcp",
"tx_id": 0,
"flow_id": 1331841998337663
},
"destination": {
"mac": "00:43:70:57:75:55",
"port": 80,
"ip": "56.53.117.115"
},
"flow": {
"bytes_toclient": 1362,
"bytes_toserver": 358,
"pkts_toclient": 3,
"start": "2024-09-11T13:55:01.079487+0000",
"pkts_toserver": 4
},
"url": {
"domain": "56.53.117.115",
"path": "/malcore_10KB_clean.pdf"
},
"ecs": {
"version": "8.6.0"
},
"http": {
"request": {
"method": "GET"
},
"hostname": "56.53.117.115",
"version": "HTTP/1.1",
"response": {
"status": 200,
"mime_type": "application/pdf",
"bytes": 1135
}
},
"sigflow": {
"action": "allowed",
"metadata": {
"signature_severity": [
"Informational"
],
"attack_target": [
"Client_Endpoint"
],
"created_at": [
"2019_04_23"
],
"deployment": [
"Perimeter"
],
"performance_impact": [
"Significant"
],
"updated_at": [
"2022_11_21"
]
},
"signature": "ET INFO Dotted Quad Host PDF Request",
"payload_printable": "GET /malcore_10KB_clean.pdf HTTP/1.1\r\nHost: 56.53.117.115\r\nAccept-Encoding: gzip,compress,deflate\r\nKeep-Alive: 300\r\nConnection: keep-alive\r\n\r\n",
"packet": "AENwV3VVAG83dlFFCABFAAAoAAEAAEAGGktBZHF4ODV1c/VwAFAa9wCtFhR7nlAQIACMOAAA",
"stream": 1,
"signature_id": 2027265,
"rev": 4,
"category": "Potentially Bad Traffic",
"gid": 1,
"packet_info": {
"linktype": 1
},
"payload": "R0VUIC9tYWxjb3JlXzEwS0JfY2xlYW4ucGRmIEhUVFAvMS4xDQpIb3N0OiA1Ni41My4xMTcuMTE1DQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsY29tcHJlc3MsZGVmbGF0ZQ0KS2VlcC1BbGl2ZTogMzAwDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQoNCg=="
},
"event": {
"dataset": "alert",
"kind": "alert",
"module": "sigflow_alert",
"severity": 2,
"category": [
"network",
"intrusion_detection"
],
"id": "58c28570-6c90-4ba9-b9b5-f72867d5fa08",
"created": "2024-09-11T13:55:01.080901+0000"
}
}
{
"observer": {
"hostname": "gcenter-interne-rd-56.gatewatcher.com",
"product": "gcenter",
"version": "2.5.3.103",
"vendor": "gatewatcher",
"gcap": {
"hostname": "gcap-interne-rd-55.gatewatcher.com",
"version": "2.5.3.107"
},
"log_format_version": "1.0.0"
},
"event": {
"kind": "metric",
"dataset": "system_metrics",
"category": [
"host"
],
"module": "sigflow_stats",
"created": "2022-12-14T09:51:30.455Z",
"id": "f14ab432-7e97-4570-a29d-254f41dbb9db"
},
"ecs": {
"version": "8.6.0"
},
"stats": {
"app_layer": {},
"tcp": {},
"uptime": 443637,
"ftp": {},
"flow_bypassed": {},
"decoder": {},
"detect": {},
"defrag": {},
"flow": {},
"capture": {},
"http": {},
"file_store": {}
},
"@version": "1",
"@timestamp": "2022-09-01T10:49:46.643Z"
}
{
"ecs": {
"version": "8.6.0"
},
"source": {
"ip": "1.2.3.2",
"port": 10000,
"mac": "55:55:55:55:99:66"
},
"@version": "1",
"observer": {
"vendor": "gatewatcher",
"product": "gcenter",
"gcap": {
"hostname": "hostname.test.fr",
"version": "2.5.4.0-rc9",
"ingress": {
"interface": {
"name": "testname"
}
}
},
"version": "2.5.3.103",
"hostname": "testcenter.test.fr",
"log_format_version": "1.0.0",
"uuid": "06699991-0000-5555-9333-577777771a36"
},
"dns": {
"type": "answer",
"response_code": "NOERROR",
"grouped": {
"CNAME": [
"test-switcher.test.net"
]
},
"rd": true,
"qr": true,
"opcode": 0,
"answers": {
"type": "CNAME",
"name": "test-switcher.testdesktop.net",
"data": [
{
"rrname": "test-switcher.testdesktop.net",
"rdata": "test-switcher.testdesktop.net",
"rrtype": "CNAME",
"ttl": 60
},
{
"rrname": "test-switcher.testdesktop.net",
"rrtype": "RRSIG",
"ttl": 60
}
]
},
"version": 2,
"flags": "8000",
"id": 44444,
"ra": true
},
"@timestamp": "2025-02-05T19:48:47.899Z",
"destination": {
"ip": "1.1.1.1",
"port": 53,
"mac": "00:00:00:00:00:0b"
},
"network": {
"timestamp": "2025-02-05T19:48:07.110939+0000",
"protocol": "dns",
"community_id": "1:MU54UuQZasAsDCTCRRR45553777=",
"flow_id": 1196387844666666,
"vlan": {
"id": 81
},
"transport": "udp"
},
"event": {
"kind": "event",
"module": "sigflow_dns",
"category": [
"network"
],
"created": "2025-02-05T19:48:07.110939+0000",
"id": "80baaf15-5d05-45a1-8052-4ac43c472e92",
"dataset": "network_metadata"
}
}
{
"ecs": {
"version": "8.6.0"
},
"source": {
"ip": "1.2.3.2",
"port": 10000,
"mac": "55:55:55:55:99:66"
},
"@version": "1",
"observer": {
"vendor": "gatewatcher",
"product": "gcenter",
"gcap": {
"hostname": "hostname.test.fr",
"version": "2.5.4.0-rc9",
"ingress": {
"interface": {
"name": "testname"
}
}
},
"version": "2.5.3.103",
"hostname": "testcenter.test.fr",
"log_format_version": "1.0.0",
"uuid": "06699991-0000-5555-9333-577777771a36"
},
"dns": {
"type": "answer",
"response_code": "NOERROR",
"grouped": {
"CNAME": [
"test-switcher.test.net"
]
},
"rd": true,
"qr": true,
"opcode": 0,
"answers": {
"type": "CNAME",
"name": "test-switcher.testdesktop.net"
},
"version": 2,
"flags": "8000",
"id": 44444,
"ra": true
},
"@timestamp": "2025-02-05T19:48:47.899Z",
"destination": {
"ip": "1.1.1.1",
"port": 53,
"mac": "00:00:00:00:00:0b"
},
"network": {
"timestamp": "2025-02-05T19:48:07.110939+0000",
"protocol": "dns",
"community_id": "1:MU54UuQZasAsDCTCRRR45553777=",
"flow_id": 1196387844666666,
"vlan": {
"id": 81
},
"transport": "udp"
},
"event": {
"kind": "event",
"module": "sigflow_dns",
"category": [
"network"
],
"created": "2025-02-05T19:48:07.110939+0000",
"id": "80baaf15-5d05-45a1-8052-4ac43c472e92",
"dataset": "network_metadata"
}
}
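As an added example (not part of the Gatewatcher or Sekoia.io documentation), the following Python reduces an NDJSON export of events like the ones above to one triage row per event by dispatching on `event.module`. The module-specific blocks (beacon, dga, malcore, ransomware, shellcode, sigflow) are read with the field names shown in the samples; the embedded export is a constructed, trimmed copy of four of them, and the handler table and row layout are this example's own choices.

```python
import json
from typing import Any, Callable

# Constructed sample export (NDJSON): trimmed copies of four event shapes shown above.
SAMPLE_EXPORT = "\n".join(json.dumps(e) for e in [
    {"event": {"module": "beacon_detect", "severity": 3}, "source": {"ip": "10.0.0.60"},
     "destination": {"ip": "157.230.93.100", "port": 443}, "url": {"domain": "cisco-update.com"},
     "beacon": {"type": "constant", "session_count": 260, "possible_cnc": "not_recognized"}},
    {"event": {"module": "malcore", "severity": 1}, "source": {"ip": "202.129.215.251"},
     "destination": {"ip": "27.0.0.144"},
     "file": {"hash": {"sha256": "6d3a6e2c771ab1a3721235ed3b3c4a2c3013290564272bcb6fbc9a15be79278b"}},
     "malcore": {"state": "Infected", "total_found": "3/16", "engine_id": {
         "1": {"scan_result": "INFECTED", "threat_details": "EXP/Flash.EB.502"},
         "5": {"scan_result": "CLEAN", "threat_details": ""},
         "8": {"scan_result": "INFECTED", "threat_details": "Exploit.Flash"}}}},
    {"event": {"module": "ransomware_detect", "severity": 1}, "source": {"ip": "172.31.47.105"},
     "destination": {"ip": "172.31.33.0", "port": 445},
     "ransomware": {"alert_threshold": 648, "malicious_behavior_confidence": 80, "session_score": 37}},
    {"event": {"module": "history", "kind": "event"}, "history": {"method": "POST"}},
])


def _get(event: dict, path: str, default: Any = None) -> Any:
    """Dotted-path lookup into a nested ECS document, e.g. _get(e, "destination.ip")."""
    cur: Any = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def _beacon(e: dict) -> dict:
    b = e.get("beacon", {})
    return {"indicator": _get(e, "url.domain") or _get(e, "destination.ip"),
            "detail": f"{b.get('type')} beacon, {b.get('session_count')} sessions, "
                      f"cnc={b.get('possible_cnc')}"}


def _dga(e: dict) -> dict:
    d = e.get("dga", {})
    return {"indicator": (d.get("top_DGA") or [None])[0],
            "detail": f"dga_ratio={d.get('dga_ratio')} nxdomain={d.get('nx_domain_count')} "
                      f"confidence={d.get('malware_behavior_confidence')}"}


def _malcore(e: dict) -> dict:
    m = e.get("malcore", {})
    # Only engines whose verdict is INFECTED contribute a threat name.
    hits = sorted(v.get("threat_details", "") for v in m.get("engine_id", {}).values()
                  if v.get("scan_result") == "INFECTED")
    return {"indicator": _get(e, "file.hash.sha256"),
            "detail": f"{m.get('state')} {m.get('total_found')}: {', '.join(hits)}"}


def _ransomware(e: dict) -> dict:
    r = e.get("ransomware", {})
    return {"indicator": f"{_get(e, 'destination.ip')}:{_get(e, 'destination.port')}",
            "detail": f"session_score={r.get('session_score')} threshold={r.get('alert_threshold')} "
                      f"confidence={r.get('malicious_behavior_confidence')}"}


def _shellcode(e: dict) -> dict:
    s = e.get("shellcode", {})
    calls = [step["call"] for step in s.get("analysis", []) if "call" in step]
    return {"indicator": s.get("sub_type"), "detail": " -> ".join(calls)}


def _sigflow(e: dict) -> dict:
    s = e.get("sigflow", {})
    return {"indicator": s.get("signature"),
            "detail": f"sid={s.get('signature_id')} rev={s.get('rev')} "
                      f"category={s.get('category')} action={s.get('action')}"}


HANDLERS: dict[str, Callable[[dict], dict]] = {
    "beacon_detect": _beacon, "dga_detect": _dga, "malcore": _malcore,
    "ransomware_detect": _ransomware, "shellcode_detect": _shellcode, "sigflow_alert": _sigflow,
}


def triage(ndjson: str) -> list[dict]:
    """Reduce each exported event to module / severity / endpoints / indicator / detail."""
    rows = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        module = _get(e, "event.module", "unknown")
        row = {"module": module, "severity": _get(e, "event.severity"),
               "src": _get(e, "source.ip"), "dst": _get(e, "destination.ip")}
        handler = HANDLERS.get(module)
        row.update(handler(e) if handler else {"indicator": None, "detail": "unhandled module"})
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_EXPORT):
        print(row)
```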
Detection section
The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.
Related Built-in Rules
The following Sekoia.io built-in rules match the intake Gatewatcher AionIQ V103. This documentation is updated automatically and is based solely on the fields used by the intake, which are checked against our rules. This means that some rules will be listed but might not be relevant to the intake.
SEKOIA.IO x Gatewatcher AionIQ V103 on ATT&CK Navigator
Advanced IP Scanner
Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
- Effort: master
Bazar Loader DGA (Domain Generation Algorithm)
Detects Bazar Loader domains based on the Bazar Loader DGA
- Effort: elementary
Certify Or Certipy
Detects the use of certify and certipy which are two different tools used to enumerate and abuse Active Directory Certificate Services.
- Effort: advanced
Cobalt Strike Default Beacons Names
Detects the default names of Cobalt Strike beacons / payloads.
- Effort: intermediate
Covenant Default HTTP Beaconing
Detects potential Covenant communications through the user-agent and specific urls
- Effort: intermediate
Credential Dump Tools Related Files
Detects processes or file names related to credential dumping tools and the dropped files they generate by default.
- Effort: advanced
Cryptomining
Detection of domain names potentially related to cryptomining activities.
- Effort: master
Discord Suspicious Download
Discord is a messaging application. It allows users to create their own communities to share messages and attachments. Those attachments have little to no overview and can be downloaded by almost anyone, which has been abused by attackers to host malicious payloads.
- Effort: advanced
Download Files From Non-Legitimate TLDs
Detects file downloads from non-legitimate TLDs. Additional legitimate TLDs should be filtered according to business habits.
- Effort: master
Dynamic DNS Contacted
Detects communication with a dynamic DNS domain. Such domains are often used by attackers. This rule can trigger false positives in uncontrolled environments, because dynamic DNS is not always malicious.
- Effort: master
EvilProxy Phishing Domain
Detects subdomains potentially generated by the EvilProxy adversary-in-the-middle phishing platform. Inspect the other subdomains of the domain to identify the landing page, and determine if the user submitted credentials. This rule has a small percentage of false positives on legitimate domains.
- Effort: intermediate
Exfiltration Domain
Detects traffic toward a domain flagged as a possible exfiltration vector.
- Effort: master
Gatewatcher AionIQ V103 Active CTI
Detects when a CTI-related event is raised by Gatewatcher AionIQ V103. The event may indicate that an attacker is gathering information.
- Effort: master
Gatewatcher AionIQ V103 Beacon Detect
Detects a suspicious beacon.
- Effort: master
Gatewatcher AionIQ V103 Dga Detect
Detects when a DGA-related event is raised by Gatewatcher. Attackers use domain generation algorithms to produce new domains for C2.
- Effort: master
Gatewatcher AionIQ V103 Malcore
Detects a malcore alert by Gatewatcher AionIQ V103 related to documents with passwords.
- Effort: master
Gatewatcher AionIQ V103 Malicious Powershell Detect
Detects malicious PowerShell reported by Gatewatcher AionIQ V103.
- Effort: master
Gatewatcher AionIQ V103 Network Behavior Analytics
Detects when network behavior analytics were requested.
- Effort: master
Gatewatcher AionIQ V103 Ransomware Detect
Detects when ransomware is reported by Gatewatcher AionIQ V103.
- Effort: master
Gatewatcher AionIQ V103 Retrohunt
Detects when a retrohunt event is raised by Gatewatcher AionIQ V103.
- Effort: master
Gatewatcher AionIQ V103 Shellcode Detect
Detects when suspicious shellcode is observed.
- Effort: master
Gatewatcher AionIQ V103 Sigflow Alert
Detects a Sigflow alert raised by Gatewatcher AionIQ V103.
- Effort: master
HackTools Suspicious Names
Quick-win rule to detect the default process names or file names of several HackTools.
- Effort: advanced
Koadic MSHTML Command
Detects a Koadic payload using the MSHTML module.
- Effort: intermediate
Nimbo-C2 User Agent
Detects the unusual User-Agent format that Nimbo-C2 uses in its implants.
- Effort: intermediate
PasswordDump SecurityXploded Tool
Detects the execution of the PasswordDump SecurityXploded Tool
- Effort: elementary
Potential Azure AD Phishing Page (Adversary-in-the-Middle)
Detects an HTTP request to a URL typical of the Azure AD authentication flow, but towards a domain that is not one of the legitimate Microsoft domains used for Azure AD authentication.
- Effort: intermediate
Potential Bazar Loader User-Agents
Detects potential Bazar Loader communications through the user-agent.
- Effort: elementary
Potential Lemon Duck User-Agent
Detects the LemonDuck user agent. The format uses two sets of alphabetical characters separated by dashes, for example "User-Agent: Lemon-Duck-[A-Z]-[A-Z]".
- Effort: elementary
Potential LokiBot User-Agent
Detects potential LokiBot communications through the user-agent
- Effort: intermediate
RTLO Character
Detects the RTLO (Right-To-Left Override) character in file and process names.
- Effort: elementary
Remote Access Tool Domain
Detects traffic toward a domain flagged as belonging to a Remote Administration Tool (RAT).
- Effort: master
Remote Monitoring and Management Software - AnyDesk
Detects artifacts related to the installation or execution of the Remote Monitoring and Management tool AnyDesk.
- Effort: master
SEKOIA.IO Intelligence Feed
Detects threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.
- Effort: elementary
Sekoia.io EICAR Detection
Detects observables tagged as EICAR in Sekoia.io CTI; these are harmless test samples meant to verify that detection works.
- Effort: master
Suspicious Email Attachment Received
Detects an email containing a suspicious file as an attachment, based on its extension.
- Effort: advanced
Suspicious File Name
Detects a suspicious file name possibly linked to a malicious tool.
- Effort: advanced
Suspicious PROCEXP152.sys File Created In Tmp
Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) and by Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU. Note: attackers can trivially bypass this detection by renaming the driver file, so the rule is only medium confidence and should not be relied on alone.
- Effort: advanced
TOR Usage
Detects TOR usage, based on the IP address and the destination port (filtered on NTP). TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on the user's computer, usually the web browser, and shuffles it through a number of randomly chosen computers before passing it on to its destination. This disguises the user's location and makes it harder for servers to pick them out on repeat visits, or to tie together separate visits to different sites, thus making tracking and surveillance more difficult. Before a network packet starts its journey, the user's computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption before passing what is left on to the next relay in the list.
- Effort: master
TOR Usage Generic Rule
Detects TOR usage globally, whether the IP is a destination or a source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on the user's computer, usually the web browser, and shuffles it through a number of randomly chosen computers before passing it on to its destination. This disguises the user's location and makes it harder for servers to pick them out on repeat visits, or to tie together separate visits to different sites, thus making tracking and surveillance more difficult. Before a network packet starts its journey, the user's computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption before passing what is left on to the next relay in the list.
- Effort: master
TrevorC2 HTTP Communication
Detects TrevorC2 HTTP communication based on the HTTP request URI and the user-agent.
- Effort: elementary
WCE wceaux.dll Creation
Detects wceaux.dll creation while Windows Credentials Editor (WCE) is executed.
- Effort: intermediate
Event Categories
The following table lists the data sources offered by this integration.
Data Source | Description |
---|---|
Network intrusion detection system | AionIQ identifies suspicious behaviors |
Network protocol analysis | AionIQ analyzes traffic protocols |
Transformed Events Samples after Ingestion
This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.
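To make the transformation concrete, the following is an added example in Python; it is not the Sekoia.io intake parser and not Gatewatcher code. It re-implements the normalization visible in the samples below (ECS fields stay at the top level, vendor-specific objects and extra keys move under `gatewatcher.*`, timestamps are rewritten to microsecond UTC with a `Z` suffix, `source.address`/`destination.address` are copied from the IPs, the `related.*` pivot lists are built sorted and deduplicated, and `url.registered_domain`/`subdomain`/`top_level_domain` are split out of `url.domain`), then maps `event.module` to the "Gatewatcher AionIQ V103 *" built-in rules listed above. Everything it assumes is labelled in the code: the `ECS_KEEP` table is inferred from the samples on this page, `KNOWN_SUFFIXES` is a two-entry stand-in for the Public Suffix List, `MODULE_RULES` is an assumed module-to-rule mapping, the `malcore` condition on `state == "Infected"` is the example's own choice rather than the catalog rule's logic, and the input lines are constructed, shortened copies of three samples shown below. Per-field renames such as `http.response.status` to `status_code` are not reproduced.

```python
import json
import re

# ECS fields the normalized samples keep at the top level (inferred from this page); any other
# key under these objects, and every other top-level object, moves under "gatewatcher.*".
ECS_KEEP = {
    "event": {"category", "dataset", "kind", "module", "severity"}, "ecs": {"version"},
    "source": {"ip", "port", "mac"}, "destination": {"ip", "port", "mac"}, "tls": {"client"},
    "network": {"protocol", "transport"}, "url": {"domain", "path"}, "user_agent": {"original"},
    "observer": {"hostname", "product", "vendor", "version"}, "file": {"hash", "name", "size"},
    "http": {"request", "response", "version"},
}
KNOWN_SUFFIXES = ("co.uk", "com")  # constructed stand-in for the real Public Suffix List
MODULE_RULES = {  # event.module values seen on this page -> built-in rule (assumed mapping)
    "beacon_detect": "Gatewatcher AionIQ V103 Beacon Detect",
    "dga_detect": "Gatewatcher AionIQ V103 Dga Detect",
    "malicious_powershell_detect": "Gatewatcher AionIQ V103 Malicious Powershell Detect",
    "shellcode_detect": "Gatewatcher AionIQ V103 Shellcode Detect",
}
RAW_EVENTS = [  # constructed, shortened copies of three raw samples shown on this page
    '{"@timestamp": "2024-09-09T13:02:59.354490664Z", "@version": "1", "event": {"created": "2024-09-09T13:02:34.254441+00:00", '
    '"severity": 3, "module": "beacon_detect", "category": ["network", "intrusion_detection"], "kind": "alert", "dataset": "alert", '
    '"id": "5e7bb104-6493-43b2-be4d-f7c28ce79e85"}, "source": {"ip": "10.0.0.60"}, "destination": {"ip": "157.230.93.100", "port": 443}, '
    '"beacon": {"active": true, "session_count": 260, "type": "constant"}, "url": {"domain": "cisco-update.com"}, "observer": {"product": '
    '"gcenter", "uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f", "hostname": "gcenter-clelyo-01.gatewatcher.com", "vendor": "gatewatcher", '
    '"version": "2.5.3.103"}, "network": {"protocol": "tls", "transport": "tcp", "timestamp": "2024-09-09T11:47:44.012000+00:00"}}',
    '{"@timestamp": "2024-09-11T09:31:00.111583612Z", "@version": "1", "event": {"id": "7c4e2a77-3481-4201-8247-889fe0718ed8", "kind": '
    '"alert", "module": "malcore", "severity": 1, "category": ["network", "file"], "created": "2024-09-11T09:15:23.329615+0000", '
    '"dataset": "alert"}, "source": {"port": 80, "ip": "202.129.215.251"}, "destination": {"port": 47858, "ip": "27.0.0.144"}, '
    '"file": {"hash": {"sha256": "6d3a6e2c771ab1a3721235ed3b3c4a2c3013290564272bcb6fbc9a15be79278b"}, "name": "/", "size": 55351, '
    '"stored": true}, "malcore": {"state": "Infected", "total_found": "3/16"}, "url": {"domain": "chunky.enchantingweddingsandevents.co.uk", '
    '"path": "/?q=&g=BDvv"}, "http": {"request": {"method": "GET"}, "hostname": "chunky.enchantingweddingsandevents.co.uk"}, '
    '"observer": {"hostname": "gcenter-clelyo-01.gatewatcher.com", "product": "gcenter", "vendor": "gatewatcher", "version": "2.5.3.103"}}',
    '{"@timestamp": "2022-09-01T16:06:51.664Z", "event": {"kind": "event", "dataset": "administration", "category": ["host"], "module": '
    '"history", "id": "8223b432-7e97-4570-a29d-254f41dbb9db"}, "history": {"type": "user", "name": "pierre.pocry", "ip": "192.192.32.12", '
    '"method": "POST", "endpoint": "/gum/configuration", "code": "200"}, "observer": {"hostname": "gcenter-interne-rd-56.gatewatcher.com", '
    '"product": "gcenter", "vendor": "gatewatcher", "version": "2.5.3.103"}}',
]


def normalize_ts(value: str) -> str:
    """Rewrite '+00:00', '+0000' and nanosecond 'Z' stamps to microsecond-precision UTC with 'Z'."""
    value = re.sub(r"(Z|\+00:?00)$", "", value)
    if "." in value:
        base, frac = value.split(".", 1)
        value = f"{base}.{frac[:6].ljust(6, '0')}"
    return value + "Z"


def split_domain(domain: str) -> dict:
    """Derive url.registered_domain / top_level_domain / subdomain from url.domain."""
    for suffix in sorted(KNOWN_SUFFIXES, key=lambda s: -s.count(".")):  # longest suffix first
        if domain.endswith("." + suffix):
            labels = domain[: -len(suffix) - 1].split(".")
            return {"registered_domain": f"{labels[-1]}.{suffix}", "top_level_domain": suffix,
                    **({"subdomain": ".".join(labels[:-1])} if len(labels) > 1 else {})}
    return {}


def normalize(raw_line: str) -> dict:
    """Turn one GCenter ECS 1.0.0 JSON line into the shape the samples below show."""
    raw, out = json.loads(raw_line), {"gatewatcher": {}}
    for key, value in raw.items():
        if key == "@timestamp":
            out[key] = normalize_ts(value)
        elif key == "@version":
            out["gatewatcher"]["version"] = value
        elif key in ECS_KEEP and isinstance(value, dict):
            kept = {k: v for k, v in value.items() if k in ECS_KEEP[key]}
            extra = {k: v for k, v in value.items() if k not in ECS_KEEP[key]}
            if "category" in kept:
                kept["category"] = sorted(kept["category"])
            if kept:
                out[key] = kept
            if extra:
                out["gatewatcher"][key] = extra
        else:  # vendor-specific objects: beacon, dga, malcore, history, ...
            out["gatewatcher"][key] = value
    for obj, field in (("event", "created"), ("network", "timestamp")):
        if field in out["gatewatcher"].get(obj, {}):
            out["gatewatcher"][obj][field] = normalize_ts(out["gatewatcher"][obj][field])
    # ECS "address" copies and the sorted, deduplicated "related" pivot lists.
    related = {"ip": set(), "hosts": set(), "hash": set()}
    for side in ("source", "destination"):
        if "ip" in out.get(side, {}):
            out[side]["address"] = out[side]["ip"]
            related["ip"].add(out[side]["ip"])
    for host in (out.get("observer", {}).get("hostname"), out.get("url", {}).get("domain")):
        if host:
            related["hosts"].add(host)
    related["hash"].update(out.get("file", {}).get("hash", {}).values())
    if "domain" in out.get("url", {}):
        out["url"].update(split_domain(out["url"]["domain"]))
    out["related"] = {k: sorted(v) for k, v in related.items() if v}
    return out


def triage(event: dict) -> list:
    """Name the built-in rules a normalized event would match. The malcore test on
    state == 'Infected' is this example's own choice, not the catalog rule's logic."""
    hits, module = [], event.get("event", {}).get("module")
    if event.get("event", {}).get("kind") == "alert" and module in MODULE_RULES:
        hits.append(MODULE_RULES[module])
    if module == "malcore" and event["gatewatcher"].get("malcore", {}).get("state") == "Infected":
        hits.append("Gatewatcher AionIQ V103 Malcore")
    return hits
```

Running `normalize` over `RAW_EVENTS` yields the `related.ip`, `related.hosts` and `related.hash` lists that the events page uses for pivoting, and `triage` returns the matching rule name for the beacon and Malcore samples and nothing for the administration `history` event, whose `event.kind` is `event` rather than `alert`. A production parser would use the full Public Suffix List rather than `KNOWN_SUFFIXES`, and `triage` is only a module-name check: it illustrates which field the "Gatewatcher AionIQ V103 *" rules key on, not their exact conditions.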
{
"message": "{\"tls\": {\"client\": {\"server_name\": \"cisco-update.com\"}}, \"@version\": \"1\", \"event\": {\"created\": \"2024-09-09T13:02:34.254441+00:00\", \"end\": \"2024-09-09T11:52:25.666000+00:00\", \"severity\": 3, \"module\": \"beacon_detect\", \"start\": \"2024-09-09T11:47:44.012000+00:00\", \"category\": [\"network\", \"intrusion_detection\"], \"kind\": \"alert\", \"id\": \"5e7bb104-6493-43b2-be4d-f7c28ce79e85\", \"dataset\": \"alert\"}, \"source\": {\"ip\": \"10.0.0.60\", \"mac\": \"60:57:18:e9:4f:5d\"}, \"beacon\": {\"mean_time_interval\": 1, \"active\": true, \"possible_cnc\": \"not_recognized\", \"session_count\": 260, \"type\": \"constant\", \"id\": \"c4c886b4ad\", \"hostname_resolution\": \"not_analyzed\"}, \"destination\": {\"ip\": \"157.230.93.100\", \"port\": 443}, \"observer\": {\"product\": \"gcenter\", \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\", \"log_format_version\": \"1.0.0\", \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\", \"gcap\": {\"hostname\": \"gcap-clement-l.gatewatcher.fr\", \"version\": \"2.5.4.0-rc1\"}, \"version\": \"2.5.3.103\", \"vendor\": \"gatewatcher\"}, \"ecs\": {\"version\": \"8.6.0\"}, \"@timestamp\": \"2024-09-09T13:02:59.354490664Z\", \"url\": {\"domain\": \"cisco-update.com\"}, \"network\": {\"protocol\": \"tls\", \"timestamp\": \"2024-09-09T11:47:44.012000+00:00\", \"transport\": \"tcp\"}}",
"event": {
"category": [
"intrusion_detection",
"network"
],
"dataset": "alert",
"kind": "alert",
"module": "beacon_detect",
"severity": 3
},
"@timestamp": "2024-09-09T13:02:59.354490Z",
"destination": {
"address": "157.230.93.100",
"ip": "157.230.93.100",
"port": 443
},
"ecs": {
"version": "8.6.0"
},
"gatewatcher": {
"beacon": {
"active": "true",
"hostname_resolution": "not_analyzed",
"mean_time_interval": "1",
"possible_cnc": "not_recognized",
"session_count": "260",
"type": "constant"
},
"event": {
"created": "2024-09-09T13:02:34.254441Z",
"id": "5e7bb104-6493-43b2-be4d-f7c28ce79e85"
},
"network": {
"timestamp": "2024-09-09T11:47:44.012000Z"
},
"observer": {
"gcap": {
"hostname": "gcap-clement-l.gatewatcher.fr",
"version": "2.5.4.0-rc1"
},
"log_format_version": "1.0.0",
"uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f"
},
"tls": {
"client": {
"server_name": "cisco-update.com"
}
},
"version": "1"
},
"network": {
"protocol": "tls",
"transport": "tcp"
},
"observer": {
"hostname": "gcenter-clelyo-01.gatewatcher.com",
"product": "gcenter",
"vendor": "gatewatcher",
"version": "2.5.3.103"
},
"related": {
"hosts": [
"cisco-update.com",
"gcenter-clelyo-01.gatewatcher.com"
],
"ip": [
"10.0.0.60",
"157.230.93.100"
]
},
"source": {
"address": "10.0.0.60",
"ip": "10.0.0.60",
"mac": "60:57:18:e9:4f:5d"
},
"tls": {
"client": {
"server_name": "cisco-update.com"
}
},
"url": {
"domain": "cisco-update.com",
"registered_domain": "cisco-update.com",
"top_level_domain": "com"
}
}
{
"message": "{\"observer\": {\"vendor\": \"gatewatcher\", \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\", \"gcap\": {\"ingress\": {\"interface\": {\"name\": \"monvirt\"}}, \"hostname\": \"gcap-clement-l.gatewatcher.fr\", \"version\": \"2.5.4.0-rc1\"}, \"version\": \"2.5.3.103\", \"log_format_version\": \"1.0.0\", \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\", \"product\": \"gcenter\"}, \"network\": {\"protocol\": \"unknown\", \"transport\": \"tcp\", \"timestamp\": \"2024-09-11T09:10:46.975548+0000\", \"flow_id\": 779924698221176}, \"source\": {\"port\": 35444, \"ip\": \"10.127.0.111\"}, \"destination\": {\"port\": 4242, \"ip\": \"10.127.0.222\"}, \"malicious_powershell\": {\"proba_obfuscated\": 1, \"score\": 1890, \"sample_id\": \"09-11-2024T09:11:49_5a4a9ad809c84969b7f2bac324e41554_gcap-clement-l.gatewatcher.fr\", \"id\": \"60b656e17bec0a97f5638790c78a3124\", \"score_details\": {\"StrReplace\": 0, \"StreamReader\": 0, \"StartBitsTransfer\": 0, \"InvokeRestMethod\": 0, \"Base64\": 1520, \"StreamWriter\": 0, \"InvokeExpression\": 0, \"SystemIOFile\": 0, \"StrJoin\": 0, \"StrCat\": 370, \"WebClientInvokation\": 0, \"GetContent\": 0, \"FmtStr\": 0, \"CharInt\": 0, \"InvokeWebRequest\": 0, \"AddContent\": 0, \"SetContent\": 0}}, \"ecs\": {\"version\": \"8.6.0\"}, \"@timestamp\": \"2024-09-11T09:11:52.737102768Z\", \"@version\": \"1\", \"event\": {\"id\": \"de7b5e80-a4b2-4ed6-b566-3590945e34d5\", \"kind\": \"alert\", \"module\": \"malicious_powershell_detect\", \"severity\": 1, \"dataset\": \"alert\", \"category\": [\"network\", \"intrusion_detection\"], \"created\": \"2024-09-11T09:11:52.735668+0000\"}}",
"event": {
"category": [
"intrusion_detection",
"network"
],
"dataset": "alert",
"kind": "alert",
"module": "malicious_powershell_detect",
"severity": 1
},
"@timestamp": "2024-09-11T09:11:52.737102Z",
"destination": {
"address": "10.127.0.222",
"ip": "10.127.0.222",
"port": 4242
},
"ecs": {
"version": "8.6.0"
},
"gatewatcher": {
"event": {
"created": "2024-09-11T09:11:52.735668Z",
"id": "de7b5e80-a4b2-4ed6-b566-3590945e34d5"
},
"malicious_powershell": {
"id": "60b656e17bec0a97f5638790c78a3124",
"proba_obfuscated": 1,
"sample_id": "09-11-2024T09:11:49_5a4a9ad809c84969b7f2bac324e41554_gcap-clement-l.gatewatcher.fr",
"score": 1890,
"score_details_text": "{\"AddContent\":0,\"Base64\":1520,\"CharInt\":0,\"FmtStr\":0,\"GetContent\":0,\"InvokeExpression\":0,\"InvokeRestMethod\":0,\"InvokeWebRequest\":0,\"SetContent\":0,\"StartBitsTransfer\":0,\"StrCat\":370,\"StrJoin\":0,\"StrReplace\":0,\"StreamReader\":0,\"StreamWriter\":0,\"SystemIOFile\":0,\"WebClientInvokation\":0}"
},
"network": {
"flow_id": 779924698221176,
"timestamp": "2024-09-11T09:10:46.975548Z"
},
"observer": {
"gcap": {
"hostname": "gcap-clement-l.gatewatcher.fr",
"ingress": {
"interface": {
"name": "monvirt"
}
},
"version": "2.5.4.0-rc1"
},
"log_format_version": "1.0.0",
"uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f"
},
"version": "1"
},
"network": {
"protocol": "unknown",
"transport": "tcp"
},
"observer": {
"hostname": "gcenter-clelyo-01.gatewatcher.com",
"product": "gcenter",
"vendor": "gatewatcher",
"version": "2.5.3.103"
},
"related": {
"hosts": [
"gcenter-clelyo-01.gatewatcher.com"
],
"ip": [
"10.127.0.111",
"10.127.0.222"
]
},
"source": {
"address": "10.127.0.111",
"ip": "10.127.0.111",
"port": 35444
}
}
{
"message": "{\"network\": {\"protocol\": \"unknown\", \"timestamp\": \"2024-09-11T15:35:30.167846+0000\", \"transport\": \"tcp\", \"flow_id\": 888739207482646}, \"observer\": {\"vendor\": \"gatewatcher\", \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\", \"gcap\": {\"ingress\": {\"interface\": {\"name\": \"monvirt\"}}, \"hostname\": \"gcap-clement-l.gatewatcher.fr\", \"version\": \"2.5.4.0-rc1\"}, \"version\": \"2.5.3.103\", \"log_format_version\": \"1.0.0\", \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\", \"product\": \"gcenter\"}, \"destination\": {\"port\": 6666, \"ip\": \"178.160.128.2\"}, \"source\": {\"port\": 60078, \"ip\": \"80.15.17.183\"}, \"ecs\": {\"version\": \"8.6.0\"}, \"shellcode\": {\"sub_type\": \"Windows_x86_32\", \"encodings\": [{\"name\": \"Bloxor\", \"count\": 4}], \"sample_id\": \"09-11-2024T15:36:31_8608eb20e6844d2786d36811f92a673b_gcap-clement-l.gatewatcher.fr\", \"analysis\": [{\"call\": \"kernel32_LoadLibraryA\", \"args\": \"{lpFileName: user32.dll}\", \"_id\": 0, \"ret\": \"0x70600000\"}, {\"call\": \"user32_MessageBoxA\", \"args\": \"{hWnd: None, lpText: Do you like GateWatcher ?, lpCaption: Gatewatcher2018, uType: [MB_OK, MB_ICONQUESTION, MB_DEFBUTTON1, MB_APPLMODAL, None]}\", \"_id\": 1, \"ret\": \"1\"}, {\"call\": \"kernel32_ExitProcess\", \"args\": \"{uExitCode: 0}\", \"_id\": 2, \"ret\": \"0\"}, {\"info\": \"Stop : End of shellcode (Exit)\", \"_id\": -1}], \"id\": \"790a2aa742e1da23e14c9b7270ee81a1\"}, \"@timestamp\": \"2024-09-11T15:36:36.071882055Z\", \"@version\": \"1\", \"event\": {\"dataset\": \"alert\", \"kind\": \"alert\", \"module\": \"shellcode_detect\", \"category\": [\"network\", \"intrusion_detection\"], \"severity\": 1, \"id\": \"8c03d100-794f-45fe-8d92-7409c925b255\", \"created\": \"2024-09-11T15:36:36.068564+0000\"}}",
"event": {
"category": [
"intrusion_detection",
"network"
],
"dataset": "alert",
"kind": "alert",
"module": "shellcode_detect",
"severity": 1
},
"@timestamp": "2024-09-11T15:36:36.071882Z",
"destination": {
"address": "178.160.128.2",
"ip": "178.160.128.2",
"port": 6666
},
"ecs": {
"version": "8.6.0"
},
"gatewatcher": {
"event": {
"created": "2024-09-11T15:36:36.068564Z",
"id": "8c03d100-794f-45fe-8d92-7409c925b255"
},
"network": {
"flow_id": 888739207482646,
"timestamp": "2024-09-11T15:35:30.167846Z"
},
"observer": {
"gcap": {
"hostname": "gcap-clement-l.gatewatcher.fr",
"ingress": {
"interface": {
"name": "monvirt"
}
},
"version": "2.5.4.0-rc1"
},
"log_format_version": "1.0.0",
"uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f"
},
"shellcode": {
"analysis_text": [
"{\"_id\":-1,\"info\":\"Stop : End of shellcode (Exit)\"}",
"{\"_id\":0,\"args\":\"{lpFileName: user32.dll}\",\"call\":\"kernel32_LoadLibraryA\",\"ret\":\"0x70600000\"}",
"{\"_id\":1,\"args\":\"{hWnd: None, lpText: Do you like GateWatcher ?, lpCaption: Gatewatcher2018, uType: [MB_OK, MB_ICONQUESTION, MB_DEFBUTTON1, MB_APPLMODAL, None]}\",\"call\":\"user32_MessageBoxA\",\"ret\":\"1\"}",
"{\"_id\":2,\"args\":\"{uExitCode: 0}\",\"call\":\"kernel32_ExitProcess\",\"ret\":\"0\"}"
],
"encodings": [
{
"count": 4,
"name": "Bloxor"
}
],
"id": "790a2aa742e1da23e14c9b7270ee81a1",
"sample_id": "09-11-2024T15:36:31_8608eb20e6844d2786d36811f92a673b_gcap-clement-l.gatewatcher.fr",
"sub_type": "Windows_x86_32"
},
"version": "1"
},
"network": {
"protocol": "unknown",
"transport": "tcp"
},
"observer": {
"hostname": "gcenter-clelyo-01.gatewatcher.com",
"product": "gcenter",
"vendor": "gatewatcher",
"version": "2.5.3.103"
},
"related": {
"hosts": [
"gcenter-clelyo-01.gatewatcher.com"
],
"ip": [
"178.160.128.2",
"80.15.17.183"
]
},
"source": {
"address": "80.15.17.183",
"ip": "80.15.17.183",
"port": 60078
}
}
{
"message": "{\"network\": {\"protocol\": \"dns\", \"transport\": \"udp\", \"timestamp\": \"2024-09-11T09:15:25.886786+00:00\", \"flow_id\": 1434780527372168}, \"observer\": {\"vendor\": \"gatewatcher\", \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\", \"gcap\": {\"hostname\": \"gcap-clement-l.gatewatcher.fr\", \"version\": \"2.5.4.0-rc1\"}, \"version\": \"2.5.3.103\", \"log_format_version\": \"1.0.0\", \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\", \"product\": \"gcenter\"}, \"source\": {\"ip\": \"27.0.0.227\"}, \"destination\": {\"port\": 53, \"ip\": \"202.129.215.23\"}, \"ecs\": {\"version\": \"8.6.0\"}, \"dga\": {\"dga_count\": 35, \"dga_ratio\": 0.97, \"malware_behavior_confidence\": 50, \"nx_domain_count\": 36, \"top_DGA\": [\"zmhaoyukbol6a.com\", \"ppyblaohb.com\", \"khllpmpmare.com\", \"lttulzaiaoctpa7.com\", \"jetuergatod.com\", \"riaaiysk.com\", \"anxsmqyfy.com\", \"tqjhvylf.com\", \"vdunsygwoktx.com\", \"jhghrlufoh.com\"]}, \"@timestamp\": \"2024-09-11T09:16:33.314331057Z\", \"@version\": \"1\", \"event\": {\"created\": \"2024-09-11T09:16:33.194964+00:00\", \"end\": \"2024-09-11T09:15:27.858000+00:00\", \"kind\": \"alert\", \"module\": \"dga_detect\", \"start\": \"2024-09-11T09:15:22.995000+00:00\", \"severity\": 1, \"category\": [\"network\", \"intrusion_detection\"], \"dataset\": \"alert\", \"id\": \"0ec85c0d-68b6-4602-b26e-d0966d5e1b9d\"}}",
"event": {
"category": [
"intrusion_detection",
"network"
],
"dataset": "alert",
"kind": "alert",
"module": "dga_detect",
"severity": 1
},
"@timestamp": "2024-09-11T09:16:33.314331Z",
"destination": {
"address": "202.129.215.23",
"ip": "202.129.215.23",
"port": 53
},
"ecs": {
"version": "8.6.0"
},
"gatewatcher": {
"dga": {
"dga_count": "35",
"dga_ratio": "0.97",
"malware_behavior_confidence": "50",
"nx_domain_count": "36",
"top_DGA": [
"anxsmqyfy.com",
"jetuergatod.com",
"jhghrlufoh.com",
"khllpmpmare.com",
"lttulzaiaoctpa7.com",
"ppyblaohb.com",
"riaaiysk.com",
"tqjhvylf.com",
"vdunsygwoktx.com",
"zmhaoyukbol6a.com"
]
},
"event": {
"created": "2024-09-11T09:16:33.194964Z",
"id": "0ec85c0d-68b6-4602-b26e-d0966d5e1b9d"
},
"network": {
"flow_id": 1434780527372168,
"timestamp": "2024-09-11T09:15:25.886786Z"
},
"observer": {
"gcap": {
"hostname": "gcap-clement-l.gatewatcher.fr",
"version": "2.5.4.0-rc1"
},
"log_format_version": "1.0.0",
"uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f"
},
"version": "1"
},
"network": {
"protocol": "dns",
"transport": "udp"
},
"observer": {
"hostname": "gcenter-clelyo-01.gatewatcher.com",
"product": "gcenter",
"vendor": "gatewatcher",
"version": "2.5.3.103"
},
"related": {
"hosts": [
"gcenter-clelyo-01.gatewatcher.com"
],
"ip": [
"202.129.215.23",
"27.0.0.227"
]
},
"source": {
"address": "27.0.0.227",
"ip": "27.0.0.227"
}
}
{
"message": "{\"observer\": {\"hostname\": \"gcenter-interne-rd-56.gatewatcher.com\", \"product\": \"gcenter\", \"version\": \"2.5.3.103\", \"vendor\": \"gatewatcher\", \"log_format_version\": \"1.0.0\"}, \"event\": {\"kind\": \"event\", \"dataset\": \"administration\", \"category\": [\"host\"], \"module\": \"history\", \"id\": \"8223b432-7e97-4570-a29d-254f41dbb9db\"}, \"ecs\": {\"version\": \"8.6.0\"}, \"history\": {\"type\": \"user\", \"name\": \"pierre.pocry\", \"id\": 18, \"ip\": \"192.192.32.12\", \"content\": {}, \"method\": \"POST\", \"endpoint\": \"/gum/configuration\", \"code\": \"200\"}, \"@timestamp\": \"2022-09-01T16:06:51.664Z\"}",
"event": {
"category": [
"host"
],
"dataset": "administration",
"module": "history"
},
"@timestamp": "2022-09-01T16:06:51.664000Z",
"ecs": {
"version": "8.6.0"
},
"gatewatcher": {
"event": {
"id": "8223b432-7e97-4570-a29d-254f41dbb9db"
},
"history": {
"code": 200,
"content": "{}",
"endpoint": "/gum/configuration",
"id": 18,
"ip": "192.192.32.12",
"method": "POST",
"name": "pierre.pocry",
"type": "user"
},
"observer": {
"log_format_version": "1.0.0"
}
},
"observer": {
"hostname": "gcenter-interne-rd-56.gatewatcher.com",
"product": "gcenter",
"vendor": "gatewatcher",
"version": "2.5.3.103"
},
"related": {
"hosts": [
"gcenter-interne-rd-56.gatewatcher.com"
]
}
}
{
"message": "{\"observer\": {\"product\": \"lastinfosec\", \"vendor\": \"gatewatcher\", \"log_format_version\": \"1.0.0\"}, \"event\": {\"kind\": \"enrichment\", \"dataset\": \"ioc\", \"category\": [\"network\", \"threat\"], \"module\": \"ioc\", \"id\": \"3713d994-1db4-40ff-abe9-2f43bac7b5fa\", \"created\": \"2019-10-23T05:33:54+00:00\", \"severity\": 2, \"severity_human\": \"High suspicious\"}, \"ecs\": {\"version\": \"8.6.0\"}, \"ioc\": {\"tlp\": \"green\", \"type\": \"SHA256\", \"value\": \"2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4\", \"signature\": \"SHA256 - malware/trojan - PLEAD - BlackTech - 3713d994-1db4-40ff-abe9-2f43bac7b5fa\", \"description\": \"2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4 is a High suspicious SHA256.\\nThis SHA256 is linked to a malware attack of the PLEAD family and organised by BlackTech intrusion set.\\nWe advised to use this IoC in detection mode.\", \"relations\": [\"6fe8a2a1-a1b0-4af8-953d-4babd329f8f8\", \"b57f419e-8b12-49d3-886b-145383725dcd\"], \"ttp\": [], \"families\": [\"PLEAD\"], \"campaigns\": [], \"categories\": [\"malware\", \"trojan\"], \"threat_actor\": [\"BlackTech\"], \"targeted_sectors\": [], \"targeted_organizations\": [], \"targeted_platforms\": [], \"targeted_countries\": [], \"vulnerabilities\": [], \"kill_chain_phases\": [], \"meta_data\": {\"cwe\": [], \"descriptions\": [], \"usageMode\": \"detection\"}, \"usage_mode\": \"detection\", \"case_id\": \"21615052-7cf3-48cd-9aff-36a61e45528c\", \"updated_date\": \"2023-04-07T04:10:34+00:00\", \"package_date\": \"2023-04-07T05:00:02.362356+0000\", \"creation_date\": \"2019-10-23T05:33:54+00:00\", \"tags\": [\"troj_fr.df33c1bd\", \"trojan.plead.win32.33\", \"gen:variant.graftor.598952 (b)\", \"generic backdoor.gy\", \"win32/plead.au trojan\", \"trojan/plead!exyhr4fe\", \"trojan.win32.plead.fqunov\", \"tr/plead.mysge\", \"trojan.win32.plead\", \"trojan ( 0055a46c1 )\", \"malware\", \"trojan.win32.plead.aa\", \"trojan/win32.plead\"], \"external_links\": [{\"source_name\": \"Twitter\", \"url\": \"http://web.archive.org/web/20191227104253/https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html\"}, {\"source_name\": \"Twitter\", \"url\": \"http://web.archive.org/web/20191206225333/https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html\"}, {\"source_name\": \"Twitter\", \"url\": \"https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html\"}, {\"source_name\": \"Twitter\", \"url\": \"https://twitter.com/i/web/status/1186877625295196160\"}, {\"source_name\": \"any.run_report\", \"url\": \"https://any.run/report/2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4\"}]}}",
"event": {
"category": [
"network",
"threat"
],
"dataset": "ioc",
"kind": "enrichment",
"module": "ioc",
"severity": 2
},
"ecs": {
"version": "8.6.0"
},
"gatewatcher": {
"event": {
"created": "2019-10-23T05:33:54Z",
"id": "3713d994-1db4-40ff-abe9-2f43bac7b5fa"
},
"ioc": {
"campaigns": [],
"case_id": "21615052-7cf3-48cd-9aff-36a61e45528c",
"categories": [
"malware",
"trojan"
],
"creation_date": "2019-10-23T05:33:54Z",
"description": "2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4 is a High suspicious SHA256.\nThis SHA256 is linked to a malware attack of the PLEAD family and organised by BlackTech intrusion set.\nWe advised to use this IoC in detection mode.",
"external_links": [
"{\"source_name\":\"Twitter\",\"url\":\"http://web.archive.org/web/20191206225333/https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html\"}",
"{\"source_name\":\"Twitter\",\"url\":\"http://web.archive.org/web/20191227104253/https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html\"}",
"{\"source_name\":\"Twitter\",\"url\":\"https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html\"}",
"{\"source_name\":\"Twitter\",\"url\":\"https://twitter.com/i/web/status/1186877625295196160\"}",
"{\"source_name\":\"any.run_report\",\"url\":\"https://any.run/report/2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4\"}"
],
"families": [
"PLEAD"
],
"kill_chain_phases": [],
"meta_data": {
"cwe": [],
"descriptions": [],
"usageMode": "detection"
},
"package_date": "2023-04-07T05:00:02.362356Z",
"relations": [
"6fe8a2a1-a1b0-4af8-953d-4babd329f8f8",
"b57f419e-8b12-49d3-886b-145383725dcd"
],
"signature": "SHA256 - malware/trojan - PLEAD - BlackTech - 3713d994-1db4-40ff-abe9-2f43bac7b5fa",
"tags": [
"gen:variant.graftor.598952 (b)",
"generic backdoor.gy",
"malware",
"tr/plead.mysge",
"troj_fr.df33c1bd",
"trojan ( 0055a46c1 )",
"trojan.plead.win32.33",
"trojan.win32.plead",
"trojan.win32.plead.aa",
"trojan.win32.plead.fqunov",
"trojan/plead!exyhr4fe",
"trojan/win32.plead",
"win32/plead.au trojan"
],
"targeted_countries": [],
"targeted_organizations": [],
"targeted_platforms": [],
"targeted_sectors": [],
"threat_actor": [
"BlackTech"
],
"updated_date": "2023-04-07T04:10:34Z",
"usage_mode": "detection"
},
"observer": {
"log_format_version": "1.0.0"
}
},
"observer": {
"product": "lastinfosec",
"vendor": "gatewatcher"
},
"threat": {
"indicator": {
"marking": {
"tlp": "green"
},
"name": "2e789fc5aa1318d0286264d70b2ececa15664689efa4f47c485d84df55231ac4",
"type": "SHA256"
}
}
}
{
"message": "{\"observer\": {\"vendor\": \"gatewatcher\", \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\", \"gcap\": {\"ingress\": {\"interface\": {\"name\": \"monvirt\"}}, \"hostname\": \"gcap-clement-l.gatewatcher.fr\", \"version\": \"2.5.4.0-rc1\"}, \"version\": \"2.5.3.103\", \"log_format_version\": \"1.0.0\", \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\", \"product\": \"gcenter\"}, \"source\": {\"port\": 80, \"ip\": \"202.129.215.251\"}, \"file\": {\"magic\": \"Macromedia Flash data (compressed), version 13\", \"sid\": [1100020], \"hash\": {\"sha256\": \"6d3a6e2c771ab1a3721235ed3b3c4a2c3013290564272bcb6fbc9a15be79278b\"}, \"name\": \"/\", \"file_id\": 219, \"tx_id\": 2, \"state\": \"CLOSED\", \"gaps\": false, \"size\": 55351, \"stored\": true}, \"@timestamp\": \"2024-09-11T09:31:00.111583612Z\", \"malcore\": {\"file_type\": \"application/x-shockwave-flash\", \"analyzers_up\": 16, \"analyzed_clean\": 9, \"engines_last_update_date\": \"2024-09-03T17:15:00Z\", \"state\": \"Infected\", \"total_found\": \"3/16\", \"detail_scan_time\": 373, \"reporting_token\": \"\", \"analyzed_infected\": 3, \"detail_threat_found\": \"Infected : EXP/Flash.EB.502, SWF/Exploit, Exploit.Flash\", \"analyzed_suspicious\": 0, \"analyzed_error\": 0, \"processing_time\": 1576, \"engine_id\": {\"5\": {\"scan_result\": \"CLEAN\", \"threat_details\": \"\", \"id\": \"c18ab9n\"}, \"8\": {\"scan_result\": \"INFECTED\", \"threat_details\": \"Exploit.Flash\", \"id\": \"ib54e9s\"}, \"4\": {\"scan_result\": \"UNSUPPORTED_FILE_TYPE\", \"threat_details\": \"\", \"id\": \"c10195e\"}, \"14\": {\"scan_result\": \"CLEAN\", \"threat_details\": \"\", \"id\": \"t3114fn\"}, \"13\": {\"scan_result\": \"CLEAN\", \"threat_details\": \"\", \"id\": \"sde882s\"}, \"9\": {\"scan_result\": \"CLEAN\", \"threat_details\": \"\", \"id\": \"kfb8487\"}, \"12\": {\"scan_result\": \"CLEAN\", \"threat_details\": \"\", \"id\": \"qb9308l\"}, \"10\": {\"scan_result\": \"CLEAN\", \"threat_details\": \"\", \"id\": \"mb2b5fe\"}, \"0\": {\"scan_result\": \"CLEAN\", \"threat_details\": \"\", \"id\": \"a32935b\"}, \"15\": {\"scan_result\": \"UNSUPPORTED_FILE_TYPE\", \"threat_details\": \"\", \"id\": \"we9a17t\"}, \"6\": {\"scan_result\": \"CLEAN\", \"threat_details\": \"\", \"id\": \"c81e55c\"}, \"7\": {\"scan_result\": \"NOT_SCANNED\", \"threat_details\": \"\", \"id\": \"e83bf1t\"}, \"3\": {\"scan_result\": \"CLEAN\", \"threat_details\": \"\", \"id\": \"b557a5r\"}, \"1\": {\"scan_result\": \"INFECTED\", \"threat_details\": \"EXP/Flash.EB.502\", \"id\": \"acf9bba\"}, \"11\": {\"scan_result\": \"NOT_SCANNED\", \"threat_details\": \"Unavailable (permanently_failed)\", \"id\": \"n00000e\"}, \"2\": {\"scan_result\": \"INFECTED\", \"threat_details\": \"SWF/Exploit\", \"id\": \"af7872b\"}}, \"detail_wait_time\": 660, \"file_type_description\": \"Macromedia Flash Player\", \"code\": 1, \"magic_details\": \"Macromedia Flash data (compressed), version 13\", \"analyzed_other\": 4}, \"@version\": \"1\", \"network\": {\"protocol\": \"http\", \"timestamp\": \"2024-09-11T09:15:23.329615+0000\", \"transport\": \"tcp\", \"flow_id\": 1779492455056060}, \"destination\": {\"port\": 47858, \"ip\": \"27.0.0.144\"}, \"url\": {\"domain\": \"chunky.enchantingweddingsandevents.co.uk\", \"path\": \"/?q=&g=BDvv&y=enL16_6s_&s=t5qV-&e=_b_J--DqR&w=C2pZhaRyfn3uVT_v5Sfgs\"}, \"user_agent\": {\"original\": \"Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\"}, \"ecs\": {\"version\": \"8.6.0\"}, \"http\": {\"request\": {\"method\": \"GET\"}, \"hostname\": \"chunky.enchantingweddingsandevents.co.uk\", \"version\": \"HTTP/1.1\", \"http_refer\": \"http://chunky.enchantingweddingsandevents.co.uk/topic/03251-esplanade-interoperability-fuchsias-renegotiate-percent-youngster-trounced/\", \"response\": {\"status\": 200, \"mime_type\": \"application/x-shockwave-flash\", \"bytes\": 55351}}, \"event\": {\"id\": \"7c4e2a77-3481-4201-8247-889fe0718ed8\", \"kind\": \"alert\", \"module\": \"malcore\", \"severity\": 1, \"category\": [\"network\", \"file\"], \"created\": \"2024-09-11T09:15:23.329615+0000\", \"dataset\": \"alert\"}}",
"event": {
"category": [
"file",
"network"
],
"dataset": "alert",
"kind": "alert",
"module": "malcore",
"severity": 1
},
"@timestamp": "2024-09-11T09:31:00.111583Z",
"destination": {
"address": "27.0.0.144",
"ip": "27.0.0.144",
"port": 47858
},
"ecs": {
"version": "8.6.0"
},
"file": {
"hash": {
"sha256": "6d3a6e2c771ab1a3721235ed3b3c4a2c3013290564272bcb6fbc9a15be79278b"
},
"name": "/",
"size": 55351
},
"gatewatcher": {
"event": {
"created": "2024-09-11T09:15:23.329615Z",
"id": "7c4e2a77-3481-4201-8247-889fe0718ed8"
},
"file": {
"file_id": 219,
"gaps": false,
"magic": "Macromedia Flash data (compressed), version 13",
"sid": [
"1100020"
],
"state": "CLOSED",
"stored": true,
"tx_id": 2
},
"http": {
"hostname": "chunky.enchantingweddingsandevents.co.uk",
"http_refer": "http://chunky.enchantingweddingsandevents.co.uk/topic/03251-esplanade-interoperability-fuchsias-renegotiate-percent-youngster-trounced/"
},
"malcore": {
"analyzed_clean": 9,
"analyzed_error": 0,
"analyzed_infected": 3,
"analyzed_other": 4,
"analyzed_suspicious": 0,
"analyzers_up": 16,
"code": "1",
"detail_scan_time": 373,
"detail_threat_found": "Infected : EXP/Flash.EB.502, SWF/Exploit, Exploit.Flash",
"detail_wait_time": 660,
"engine_id": "{\"0\":{\"id\":\"a32935b\",\"scan_result\":\"CLEAN\",\"threat_details\":\"\"},\"1\":{\"id\":\"acf9bba\",\"scan_result\":\"INFECTED\",\"threat_details\":\"EXP/Flash.EB.502\"},\"10\":{\"id\":\"mb2b5fe\",\"scan_result\":\"CLEAN\",\"threat_details\":\"\"},\"11\":{\"id\":\"n00000e\",\"scan_result\":\"NOT_SCANNED\",\"threat_details\":\"Unavailable (permanently_failed)\"},\"12\":{\"id\":\"qb9308l\",\"scan_result\":\"CLEAN\",\"threat_details\":\"\"},\"13\":{\"id\":\"sde882s\",\"scan_result\":\"CLEAN\",\"threat_details\":\"\"},\"14\":{\"id\":\"t3114fn\",\"scan_result\":\"CLEAN\",\"threat_details\":\"\"},\"15\":{\"id\":\"we9a17t\",\"scan_result\":\"UNSUPPORTED_FILE_TYPE\",\"threat_details\":\"\"},\"2\":{\"id\":\"af7872b\",\"scan_result\":\"INFECTED\",\"threat_details\":\"SWF/Exploit\"},\"3\":{\"id\":\"b557a5r\",\"scan_result\":\"CLEAN\",\"threat_details\":\"\"},\"4\":{\"id\":\"c10195e\",\"scan_result\":\"UNSUPPORTED_FILE_TYPE\",\"threat_details\":\"\"},\"5\":{\"id\":\"c18ab9n\",\"scan_result\":\"CLEAN\",\"threat_details\":\"\"},\"6\":{\"id\":\"c81e55c\",\"scan_result\":\"CLEAN\",\"threat_details\":\"\"},\"7\":{\"id\":\"e83bf1t\",\"scan_result\":\"NOT_SCANNED\",\"threat_details\":\"\"},\"8\":{\"id\":\"ib54e9s\",\"scan_result\":\"INFECTED\",\"threat_details\":\"Exploit.Flash\"},\"9\":{\"id\":\"kfb8487\",\"scan_result\":\"CLEAN\",\"threat_details\":\"\"}}",
"engines_last_update_date": "2024-09-03T17:15:00Z",
"file_type": "application/x-shockwave-flash",
"file_type_description": "Macromedia Flash Player",
"magic_details": "Macromedia Flash data (compressed), version 13",
"processing_time": 1576,
"state": "Infected",
"total_found": "3/16"
},
"network": {
"flow_id": 1779492455056060,
"timestamp": "2024-09-11T09:15:23.329615Z"
},
"observer": {
"gcap": {
"hostname": "gcap-clement-l.gatewatcher.fr",
"ingress": {
"interface": {
"name": "monvirt"
}
},
"version": "2.5.4.0-rc1"
},
"log_format_version": "1.0.0",
"uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f"
},
"version": "1"
},
"http": {
"request": {
"method": "GET"
},
"response": {
"bytes": 55351,
"mime_type": "application/x-shockwave-flash",
"status_code": 200
},
"version": "HTTP/1.1"
},
"network": {
"protocol": "http",
"transport": "tcp"
},
"observer": {
"hostname": "gcenter-clelyo-01.gatewatcher.com",
"product": "gcenter",
"vendor": "gatewatcher",
"version": "2.5.3.103"
},
"related": {
"hash": [
"6d3a6e2c771ab1a3721235ed3b3c4a2c3013290564272bcb6fbc9a15be79278b"
],
"hosts": [
"chunky.enchantingweddingsandevents.co.uk",
"gcenter-clelyo-01.gatewatcher.com"
],
"ip": [
"202.129.215.251",
"27.0.0.144"
]
},
"source": {
"address": "202.129.215.251",
"ip": "202.129.215.251",
"port": 80
},
"url": {
"domain": "chunky.enchantingweddingsandevents.co.uk",
"path": "/?q=&g=BDvv&y=enL16_6s_&s=t5qV-&e=_b_J--DqR&w=C2pZhaRyfn3uVT_v5Sfgs",
"registered_domain": "enchantingweddingsandevents.co.uk",
"subdomain": "chunky",
"top_level_domain": "co.uk"
},
"user_agent": {
"device": {
"name": "Other"
},
"name": "IE",
"original": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
"os": {
"name": "Windows",
"version": "7"
},
"version": "11.0"
}
}
{
"message": "{\"observer\": {\"vendor\": \"gatewatcher\", \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\", \"gcap\": {\"ingress\": {\"interface\": {\"name\": \"monvirt\"}}, \"hostname\": \"gcap-clement-l.gatewatcher.fr\", \"version\": \"2.5.4.0-rc1\"}, \"version\": \"2.5.3.103\", \"log_format_version\": \"1.0.0\", \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\", \"product\": \"gcenter\"}, \"source\": {\"mac\": \"00:50:56:91:85:03\", \"port\": 56098, \"ip\": \"10.2.19.131\"}, \"metadata\": {\"flowbits\": [\"min.gethttp\", \"exe.no.referer\", \"ET.http.binary\"]}, \"@timestamp\": \"2024-09-12T13:24:51.231Z\", \"@version\": \"1\", \"network\": {\"protocol\": \"http\", \"community_id\": \"1:X+96B6BxVtmLT4rsbtdZeemyV0M=\", \"timestamp\": \"2024-09-12T13:24:15.978904+0000\", \"transport\": \"tcp\", \"tx_id\": 6, \"flow_id\": 803295979358070}, \"destination\": {\"mac\": \"00:09:0f:09:00:12\", \"port\": 80, \"ip\": \"10.2.10.205\"}, \"url\": {\"path\": \"/FireInstaller4.exe\"}, \"user_agent\": {\"original\": \"nghttp2/1.43.0\"}, \"ecs\": {\"version\": \"8.6.0\"}, \"http\": {\"request_headers\": [{\"name\": \":method\", \"value\": \"GET\"}, {\"name\": \":path\", \"value\": \"/FireInstaller4.exe\"}, {\"name\": \":scheme\", \"value\": \"http\"}, {\"name\": \":authority\", \"value\": \"10.2.10.205\"}, {\"name\": \"accept\", \"value\": \"*/*\"}, {\"name\": \"accept-encoding\", \"value\": \"gzip, deflate\"}, {\"name\": \"user-agent\", \"value\": \"nghttp2/1.43.0\"}], \"http2\": {\"request\": {\"priority\": 15}, \"stream_id\": 13, \"response\": {}}, \"request\": {\"method\": \"GET\"}, \"response_headers\": [{\"name\": \":status\", \"value\": \"200\"}, {\"name\": \"server\", \"value\": \"nginx/1.25.2\"}, {\"name\": \"date\", \"value\": \"Mon, 08 Jan 2024 15:27:20 GMT\"}, {\"name\": \"content-type\", \"value\": \"text/plain\"}, {\"name\": \"content-length\", \"value\": \"319824\"}, {\"name\": \"last-modified\", \"value\": \"Mon, 08 Jan 2024 15:21:12 GMT\"}, {\"name\": \"etag\", \"value\": \"\\\"659c12e8-4e150\\\"\"}, {\"name\": \"accept-ranges\", \"value\": \"bytes\"}], \"version\": \"2\", \"response\": {\"status\": 200, \"bytes\": 319824}}, \"event\": {\"kind\": \"event\", \"module\": \"sigflow_http\", \"category\": [\"network\"], \"created\": \"2024-09-12T13:24:15.978904+0000\", \"dataset\": \"network_metadata\", \"id\": \"78681613-57af-4e10-b732-58f5d2e0ae12\"}}",
"event": {
"category": [
"network"
],
"dataset": "network_metadata",
"module": "sigflow_http"
},
"@timestamp": "2024-09-12T13:24:51.231000Z",
"destination": {
"address": "10.2.10.205",
"ip": "10.2.10.205",
"mac": "00:09:0f:09:00:12",
"port": 80
},
"ecs": {
"version": "8.6.0"
},
"gatewatcher": {
"event": {
"created": "2024-09-12T13:24:15.978904Z",
"id": "78681613-57af-4e10-b732-58f5d2e0ae12"
},
"http": {
"http2": {
"request": {
"priority": 15
},
"stream_id": 13
}
},
"metadata": {
"flowbits": [
"ET.http.binary",
"exe.no.referer",
"min.gethttp"
]
},
"network": {
"flow_id": 803295979358070,
"timestamp": "2024-09-12T13:24:15.978904Z",
"tx_id": 6
},
"observer": {
"gcap": {
"hostname": "gcap-clement-l.gatewatcher.fr",
"ingress": {
"interface": {
"name": "monvirt"
}
},
"version": "2.5.4.0-rc1"
},
"log_format_version": "1.0.0",
"uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f"
},
"version": "1"
},
"http": {
"request": {
"method": "GET"
},
"response": {
"bytes": 319824,
"status_code": 200
},
"version": "2"
},
"network": {
"community_id": "1:X+96B6BxVtmLT4rsbtdZeemyV0M=",
"protocol": "http",
"transport": "tcp"
},
"observer": {
"hostname": "gcenter-clelyo-01.gatewatcher.com",
"product": "gcenter",
"vendor": "gatewatcher",
"version": "2.5.3.103"
},
"related": {
"hosts": [
"gcenter-clelyo-01.gatewatcher.com"
],
"ip": [
"10.2.10.205",
"10.2.19.131"
]
},
"source": {
"address": "10.2.19.131",
"ip": "10.2.19.131",
"mac": "00:50:56:91:85:03",
"port": 56098
},
"url": {
"path": "/FireInstaller4.exe"
},
"user_agent": {
"device": {
"name": "Other"
},
"name": "Other",
"original": "nghttp2/1.43.0",
"os": {
"name": "Other"
}
}
}
{
"message": "{\"observer\": {\"vendor\": \"gatewatcher\", \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\", \"gcap\": {\"ingress\": {\"interface\": {\"name\": \"monvirt\"}}, \"hostname\": \"gcap-clement-l.gatewatcher.fr\", \"version\": \"2.5.4.0-rc1\"}, \"version\": \"2.5.3.103\", \"log_format_version\": \"1.0.0\", \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\", \"product\": \"gcenter\"}, \"source\": {\"port\": 80, \"ip\": \"56.53.117.115\"}, \"file\": {\"magic\": \"PDF document, version 1.5\", \"sid\": [1100008], \"hash\": {\"sha256\": \"50c561f1e32cb1990a3050015088713e657f0081ba774dda2f9fcef828dcf703\"}, \"name\": \"/malcore_10KB_clean.pdf\", \"file_id\": 224, \"tx_id\": 0, \"state\": \"CLOSED\", \"gaps\": false, \"size\": 10456, \"stored\": true}, \"@timestamp\": \"2024-09-11T13:56:19.010Z\", \"@version\": \"1\", \"network\": {\"protocol\": \"http\", \"timestamp\": \"2024-09-11T13:55:51.326090+0000\", \"transport\": \"tcp\", \"flow_id\": 1331841998458539}, \"destination\": {\"port\": 62832, \"ip\": \"65.100.113.120\"}, \"url\": {\"domain\": \"56.53.117.115\", \"path\": \"/malcore_10KB_clean.pdf\"}, \"ecs\": {\"version\": \"8.6.0\"}, \"http\": {\"request\": {\"method\": \"GET\"}, \"hostname\": \"56.53.117.115\", \"version\": \"HTTP/1.1\", \"response\": {\"status\": 200, \"mime_type\": \"application/pdf\", \"bytes\": 10456}}, \"event\": {\"kind\": \"event\", \"module\": \"sigflow_file\", \"category\": [\"network\", \"file\"], \"created\": \"2024-09-11T13:55:51.326090+0000\", \"dataset\": \"network_metadata\", \"id\": \"d66539e6-825e-4516-8c8c-2778dd6d9358\"}}",
"event": {
"category": [
"file",
"network"
],
"dataset": "network_metadata",
"module": "sigflow_file"
},
"@timestamp": "2024-09-11T13:56:19.010000Z",
"destination": {
"address": "65.100.113.120",
"ip": "65.100.113.120",
"port": 62832
},
"ecs": {
"version": "8.6.0"
},
"file": {
"hash": {
"sha256": "50c561f1e32cb1990a3050015088713e657f0081ba774dda2f9fcef828dcf703"
},
"name": "/malcore_10KB_clean.pdf",
"size": 10456
},
"gatewatcher": {
"event": {
"created": "2024-09-11T13:55:51.326090Z",
"id": "d66539e6-825e-4516-8c8c-2778dd6d9358"
},
"file": {
"file_id": 224,
"gaps": false,
"magic": "PDF document, version 1.5",
"sid": [
"1100008"
],
"state": "CLOSED",
"stored": true,
"tx_id": 0
},
"http": {
"hostname": "56.53.117.115"
},
"network": {
"flow_id": 1331841998458539,
"timestamp": "2024-09-11T13:55:51.326090Z"
},
"observer": {
"gcap": {
"hostname": "gcap-clement-l.gatewatcher.fr",
"ingress": {
"interface": {
"name": "monvirt"
}
},
"version": "2.5.4.0-rc1"
},
"log_format_version": "1.0.0",
"uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f"
},
"version": "1"
},
"http": {
"request": {
"method": "GET"
},
"response": {
"bytes": 10456,
"mime_type": "application/pdf",
"status_code": 200
},
"version": "HTTP/1.1"
},
"network": {
"protocol": "http",
"transport": "tcp"
},
"observer": {
"hostname": "gcenter-clelyo-01.gatewatcher.com",
"product": "gcenter",
"vendor": "gatewatcher",
"version": "2.5.3.103"
},
"related": {
"hash": [
"50c561f1e32cb1990a3050015088713e657f0081ba774dda2f9fcef828dcf703"
],
"hosts": [
"56.53.117.115",
"gcenter-clelyo-01.gatewatcher.com"
],
"ip": [
"56.53.117.115",
"65.100.113.120"
]
},
"source": {
"address": "56.53.117.115",
"ip": "56.53.117.115",
"port": 80
},
"url": {
"domain": "56.53.117.115",
"path": "/malcore_10KB_clean.pdf"
}
}
{
"message": "{\"observer\": {\"hostname\": \"gcenter-interne-rd-56.gatewatcher.com\", \"product\": \"gcenter\", \"version\": \"2.5.3.103\", \"vendor\": \"gatewatcher\", \"gcap\": {\"hostname\": \"gcap-interne-rd-55.gatewatcher.com\", \"version\": \"2.5.3.107\", \"ingress\": {\"interface\": {\"name\": \"mon0\"}}}, \"log_format_version\": \"1.0.0\"}, \"event\": {\"kind\": \"alert\", \"dataset\": \"alert\", \"category\": [\"network\", \"intrusion_detection\"], \"module\": \"network_behavior_analytics\", \"created\": \"2022-09-01T16:06:15.605Z\", \"id\": \"730a47f1-f7b1-4faa-9d61-8a41d7b138ed\", \"severity\": 2}, \"ecs\": {\"version\": \"8.6.0\"}, \"network\": {\"transport\": \"tcp\", \"protocol\": \"http\", \"flow_id\": 2071994639527866, \"community_id\": \"1:Q22WBDRnlyCXH/Y/pcypXCr+nJc=\", \"timestamp\": \"2022-09-01T16:06:15.605Z\", \"tx_id\": 0}, \"source\": {\"ip\": \"10.2.6.250\", \"port\": 50886, \"mac\": \"00:50:56:91:73:14\"}, \"destination\": {\"ip\": \"13.107.4.52\", \"port\": 80, \"mac\": \"00:08:e3:ff:fc:28\"}, \"nba\": {\"packet\": \"AAjj//woAFBWkXMUCABFAAAo6pNAAEAGLaIKAgb6DWsENMbGAFBecku30OsVlVAQAfUzhAAAAAAAAAAA\", \"payload\": \"R0VUIC9jb25uZWN0dGVzdC50eHQgSFRUUC8xLjENClByYWdtYTogbm8tY2FjaGUNClVzZXItQWdlbnQ6IE1pY3Jvc29mdCBOQ1NJDQpIb3N0OiB3d3cubXNmdGNvbm5lY3R0ZXN0LmNvbQ0KQ2FjaGUtQ29udHJvbDogbm8tY2FjaGUNCkNvbm5lY3Rpb246IGtlZXAtYWxpdmUNCg0K\", \"payload_printable\": \"GET /connecttest.txt HTTP/1.1\\r\\nPragma: no-cache\\r\\nUser-Agent: Microsoft NCSI\\r\\nHost: www.msftconnecttest.com\\r\\nCache-Control: no-cache\\r\\nConnection: keep-alive\\r\\n\\r\\n\", \"signature_id\": 2031071, \"gid\": 1, \"category\": \"Network Behavior Analytics\", \"action\": \"allowed\", \"signature\": \"NBA C&C tracker : cobalt strike tcp initialization\", \"metadata\": {\"performance_impact\": [\"High\"], \"signature_severity\": [\"CRITICAL\"]}, \"rev\": 1, \"stream\": 1}, \"http\": {\"url\": \"/connecttest.txt\", \"http_user_agent\": \"Microsoft NCSI\", \"version\": \"HTTP/1.1\", \"hostname\": \"www.msftconnecttest.com\", \"request\": {\"method\": \"GET\"}, \"response\": {\"bytes\": 22, \"status_code\": 200, \"mime_type\": \"text/plain\"}}, \"url\": {\"domain\": \"www.msftconnecttest.com\", \"path\": \"/connecttest.txt\"}, \"user_agent\": {\"original\": \"Microsoft NCSI\"}, \"packet_info\": {\"linktype\": 1}, \"flow\": {\"bytes_toclient\": 700, \"pkts_toclient\": 3, \"bytes_toserver\": 407, \"pkts_toserver\": 4, \"start\": \"2022-09-01T16:06:15.602042+0000\"}, \"@version\": \"1\", \"@timestamp\": \"2022-09-01T16:06:51.664Z\"}",
"event": {
"category": [
"intrusion_detection",
"network"
],
"dataset": "alert",
"kind": "alert",
"module": "network_behavior_analytics",
"severity": 2
},
"@timestamp": "2022-09-01T16:06:51.664000Z",
"destination": {
"address": "13.107.4.52",
"ip": "13.107.4.52",
"mac": "00:08:e3:ff:fc:28",
"port": 80
},
"ecs": {
"version": "8.6.0"
},
"gatewatcher": {
"event": {
"created": "2022-09-01T16:06:15.605000Z",
"id": "730a47f1-f7b1-4faa-9d61-8a41d7b138ed"
},
"flow": {
"bytes_toclient": 700,
"bytes_toserver": 407,
"pkts_toclient": 3,
"pkts_toserver": 4,
"start": "2022-09-01T16:06:15.602042Z"
},
"http": {
"hostname": "www.msftconnecttest.com"
},
"nba": {
"action": "allowed",
"category": "Network Behavior Analytics",
"gid": "1",
"metadata": {
"performance_impact": [
"High"
],
"signature_severity": [
"CRITICAL"
]
},
"packet": "AAjj//woAFBWkXMUCABFAAAo6pNAAEAGLaIKAgb6DWsENMbGAFBecku30OsVlVAQAfUzhAAAAAAAAAAA",
"payload": "R0VUIC9jb25uZWN0dGVzdC50eHQgSFRUUC8xLjENClByYWdtYTogbm8tY2FjaGUNClVzZXItQWdlbnQ6IE1pY3Jvc29mdCBOQ1NJDQpIb3N0OiB3d3cubXNmdGNvbm5lY3R0ZXN0LmNvbQ0KQ2FjaGUtQ29udHJvbDogbm8tY2FjaGUNCkNvbm5lY3Rpb246IGtlZXAtYWxpdmUNCg0K",
"payload_printable": "GET /connecttest.txt HTTP/1.1\r\nPragma: no-cache\r\nUser-Agent: Microsoft NCSI\r\nHost: www.msftconnecttest.com\r\nCache-Control: no-cache\r\nConnection: keep-alive\r\n\r\n",
"rev": "1",
"signature": "NBA C&C tracker : cobalt strike tcp initialization",
"signature_id": "2031071",
"stream": "1"
},
"network": {
"flow_id": 2071994639527866,
"timestamp": "2022-09-01T16:06:15.605000Z",
"tx_id": 0
},
"observer": {
"gcap": {
"hostname": "gcap-interne-rd-55.gatewatcher.com",
"ingress": {
"interface": {
"name": "mon0"
}
},
"version": "2.5.3.107"
},
"log_format_version": "1.0.0"
},
"version": "1"
},
"http": {
"request": {
"method": "GET"
},
"response": {
"bytes": 22,
"mime_type": "text/plain"
},
"version": "HTTP/1.1"
},
"network": {
"community_id": "1:Q22WBDRnlyCXH/Y/pcypXCr+nJc=",
"protocol": "http",
"transport": "tcp"
},
"observer": {
"hostname": "gcenter-interne-rd-56.gatewatcher.com",
"product": "gcenter",
"vendor": "gatewatcher",
"version": "2.5.3.103"
},
"related": {
"hosts": [
"gcenter-interne-rd-56.gatewatcher.com",
"www.msftconnecttest.com"
],
"ip": [
"10.2.6.250",
"13.107.4.52"
]
},
"source": {
"address": "10.2.6.250",
"ip": "10.2.6.250",
"mac": "00:50:56:91:73:14",
"port": 50886
},
"url": {
"domain": "www.msftconnecttest.com",
"path": "/connecttest.txt",
"registered_domain": "msftconnecttest.com",
"subdomain": "www",
"top_level_domain": "com"
},
"user_agent": {
"device": {
"name": "Other"
},
"name": "Other",
"original": "Microsoft NCSI",
"os": {
"name": "Other"
}
}
}
{
"message": "{\"source\": {\"ip\": \"172.31.47.105\", \"port\": 50066}, \"event\": {\"created\": \"2024-09-13T09:11:20.223813+00:00\", \"dataset\": \"alert\", \"end\": \"2024-09-13T09:09:11.988000\", \"module\": \"ransomware_detect\", \"kind\": \"alert\", \"category\": [\"network\", \"intrusion_detection\"], \"start\": \"2024-09-13T09:08:51.988000\", \"id\": \"f357f7d1-e322-4f67-b798-50d05f54204b\", \"severity\": 1}, \"observer\": {\"product\": \"gcenter\", \"log_format_version\": \"1.0.0\", \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\", \"vendor\": \"gatewatcher\", \"gcap\": {\"ingress\": {\"interface\": {\"name\": \"monvirt\"}}, \"version\": \"2.5.4.0-rc1\", \"hostname\": \"gcap-clement-l.gatewatcher.fr\"}, \"version\": \"2.5.3.103\", \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\"}, \"destination\": {\"ip\": \"172.31.33.0\", \"port\": 445}, \"ecs\": {\"version\": \"8.6.0\"}, \"ransomware\": {\"alert_threshold\": 648, \"malicious_behavior_confidence\": 80, \"session_score\": 37}, \"@timestamp\": \"2024-09-13T09:11:39.629080222Z\", \"smb\": {\"session_id\": 593737889611873}, \"network\": {\"protocol\": \"smb\", \"flow_id\": 1465670492342121, \"transport\": \"tcp\", \"timestamp\": \"2024-09-13T09:08:44.877000+00:00\", \"community_id\": \"1:RA5iYDlaiu3WMutFLj5r//rbk34=\"}, \"@version\": \"1\"}",
"event": {
"category": [
"intrusion_detection",
"network"
],
"dataset": "alert",
"kind": "alert",
"module": "ransomware_detect",
"severity": 1
},
"@timestamp": "2024-09-13T09:11:39.629080Z",
"destination": {
"address": "172.31.33.0",
"ip": "172.31.33.0",
"port": 445
},
"ecs": {
"version": "8.6.0"
},
"gatewatcher": {
"event": {
"created": "2024-09-13T09:11:20.223813Z",
"id": "f357f7d1-e322-4f67-b798-50d05f54204b"
},
"network": {
"flow_id": 1465670492342121,
"timestamp": "2024-09-13T09:08:44.877000Z"
},
"observer": {
"gcap": {
"hostname": "gcap-clement-l.gatewatcher.fr",
"ingress": {
"interface": {
"name": "monvirt"
}
},
"version": "2.5.4.0-rc1"
},
"log_format_version": "1.0.0",
"uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f"
},
"ransomware": {
"alert_threshold": "648",
"malicious_behavior_confidence": "80",
"session_score": "37"
},
"smb": {
"session_id": 593737889611873
},
"version": "1"
},
"network": {
"community_id": "1:RA5iYDlaiu3WMutFLj5r//rbk34=",
"protocol": "smb",
"transport": "tcp"
},
"observer": {
"hostname": "gcenter-clelyo-01.gatewatcher.com",
"product": "gcenter",
"vendor": "gatewatcher",
"version": "2.5.3.103"
},
"related": {
"hosts": [
"gcenter-clelyo-01.gatewatcher.com"
],
"ip": [
"172.31.33.0",
"172.31.47.105"
]
},
"source": {
"address": "172.31.47.105",
"ip": "172.31.47.105",
"port": 50066
}
}
{
"message": "{\"observer\": {\"id\": \"\"}, \"event\": {\"kind\": \"alert\", \"dataset\": \"alert\", \"category\": [\"network\", \"intrusion_detection\"], \"module\": \"retrohunt\", \"created\": \"2022-12-14T09:51:30.455Z\", \"id\": \"8223b432-7e97-4570-a29d-254f41dbb9db\", \"severity\": 2}, \"ecs\": {\"version\": \"8.6.0\"}, \"network\": {\"ether\": \"\"}, \"source\": {\"ip\": \"127.0.0.1\", \"port\": \"80\"}, \"destination\": {\"ip\": \"127.0.0.1\", \"port\": \"8080\"}, \"matched_event\": {\"id\": \"1\"}, \"ioc\": {\"id\": \"1\"}, \"@timestamp\": \"2022-09-01T12:49:07.749Z\"}",
"event": {
"category": [
"intrusion_detection",
"network"
],
"dataset": "alert",
"kind": "alert",
"module": "retrohunt",
"severity": 2
},
"@timestamp": "2022-09-01T12:49:07.749000Z",
"destination": {
"address": "127.0.0.1",
"ip": "127.0.0.1",
"port": 8080
},
"ecs": {
"version": "8.6.0"
},
"gatewatcher": {
"event": {
"created": "2022-12-14T09:51:30.455000Z",
"id": "8223b432-7e97-4570-a29d-254f41dbb9db"
},
"matched_event": {
"id": "1"
}
},
"related": {
"ip": [
"127.0.0.1"
]
},
"source": {
"address": "127.0.0.1",
"ip": "127.0.0.1",
"port": 80
}
}
{
"message": "{\"observer\": {\"vendor\": \"gatewatcher\", \"uuid\": \"78f4fed1-c9ad-52b9-b509-6b87767f501f\", \"gcap\": {\"ingress\": {\"interface\": {\"name\": \"monvirt\"}}, \"hostname\": \"gcap-clement-l.gatewatcher.fr\", \"version\": \"2.5.4.0-rc1\"}, \"version\": \"2.5.3.103\", \"log_format_version\": \"1.0.0\", \"hostname\": \"gcenter-clelyo-01.gatewatcher.com\", \"product\": \"gcenter\"}, \"source\": {\"mac\": \"00:6f:37:76:51:45\", \"port\": 62832, \"ip\": \"65.100.113.120\"}, \"metadata\": {\"flowbits\": [\"http.dottedquadhost.pdf\"]}, \"@timestamp\": \"2024-09-11T13:55:34.006Z\", \"@version\": \"1\", \"network\": {\"protocol\": \"http\", \"community_id\": \"1:8T6+TppVoaMkXwi+BTjnzAYozVc=\", \"timestamp\": \"2024-09-11T13:55:01.080901+0000\", \"transport\": \"tcp\", \"tx_id\": 0, \"flow_id\": 1331841998337663}, \"destination\": {\"mac\": \"00:43:70:57:75:55\", \"port\": 80, \"ip\": \"56.53.117.115\"}, \"flow\": {\"bytes_toclient\": 1362, \"bytes_toserver\": 358, \"pkts_toclient\": 3, \"start\": \"2024-09-11T13:55:01.079487+0000\", \"pkts_toserver\": 4}, \"url\": {\"domain\": \"56.53.117.115\", \"path\": \"/malcore_10KB_clean.pdf\"}, \"ecs\": {\"version\": \"8.6.0\"}, \"http\": {\"request\": {\"method\": \"GET\"}, \"hostname\": \"56.53.117.115\", \"version\": \"HTTP/1.1\", \"response\": {\"status\": 200, \"mime_type\": \"application/pdf\", \"bytes\": 1135}}, \"sigflow\": {\"action\": \"allowed\", \"metadata\": {\"signature_severity\": [\"Informational\"], \"attack_target\": [\"Client_Endpoint\"], \"created_at\": [\"2019_04_23\"], \"deployment\": [\"Perimeter\"], \"performance_impact\": [\"Significant\"], \"updated_at\": [\"2022_11_21\"]}, \"signature\": \"ET INFO Dotted Quad Host PDF Request\", \"payload_printable\": \"GET /malcore_10KB_clean.pdf HTTP/1.1\\r\\nHost: 56.53.117.115\\r\\nAccept-Encoding: gzip,compress,deflate\\r\\nKeep-Alive: 300\\r\\nConnection: keep-alive\\r\\n\\r\\n\", \"packet\": \"AENwV3VVAG83dlFFCABFAAAoAAEAAEAGGktBZHF4ODV1c/VwAFAa9wCtFhR7nlAQIACMOAAA\", \"stream\": 1, \"signature_id\": 2027265, \"rev\": 4, \"category\": \"Potentially Bad Traffic\", \"gid\": 1, \"packet_info\": {\"linktype\": 1}, \"payload\": \"R0VUIC9tYWxjb3JlXzEwS0JfY2xlYW4ucGRmIEhUVFAvMS4xDQpIb3N0OiA1Ni41My4xMTcuMTE1DQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsY29tcHJlc3MsZGVmbGF0ZQ0KS2VlcC1BbGl2ZTogMzAwDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQoNCg==\"}, \"event\": {\"dataset\": \"alert\", \"kind\": \"alert\", \"module\": \"sigflow_alert\", \"severity\": 2, \"category\": [\"network\", \"intrusion_detection\"], \"id\": \"58c28570-6c90-4ba9-b9b5-f72867d5fa08\", \"created\": \"2024-09-11T13:55:01.080901+0000\"}}",
"event": {
"category": [
"intrusion_detection",
"network"
],
"dataset": "alert",
"kind": "alert",
"module": "sigflow_alert",
"severity": 2
},
"@timestamp": "2024-09-11T13:55:34.006000Z",
"destination": {
"address": "56.53.117.115",
"ip": "56.53.117.115",
"mac": "00:43:70:57:75:55",
"port": 80
},
"ecs": {
"version": "8.6.0"
},
"gatewatcher": {
"event": {
"created": "2024-09-11T13:55:01.080901Z",
"id": "58c28570-6c90-4ba9-b9b5-f72867d5fa08"
},
"flow": {
"bytes_toclient": 1362,
"bytes_toserver": 358,
"pkts_toclient": 3,
"pkts_toserver": 4,
"start": "2024-09-11T13:55:01.079487Z"
},
"http": {
"hostname": "56.53.117.115"
},
"metadata": {
"flowbits": [
"http.dottedquadhost.pdf"
]
},
"network": {
"flow_id": 1331841998337663,
"timestamp": "2024-09-11T13:55:01.080901Z",
"tx_id": 0
},
"observer": {
"gcap": {
"hostname": "gcap-clement-l.gatewatcher.fr",
"ingress": {
"interface": {
"name": "monvirt"
}
},
"version": "2.5.4.0-rc1"
},
"log_format_version": "1.0.0",
"uuid": "78f4fed1-c9ad-52b9-b509-6b87767f501f"
},
"sigflow": {
"action": "allowed",
"category": "Potentially Bad Traffic",
"gid": 1,
"metadata": "{\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2019_04_23\"],\"deployment\":[\"Perimeter\"],\"performance_impact\":[\"Significant\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_11_21\"]}",
"packet": "AENwV3VVAG83dlFFCABFAAAoAAEAAEAGGktBZHF4ODV1c/VwAFAa9wCtFhR7nlAQIACMOAAA",
"packet_info": {
"linktype": 1
},
"payload": "R0VUIC9tYWxjb3JlXzEwS0JfY2xlYW4ucGRmIEhUVFAvMS4xDQpIb3N0OiA1Ni41My4xMTcuMTE1DQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsY29tcHJlc3MsZGVmbGF0ZQ0KS2VlcC1BbGl2ZTogMzAwDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQoNCg==",
"payload_printable": "GET /malcore_10KB_clean.pdf HTTP/1.1\r\nHost: 56.53.117.115\r\nAccept-Encoding: gzip,compress,deflate\r\nKeep-Alive: 300\r\nConnection: keep-alive\r\n\r\n",
"rev": 4,
"signature": "ET INFO Dotted Quad Host PDF Request",
"signature_id": 2027265,
"stream": 1
},
"version": "1"
},
"http": {
"request": {
"method": "GET"
},
"response": {
"bytes": 1135,
"mime_type": "application/pdf",
"status_code": 200
},
"version": "HTTP/1.1"
},
"network": {
"community_id": "1:8T6+TppVoaMkXwi+BTjnzAYozVc=",
"protocol": "http",
"transport": "tcp"
},
"observer": {
"hostname": "gcenter-clelyo-01.gatewatcher.com",
"product": "gcenter",
"vendor": "gatewatcher",
"version": "2.5.3.103"
},
"related": {
"hosts": [
"56.53.117.115",
"gcenter-clelyo-01.gatewatcher.com"
],
"ip": [
"56.53.117.115",
"65.100.113.120"
]
},
"source": {
"address": "65.100.113.120",
"ip": "65.100.113.120",
"mac": "00:6f:37:76:51:45",
"port": 62832
},
"url": {
"domain": "56.53.117.115",
"path": "/malcore_10KB_clean.pdf"
}
}
{
"message": "{\"observer\": {\"hostname\": \"gcenter-interne-rd-56.gatewatcher.com\", \"product\": \"gcenter\", \"version\": \"2.5.3.103\", \"vendor\": \"gatewatcher\", \"gcap\": {\"hostname\": \"gcap-interne-rd-55.gatewatcher.com\", \"version\": \"2.5.3.107\"}, \"log_format_version\": \"1.0.0\"}, \"event\": {\"kind\": \"metric\", \"dataset\": \"system_metrics\", \"category\": [\"host\"], \"module\": \"sigflow_stats\", \"created\": \"2022-12-14T09:51:30.455Z\", \"id\": \"f14ab432-7e97-4570-a29d-254f41dbb9db\"}, \"ecs\": {\"version\": \"8.6.0\"}, \"stats\": {\"app_layer\": {}, \"tcp\": {}, \"uptime\": 443637, \"ftp\": {}, \"flow_bypassed\": {}, \"decoder\": {}, \"detect\": {}, \"defrag\": {}, \"flow\": {}, \"capture\": {}, \"http\": {}, \"file_store\": {}}, \"@version\": \"1\", \"@timestamp\": \"2022-09-01T10:49:46.643Z\"}",
"event": {
"category": [
"host"
],
"dataset": "system_metrics",
"kind": "metric",
"module": "sigflow_stats"
},
"@timestamp": "2022-09-01T10:49:46.643000Z",
"ecs": {
"version": "8.6.0"
},
"gatewatcher": {
"event": {
"created": "2022-12-14T09:51:30.455000Z",
"id": "f14ab432-7e97-4570-a29d-254f41dbb9db"
},
"observer": {
"gcap": {
"hostname": "gcap-interne-rd-55.gatewatcher.com",
"version": "2.5.3.107"
},
"log_format_version": "1.0.0"
},
"version": "1"
},
"observer": {
"hostname": "gcenter-interne-rd-56.gatewatcher.com",
"product": "gcenter",
"vendor": "gatewatcher",
"version": "2.5.3.103"
},
"related": {
"hosts": [
"gcenter-interne-rd-56.gatewatcher.com"
]
}
}
{
"message": "{\"ecs\": {\"version\": \"8.6.0\"}, \"source\": {\"ip\": \"1.2.3.2\", \"port\": 10000, \"mac\": \"55:55:55:55:99:66\"}, \"@version\": \"1\", \"observer\": {\"vendor\": \"gatewatcher\", \"product\": \"gcenter\", \"gcap\": {\"hostname\": \"hostname.test.fr\", \"version\": \"2.5.4.0-rc9\", \"ingress\": {\"interface\": {\"name\": \"testname\"}}}, \"version\": \"2.5.3.103\", \"hostname\": \"testcenter.test.fr\", \"log_format_version\": \"1.0.0\", \"uuid\": \"06699991-0000-5555-9333-577777771a36\"}, \"dns\": {\"type\": \"answer\", \"response_code\": \"NOERROR\", \"grouped\": {\"CNAME\": [\"test-switcher.test.net\"]}, \"rd\": true, \"qr\": true, \"opcode\": 0, \"answers\": {\"type\": \"CNAME\", \"name\": \"test-switcher.testdesktop.net\", \"data\": [{\"rrname\": \"test-switcher.testdesktop.net\", \"rdata\": \"test-switcher.testdesktop.net\", \"rrtype\": \"CNAME\", \"ttl\": 60}, {\"rrname\": \"test-switcher.testdesktop.net\", \"rrtype\": \"RRSIG\", \"ttl\": 60}]}, \"version\": 2, \"flags\": \"8000\", \"id\": 44444, \"ra\": true}, \"@timestamp\": \"2025-02-05T19:48:47.899Z\", \"destination\": {\"ip\": \"1.1.1.1\", \"port\": 53, \"mac\": \"00:00:00:00:00:0b\"}, \"network\": {\"timestamp\": \"2025-02-05T19:48:07.110939+0000\", \"protocol\": \"dns\", \"community_id\": \"1:MU54UuQZasAsDCTCRRR45553777=\", \"flow_id\": 1196387844666666, \"vlan\": {\"id\": 81}, \"transport\": \"udp\"}, \"event\": {\"kind\": \"event\", \"module\": \"sigflow_dns\", \"category\": [\"network\"], \"created\": \"2025-02-05T19:48:07.110939+0000\", \"id\": \"80baaf15-5d05-45a1-8052-4ac43c472e92\", \"dataset\": \"network_metadata\"}}",
"event": {
"category": [
"network"
],
"dataset": "network_metadata",
"module": "sigflow_dns"
},
"@timestamp": "2025-02-05T19:48:47.899000Z",
"destination": {
"address": "1.1.1.1",
"ip": "1.1.1.1",
"mac": "00:00:00:00:00:0b",
"port": 53
},
"dns": {
"answers": [
{
"name": "test-switcher.testdesktop.net",
"ttl": 60,
"type": "RRSIG"
},
{
"data": "test-switcher.testdesktop.net",
"name": "test-switcher.testdesktop.net",
"ttl": 60,
"type": "CNAME"
}
],
"id": "44444",
"op_code": "0",
"type": "answer"
},
"ecs": {
"version": "8.6.0"
},
"gatewatcher": {
"event": {
"created": "2025-02-05T19:48:07.110939Z",
"id": "80baaf15-5d05-45a1-8052-4ac43c472e92"
},
"network": {
"flow_id": 1196387844666666,
"timestamp": "2025-02-05T19:48:07.110939Z"
},
"observer": {
"gcap": {
"hostname": "hostname.test.fr",
"ingress": {
"interface": {
"name": "testname"
}
},
"version": "2.5.4.0-rc9"
},
"log_format_version": "1.0.0",
"uuid": "06699991-0000-5555-9333-577777771a36"
},
"version": "1"
},
"network": {
"community_id": "1:MU54UuQZasAsDCTCRRR45553777=",
"protocol": "dns",
"transport": "udp",
"vlan": {
"id": "81"
}
},
"observer": {
"hostname": "testcenter.test.fr",
"product": "gcenter",
"vendor": "gatewatcher",
"version": "2.5.3.103"
},
"related": {
"hosts": [
"testcenter.test.fr"
],
"ip": [
"1.1.1.1",
"1.2.3.2"
]
},
"source": {
"address": "1.2.3.2",
"ip": "1.2.3.2",
"mac": "55:55:55:55:99:66",
"port": 10000
}
}
{
"message": "{\"ecs\": {\"version\": \"8.6.0\"}, \"source\": {\"ip\": \"1.2.3.2\", \"port\": 10000, \"mac\": \"55:55:55:55:99:66\"}, \"@version\": \"1\", \"observer\": {\"vendor\": \"gatewatcher\", \"product\": \"gcenter\", \"gcap\": {\"hostname\": \"hostname.test.fr\", \"version\": \"2.5.4.0-rc9\", \"ingress\": {\"interface\": {\"name\": \"testname\"}}}, \"version\": \"2.5.3.103\", \"hostname\": \"testcenter.test.fr\", \"log_format_version\": \"1.0.0\", \"uuid\": \"06699991-0000-5555-9333-577777771a36\"}, \"dns\": {\"type\": \"answer\", \"response_code\": \"NOERROR\", \"grouped\": {\"CNAME\": [\"test-switcher.test.net\"]}, \"rd\": true, \"qr\": true, \"opcode\": 0, \"answers\": {\"type\": \"CNAME\", \"name\": \"test-switcher.testdesktop.net\"}, \"version\": 2, \"flags\": \"8000\", \"id\": 44444, \"ra\": true}, \"@timestamp\": \"2025-02-05T19:48:47.899Z\", \"destination\": {\"ip\": \"1.1.1.1\", \"port\": 53, \"mac\": \"00:00:00:00:00:0b\"}, \"network\": {\"timestamp\": \"2025-02-05T19:48:07.110939+0000\", \"protocol\": \"dns\", \"community_id\": \"1:MU54UuQZasAsDCTCRRR45553777=\", \"flow_id\": 1196387844666666, \"vlan\": {\"id\": 81}, \"transport\": \"udp\"}, \"event\": {\"kind\": \"event\", \"module\": \"sigflow_dns\", \"category\": [\"network\"], \"created\": \"2025-02-05T19:48:07.110939+0000\", \"id\": \"80baaf15-5d05-45a1-8052-4ac43c472e92\", \"dataset\": \"network_metadata\"}}",
"event": {
"category": [
"network"
],
"dataset": "network_metadata",
"module": "sigflow_dns"
},
"@timestamp": "2025-02-05T19:48:47.899000Z",
"destination": {
"address": "1.1.1.1",
"ip": "1.1.1.1",
"mac": "00:00:00:00:00:0b",
"port": 53
},
"dns": {
"answers": [
{
"name": "CNAME",
"type": "test-switcher.testdesktop.net"
}
],
"id": "44444",
"op_code": "0",
"type": "answer"
},
"ecs": {
"version": "8.6.0"
},
"gatewatcher": {
"event": {
"created": "2025-02-05T19:48:07.110939Z",
"id": "80baaf15-5d05-45a1-8052-4ac43c472e92"
},
"network": {
"flow_id": 1196387844666666,
"timestamp": "2025-02-05T19:48:07.110939Z"
},
"observer": {
"gcap": {
"hostname": "hostname.test.fr",
"ingress": {
"interface": {
"name": "testname"
}
},
"version": "2.5.4.0-rc9"
},
"log_format_version": "1.0.0",
"uuid": "06699991-0000-5555-9333-577777771a36"
},
"version": "1"
},
"network": {
"community_id": "1:MU54UuQZasAsDCTCRRR45553777=",
"protocol": "dns",
"transport": "udp",
"vlan": {
"id": "81"
}
},
"observer": {
"hostname": "testcenter.test.fr",
"product": "gcenter",
"vendor": "gatewatcher",
"version": "2.5.3.103"
},
"related": {
"hosts": [
"testcenter.test.fr"
],
"ip": [
"1.1.1.1",
"1.2.3.2"
]
},
"source": {
"address": "1.2.3.2",
"ip": "1.2.3.2",
"mac": "55:55:55:55:99:66",
"port": 10000
}
}
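The helpers below are an added example for this page, not code shipped by Gatewatcher or Sekoia.io. They operate on the raw JSON that GCenter writes into the syslog message body (the `message` value in the samples above) and show three things the samples expose that a triage script has to handle: the base64 `payload` of sigflow and NBA alerts is the byte-exact request, while `payload_printable` is only a rendering; `malcore.engine_id` is a JSON document serialised as a string inside the JSON, so it needs a second parse before the per-engine verdicts can be counted and checked against `total_found`; and field types differ between modules (the retrohunt sample carries ports as strings and an almost empty `observer`). All three input messages are constructed for the example: the NBA alert reuses the request payload from the NBA sample, the malcore event uses a shortened, made-up engine table and an assumed module name `malcore`, and the retrohunt alert copies the string-typed ports of the retrohunt sample.

```python
"""Triage helpers for the raw GCenter message body (ECS log format 1.0.0).

Added example, not Gatewatcher's or Sekoia.io's code. All three messages are
constructed: the NBA alert reuses the payload from the sample above, the
malcore event has a shortened made-up engine table and an assumed module name,
the retrohunt alert copies the string-typed ports of the retrohunt sample.
"""
from __future__ import annotations

import base64
import json

NBA_ALERT = json.dumps({
    "event": {"kind": "alert", "dataset": "alert", "severity": 2, "module": "network_behavior_analytics"},
    "source": {"ip": "10.2.6.250", "port": 50886},
    "destination": {"ip": "13.107.4.52", "port": 80},
    "nba": {
        "signature": "NBA C&C tracker : cobalt strike tcp initialization",
        "signature_id": 2031071,
        "payload": "R0VUIC9jb25uZWN0dGVzdC50eHQgSFRUUC8xLjENClByYWdtYTogbm8tY2FjaGUNClVzZXIt"
                   "QWdlbnQ6IE1pY3Jvc29mdCBOQ1NJDQpIb3N0OiB3d3cubXNmdGNvbm5lY3R0ZXN0LmNvbQ0K"
                   "Q2FjaGUtQ29udHJvbDogbm8tY2FjaGUNCkNvbm5lY3Rpb246IGtlZXAtYWxpdmUNCg0K",
        "payload_printable": "GET /connecttest.txt HTTP/1.1\r\nPragma: no-cache\r\n"
                             "User-Agent: Microsoft NCSI\r\nHost: www.msftconnecttest.com\r\n"
                             "Cache-Control: no-cache\r\nConnection: keep-alive\r\n\r\n",
    },
})

MALCORE_EVENT = json.dumps({
    "event": {"kind": "alert", "dataset": "alert", "module": "malcore"},  # module name assumed
    "source": {"ip": "203.0.113.10", "port": 80},
    "destination": {"ip": "198.51.100.7", "port": 49152},
    "malcore": {
        "state": "Infected", "total_found": "2/4",
        "detail_threat_found": "Infected : Exploit.Flash, SWF/Exploit",
        "engine_id": json.dumps({  # a JSON document serialised inside the JSON
            "0": {"id": "a32935b", "scan_result": "CLEAN", "threat_details": ""},
            "1": {"id": "acf9bba", "scan_result": "INFECTED", "threat_details": "Exploit.Flash"},
            "2": {"id": "n00000e", "scan_result": "NOT_SCANNED", "threat_details": "Unavailable"},
            "3": {"id": "af7872b", "scan_result": "INFECTED", "threat_details": "SWF/Exploit"},
        }),
    },
})

RETROHUNT_ALERT = json.dumps({
    "event": {"kind": "alert", "dataset": "alert", "module": "retrohunt", "severity": 2},
    "observer": {"id": ""}, "ioc": {"id": "1"},
    "source": {"ip": "127.0.0.1", "port": "80"},
    "destination": {"ip": "127.0.0.1", "port": "8080"},
})


def load_event(message: str) -> dict:
    """Parse one message body; reject anything without an ECS event block."""
    evt = json.loads(message)
    if not isinstance(evt.get("event"), dict):
        raise ValueError("not a GCenter ECS event: missing 'event' object")
    return evt


def decode_payload(evt: dict) -> bytes | None:
    """Raw bytes of a sigflow/NBA alert payload, or None when there is none.
    Match on these bytes, not on payload_printable: the printable form has
    non-printable bytes substituted, so it is only exact for ASCII text."""
    for block in ("sigflow", "nba"):
        encoded = evt.get(block, {}).get("payload")
        if encoded:
            return base64.b64decode(encoded, validate=True)
    return None


def malcore_verdicts(evt: dict) -> dict[str, int]:
    """Per-engine scan_result counts; engine_id needs a second json.loads."""
    counts: dict[str, int] = {}
    for entry in json.loads(evt["malcore"]["engine_id"]).values():
        counts[entry["scan_result"]] = counts.get(entry["scan_result"], 0) + 1
    return counts


def malcore_threats(evt: dict) -> list[str]:
    """Sorted threat names from the engines that flagged the file."""
    table = json.loads(evt["malcore"]["engine_id"])
    return sorted(e["threat_details"] for e in table.values() if e["scan_result"] == "INFECTED")


def malcore_is_consistent(evt: dict) -> bool:
    """Check total_found ("infected/engines") against the engine table."""
    found, engines = (int(x) for x in evt["malcore"]["total_found"].split("/"))
    counts = malcore_verdicts(evt)
    return counts.get("INFECTED", 0) == found and sum(counts.values()) == engines


def _endpoint(side: dict) -> str:
    port = side.get("port")  # int in most modules, a string in retrohunt alerts
    return f"{side.get('ip')}:{int(port)}" if port is not None else str(side.get("ip"))


def triage(evt: dict) -> dict:
    """Flat summary for a queue: who, what, how bad, from which detector."""
    ev = evt["event"]
    detail = ((evt.get("nba") or evt.get("sigflow") or {}).get("signature")
              or evt.get("malcore", {}).get("detail_threat_found")
              or evt.get("ioc", {}).get("id"))
    return {"kind": ev.get("kind"), "module": ev.get("module"), "severity": ev.get("severity"),
            "src": _endpoint(evt.get("source", {})), "dst": _endpoint(evt.get("destination", {})),
            "detail": detail}
```

`load_event` rejects bodies without an `event` object so that a forwarder hiccup (a truncated or non-JSON line) fails loudly instead of producing an empty triage record; the other helpers expect its return value. `event.severity` is passed through unchanged because this page does not define the numeric scale.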
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. Note that inferred fields are not listed.
Name | Type | Description |
---|---|---|
@timestamp | date | Date/time when the event originated. |
destination.ip | ip | IP address of the destination. |
destination.mac | keyword | MAC address of the destination. |
destination.port | long | Port of the destination. |
dns.answers | object | Array of DNS answers. |
dns.id | keyword | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. |
dns.op_code | keyword | The DNS operation code that specifies the kind of query in the message. |
dns.type | keyword | The type of DNS event captured, query or answer. |
ecs.version | text | version of ECS used (mandatory field) |
email.attachments | nested | List of objects describing the attachments. |
email.from.address | keyword | The sender's email address. |
email.message_id | wildcard | Value from the Message-ID header. |
email.subject | keyword | The subject of the email message. |
email.to.address | keyword | Email address of recipient |
event.category | keyword | Event category. The second categorization field in the hierarchy. |
event.dataset | keyword | Name of the dataset. |
event.kind | keyword | The kind of the event. The highest categorization field in the hierarchy. |
event.module | keyword | Name of the module this data is coming from. |
event.severity | long | Numeric severity of the event. |
file.hash.md5 | keyword | MD5 hash. |
file.hash.sha1 | keyword | SHA1 hash. |
file.hash.sha256 | keyword | SHA256 hash. |
file.name | keyword | Name of the file including the extension, without the directory. |
file.size | long | File size in bytes. |
gatewatcher.beacon.active | text | beacon active field |
gatewatcher.beacon.hostname_resolution | text | beacon hostname_resolution field |
gatewatcher.beacon.id | text | beacon id field |
gatewatcher.beacon.mean_time_interval | text | beacon mean_time_interval |
gatewatcher.beacon.possible_cnc | text | beacon possible_cnc field |
gatewatcher.beacon.session_count | text | beacon session_count field |
gatewatcher.beacon.type | text | beacon type field |
gatewatcher.dcerpc.call_id | number | dcerpc call_id field |
gatewatcher.dcerpc.interfaces | text | dcerpc interfaces field |
gatewatcher.dcerpc.req | text | dcerpc req field |
gatewatcher.dcerpc.request | text | dcerpc request field |
gatewatcher.dcerpc.res | text | dcerpc res field |
gatewatcher.dcerpc.response | text | dcerpc response field |
gatewatcher.dcerpc.rpc_version | text | dcerpc rpc_version field |
gatewatcher.dga.dga_count | text | dga dga_count field |
gatewatcher.dga.dga_ratio | text | dga dga_ratio field |
gatewatcher.dga.malware_behavior_confidence | text | dga malware_behavior_confidence field |
gatewatcher.dga.nx_domain_count | text | dga nx_domain_count field |
gatewatcher.dga.top_DGA | text | dga top_DGA field |
gatewatcher.dhcp.assigned_ip | ip | dhcp assigned_ip field |
gatewatcher.dhcp.client_ip | ip | dhcp client_ip field |
gatewatcher.dhcp.client_mac | text | dhcp client_mac field |
gatewatcher.dhcp.dhcp_type | text | dhcp dhcp_type field |
gatewatcher.dhcp.dns_servers | text | dhcp dns_servers field |
gatewatcher.dhcp.hostname | text | dhcp hostname field |
gatewatcher.dhcp.id | number | dhcp id field |
gatewatcher.dhcp.lease_time | number | dhcp lease_time field |
gatewatcher.dhcp.next_server_ip | ip | dhcp next_server_ip field |
gatewatcher.dhcp.relay_ip | ip | dhcp relay_ip field |
gatewatcher.dhcp.routers | text | dhcp routers field |
gatewatcher.dhcp.subnet_mask | ip | dhcp subnet_mask field |
gatewatcher.dhcp.type | text | dhcp type field |
gatewatcher.dnp3.application | text | dnp3 application field |
gatewatcher.dnp3.control | text | dnp3 control field |
gatewatcher.dnp3.dst | number | dnp3 dst field |
gatewatcher.dnp3.iin | text | dnp3 iin field |
gatewatcher.dnp3.src | text | dnp3 src field |
gatewatcher.dnp3.type | text | dnp3 type field |
gatewatcher.email.body_md5 | text | smtp email subject_md5 field |
gatewatcher.email.status | text | email status field |
gatewatcher.email.subject_md5 | text | smtp subject_md5 field |
gatewatcher.event.created | datetime | Event created field |
gatewatcher.event.id | text | Event id field |
gatewatcher.file.file_id | number | file file_id field |
gatewatcher.file.gaps | boolean | file gaps field |
gatewatcher.file.magic | text | File magic field |
gatewatcher.file.sid | text | file sid array field |
gatewatcher.file.state | text | File state field |
gatewatcher.file.stored | boolean | File stored field |
gatewatcher.file.tx_id | number | file tx_id field |
gatewatcher.files | text | files field |
gatewatcher.flow.bytes_toclient | number | flow bytes_toclient field |
gatewatcher.flow.bytes_toserver | number | flow bytes_toserver field |
gatewatcher.flow.pkts_toclient | number | flow pkts_toclient field |
gatewatcher.flow.pkts_toserver | number | flow pkts_toserver field |
gatewatcher.flow.start | datetime | flow start field |
gatewatcher.ftp.completion_code | text | ftp completion_code field |
gatewatcher.ftp.reply | text | ftp reply field |
gatewatcher.ftp.reply_received | text | ftp reply_received field |
gatewatcher.ftp.reply_truncated | boolean | ftp reply_truncated field |
gatewatcher.ftp_data.command | text | ftp_data command field |
gatewatcher.ftp_data.filename | text | ftp_data filename field |
gatewatcher.history.code | number | history code field |
gatewatcher.history.content | text | history content field |
gatewatcher.history.endpoint | text | history endpoint field |
gatewatcher.history.id | number | history id field |
gatewatcher.history.ip | ip | history ip field |
gatewatcher.history.method | text | history method field |
gatewatcher.history.name | text | history name field |
gatewatcher.history.type | text | history type field |
gatewatcher.http.accept | text | http accept metadata field |
gatewatcher.http.accept_language | text | http accept language field |
gatewatcher.http.hostname | text | http hostname field metadata |
gatewatcher.http.http_refer | text | http_refer field |
gatewatcher.ikev2.errors | number | ikev2 errors field |
gatewatcher.ikev2.exchange_type | number | ikev2 exchange_type field |
gatewatcher.ikev2.init_spi | text | ikev2 init_spi field |
gatewatcher.ikev2.message_id | number | ikev2 message_id field |
gatewatcher.ikev2.notify | text | ikev2 notify field |
gatewatcher.ikev2.payload | text | ikev2 payload field |
gatewatcher.ikev2.resp_spi | text | ikev2 resp_spi field |
gatewatcher.ikev2.role | text | ikev2 role field |
gatewatcher.ikev2.version_major | number | ikev2 version_major field |
gatewatcher.ikev2.version_minor | number | ikev2 version_minor field |
gatewatcher.ioc.campaigns | text | ioc campaigns field |
gatewatcher.ioc.case_id | text | ioc case_id field |
gatewatcher.ioc.categories | text | ioc categories field |
gatewatcher.ioc.creation_date | datetime | ioc creation_date field |
gatewatcher.ioc.description | text | ioc description field |
gatewatcher.ioc.external_links | text | ioc external_links field |
gatewatcher.ioc.families | text | ioc families field |
gatewatcher.ioc.kill_chain_phases | text | ioc kill_chain_phases field |
gatewatcher.ioc.meta_data.cwe | text | ioc meta_data cwe field |
gatewatcher.ioc.meta_data.descriptions | text | ioc meta_data descriptions field |
gatewatcher.ioc.meta_data.usageMode | text | ioc meta_data usageMode field |
gatewatcher.ioc.package_date | datetime | ioc package_date field |
gatewatcher.ioc.relations | text | ioc relations field |
gatewatcher.ioc.signature | text | ioc signature field |
gatewatcher.ioc.tags | text | ioc tags field |
gatewatcher.ioc.targeted_countries | text | ioc targeted_countries field |
gatewatcher.ioc.targeted_organizations | text | ioc targeted_organizations field |
gatewatcher.ioc.targeted_platforms | text | ioc targeted_platforms field |
gatewatcher.ioc.targeted_sectors | text | ioc targeted_sectors field |
gatewatcher.ioc.threat_actor | text | ioc threat_actor field |
gatewatcher.ioc.updated_date | datetime | ioc updated_date field |
gatewatcher.ioc.usage_mode | text | ioc usage_mode field |
gatewatcher.krb5.cname | text | krb5 cname field |
gatewatcher.krb5.encryption | text | krb5 encryption field |
gatewatcher.krb5.error_code | text | krb5 error_code field |
gatewatcher.krb5.failed_request | text | krb5 failed_request field |
gatewatcher.krb5.msg_type | text | krb5 msg_type field |
gatewatcher.krb5.realm | text | krb5 realm field |
gatewatcher.krb5.sname | text | krb5 sname field |
gatewatcher.krb5.weak_encryption | boolean | krb5 weak_encryption field |
gatewatcher.malcore.analyzed_clean | number | malcore analyzed_clean field |
gatewatcher.malcore.analyzed_error | number | malcore analyzed_error field |
gatewatcher.malcore.analyzed_infected | number | malcore analyzed_infected field |
gatewatcher.malcore.analyzed_other | number | malcore analyzed_other field |
gatewatcher.malcore.analyzed_suspicious | number | malcore analyzed_suspicious field |
gatewatcher.malcore.analyzers_up | number | malcore analyzers_up field |
gatewatcher.malcore.code | keyword | malcore code field |
gatewatcher.malcore.detail_scan_time | number | malcore detail_scan_time field |
gatewatcher.malcore.detail_threat_found | text | malcore detail_threat_found field |
gatewatcher.malcore.detail_wait_time | number | malcore detail_wait_time field |
gatewatcher.malcore.engine_id | text | malcore engine_id field |
gatewatcher.malcore.engines_last_update_date | datetime | malcore engines_last_update_date field |
gatewatcher.malcore.file_type | text | malcore file_type field |
gatewatcher.malcore.file_type_description | text | malcore file_type_description field |
gatewatcher.malcore.magic_details | text | malcore magic_details field |
gatewatcher.malcore.processing_time | number | malcore processing_time field |
gatewatcher.malcore.reporting_token | text | malcore reporting_token field |
gatewatcher.malcore.state | text | malcore state field |
gatewatcher.malcore.total_found | text | malcore total_found field |
gatewatcher.malicious_powershell.id | text | malicious_powershell id field |
gatewatcher.malicious_powershell.proba_obfuscated | number | malicious_powershell proba_obfuscated field |
gatewatcher.malicious_powershell.sample_id | text | malicious_powershell sample_id field |
gatewatcher.malicious_powershell.score | number | malicious_powershell score field |
gatewatcher.malicious_powershell.score_details_text | text | malicious_powershell score_details field |
gatewatcher.matched_event.file.gaps | text | matched_event file gaps field |
gatewatcher.matched_event.file.hash.md5 | text | matched_event file hash md5 field |
gatewatcher.matched_event.file.hash.sha256 | text | matched_event file hash sha256 field |
gatewatcher.matched_event.file.magic | text | matched_event file magic field |
gatewatcher.matched_event.file.name | text | matched_event file name field |
gatewatcher.matched_event.file.sid | text | matched_event file sid field |
gatewatcher.matched_event.file.size | text | matched_event file size field |
gatewatcher.matched_event.file.state | text | matched_event file state field |
gatewatcher.matched_event.file.stored | text | matched_event file stored field |
gatewatcher.matched_event.file.tx_id | text | matched_event file tx_id field |
gatewatcher.matched_event.id | text | matched_event id field |
gatewatcher.metadata.flowbits | text | metadata flowbits field |
gatewatcher.mqtt.connack | text | mqtt connack field |
gatewatcher.nba.action | text | nba action field |
gatewatcher.nba.category | text | nba category field |
gatewatcher.nba.gid | text | nba gid field |
gatewatcher.nba.metadata.performance_impact | text | nba metadata performance_impact field |
gatewatcher.nba.metadata.signature_severity | text | nba metadata signature_severity field |
gatewatcher.nba.packet | text | nba packet field |
gatewatcher.nba.payload | text | nba payload field |
gatewatcher.nba.payload_printable | text | nba payload_printable field |
gatewatcher.nba.rev | text | nba rev field |
gatewatcher.nba.signature | text | nba signature field |
gatewatcher.nba.signature_id | text | nba signature_id field |
gatewatcher.nba.stream | text | nba stream field |
gatewatcher.network.flow_id | number | Gatewatcher specific flow_id for network part |
gatewatcher.network.timestamp | datetime | Network timestamp field |
gatewatcher.network.tx_id | number | tx_id network field |
gatewatcher.nfs.file_tx | boolean | nfs file_tx field |
gatewatcher.nfs.filename | text | nfs filename field |
gatewatcher.nfs.hhash | text | nfs hhash field |
gatewatcher.nfs.id | number | nfs id field |
gatewatcher.nfs.procedure | text | nfs procedure field |
gatewatcher.nfs.status | text | nfs status field |
gatewatcher.nfs.type | text | nfs type field |
gatewatcher.nfs.version | number | nfs version field |
gatewatcher.notification.component | text | notification component field |
gatewatcher.notification.description | text | notification description field |
gatewatcher.notification.details | text | notification details field |
gatewatcher.notification.external_redirection | text | notification external_redirection field |
gatewatcher.notification.internal_redirection | text | notification internal_redirection field |
gatewatcher.notification.resolution | text | notification resolution field |
gatewatcher.notification.risk | number | notification risk field |
gatewatcher.notification.title | text | notification title field |
gatewatcher.observer.gcap.hostname | text | GCap hostname field |
gatewatcher.observer.gcap.ingress.interface.name | text | Gatewatcher ingress interface name |
gatewatcher.observer.gcap.version | text | GCap version observer field |
gatewatcher.observer.log_format_version | text | Observer log format version field |
gatewatcher.observer.uuid | text | Observer UUID field |
gatewatcher.ransomware.alert_threshold | text | ransomware alert_threshold field |
gatewatcher.ransomware.malicious_behavior_confidence | text | ransomware malicious_behavior_confidence field |
gatewatcher.ransomware.session_score | text | ransomware session_score field |
gatewatcher.rdp.channels | text | rdp channels field |
gatewatcher.rdp.client | text | rdp client field |
gatewatcher.rdp.cookie | text | rdp cookie field |
gatewatcher.rdp.event_type | text | rdp event_type field |
gatewatcher.rdp.protocol | text | rdp protocol field |
gatewatcher.rdp.server_supports | text | rdp server_supports field |
gatewatcher.rdp.tx_id | number | rdp tx_id field |
gatewatcher.rfb.authentication | text | rfb authentication field |
gatewatcher.rfb.client_protocol_version | text | rfb client_protocol_version field |
gatewatcher.rfb.server_protocol_version | text | rfb server_protocol_version field |
gatewatcher.rfb.server_security_failure_reason | text | rfb server_security_failure_reason field |
gatewatcher.shellcode.analysis_text | text | shellcode analysis field |
gatewatcher.shellcode.encodings | array | shellcode encodings field |
gatewatcher.shellcode.id | text | shellcode id field |
gatewatcher.shellcode.sample_id | text | shellcode sample_id field |
gatewatcher.shellcode.sub_type | text | shellcode sub_type field |
gatewatcher.sigflow.action | text | sigflow action field |
gatewatcher.sigflow.category | text | sigflow category field |
gatewatcher.sigflow.gid | number | sigflow gid field |
gatewatcher.sigflow.metadata | text | sigflow metadata field |
gatewatcher.sigflow.packet | text | sigflow packet field |
gatewatcher.sigflow.payload | text | sigflow payload field |
gatewatcher.sigflow.payload_printable | text | sigflow payload_printable field |
gatewatcher.sigflow.rev | number | sigflow rev field |
gatewatcher.sigflow.signature | text | sigflow signature field |
gatewatcher.sigflow.signature_id | number | sigflow signature_id field |
gatewatcher.sigflow.stream | number | sigflow stream field |
gatewatcher.sip.method | text | sip method field |
gatewatcher.sip.request_line | text | sip request_line field |
gatewatcher.sip.uri | text | sip uri field |
gatewatcher.sip.version | text | sip version field |
gatewatcher.smb.command | text | smb command field |
gatewatcher.smb.dialect | text | smb dialect field |
gatewatcher.smb.id | number | smb id field |
gatewatcher.smb.session_id | number | smb session id field |
gatewatcher.smb.status | text | smb status field |
gatewatcher.smb.status_code | text | smb status_code field |
gatewatcher.smb.tree_id | number | smb tree_id field |
gatewatcher.smtp.helo | text | smtp helo field |
gatewatcher.smtp.mail_from | text | smtp mail from field |
gatewatcher.smtp.rcpt_to | text | smtp recipients field |
gatewatcher.snmp.community | text | snmp community field |
gatewatcher.snmp.pdu_type | text | snmp pdu_type field |
gatewatcher.snmp.vars | text | snmp vars field |
gatewatcher.snmp.version | number | snmp version field |
gatewatcher.ssh.client.hassh | text | ssh client hassh field |
gatewatcher.ssh.client.proto_version | text | ssh client proto_version field |
gatewatcher.ssh.client.software_version | text | ssh client software_version field |
gatewatcher.ssh.server.hassh | text | ssh server hassh field |
gatewatcher.ssh.server.proto_version | text | ssh server proto_version field |
gatewatcher.ssh.server.software_version | text | ssh server software_version field |
gatewatcher.syslog.facility.code | text | syslog facility code field |
gatewatcher.syslog.facility.name | text | syslog facility name field |
gatewatcher.syslog.message | text | syslog message field |
gatewatcher.syslog.priority | text | syslog priority field |
gatewatcher.syslog.severity.name | text | syslog severity name field |
gatewatcher.tftp.file | text | tftp file field |
gatewatcher.tftp.mode | text | tftp mode field |
gatewatcher.tftp.packet | text | tftp packet field |
gatewatcher.user_agent.major | text | user_agent major field |
gatewatcher.user_agent.minor | text | user_agent minor field |
gatewatcher.user_agent.os.major | text | user_agent os major field |
gatewatcher.user_agent.patch | text | user_agent patch field |
gatewatcher.version | text | @version field |
http.request.method | keyword | HTTP request method. |
http.request.mime_type | keyword | Mime type of the body of the request. |
http.response.bytes | long | Total size in bytes of the response (body and headers). |
http.response.mime_type | keyword | Mime type of the body of the response. |
http.response.status_code | long | HTTP response status code. |
http.version | keyword | HTTP version. |
network.application | keyword | Application level protocol name. |
network.community_id | keyword | A hash of source and destination IPs and ports. |
network.protocol | keyword | Application protocol name. |
network.transport | keyword | Protocol Name corresponding to the field iana_number. |
network.vlan.id | keyword | VLAN ID as reported by the observer. |
network.vlan.name | keyword | Optional VLAN name as reported by the observer. |
observer.hostname | keyword | Hostname of the observer. |
observer.product | keyword | The product name of the observer. |
observer.vendor | keyword | Vendor name of the observer. |
observer.version | keyword | Observer version. |
source.ip | ip | IP address of the source. |
source.mac | keyword | MAC address of the source. |
source.port | long | Port of the source. |
threat.indicator.marking.tlp | keyword | Indicator TLP marking |
threat.indicator.type | keyword | Type of indicator |
tls.client.server_name | keyword | Hostname the client is trying to connect to. Also called the SNI. |
tls.server.certificate | keyword | PEM-encoded stand-alone certificate offered by the server. |
tls.server.certificate_chain | keyword | Array of PEM-encoded certificates that make up the certificate chain offered by the server. |
tls.server.hash.md5 | keyword | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. |
tls.server.hash.sha1 | keyword | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. |
tls.server.hash.sha256 | keyword | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. |
tls.server.issuer | keyword | Subject of the issuer of the x.509 certificate presented by the server. |
tls.server.subject | keyword | Subject of the x.509 certificate presented by the server. |
tls.version | keyword | Numeric part of the version parsed from the original string. |
url.domain | keyword | Domain of the url. |
url.full | wildcard | Full unparsed URL. |
url.path | wildcard | Path of the request, such as "/search". |
user_agent.device.name | keyword | Name of the device. |
user_agent.name | keyword | Name of the user agent. |
user_agent.original | keyword | Unparsed user_agent string. |
user_agent.os.family | keyword | OS family (such as redhat, debian, freebsd, windows). |
user_agent.os.name | keyword | Operating system name, without the version. |
user_agent.os.version | keyword | Operating system version as a raw string. |
user_agent.version | keyword | Version of the user agent. |
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.
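The table describes `network.community_id` as a hash of the source and destination IPs and ports, and `related.ip` as the list that lets you pivot on either endpoint. The following added example, which is not part of the Sekoia.io parser or of Gatewatcher's code, shows how a detection engineer can sanity-check one normalized event against those two fields: it recomputes the Community ID v1 flow hash (the public Corelight scheme, "1:" followed by the base64 SHA-1 of the ordered tuple, ICMP type/code mapping left out) and checks that both endpoints appear in `related.ip`. The event is constructed here, modeled on the sample above; the `destination` block and the `community_id` value are assumptions, since the sample's own values are test data.

```python
"""Consistency checks for ECS-normalised Gatewatcher events (added example)."""
import base64
import copy
import hashlib
import ipaddress
import struct
from typing import List

# IANA protocol numbers; only the first three carry ports into the hash.
_PORTED = {"tcp", "udp", "sctp"}
_PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "sctp": 132}


def community_id_v1(saddr: str, daddr: str, transport: str,
                    sport: int = 0, dport: int = 0, seed: int = 0) -> str:
    """Compute a Community ID v1 flow hash: "1:" + base64(sha1(ordered tuple)).

    The tuple is ordered (lower address first, lower port on a tie) so that
    both directions of the same flow produce the same identifier.
    """
    sip, dip = ipaddress.ip_address(saddr), ipaddress.ip_address(daddr)
    if sip.version != dip.version:
        raise ValueError("mixed IPv4/IPv6 endpoints")
    proto = _PROTO_NUMBERS.get(transport.lower())
    if proto is None:
        raise ValueError(f"unsupported transport {transport!r}")
    ported = transport.lower() in _PORTED
    if ported and not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    if sip > dip or (sip == dip and ported and sport > dport):
        sip, dip, sport, dport = dip, sip, dport, sport
    data = struct.pack("!H", seed) + sip.packed + dip.packed + struct.pack("!BB", proto, 0)
    if ported:
        data += struct.pack("!HH", sport, dport)
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def check_event(event: dict) -> List[str]:
    """Return the problems found in one event (empty list means consistent)."""
    problems: List[str] = []
    src = event.get("source", {})
    dst = event.get("destination", {})
    related_ips = set(event.get("related", {}).get("ip", []))
    for side, endpoint in (("source", src), ("destination", dst)):
        ip = endpoint.get("ip")
        if ip is None:
            problems.append(f"{side}.ip is missing")
            continue
        if ip not in related_ips:
            problems.append(f"{side}.ip {ip} is not listed in related.ip")
        if endpoint.get("address") not in (None, ip):
            problems.append(f"{side}.address does not mirror {side}.ip")
    net = event.get("network", {})
    if "ip" in src and "ip" in dst and net.get("transport"):
        try:
            expected = community_id_v1(src["ip"], dst["ip"], net["transport"],
                                       src.get("port", 0), dst.get("port", 0))
        except ValueError as exc:
            problems.append(f"cannot recompute network.community_id: {exc}")
        else:
            if net.get("community_id") != expected:
                problems.append("network.community_id does not match the flow tuple")
    return problems


# Constructed event modeled on the page's sample (destination block assumed).
SAMPLE_EVENT = {
    "network": {"protocol": "dns", "transport": "udp", "vlan": {"id": "81"}},
    "observer": {"hostname": "testcenter.test.fr", "product": "gcenter",
                 "vendor": "gatewatcher", "version": "2.5.3.103"},
    "related": {"hosts": ["testcenter.test.fr"], "ip": ["1.1.1.1", "1.2.3.2"]},
    "source": {"address": "1.2.3.2", "ip": "1.2.3.2",
               "mac": "55:55:55:55:99:66", "port": 10000},
    "destination": {"address": "1.1.1.1", "ip": "1.1.1.1", "port": 53},
}
SAMPLE_EVENT["network"]["community_id"] = community_id_v1("1.2.3.2", "1.1.1.1", "udp", 10000, 53)

# Same event with a stale flow hash and an incomplete related.ip (constructed).
BROKEN_EVENT = copy.deepcopy(SAMPLE_EVENT)
BROKEN_EVENT["network"]["community_id"] = "1:placeholder-not-a-real-hash="
BROKEN_EVENT["related"]["ip"] = ["1.1.1.1"]

if __name__ == "__main__":
    for name, ev in (("sample", SAMPLE_EVENT), ("broken", BROKEN_EVENT)):
        print(name, check_event(ev) or "ok")
```

Because the hash is direction-independent, the same value ties together the query and the response of the DNS flow in the sample, which is what makes `network.community_id` usable for joining Gatewatcher events with flow records from other sensors.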