Skip to content

Gatewatcher AionIQ

Overview

Gatewatcher AionIQ is a detection and response platform for your network that identifies malicious actions and suspicious behaviors.

Event Categories

The following table lists the data source offered by this integration.

Data Source Description
Network intrusion detection system AIONIQ identify suspicious behaviors
Network protocol analysis AIONIQ analyze traffic protocol

In details, the following table denotes the type of events produced by this integration.

Name Values
Kind ``
Category malware, network
Type info

Event Samples

Find below few samples of events and how they are normalized by SEKOIA.IO.

{
    "message": "{\"@timestamp\":\"2022-06-03T15:00:20.531Z\",\"detail_wait_time\":18,\"event_type\":\"malware\",\"total_found\":\"3/16\",\"type\":\"malcore\",\"analyzed_clean\":13,\"analyzed_error\":0,\"SHA256\":\"2c36fbcbac3e57df410f6613180fe572015adba62d0f1bd98c13a1535d64703c\",\"dest_port\":49804,\"timestamp\":\"2022-06-03T14:59:08.780474+0000\",\"state\":\"Infected\",\"engine_id\":{\"3\":{\"scan_result\":\"CLEAN\",\"id\":\"312a189607571ec2c7544636be405f10889e73d061e0ed77ca0eca97a470838d\",\"threat_details\":\"\"},\"4\":{\"scan_result\":\"INFECTED\",\"id\":\"32f2f45e6d9faf46e6954356a710208d412fac5181f6c641e34cb9956a133684\",\"threat_details\":\"Win32/Exploit.CVE-2022-30190.A trojan\"},\"6\":{\"scan_result\":\"CLEAN\",\"id\":\"4ca73ae4b92fd7ddcda418e6b70ced0481ac2d878c48e61b686d0c9573c331dc\",\"threat_details\":\"\"},\"10\":{\"scan_result\":\"CLEAN\",\"id\":\"a9b912e461cec506780d8ad8e785cca6b233ad7c72335c262b0a4ab189afa713\",\"threat_details\":\"\"},\"13\":{\"scan_result\":\"CLEAN\",\"id\":\"b14014e40c0e672e050ad9c210a68a5303ce7facabae9eb2ee07ddf97dc0da0e\",\"threat_details\":\"\"},\"2\":{\"scan_result\":\"CLEAN\",\"id\":\"0ff95ddb1117d8f36124f6eac406dbbf9f17e3dd89f9bb1bd600f6ad834c25db\",\"threat_details\":\"\"},\"12\":{\"scan_result\":\"CLEAN\",\"id\":\"af6868a2b87b3388a816e09d2b282629ccf883b763b3691368a27fbd6f6cd51a\",\"threat_details\":\"\"},\"1\":{\"scan_result\":\"INFECTED\",\"id\":\"054a20c51cbe9d2cc7d6a237d6cd4e08ab1a67e170b371e632995766d3ba81af\",\"threat_details\":\"Exploit/HTML.CVE-2022-30190.S1841\"},\"14\":{\"scan_result\":\"CLEAN\",\"id\":\"ecc47e2309be9838d6dc2c5157be1a840950e943f5aaca6637afca11516c3eaf\",\"threat_details\":\"\"},\"9\":{\"scan_result\":\"CLEAN\",\"id\":\"95603b80d80fa3e98b6faf07418a55ed0b035d19209e3ad4f1858f6b46fa070a\",\"threat_details\":\"\"},\"15\":{\"scan_result\":\"CLEAN\",\"id\":\"fe665976a02d03734c321007328109ab66823b260a8eea117d2ab49ee9dfd3f1\",\"threat_details\":\"\"},\"7\":{\"scan_result\":\"CLEAN\",\"id\":\"527db072abcf877d4bdcd0e9e4ce12c5d769621aa65dd2f7697a3d67de6cc737\",\"threat_details\":\"\"},\"5\":{\"scan_result\":\"SUSPICIOUS\",\"id\":\"3bfeb615a695c5ebaac5ade948ffae0c3cfec3787d4625e3abb27fa3c2867f53\",\"threat_details\":\"HEUR:Exploit.Script.Generic\"},\"0\":{\"scan_result\":\"CLEAN\",\"id\":\"038e407ba285f0e01dd30c6e4f77ec19bad5ed3dc866a2904ae6bf46baa14b74\",\"threat_details\":\"\"},\"8\":{\"scan_result\":\"CLEAN\",\"id\":\"714eca0a6475fe7d2bf9a24bcae343f657b230ff68acd544b019574f1392de77\",\"threat_details\":\"\"},\"11\":{\"scan_result\":\"CLEAN\",\"id\":\"ad05e0dc742bcd6251af91bd07ef470c699d5aebbb2055520b07021b14d7380c\",\"threat_details\":\"\"}},\"detail_threat_found\":\"Infected : Exploit/HTML.CVE-2022-30190.S1841, Win32/Exploit.CVE-2022-30190.A trojan, HEUR:Exploit.Script.Generic\",\"analyzed_suspicious\":1,\"fileinfo\":{\"tx_id\":0,\"magic\":\"HTML document, ASCII text, with very long lines\",\"gaps\":false,\"md5\":\"16e3fcee85f81ec9e9c75dd13fb08c01\",\"sha256\":\"2c36fbcbac3e57df410f6613180fe572015adba62d0f1bd98c13a1535d64703c\",\"file_id\":1,\"sid\":[1100029],\"state\":\"CLOSED\",\"size\":6105,\"stored\":true,\"filename\":\"/exploit.html\"},\"host\":\"network.internal\",\"src_port\":80,\"flow_id\":1686930575880829,\"processing_time\":359,\"file_type_description\":\"Not available\",\"timestamp_analyzed\":\"2022-06-03T15:00:20.531Z\",\"dest_ip\":\"1.2.3.4\",\"reporting_token\":\"No GBOX\",\"severity\":1,\"gcenter\":[\"gcenter-nti.gatewatcher.com\",\"gcenter-nti.gatewatcher.com\"],\"analyzed_other\":0,\"analyzed_infected\":2,\"app_proto\":\"http\",\"detail_scan_time\":341,\"src_ip\":\"9.8.7.6\",\"magic_details\":\"HTML document, ASCII text, with very long lines\",\"proto\":\"TCP\",\"http\":{\"protocol\":\"HTTP/1.1\",\"hostname\":\"www.xmlformats.com\",\"http_content_type\":\"text/html\",\"length\":2485,\"http_user_agent\":\"Mozilla/4.0 (compatible; ms-office; MSOffice 16)\",\"http_method\":\"GET\",\"url\":\"/exploit.html\",\"status\":200},\"timestamp_detected\":\"2022-06-03T14:59:08.780Z\",\"analyzers_up\":16,\"file_type\":\"Not available\",\"in_iface\":\"monvirt\",\"code\":1,\"engines_last_update_date\":\"2022-06-01T21:22:55Z\",\"gcap\":\"gcap-nti.gatewatcher.com\",\"uuid\":\"73a1884d-94a6-4800-9b08-6daa3281ce8f\"}",
    "event": {
        "category": [
            "malware"
        ],
        "type": [
            "info"
        ],
        "severity": 1,
        "kind": "event"
    },
    "@timestamp": "2022-06-03T15:00:20.531000Z",
    "source": {
        "ip": "9.8.7.6",
        "port": 80,
        "address": "9.8.7.6"
    },
    "destination": {
        "ip": "1.2.3.4",
        "port": 49804,
        "address": "1.2.3.4"
    },
    "observer": {
        "name": "gcap-nti.gatewatcher.com",
        "version": "0.2",
        "hostname": "network.internal",
        "type": "firewall"
    },
    "network": {
        "transport": "TCP",
        "protocol": "http"
    },
    "gatewatcher": {
        "type": "malcore",
        "state": "Infected",
        "gcenter": [
            "gcenter-nti.gatewatcher.com",
            "gcenter-nti.gatewatcher.com"
        ],
        "gcap": "gcap-nti.gatewatcher.com",
        "flow_id": "1686930575880829",
        "timestamp_analyzed": "2022-06-03T15:00:20.531Z",
        "timestamp_detected": "2022-06-03T14:59:08.780Z",
        "event_type": "malware",
        "malcore": {
            "code": "1",
            "detail_threat_found": "Infected : Exploit/HTML.CVE-2022-30190.S1841, Win32/Exploit.CVE-2022-30190.A trojan, HEUR:Exploit.Script.Generic"
        },
        "reporting_token": "No GBOX"
    },
    "file": {
        "name": "/exploit.html",
        "size": 6105,
        "hash": {
            "md5": "16e3fcee85f81ec9e9c75dd13fb08c01",
            "sha256": "2c36fbcbac3e57df410f6613180fe572015adba62d0f1bd98c13a1535d64703c"
        }
    },
    "url": {
        "path": "/exploit.html",
        "domain": "www.xmlformats.com",
        "top_level_domain": "com",
        "subdomain": "www",
        "registered_domain": "xmlformats.com"
    },
    "http": {
        "request": {
            "method": "GET"
        },
        "response": {
            "status_code": 200
        }
    },
    "user_agent": {
        "original": "Mozilla/4.0 (compatible; ms-office; MSOffice 16)"
    },
    "related": {
        "hash": [
            "16e3fcee85f81ec9e9c75dd13fb08c01",
            "2c36fbcbac3e57df410f6613180fe572015adba62d0f1bd98c13a1535d64703c"
        ],
        "hosts": [
            "network.internal"
        ],
        "ip": [
            "1.2.3.4",
            "9.8.7.6"
        ]
    }
}
{
    "message": "{\"@timestamp\":\"2022-06-03T14:59:41.373Z\",\"gcenter\":[\"gcenter-sekoia.gatewatcher.com\",\"gcenter-sekoia.gatewatcher.com\"],\"event_type\":\"alert\",\"payload\":\"SFRUUC8xLjEgMjAwIE9LCkRhdGU6IFRodSwgMDIgSnVuIDIwMjIgMjI6Mzc6MjIgR01UClNlcnZlcjogQXBhY2hlLzIuNC40MSAoVWJ1bnR1KQpMYXN0LU1vZGlmaWVkOiBUaHUsIDAyIEp1biAyMDIyIDIyOjMwOjM0IEdNVApFVGFnOiAiMTdkOS01ZTA3ZThkZGI0NTA4LWd6aXAiCkFjY2VwdC1SYW5nZXM6IGJ5dGVzClZhcnk6IEFjY2VwdC1FbmNvZGluZwpDb250ZW50LUVuY29kaW5nOiBnemlwCkNvbnRlbnQtTGVuZ3RoOiAyNDg1CktlZXAtQWxpdmU6IHRpbWVvdXQ9NSwgbWF4PTEwMApDb25uZWN0aW9uOiBLZWVwLUFsaXZlCkNvbnRlbnQtVHlwZTogdGV4dC9odG1sCgp0ZXN0Cg==\",\"packet\":\"CAAnjitsCAAnk+hwCABFAAAoBRhAAD8GMWkKAQHewKg4yABQwow7Z24SQI3k4FAQAfUWzAAA\",\"type\":\"suricata\",\"community_id\":\"1:dGVzdAo=\",\"app_proto\":\"http\",\"src_ip\":\"9.8.7.6\",\"dest_port\":49804,\"alert\":{\"action\":\"allowed\",\"rev\":2,\"signature\":\"ETPRO INFO Observed Suspicious Base64 Encoded Wide String Inbound (exe)\",\"category\":\"Potentially Bad Traffic\",\"gid\":1,\"metadata\":{\"updated_at\":[\"2020_11_17\"],\"created_at\":[\"2020_04_13\"],\"former_category\":[\"HUNTING\"],\"signature_severity\":[\"Informational\"],\"attack_target\":[\"Client_Endpoint\"],\"deployment\":[\"Perimeter\"],\"affected_product\":[\"Windows_XP_Vista_7_8_10_Server_32_64_Bit\"]},\"signature_id\":2841990,\"severity\":2},\"flow\":{\"pkts_toserver\":5,\"bytes_toserver\":798,\"start\":\"2022-06-03T14:59:08.750205+0000\",\"pkts_toclient\":4,\"bytes_toclient\":3052},\"files\":[{\"filename\":\"/exploit.html\",\"state\":\"CLOSED\",\"tx_id\":0,\"sid\":[1100029],\"magic\":\"HTML document, ASCII text, with very long lines\",\"gaps\":false,\"md5\":\"16e3fcee85f81ec9e9c75dd13fb08c01\",\"sha256\":\"2c36fbcbac3e57df410f6613180fe572015adba62d0f1bd98c13a1535d64703c\",\"size\":6105,\"stored\":false}],\"proto\":\"TCP\",\"stream\":1,\"host\":\"network.internal\",\"http\":{\"protocol\":\"HTTP/1.1\",\"hostname\":\"www.xmlformats.com\",\"http_content_type\":\"text/html\",\"length\":2485,\"http_user_agent\":\"Mozilla/4.0 (compatible; ms-office; MSOffice 16)\",\"http_method\":\"GET\",\"url\":\"/exploit.html\",\"status\":200},\"timestamp_detected\":\"2022-06-03T14:59:08.780Z\",\"ether\":{\"src_mac\":\"08:00:27:8e:2b:6c\",\"dest_mac\":\"08:00:27:93:e8:70\"},\"src_port\":80,\"flow_id\":1686930575880829,\"payload_printable\":\"HTTP/1.1 200 OK\\r\\nDate: Thu, 02 Jun 2022 22:37:22 GMT\\r\\nServer: Apache/2.4.41 (Ubuntu)\\r\\nLast-Modified: Thu, 02 Jun 2022 22:30:34 GMT\\r\\nETag: \\\"17d9-5e07e8ddb4508-gzip\\\"\\r\\nAccept-Ranges: bytes\\r\\nVary: Accept-Encoding\\r\\nContent-Encoding: gzip\\r\\nContent-Length: 2485\\r\\nKeep-Alive: timeout=5, max=100\\r\\nConnection: Keep-Alive\\r\\nContent-Type: text/html\\r\\n\\r\\n...........Xko........\\n.F&.$VS..]pmYRa.Vd9q.(.........gW......#7....G....s.=.RO.....q..&n.....0.k...|{D.....!6.....V&nB.6.oVap......}7........l..>..{>{..~k.n..f.5]o.....X..k._G....U.....|...\\\\.a.m.f......._.!...c.8.Z..n.0........i..`.:..c[.a..;......_.........gv}.L.1V.G.......o.2,}..C~..w.(,...[..at+..8.~..'.mh1a..y......hVc0.n.iB.en.Z..O.]...l.b..2.b..{|i|._+...o].3}..Wd....3\\\"...!:.............C./.Z.....\\rP$S,.t<Y..m.E.]5Y-...Sx.A..1...[W.@.......kKlb...m.3..n./......c...\\n..@y0.....5.........$ .#..|\\r.......;.w}....`.)..u....U^.....lD...D.#...&...jaT.........@@..Lf..6l.z........p>.s.k..!..r..UI..g...ji^V...,.k..0i...}.!.=.......2.%.@..=u........{'Y@.k.8!.*`... ..c..z.j.u.D.....*......G.ng.U.....@.3U......\\n...$/..!.c.....T..S..tr.$...h......$(....&R...i.U#PL.J{...\\n!E.-9,w.....$%Xh9.U!...6...S`b...C>.i.cW......H...It\\n...B......q.IR....\\n..P&....i.d... .07.]U$tD.R...J4............^....tIT....UaD....g..k.b.......\\rm.VcK....p:....P.Dj...\\nD*0u*..b..(..P...\\\\S..Q*VT'......m.............7B..D./\\\"...gX..\\\".9W....I.=.9......T.%.U....J{b.l.\\r..Q.X.t9U.i)......R.i..V.g.5c..^.,.....&=r..p0SX..E...S5hsSJt..J...'}#8.........R.H.D.(i.TW...^.&..>@v..+sX\\ra..],>I.!%.`l`..,vDvL.....vDwM....,.I.-[3IP.I..GMi.I.MYa..'Z$U]r...... j3CE).NM!.@.!a......T.S.77....k&...P.........8...$..:.A.....+A........a......Mm..*..\\\\..zZ\\\"\\n...D.I.e.....r..9..JD..8.u`vd{..=.)Y.9...\\\\A'.}J...'.A?....)...........U....M5.`....J.&..e.D....N{1.s...d....cZE....\\nG)..8.nq)..G..`..@.T.rgB..B.9>7.@.\\\\&#'EUT...;Xt?...P.%W'.,@(\\r.+Y...4.y~.{d.&xn\\\"...../].....k.m.ZK`..M.lr.....VK.\\\"z&.R+.V.<-..U.\\\"...IU.h%/9....y....T)].f..._.I.X0K.k...|-t...\\\\.d#7.A..J..I.L.H7:.r..%].Ti......(....V-i....2...:...`J...\\\"S\\\"..?I.......w..E....Q.......B.l$.T.E....-......k.u........BQ.#.Tn@.C..x.7.K/...M...},..-L.......~..E.@..o.7.. .!.t....._q.....\\\\........H...Y...MA...`U.8..O..z.J.l#91..\\\".+...Vi..v..k......%.k...0i..u.T.O#A.[j.M...*G*W..s.......V..+.%.......t:..&<....Uz..2.....{....\\\\.{a.H.-.D.QC..]|>3..t5.........9.._n.U..1Ly.....(v.Fm...agn..zs.s=0..........;..U..\\n.........bs...[={.A....oG...7.../.}...yz.>......7......B;.....m\\r.../....F!../O./.n...~~..u$.~....hz..e..n.@(.=.Ui.../.\\\\_-F{..........W....~...g}......W........uWvm..ve1~n...vo_<.....=.......}e.v..gOl.^D{vJ..k_........>......y|.........k.=..W.?}.s.../^......=.4.#=.~..l?.}.}k._.....K>...k....._...:...N........`}C......w.................:.wW...Z.....~.....}.._..%?.W8.....$.R..y...............sCq.....y.....)^e....gS^<z..G...|.G....\\n)p,.|...v7.............LMY._.o.......y.......\",\"packet_info\":{\"linktype\":1},\"in_iface\":\"monvirt\",\"dest_ip\":\"1.2.3.4\",\"timestamp_analyzed\":\"2022-06-03T14:59:41.373Z\",\"gcap\":\"gcap-sekoia.gatewatcher.com\",\"tx_id\":0,\"uuid\":\"525084c9-9a40-4dc9-81fb-27d5efe6b965\",\"severity\":2}",
    "event": {
        "category": [
            "network"
        ],
        "type": [
            "info"
        ],
        "severity": 2,
        "kind": "alert",
        "action": "allowed"
    },
    "@timestamp": "2022-06-03T14:59:41.373000Z",
    "source": {
        "ip": "9.8.7.6",
        "port": 80,
        "bytes": 798,
        "packets": 5,
        "address": "9.8.7.6"
    },
    "destination": {
        "ip": "1.2.3.4",
        "port": 49804,
        "bytes": 3052,
        "packets": 4,
        "address": "1.2.3.4"
    },
    "observer": {
        "name": "gcap-sekoia.gatewatcher.com",
        "version": "0.2",
        "hostname": "network.internal",
        "type": "firewall",
        "mac": [
            "08:00:27:8e:2b:6c",
            "08:00:27:93:e8:70"
        ]
    },
    "network": {
        "transport": "TCP",
        "protocol": "http"
    },
    "gatewatcher": {
        "type": "suricata",
        "gcenter": [
            "gcenter-sekoia.gatewatcher.com",
            "gcenter-sekoia.gatewatcher.com"
        ],
        "gcap": "gcap-sekoia.gatewatcher.com",
        "flow_id": "1686930575880829",
        "timestamp_analyzed": "2022-06-03T14:59:41.373Z",
        "timestamp_detected": "2022-06-03T14:59:08.780Z",
        "event_type": "alert"
    },
    "url": {
        "path": "/exploit.html",
        "domain": "www.xmlformats.com",
        "top_level_domain": "com",
        "subdomain": "www",
        "registered_domain": "xmlformats.com"
    },
    "http": {
        "request": {
            "method": "GET"
        },
        "response": {
            "status_code": 200
        }
    },
    "user_agent": {
        "original": "Mozilla/4.0 (compatible; ms-office; MSOffice 16)"
    },
    "rule": {
        "name": "ETPRO INFO Observed Suspicious Base64 Encoded Wide String Inbound (exe)",
        "id": "2841990",
        "category": "Potentially Bad Traffic"
    },
    "related": {
        "hosts": [
            "network.internal"
        ],
        "ip": [
            "1.2.3.4",
            "9.8.7.6"
        ]
    }
}
{
    "message": "{\"@timestamp\":\"2022-06-03T14:59:41.374Z\",\"gcenter\":[\"gcenter-sekoia.gatewatcher.com\",\"gcenter-sekoia.gatewatcher.com\"],\"event_type\":\"fileinfo\",\"http\":{\"protocol\":\"HTTP/1.1\",\"hostname\":\"www.xmlformats.com\",\"http_content_type\":\"text/html\",\"length\":2485,\"http_user_agent\":\"Mozilla/4.0 (compatible; ms-office; MSOffice 16)\",\"http_method\":\"GET\",\"url\":\"/exploit.html\",\"status\":200},\"host\":\"gcap-sekoia.gatewatcher.com\",\"type\":\"suricata\",\"timestamp_detected\":\"2022-06-03T14:59:08.780Z\",\"fileinfo\":{\"tx_id\":0,\"magic\":\"HTML document, ASCII text, with very long lines\",\"gaps\":false,\"md5\":\"16e3fcee85f81ec9e9c75dd13fb08c01\",\"sha256\":\"2c36fbcbac3e57df410f6613180fe572015adba62d0f1bd98c13a1535d64703c\",\"file_id\":1,\"sid\":[1100029],\"state\":\"CLOSED\",\"size\":6105,\"stored\":true,\"filename\":\"/exploit.html\"},\"src_port\":80,\"flow_id\":1686930575880829,\"app_proto\":\"http\",\"in_iface\":\"monvirt\",\"src_ip\":\"9.8.7.6\",\"dest_port\":49804,\"dest_ip\":\"1.2.3.4\",\"timestamp_analyzed\":\"2022-06-03T14:59:41.374Z\",\"gcap\":\"gcap-sekoia.gatewatcher.com\",\"uuid\":\"a2d71147-3283-4136-9dc1-df9beaffd301\",\"proto\":\"TCP\"}",
    "event": {
        "category": [
            "network"
        ],
        "type": [
            "info"
        ],
        "kind": "event"
    },
    "@timestamp": "2022-06-03T14:59:41.374000Z",
    "source": {
        "ip": "9.8.7.6",
        "port": 80,
        "address": "9.8.7.6"
    },
    "destination": {
        "ip": "1.2.3.4",
        "port": 49804,
        "address": "1.2.3.4"
    },
    "observer": {
        "name": "gcap-sekoia.gatewatcher.com",
        "version": "0.2",
        "hostname": "gcap-sekoia.gatewatcher.com",
        "type": "firewall"
    },
    "network": {
        "transport": "TCP",
        "protocol": "http"
    },
    "gatewatcher": {
        "type": "suricata",
        "gcenter": [
            "gcenter-sekoia.gatewatcher.com",
            "gcenter-sekoia.gatewatcher.com"
        ],
        "gcap": "gcap-sekoia.gatewatcher.com",
        "flow_id": "1686930575880829",
        "timestamp_analyzed": "2022-06-03T14:59:41.374Z",
        "timestamp_detected": "2022-06-03T14:59:08.780Z",
        "event_type": "fileinfo"
    },
    "url": {
        "path": "/exploit.html",
        "domain": "www.xmlformats.com",
        "top_level_domain": "com",
        "subdomain": "www",
        "registered_domain": "xmlformats.com"
    },
    "http": {
        "request": {
            "method": "GET"
        },
        "response": {
            "status_code": 200
        }
    },
    "user_agent": {
        "original": "Mozilla/4.0 (compatible; ms-office; MSOffice 16)"
    },
    "file": {
        "name": "/exploit.html",
        "size": 6105,
        "hash": {
            "md5": "16e3fcee85f81ec9e9c75dd13fb08c01",
            "sha256": "2c36fbcbac3e57df410f6613180fe572015adba62d0f1bd98c13a1535d64703c"
        }
    },
    "related": {
        "hash": [
            "16e3fcee85f81ec9e9c75dd13fb08c01",
            "2c36fbcbac3e57df410f6613180fe572015adba62d0f1bd98c13a1535d64703c"
        ],
        "hosts": [
            "gcap-sekoia.gatewatcher.com"
        ],
        "ip": [
            "1.2.3.4",
            "9.8.7.6"
        ]
    }
}
{
    "message": "{\"@timestamp\":\"2022-06-03T14:59:41.378Z\",\"gcenter\":[\"gcenter-sekoia.gatewatcher.com\",\"gcenter-sekoia.gatewatcher.com\"],\"event_type\":\"http\",\"type\":\"suricata\",\"community_id\":\"1:dGVzdAo=\",\"src_ip\":\"9.8.7.6\",\"dest_port\":80,\"proto\":\"TCP\",\"http\":{\"content_type\":\"text/html\",\"hostname\":\"www.xmlformats.com\",\"http_content_type\":\"text/html\",\"connection\":\"Keep-Alive\",\"authorization\":\"Bearer\",\"length\":0,\"server\":\"Apache/2.4.41 (Ubuntu)\",\"url\":\"/exploit.html\",\"http_user_agent\":\"Microsoft Office Existence Discovery\",\"date\":\"Thu, 02 Jun 2022 22:37:22 GMT\",\"protocol\":\"HTTP/1.1\",\"http_parsed_user_agent\":{\"os_name\":\"Other\",\"os_full\":\"Other\",\"name\":\"Other\",\"device\":\"Other\",\"os\":\"Other\"},\"content_length\":\"6105\",\"last_modified\":\"Thu, 02 Jun 2022 22:30:34 GMT\",\"vary\":\"Accept-Encoding\",\"http_method\":\"HEAD\",\"status\":200},\"host\":\"gcap-sekoia.gatewatcher.com\",\"timestamp_detected\":\"2022-06-03T14:59:08.833Z\",\"ether\":{\"src_mac\":\"00:17:a4:77:09:20\",\"dest_mac\":\"a0:36:9f:0f:b1:70\"},\"src_port\":49804,\"flow_id\":1686930575880829,\"in_iface\":\"monvirt\",\"dest_ip\":\"1.2.3.4\",\"timestamp_analyzed\":\"2022-06-03T14:59:41.378Z\",\"metadata\":{\"flowbits\":[\"Office.UA\"]},\"gcap\":\"gcap-sekoia.gatewatcher.com\",\"tx_id\":4,\"uuid\":\"4f1bd378-9439-4c1c-ab1d-4b3ba6c22b87\"}",
    "event": {
        "category": [
            "network"
        ],
        "type": [
            "info"
        ],
        "kind": "event"
    },
    "@timestamp": "2022-06-03T14:59:41.378000Z",
    "source": {
        "ip": "9.8.7.6",
        "port": 49804,
        "address": "9.8.7.6"
    },
    "destination": {
        "ip": "1.2.3.4",
        "port": 80,
        "address": "1.2.3.4"
    },
    "observer": {
        "name": "gcap-sekoia.gatewatcher.com",
        "version": "0.2",
        "hostname": "gcap-sekoia.gatewatcher.com",
        "type": "firewall",
        "mac": [
            "00:17:a4:77:09:20",
            "a0:36:9f:0f:b1:70"
        ]
    },
    "network": {
        "transport": "TCP"
    },
    "gatewatcher": {
        "type": "suricata",
        "gcenter": [
            "gcenter-sekoia.gatewatcher.com",
            "gcenter-sekoia.gatewatcher.com"
        ],
        "gcap": "gcap-sekoia.gatewatcher.com",
        "flow_id": "1686930575880829",
        "timestamp_analyzed": "2022-06-03T14:59:41.378Z",
        "timestamp_detected": "2022-06-03T14:59:08.833Z",
        "event_type": "http"
    },
    "url": {
        "path": "/exploit.html",
        "domain": "www.xmlformats.com",
        "top_level_domain": "com",
        "subdomain": "www",
        "registered_domain": "xmlformats.com"
    },
    "http": {
        "request": {
            "method": "HEAD"
        },
        "response": {
            "status_code": 200
        }
    },
    "user_agent": {
        "original": "Microsoft Office Existence Discovery"
    },
    "related": {
        "hosts": [
            "gcap-sekoia.gatewatcher.com"
        ],
        "ip": [
            "1.2.3.4",
            "9.8.7.6"
        ]
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name Type Description
@timestamp date Date/time when the event originated.
destination.bytes long Bytes sent from the destination to the source.
destination.ip ip IP address of the destination.
destination.packets long Packets sent from the destination to the source.
destination.port long Port of the destination.
dns.id keyword The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
dns.question.name keyword The name being queried.
dns.question.type keyword The type of record being queried.
dns.type keyword The type of DNS event captured, query or answer.
event.action keyword The action captured by the event.
event.category keyword Event category. The second categorization field in the hierarchy.
event.severity long Numeric severity of the event.
event.type keyword Event type. The third categorization field in the hierarchy.
file.hash.md5 keyword MD5 hash.
file.hash.sha256 keyword SHA256 hash.
file.name keyword Name of the file including the extension, without the directory.
file.size long File size in bytes.
gatewatcher.event_type keyword Type of event
gatewatcher.flow_id keyword Identifier of the flow
gatewatcher.gcap keyword Name of the gcap
gatewatcher.gcenter keyword Name of the associated gcenter
gatewatcher.malcore.code keyword Return code of the malcore analysis
gatewatcher.malcore.detail_threat_found keyword Type of the detected threat
gatewatcher.malcore.file keyword Identifier of the file
gatewatcher.malcore.magic keyword The magic number of the executable of the malware
gatewatcher.malcore.replica keyword Analysis is a replica of another previous one
gatewatcher.nb_rescans long Number of retroact analysis
gatewatcher.reporting_token keyword Token used by Gbox
gatewatcher.retroact keyword Analysis result per retroact
gatewatcher.state keyword Analysis result
gatewatcher.timestamp_analyzed keyword Timestamp of the alert processing by gcenter
gatewatcher.timestamp_detected keyword Timestamp of the file collection by gcap
gatewatcher.type keyword Type of analysis
http.request.method keyword HTTP request method.
http.response.status_code long HTTP response status code.
http.version keyword HTTP version.
network.protocol keyword Application protocol name.
network.transport keyword Protocol Name corresponding to the field iana_number.
observer.hostname keyword Hostname of the observer.
observer.mac keyword MAC addresses of the observer.
observer.name keyword Custom name of the observer.
observer.type keyword The type of the observer the data is coming from.
observer.version keyword Observer version.
rule.category keyword Rule category
rule.id keyword Rule ID
rule.name keyword Rule name
rule.version keyword Rule version
source.bytes long Bytes sent from the source to the destination.
source.ip ip IP address of the source.
source.packets long Packets sent from the source to the destination.
source.port long Port of the source.
url.domain keyword Domain of the url.
url.path wildcard Path of the request, such as "/search".
user_agent.original keyword Unparsed user_agent string.

Configure

Prerequisites

An internal log concentrator (Rsyslog) is required to collect and forward events to SEKOIA.IO.

Enable Syslog forwarding

Log on your GCenter and follow this guide to enable syslog forwarding. Set the hostname to your log concentrator and the port number to 514. Select json as the codec, 5424 as RFC and tcp as the protocol.

Create the intake

Go to the intake page and create a new intake from the format Gatewatcher AionIQ.

Transport to SEKOIA.IO

Please consult the Rsyslog Transport documentation to forward these logs to SEKOIA.IO.

Further Readings