ECS test document
{ | |
"@timestamp": "2021-01-13T10:13:08.000Z", | |
"agent": { | |
"build": { | |
"original": "metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]" | |
}, | |
"ephemeral_id": "1bee52ec-b713-415e-9d9b-32c5217f9796", | |
"id": "83d8d392-d20c-40ef-a257-bf9cf314d1db", | |
"name": "docker-fleet-agent", | |
"type": "filebeat", | |
"version": "8.0.0" | |
}, | |
"client": { | |
"address": "89.160.20.156", | |
"as": { | |
"number": 29518, | |
"organization": { | |
"name": "Bredband2 AB" | |
} | |
}, | |
"bytes": 23, | |
"domain": "d111111abcdef8.cloudfront.net", | |
"geo": { | |
"city_name": "Linköping", | |
"continent_code": "NA", | |
"name": "custom-name", | |
"postal_code": "12354", | |
"timezone": "America/Argentina/Buenos_Aires", | |
"continent_name": "Europe", | |
"country_iso_code": "SE", | |
"country_name": "Sweden", | |
"location": { | |
"lat": 58.4167, | |
"lon": 15.6167 | |
}, | |
"region_iso_code": "SE-E", | |
"region_name": "Östergötland County" | |
}, | |
"ip": "192.168.0.2", | |
"mac": [ | |
"02:42:ac:1b:00:07" | |
], | |
"nat": { | |
"ip": "10.0.0.2", | |
"port": 3389 | |
}, | |
"packets": 54, | |
"port": 54, | |
"registered_domain": "d111111abcdef8.cloudfront.net", | |
"subdomain": "d111111abcdef8", | |
"top_level_domain": "d111111abcdef8", | |
"user": { | |
"domain": "TEST", | |
"email": "test@test.com", | |
"full_name": "somename", | |
"hash": "12354dfsngdftbsvesawcd", | |
"id": "S-1-5-21-1717121054-434620538-60925301-2794", | |
"name": "at_adm", | |
"roles": [ | |
"role1", | |
"role2" | |
], | |
"group": { | |
"name": "test-name", | |
"domain": "test.domain", | |
"id": "test-id" | |
} | |
} | |
}, | |
"cloud": { | |
"account": { | |
"id": "428152502467", | |
"name": "elastic-beats" | |
}, | |
"availability_zone": "us-east-1c", | |
"instance": { | |
"id": "i-1234567890abcdef0", | |
"name": "instance-name" | |
}, | |
"machine": { | |
"type": "t2.medium" | |
}, | |
"origin": { | |
"account": { | |
"id": "428152502467", | |
"name": "elastic-beats" | |
}, | |
"availability_zone": "us-east-1c", | |
"instance": { | |
"id": "i-1234567890abcdef0", | |
"name": "instance-name" | |
}, | |
"machine": { | |
"type": "t2.medium" | |
}, | |
"project": { | |
"id": "my-project", | |
"name": "project-name" | |
}, | |
"provider": "aws", | |
"region": "us-east-1", | |
"service": { | |
"name": "service-name" | |
} | |
}, | |
"project": { | |
"id": "my-project", | |
"name": "project-name" | |
}, | |
"provider": "aws", | |
"region": "us-east-1", | |
"service": { | |
"name": "service-name" | |
}, | |
"target": { | |
"account": { | |
"id": "428152502467", | |
"name": "elastic-beats" | |
}, | |
"availability_zone": "us-east-1c", | |
"instance": { | |
"id": "i-1234567890abcdef0", | |
"name": "instance-name" | |
}, | |
"machine": { | |
"type": "t2.medium" | |
}, | |
"project": { | |
"id": "my-project", | |
"name": "project-name" | |
}, | |
"provider": "aws", | |
"region": "us-east-1", | |
"service": { | |
"name": "service-name" | |
} | |
} | |
}, | |
"container": { | |
"cpu": { | |
"usage": 0.08265027322397175 | |
}, | |
"disk": { | |
"read": { | |
"bytes": 123 | |
}, | |
"write": { | |
"bytes": 123 | |
} | |
}, | |
"id": "7f3ca1f1b2b310362e90f700d2b2e52ebd46ef6ddf10c0704f22b25686c466ab", | |
"image": { | |
"name": "metricbeat_beat", | |
"hash": { | |
"all": "[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26]" | |
}, | |
"tag": [ | |
"tag1", | |
"tag2" | |
] | |
}, | |
"labels": { | |
"com_docker_compose_config-hash": "e3e0a2c6e5d1afb741bc8b1ecb09cda0395886b7a3e5084a9fd110be46d70f78", | |
"com_docker_compose_container-number": "1" | |
}, | |
"memory": { | |
"usage": 0.08265027322397175 | |
}, | |
"name": "metricbeat_beat_run_8ba23fa682a6", | |
"network": { | |
"egress": { | |
"bytes": 123 | |
}, | |
"ingress": { | |
"bytes": 123 | |
} | |
}, | |
"runtime": "docker" | |
}, | |
"data_stream": { | |
"dataset": "elasticsearch.stack_monitoring.cluster_stats", | |
"namespace": "ep", | |
"type": "metrics" | |
}, | |
"destination": { | |
"address": "89.160.20.156", | |
"bytes": 23, | |
"domain": "d111111abcdef8.cloudfront.net", | |
"ip": "192.168.0.2", | |
"mac": [ | |
"02:42:ac:1b:00:07" | |
], | |
"nat": { | |
"ip": "10.0.0.2", | |
"port": 3389 | |
}, | |
"packets": 54, | |
"port": 54, | |
"registered_domain": "d111111abcdef8.cloudfront.net", | |
"subdomain": "d111111abcdef8", | |
"top_level_domain": "d111111abcdef8", | |
"geo": { | |
"city_name": "Linköping", | |
"continent_code": "NA", | |
"name": "custom-name", | |
"postal_code": "12354", | |
"timezone": "America/Argentina/Buenos_Aires", | |
"continent_name": "Europe", | |
"country_iso_code": "SE", | |
"country_name": "Sweden", | |
"location": { | |
"lat": 58.4167, | |
"lon": 15.6167 | |
}, | |
"region_iso_code": "SE-E", | |
"region_name": "Östergötland County" | |
}, | |
"as": { | |
"number": 29518, | |
"organization": { | |
"name": "Bredband2 AB" | |
} | |
}, | |
"user": { | |
"domain": "TEST", | |
"email": "test@test.com", | |
"full_name": "somename", | |
"hash": "12354dfsngdftbsvesawcd", | |
"id": "S-1-5-21-1717121054-434620538-60925301-2794", | |
"name": "at_adm", | |
"roles": [ | |
"role1", | |
"role2" | |
], | |
"group": { | |
"name": "test-name", | |
"domain": "test.domain", | |
"id": "test-id" | |
} | |
} | |
}, | |
"device": { | |
"id": "deviceid", | |
"manufacturer": "device manufacturer", | |
"model": { | |
"identifier": "device-identifier", | |
"name": "device-ident-name" | |
} | |
}, | |
"dll": { | |
"code_signature": { | |
"digest_algorithm": "sha256", | |
"exists": true, | |
"signing_id": "com.apple.xpc.proxy", | |
"status": "N/A", | |
"subject_name": "Microsoft", | |
"team_id": "EQHXZ8M8AV", | |
"timestamp": "2021-01-01T12:10:30Z", | |
"trusted": true, | |
"valid": true | |
}, | |
"hash": { | |
"md5": "somemd5hash", | |
"sha1": "somesha1hash", | |
"sha256": "somesha256hash", | |
"sha384": "somesha384hash", | |
"sha512": "somesha512hash", | |
"ssdeep": "somessdeephash", | |
"tlsh": "sometlshhash" | |
}, | |
"name": "dllname", | |
"path": "C:\\Windows\\System32\\kernel32.dll", | |
"pe": { | |
"company": "Microsoft Corporation", | |
"description": "Notepad", | |
"file_version": "10.0.17763.475 (WinBuild.160101.0800)", | |
"go_import_hash": "10bddcb4cee42080f76c88d9ff964491", | |
"go_imports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"go_imports_names_entropy": 123, | |
"go_imports_names_var_entropy": 123, | |
"go_stripped": true, | |
"imphash": "0c6803c4e922103c4dca5963aad36ddf", | |
"import_hash": "d41d8cd98f00b204e9800998ecf8427e", | |
"imports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"imports_names_entropy": 123, | |
"imports_names_var_entropy": 123, | |
"original_file_name": "NOTEPAD.EXE", | |
"product": "Microsoft® Windows® Operating System", | |
"architecture": "x86", | |
"pehash": "73ff189b63cd6be375a7ff25179a38d347651975", | |
"sections": [{ | |
"entropy": 100, | |
"name": "sectionname", | |
"physical_size": 123, | |
"var_entropy": 123 | |
}] | |
} | |
}, | |
"dns": { | |
"answers": [{ | |
"data": "203.0.113.9", | |
"type": "PTR", | |
"class": "IN", | |
"name": "dnsanswername", | |
"ttl": 123 | |
}], | |
"header_flags": [ | |
"RD", | |
"RA" | |
], | |
"id": "62111", | |
"op_code": "QUERY", | |
"question": { | |
"class": "IN", | |
"name": "www.sub.test.com", | |
"registered_domain": "test.com", | |
"subdomain": "sub", | |
"top_level_domain": "com", | |
"type": "AAAA" | |
}, | |
"resolved_ip": [ | |
"10.10.10.10", | |
"192.168.1.1" | |
], | |
"response_code": "NOERROR", | |
"type": "answer" | |
}, | |
"ecs": { | |
"version": "8.0.0" | |
}, | |
"email": { | |
"attachments": [{ | |
"file": { | |
"extension": "txt", | |
"hash": { | |
"md5": "somemd5hash", | |
"sha1": "somesha1hash", | |
"sha256": "somesha256hash", | |
"sha384": "somesha384hash", | |
"sha512": "somesha512hash", | |
"ssdeep": "somessdeephash", | |
"tlsh": "sometlshhash" | |
}, | |
"mime_type": "text/plain", | |
"name": "attachment.txt", | |
"size": 123543 | |
} | |
}], | |
"bcc": { | |
"address": [ | |
"test@example.com", | |
"test@example2.com" | |
] | |
}, | |
"cc": { | |
"address": [ | |
"test@example.com", | |
"test@example2.com" | |
] | |
}, | |
"content_type": "text/plain", | |
"delivery_timestamp": "2020-11-10T22:12:34.8196921Z", | |
"direction": "inbound", | |
"from": { | |
"address": [ | |
"test@example.com", | |
"test@example2.com" | |
] | |
}, | |
"local_id": "c26dbea0-80d5-463b-b93c-4e8b708219ce", | |
"message_id": "81ce15$8r2j59@mail01.example.com", | |
"origination_timestamp": "2020-11-10T22:12:34.8196921Z", | |
"reply_to": { | |
"address": [ | |
"test@example.com", | |
"test@example2.com" | |
] | |
}, | |
"sender": { | |
"address": "senderaddr@example.com" | |
}, | |
"subject": "emailsubject", | |
"to": { | |
"address": [ | |
"test@example.com", | |
"test@example2.com" | |
] | |
}, | |
"x_mailer": "Spambot v2.5" | |
}, | |
"error": { | |
"id": "1235", | |
"message": "errormessage", | |
"stack_trace": "stacktracetxt", | |
"type": "java.lang.NullPointerException" | |
}, | |
"event": { | |
"action": "pwd-change", | |
"agent_id_status": "verified", | |
"category": [ | |
"authentication" | |
], | |
"code": "1235", | |
"created": "2016-05-23T08:05:34.857Z", | |
"dataset": "apache.access", | |
"duration": 123, | |
"end": "2016-05-23T08:05:34.857Z", | |
"hash": "123456789012345678901234567890ABCD", | |
"id": "1235", | |
"ingested": "2016-05-23T08:05:34.857Z", | |
"kind": "event", | |
"module": "apache", | |
"original": "Sep 19 08:26:10 host CEF:0|Security|", | |
"outcome": "success", | |
"provider": "kernel", | |
"reason": "killed process", | |
"reference": "https://system.example.com/event/#0001234", | |
"risk_score": 12.12, | |
"risk_score_norm": 12.12, | |
"sequence": 12, | |
"severity": 3, | |
"start": "2016-05-23T08:05:34.857Z", | |
"timezone": "Europe/Amsterdam", | |
"type": [ | |
"info", | |
"user" | |
], | |
"url": "https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe" | |
}, | |
"faas": { | |
"coldstart": true, | |
"execution": "af9d5aa4-a685-4c5f-a22b-444f80b3cc28", | |
"id": "arn:aws:lambda:us-west-2:123456789012:function:my-function", | |
"name": "my-function", | |
"trigger": [{ | |
"request_id": "1231123", | |
"type": "http" | |
}], | |
"version": "123" | |
}, | |
"file": { | |
"accessed": "2021-01-13T10:13:08.000Z", | |
"attributes": [ | |
"readonly", | |
"system" | |
], | |
"code_signature": { | |
"digest_algorithm": "sha256", | |
"exists": true, | |
"signing_id": "com.apple.xpc.proxy", | |
"status": "N/A", | |
"subject_name": "Microsoft", | |
"team_id": "EQHXZ8M8AV", | |
"timestamp": "2021-01-01T12:10:30Z", | |
"trusted": true, | |
"valid": true | |
}, | |
"created": "2021-01-13T10:13:08.000Z", | |
"ctime": "2021-01-13T10:13:08.000Z", | |
"device": "sda", | |
"directory": "/home/test", | |
"drive_letter": "C", | |
"elf": { | |
"architecture": "x86-64", | |
"byte_order": "Little Endian", | |
"cpu_type": "Intel", | |
"creation_date": "2021-01-13T10:13:08.000Z", | |
"exports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"go_import_hash": "10bddcb4cee42080f76c88d9ff964491", | |
"go_imports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"go_imports_names_entropy": 123, | |
"go_imports_names_var_entropy": 123, | |
"go_stripped": true, | |
"header": { | |
"abi_version": "versionname", | |
"class": "headerclass", | |
"data": "elfheaderdata", | |
"entrypoint": 123, | |
"object_version": "headerobjversion", | |
"os_abi": "osabi", | |
"type": "headertype", | |
"version": "headerversion", | |
"import_hash": "d41d8cd98f00b204e9800998ecf8427e" | |
}, | |
"imports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"imports_names_entropy": 123, | |
"imports_names_var_entropy": 123, | |
"sections": [{ | |
"chi2": 100, | |
"entropy": 123, | |
"flags": "sectionsflag", | |
"name": "sectioname", | |
"physical_offset": "physoffset", | |
"physical_size": 123, | |
"type": "sectionstype", | |
"var_entropy": 123, | |
"virtual_address": 123, | |
"virtual_size": 123 | |
}], | |
"segments": [{ | |
"sections": "elfsegments", | |
"type": "elftype" | |
}], | |
"shared_libraries": [ | |
"lib1", | |
"lib2" | |
], | |
"telfhash": "telfhash" | |
}, | |
"extension": "png", | |
"fork_name": "Zone.Identifer", | |
"gid": "1001", | |
"group": "filegroup", | |
"hash": { | |
"md5": "somemd5hash", | |
"sha1": "somesha1hash", | |
"sha256": "somesha256hash", | |
"sha384": "somesha384hash", | |
"sha512": "somesha512hash", | |
"ssdeep": "somessdeephash", | |
"tlsh": "sometlshhash" | |
}, | |
"inode": "123123", | |
"macho": { | |
"go_import_hash": "10bddcb4cee42080f76c88d9ff964491", | |
"go_imports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"go_imports_names_entropy": 123, | |
"go_imports_names_var_entropy": 123, | |
"go_stripped": true, | |
"import_hash": "d41d8cd98f00b204e9800998ecf8427e", | |
"imports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"imports_names_entropy": 123, | |
"imports_names_var_entropy": 123, | |
"sections": [{ | |
"entropy": 100, | |
"name": "sectionname", | |
"physical_size": 123, | |
"var_entropy": 123, | |
"virtual_size": 123 | |
}], | |
"symhash": "d3ccf195b62a9279c3c19af1080497ec" | |
}, | |
"mime_type": "text/plain", | |
"mode": "0444", | |
"mtime": "2021-01-13T10:13:08.000Z", | |
"name": "file.png", | |
"owner": "testuser", | |
"path": "C:\\Windows\\System32\\kernel32.dll", | |
"pe": { | |
"company": "Microsoft Corporation", | |
"description": "Notepad", | |
"file_version": "10.0.17763.475 (WinBuild.160101.0800)", | |
"original_file_name": "NOTEPAD.EXE", | |
"product": "Microsoft® Windows® Operating System", | |
"architecture": "x86", | |
"imphash": "0c6803c4e922103c4dca5963aad36ddf", | |
"import_hash": "d41d8cd98f00b204e9800998ecf8427e", | |
"imports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"imports_names_entropy": 123, | |
"imports_names_var_entropy": 123, | |
"pehash": "73ff189b63cd6be375a7ff25179a38d347651975", | |
"go_import_hash": "10bddcb4cee42080f76c88d9ff964491", | |
"go_imports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"go_imports_names_entropy": 123, | |
"go_imports_names_var_entropy": 123, | |
"go_stripped": true, | |
"sections": [{ | |
"entropy": 100, | |
"name": "sectionname", | |
"physical_size": 123, | |
"var_entropy": 123, | |
"virtual_size": 123 | |
}] | |
}, | |
"size": 123, | |
"target_path": "/some/path", | |
"type": "filetype", | |
"uid": "1001", | |
"x509": { | |
"alternative_names": [ | |
"testalternativename", | |
"anothername" | |
], | |
"issuer": { | |
"common_name": "Example SHA2 High Assurance Server CA", | |
"country": [ | |
"US", | |
"NL" | |
], | |
"distinguished_name": "C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA", | |
"locality": [ | |
"Mountain View", | |
"Testlocality" | |
], | |
"organization": [ | |
"Example Inc", | |
"Elastic BV" | |
], | |
"organizational_unit": [ | |
"www.example.com", | |
"www.example.co.uk" | |
], | |
"state_or_province": [ | |
"California", | |
"Florida" | |
] | |
}, | |
"not_after": "2020-07-16T03:15:39Z", | |
"not_before": "2020-07-16T03:15:39Z", | |
"public_key_algorithm": "RSA", | |
"public_key_curve": "nistp521", | |
"public_key_exponent": 65537, | |
"public_key_size": 123, | |
"serial_number": "55FBB9C7DEBF09809D12CCAA", | |
"signature_algorithm": "SHA256-RSA", | |
"subject": { | |
"common_name": [ | |
"shared.global.example.net", | |
"test.example.com" | |
], | |
"country": [ | |
"US", | |
"NL" | |
], | |
"distinguished_name": "C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net", | |
"locality": [ | |
"Florida", | |
"Mountain View" | |
], | |
"organization": [ | |
"Example Inc", | |
"Elastic BV" | |
], | |
"organizational_unit": [ | |
"testorgunit", | |
"testanotherorgunit" | |
], | |
"state_or_province": [ | |
"California", | |
"Florida" | |
] | |
}, | |
"version_number": "3" | |
} | |
}, | |
"group": { | |
"domain": "testdomain", | |
"id": "1233", | |
"name": "groupname" | |
}, | |
"host": { | |
"architecture": "x86_64", | |
"boot": { | |
"id": "83d8d392-d20c-40ef-a257-bf9cf314d1db" | |
}, | |
"cpu": { | |
"usage": 0.08265027322397175 | |
}, | |
"disk": { | |
"read": { | |
"bytes": 123 | |
}, | |
"write": { | |
"bytes": 123 | |
} | |
}, | |
"domain": "d111111abcdef8.cloudfront.net", | |
"geo": { | |
"city_name": "Linköping", | |
"continent_code": "NA", | |
"name": "custom-name", | |
"postal_code": "12354", | |
"timezone": "America/Argentina/Buenos_Aires", | |
"continent_name": "Europe", | |
"country_iso_code": "SE", | |
"country_name": "Sweden", | |
"location": { | |
"lat": 58.4167, | |
"lon": 15.6167 | |
}, | |
"region_iso_code": "SE-E", | |
"region_name": "Östergötland County" | |
}, | |
"hostname": "testhostname", | |
"id": "deviceid", | |
"ip": [ | |
"192.168.0.2", | |
"10.10.10.10" | |
], | |
"mac": [ | |
"02:42:ac:1b:00:07" | |
], | |
"name": "hostname", | |
"network": { | |
"egress": { | |
"bytes": 123, | |
"packets": 123 | |
}, | |
"ingress": { | |
"bytes": 123, | |
"packets": 123 | |
} | |
}, | |
"os": { | |
"family": "debian", | |
"full": "Mac OS Mojave", | |
"kernel": "4.4.4-112-generic", | |
"name": "MAC OS X", | |
"platform": "darwin", | |
"type": "macos", | |
"version": "10.14.1" | |
}, | |
"pid_ns_ino": "123123", | |
"risk": { | |
"calculated_levels": "High", | |
"calculated_score": 880.73, | |
"calculated_score_norm": 88.73, | |
"static_level": "High", | |
"static_score": 830.0, | |
"static_score_norm": 83.0 | |
}, | |
"type": "t2.medium", | |
"uptime": 1234 | |
}, | |
"http": { | |
"request": { | |
"body": { | |
"bytes": 123, | |
"content": "hello world" | |
}, | |
"bytes": 123, | |
"id": "83d8d392-d20c-40ef-a257-bf9cf314d1db", | |
"method": "POST", | |
"mime_type": "image/gif", | |
"referrer": "https://example.com" | |
}, | |
"response": { | |
"body": { | |
"bytes": 123, | |
"content": "hello world" | |
}, | |
"bytes": 123, | |
"mime_type": "image/gif", | |
"status_code": 404 | |
}, | |
"version": "1.1" | |
}, | |
"labels": { | |
"field1": "value", | |
"field2": "value2" | |
}, | |
"log": { | |
"file": { | |
"path": "/var/log/fun-times.log" | |
}, | |
"level": "error", | |
"logger": "org.elasticsearch.bootstrap.Bootstrap", | |
"origin": { | |
"file": { | |
"line": 42, | |
"name": "filename" | |
}, | |
"function": "init" | |
}, | |
"syslog": { | |
"appname": "sshd", | |
"facility": { | |
"code": 123, | |
"name": "local7" | |
}, | |
"hostname": "example-host", | |
"msgid": "ID47", | |
"priority": 123, | |
"procid": "534123", | |
"severity": { | |
"code": 3, | |
"name": "Error" | |
}, | |
"structured_data": { | |
"testfield1": "asd", | |
"testfield2": "asd" | |
}, | |
"version": "1" | |
} | |
}, | |
"message": "the connection is not enabled", | |
"network": { | |
"application": "aim", | |
"bytes": 123, | |
"community_id": "1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=", | |
"direction": "inbound", | |
"forwarded_ip": "192.2.2.2", | |
"iana_number": "6", | |
"inner": { | |
"vlan": { | |
"id": "10", | |
"name": "vlanname" | |
} | |
}, | |
"name": "networkname", | |
"packets": 123, | |
"protocol": "http", | |
"transport": "tcp", | |
"type": "ipv4", | |
"vlan": { | |
"id": "10", | |
"name": "vlanname" | |
} | |
}, | |
"observer": { | |
"egress": { | |
"interface": { | |
"alias": "outside", | |
"id": "interfaceid", | |
"name": "interfacename" | |
}, | |
"vlan": { | |
"id": "10", | |
"name": "vlanname" | |
}, | |
"zone": "EgressZone" | |
}, | |
"geo": { | |
"city_name": "Linköping", | |
"continent_code": "NA", | |
"name": "custom-name", | |
"postal_code": "12354", | |
"timezone": "America/Argentina/Buenos_Aires", | |
"continent_name": "Europe", | |
"country_iso_code": "SE", | |
"country_name": "Sweden", | |
"location": { | |
"lat": 58.4167, | |
"lon": 15.6167 | |
}, | |
"region_iso_code": "SE-E", | |
"region_name": "Östergötland County" | |
}, | |
"hostname": "observerhostname", | |
"ingress": { | |
"interface": { | |
"alias": "outside", | |
"id": "interfaceid", | |
"name": "interfacename" | |
}, | |
"vlan": { | |
"id": "10", | |
"name": "vlanname" | |
}, | |
"zone": "EgressZone" | |
}, | |
"ip": [ | |
"10.0.0.2", | |
"192.1.1.1" | |
], | |
"mac": [ | |
"02:42:ac:1b:00:07" | |
], | |
"name": "observername", | |
"os": { | |
"family": "debian", | |
"full": "Mac OS Mojave", | |
"kernel": "4.4.4-112-generic", | |
"name": "MAC OS X", | |
"platform": "darwin", | |
"type": "macos", | |
"version": "10.14.1" | |
}, | |
"product": "s200", | |
"serial_number": "55FBB9C7DEBF09809D12CCAA", | |
"type": "firewall", | |
"vendor": "Checkpoint", | |
"version": "10.10" | |
}, | |
"orchestrator": { | |
"api_version": "beta1", | |
"cluster": { | |
"id": "123", | |
"name": "clustername", | |
"url": "http://clusterurl.com", | |
"version": "12.2" | |
}, | |
"namespace": "kube-system", | |
"organization": "elastic", | |
"resource": { | |
"id": "123", | |
"ip": [ | |
"10.10.10.10", | |
"192.1.1.1" | |
], | |
"name": "test-pod", | |
"parent": { | |
"type": "DaemonSet" | |
}, | |
"type": "service" | |
}, | |
"type": "kubernetes" | |
}, | |
"organization": { | |
"id": "orgid", | |
"name": "orgname" | |
}, | |
"package": { | |
"architecture": "x86-64", | |
"build_version": "36f4f7e89dd61b0988b12ee000b98966867710cd", | |
"checksum": "68b329da9893e34099c7d8ad5cb9c940", | |
"description": "some package description", | |
"install_scope": "global", | |
"installed": "2020-07-16T03:15:39Z", | |
"license": "Apache License 2.0", | |
"name": "package name", | |
"path": "/usr/local/Cellar/go/1.12.9/", | |
"reference": "https://golang.org", | |
"size": 123, | |
"type": "rpm", | |
"version": "1.12.9" | |
}, | |
"process": { | |
"args": [ | |
"/bin/ssh", | |
"user", | |
"10.10.10.2" | |
], | |
"args_count": 3, | |
"code_signature": { | |
"digest_algorithm": "sha256", | |
"exists": true, | |
"signing_id": "com.apple.xpc.proxy", | |
"status": "N/A", | |
"subject_name": "Microsoft", | |
"team_id": "EQHXZ8M8AV", | |
"timestamp": "2021-01-01T12:10:30Z", | |
"trusted": true, | |
"valid": true | |
}, | |
"command_line": "/usr/bin/ssh -l user 10.0.0.16", | |
"elf": { | |
"architecture": "x86-64", | |
"byte_order": "Little Endian", | |
"cpu_type": "Intel", | |
"creation_date": "2021-01-13T10:13:08.000Z", | |
"exports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"go_import_hash": "10bddcb4cee42080f76c88d9ff964491", | |
"go_imports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"go_imports_names_entropy": 123, | |
"go_imports_names_var_entropy": 123, | |
"go_stripped": true, | |
"header": { | |
"abi_version": "versionname", | |
"class": "headerclass", | |
"data": "elfheaderdata", | |
"entrypoint": 123, | |
"object_version": "headerobjversion", | |
"os_abi": "osabi", | |
"type": "headertype", | |
"version": "headerversion" | |
}, | |
"import_hash": "d41d8cd98f00b204e9800998ecf8427e", | |
"imports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"imports_names_entropy": 123, | |
"imports_names_var_entropy": 123, | |
"sections": [{ | |
"chi2": 123, | |
"entropy": 100, | |
"flags": "sectionsflag", | |
"name": "sectionname", | |
"physical_offset": "physoffset", | |
"physical_size": 123, | |
"type": "sectionstype", | |
"var_entropy": 123, | |
"virtual_address": 123, | |
"virtual_size": 123 | |
}], | |
"segments": [{ | |
"sections": "elfsegments", | |
"type": "elftype" | |
}], | |
"shared_libraries": [ | |
"lib1", | |
"lib2" | |
], | |
"telfhash": "telfhash" | |
}, | |
"end": "2016-05-23T08:05:34.853Z", | |
"entity_id": "c2c455d9f99375d", | |
"entry_leader": { | |
"args": [ | |
"/bin/ssh", | |
"user", | |
"10.10.10.2" | |
], | |
"args_count": 3, | |
"attested_groups": { | |
"name": "groupname" | |
}, | |
"attested_user": { | |
"id": "S-1-5-21-1717121054-434620538-60925301-2794", | |
"name": "at_adm" | |
}, | |
"command_line": "/usr/bin/ssh -l user 10.0.0.16", | |
"entity_id": "c2c455d9f99375d", | |
"entry_meta": { | |
"source": { | |
"ip": "10.10.10.10", | |
"type": "sshd" | |
} | |
}, | |
"executable": "/usr/bin/ssh", | |
"group": { | |
"id": "groupid", | |
"name": "groupname" | |
}, | |
"interactive": true, | |
"name": "entryprocessname", | |
"parent": { | |
"entity_id": "c2c455d9f99375d", | |
"pid": 123, | |
"session_leader": { | |
"entity_id": "c2c455d9f99375d", | |
"pid": 123, | |
"start": "2016-05-23T08:05:34.857Z" | |
}, | |
"start": "2016-05-23T08:05:34.857Z" | |
}, | |
"pid": 123, | |
"real_group": { | |
"id": "123", | |
"name": "groupname" | |
}, | |
"real_user": { | |
"id": "userid", | |
"name": "username" | |
}, | |
"same_as_process": true, | |
"saved_group": { | |
"id": "savedgroupid", | |
"name": "savedgroupname" | |
}, | |
"saved_user": { | |
"id": "saveduserid", | |
"name": "savedusername" | |
}, | |
"start": "2016-05-23T08:05:34.857Z", | |
"supplemental_groups": { | |
"id": "suppgroupid", | |
"name": "suppgroupname" | |
}, | |
"tty": { | |
"char_device": { | |
"major": 4, | |
"minor": 2 | |
} | |
}, | |
"user": { | |
"id": "userid", | |
"name": "username" | |
}, | |
"working_directory": "/home/test" | |
}, | |
"env_vars": [ | |
"PATH=/usr/local/bin:/usr/bin", | |
"USER=ubuntu" | |
], | |
"executable": "/usr/bin/ssh", | |
"exit_code": 123, | |
"group_leader": { | |
"args": [ | |
"/bin/ssh", | |
"10.10.10.2", | |
"user" | |
], | |
"args_count": 3, | |
"command_line": "/usr/bin/ssh -l user 10.0.0.16", | |
"entity_id": "c2c455d9f99375d", | |
"executable": "/usr/bin/ssh", | |
"group": { | |
"id": "groupid", | |
"name": "groupname" | |
}, | |
"interactive": true, | |
"name": "ssh", | |
"pid": 123, | |
"real_group": { | |
"id": "123", | |
"name": "groupname" | |
}, | |
"real_user": { | |
"id": "userid", | |
"name": "username" | |
}, | |
"same_as_process": true, | |
"saved_group": { | |
"id": "savedgroupid", | |
"name": "savedgroupname" | |
}, | |
"saved_user": { | |
"id": "saveduserid", | |
"name": "savedusername" | |
}, | |
"start": "2016-05-23T08:05:34.857Z", | |
"supplemental_groups": { | |
"id": "suppgroupid", | |
"name": "suppgroupname" | |
}, | |
"tty": { | |
"char_device": { | |
"major": 4, | |
"minor": 2 | |
} | |
}, | |
"user": { | |
"id": "userid", | |
"name": "username" | |
}, | |
"working_directory": "/home/test" | |
}, | |
"hash": { | |
"md5": "somemd5hash", | |
"sha1": "somesha1hash", | |
"sha256": "somesha256hash", | |
"sha384": "somesha384hash", | |
"sha512": "somesha512hash", | |
"ssdeep": "somessdeephash", | |
"tlsh": "sometlshhash" | |
}, | |
"interactive": true, | |
"io": { | |
"bytes_skipped": [{ | |
"length": 123, | |
"offset": 123 | |
}], | |
"max_bytes_per_process_exceeded": true, | |
"text": "some longer test text", | |
"total_bytes_captured": 123, | |
"total_bytes_skipped": 123, | |
"type": "iotype", | |
"macho": { | |
"go_import_hash": "10bddcb4cee42080f76c88d9ff964491", | |
"go_imports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"go_imports_names_entropy": 123, | |
"go_imports_names_var_entropy": 123, | |
"go_stripped": true, | |
"import_hash": "d41d8cd98f00b204e9800998ecf8427e", | |
"imports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"imports_names_entropy": 123, | |
"imports_names_var_entropy": 123, | |
"sections": [{ | |
"entropy": 100, | |
"name": "sectionname", | |
"physical_size": 123, | |
"var_entropy": 123, | |
"virtual_size": 123 | |
}], | |
"symhash": "d3ccf195b62a9279c3c19af1080497ec" | |
}, | |
"name": "processname", | |
"parent": { | |
"args": [ | |
"/bin/ssh", | |
"user", | |
"10.10.10.2" | |
], | |
"args_count": 3, | |
"code_signature": { | |
"digest_algorithm": "sha256", | |
"exists": true, | |
"signing_id": "com.apple.xpc.proxy", | |
"status": "N/A", | |
"subject_name": "Microsoft", | |
"team_id": "EQHXZ8M8AV", | |
"timestamp": "2021-01-01T12:10:30Z", | |
"trusted": true, | |
"valid": true | |
}, | |
"command_line": "/usr/bin/ssh -l user 10.0.0.16", | |
"elf": { | |
"architecture": "x86-64", | |
"byte_order": "Little Endian", | |
"cpu_type": "Intel", | |
"creation_date": "2021-01-13T10:13:08.000Z", | |
"exports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"go_import_hash": "10bddcb4cee42080f76c88d9ff964491", | |
"go_imports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"go_imports_names_entropy": 123, | |
"go_imports_names_var_entropy": 123, | |
"go_stripped": true, | |
"header": { | |
"abi_version": "versionname", | |
"class": "headerclass", | |
"data": "elfheaderdata", | |
"entrypoint": 123, | |
"object_version": "headerobjversion", | |
"os_abi": "osabi", | |
"type": "headertype", | |
"version": "headerversion" | |
}, | |
"import_hash": "d41d8cd98f00b204e9800998ecf8427e", | |
"imports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"imports_names_entropy": 123, | |
"imports_names_var_entropy": 123, | |
"sections": [{ | |
"chi2": 123, | |
"entropy": 100, | |
"flags": "sectionsflag", | |
"name": "sectionname", | |
"physical_offset": "physoffset", | |
"physical_size": 123, | |
"type": "sectionstype", | |
"var_entropy": 123, | |
"virtual_address": 123, | |
"virtual_size": 123 | |
}], | |
"segments": [{ | |
"sections": "elfsegments", | |
"type": "elftype" | |
}], | |
"shared_libraries": [ | |
"lib1", | |
"lib2" | |
], | |
"telfhash": "telfhash" | |
}, | |
"end": "2016-05-23T08:05:34.853Z", | |
"entity_id": "c2c455d9f99375d", | |
"executable": "/usr/bin/ssh", | |
"exit_code": 123, | |
"group": { | |
"name": "test-name", | |
"id": "test-id" | |
}, | |
"group_leader": { | |
"entity_id": "c2c455d9f99375d", | |
"pid": 123, | |
"start": "2016-05-23T08:05:34.857Z" | |
}, | |
"hash": { | |
"md5": "somemd5hash", | |
"sha1": "somesha1hash", | |
"sha256": "somesha256hash", | |
"sha384": "somesha384hash", | |
"sha512": "somesha512hash", | |
"ssdeep": "somessdeephash", | |
"tlsh": "sometlshhash" | |
}, | |
"interactive": true, | |
"macho": { | |
"go_import_hash": "10bddcb4cee42080f76c88d9ff964491", | |
"go_imports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"go_imports_names_entropy": 123, | |
"go_imports_names_var_entropy": 123, | |
"go_stripped": true, | |
"import_hash": "d41d8cd98f00b204e9800998ecf8427e", | |
"imports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"imports_names_entropy": 123, | |
"imports_names_var_entropy": 123, | |
"sections": [{ | |
"entropy": 100, | |
"name": "sectionname", | |
"physical_size": 123, | |
"var_entropy": 123, | |
"virtual_size": 123 | |
}], | |
"symhash": "d3ccf195b62a9279c3c19af1080497ec" | |
}, | |
"name": "processname", | |
"pe": { | |
"company": "Microsoft Corporation", | |
"description": "Notepad", | |
"file_version": "10.0.17763.475 (WinBuild.160101.0800)", | |
"original_file_name": "NOTEPAD.EXE", | |
"product": "Microsoft® Windows® Operating System", | |
"architecture": "x86", | |
"imphash": "0c6803c4e922103c4dca5963aad36ddf", | |
"pehash": "73ff189b63cd6be375a7ff25179a38d347651975", | |
"go_import_hash": "10bddcb4cee42080f76c88d9ff964491", | |
"go_imports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"go_imports_names_entropy": 123, | |
"go_imports_names_var_entropy": 123, | |
"go_stripped": true, | |
"import_hash": "d41d8cd98f00b204e9800998ecf8427e", | |
"imports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"imports_names_entropy": 123, | |
"imports_names_var_entropy": 123, | |
"sections": [{ | |
"entropy": 100, | |
"name": "sectionname", | |
"physical_size": 123, | |
"var_entropy": 123, | |
"virtual_size": 123 | |
}] | |
}, | |
"pgid": 123, | |
"pid": 123, | |
"real_group": { | |
"id": "groupid", | |
"name": "groupname" | |
}, | |
"real_user": { | |
"id": "userid", | |
"name": "username" | |
}, | |
"saved_group": { | |
"id": "groupid", | |
"name": "groupname" | |
}, | |
"saved_user": { | |
"id": "userid", | |
"name": "username" | |
}, | |
"start": "2016-05-23T08:05:34.857Z", | |
"supplemental_groups": { | |
"id": "suppgroupid", | |
"name": "suppgroupname" | |
}, | |
"thread": { | |
"id": 123, | |
"name": "threadname" | |
}, | |
"title": "proctitle", | |
"tty": { | |
"char_device": { | |
"major": 4, | |
"minor": 2 | |
} | |
}, | |
"uptime": 123, | |
"user": { | |
"id": "userid", | |
"name": "username" | |
}, | |
"working_directory": "/home/test" | |
}, | |
"pe": { | |
"company": "Microsoft Corporation", | |
"description": "Notepad", | |
"file_version": "10.0.17763.475 (WinBuild.160101.0800)", | |
"original_file_name": "NOTEPAD.EXE", | |
"product": "Microsoft® Windows® Operating System", | |
"architecture": "x86", | |
"imphash": "0c6803c4e922103c4dca5963aad36ddf", | |
"pehash": "73ff189b63cd6be375a7ff25179a38d347651975", | |
"go_import_hash": "10bddcb4cee42080f76c88d9ff964491", | |
"go_imports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"go_imports_names_entropy": 123, | |
"go_imports_names_var_entropy": 123, | |
"go_stripped": true, | |
"import_hash": "d41d8cd98f00b204e9800998ecf8427e", | |
"imports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"imports_names_entropy": 123, | |
"imports_names_var_entropy": 123, | |
"sections": [{ | |
"entropy": 100, | |
"name": "sectionname", | |
"physical_size": 123, | |
"var_entropy": 123, | |
"virtual_size": 123 | |
}] | |
}, | |
"pgid": 123, | |
"pid": 123, | |
"previous": { | |
"args": [ | |
"/usr/bin/ssh", | |
"user", | |
"10.10.10.1" | |
], | |
"args_count": 3, | |
"executable": "/usr/bin/ssh" | |
}, | |
"real_group": { | |
"id": "groupid", | |
"name": "groupname" | |
}, | |
"real_user": { | |
"id": "userid", | |
"name": "username" | |
}, | |
"saved_group": { | |
"id": "groupid", | |
"name": "groupname" | |
}, | |
"saved_user": { | |
"id": "userid", | |
"name": "username" | |
}, | |
"session_leader": { | |
"args": [ | |
"/usr/bin/ssh", | |
"user", | |
"10.10.10.1" | |
], | |
"args_count": 3, | |
"command_line": "/usr/bin/ssh -l user 10.0.0.16", | |
"entity_id": "c2c455d9f99375d", | |
"executable": "/usr/bin/ssh", | |
"group": { | |
"id": "groupid", | |
"name": "groupname" | |
}, | |
"interactive": true, | |
"name": "processname", | |
"parent": { | |
"entity_id": "c2c455d9f99375d", | |
"pid": 123, | |
"session_leader": { | |
"entity_id": "c2c455d9f99375d", | |
"pid": 123, | |
"start": "2016-05-23T08:05:34.857Z" | |
}, | |
"start": "2016-05-23T08:05:34.857Z" | |
}, | |
"pid": 123, | |
"real_group": { | |
"id": "groupid", | |
"name": "groupname" | |
}, | |
"real_user": { | |
"id": "userid", | |
"name": "username" | |
}, | |
"same_as_process": true, | |
"saved_group": { | |
"id": "groupid", | |
"name": "groupname" | |
}, | |
"saved_user": { | |
"id": "userid", | |
"name": "username" | |
}, | |
"start": "2016-05-23T08:05:34.857Z", | |
"supplemental_groups": { | |
"id": "suppgroupid", | |
"name": "suppgroupname" | |
}, | |
"tty": { | |
"char_device": { | |
"major": 4, | |
"minor": 2 | |
} | |
}, | |
"user": { | |
"id": "userid", | |
"name": "username" | |
}, | |
"working_directory": "/home/test" | |
}, | |
"start": "2016-05-23T08:05:34.857Z", | |
"supplemental_groups": { | |
"id": "123", | |
"name": "suppgroupname" | |
}, | |
"thread": { | |
"id": 123, | |
"name": "threadname" | |
}, | |
"title": "proctitle", | |
"tty": { | |
"char_device": { | |
"major": 4, | |
"minor": 2 | |
}, | |
"columns": 80, | |
"rows": 23 | |
}, | |
"uptime": 123, | |
"user": { | |
"id": "S-1-5-21-1717121054-434620538-60925301-2794", | |
"name": "at_adm" | |
}, | |
"working_directory": "/home/test" | |
} | |
}, | |
"registry": { | |
"data": { | |
"bytes": "ZQBuAC0AVQBTAAAAZQBuAAAAAAA=", | |
"strings": [ | |
"C:\\rta\\red_ttp\\bin\\myapp.exe", | |
"C:\\rta\\red_ttp\\bin\\myapp2.exe" | |
], | |
"type": "REG_SZ" | |
}, | |
"hive": "HKLM", | |
"key": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe", | |
"path": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options", | |
"value": "Debugger" | |
}, | |
"related": { | |
"hash": [ | |
"asdojigiopsj349850+", | |
"asdojigiopsj349850gdfh" | |
], | |
"hosts": [ | |
"hostname1", | |
"hostname2" | |
], | |
"ip": [ | |
"10.10.10.10", | |
"192.1.1.1" | |
], | |
"user": [ | |
"test", | |
"test2" | |
] | |
}, | |
"rule": { | |
"author": [ | |
"authorname1", | |
"authorname2" | |
], | |
"category": "Attempted Info Leak", | |
"description": "ruledescription", | |
"id": "ruleid", | |
"license": "rulelicense", | |
"name": "rulename", | |
"reference": "rulereference", | |
"ruleset": "rulesetname", | |
"uuid": "ruileuuid", | |
"version": "ruleversion" | |
}, | |
"server": { | |
"address": "89.160.20.156", | |
"as": { | |
"number": 29518, | |
"organization": { | |
"name": "Bredband2 AB" | |
} | |
}, | |
"bytes": 23, | |
"domain": "d111111abcdef8.cloudfront.net", | |
"geo": { | |
"city_name": "Linköping", | |
"continent_code": "NA", | |
"name": "custom-name", | |
"postal_code": "12354", | |
"timezone": "America/Argentina/Buenos_Aires", | |
"continent_name": "Europe", | |
"country_iso_code": "SE", | |
"country_name": "Sweden", | |
"location": { | |
"lat": 58.4167, | |
"lon": 15.6167 | |
}, | |
"region_iso_code": "SE-E", | |
"region_name": "Östergötland County" | |
}, | |
"ip": "192.168.0.2", | |
"mac": [ | |
"02:42:ac:1b:00:07" | |
], | |
"nat": { | |
"ip": "10.0.0.2", | |
"port": 3389 | |
}, | |
"packets": 54, | |
"port": 54, | |
"registered_domain": "d111111abcdef8.cloudfront.net", | |
"subdomain": "d111111abcdef8", | |
"top_level_domain": "d111111abcdef8", | |
"user": { | |
"domain": "TEST", | |
"email": "test@test.com", | |
"full_name": "somename", | |
"group": { | |
"name": "test-name", | |
"domain": "test.domain", | |
"id": "test-id" | |
}, | |
"hash": "12354dfsngdftbsvesawcd", | |
"id": "S-1-5-21-1717121054-434620538-60925301-2794", | |
"name": "at_adm", | |
"roles": [ | |
"role1", | |
"role2" | |
] | |
} | |
}, | |
"service": { | |
"environment": "serviceenvname", | |
"ephemeral_id": "1bee52ec-b713-415e-9d9b-32c5217f9796", | |
"id": "serviceid", | |
"name": "servicename", | |
"node": { | |
"name": "servicenodename", | |
"role": "servicerole", | |
"roles": [ | |
"role1", | |
"role2" | |
] | |
}, | |
"origin": { | |
"address": "89.160.20.156", | |
"environment": "serviceenvname", | |
"ephemeral_id": "1bee52ec-b713-415e-9d9b-32c5217f9796", | |
"id": "serviceid", | |
"name": "servicename", | |
"node": { | |
"name": "servicenodename", | |
"role": "servicerole", | |
"roles": [ | |
"role1", | |
"role2" | |
] | |
}, | |
"state": "originstate", | |
"type": "origintype", | |
"version": "originversion" | |
}, | |
"state": "servicestate", | |
"target": { | |
"address": "89.160.20.156", | |
"environment": "serviceenvname", | |
"ephemeral_id": "1bee52ec-b713-415e-9d9b-32c5217f9796", | |
"id": "serviceid", | |
"name": "servicename", | |
"node": { | |
"name": "servicenodename", | |
"role": "servicerole", | |
"roles": [ | |
"role1", | |
"role2" | |
] | |
}, | |
"state": "originstate", | |
"type": "origintype", | |
"version": "originversion" | |
}, | |
"type": "servicetype", | |
"version": "serviceversion" | |
}, | |
"source": { | |
"address": "89.160.20.156", | |
"as": { | |
"number": 29518, | |
"organization": { | |
"name": "Bredband2 AB" | |
} | |
}, | |
"bytes": 23, | |
"domain": "d111111abcdef8.cloudfront.net", | |
"geo": { | |
"city_name": "Linköping", | |
"continent_code": "NA", | |
"name": "custom-name", | |
"postal_code": "12354", | |
"timezone": "America/Argentina/Buenos_Aires", | |
"continent_name": "Europe", | |
"country_iso_code": "SE", | |
"country_name": "Sweden", | |
"location": { | |
"lat": 58.4167, | |
"lon": 15.6167 | |
}, | |
"region_iso_code": "SE-E", | |
"region_name": "Östergötland County" | |
}, | |
"ip": "192.168.0.2", | |
"mac": [ | |
"02:42:ac:1b:00:07" | |
], | |
"nat": { | |
"ip": "10.0.0.2", | |
"port": 3389 | |
}, | |
"packets": 54, | |
"port": 54, | |
"registered_domain": "d111111abcdef8.cloudfront.net", | |
"subdomain": "d111111abcdef8", | |
"top_level_domain": "d111111abcdef8", | |
"user": { | |
"domain": "TEST", | |
"email": "test@test.com", | |
"full_name": "somename", | |
"group": { | |
"name": "test-name", | |
"domain": "test.domain", | |
"id": "test-id" | |
}, | |
"hash": "12354dfsngdftbsvesawcd", | |
"id": "S-1-5-21-1717121054-434620538-60925301-2794", | |
"name": "at_adm", | |
"roles": [ | |
"role1", | |
"role2" | |
] | |
} | |
}, | |
"span": { | |
"id": "spanid" | |
}, | |
"tags": [ | |
"preserve_original_event" | |
], | |
"threat": { | |
"enrichments": [{ | |
"indicator": { | |
"as": { | |
"number": 29518, | |
"organization": { | |
"name": "Bredband2 AB" | |
} | |
}, | |
"confidence": "Low", | |
"description": "indicator description", | |
"email": { | |
"address": "test@example.com" | |
}, | |
"file": { | |
"accessed": "2021-01-13T10:13:08.000Z", | |
"attributes": [ | |
"readonly", | |
"system" | |
], | |
"code_signature": { | |
"digest_algorithm": "sha256", | |
"exists": true, | |
"signing_id": "com.apple.xpc.proxy", | |
"status": "N/A", | |
"subject_name": "Microsoft", | |
"team_id": "EQHXZ8M8AV", | |
"timestamp": "2021-01-01T12:10:30Z", | |
"trusted": true, | |
"valid": true | |
}, | |
"created": "2021-01-13T10:13:08.000Z", | |
"ctime": "2021-01-13T10:13:08.000Z", | |
"device": "sda", | |
"directory": "/home/test", | |
"drive_letter": "C", | |
"elf": { | |
"architecture": "x86-64", | |
"byte_order": "Little Endian", | |
"cpu_type": "Intel", | |
"creation_date": "2021-01-13T10:13:08.000Z", | |
"exports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"go_import_hash": "10bddcb4cee42080f76c88d9ff964491", | |
"go_imports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"go_imports_names_entropy": 123, | |
"go_imports_names_var_entropy": 123, | |
"go_stripped": true, | |
"header": { | |
"abi_version": "versionname", | |
"class": "headerclass", | |
"data": "elfheaderdata", | |
"entrypoint": 123, | |
"object_version": "headerobjversion", | |
"os_abi": "osabi", | |
"type": "headertype", | |
"version": "headerversion", | |
"import_hash": "d41d8cd98f00b204e9800998ecf8427e" | |
}, | |
"imports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"imports_names_entropy": 123, | |
"imports_names_var_entropy": 123, | |
"sections": [{ | |
"chi2": 100, | |
"entropy": 123, | |
"flags": "sectionsflag", | |
"name": "sectioname", | |
"physical_offset": "physoffset", | |
"physical_size": 123, | |
"type": "sectionstype", | |
"var_entropy": 123, | |
"virtual_address": 123, | |
"virtual_size": 123 | |
}], | |
"segments": [{ | |
"sections": "elfsegments", | |
"type": "elftype" | |
}], | |
"shared_libraries": [ | |
"lib1", | |
"lib2" | |
], | |
"telfhash": "telfhash" | |
}, | |
"extension": "png", | |
"fork_name": "Zone.Identifier", | |
"gid": "1001", | |
"group": "filegroup", | |
"hash": { | |
"md5": "somemd5hash", | |
"sha1": "somesha1hash", | |
"sha256": "somesha256hash", | |
"sha384": "somesha384hash", | |
"sha512": "somesha512hash", | |
"ssdeep": "somessdeephash", | |
"tlsh": "sometlshhash" | |
}, | |
"inode": "123123", | |
"macho": { | |
"go_import_hash": "10bddcb4cee42080f76c88d9ff964491", | |
"go_imports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"go_imports_names_entropy": 123, | |
"go_imports_names_var_entropy": 123, | |
"go_stripped": true, | |
"import_hash": "d41d8cd98f00b204e9800998ecf8427e", | |
"imports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"imports_names_entropy": 123, | |
"imports_names_var_entropy": 123, | |
"sections": [{ | |
"entropy": 100, | |
"name": "sectionname", | |
"physical_size": 123, | |
"var_entropy": 123, | |
"virtual_size": 123 | |
}], | |
"symhash": "d3ccf195b62a9279c3c19af1080497ec" | |
}, | |
"mime_type": "text/plain", | |
"mode": "0444", | |
"mtime": "2021-01-13T10:13:08.000Z", | |
"name": "file.png", | |
"owner": "testuser", | |
"path": "C:\\Windows\\System32\\kernel32.dll", | |
"pe": { | |
"company": "Microsoft Corporation", | |
"description": "Notepad", | |
"file_version": "10.0.17763.475 (WinBuild.160101.0800)", | |
"original_file_name": "NOTEPAD.EXE", | |
"product": "Microsoft® Windows® Operating System", | |
"architecture": "x86", | |
"imphash": "0c6803c4e922103c4dca5963aad36ddf", | |
"import_hash": "d41d8cd98f00b204e9800998ecf8427e", | |
"imports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"imports_names_entropy": 123, | |
"imports_names_var_entropy": 123, | |
"pehash": "73ff189b63cd6be375a7ff25179a38d347651975", | |
"go_import_hash": "10bddcb4cee42080f76c88d9ff964491", | |
"go_imports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"go_imports_names_entropy": 123, | |
"go_imports_names_var_entropy": 123, | |
"go_stripped": true, | |
"sections": [{ | |
"entropy": 100, | |
"name": "sectionname", | |
"physical_size": 123, | |
"var_entropy": 123, | |
"virtual_size": 123 | |
}] | |
}, | |
"size": 123, | |
"target_path": "/some/path", | |
"type": "filetype", | |
"uid": "1001", | |
"x509": { | |
"alternative_names": [ | |
"testalternativename", | |
"anothername" | |
], | |
"issuer": { | |
"common_name": "Example SHA2 High Assurance Server CA", | |
"country": [ | |
"US", | |
"NL" | |
], | |
"distinguished_name": "C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA", | |
"locality": [ | |
"Mountain View", | |
"Testlocality" | |
], | |
"organization": [ | |
"Example Inc", | |
"Elastic BV" | |
], | |
"organizational_unit": [ | |
"www.example.com", | |
"www.example.co.uk" | |
], | |
"state_or_province": [ | |
"California", | |
"Florida" | |
] | |
}, | |
"not_after": "2020-07-16T03:15:39Z", | |
"not_before": "2020-07-16T03:15:39Z", | |
"public_key_algorithm": "RSA", | |
"public_key_curve": "nistp521", | |
"public_key_exponent": 65537, | |
"public_key_size": 123, | |
"serial_number": "55FBB9C7DEBF09809D12CCAA", | |
"signature_algorithm": "SHA256-RSA", | |
"subject": { | |
"common_name": [ | |
"shared.global.example.net", | |
"test.example.com" | |
], | |
"country": [ | |
"US", | |
"NL" | |
], | |
"distinguished_name": "C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net", | |
"locality": [ | |
"Florida", | |
"Mountain View" | |
], | |
"organization": [ | |
"Example Inc", | |
"Elastic BV" | |
], | |
"organizational_unit": [ | |
"testorgunit", | |
"testanotherorgunit" | |
], | |
"state_or_province": [ | |
"California", | |
"Florida" | |
] | |
}, | |
"version_number": "3" | |
} | |
}, | |
"first_seen": "2021-01-13T10:13:08.000Z", | |
"geo": { | |
"city_name": "Linköping", | |
"continent_code": "NA", | |
"name": "custom-name", | |
"postal_code": "12354", | |
"timezone": "America/Argentina/Buenos_Aires", | |
"continent_name": "Europe", | |
"country_iso_code": "SE", | |
"country_name": "Sweden", | |
"location": { | |
"lat": 58.4167, | |
"lon": 15.6167 | |
}, | |
"region_iso_code": "SE-E", | |
"region_name": "Östergötland County" | |
}, | |
"ip": "10.0.0.2", | |
"last_seen": "2021-01-13T10:13:08.000Z", | |
"marking": { | |
"tlp": { | |
"version": "2.0" | |
} | |
}, | |
"modified_at": "2021-01-13T10:13:08.000Z", | |
"port": 123, | |
"provider": "lrz_urlhaus", | |
"reference": "https://system.example.com/indicator/0001234", | |
"registry": { | |
"data": { | |
"bytes": "ZQBuAC0AVQBTAAAAZQBuAAAAAAA=", | |
"strings": [ | |
"C:\\rta\\red_ttp\\bin\\myapp.exe", | |
"C:\\rta\\red_ttp\\bin\\myapp2.exe" | |
], | |
"type": "REG_SZ" | |
}, | |
"hive": "HKLM", | |
"key": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe", | |
"path": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options", | |
"value": "Debugger" | |
}, | |
"scanner_stats": 123, | |
"sightings": 123, | |
"type": "artifact", | |
"url": { | |
"domain": "elastic.co", | |
"extension": "png", | |
"fragment": "top", | |
"full": "www.elastic.co/test.png", | |
"original": "www.elastic.co/test.png", | |
"password": "password123", | |
"path": "/test.png", | |
"port": 123, | |
"query": "?somesearch=123", | |
"registered_domain": "registered_domain", | |
"scheme": "https", | |
"subdomain": "somesubdomain", | |
"top_level_domain": "d111111abcdef8", | |
"username": "urluser" | |
}, | |
"x509": { | |
"alternative_names": [ | |
"testalternativename", | |
"anothername" | |
], | |
"issuer": { | |
"common_name": "Example SHA2 High Assurance Server CA", | |
"country": [ | |
"US", | |
"NL" | |
], | |
"distinguished_name": "C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA", | |
"locality": [ | |
"Mountain View", | |
"Testlocality" | |
], | |
"organization": [ | |
"Example Inc", | |
"Elastic BV" | |
], | |
"organizational_unit": [ | |
"www.example.com", | |
"www.example.co.uk" | |
], | |
"state_or_province": [ | |
"California", | |
"Florida" | |
] | |
}, | |
"not_after": "2020-07-16T03:15:39Z", | |
"not_before": "2020-07-16T03:15:39Z", | |
"public_key_algorithm": "RSA", | |
"public_key_curve": "nistp521", | |
"public_key_exponent": 65537, | |
"public_key_size": 123, | |
"serial_number": "55FBB9C7DEBF09809D12CCAA", | |
"signature_algorithm": "SHA256-RSA", | |
"subject": { | |
"common_name": [ | |
"shared.global.example.net", | |
"test.example.com" | |
], | |
"country": [ | |
"US", | |
"NL" | |
], | |
"distinguished_name": "C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net", | |
"locality": [ | |
"Florida", | |
"Mountain View" | |
], | |
"organization": [ | |
"Example Inc", | |
"Elastic BV" | |
], | |
"organizational_unit": [ | |
"testorgunit", | |
"testanotherorgunit" | |
], | |
"state_or_province": [ | |
"California", | |
"Florida" | |
] | |
}, | |
"version_number": "3" | |
}, | |
"matched": { | |
"atomic": "domain.com", | |
"field": "file.hash.sha1", | |
"id": "ff93aee5-86a1-4a61-b0e6-0cdc313d01b5", | |
"index": "filebeat-8.0.0-2021.05.23-000011", | |
"occurred": "2021-10-05T17:00:58.326Z", | |
"type": "indicator_match_rule" | |
} | |
} | |
}], | |
"feed": { | |
"dashboard_id": "5ba16340-72e6-11eb-a3e3-b3cc7c78a70f", | |
"description": "Description of the threat feed in a UI friendly format.", | |
"name": "AlienVault OTX", | |
"reference": "https://otx.alienvault.com" | |
}, | |
"framework": "MITRE ATT&CK", | |
"group": { | |
"alias": [ | |
"Magecart Group 6", | |
"Magecart Group 5" | |
], | |
"id": "FIN6", | |
"reference": "groupreference" | |
}, | |
"indicator": { | |
"as": { | |
"number": 29518, | |
"organization": { | |
"name": "Bredband2 AB" | |
} | |
}, | |
"confidence": "Low", | |
"description": "indicator description", | |
"email": { | |
"address": "test@example.com" | |
}, | |
"file": { | |
"accessed": "2021-01-13T10:13:08.000Z", | |
"attributes": [ | |
"readonly", | |
"system" | |
], | |
"code_signature": { | |
"digest_algorithm": "sha256", | |
"exists": true, | |
"signing_id": "com.apple.xpc.proxy", | |
"status": "N/A", | |
"subject_name": "Microsoft", | |
"team_id": "EQHXZ8M8AV", | |
"timestamp": "2021-01-01T12:10:30Z", | |
"trusted": true, | |
"valid": true | |
}, | |
"created": "2021-01-13T10:13:08.000Z", | |
"ctime": "2021-01-13T10:13:08.000Z", | |
"device": "sda", | |
"directory": "/home/test", | |
"drive_letter": "C", | |
"elf": { | |
"architecture": "x86-64", | |
"byte_order": "Little Endian", | |
"cpu_type": "Intel", | |
"creation_date": "2021-01-13T10:13:08.000Z", | |
"exports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"go_import_hash": "10bddcb4cee42080f76c88d9ff964491", | |
"go_imports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"go_imports_names_entropy": 123, | |
"go_imports_names_var_entropy": 123, | |
"go_stripped": true, | |
"header": { | |
"abi_version": "versionname", | |
"class": "headerclass", | |
"data": "elfheaderdata", | |
"entrypoint": 123, | |
"object_version": "headerobjversion", | |
"os_abi": "osabi", | |
"type": "headertype", | |
"version": "headerversion", | |
"import_hash": "d41d8cd98f00b204e9800998ecf8427e" | |
}, | |
"imports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"imports_names_entropy": 123, | |
"imports_names_var_entropy": 123, | |
"sections": [{ | |
"chi2": 100, | |
"entropy": 123, | |
"flags": "sectionsflag", | |
"name": "sectioname", | |
"physical_offset": "physoffset", | |
"physical_size": 123, | |
"type": "sectionstype", | |
"var_entropy": 123, | |
"virtual_address": 123, | |
"virtual_size": 123 | |
}], | |
"segments": [{ | |
"sections": "elfsegments", | |
"type": "elftype" | |
}], | |
"shared_libraries": [ | |
"lib1", | |
"lib2" | |
], | |
"telfhash": "telfhash" | |
}, | |
"extension": "png", | |
"fork_name": "Zone.Identifier", | |
"gid": "1001", | |
"group": "filegroup", | |
"hash": { | |
"md5": "somemd5hash", | |
"sha1": "somesha1hash", | |
"sha256": "somesha256hash", | |
"sha384": "somesha384hash", | |
"sha512": "somesha512hash", | |
"ssdeep": "somessdeephash", | |
"tlsh": "sometlshhash" | |
}, | |
"inode": "123123", | |
"macho": { | |
"go_import_hash": "10bddcb4cee42080f76c88d9ff964491", | |
"go_imports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"go_imports_names_entropy": 123, | |
"go_imports_names_var_entropy": 123, | |
"go_stripped": true, | |
"import_hash": "d41d8cd98f00b204e9800998ecf8427e", | |
"imports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"imports_names_entropy": 123, | |
"imports_names_var_entropy": 123, | |
"sections": [{ | |
"entropy": 100, | |
"name": "sectionname", | |
"physical_size": 123, | |
"var_entropy": 123, | |
"virtual_size": 123 | |
}], | |
"symhash": "d3ccf195b62a9279c3c19af1080497ec" | |
}, | |
"mime_type": "text/plain", | |
"mode": "0444", | |
"mtime": "2021-01-13T10:13:08.000Z", | |
"name": "file.png", | |
"owner": "testuser", | |
"path": "C:\\Windows\\System32\\kernel32.dll", | |
"pe": { | |
"company": "Microsoft Corporation", | |
"description": "Notepad", | |
"file_version": "10.0.17763.475 (WinBuild.160101.0800)", | |
"original_file_name": "NOTEPAD.EXE", | |
"product": "Microsoft® Windows® Operating System", | |
"architecture": "x86", | |
"imphash": "0c6803c4e922103c4dca5963aad36ddf", | |
"import_hash": "d41d8cd98f00b204e9800998ecf8427e", | |
"imports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"imports_names_entropy": 123, | |
"imports_names_var_entropy": 123, | |
"pehash": "73ff189b63cd6be375a7ff25179a38d347651975", | |
"go_import_hash": "10bddcb4cee42080f76c88d9ff964491", | |
"go_imports": { | |
"field1": "value1", | |
"field2": "value2" | |
}, | |
"go_imports_names_entropy": 123, | |
"go_imports_names_var_entropy": 123, | |
"go_stripped": true, | |
"sections": [{ | |
"entropy": 100, | |
"name": "sectionname", | |
"physical_size": 123, | |
"var_entropy": 123, | |
"virtual_size": 123 | |
}] | |
}, | |
"size": 123, | |
"target_path": "/some/path", | |
"type": "filetype", | |
"uid": "1001", | |
"x509": { | |
"alternative_names": [ | |
"testalternativename", | |
"anothername" | |
], | |
"issuer": { | |
"common_name": "Example SHA2 High Assurance Server CA", | |
"country": [ | |
"US", | |
"NL" | |
], | |
"distinguished_name": "C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA", | |
"locality": [ | |
"Mountain View", | |
"Testlocality" | |
], | |
"organization": [ | |
"Example Inc", | |
"Elastic BV" | |
], | |
"organizational_unit": [ | |
"www.example.com", | |
"www.example.co.uk" | |
], | |
"state_or_province": [ | |
"California", | |
"Florida" | |
] | |
}, | |
"not_after": "2020-07-16T03:15:39Z", | |
"not_before": "2020-07-16T03:15:39Z", | |
"public_key_algorithm": "RSA", | |
"public_key_curve": "nistp521", | |
"public_key_exponent": 65537, | |
"public_key_size": 123, | |
"serial_number": "55FBB9C7DEBF09809D12CCAA", | |
"signature_algorithm": "SHA256-RSA", | |
"subject": { | |
"common_name": [ | |
"shared.global.example.net", | |
"test.example.com" | |
], | |
"country": [ | |
"US", | |
"NL" | |
], | |
"distinguished_name": "C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net", | |
"locality": [ | |
"Florida", | |
"Mountain View" | |
], | |
"organization": [ | |
"Example Inc", | |
"Elastic BV" | |
], | |
"organizational_unit": [ | |
"testorgunit", | |
"testanotherorgunit" | |
], | |
"state_or_province": [ | |
"California", | |
"Florida" | |
] | |
}, | |
"version_number": "3" | |
} | |
}, | |
"first_seen": "2021-01-13T10:13:08.000Z", | |
"geo": { | |
"city_name": "Linköping", | |
"continent_code": "NA", | |
"name": "custom-name", | |
"postal_code": "12354", | |
"timezone": "America/Argentina/Buenos_Aires", | |
"continent_name": "Europe", | |
"country_iso_code": "SE", | |
"country_name": "Sweden", | |
"location": { | |
"lat": 58.4167, | |
"lon": 15.6167 | |
}, | |
"region_iso_code": "SE-E", | |
"region_name": "Östergötland County" | |
}, | |
"ip": "10.0.0.2", | |
"last_seen": "2021-01-13T10:13:08.000Z", | |
"marking": { | |
"tlp": { | |
"version": "2.0" | |
} | |
}, | |
"modified_at": "2021-01-13T10:13:08.000Z", | |
"port": 123, | |
"provider": "lrz_urlhaus", | |
"reference": "https://system.example.com/indicator/0001234", | |
"registry": { | |
"data": { | |
"bytes": "ZQBuAC0AVQBTAAAAZQBuAAAAAAA=", | |
"strings": [ | |
"C:\\rta\\red_ttp\\bin\\myapp.exe", | |
"C:\\rta\\red_ttp\\bin\\myapp2.exe" | |
], | |
"type": "REG_SZ" | |
}, | |
"hive": "HKLM", | |
"key": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe", | |
"path": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options", | |
"value": "Debugger" | |
}, | |
"scanner_stats": 123, | |
"sightings": 123, | |
"type": "artifact", | |
"url": { | |
"domain": "elastic.co", | |
"extension": "png", | |
"fragment": "top", | |
"full": "www.elastic.co/test.png", | |
"original": "www.elastic.co/test.png", | |
"password": "password123", | |
"path": "/test.png", | |
"port": 123, | |
"query": "?somesearch=123", | |
"registered_domain": "registered_domain", | |
"scheme": "https", | |
"subdomain": "somesubdomain", | |
"top_level_domain": "d111111abcdef8", | |
"username": "urluser" | |
}, | |
"x509": { | |
"alternative_names": [ | |
"testalternativename", | |
"anothername" | |
], | |
"issuer": { | |
"common_name": "Example SHA2 High Assurance Server CA", | |
"country": [ | |
"US", | |
"NL" | |
], | |
"distinguished_name": "C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA", | |
"locality": [ | |
"Mountain View", | |
"Testlocality" | |
], | |
"organization": [ | |
"Example Inc", | |
"Elastic BV" | |
], | |
"organizational_unit": [ | |
"www.example.com", | |
"www.example.co.uk" | |
], | |
"state_or_province": [ | |
"California", | |
"Florida" | |
] | |
}, | |
"not_after": "2020-07-16T03:15:39Z", | |
"not_before": "2020-07-16T03:15:39Z", | |
"public_key_algorithm": "RSA", | |
"public_key_curve": "nistp521", | |
"public_key_exponent": 65537, | |
"public_key_size": 123, | |
"serial_number": "55FBB9C7DEBF09809D12CCAA", | |
"signature_algorithm": "SHA256-RSA", | |
"subject": { | |
"common_name": [ | |
"shared.global.example.net", | |
"test.example.com" | |
], | |
"country": [ | |
"US", | |
"NL" | |
], | |
"distinguished_name": "C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net", | |
"locality": [ | |
"Florida", | |
"Mountain View" | |
], | |
"organization": [ | |
"Example Inc", | |
"Elastic BV" | |
], | |
"organizational_unit": [ | |
"testorgunit", | |
"testanotherorgunit" | |
], | |
"state_or_province": [ | |
"California", | |
"Florida" | |
] | |
}, | |
"version_number": "3" | |
} | |
}, | |
"software": { | |
"alias": [ | |
"X-Agent", | |
"X-Agent2" | |
], | |
"id": "S0552", | |
"name": "AdFind", | |
"platforms": [ | |
"AWS", | |
"Azure" | |
], | |
"reference": "https://attack.mitre.org/software/S0552/", | |
"type": "Malware" | |
}, | |
"tactic": { | |
"id": "TA0002", | |
"name": "Execution", | |
"reference": [ | |
"https://attack.mitre.org/tactics/TA0002/", | |
"https://attack.mitre.org/tactics/TA0003/" | |
] | |
}, | |
"technique": { | |
"id": [ | |
"T1059", | |
"T1053" | |
], | |
"name": [ | |
"Command and Scripting Interpreter", | |
"Command and Scripting Interpreter2" | |
], | |
"reference": [ | |
"https://attack.mitre.org/techniques/T1059/", | |
"https://attack.mitre.org/techniques/T1051/" | |
], | |
"subtechnique": { | |
"id": [ | |
"T1059.001", | |
"T1059.002" | |
], | |
"name": [ | |
"PowerShell", | |
"PowerShell2" | |
], | |
"reference": [ | |
"https://attack.mitre.org/techniques/T1059/001/", | |
"https://attack.mitre.org/techniques/T1059/002/" | |
] | |
} | |
} | |
}, | |
"tls": { | |
"cipher": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", | |
"client": { | |
"certificate": "MII...", | |
"certificate_chain": [ | |
"chain1", | |
"chain2" | |
], | |
"hash": { | |
"md5": "0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC", | |
"sha1": "9E393D93138888D288266C2D915214D1D1CCEB2A", | |
"sha256": "0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0" | |
}, | |
"issuer": "CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com", | |
"ja3": "d4e5b18d6b55c71272893221c96ba240", | |
"not_after": "2021-01-01T00:00:00.000Z", | |
"not_before": "1970-01-01T00:00:00.000Z", | |
"server_name": "www.elastic.co", | |
"subject": "CN=myclient, OU=Documentation Team, DC=example, DC=com", | |
"supported_ciphers": [ | |
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", | |
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" | |
], | |
"x509": { | |
"alternative_names": [ | |
"testalternativename", | |
"anothername" | |
], | |
"issuer": { | |
"common_name": "Example SHA2 High Assurance Server CA", | |
"country": [ | |
"US", | |
"NL" | |
], | |
"distinguished_name": "C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA", | |
"locality": [ | |
"Mountain View", | |
"Testlocality" | |
], | |
"organization": [ | |
"Example Inc", | |
"Elastic BV" | |
], | |
"organizational_unit": [ | |
"www.example.com", | |
"www.example.co.uk" | |
], | |
"state_or_province": [ | |
"California", | |
"Florida" | |
] | |
}, | |
"not_after": "2020-07-16T03:15:39Z", | |
"not_before": "2020-07-16T03:15:39Z", | |
"public_key_algorithm": "RSA", | |
"public_key_curve": "nistp521", | |
"public_key_exponent": 65537, | |
"public_key_size": 123, | |
"serial_number": "55FBB9C7DEBF09809D12CCAA", | |
"signature_algorithm": "SHA256-RSA", | |
"subject": { | |
"common_name": [ | |
"shared.global.example.net", | |
"test.example.com" | |
], | |
"country": [ | |
"US", | |
"NL" | |
], | |
"distinguished_name": "C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net", | |
"locality": [ | |
"Florida", | |
"Mountain View" | |
], | |
"organization": [ | |
"Example Inc", | |
"Elastic BV" | |
], | |
"organizational_unit": [ | |
"testorgunit", | |
"testanotherorgunit" | |
], | |
"state_or_province": [ | |
"California", | |
"Florida" | |
] | |
}, | |
"version_number": "3" | |
} | |
}, | |
"curve": "secp256r1", | |
"established": true, | |
"next_protocol": "http/1.1", | |
"resumed": true, | |
"server": { | |
"certificate": "MII...", | |
"certificate_chain": [ | |
"chain1", | |
"chain2" | |
], | |
"hash": { | |
"md5": "0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC", | |
"sha1": "9E393D93138888D288266C2D915214D1D1CCEB2A", | |
"sha256": "0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0" | |
}, | |
"issuer": "CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com", | |
"ja3": "d4e5b18d6b55c71272893221c96ba240", | |
"not_after": "2021-01-01T00:00:00.000Z", | |
"not_before": "1970-01-01T00:00:00.000Z", | |
"server_name": "www.elastic.co", | |
"subject": "CN=myclient, OU=Documentation Team, DC=example, DC=com", | |
"supported_ciphers": [ | |
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", | |
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" | |
], | |
"x509": { | |
"alternative_names": [ | |
"testalternativename", | |
"anothername" | |
], | |
"issuer": { | |
"common_name": "Example SHA2 High Assurance Server CA", | |
"country": [ | |
"US", | |
"NL" | |
], | |
"distinguished_name": "C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA", | |
"locality": [ | |
"Mountain View", | |
"Testlocality" | |
], | |
"organization": [ | |
"Example Inc", | |
"Elastic BV" | |
], | |
"organizational_unit": [ | |
"www.example.com", | |
"www.example.co.uk" | |
], | |
"state_or_province": [ | |
"California", | |
"Florida" | |
] | |
}, | |
"not_after": "2020-07-16T03:15:39Z", | |
"not_before": "2020-07-16T03:15:39Z", | |
"public_key_algorithm": "RSA", | |
"public_key_curve": "nistp521", | |
"public_key_exponent": 65537, | |
"public_key_size": 123, | |
"serial_number": "55FBB9C7DEBF09809D12CCAA", | |
"signature_algorithm": "SHA256-RSA", | |
"subject": { | |
"common_name": [ | |
"shared.global.example.net", | |
"test.example.com" | |
], | |
"country": [ | |
"US", | |
"NL" | |
], | |
"distinguished_name": "C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net", | |
"locality": [ | |
"Florida", | |
"Mountain View" | |
], | |
"organization": [ | |
"Example Inc", | |
"Elastic BV" | |
], | |
"organizational_unit": [ | |
"testorgunit", | |
"testanotherorgunit" | |
], | |
"state_or_province": [ | |
"California", | |
"Florida" | |
] | |
}, | |
"version_number": "3" | |
} | |
}, | |
"version": "1.2", | |
"version_protocol": "tls" | |
}, | |
"trace": { | |
"id": "traceid" | |
}, | |
"transaction": { | |
"id": "transactionid" | |
}, | |
"url": { | |
"domain": "elastic.co", | |
"extension": "png", | |
"fragment": "top", | |
"full": "www.elastic.co/test.png", | |
"original": "www.elastic.co/test.png", | |
"password": "password123", | |
"path": "/test.png", | |
"port": 123, | |
"query": "?somesearch=123", | |
"registered_domain": "registered_domain", | |
"scheme": "https", | |
"subdomain": "somesubdomain", | |
"top_level_domain": "d111111abcdef8", | |
"username": "urluser" | |
}, | |
"user": { | |
"changes": { | |
"domain": "www.elastic.co", | |
"email": "test@test.com", | |
"full_name": "somename", | |
"group": { | |
"domain": "groupdomain", | |
"id": "groupid", | |
"name": "groupname" | |
}, | |
"hash": "123456789012345678901234567890ABCD", | |
"id": "userid", | |
"name": "username", | |
"roles": [ | |
"role1", | |
"role2" | |
] | |
}, | |
"domain": "www.elastic.co", | |
"effective": { | |
"domain": "www.elastic.co", | |
"email": "test@test.com", | |
"full_name": "somename", | |
"group": { | |
"domain": "groupdomain", | |
"id": "groupid", | |
"name": "groupname" | |
}, | |
"hash": "123456789012345678901234567890ABCD", | |
"id": "userid", | |
"name": "username", | |
"roles": [ | |
"role1", | |
"role2" | |
] | |
}, | |
"email": "test@test.com", | |
"full_name": "somename", | |
"group": { | |
"domain": "groupdomain", | |
"id": "groupid", | |
"name": "groupname" | |
}, | |
"hash": "123456789012345678901234567890ABCD", | |
"id": "userid", | |
"name": "username", | |
"risk": { | |
"calculated_levels": "High", | |
"calculated_score": 880.73, | |
"calculated_score_norm": 88.73, | |
"static_level": "High", | |
"static_score": 830.0, | |
"static_score_norm": 83.0 | |
}, | |
"roles": [ | |
"role1", | |
"role2" | |
], | |
"target": { | |
"domain": "www.elastic.co", | |
"email": "test@test.com", | |
"full_name": "somename", | |
"group": { | |
"domain": "groupdomain", | |
"id": "groupid", | |
"name": "groupname" | |
}, | |
"hash": "123456789012345678901234567890ABCD", | |
"id": "userid", | |
"name": "username", | |
"roles": [ | |
"role1", | |
"role2" | |
] | |
} | |
}, | |
"user_agent": { | |
"name": "Safari", | |
"original": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1", | |
"os": { | |
"family": "debian", | |
"full": "Mac OS Mojave", | |
"kernel": "4.4.4-112-generic", | |
"name": "MAC OS X", | |
"platform": "darwin", | |
"type": "macos", | |
"version": "10.14.1" | |
}, | |
"version": "12.0" | |
}, | |
"vulnerability": { | |
"category": [ | |
"Firewall", | |
"Host" | |
], | |
"classification": "CVSS", | |
"description": "Vulnerability description", | |
"enumeration": "CVE", | |
"id": "CVE-2020-001", | |
"reference": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111", | |
"report_id": "20191018.0001", | |
"scanner": { | |
"vendor": "Tenable" | |
}, | |
"score": { | |
"base": 5.5, | |
"environmental": 5.5, | |
"temporal": 2.2, | |
"version": "2.0" | |
}, | |
"severity": "Critical" | |
} | |
} |