Created
September 28, 2023 14:31
-
-
Save rafaelfoster/f040881cf9a0fceee327e71670c25f4d to your computer and use it in GitHub Desktop.
This is an example of the config.json file to be used along with FortiEDR Custom Connectors
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "FABRIC_ENV_CONFIG": { | |
| "IpAddress": "192.168.0.1", | |
| "port": "443", | |
| "User": "admin", | |
| "Password": "senha", | |
| "ApiToken": "VERY_SECURE_PASSWORD" | |
| }, | |
| "PARAMS": { | |
| "DeviceCollectorGroup": [ | |
| "Xperts_Workshop" | |
| ], | |
| "ConnectorPassword": "", | |
| "ConnectorHost": "172.31.10.185", | |
| "ConnectorPort": "443", | |
| "EventDestination": "File Execution Attempt", | |
| "EventClassification": "ClassificationMalicious", | |
| "DeviceLastLoggedUser": [ | |
| "CONTOSO\\jsmith" | |
| ], | |
| "ConnectorUsername": "", | |
| "entireEvent": "{\"updateTime\":1677690207794,\"requestJson\":null,\"sendToSupportOnly\":false,\"LoggedUsers\":[{\"Name\":\"CONTOSO\\\\jsmith\",\"LogonTime\":1677677240}],\"EventType\":8192,\"Alerts\":[{\"updateTime\":1677690207469,\"Rule\":6028528,\"RuleContentId\":\"1069\",\"Process\":\"\\\\Device\\\\HarddiskVolume3\\\\Program Files (x86)\\\\Microsoft Office\\\\Office12\\\\WINWORD.EXE\",\"ProcessScriptModule\":\"\",\"ProcessMountPoint\":\"C:\",\"StackType\":\"PRE EXECUTE\",\"Severity\":\"Debug\",\"Action\":\"Log\",\"KeyCrc\":2071279189776064047,\"ProcessCrc\":15003897663347345090,\"KeyPathCrc\":6216577119925837441,\"ProcessPathCrc\":14107441564881122095,\"KeyScriptCrc\":14641965438258302285,\"ProcessScriptCrc\":0,\"KeyShaCrc\":10506955858040694515,\"ProcessShaCrc\":16585679118704548357,\"IsKeyBinary\":false,\"Key\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\SysWOW64\\\\cmd.exe\",\"KeyScriptModule\":\"start\",\"MountPoint\":\"C:\",\"UseBoth\":false,\"UseProcess\":null,\"UseAnyKeyPath\":null,\"UseAnyProcessPath\":null,\"UseProcessScript\":null,\"UseKeyScript\":null,\"KeyVendor\":\"Microsoft Corporation\",\"ProcessVendor\":\"Microsoft Corporation\",\"OS\":\"Windows\",\"KeySha\":\"HdY+3URUE3Gb+aRJS/cCj5vAl/M=\",\"ProcessSha\":\"U0p+qcZ7qz6PLUGXe/Q9Qd/pUc8=\",\"KeyAnalysisFlags\":528384,\"ProcessAnalysisFlags\":4096,\"Is64bit\":false,\"KeyUser\":\"CONTOSO\\\\jsmith\",\"ProcessUser\":\"CONTOSO\\\\jsmith\",\"ParentProcess\":[{\"Executable\":\"\\\\Device\\\\HarddiskVolume3\\\\Program Files (x86)\\\\Microsoft Office\\\\Office12\\\\WINWORD.EXE\",\"ScriptModule\":\"\",\"Sha1Hash\":\"U0p+qcZ7qz6PLUGXe/Q9Qd/pUc8=\",\"Vendor\":\"Microsoft Corporation\",\"User\":\"CONTOSO\\\\jsmith\",\"MountPoint\":\"C:\",\"Flags\":4096,\"Crc\":15003897663347345090,\"PathCrc\":14107441564881122095,\"ScriptCrc\":0,\"ShaCrc\":16585679118704548357,\"IsDefault\":true,\"ProcessUniqueId\":1608381492,\"HasScript\":null,\"NormalizedProcess\":\"\\\\program files (x86)\\\\microsoft office\\\\office12\\\\winword.exe\"},{\"Executable\":\"\\\\Device\\\\HarddiskVolume3\\\\Program Files (x86)\\\\Microsoft Office\\\\Office12\\\\OUTLOOK.EXE\",\"ScriptModule\":\"\",\"Sha1Hash\":\"MZbXbJ9DIT0cP2RkoLOVx2w+nME=\",\"Vendor\":\"Microsoft Corporation\",\"User\":\"CONTOSO\\\\jsmith\",\"MountPoint\":\"C:\",\"Flags\":4096,\"Crc\":1161366615605516519,\"PathCrc\":14107441564881122095,\"ScriptCrc\":0,\"ShaCrc\":8286726992197581387,\"IsDefault\":false,\"ProcessUniqueId\":-1896592626,\"HasScript\":null,\"NormalizedProcess\":\"\\\\program files (x86)\\\\microsoft office\\\\office12\\\\outlook.exe\"},{\"Executable\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\explorer.exe\",\"ScriptModule\":\"\",\"Sha1Hash\":\"T1TToMHHkhGoIsxYnz60SmJoAuw=\",\"Vendor\":\"Microsoft Corporation\",\"User\":\"CONTOSO\\\\jsmith\",\"MountPoint\":\"C:\",\"Flags\":4096,\"Crc\":3955251661086875420,\"PathCrc\":18306218986367795181,\"ScriptCrc\":0,\"ShaCrc\":15692382155961880953,\"IsDefault\":false,\"ProcessUniqueId\":1799522290,\"HasScript\":null,\"NormalizedProcess\":\"\\\\windows\\\\explorer.exe\"},{\"Executable\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\userinit.exe\",\"ScriptModule\":\"\",\"Sha1Hash\":\"bQxq6mvOBRZnYQhbHWElWPgdh3o=\",\"Vendor\":\"Microsoft Corporation\",\"User\":\"CONTOSO\\\\jsmith\",\"MountPoint\":\"\",\"Flags\":4096,\"Crc\":15418664567836328261,\"PathCrc\":16685994471062951977,\"ScriptCrc\":0,\"ShaCrc\":14930812819147439359,\"IsDefault\":false,\"ProcessUniqueId\":690138474,\"HasScript\":null,\"NormalizedProcess\":\"\\\\windows\\\\system32\\\\userinit.exe\"},{\"Executable\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\winlogon.exe\",\"ScriptModule\":\"\",\"Sha1Hash\":\"aGSEMOQdoSQhXI42vNhcoMFxQwQ=\",\"Vendor\":\"Microsoft Corporation\",\"User\":\"Local System\",\"MountPoint\":\"C:\",\"Flags\":4096,\"Crc\":10930988437419661298,\"PathCrc\":16685994471062951977,\"ScriptCrc\":0,\"ShaCrc\":13079750379920297834,\"IsDefault\":false,\"ProcessUniqueId\":-1693602753,\"HasScript\":null,\"NormalizedProcess\":\"\\\\windows\\\\system32\\\\winlogon.exe\"},{\"Executable\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\smss.exe\",\"ScriptModule\":\"\",\"Sha1Hash\":\"xDhkDpTNw6ADfUe4IoptqeopOvQ=\",\"Vendor\":\"Microsoft Corporation\",\"User\":\"Local System\",\"MountPoint\":\"\",\"Flags\":16781312,\"Crc\":17574719438793526979,\"PathCrc\":16685994471062951977,\"ScriptCrc\":0,\"ShaCrc\":12119775869530236441,\"IsDefault\":false,\"ProcessUniqueId\":-778854178,\"HasScript\":null,\"NormalizedProcess\":\"\\\\windows\\\\system32\\\\smss.exe\"},{\"Executable\":\"SYSTEM\",\"ScriptModule\":\"\",\"Sha1Hash\":\"\",\"Vendor\":\"\",\"User\":\"Local System\",\"MountPoint\":\"C:\",\"Flags\":0,\"Crc\":5376111682879364321,\"PathCrc\":0,\"ScriptCrc\":0,\"ShaCrc\":0,\"IsDefault\":false,\"ProcessUniqueId\":-1802966437,\"HasScript\":null,\"NormalizedProcess\":\"system\"}],\"UseParent\":true,\"KeyHasScript\":true,\"ProcessHasScript\":null,\"Policy\":null,\"MitreTags\":null,\"Stacks\":[{\"StackNum\":0}],\"WhitelistingReputation\":\"ReputationGood\",\"WhitelistingExpirationTime\":1680964139011,\"Index\":3,\"MainApp\":{\"Executable\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\SysWOW64\\\\cmd.exe\",\"ScriptModule\":\"start\",\"HasScript\":true,\"Sha1Hash\":\"HdY+3URUE3Gb+aRJS/cCj5vAl/M=\",\"Vendor\":\"Microsoft Corporation\",\"Flags\":528384,\"MountPoint\":\"C:\",\"User\":\"CONTOSO\\\\jsmith\",\"Crc\":0,\"PathCrc\":0,\"ScriptCrc\":0,\"ShaCrc\":0,\"MalwareLikelihoodPercent\":0,\"MalwareLikelihoodPercentEffective\":0,\"Src\":\"StackInfo\",\"ExtWhiteListing\":{\"Hash\":{\"Hash\":\"1DD63EDD445413719BF9A4494BF7028F9BC097F3\",\"HashType\":\"SHA1\"},\"ExtWhiteListing\":{\"Reputation\":\"ReputationGood\",\"Certainty\":70,\"MalwareType\":\"Unknown\",\"FamilyName\":\"Unknown\",\"ThreatName\":\"Unknown\",\"Expiration\":1680964139011},\"CombinedReputation\":\"ReputationGood\",\"AvDetection\":false,\"RLDetails\":{\"RLReputation\":\"ReputationGood\",\"MalwareType\":\"Unknown\",\"FamilyName\":\"Unknown\",\"ThreatName\":\"Unknown\"}}},\"ClassificationRules\":[{\"ClassificationRuleId\":1626,\"Description\":\"Whitelist all\"},{\"ClassificationRuleId\":1624,\"Description\":\"\"},{\"ClassificationRuleId\":1630,\"Description\":\"\"},{\"ClassificationRuleId\":1638,\"Description\":\"\"},{\"ClassificationRuleId\":1625,\"Description\":\"Only sandbox\"},{\"ClassificationRuleId\":1608,\"Description\":\"\"},{\"ClassificationRuleId\":1627,\"Description\":\"\"},{\"ClassificationRuleId\":1628,\"Description\":\"\"},{\"ClassificationRuleId\":1503,\"Description\":\"Suppress from prob. good\"}],\"MatchedClassificationRules\":[{\"ClassificationRuleId\":1626,\"Description\":\"Whitelist all\"},{\"ClassificationRuleId\":1624,\"Description\":\"\"},{\"ClassificationRuleId\":1630,\"Description\":\"\"},{\"ClassificationRuleId\":1628,\"Description\":\"\"},{\"ClassificationRuleId\":1503,\"Description\":\"Suppress from prob. good\"}],\"Classification\":\"ClassificationGood\",\"ExtWhiteListing\":{\"Hash\":{\"Hash\":\"1DD63EDD445413719BF9A4494BF7028F9BC097F3\",\"HashType\":\"SHA1\"},\"ExtWhiteListing\":{\"Reputation\":\"ReputationGood\",\"Certainty\":70,\"MalwareType\":\"Unknown\",\"FamilyName\":\"Unknown\",\"ThreatName\":\"Unknown\",\"Expiration\":1680964139011},\"CombinedReputation\":\"ReputationGood\",\"AvDetection\":false,\"RLDetails\":{\"RLReputation\":\"ReputationGood\",\"MalwareType\":\"Unknown\",\"FamilyName\":\"Unknown\",\"ThreatName\":\"Unknown\"}},\"IsSuppressed\":true,\"OriginalClassification\":\"ClassificationInconclusive\",\"IsOriginallySuppressed\":false,\"ClassifyCount\":1,\"ForcedClassification\":null,\"ClassificationOriginStackData\":null,\"OriginalClassificationOriginStackData\":null,\"ClassificationChanges\":[{\"ClassificationChangedTo\":\"ClassificationProbablyGood\"},{\"ClassificationChangedTo\":\"ClassificationGood\"},{\"ClassificationChangedTo\":\"ClassificationGood\"},{\"ClassificationChangedTo\":\"ClassificationGood\"},{\"ClassificationChangedTo\":\"ClassificationGood\"},{\"ClassificationChangedTo\":\"ClassificationGood\"},{\"ClassificationChangedTo\":\"ClassificationGood\"},{\"ClassificationChangedTo\":\"ClassificationGood\"},{\"ClassificationChangedTo\":\"ClassificationGood\"}],\"ClassificationRulesMapSecurityLevel\":\"Strict\",\"ReputationSource\":0,\"ShouldHaveBeenSuppressed\":true,\"ReputationSourceExt\":{\"ReputationSource\":\"Key\"},\"OriginalReputationSource\":null,\"PolicyModeWhenAlertWasIssued\":\"Simulation\",\"IsKeySigned\":true,\"IsProcessSigned\":true},{\"updateTime\":1677690207509,\"Rule\":6028523,\"RuleContentId\":\"1034\",\"Process\":\"\\\\Device\\\\HarddiskVolume3\\\\Program Files (x86)\\\\Microsoft Office\\\\Office12\\\\WINWORD.EXE\",\"ProcessScriptModule\":\"\",\"ProcessMountPoint\":\"C:\",\"StackType\":\"ANY\",\"Severity\":\"Critical\",\"Action\":\"Block\",\"KeyCrc\":10775410618625056436,\"ProcessCrc\":15921292732174948245,\"KeyPathCrc\":6216577119925837441,\"ProcessPathCrc\":14107441564881122095,\"KeyScriptCrc\":14641965438258302285,\"ProcessScriptCrc\":0,\"KeyShaCrc\":8612138133733286072,\"ProcessShaCrc\":33893438198029390,\"IsKeyBinary\":false,\"Key\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\SysWOW64\\\\cmd.exe\",\"KeyScriptModule\":\"start\",\"MountPoint\":\"C:\",\"UseBoth\":true,\"UseProcess\":null,\"UseAnyKeyPath\":null,\"UseAnyProcessPath\":null,\"UseProcessScript\":null,\"UseKeyScript\":null,\"KeyVendor\":\"Microsoft Corporation\",\"ProcessVendor\":\"Microsoft Corporation\",\"OS\":\"Windows\",\"KeySha\":\"HdY+3URUE3Gb+aRJS/cCj5vAl/M=\",\"ProcessSha\":\"U0p+qcZ7qz6PLUGXe/Q9Qd/pUc8=\",\"KeyAnalysisFlags\":528384,\"ProcessAnalysisFlags\":4096,\"Is64bit\":false,\"KeyUser\":\"CONTOSO\\\\jsmith\",\"ProcessUser\":\"CONTOSO\\\\jsmith\",\"ParentProcess\":[{\"Executable\":\"\\\\Device\\\\HarddiskVolume3\\\\Program Files (x86)\\\\Microsoft Office\\\\Office12\\\\WINWORD.EXE\",\"ScriptModule\":\"\",\"Sha1Hash\":\"U0p+qcZ7qz6PLUGXe/Q9Qd/pUc8=\",\"Vendor\":\"Microsoft Corporation\",\"User\":\"CONTOSO\\\\jsmith\",\"MountPoint\":\"C:\",\"Flags\":4096,\"Crc\":15921292732174948245,\"PathCrc\":14107441564881122095,\"ScriptCrc\":0,\"ShaCrc\":33893438198029390,\"IsDefault\":true,\"ProcessUniqueId\":646710062,\"HasScript\":null,\"NormalizedProcess\":\"\\\\program files (x86)\\\\microsoft office\\\\office12\\\\winword.exe\"},{\"Executable\":\"\\\\Device\\\\HarddiskVolume3\\\\Program Files (x86)\\\\Microsoft Office\\\\Office12\\\\OUTLOOK.EXE\",\"ScriptModule\":\"\",\"Sha1Hash\":\"MZbXbJ9DIT0cP2RkoLOVx2w+nME=\",\"Vendor\":\"Microsoft Corporation\",\"User\":\"CONTOSO\\\\jsmith\",\"MountPoint\":\"C:\",\"Flags\":4096,\"Crc\":2077644611890710960,\"PathCrc\":14107441564881122095,\"ScriptCrc\":0,\"ShaCrc\":10760257178702904320,\"IsDefault\":false,\"ProcessUniqueId\":-1153902431,\"HasScript\":null,\"NormalizedProcess\":\"\\\\program files (x86)\\\\microsoft office\\\\office12\\\\outlook.exe\"},{\"Executable\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\explorer.exe\",\"ScriptModule\":\"\",\"Sha1Hash\":\"T1TToMHHkhGoIsxYnz60SmJoAuw=\",\"Vendor\":\"Microsoft Corporation\",\"User\":\"CONTOSO\\\\jsmith\",\"MountPoint\":\"C:\",\"Flags\":4096,\"Crc\":15838450176826039015,\"PathCrc\":18306218986367795181,\"ScriptCrc\":0,\"ShaCrc\":4580944508571899698,\"IsDefault\":false,\"ProcessUniqueId\":489124701,\"HasScript\":null,\"NormalizedProcess\":\"\\\\windows\\\\explorer.exe\"},{\"Executable\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\userinit.exe\",\"ScriptModule\":\"\",\"Sha1Hash\":\"bQxq6mvOBRZnYQhbHWElWPgdh3o=\",\"Vendor\":\"Microsoft Corporation\",\"User\":\"CONTOSO\\\\jsmith\",\"MountPoint\":\"\",\"Flags\":4096,\"Crc\":4095042343674201278,\"PathCrc\":16685994471062951977,\"ScriptCrc\":0,\"ShaCrc\":2981564962656008884,\"IsDefault\":false,\"ProcessUniqueId\":-592858562,\"HasScript\":null,\"NormalizedProcess\":\"\\\\windows\\\\system32\\\\userinit.exe\"},{\"Executable\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\winlogon.exe\",\"ScriptModule\":\"\",\"Sha1Hash\":\"aGSEMOQdoSQhXI42vNhcoMFxQwQ=\",\"Vendor\":\"Microsoft Corporation\",\"User\":\"Local System\",\"MountPoint\":\"C:\",\"Flags\":4096,\"Crc\":8834997019021283849,\"PathCrc\":16685994471062951977,\"ScriptCrc\":0,\"ShaCrc\":6039565713202678049,\"IsDefault\":false,\"ProcessUniqueId\":459938923,\"HasScript\":null,\"NormalizedProcess\":\"\\\\windows\\\\system32\\\\winlogon.exe\"},{\"Executable\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\smss.exe\",\"ScriptModule\":\"\",\"Sha1Hash\":\"xDhkDpTNw6ADfUe4IoptqeopOvQ=\",\"Vendor\":\"Microsoft Corporation\",\"User\":\"Local System\",\"MountPoint\":\"\",\"Flags\":16781312,\"Crc\":4578142750318678409,\"PathCrc\":16685994471062951977,\"ScriptCrc\":0,\"ShaCrc\":5649296649232474194,\"IsDefault\":false,\"ProcessUniqueId\":541892424,\"HasScript\":null,\"NormalizedProcess\":\"\\\\windows\\\\system32\\\\smss.exe\"},{\"Executable\":\"SYSTEM\",\"ScriptModule\":\"\",\"Sha1Hash\":\"\",\"Vendor\":\"\",\"User\":\"Local System\",\"MountPoint\":\"C:\",\"Flags\":0,\"Crc\":8860767732138049744,\"PathCrc\":0,\"ScriptCrc\":0,\"ShaCrc\":0,\"IsDefault\":false,\"ProcessUniqueId\":1730069004,\"HasScript\":null,\"NormalizedProcess\":\"system\"}],\"UseParent\":true,\"KeyHasScript\":true,\"ProcessHasScript\":null,\"Policy\":null,\"MitreTags\":null,\"Stacks\":[{\"StackNum\":0},{\"StackNum\":0}],\"WhitelistingReputation\":\"ReputationGood\",\"WhitelistingExpirationTime\":1680964139011,\"Index\":2,\"MainApp\":{\"Executable\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\SysWOW64\\\\cmd.exe\",\"ScriptModule\":\"start\",\"HasScript\":true,\"Sha1Hash\":\"HdY+3URUE3Gb+aRJS/cCj5vAl/M=\",\"Vendor\":\"Microsoft Corporation\",\"Flags\":528384,\"MountPoint\":\"C:\",\"User\":\"CONTOSO\\\\jsmith\",\"Crc\":0,\"PathCrc\":0,\"ScriptCrc\":0,\"ShaCrc\":0,\"MalwareLikelihoodPercent\":0,\"MalwareLikelihoodPercentEffective\":0,\"Src\":\"StackInfo\",\"ExtWhiteListing\":{\"Hash\":{\"Hash\":\"1DD63EDD445413719BF9A4494BF7028F9BC097F3\",\"HashType\":\"SHA1\"},\"ExtWhiteListing\":{\"Reputation\":\"ReputationGood\",\"Certainty\":70,\"MalwareType\":\"Unknown\",\"FamilyName\":\"Unknown\",\"ThreatName\":\"Unknown\",\"Expiration\":1680964139011},\"CombinedReputation\":\"ReputationGood\",\"AvDetection\":false,\"RLDetails\":{\"RLReputation\":\"ReputationGood\",\"MalwareType\":\"Unknown\",\"FamilyName\":\"Unknown\",\"ThreatName\":\"Unknown\"}}},\"ClassificationRules\":[{\"ClassificationRuleId\":1511,\"Description\":\"\"},{\"ClassificationRuleId\":1527,\"Description\":\"\"},{\"ClassificationRuleId\":1515,\"Description\":\"\"},{\"ClassificationRuleId\":1606,\"Description\":\"\"},{\"ClassificationRuleId\":1504,\"Description\":\"Suppress from good\"}],\"MatchedClassificationRules\":[],\"Classification\":\"ClassificationProbablyMalicious\",\"ExtWhiteListing\":{\"Hash\":{\"Hash\":\"1DD63EDD445413719BF9A4494BF7028F9BC097F3\",\"HashType\":\"SHA1\"},\"ExtWhiteListing\":{\"Reputation\":\"ReputationGood\",\"Certainty\":70,\"MalwareType\":\"Unknown\",\"FamilyName\":\"Unknown\",\"ThreatName\":\"Unknown\",\"Expiration\":1680964139011},\"CombinedReputation\":\"ReputationGood\",\"AvDetection\":false,\"RLDetails\":{\"RLReputation\":\"ReputationGood\",\"MalwareType\":\"Unknown\",\"FamilyName\":\"Unknown\",\"ThreatName\":\"Unknown\"}},\"IsSuppressed\":false,\"OriginalClassification\":\"ClassificationInconclusive\",\"IsOriginallySuppressed\":false,\"ClassifyCount\":0,\"ForcedClassification\":true,\"ClassificationOriginStackData\":null,\"OriginalClassificationOriginStackData\":null,\"ClassificationChanges\":[],\"ClassificationRulesMapSecurityLevel\":\"Strict\",\"ReputationSource\":0,\"ShouldHaveBeenSuppressed\":false,\"ReputationSourceExt\":{\"ReputationSource\":\"Key\"},\"OriginalReputationSource\":null,\"PolicyModeWhenAlertWasIssued\":\"Simulation\",\"IsKeySigned\":true,\"IsProcessSigned\":true}],\"EventId\":995320673,\"Version\":11,\"ApplicationOwner\":null,\"FirstSeen\":1677589412000,\"LastSeen\":1677690206000,\"Protocol\":null,\"LocalIp\":null,\"HostName\":\"Win10-Victim\",\"LocalPort\":null,\"RemoteIp\":null,\"RemoteUrl\":null,\"Country\":null,\"Asn\":null,\"RemotePort\":null,\"Count\":11,\"MainProcessId\":4892,\"OperatingSystem\":\"Windows 10 Pro\",\"OS\":\"Windows\",\"OsVersion\":\"2009\",\"GlobalAggregationCrc\":1790532398390621887,\"GlobalShaAggregationCrc\":8661371617719933597,\"Application\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\SysWOW64\\\\cmd.exe\",\"MountPoint\":\"C:\",\"AppScriptModule\":\"start\",\"Is64bit\":false,\"IsSigned\":true,\"AppSha\":\"HdY+3URUE3Gb+aRJS/cCj5vAl/M=\",\"AppVendor\":\"Microsoft Corporation\",\"EventSource\":\"Collector\",\"EventCoreVersion\":\"5.2.0.2426\",\"AutomationData\":{\"exportUrls\": {\"pdflink\": \"test\", \"anotherlink\": \"test\"}, \"comment\": \"Malicious cmd execution originating from Office software has been detected.\", \"comment.localized\": [{\"translation_key\": \"fcs.analysis.cmdline.indicator.cmd.webex4\"}], \"informationBlock\": [{\"image\": \"File\", \"title\": \"File\", \"title.localized\": [{\"translation_key\": \"automation.analysis.file.title\"}], \"items\": [{\"signed\": null, \"title\": \"cmd.exe\", \"link\": \"cmd.exe\", \"image\": \"Signed.svg\", \"values\": [{\"note\": \"\", \"more\": null, \"linker\": \"\", \"value\": \"Safe\", \"key\": \"Sandbox execution\"}, {\"note\": \"\", \"more\": null, \"linker\": \"\", \"value\": \"Inconclusive\", \"key\": \"YARA IOC scan\"}, {\"note\": \"\", \"more\": {\"MD5\": \"844dc165b24fe114978ca2c2e8d30453\", \"AUTHENTIHASH\": \"bf5774a6236293e51b89616b8452d3bf5fa02634a14fdd5485ba38cb588e6ffa\", \"SHA1\": \"1dd63edd445413719bf9a4494bf7028f9bc097f3\", \"SSDEEP\": \"6144:ZeW6Mov7R2skwCYsCMAeqk5wUGMsfiKqnqbtfmem:ZpozRSDoNunHkdXm\", \"VHASH\": \"0250666d155d15156cz570013@z\", \"SHA256\": \"a47311af139d7cd7c8f4c8c29bc5c6df4ff8d592f2728f823a4ca96a7af48723\"}, \"virusTotal\": \"True\", \"linker\": \"\", \"copyable\": \"True\", \"value\": \"1dd63edd445413719bf9a4494bf7028f9bc097f3\", \"key\": \"SHA1\"}, {\"note\": \"Based on: FortiLabs, Reputation, FortiGuard, VirusTotal, ReversingLabs, FortiSandbox, FortiEDR Machine Learning\", \"note.localized\": [{\"translation_key\": \"automation.analysis.network.and.extended.data.ip.reputation.note.based.on\", \"params\": [{\"english\": \"FortiLabs, Reputation, FortiGuard, VirusTotal, ReversingLabs, FortiSandbox, FortiEDR Machine Learning\"}]}], \"more\": null, \"linker\": \"\", \"value\": \"Safe\", \"value.localized\": [{\"translation_key\": \"enum.Classification.ClassificationGood\"}], \"key\": \"Hash reputation\", \"key.localized\": [{\"translation_key\": \"automation.analysis.file.hash.reputation.subtitle\"}]}]}]}, {\"image\": \"Memory\", \"title\": \"Memory\", \"title.localized\": [{\"translation_key\": \"automation.analysis.memory.title\"}], \"items\": []}, {\"image\": \"Network\", \"title\": \"Network & Extended Data\", \"title.localized\": [{\"translation_key\": \"automation.analysis.network.and.extended.data.title\"}], \"items\": []}], \"classificationList\": [{\"image\": \"suspicious\", \"date\": \"02/28/2023 13:03:32\", \"description\": \"Fortinet\", \"title\": \"Suspicious\", \"title.localized\": [{\"translation_key\": \"enum.Classification.ClassificationProbablyMalicious\"}]}, {\"image\": \"malicious\", \"date\": \"03/01/2023 14:51:13\", \"description\": \"FortiCloudServices\", \"title\": \"Malicious\", \"title.localized\": [{\"translation_key\": \"enum.Classification.ClassificationMalicious\"}]}]},\"AggregationEventId\":3150190626634687329,\"AgentVersion\":\"5.2.0.2426\",\"ManagementServerVersion\":\"5.2.1.2800\",\"WhitelistingExpired\":false,\"MoreAddresses\":false,\"EventClassification\":\"ClassificationProbablyMalicious\",\"EventClassificationSourceAlert\":2,\"AppDetails\":{\"Executable\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\SysWOW64\\\\cmd.exe\",\"ScriptModule\":\"start\",\"HasScript\":true,\"Sha1Hash\":\"HdY+3URUE3Gb+aRJS/cCj5vAl/M=\",\"Vendor\":\"Microsoft Corporation\",\"Flags\":528384,\"MountPoint\":\"C:\",\"User\":\"CONTOSO\\\\jsmith\",\"Crc\":0,\"PathCrc\":0,\"ScriptCrc\":0,\"ShaCrc\":0},\"AppSourceAlert\":2,\"ClassifierModelVersion\":2,\"SuppressedAlertCount\":1,\"ContentVersion\":\"7694\",\"EventClassificationOriginStackData\":null,\"EventRLStatuses\":[{\"Hash\":\"1DD63EDD445413719BF9A4494BF7028F9BC097F3\",\"RLResult\":\"ReputationGood\",\"IsAlertGenerated\":false},{\"Hash\":\"4BBABAD3734F98FC3363EB87C37288D7553C1407\",\"RLResult\":\"ReputationKnown\",\"IsAlertGenerated\":false},{\"Hash\":\"534A7EA9C67BAB3E8F2D41977BF43D41DFE951CF\",\"RLResult\":\"ReputationGood\",\"IsAlertGenerated\":false},{\"Hash\":\"18B4AA3688FEE99105F459CA1F417BA77312AE36\",\"RLResult\":\"ReputationKnown\",\"IsAlertGenerated\":false},{\"Hash\":\"B0DAA8DEAB355698AA8A4FAD9F9D375A49DF7726\",\"RLResult\":\"ReputationKnown\",\"IsAlertGenerated\":false},{\"Hash\":\"67D7F22A5C165FEF12A7CDE598AC7FBD16E8C5C5\",\"RLResult\":\"ReputationKnown\",\"IsAlertGenerated\":false},{\"Hash\":\"B47F7AAE50E2E8970783BBA2FE04C8374F291E2D\",\"RLResult\":\"ReputationKnown\",\"IsAlertGenerated\":false},{\"Hash\":\"2A5D9FBC66B4827D06B096129303AA6856246FF7\",\"RLResult\":\"ReputationKnown\",\"IsAlertGenerated\":false},{\"Hash\":\"81214C806DA8BB6AF1CA9AAA0E3BB3BE56D8F258\",\"RLResult\":\"ReputationKnown\",\"IsAlertGenerated\":false},{\"Hash\":\"52AC141AFA1FB3E2F27AA262475F910C4F6FAC19\",\"RLResult\":\"ReputationKnown\",\"IsAlertGenerated\":false},{\"Hash\":\"3196D76C9F43213D1C3F6464A0B395C76C3E9CC1\",\"RLResult\":\"ReputationKnown\",\"IsAlertGenerated\":false},{\"Hash\":\"4F54D3A0C1C79211A822CC589F3EB44A626802EC\",\"RLResult\":\"ReputationKnown\",\"IsAlertGenerated\":false},{\"Hash\":\"6D0C6AEA6BCE05166761085B1D612558F81D877A\",\"RLResult\":\"ReputationGood\",\"IsAlertGenerated\":false},{\"Hash\":\"68648430E41DA124215C8E36BCD85CA0C1714304\",\"RLResult\":\"ReputationKnown\",\"IsAlertGenerated\":false},{\"Hash\":\"C438640E94CDC3A0037D47B8228A6DA9EA293AF4\",\"RLResult\":\"ReputationKnown\",\"IsAlertGenerated\":false}],\"SecurityLevelWhenIssued\":\"Strict\",\"EventClassificationStage\":2,\"ReputationSource\":null,\"ShouldHaveBeenSuppressed\":null,\"EventRlMissing\":[],\"RepPreResolveTimerCount\":0,\"RepPreResWastedTimeMs\":0,\"RepPreResAllowedDelayMs\":null,\"EventWorkerTimeMs\":0,\"WasDeffered\":false,\"LastSentToECS\":1677690207794,\"WasChangedOnDeferrer\":false,\"EventDigest\":null,\"CoreHostName\":null,\"DeferrerChanges\":\"NoChange\",\"ConfigurationVersion\":81993,\"FlowInfoFlags\":0,\"SavedQueryId\":null,\"EdrDetails\":null,\"RemediateDevice\":{\"Processes\":[{\"Pid\":10120,\"Path\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\SysWOW64\\\\cmd.exe\"},{\"Pid\":8420,\"Path\":\"\\\\Device\\\\HarddiskVolume3\\\\Program Files (x86)\\\\Microsoft Office\\\\Office12\\\\WINWORD.EXE\"},{\"Pid\":3352,\"Path\":\"\\\\Device\\\\HarddiskVolume3\\\\Program Files (x86)\\\\Microsoft Office\\\\Office12\\\\OUTLOOK.EXE\"},{\"Pid\":7332,\"Path\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\explorer.exe\"},{\"Pid\":4308,\"Path\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\userinit.exe\"},{\"Pid\":3808,\"Path\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\winlogon.exe\"},{\"Pid\":5396,\"Path\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\smss.exe\"}],\"Executables\":[\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\SysWOW64\\\\cmd.exe\"]},\"CustomerName\":null,\"Exceptions\":null,\"MacAddresses\":null,\"CollectorGroup\":null,\"EventAggId\":null,\"ForensicsChart\":null,\"EventUniqueId\":null,\"IsSuppressedEvent\":false,\"IsEventReportedByDeviceNotSupportingWildcardsOrIpSets\":null,\"Muted\":null,\"MuteEndTime\":null,\"DeviceMetadata\":null,\"Action\":\"SimulationBlock\",\"AgentId\":6088549,\"Organization\":\"latam_cse\",\"OrganizationId\":3326247,\"ManagementDbId\":6385449,\"StackInfos\":null,\"ProcessAggregationCrc\":160509089177992244,\"DeviceAggregationCrc\":4364517353808007215,\"ProcessShaAggregationCrc\":4505292797028512323,\"DeviceShaAggregationCrc\":9813082411017300323,\"IsRepPreResEnabled\":false,\"IsRepPreResolveTimedOut\":false,\"AggregationClassification\":\"ClassificationMalicious\",\"AggregationClassificationSource\":\"ECS\"}", | |
| "ConnectorApiKey": "tywyncmy7r8wrNQ9Gcdwt43Gk1q0js", | |
| "EventId": 6385449, | |
| "EventTime": 1677589412000, | |
| "DeviceName": "Win10-Victim", | |
| "EventProcessName": "cmd.exe", | |
| "DeviceExternalIP": "200.200.200.200", | |
| "ConnectorName": "JOHNC_FGT_QuarantineHost", | |
| "EventProcessPath": "\\Device\\HarddiskVolume3\\Windows\\SysWOW64\\cmd.exe", | |
| "DeviceMAC": [ | |
| "0A-11-E4-11-00-00" | |
| ], | |
| "EventRdiId": 995320673, | |
| "EventProcessHash": "HdY+3URUE3Gb+aRJS/cCj5vAl/M=", | |
| "DeviceInternalIP": "172.31.10.56", | |
| "EventTriggeringPoliciesAndRules": { | |
| "Johnc - Execution Prevention": [ | |
| "Suspicious Script Execution - A script was executed in a suspicious context" | |
| ] | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment