From 360b142fb468cdc2a6e108911046ae22ed984268 Mon Sep 17 00:00:00 2001
From: Yaniv Shasha
Date: Thu, 31 Mar 2022 13:12:42 -0700
Subject: [PATCH] commit
---
Sample Data/CEF/Fortigate.json | 55 +++++
Sample Data/CEF/ZScaler.json | 52 +++++
Sample Data/CEF/ZScaler.json.bak | 52 +++++
Sample Data/SecurityEvent/RiskIQ_scenrio.json | 191 ++++++++++++++++++
.../SecurityEvent/RiskIQ_scenrio.json.bak | 62 ++++++
5 files changed, 412 insertions(+)
create mode 100644 Sample Data/CEF/Fortigate.json
create mode 100644 Sample Data/CEF/ZScaler.json
create mode 100644 Sample Data/CEF/ZScaler.json.bak
create mode 100644 Sample Data/SecurityEvent/RiskIQ_scenrio.json
create mode 100644 Sample Data/SecurityEvent/RiskIQ_scenrio.json.bak
diff --git a/Sample Data/CEF/Fortigate.json b/Sample Data/CEF/Fortigate.json
new file mode 100644
index 00000000000..d3aa8474fc9
--- /dev/null
+++ b/Sample Data/CEF/Fortigate.json
@@ -0,0 +1,55 @@
+[
+ {
+ "TimeGenerated": "3/31/2022, 10:52:35.857 AM",
+ "DeviceVendor": "Fortinet",
+ "DeviceProduct": "Fortigate",
+ "DeviceEventClassID": 28704,
+ "LogSeverity": 2,
+ "Computer": "Contoso-MainFW",
+ "CommunicationDirection": 1,
+ "DestinationPort": 3389,
+ "DestinationIP": "192.168.20.58",
+ "Message": "Remote.Access: RDP,",
+ "Protocol": 6,
+ "SourcePort": 15577,
+ "SourceIP": "213.252.245.73",
+ "RemoteIP": 0,
+ "RemotePort": 3389,
+ "DeviceVersion": "v6.4.7",
+ "Activity": "utm:app-ctrl signature pass",
+ "AdditionalExtensions": "FortinetFortiGateeventtime=1647873918304240923;FortinetFortiGatetz=-0700;FortinetFortiGatelogid=1059028704;cat=utm:app-ctrl;FortinetFortiGatesubtype=app-ctrl;FortinetFortiGateeventtype=signature;FortinetFortiGatelevel=information;FortinetFortiGatevd=root;FortinetFortiGateappid=15511;FortinetFortiGatesrcintfrole=wan;FortinetFortiGatedstintfrole=lan;FortinetFortiGatepolicyid=3;FortinetFortiGateapplist=default;FortinetFortiGateaction=pass;FortinetFortiGateappcat=Remote.Access;FortinetFortiGateapp=RDP;FortinetFortiGateincidentserialno=212209995;FortinetFortiGateapprisk=high",
+ "ApplicationProtocol": "RDP",
+ "DeviceExternalID": "FGVM4VTM21000724",
+ "DeviceInboundInterface": "port1",
+ "DeviceOutboundInterface": "port2",
+ "ExternalID": 14430578,
+ "Type": "CommonSecurityLog"
+ },
+ {
+ "TimeGenerated": "3/31/2022, 10:52:35.857 AM",
+ "DeviceVendor": "Fortinet",
+ "DeviceProduct": "Fortigate",
+ "DeviceEventClassID": 28704,
+ "LogSeverity": 2,
+ "Computer": "Contoso-MainFW",
+ "CommunicationDirection": 1,
+ "DestinationPort": 3389,
+ "DestinationIP": "192.168.20.44",
+ "Message": "Remote.Access: RDP,",
+ "Protocol": 6,
+ "SourcePort": 15577,
+ "SourceIP": "104.168.141.190",
+ "RemoteIP": 0,
+ "RemotePort": 3389,
+ "DeviceVersion": "v6.4.7",
+ "Activity": "utm:app-ctrl signature pass",
+ "AdditionalExtensions": "FortinetFortiGateeventtime=1647873918304240923;FortinetFortiGatetz=-0700;FortinetFortiGatelogid=1059028704;cat=utm:app-ctrl;FortinetFortiGatesubtype=app-ctrl;FortinetFortiGateeventtype=signature;FortinetFortiGatelevel=information;FortinetFortiGatevd=root;FortinetFortiGateappid=15511;FortinetFortiGatesrcintfrole=wan;FortinetFortiGatedstintfrole=lan;FortinetFortiGatepolicyid=3;FortinetFortiGateapplist=default;FortinetFortiGateaction=pass;FortinetFortiGateappcat=Remote.Access;FortinetFortiGateapp=RDP;FortinetFortiGateincidentserialno=212209995;FortinetFortiGateapprisk=high",
+ "ApplicationProtocol": "RDP",
+ "DeviceExternalID": "FGVM4VTM21000724",
+ "DeviceInboundInterface": "port1",
+ "DeviceOutboundInterface": "port2",
+ "ExternalID": 14430578,
+ "Type": "CommonSecurityLog",
+ "_ResourceId": "/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de0176f/resourcegroups/soc-fortinet/providers/microsoft.compute/virtualmachines/soc-fw-cef"
+ }
+]
\ No newline at end of file
diff --git a/Sample Data/CEF/ZScaler.json b/Sample Data/CEF/ZScaler.json
new file mode 100644
index 00000000000..e018f47bf56
--- /dev/null
+++ b/Sample Data/CEF/ZScaler.json
@@ -0,0 +1,52 @@
+[
+ {
+ "TimeGenerated": "3/30/2022, 10:52:35.857 AM",
+ "DeviceVendor": "Fortinet",
+ "DeviceProduct": "Fortigate",
+ "DeviceEventClassID": 28704,
+ "LogSeverity": 2,
+ "Computer": "Contoso-MainFW",
+ "CommunicationDirection": 1,
+ "DestinationPort": 3389,
+ "DestinationIP": "192.168.20.58",
+ "Message": "Remote.Access: RDP,",
+ "Protocol": 6,
+ "SourcePort": 15577,
+ "SourceIP": "213.252.245.73",
+ "RemoteIP": 0,
+ "RemotePort": 3389,
+ "DeviceVersion": "v6.4.7",
+ "Activity": "utm:app-ctrl signature pass",
+ "AdditionalExtensions": "FortinetFortiGateeventtime=1647873918304240923;FortinetFortiGatetz=-0700;FortinetFortiGatelogid=1059028704;cat=utm:app-ctrl;FortinetFortiGatesubtype=app-ctrl;FortinetFortiGateeventtype=signature;FortinetFortiGatelevel=information;FortinetFortiGatevd=root;FortinetFortiGateappid=15511;FortinetFortiGatesrcintfrole=wan;FortinetFortiGatedstintfrole=lan;FortinetFortiGatepolicyid=3;FortinetFortiGateapplist=default;FortinetFortiGateaction=pass;FortinetFortiGateappcat=Remote.Access;FortinetFortiGateapp=RDP;FortinetFortiGateincidentserialno=212209995;FortinetFortiGateapprisk=high",
+ "ApplicationProtocol": "RDP",
+ "DeviceExternalID": "FGVM4VTM21000724",
+ "DeviceInboundInterface": "port1",
+ "DeviceOutboundInterface": "port2",
+ "ExternalID": 14430578,
+ "Type": "CommonSecurityLog"
+ },
+ {
+ "TimeGenerated": "3/31/2022, 08:18:20.276 AM",
+ "DeviceVendor": "Zscaler",
+ "DeviceProduct": "NSSWeblog",
+ "DeviceEventClassID": "Allowed",
+ "LogSeverity": 3,
+ "DeviceAction": "Allowed",
+ "SimplifiedDeviceAction": "Allowed",
+ "Computer": "zscaler-nss-Contoso",
+ "CommunicationDirection": 1,
+ "DestinationIP": "108.167.132.213",
+ "SourceIP": "192.168.20.44",
+ "DeviceVersion": 5.7,
+ "Activity": "Allowed",
+ "AdditionalExtensions": "reason=Allowed;outcome=200;cat=Internet Services;rulelabel=None;ruletype=None;urlclass=Business Use;devicemodel=Virtual Machine",
+ "ApplicationProtocol": "HTTP",
+ "DestinationServiceName": "General Browsing",
+ "DestinationDnsDomain": "dayvidmarketingdireto.com.br",
+ "FileType": "None",
+ "ReceivedBytes": 550,
+ "SentBytes": 307,
+ "RequestURL": "http://dayvidmarketingdireto.com.br/shii/office-RD117/",
+ "SourceUserName": "benjamin@contoso.com"
+ }
+]
\ No newline at end of file
diff --git a/Sample Data/CEF/ZScaler.json.bak b/Sample Data/CEF/ZScaler.json.bak
new file mode 100644
index 00000000000..d069a5a73e8
--- /dev/null
+++ b/Sample Data/CEF/ZScaler.json.bak
@@ -0,0 +1,52 @@
+[
+ {
+ "TimeGenerated": "3/30/2022, 10:52:35.857 AM",
+ "DeviceVendor": "Fortinet",
+ "DeviceProduct": "Fortigate",
+ "DeviceEventClassID": 28704,
+ "LogSeverity": 2,
+ "Computer": "Contoso-MainFW",
+ "CommunicationDirection": 1,
+ "DestinationPort": 3389,
+ "DestinationIP": "192.168.20.58",
+ "Message": "Remote.Access: RDP,",
+ "Protocol": 6,
+ "SourcePort": 15577,
+ "SourceIP": "213.252.245.73",
+ "RemoteIP": 0,
+ "RemotePort": 3389,
+ "DeviceVersion": "v6.4.7",
+ "Activity": "utm:app-ctrl signature pass",
+ "AdditionalExtensions": "FortinetFortiGateeventtime=1647873918304240923;FortinetFortiGatetz=-0700;FortinetFortiGatelogid=1059028704;cat=utm:app-ctrl;FortinetFortiGatesubtype=app-ctrl;FortinetFortiGateeventtype=signature;FortinetFortiGatelevel=information;FortinetFortiGatevd=root;FortinetFortiGateappid=15511;FortinetFortiGatesrcintfrole=wan;FortinetFortiGatedstintfrole=lan;FortinetFortiGatepolicyid=3;FortinetFortiGateapplist=default;FortinetFortiGateaction=pass;FortinetFortiGateappcat=Remote.Access;FortinetFortiGateapp=RDP;FortinetFortiGateincidentserialno=212209995;FortinetFortiGateapprisk=high",
+ "ApplicationProtocol": "RDP",
+ "DeviceExternalID": "FGVM4VTM21000724",
+ "DeviceInboundInterface": "port1",
+ "DeviceOutboundInterface": "port2",
+ "ExternalID": 14430578,
+ "Type": "CommonSecurityLog",
+ },
+ {
+ "TimeGenerated": "3/31/2022, 08:18:20.276 AM",
+ "DeviceVendor": "Zscaler",
+ "DeviceProduct": "NSSWeblog",
+ "DeviceEventClassID": "Allowed",
+ "LogSeverity": 3,
+ "DeviceAction": "Allowed",
+ "SimplifiedDeviceAction": "Allowed",
+ "Computer": "zscaler-nss-Contoso",
+ "CommunicationDirection": 1,
+ "DestinationIP": "108.167.132.213",
+ "SourceIP": "192.168.20.44",
+ "DeviceVersion": 5.7,
+ "Activity": "Allowed",
+ "AdditionalExtensions": "reason=Allowed;outcome=200;cat=Internet Services;rulelabel=None;ruletype=None;urlclass=Business Use;devicemodel=Virtual Machine",
+ "ApplicationProtocol": "HTTP",
+ "DestinationServiceName": "General Browsing",
+ "DestinationDnsDomain": "dayvidmarketingdireto.com.br",
+ "FileType": "None",
+ "ReceivedBytes": 550,
+ "SentBytes": 307,
+ "RequestURL": "http://dayvidmarketingdireto.com.br/shii/office-RD117/",
+ "SourceUserName": "benjamin@contoso.com"
+ }
+]
\ No newline at end of file
diff --git a/Sample Data/SecurityEvent/RiskIQ_scenrio.json b/Sample Data/SecurityEvent/RiskIQ_scenrio.json
new file mode 100644
index 00000000000..12f3154dbf9
--- /dev/null
+++ b/Sample Data/SecurityEvent/RiskIQ_scenrio.json
@@ -0,0 +1,191 @@
+[
+ {
+ "TimeGenerated": "3/31/2022, 10:51:35.857 AM",
+ "Account": "contoso\\benjamin",
+ "AccountType": "User",
+ "Computer": "benjamin-pc",
+ "EventSourceName": "Microsoft-Windows-Security-Auditing",
+ "Channel": "Security",
+ "Task": 1,
+ "Level": 0,
+ "EventData": "",
+ "EventID": 4624,
+ "Activity": "4624 - An account was successfully logged on.",
+ "SourceComputerId": "4f09bae2-4803-4aa4-8b80-0e2ea66218d2",
+ "EventOriginId": "4f09bae2-4803-4aa4-8b80-0e2ea66218d3",
+ "ManagementGroupName": "AOI-8ecf8077-cf51-4820-aadd-14040956f35d",
+ "AccessList": "",
+ "AccessMask": "",
+ "AccessReason": "",
+ "AuthenticationLevel": "",
+ "AuthenticationPackageName": "NTLM",
+ "ElevatedToken": "%%1842",
+ "ImpersonationLevel": "%%1833",
+ "IpAddress": "104.168.141.190",
+ "IpPort": 0,
+ "KeyLength": 128,
+ "LmPackageName": "NTLM V2",
+ "LogonGuid": "00000000-0000-0000-0000-000000000000",
+ "LogonHours": "",
+ "LogonID": "",
+ "LogonProcessName": "NtLmSsp",
+ "LogonType": 3,
+ "LogonTypeName": "3 - Network",
+ "Process": "-",
+ "ProcessId": "0x0",
+ "ProcessName": "-",
+ "SubjectAccount": "-\\-",
+ "SubjectDomainName": "-",
+ "SubjectLogonId": "0x0",
+ "SubjectUserName": "-",
+ "SubjectUserSid": "S-1-0-0",
+ "TargetAccount": "contoso\\benjamin",
+ "TargetDomainName": "contoso",
+ "TargetInfo": "",
+ "TargetLinkedLogonId": "0x0",
+ "TargetLogonGuid": "",
+ "TargetLogonId": "0xb627c",
+ "TargetOutboundDomainName": "-",
+ "TargetOutboundUserName": "-",
+ "TargetUserName": "benjamin",
+ "TargetUserSid": "S-1-5-21-2769934187-2433420870-601450644-3108",
+ "TemplateContent": "",
+ "TemplateDSObjectFQDN": "",
+ "TemplateInternalName": "",
+ "TemplateOID": "",
+ "TransmittedServices": "-",
+ "VirtualAccount": "%%1843",
+ "WorkstationName": "benjamin-pc",
+ "PartitionKey": ""
+ },
+ {
+ "TimeGenerated": "3/31/2022, 14:51:35.857 PM",
+ "Account": "contoso\\benjamin",
+ "AccountType": "User",
+ "Computer": "benjamin-pc",
+ "EventSourceName": "Microsoft-Windows-Security-Auditing",
+ "Channel": "Security",
+ "Task": 13312,
+ "Level": 8,
+ "EventID": 4688,
+ "Activity": "4688 - A new process has been created.",
+ "EventOriginId": "69324c1a-22a9-43b9-afde-b582e4ef00d5",
+ "ManagementGroupName": "AOI-8ecf8077-cf51-4820-aadd-14040956f35d",
+ "CommandLine": "sekurlsa::pth /user:Administrateur //domain:contoso//ntlm:f193d757b4d487ab7e5a3743f038f713 //run:cmd",
+ "MandatoryLabel": "S-1-16-8192",
+ "NewProcessId": "0x14cc",
+ "NewProcessName": "C:\\tools\\mimikatz_trunk\\x64\\mimikatz.exe",
+ "ParentProcessName": "C:\\Windows\\System32\\cmd.exe",
+ "Process": "mimikatz.exe",
+ "ProcessId": "0x1a50",
+ "SubjectAccount": "contoso\\benjamin",
+ "SubjectDomainName": "contoso",
+ "SubjectLogonId": "0xc4eda",
+ "SubjectUserName": "benjamin",
+ "SubjectUserSid": "S-1-5-21-2769934187-2433420870-601450555-3108",
+ "SubStatus": "",
+ "TableId": "",
+ "TargetAccount": "-\\-",
+ "TargetDomainName": "-",
+ "TargetLogonId": "0x0",
+ "TargetUserName": "-",
+ "TargetUserSid": "S-1-5-21-2769934187-2433420870-601450555-3108",
+ "TokenElevationType": "%%1938",
+ "Type": "SecurityEvent"
+ },
+ {
+ "TimeGenerated": "3/31/2022, 10:51:35.857 AM",
+ "Account": "contoso\\kdickens",
+ "AccountType": "User",
+ "Computer": "karla-pc",
+ "EventSourceName": "Microsoft-Windows-Security-Auditing",
+ "Channel": "Security",
+ "Task": 1,
+ "Level": 0,
+ "EventData": "",
+ "EventID": 4624,
+ "Activity": "4624 - An account was successfully logged on.",
+ "SourceComputerId": "4f09bae2-4803-4aa4-8b80-0e2ea66218d2",
+ "EventOriginId": "4f09bae2-4803-4aa4-8b80-0e2ea66218d3",
+ "ManagementGroupName": "AOI-8ecf8077-cf51-4820-aadd-14040956f35d",
+ "AccessList": "",
+ "AccessMask": "",
+ "AccessReason": "",
+ "AuthenticationLevel": "",
+ "AuthenticationPackageName": "NTLM",
+ "ElevatedToken": "%%1842",
+ "ImpersonationLevel": "%%1833",
+ "IpAddress": "213.252.245.73",
+ "IpPort": 0,
+ "KeyLength": 128,
+ "LmPackageName": "NTLM V2",
+ "LogonGuid": "00000000-0000-0000-0000-000000000000",
+ "LogonHours": "",
+ "LogonID": "",
+ "LogonProcessName": "NtLmSsp",
+ "LogonType": 3,
+ "LogonTypeName": "3 - Network",
+ "Process": "-",
+ "ProcessId": "0x0",
+ "ProcessName": "-",
+ "SubjectAccount": "-\\-",
+ "SubjectDomainName": "-",
+ "SubjectLogonId": "0x0",
+ "SubjectUserName": "-",
+ "SubjectUserSid": "S-1-0-0",
+ "TargetAccount": "contoso\\kdickens",
+ "TargetDomainName": "contoso",
+ "TargetInfo": "",
+ "TargetLinkedLogonId": "0x0",
+ "TargetLogonGuid": "",
+ "TargetLogonId": "0xb627c",
+ "TargetOutboundDomainName": "-",
+ "TargetOutboundUserName": "-",
+ "TargetUserName": "kdickens",
+ "TargetUserSid": "S-1-5-21-2769934187-2433420870-601450644-3108",
+ "TemplateContent": "",
+ "TemplateDSObjectFQDN": "",
+ "TemplateInternalName": "",
+ "TemplateOID": "",
+ "TransmittedServices": "-",
+ "VirtualAccount": "%%1843",
+ "WorkstationName": "karla-pc",
+ "PartitionKey": ""
+ },
+ {
+ "TimeGenerated": "3/31/2022, 14:51:35.857 PM",
+ "Account": "contoso\\kdickens",
+ "AccountType": "User",
+ "Computer": "karla-pc",
+ "EventSourceName": "Microsoft-Windows-Security-Auditing",
+ "Channel": "Security",
+ "Task": 13312,
+ "Level": 8,
+ "EventID": 4688,
+ "Activity": "4688 - A new process has been created.",
+ "EventOriginId": "69324c1a-22a9-43b9-afde-b582e4ef00d5",
+ "ManagementGroupName": "AOI-8ecf8077-cf51-4820-aadd-14040956f35d",
+ "CommandLine": "nmap -T4 -A -v -oX c:\\users\\kdickens\\appdata\\local\\temp\\zenmap-qvrzjk.xml 192.168.50.22",
+ "MandatoryLabel": "S-1-16-8192",
+ "NewProcessId": "0x14cc",
+ "NewProcessName": "C:\\Program Files (x86)\\Nmap\\nmap.exe",
+ "ParentProcessName": "C:\\Program Files (x86)\\Nmap\\zenmap.exe",
+ "Process": "nmap.exe",
+ "ProcessId": "0x1a50",
+ "SubjectAccount": "contoso\\kdickens",
+ "SubjectDomainName": "contoso",
+ "SubjectLogonId": "0xc4eda",
+ "SubjectUserName": "kdickens",
+ "SubjectUserSid": "S-1-5-21-2769934187-2433420870-601450644-3108",
+ "SubStatus": "",
+ "TableId": "",
+ "TargetAccount": "-\\-",
+ "TargetDomainName": "-",
+ "TargetLogonId": "0x0",
+ "TargetUserName": "-",
+ "TargetUserSid": "S-1-5-21-2769934187-2433420870-601450644-3108",
+ "TokenElevationType": "%%1938",
+ "Type": "SecurityEvent"
+ }
+]
+
diff --git a/Sample Data/SecurityEvent/RiskIQ_scenrio.json.bak b/Sample Data/SecurityEvent/RiskIQ_scenrio.json.bak
new file mode 100644
index 00000000000..e3be02b8b35
--- /dev/null
+++ b/Sample Data/SecurityEvent/RiskIQ_scenrio.json.bak
@@ -0,0 +1,62 @@
+[
+ {
+ "TimeGenerated": "3/31/2022, 10:51:35.857 AM",
+ "Account": "contoso\\benjamin",
+ "AccountType": "User",
+ "Computer": "benjamin-pc",
+ "EventSourceName": "Microsoft-Windows-Security-Auditing",
+ "Channel": "Security",
+ "Task": 1,
+ "Level": 0,
+ "EventData": "",
+ "EventID": 4624,
+ "Activity": "4624 - An account was successfully logged on.",
+ "SourceComputerId": "4f09bae2-4803-4aa4-8b80-0e2ea66218d2",
+ "EventOriginId": "4f09bae2-4803-4aa4-8b80-0e2ea66218d3",
+ "ManagementGroupName": "AOI-8ecf8077-cf51-4820-aadd-14040956f35d",
+ "AccessList": "",
+ "AccessMask": "",
+ "AccessReason": "",
+ "AuthenticationLevel": "",
+ "AuthenticationPackageName": "NTLM",
+ "ElevatedToken": "%%1842",
+ "ImpersonationLevel": "%%1833",
+ "IpAddress": "104.168.141.190",
+ "IpPort": 0,
+ "KeyLength": 128,
+ "LmPackageName": "NTLM V2",
+ "LogonGuid": "00000000-0000-0000-0000-000000000000",
+ "LogonHours": "",
+ "LogonID": "",
+ "LogonProcessName": "NtLmSsp",
+ "LogonType": 3,
+ "LogonTypeName": "3 - Network",
+ "Process": "-",
+ "ProcessId": "0x0",
+ "ProcessName": "-",
+ "SubjectAccount": "-\\-",
+ "SubjectDomainName": "-",
+ "SubjectLogonId": "0x0",
+ "SubjectUserName": "-",
+ "SubjectUserSid": "S-1-0-0",
+ "TargetAccount": "contoso\\benjamin",
+ "TargetDomainName": "contoso",
+ "TargetInfo": "",
+ "TargetLinkedLogonId": "0x0",
+ "TargetLogonGuid": "",
+ "TargetLogonId": "0xb627c",
+ "TargetOutboundDomainName": "-",
+ "TargetOutboundUserName": "-",
+ "TargetUserName": "benjamin",
+ "TargetUserSid": "S-1-5-21-2769934187-2433420870-601450644-3108",
+ "TemplateContent": "",
+ "TemplateDSObjectFQDN": "",
+ "TemplateInternalName": "",
+ "TemplateOID": "",
+ "TransmittedServices": "-",
+ "VirtualAccount": "%%1843",
+ "WorkstationName": "benjamin-pc",
+ "PartitionKey": ""
+ }
+]
+