Keren Tseytlin created METRON-327:
-------------------------------------

             Summary: Create Cylance Parser
                 Key: METRON-327
                 URL: https://issues.apache.org/jira/browse/METRON-327
             Project: Metron
          Issue Type: New Feature
            Reporter: Keren Tseytlin
            Priority: Minor


Create a parser for Cylance logs. 

Sample Cylance Device log line: 
<116>Jul 8 17:48:40 sysloghost CylancePROTECT Event Type: Device, Event Name: SystemSecurity, Device Name: a0999b134871, Agent Version: 1.2.1350.541, IP Address: (291.390.9.143), MAC Address: (A9987B134871, CE9F7E54EAA1), Logged On Users: (harrypotter), OS: MAC OS X El Capitan 10.11.5 x64 10.11.5#015

Data after parsing: 
{code:json}
{
        "source:type": "cylance",
        "priority": "116",
        "timestamp": "July 8th 2016, 17:48:40",
        "hostname": "sysloghost",
        "process": "CylancePROTECT",
        "event_type": "Device",
        "event_name": "SystemSecurity",
        "device_name": "a0999b134871",
        "agent_version": "1.2.1350.541",
        "ip_addresses": "291.390.9.143",
        "mac_addresses": "A9987B134871, CE9F7E54EAA1",
        "users": "harrypotter",
        "operating_system": "MAC OS X El Capitan 10.11.5 x64 10.11.5"
}
{code}

Sample Cylance ThreatClassification log line: 
<116>Jul 8 17:47:42 sysloghost CylancePROTECT Event Type: ThreatClassification, Event Name: ResearchSaved, Threat Class: PUP, Threat Subclass: Adware, SHA256: E6D8C4F1484BB5T2G89PR9EC91048F4DE533DC3CB37C13021077DD8C564C81F9, MD5: 689A96F71161190A819X0X9D7341I9B#015

Data after parsing: 
{code:json}
{
        "source:type": "cylance",
        "priority": "116",
        "timestamp": "July 8th 2016 17:47:42",
        "hostname": "sysloghost",
        "process": "CylancePROTECT",
        "event_type": "ThreatClassification",
        "event_name": "ResearchSaved",
        "threat_class": "PUP",
        "threat_subclass": "Adware",
        "sha256": "E6D8C4F1484BB5T2G89PR9EC91048F4DE533DC3CB37C13021077DD8C564C81F9",
        "md5": "689A96F71161190A819X0X9D7341I9B"
}
{code}

Sample Cylance Threat log line: 
<116>Jul 8 17:50:30 sysloghost CylancePROTECT Event Type: Threat, Event Name: corrupt_found, Device Name: DEP5CG6987D2F, IP Address: (222.765.9.8, 2600:1003:b02c:f691:7c70:e3d0:1303:ff9c, 2600:1003:b02c:f691:80f4:59ba:8412:2648, 234.19.56.109), File Name: olivanders, Path: c:\program files (x86)\chamberofsecrets\net wand provider for harry\15.00\help\, Drive Type: None, SHA256: AD123456F9B97E4EEAEF987654143FEFAB39106B707857C48PB085B8AD6E90E6, MD5: , Status: Corrupt, Cylance Score: 0, Found Date: 7/8/2016 5:50:30 PM, File Type: Executable, Is Running: False, Auto Run: False, Detected By: FileWatcher#015

Data after parsing: 
{code:json}
{
        "source:type": "cylance",
        "priority": "116",
        "timestamp": "July 8th 2016, 17:50:30",
        "hostname": "sysloghost",
        "process": "CylancePROTECT",
        "event_type": "Threat",
        "event_name": "corrupt_found",
        "device_name": "DEP5CG6987D2F",
        "ip_addresses": "222.765.9.8, 2600:1003:b02c:f691:7c70:e3d0:1303:ff9c, 2600:1003:b02c:f691:80f4:59ba:8412:2648, 234.19.56.109",
        "file_name": "olivanders",
        "path": "c:\program files (x86)\chamberofsecrets\net wand provider for harry\15.00\help\",
        "drive_type": "None",
        "sha256": "AD123456F9B97E4EEAEF987654143FEFAB39106B707857C48PB085B8AD6E90E6",
        "status": "Corrupt",
        "cylance_score": "0",
        "found_date": "7/8/2016 5:50:30 PM",
        "file_type": "Executable",
        "is_running": "False",
        "auto_run": "False",
        "detected_by": "FileWatcher"
}
{code}

Sample Cylance Repeated log line: 
<116>Jul 8 17:47:22 sysloghost CylancePROTECT message repeated 2 times: [Event Type: ThreatClassification, Event Name: ResearchSaved, Threat Class: PUP, Threat Subclass: Adware, SHA256: E6D8C4F1234BB3F1B25FA9EC91048F4DE098DC3CB37C13021077DD8C765C81F9, MD5: 689A96F71098726A8193D8P0X8341E6B #015]

Data after parsing: 
{code:json}
{
        "priority": "116",
        "timestamp": "July 8th 2016 17:47:22",
        "hostname": "sysloghost",
        "process": "CylancePROTECT",
        "repeat_count": "2",
        "event_type": "ThreatClassification",
        "event_name": "ResearchSaved",
        "threat_class": "PUP",
        "threat_subclass": "Adware",
        "sha256": "E6D8C4F1234BB3F1B25FA9EC91048F4DE098DC3CB37C13021077DD8C765C81F9",
        "md5": "689A96F71098726A8193D8P0X8341E6B"
}
{code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
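The four samples in the ticket imply one set of parsing rules: an RFC3164-style syslog header (`<PRI>Mon D HH:MM:SS host process`), an optional `message repeated N times: [...]` wrapper from which the repeat count is lifted, comma-separated `Key: Value` pairs in which a parenthesised value (the IP, MAC and logged-on-user lists) may itself contain commas, empty values such as `MD5: ,` dropped from the output, and a trailing `#015` (the collector's rendering of the carriage return Cylance sends) stripped. The stand-alone Python parser below applies those rules to the ticket's own sample lines. It is an added example, not Metron's Java parser and not Cylance's code. Two things in it are assumptions: the `year` argument, because the syslog header carries no year and the caller should supply one rather than have the parser guess, and the `malformed_hashes` check, added because the SHA256 and MD5 values in the samples are obfuscated (non-hex letters, wrong lengths) and a real feed deserves the same check before its hashes are used for enrichment or threat-intel lookups.

```python
"""Stand-alone reference parser for the CylancePROTECT syslog lines in METRON-327.

Added example, not Metron's Java parser. `year` is supplied by the caller
(an assumption of this example) because the RFC3164-style header has no year.
"""
import json
import re
from datetime import datetime
from typing import Dict, List

# <PRI>Mon D HH:MM:SS host process body
_HEADER = re.compile(
    r"^<(?P<priority>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<process>\S+) (?P<body>.*)$"
)
# syslog collapses duplicates into "message repeated N times: [ ... ]"
_REPEATED = re.compile(r"^message repeated (?P<count>\d+) times: \[(?P<body>.*)\]$")
# One "Key: Value" pair. A parenthesised value (IP/MAC/user lists) may contain
# commas and runs to the closing parenthesis; any other value runs to ", " or end.
_PAIR = re.compile(
    r"(?P<key>[A-Za-z][A-Za-z0-9 ]*?): "
    r"(?:\((?P<paren>[^)]*)\)|(?P<plain>[^,]*))"
    r"(?:, |$)"
)
# "#015" is how the collector rendered the trailing carriage return (octal 015).
_TRAILING_CR = re.compile(r"\s*#015(?=\]?$)")
# Output names the ticket uses where lowercase/underscore does not produce them.
_KEY_MAP = {"IP Address": "ip_addresses", "MAC Address": "mac_addresses",
            "Logged On Users": "users", "OS": "operating_system"}
_HASH_LENGTHS = {"sha256": 64, "md5": 32}
_HEX = re.compile(r"^[0-9A-Fa-f]+$")


def _split_pairs(body: str) -> Dict[str, str]:
    """Tokenise the body left to right; never silently skip bytes it cannot parse."""
    fields: Dict[str, str] = {}
    pos = 0
    while pos < len(body):
        m = _PAIR.match(body, pos)
        if m is None:
            raise ValueError(f"unparseable field at offset {pos}: {body[pos:pos + 40]!r}")
        raw_key = m.group("key")
        key = _KEY_MAP.get(raw_key, raw_key.lower().replace(" ", "_"))
        value = m.group("paren") if m.group("paren") is not None else m.group("plain")
        value = value.strip()
        if value:  # "MD5: ," in the Threat sample yields no md5 field, as the ticket shows
            fields[key] = value
        pos = m.end()
    return fields


def parse_line(line: str, year: int) -> Dict[str, str]:
    """Parse one CylancePROTECT syslog line into the flat dict the ticket describes."""
    line = _TRAILING_CR.sub("", line.rstrip("\r\n"))
    hdr = _HEADER.match(line)
    if hdr is None:
        raise ValueError("not a CylancePROTECT syslog line")
    ts = datetime.strptime(f"{year} {hdr.group('ts')}", "%Y %b %d %H:%M:%S")
    event = {
        "source:type": "cylance",
        "priority": hdr.group("priority"),
        "timestamp": ts.isoformat(),  # year is the caller's assumption, see docstring
        "hostname": hdr.group("hostname"),
        "process": hdr.group("process"),
    }
    body = hdr.group("body")
    rep = _REPEATED.match(body)
    if rep is not None:
        event["repeat_count"] = rep.group("count")
        body = rep.group("body")
    event.update(_split_pairs(body))
    return event


def malformed_hashes(event: Dict[str, str]) -> List[str]:
    """Hash fields that are not the expected length or not hex (added check).

    Run before using sha256/md5 for enrichment or threat-intel lookups; the
    ticket's obfuscated samples mostly fail it, which is the point.
    """
    return [k for k, n in _HASH_LENGTHS.items()
            if k in event and not (len(event[k]) == n and _HEX.match(event[k]))]


# Constructed input: the ticket's four sample lines, each joined back onto one line.
SAMPLE_LINES = [
    r"<116>Jul 8 17:48:40 sysloghost CylancePROTECT Event Type: Device, Event Name: SystemSecurity, "
    r"Device Name: a0999b134871, Agent Version: 1.2.1350.541, IP Address: (291.390.9.143), "
    r"MAC Address: (A9987B134871, CE9F7E54EAA1), Logged On Users: (harrypotter), "
    r"OS: MAC OS X El Capitan 10.11.5 x64 10.11.5#015",
    r"<116>Jul 8 17:47:42 sysloghost CylancePROTECT Event Type: ThreatClassification, "
    r"Event Name: ResearchSaved, Threat Class: PUP, Threat Subclass: Adware, "
    r"SHA256: E6D8C4F1484BB5T2G89PR9EC91048F4DE533DC3CB37C13021077DD8C564C81F9, "
    r"MD5: 689A96F71161190A819X0X9D7341I9B#015",
    r"<116>Jul 8 17:50:30 sysloghost CylancePROTECT Event Type: Threat, Event Name: corrupt_found, "
    r"Device Name: DEP5CG6987D2F, IP Address: (222.765.9.8, 2600:1003:b02c:f691:7c70:e3d0:1303:ff9c, "
    r"2600:1003:b02c:f691:80f4:59ba:8412:2648, 234.19.56.109), File Name: olivanders, "
    r"Path: c:\program files (x86)\chamberofsecrets\net wand provider for harry\15.00\help\, "
    r"Drive Type: None, SHA256: AD123456F9B97E4EEAEF987654143FEFAB39106B707857C48PB085B8AD6E90E6, "
    r"MD5: , Status: Corrupt, Cylance Score: 0, Found Date: 7/8/2016 5:50:30 PM, "
    r"File Type: Executable, Is Running: False, Auto Run: False, Detected By: FileWatcher#015",
    r"<116>Jul 8 17:47:22 sysloghost CylancePROTECT message repeated 2 times: [Event Type: ThreatClassification, "
    r"Event Name: ResearchSaved, Threat Class: PUP, Threat Subclass: Adware, "
    r"SHA256: E6D8C4F1234BB3F1B25FA9EC91048F4DE098DC3CB37C13021077DD8C765C81F9, "
    r"MD5: 689A96F71098726A8193D8P0X8341E6B #015]",
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        ev = parse_line(raw, year=2016)
        print(json.dumps(ev, indent=2))
        if malformed_hashes(ev):
            print("WARNING: malformed hash field(s):", malformed_hashes(ev))
```

Values are kept as the single strings the ticket shows (the IP and MAC lists are not split), so the output matches the expected JSON apart from the timestamp, which is emitted as ISO 8601 with the supplied year instead of the "July 8th 2016" form. The tokenizer raises on anything it cannot match rather than skipping it, so a truncated or hostile line surfaces as a parse error instead of as a partially populated event; in Metron that is the behaviour you want so the message lands in the error topic rather than in the index with fields missing.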