[ https://issues.apache.org/jira/browse/METRON-327?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Keren Tseytlin updated METRON-327:
----------------------------------
Description:
Create a parser for Cylance logs.
Sample Cylance Device log line:
<116>Jul 8 17:48:40 sysloghost CylancePROTECT Event Type: Device, Event Name: SystemSecurity, Device Name: a0999b134871, Agent Version: 1.2.1350.541, IP Address: (291.390.9.143), MAC Address: (A9987B134871, CE9F7E54EAA1), Logged On Users: (harrypotter), OS: MAC OS X El Capitan 10.11.5 x64 10.11.5#015
Data after parsing:
{code:none}
{
"source:type": "cylance",
"priority": "116",
"timestamp": "July 8th 2016, 17:48:40",
"hostname": "sysloghost",
"process": "CylancePROTECT",
"event_type": "Device",
"event_name": "SystemSecurity",
"device_name": "a0999b134871",
"agent_version": "1.2.1350.541",
"ip_addresses": "291.390.9.143",
"mac_addresses": "A9987B134871, CE9F7E54EAA1",
"users": "harrypotter",
"operating_system": "MAC OS X El Capitan 10.11.5 x64 10.11.5"
}
{code}
Sample Cylance ThreatClassification log line:
<116>Jul 8 17:47:42 sysloghost CylancePROTECT Event Type: ThreatClassification, Event Name: ResearchSaved, Threat Class: PUP, Threat Subclass: Adware, SHA256: E6D8C4F1484BB5T2G89PR9EC91048F4DE533DC3CB37C13021077DD8C564C81F9, MD5: 689A96F71161190A819X0X9D7341I9B#015
Data after parsing:
{code:none}
{
"source:type": "cylance",
"priority": "116",
"timestamp": "July 8th 2016 17:47:42",
"hostname": "sysloghost",
"process": "CylancePROTECT",
"event_type": "ThreatClassification",
"event_name": "ResearchSaved",
"threat_class": "PUP",
"threat_subclass": "Adware",
"sha256": "E6D8C4F1484BB5T2G89PR9EC91048F4DE533DC3CB37C13021077DD8C564C81F9",
"md5": "689A96F71161190A819X0X9D7341I9B"
}
{code}
Sample Cylance Threat log line:
<116>Jul 8 17:50:30 sysloghost CylancePROTECT Event Type: Threat, Event Name: corrupt_found, Device Name: DEP5CG6987D2F, IP Address: (222.765.9.8, 2600:1003:b02c:f691:7c70:e3d0:1303:ff9c, 2600:1003:b02c:f691:80f4:59ba:8412:2648, 234.19.56.109), File Name: olivanders, Path: c:\program files (x86)\chamberofsecrets\net wand provider for harry\15.00\help\, Drive Type: None, SHA256: AD123456F9B97E4EEAEF987654143FEFAB39106B707857C48PB085B8AD6E90E6, MD5: , Status: Corrupt, Cylance Score: 0, Found Date: 7/8/2016 5:50:30 PM, File Type: Executable, Is Running: False, Auto Run: False, Detected By: FileWatcher#015
Data after parsing:
{code:none}
{
"source:type": "cylance",
"priority": "116",
"timestamp": "July 8th 2016, 17:50:30",
"hostname": "sysloghost",
"process": "CylancePROTECT",
"event_type": "Threat",
"event_name": "corrupt_found",
"device_name": "DEP5CG6987D2F",
"ip_addresses": "222.765.9.8, 2600:1003:b02c:f691:7c70:e3d0:1303:ff9c, 2600:1003:b02c:f691:80f4:59ba:8412:2648, 234.19.56.109",
"file_name": "olivanders",
"path": "c:\program files (x86)\chamberofsecrets\net wand provider for harry\15.00\help\",
"drive_type": "None",
"sha256": "AD123456F9B97E4EEAEF987654143FEFAB39106B707857C48PB085B8AD6E90E6",
"status": "Corrupt",
"cylance_score": "0",
"found_data": "7/8/2016 5:50:30 PM",
"file_type": "Executable",
"is_running": "False",
"auto_run": "False",
"detected_by": "FileWatcher"
}
{code}
Sample Cylance Repeated log line:
<116>Jul 8 17:47:22 sysloghost CylancePROTECT message repeated 2 times: [Event Type: ThreatClassification, Event Name: ResearchSaved, Threat Class: PUP, Threat Subclass: Adware, SHA256: E6D8C4F1234BB3F1B25FA9EC91048F4DE098DC3CB37C13021077DD8C765C81F9, MD5: 689A96F71098726A8193D8P0X8341E6B #015]
Data after parsing:
{code:none}
{
"priority": "116",
"timestamp": "July 8th 2016 17:47:22",
"hostname": "sysloghost",
"process": "CylancePROTECT",
"repeat_count": "2",
"event_type": "ThreatClassification",
"event_name": "ResearchSaved",
"threat_class": "PUP",
"threat_subclass": "Adware",
"sha256": "E6D8C4F1234BB3F1B25FA9EC91048F4DE098DC3CB37C13021077DD8C765C81F9",
"md5": "689A96F71098726A8193D8P0X8341E6B"
}
{code}
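A reference parser covering all four sample lines above, added here as an example and not code from Metron or from the reporter. It assumes the syslog header shape shown in the samples, keeps the timestamp raw because the header carries no year, strips the `#015` escaped carriage return, unwraps the "message repeated N times: [...]" form, and names the Found Date field `found_date`.

```python
import re

# Syslog header: <PRI>Mon DD HH:MM:SS host process body
SYSLOG_RE = re.compile(
    r"^<(?P<priority>\d+)>(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) (?P<process>\S+) (?P<body>.*)$")
# Syslog suppression wrapper around an otherwise normal Cylance body
REPEAT_RE = re.compile(r"^message repeated (?P<count>\d+) times: \[(?P<body>.*)\]$")
# "Key: value" pairs separated by ", "; a value is either a parenthesised,
# comma-separated list (IP/MAC/user lists) or free text up to the next "Key: "
PAIR_RE = re.compile(
    r"(?:^|, )(?P<key>[A-Za-z][A-Za-z0-9 ]*?): "
    r"(?:\((?P<list>[^)]*)\)|(?P<val>.*?))(?=, [A-Za-z][A-Za-z0-9 ]*: |$)")
# Map the log's own labels onto the field names proposed in the issue
RENAME = {"ip_address": "ip_addresses", "mac_address": "mac_addresses",
          "logged_on_users": "users", "os": "operating_system"}

def parse_cylance(line):
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a syslog line: %r" % line[:40])
    out = {"source:type": "cylance"}
    out.update((k, v) for k, v in m.groupdict().items() if k != "body")
    # "#015" is how the syslog daemon escaped the trailing carriage return
    body = re.sub(r"\s*#015", "", m.group("body")).strip()
    rep = REPEAT_RE.match(body)
    if rep:
        out["repeat_count"] = rep.group("count")
        body = rep.group("body").strip()
    for p in PAIR_RE.finditer(body):
        key = p.group("key").lower().replace(" ", "_")
        value = p.group("list") if p.group("list") is not None else p.group("val")
        out[RENAME.get(key, key)] = value.strip()  # an empty "MD5: ," stays ""
    return out

# Constructed inputs: the Device, Threat and "repeated" lines quoted in this issue
DEVICE_LINE = ("<116>Jul 8 17:48:40 sysloghost CylancePROTECT Event Type: Device, Event Name: SystemSecurity, "
               "Device Name: a0999b134871, Agent Version: 1.2.1350.541, IP Address: (291.390.9.143), MAC Address: "
               "(A9987B134871, CE9F7E54EAA1), Logged On Users: (harrypotter), OS: MAC OS X El Capitan 10.11.5 x64 10.11.5#015")
THREAT_LINE = (r"<116>Jul 8 17:50:30 sysloghost CylancePROTECT Event Type: Threat, Event Name: corrupt_found, "
               r"Device Name: DEP5CG6987D2F, IP Address: (222.765.9.8, 2600:1003:b02c:f691:7c70:e3d0:1303:ff9c, "
               r"2600:1003:b02c:f691:80f4:59ba:8412:2648, 234.19.56.109), File Name: olivanders, "
               r"Path: c:\program files (x86)\chamberofsecrets\net wand provider for harry\15.00\help\, Drive Type: None, "
               r"SHA256: AD123456F9B97E4EEAEF987654143FEFAB39106B707857C48PB085B8AD6E90E6, MD5: , Status: Corrupt, "
               r"Cylance Score: 0, Found Date: 7/8/2016 5:50:30 PM, File Type: Executable, Is Running: False, "
               r"Auto Run: False, Detected By: FileWatcher#015")
REPEATED_LINE = ("<116>Jul 8 17:47:22 sysloghost CylancePROTECT message repeated 2 times: [Event Type: "
                 "ThreatClassification, Event Name: ResearchSaved, Threat Class: PUP, Threat Subclass: Adware, SHA256: "
                 "E6D8C4F1234BB3F1B25FA9EC91048F4DE098DC3CB37C13021077DD8C765C81F9, MD5: 689A96F71098726A8193D8P0X8341E6B #015]")
```

Free-text values are delimited only by the next ", Key: " token, so a file name or path that itself contains ", Something: " would be split; a production parser should validate against the known key set.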
> Create Cylance Parser
> ---------------------
>
> Key: METRON-327
> URL: https://issues.apache.org/jira/browse/METRON-327
> Project: Metron
> Issue Type: New Feature
> Reporter: Keren Tseytlin
> Priority: Minor
>
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)