Check Point Harmony Endpoint
The Check Point Harmony Endpoint integration allows you to ingest data from the Harmony Endpoint management service (https://www.checkpoint.com/harmony/endpoint/).

Harmony Endpoint EPMaaS (Endpoint Management as a Service) is the cloud service used to manage endpoint security policies and deployments. It provides advanced threat prevention and detection capabilities to protect endpoints from malware, ransomware, and other sophisticated attacks. The solution delivers real-time protection through behavioral analysis, machine learning, and threat intelligence.

For more details, see the Harmony Endpoint Administration Guide.
Setup

To collect data from Check Point Harmony Endpoint, the following parameters from your Harmony Endpoint instance are required:

- Server URL
- Client ID
- Secret Key

To use this integration, generate an API key. The API key consists of a Client ID and a Secret Key. Users can create an API key in the Infinity Portal by browsing to GLOBAL SETTINGS > API Keys. When creating the API key, make sure the Service is set to Logs as a Service.

To create an API key, refer to Check Point's Infinity API guide. The list of servers can also be found there.

The following optional parameters are available for fine-tuning:

- Initial interval: the initial interval from which existing logs will be fetched.
- Interval: the interval at which new logs will be fetched.
- Limit: sets the number of results returned per API search query.
- Page limit: sets the number of results returned per page in each API search query.
Enable the integration in Elastic

- In Kibana, go to Management > Integrations.
- In the "Search for integrations" search bar, type Check Point Harmony Endpoint.
- Click the "Check Point Harmony Endpoint" integration from the search results.
- Click the "Add Check Point Harmony Endpoint" button to add the integration.
- Add all the required integration configuration parameters, such as Server URL, Client ID, and Secret Key. These parameters must be provided for all data streams in order to retrieve logs.
- Save the integration.
Data streams

- Anti-Bot: behavioral protection against bots. A single bot can create multiple threats. Cybercriminals frequently use bots in Advanced Persistent Threat (APT) attacks to target specific individuals or organizations.
- Anti-Malware: protects computers from viruses, spyware, and other malicious software. It uses real-time and scheduled scans to detect and eliminate threats before they damage your computer.
- Forensics: this component monitors file operations, processes, and network activity for suspicious behavior. It analyzes attacks detected by other client components or by Check Point Security Gateways and applies remediation to malicious files.
- Threat Emulation: detects zero-day and unknown attacks. Files on the endpoint computer are sent to a sandbox for emulation to reveal evasive zero-day attacks.
- Threat Extraction: proactively protects users from malicious downloaded files. It quickly delivers safe files while the original files are inspected for potential threats.
- URL Filtering: defines which sites are accessible within your organization. The URL Filtering policy consists of the selected sites and the mode of operation applied to them.
- Zero Phishing: examines various website characteristics to make sure a website is not impersonating another website in order to maliciously collect personal information. It generates alerts for potential phishing sites.
Logs reference

Anti-Bot

This is the antibot dataset.

Example

An example event for antibot looks as following:
```json
{ "@timestamp": "2024-09-02T08:53:44.000Z", "agent": { "ephemeral_id": "cebc2bcd-9723-4948-bfd6-fc0e0dfd5784", "id": "d4e5bf31-1f9a-4721-9f32-d3d87eca6898", "name": "elastic-agent-88462", "type": "filebeat", "version": "8.15.1" }, "checkpoint_harmony_endpoint": { "antibot": { "advanced_info": "\"exclusions\":[{\"exclusion_engine_type\":\"Anti Bot exclusions\",\"exclusion_type\":\"URL\",\"exclusion_value\":{\"default_value\":\"http://www.threat-cloud.com/test/files/MediumConfidenceBot.html\",\"md5\":\"\",\"original_name\":\"\",\"signer\":\"\",\"process\":\"\",\"protection\":\"\",\"comment\":\"\"}}]", "client": { "name": "Check Point Endpoint Security Client", "version": "88.50.0213" }, "confidence_level": "Medium", "description": "Detected bot activity [Anti-Bot test.TC.e]. To exclude: On the Harmony Endpoint Management add an exclusion of type \"URL\" with value: \"http://www.threat-cloud.com/test/files/MediumConfidenceBot.html\"", "event_type": "Anti Bot Event", "installed_products": "Full Disk Encryption; Media Encryption & Port Protection; Firewall; Compliance; Application Control; Anti-Malware; VPN; Anti-Bot; Forensics; Threat Emulation", "malware": { "action": "Communication with C&C" }, "packet_capture": "Packet Capture", "packet_capture_unique_id": "6c239c74-89a9-4797-ab6b-75a2b2a6afd7", "policy": { "date": "2024-08-29T13:12:51.0000000Z", "name": "Default Anti-Bot settings", "number": 2 }, "product": { "family": "Endpoint", "name": "Anti-Bot" }, "protection_type": "URL Reputation", "proxy_src_ip": "89.160.20.128", "sequencenum": 16777215, "severity": "Critical", "tenant_id": "3e15ed24-89ff-4986-a204-c425cee4ba48", "type": "Log" } }, "data_stream": { "dataset": "checkpoint_harmony_endpoint.antibot", "namespace": "78732", "type": "logs" }, "destination": { "geo": { "country_name": "UnitedStates" }, "ip": "89.160.20.128" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { "id": "d4e5bf31-1f9a-4721-9f32-d3d87eca6898", "snapshot": false, "version": "8.15.1" }, "event": { "action": "Detect", "agent_id_status": "verified", "category": [ "malware" ], "dataset": "checkpoint_harmony_endpoint.antibot", "id": "a4640108-91b1-0f19-66d5-7d9d00000000", "ingested": "2024-10-24T05:31:25Z", "kind": "event", "module": "checkpoint_harmony_endpoint", "type": [ "info" ] }, "file": { "hash": { "md5": "bd075be9d011daaa82c3f9ff2572076e" }, "name": "chrome.exe", "size": 2742376, "type": "exe" }, "host": { "hostname": "DESKTOP-E2P4OL0", "ip": [ "10.35.38.102" ], "name": "DESKTOP-E2P4OL0", "os": { "name": "Microsoft Windows 10 Pro", "version": "10.0-19045-SP0.0-SMP" }, "type": [ "Desktop" ] }, "input": { "type": "cel" }, "process": { "user": { "name": "admin" } }, "related": { "hash": [ "bd075be9d011daaa82c3f9ff2572076e" ], "hosts": [ "DESKTOP-E2P4OL0" ], "ip": [ "10.35.38.102", "89.160.20.128" ], "user": [ "admin" ] }, "rule": { "name": "Anti-Bot test.TC.e" }, "tags": [ "forwarded" ], "url": { "original": "www.threat-cloud.com" }, "user": { "domain": "SMC User", "id": "S-1-5-21-3766288932-3295778425-2939962592-1001", "name": [ "admin" ] } }
```
Exported fields

| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| checkpoint_harmony_endpoint.antibot.advanced_info | Internal field used to configure exclusions | keyword |
| checkpoint_harmony_endpoint.antibot.attack_status | Attack status | keyword |
| checkpoint_harmony_endpoint.antibot.client.name | Can be Check Point Endpoint Security Client or Check Point Capsule Docs Client | keyword |
| checkpoint_harmony_endpoint.antibot.client.version | Build version of the Harmony Endpoint client installed on the computer | version |
| checkpoint_harmony_endpoint.antibot.confidence_level | Confidence level | keyword |
| checkpoint_harmony_endpoint.antibot.description | Details of the event | text |
| checkpoint_harmony_endpoint.antibot.detected_by | Component that detected the event | keyword |
| checkpoint_harmony_endpoint.antibot.dst_country | Destination country | keyword |
| checkpoint_harmony_endpoint.antibot.event_type | Name of the event | keyword |
| checkpoint_harmony_endpoint.antibot.installed_products | List of installed endpoint software blades | keyword |
| checkpoint_harmony_endpoint.antibot.malware.action | Malware action | keyword |
| checkpoint_harmony_endpoint.antibot.packet_capture | Link to the PCAP traffic capture file with the recorded malicious connection. | keyword |
| checkpoint_harmony_endpoint.antibot.packet_capture_unique_id | Unique packet capture ID | keyword |
| checkpoint_harmony_endpoint.antibot.policy.date | Policy date | date |
| checkpoint_harmony_endpoint.antibot.policy.name | Policy name | keyword |
| checkpoint_harmony_endpoint.antibot.policy.number | Version number of the policy | integer |
| checkpoint_harmony_endpoint.antibot.product.family | Product family the blade/product belongs to, possible values (0 - Network, 1 - Endpoint, 2 - Access, 3 - Threat, 4 - Mobile) | keyword |
| checkpoint_harmony_endpoint.antibot.product.name | Product name | keyword |
| checkpoint_harmony_endpoint.antibot.protection_type | Source of the detection - can be IOC when manually configured, or URL/IP/CMI reputation | keyword |
| checkpoint_harmony_endpoint.antibot.proxy_src_ip | Address the traffic was sent to | ip |
| checkpoint_harmony_endpoint.antibot.resource | Resource in the HTTP request | keyword |
| checkpoint_harmony_endpoint.antibot.sequencenum | Number added to order logs that have the same Linux timestamp and origin (the Security Gateway that generated these logs) | integer |
| checkpoint_harmony_endpoint.antibot.service_domain | Service domain name | keyword |
| checkpoint_harmony_endpoint.antibot.severity | Event severity | keyword |
| checkpoint_harmony_endpoint.antibot.src | Client source IP address | ip |
| checkpoint_harmony_endpoint.antibot.suspicious_events | ID of the EFR report (if relevant/exists) | text |
| checkpoint_harmony_endpoint.antibot.tenant_id | Tenant ID | keyword |
| checkpoint_harmony_endpoint.antibot.type | Log type | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| input.type | Input type | keyword |

A range of ECS fields are also exported. They are described in the ECS documentation.
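Across the sample events on this page, `advanced_info` is a JSON fragment without outer braces, carrying either an `exclusions` array (Anti-Bot, Anti-Malware, Threat Emulation, URL Filtering) or `"disable_exclusion": true` (Threat Extraction). The Python below is an added example, not part of the Elastic integration or of Check Point's code: it parses both forms and pulls the triage-relevant fields out of an ingested event, using inputs copied from the page's own samples; the `Exclusion` class and the `summarize` helper are this example's own names.

```python
"""Parse the `advanced_info` field of Harmony Endpoint events.

Added example, not part of the Elastic integration or Check Point's code.
It assumes only what the sample events on this page show: `advanced_info`
is a JSON fragment without outer braces, either '"exclusions":[...]' or
' "disable_exclusion": true '.
"""
from __future__ import annotations

import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Exclusion:
    engine: str   # exclusion_engine_type, e.g. "Anti Bot exclusions"
    kind: str     # exclusion_type: URL, Path, SHA1, Domain, ...
    value: str    # exclusion_value.default_value
    comment: str  # exclusion_value.comment


def parse_advanced_info(raw: str | None) -> dict:
    """Turn the fragment into a dict. Empty input -> {}; malformed -> ValueError,
    so a broken field is visible instead of silently yielding no exclusions."""
    if raw is None or not raw.strip():
        return {}
    try:
        return json.loads("{" + raw.strip() + "}")
    except json.JSONDecodeError as exc:
        raise ValueError(f"advanced_info is not a JSON fragment: {exc}") from exc


def exclusions_from(raw: str | None) -> list[Exclusion]:
    """List the exclusion candidates the event proposes (may be empty)."""
    found = []
    for item in parse_advanced_info(raw).get("exclusions", []):
        val = item.get("exclusion_value", {})
        found.append(Exclusion(
            engine=item.get("exclusion_engine_type", ""),
            kind=item.get("exclusion_type", ""),
            value=val.get("default_value", ""),
            comment=val.get("comment", ""),
        ))
    return found


def exclusion_disabled(raw: str | None) -> bool:
    """True when the product states that no exclusion can be configured."""
    return bool(parse_advanced_info(raw).get("disable_exclusion", False))


def summarize(event: dict) -> dict:
    """Pull the triage-relevant fields out of one ingested event.

    The dataset suffix (antibot, antimalware, ...) names the nested object
    under `checkpoint_harmony_endpoint`, exactly as in the sample events.
    """
    dataset = event["event"]["dataset"].split(".", 1)[1]
    body = event["checkpoint_harmony_endpoint"][dataset]
    raw = body.get("advanced_info")
    return {
        "dataset": dataset,
        "product": body.get("product", {}).get("name"),
        "severity": body.get("severity"),
        "confidence": body.get("confidence_level"),
        "rule": event.get("rule", {}).get("name"),
        "exclusion_disabled": exclusion_disabled(raw),
        "exclusions": [(e.kind, e.value) for e in exclusions_from(raw)],
    }


# Constructed inputs, copied from the sample events on this page.
ANTIBOT_INFO = ('"exclusions":[{"exclusion_engine_type":"Anti Bot exclusions",'
                '"exclusion_type":"URL","exclusion_value":{"default_value":'
                '"http://www.threat-cloud.com/test/files/MediumConfidenceBot.html",'
                '"md5":"","original_name":"","signer":"","process":"",'
                '"protection":"","comment":""}}]')
TE_INFO = ('"exclusions":[{"exclusion_engine_type":"Threat Emulation, Extraction '
           'and Zero Phishing Exclusions","exclusion_type":"SHA1","exclusion_value":'
           '{"default_value":"9d3395d94c6bbba52abf0e6afcbf4ca312597c21","md5":"",'
           '"original_name":"","signer":"","process":"","protection":"","comment":""}}]')
TEX_INFO = ' "disable_exclusion": true '

ANTIBOT_EVENT = {  # trimmed copy of the antibot sample event above
    "event": {"dataset": "checkpoint_harmony_endpoint.antibot"},
    "rule": {"name": "Anti-Bot test.TC.e"},
    "checkpoint_harmony_endpoint": {"antibot": {
        "advanced_info": ANTIBOT_INFO,
        "confidence_level": "Medium",
        "severity": "Critical",
        "product": {"family": "Endpoint", "name": "Anti-Bot"},
    }},
}

if __name__ == "__main__":
    print(json.dumps(summarize(ANTIBOT_EVENT), indent=2))
```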
Anti-Malware

This is the antimalware dataset.

Example

An example event for antimalware looks as following:
```json
{ "@timestamp": "2024-09-02T09:09:07.000Z", "agent": { "ephemeral_id": "972620ca-77a9-4305-991a-5bd475860580", "id": "4cdb965a-db2a-4ec3-9abf-6e20dbb120c9", "name": "elastic-agent-21918", "type": "filebeat", "version": "8.15.1" }, "checkpoint_harmony_endpoint": { "antimalware": { "action_details": "Infected", "advanced_info": "\"exclusions\":[{\"exclusion_engine_type\":\"File & Folder exclusions (system, scheduled and on-demand)\",\"exclusion_type\":\"Path\",\"exclusion_value\":{\"default_value\":\"md5:\",\"md5\":\"\",\"original_name\":\"\",\"signer\":\"\",\"process\":\"\",\"protection\":\"\",\"comment\":\"md5 taken from file C:\\\\\Users\\\\\admin\\\\\AppData\\\\\Local\\\\\Temp\\\\\9e68140d-22bb-4e96-8aaa-70ec80eb2dc4.tmp\"}}]", "client": { "name": "Check Point Endpoint Security Client", "version": "88.50.0213" }, "confidence_level": "High", "connectivity_state": "Connected", "engine_version": "3.90", "event_type": "Infection", "installed_products": "Full Disk Encryption; Media Encryption & Port Protection; Firewall; Compliance; Application Control; Anti-Malware; VPN; Anti-Bot; Forensics; Threat Emulation", "malware": { "category": "Malware" }, "packet_capture": "Packet Capture", "packet_capture_unique_id": "31dc576b-7192-49bf-b2fc-b40c93f84b7c", "policy": { "date": "2024-08-29T13:12:46.0000000Z", "name": "Default Anti-Malware settings for the entire organization", "number": 3 }, "product": { "family": "Endpoint", "name": "Anti-Malware" }, "protection_type": "Protection", "sequencenum": 16777215, "severity": "High", "signature_version": "202409011444", "src": "10.35.38.102", "tenant_id": "3e15ed24-89ff-4986-a204-c425cee4ba48", "type": "Log" } }, "data_stream": { "dataset": "checkpoint_harmony_endpoint.antimalware", "namespace": "85578", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { "id": "4cdb965a-db2a-4ec3-9abf-6e20dbb120c9", "snapshot": false, "version": "8.15.1" }, "event": { "action": "Detect", "agent_id_status": "verified", "category": [ "malware" ], "dataset": "checkpoint_harmony_endpoint.antimalware", "id": "a4640108-91b1-0f19-66d5-815d0000000f", "ingested": "2024-10-24T05:32:25Z", "kind": "alert", "module": "checkpoint_harmony_endpoint", "type": [ "info" ] }, "file": { "name": "9e68140d-22bb-4e96-8aaa-70ec80eb2dc4.tmp" }, "host": { "hostname": "DESKTOP-E2P4OL0", "ip": [ "10.35.38.102" ], "name": "DESKTOP-E2P4OL0", "os": { "name": "Microsoft Windows 10 Pro", "version": "10.0-19045-SP0.0-SMP" }, "type": [ "Desktop" ] }, "input": { "type": "cel" }, "related": { "hosts": [ "DESKTOP-E2P4OL0" ], "ip": [ "10.35.38.102" ], "user": [ "admin" ] }, "rule": { "name": "Mal/ShellDl-A" }, "source": { "ip": [ "10.35.38.102" ] }, "tags": [ "forwarded" ], "user": { "domain": "SMC User", "id": "S-1-5-21-3766288932-3295778425-2939962592-1001", "name": [ "admin" ] } }
```
Exported fields

| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| checkpoint_harmony_endpoint.antimalware.Number_of_items.detected | Number of items detected | integer |
| checkpoint_harmony_endpoint.antimalware.Number_of_items.scanned | Number of items scanned | integer |
| checkpoint_harmony_endpoint.antimalware.Number_of_items.treated | Number of items treated | integer |
| checkpoint_harmony_endpoint.antimalware.action_details | Malware action details | keyword |
| checkpoint_harmony_endpoint.antimalware.advanced_info | Internal field used to configure exclusions | text |
| checkpoint_harmony_endpoint.antimalware.attack_status | Attack status | keyword |
| checkpoint_harmony_endpoint.antimalware.client.name | Can be Check Point Endpoint Security Client or Check Point Capsule Docs Client | keyword |
| checkpoint_harmony_endpoint.antimalware.client.version | Build version of the Harmony Endpoint client installed on the computer | version |
| checkpoint_harmony_endpoint.antimalware.confidence_level | Confidence level | keyword |
| checkpoint_harmony_endpoint.antimalware.connectivity_state | Type of AM policy currently applied (Connected/Disconnected/Restricted) | keyword |
| checkpoint_harmony_endpoint.antimalware.description | Details of the event | text |
| checkpoint_harmony_endpoint.antimalware.detected_by | Component that detected the event | keyword |
| checkpoint_harmony_endpoint.antimalware.duration | Scan duration | long |
| checkpoint_harmony_endpoint.antimalware.engine_version | Engine version | keyword |
| checkpoint_harmony_endpoint.antimalware.event_type | Name of the event | keyword |
| checkpoint_harmony_endpoint.antimalware.installed_products | List of installed endpoint software blades | keyword |
| checkpoint_harmony_endpoint.antimalware.integrity_av_invoke_type | Scan type | keyword |
| checkpoint_harmony_endpoint.antimalware.malware.category | Malware category | keyword |
| checkpoint_harmony_endpoint.antimalware.orig | | ip |
| checkpoint_harmony_endpoint.antimalware.os_name | Name of the OS installed on the source endpoint computer | keyword |
| checkpoint_harmony_endpoint.antimalware.os_version | Build version of the OS installed on the source endpoint computer | keyword |
| checkpoint_harmony_endpoint.antimalware.packet_capture | Link to the PCAP traffic capture file with the recorded malicious connection. | keyword |
| checkpoint_harmony_endpoint.antimalware.packet_capture_unique_id | Unique packet capture ID | keyword |
| checkpoint_harmony_endpoint.antimalware.policy.date | Policy date | date |
| checkpoint_harmony_endpoint.antimalware.policy.name | Policy name | keyword |
| checkpoint_harmony_endpoint.antimalware.policy.number | Version number of the policy | integer |
| checkpoint_harmony_endpoint.antimalware.product.family | Product family the blade/product belongs to, possible values (0 - Network, 1 - Endpoint, 2 - Access, 3 - Threat, 4 - Mobile) | keyword |
| checkpoint_harmony_endpoint.antimalware.product.name | Product name | keyword |
| checkpoint_harmony_endpoint.antimalware.protection_type | Source of the detection - can be IOC when manually configured, or URL/IP/CMI reputation | keyword |
| checkpoint_harmony_endpoint.antimalware.proxy_src_ip | Address the traffic was sent to | ip |
| checkpoint_harmony_endpoint.antimalware.result | Update result | keyword |
| checkpoint_harmony_endpoint.antimalware.sequencenum | Number added to order logs that have the same Linux timestamp and origin (the Security Gateway that generated these logs) | integer |
| checkpoint_harmony_endpoint.antimalware.service_domain | Service domain name | keyword |
| checkpoint_harmony_endpoint.antimalware.severity | Event severity | keyword |
| checkpoint_harmony_endpoint.antimalware.signature_version | Signature version | keyword |
| checkpoint_harmony_endpoint.antimalware.src | Client source IP address | ip |
| checkpoint_harmony_endpoint.antimalware.suspicious_events | Suspicious events identified | text |
| checkpoint_harmony_endpoint.antimalware.tenant_id | Tenant ID | keyword |
| checkpoint_harmony_endpoint.antimalware.type | Log type | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| input.type | Input type | keyword |

A range of ECS fields are also exported. They are described in the ECS documentation.
Forensics

This is the forensics dataset.

Example

An example event for forensics looks as following:
```json
{ "@timestamp": "2024-09-03T08:53:12.000Z", "agent": { "ephemeral_id": "76820ab1-9086-4fc7-975c-2e7cda1f601c", "id": "3df1f948-9917-4dc4-a724-f2b5934a6652", "name": "elastic-agent-71957", "type": "filebeat", "version": "8.15.1" }, "checkpoint_harmony_endpoint": { "forensics": { "attack_status": "Dormant", "client": { "name": "Check Point Endpoint Security Client", "version": "88.50.0213" }, "confidence_level": "High", "description": "To exclude the file: On the Harmony Endpoint Management add this sha1 exclusion: 62f0bd56-b0e1235b-99940b34-916c19ec-fac8e80c Attack status: Dormant.", "detected_by": "Endpoint File Reputation", "event_type": "Forensics Case Analysis", "installed_products": "Full Disk Encryption; Media Encryption & Port Protection; Firewall; Compliance; Application Control; Anti-Malware; VPN; Anti-Bot; Forensics; Threat Emulation", "malware": {}, "packet_capture": "Packet Capture", "packet_capture_unique_id": "0acd55a9-f241-4097-a699-6b7e41cd26af", "policy": { "date": "2024-09-02T06:23:25.0000000Z", "name": "Default Forensics settings", "number": 3 }, "product": { "family": "Endpoint", "name": "Forensics" }, "protection_type": "File Reputation", "remediated_files": "malz5.zip(Remediation disabled in policy)", "sequencenum": 1, "service_domain": "ep-demo", "severity": "Critical", "src": "10.35.38.102", "suspicious_events": "System Shutdown / Reboot: ; ", "tenant_id": "3e15ed24-89ff-4986-a204-c425cee4ba48", "type": "Log" } }, "data_stream": { "dataset": "checkpoint_harmony_endpoint.forensics", "namespace": "38429", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { "id": "3df1f948-9917-4dc4-a724-f2b5934a6652", "snapshot": false, "version": "8.15.1" }, "event": { "action": "Detect", "agent_id_status": "verified", "category": [ "malware" ], "dataset": "checkpoint_harmony_endpoint.forensics", "id": "a4640108-91b1-0f19-66d6-ceb500000000", "ingested": "2024-10-24T05:33:21Z", "kind": "alert", "module": "checkpoint_harmony_endpoint", "type": [ "info" ] }, "file": { "hash": { "md5": "1468c1908845ef238f7f196809946288", "sha1": "62f0bd56b0e1235b99940b34916c19ecfac8e80c" }, "name": "malz5.zip", "path": "c:\\users\\admin\\downloads\\malz5.zip", "size": 12707198, "type": "zip" }, "host": { "hostname": "DESKTOP-E2P4OL0", "ip": [ "10.35.38.102" ], "name": "DESKTOP-E2P4OL0", "os": { "name": "Microsoft Windows 10 Pro", "version": "10.0-19045-SP0.0-SMP" }, "type": [ "Desktop" ] }, "input": { "type": "cel" }, "related": { "hash": [ "1468c1908845ef238f7f196809946288", "62f0bd56b0e1235b99940b34916c19ecfac8e80c" ], "hosts": [ "DESKTOP-E2P4OL0" ], "ip": [ "10.35.38.102" ], "user": [ "admin" ] }, "rule": { "name": "Gen.Rep.zip" }, "tags": [ "forwarded" ], "user": { "domain": "SMC User", "id": "S-1-5-21-3766288932-3295778425-2939962592-1001", "name": [ "admin" ] } }
```
Exported fields

| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| checkpoint_harmony_endpoint.forensics.action_details | Malware action details | keyword |
| checkpoint_harmony_endpoint.forensics.attack_status | Attack status | keyword |
| checkpoint_harmony_endpoint.forensics.client.name | Can be Check Point Endpoint Security Client or Check Point Capsule Docs Client | keyword |
| checkpoint_harmony_endpoint.forensics.client.version | Build version of the Harmony Endpoint client installed on the computer | version |
| checkpoint_harmony_endpoint.forensics.confidence_level | Confidence level | keyword |
| checkpoint_harmony_endpoint.forensics.description | Details of the event | text |
| checkpoint_harmony_endpoint.forensics.detected_by | Component that detected the event | keyword |
| checkpoint_harmony_endpoint.forensics.event_type | Name of the event | keyword |
| checkpoint_harmony_endpoint.forensics.installed_products | List of installed endpoint software blades | keyword |
| checkpoint_harmony_endpoint.forensics.malware.action | Malware action | keyword |
| checkpoint_harmony_endpoint.forensics.packet_capture | Link to the PCAP traffic capture file with the recorded malicious connection. | keyword |
| checkpoint_harmony_endpoint.forensics.packet_capture_unique_id | ID of the EFR report | keyword |
| checkpoint_harmony_endpoint.forensics.policy.date | Policy date | date |
| checkpoint_harmony_endpoint.forensics.policy.name | Policy name | keyword |
| checkpoint_harmony_endpoint.forensics.policy.number | Version number of the policy | integer |
| checkpoint_harmony_endpoint.forensics.product.family | Product family the blade/product belongs to, possible values (0 - Network, 1 - Endpoint, 2 - Access, 3 - Threat, 4 - Mobile) | keyword |
| checkpoint_harmony_endpoint.forensics.product.name | Product name | keyword |
| checkpoint_harmony_endpoint.forensics.protection_type | Source of the detection - can be IOC when manually configured, or URL/IP/CMI reputation | keyword |
| checkpoint_harmony_endpoint.forensics.remediated_files | Remediated files | keyword |
| checkpoint_harmony_endpoint.forensics.sequencenum | Number added to order logs that have the same Linux timestamp and origin (the Security Gateway that generated these logs) | integer |
| checkpoint_harmony_endpoint.forensics.service_domain | Service domain name | keyword |
| checkpoint_harmony_endpoint.forensics.severity | Event severity | keyword |
| checkpoint_harmony_endpoint.forensics.src | Client source IP address | ip |
| checkpoint_harmony_endpoint.forensics.suspicious_events | Events that led to the trigger | text |
| checkpoint_harmony_endpoint.forensics.tenant_id | Tenant ID | keyword |
| checkpoint_harmony_endpoint.forensics.type | Log type | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| input.type | Input type | keyword |

A range of ECS fields are also exported. They are described in the ECS documentation (https://elastic.ac.cn/guide/en/ecs/current/ecs-field-reference.html).
Threat Emulation

This is the Threat Emulation dataset.

Example

An example event for threatemulation looks as following:
```json
{ "@timestamp": "2024-09-02T09:04:54.000Z", "agent": { "ephemeral_id": "8723e6bf-0b1a-4a95-95b6-d5e11a0380a7", "id": "9f7d3384-0b1f-462c-9d71-0e0580545765", "name": "elastic-agent-95748", "type": "filebeat", "version": "8.15.1" }, "checkpoint_harmony_endpoint": { "threatemulation": { "advanced_info": "\"exclusions\":[{\"exclusion_engine_type\":\"Threat Emulation, Extraction and Zero Phishing Exclusions\",\"exclusion_type\":\"SHA1\",\"exclusion_value\":{\"default_value\":\"9d3395d94c6bbba52abf0e6afcbf4ca312597c21\",\"md5\":\"\",\"original_name\":\"\",\"signer\":\"\",\"process\":\"\",\"protection\":\"\",\"comment\":\"\"}}]", "analyzed_on": "Check Point Threat Emulation Cloud", "client": { "name": "Check Point Endpoint Security Client", "version": "88.50.0213" }, "confidence_level": "High", "description": "Endpoint TE detected malicious file (681573a2-414a-4f7d-9683-177df4f8ca7f.tmp) . To exclude the file: On the Harmony Endpoint Management add this sha1 exclusion: 9d3395d9-4c6bbba5-2abf0e6a-fcbf4ca3-12597c21", "event_type": "TE Event", "incident_uid": "74a33ecb-1b91-4c25-a136-1989eb175638", "installed_products": "Full Disk Encryption; Media Encryption & Port Protection; Firewall; Compliance; Application Control; Anti-Malware; VPN; Anti-Bot; Forensics; Threat Emulation", "malware": { "action": "Adware\",\"Solimba\",\"Trojan\",\"behavior" }, "packet_capture": "Packet Capture", "packet_capture_unique_id": "5e3302e5-3f73-4b77-beec-2849003e9d47", "policy": { "date": "2024-08-29T13:12:50.0000000Z", "name": "Default Threat Extraction, Emulation and Anti-Exploit settings for the entire organization", "number": 3 }, "product": { "family": "Endpoint", "name": "Threat Emulation" }, "protection_type": "File System Emulation", "sequencenum": 16777215, "severity": "Critical", "src": "10.35.38.102", "tenant_id": "3e15ed24-89ff-4986-a204-c425cee4ba48", "type": "Log", "verdict": "Malicious" } }, "data_stream": { "dataset": "checkpoint_harmony_endpoint.threatemulation", "namespace": "43839", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { "id": "9f7d3384-0b1f-462c-9d71-0e0580545765", "snapshot": false, "version": "8.15.1" }, "event": { "action": "Detect", "agent_id_status": "verified", "category": [ "malware" ], "dataset": "checkpoint_harmony_endpoint.threatemulation", "id": "a4640108-91b1-0f19-66d5-803100000012", "ingested": "2024-10-24T05:34:17Z", "kind": "alert", "module": "checkpoint_harmony_endpoint", "type": [ "info" ] }, "file": { "hash": { "md5": "ebe8b633d231bbfee9543d744a2ab59d", "sha1": "9d3395d94c6bbba52abf0e6afcbf4ca312597c21" }, "name": "681573a2-414a-4f7d-9683-177df4f8ca7f.tmp", "path": "C:\\Users\\admin\\Downloads\\681573a2-414a-4f7d-9683-177df4f8ca7f.tmp", "size": 139648, "type": "zip" }, "host": { "hostname": "DESKTOP-E2P4OL0", "ip": [ "10.35.38.102" ], "name": "DESKTOP-E2P4OL0", "os": { "name": "Microsoft Windows 10 Pro", "version": "10.0-19045-SP0.0-SMP" }, "type": [ "Desktop" ] }, "input": { "type": "cel" }, "related": { "hash": [ "ebe8b633d231bbfee9543d744a2ab59d", "9d3395d94c6bbba52abf0e6afcbf4ca312597c21" ], "hosts": [ "DESKTOP-E2P4OL0" ], "ip": [ "10.35.38.102" ], "user": [ "admin" ] }, "rule": { "name": "Gen.SB.zip" }, "tags": [ "forwarded" ], "user": { "domain": "SMC User", "id": "S-1-5-21-3766288932-3295778425-2939962592-1001", "name": [ "admin" ] } }
```
Exported fields

| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| checkpoint_harmony_endpoint.threatemulation.advanced_info | Internal field used to configure exclusions | text |
| checkpoint_harmony_endpoint.threatemulation.analyzed_on | Asset used for the emulation - can be "Check Point Threat Emulation Cloud", "Check Point Appliance" or "Harmony Local Cache" | keyword |
| checkpoint_harmony_endpoint.threatemulation.client.name | Can be Check Point Endpoint Security Client or Check Point Capsule Docs Client | keyword |
| checkpoint_harmony_endpoint.threatemulation.client.version | Build version of the Harmony Endpoint client installed on the computer | version |
| checkpoint_harmony_endpoint.threatemulation.confidence_level | Can be Low/Medium/High/N/A | keyword |
| checkpoint_harmony_endpoint.threatemulation.description | Details of the event | text |
| checkpoint_harmony_endpoint.threatemulation.event_type | Name of the event | keyword |
| checkpoint_harmony_endpoint.threatemulation.incident_uid | ID of the EFR report (if relevant/exists) | keyword |
| checkpoint_harmony_endpoint.threatemulation.installed_products | List of installed endpoint software blades | keyword |
| checkpoint_harmony_endpoint.threatemulation.malware.action | Additional information on the malware category or action that led to the detection | keyword |
| checkpoint_harmony_endpoint.threatemulation.orig | | ip |
| checkpoint_harmony_endpoint.threatemulation.packet_capture | Link to the PCAP traffic capture file with the recorded malicious connection. | keyword |
| checkpoint_harmony_endpoint.threatemulation.packet_capture_unique_id | ID of the EFR report (if relevant/exists) | keyword |
| checkpoint_harmony_endpoint.threatemulation.policy.date | Policy date | date |
| checkpoint_harmony_endpoint.threatemulation.policy.name | Policy name | keyword |
| checkpoint_harmony_endpoint.threatemulation.policy.number | Version number of the policy | integer |
| checkpoint_harmony_endpoint.threatemulation.product.family | Product family the blade/product belongs to, possible values (0 - Network, 1 - Endpoint, 2 - Access, 3 - Threat, 4 - Mobile) | keyword |
| checkpoint_harmony_endpoint.threatemulation.product.name | Product name | keyword |
| checkpoint_harmony_endpoint.threatemulation.protection_type | Detection type | keyword |
| checkpoint_harmony_endpoint.threatemulation.reason | Information about the error that occurred | keyword |
| checkpoint_harmony_endpoint.threatemulation.resource | Resource in the HTTP request | keyword |
| checkpoint_harmony_endpoint.threatemulation.sequencenum | Number added to order logs that have the same Linux timestamp and origin (the Security Gateway that generated these logs) | integer |
| checkpoint_harmony_endpoint.threatemulation.severity | Event severity | keyword |
| checkpoint_harmony_endpoint.threatemulation.src | Client source IP address | ip |
| checkpoint_harmony_endpoint.threatemulation.tenant_id | Tenant ID | keyword |
| checkpoint_harmony_endpoint.threatemulation.type | Log type | keyword |
| checkpoint_harmony_endpoint.threatemulation.verdict | Can be Malicious/Benign | keyword |
| checkpoint_harmony_endpoint.threatemulation.web_client_type | Name of the browser, if relevant (Chrome, Edge, etc.) | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| input.type | Input type | keyword |

A range of ECS fields are also exported. They are described in the ECS documentation (https://elastic.ac.cn/guide/en/ecs/current/ecs-field-reference.html).
Threat Extraction

This is the Threat Extraction dataset.

Example

An example event for threatextraction looks as following:
```json
{ "@timestamp": "2024-09-02T09:21:42.000Z", "agent": { "ephemeral_id": "b2ca27d2-5544-4cc2-9491-f91097060c1c", "id": "82b03ad0-7025-436d-9e81-8a39705e0152", "name": "elastic-agent-30042", "type": "filebeat", "version": "8.15.1" }, "checkpoint_harmony_endpoint": { "threatextraction": { "advanced_info": " \"disable_exclusion\": true ", "client": { "name": "Check Point Endpoint Security Client", "version": "88.50.0213" }, "confidence_level": "High", "description": "File is not supported for extraction", "event_type": "TEX Event", "installed_products": "Full Disk Encryption; Media Encryption & Port Protection; Firewall; Compliance; Application Control; Anti-Malware; VPN; Anti-Bot; Forensics; Threat Emulation", "malware": { "action": "Not Supported" }, "policy": { "date": "2024-08-29T13:12:50.0000000Z", "name": "Default Threat Extraction, Emulation and Anti-Exploit settings for the entire organization", "number": 3 }, "product": { "family": "Endpoint", "name": "Threat Extraction" }, "protection_type": "Content Removal", "sequencenum": 1, "severity": "Informational", "src": "10.35.38.102", "tenant_id": "3e15ed24-89ff-4986-a204-c425cee4ba48", "type": "Log", "web_client_type": "Chrome" } }, "data_stream": { "dataset": "checkpoint_harmony_endpoint.threatextraction", "namespace": "81720", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { "id": "82b03ad0-7025-436d-9e81-8a39705e0152", "snapshot": false, "version": "8.15.1" }, "event": { "action": "Extract", "agent_id_status": "verified", "category": [ "malware" ], "dataset": "checkpoint_harmony_endpoint.threatextraction", "id": "a4640108-91b1-0f19-66d5-83f100000019", "ingested": "2024-10-24T05:35:11Z", "kind": "alert", "module": "checkpoint_harmony_endpoint", "type": [ "info" ] }, "file": { "hash": { "sha1": "no-sha1" }, "name": "mirai.sh4", "path": "blob:https://github.com/6bd30ea7-29a8-4dd2-9056-f5077632e110", "size": 0, "type": "sh4" }, "host": { "hostname": "DESKTOP-E2P4OL0", "ip": [ "10.35.38.102" ], "name": "DESKTOP-E2P4OL0", "os": { "name": "Microsoft Windows 10 Pro", "version": "10.0-19045-SP0.0-SMP" }, "type": [ "Desktop" ] }, "input": { "type": "cel" }, "related": { "hash": [ "no-sha1" ], "hosts": [ "DESKTOP-E2P4OL0" ], "ip": [ "10.35.38.102" ], "user": [ "admin" ] }, "rule": { "name": "Extract potentially malicious content" }, "tags": [ "forwarded" ], "user": { "domain": "SMC User", "id": "S-1-5-21-3766288932-3295778425-2939962592-1001", "name": [ "admin" ] } }
```
Exported fields

| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| checkpoint_harmony_endpoint.threatextraction.advanced_info | Internal field used to configure exclusions | text |
| checkpoint_harmony_endpoint.threatextraction.analyzed_on | Describes where the threat was analyzed. | keyword |
| checkpoint_harmony_endpoint.threatextraction.client.name | Can be Check Point Endpoint Security Client or Check Point Capsule Docs Client | keyword |
| checkpoint_harmony_endpoint.threatextraction.client.version | Build version of the Harmony Endpoint client installed on the computer | version |
| checkpoint_harmony_endpoint.threatextraction.confidence_level | Can be Low/Medium/High/N/A | keyword |
| checkpoint_harmony_endpoint.threatextraction.description | Details of the event | text |
| checkpoint_harmony_endpoint.threatextraction.event_type | Name of the event | keyword |
| checkpoint_harmony_endpoint.threatextraction.incident_uid | ID of the EFR report (if relevant/exists) | keyword |
| checkpoint_harmony_endpoint.threatextraction.installed_products | List of installed endpoint software blades | keyword |
| checkpoint_harmony_endpoint.threatextraction.malware.action | Additional information on the extraction - can be Extracted, Verified, Oversized, Not Supported, Corrupted File | keyword |
| checkpoint_harmony_endpoint.threatextraction.orig | | ip |
| checkpoint_harmony_endpoint.threatextraction.packet_capture | Link to the PCAP traffic capture file with the recorded malicious connection. | keyword |
| checkpoint_harmony_endpoint.threatextraction.policy.date | Policy date | date |
| checkpoint_harmony_endpoint.threatextraction.policy.name | Policy name | keyword |
| checkpoint_harmony_endpoint.threatextraction.policy.number | Version number of the policy | integer |
| checkpoint_harmony_endpoint.threatextraction.product.family | Product family the blade/product belongs to, possible values (0 - Network, 1 - Endpoint, 2 - Access, 3 - Threat, 4 - Mobile) | keyword |
| checkpoint_harmony_endpoint.threatextraction.product.name | Product name | keyword |
| checkpoint_harmony_endpoint.threatextraction.protection_type | Detection type | keyword |
| checkpoint_harmony_endpoint.threatextraction.resource | Resource in the HTTP request | keyword |
| checkpoint_harmony_endpoint.threatextraction.sequencenum | Number added to order logs that have the same Linux timestamp and origin (the Security Gateway that generated these logs) | integer |
| checkpoint_harmony_endpoint.threatextraction.severity | Event severity | keyword |
| checkpoint_harmony_endpoint.threatextraction.src | Client source IP address | ip |
| checkpoint_harmony_endpoint.threatextraction.tenant_id | Tenant ID | keyword |
| checkpoint_harmony_endpoint.threatextraction.type | Log type | keyword |
| checkpoint_harmony_endpoint.threatextraction.web_client_type | Name of the browser, if relevant (Chrome, Edge, etc.) | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| input.type | Input type | keyword |

A range of ECS fields are also exported. They are described in the ECS documentation (https://elastic.ac.cn/guide/en/ecs/current/ecs-field-reference.html).
URL Filtering

This is the URL Filtering dataset.

Example

An example event for urlfiltering looks as following:
```json
{ "@timestamp": "2024-09-06T10:07:43.000Z", "agent": { "ephemeral_id": "95fc55ec-9d54-4116-87cc-a4fe3767eba0", "id": "3c23eeec-fde0-4811-91a1-6bc5b403c95e", "name": "elastic-agent-18777", "type": "filebeat", "version": "8.15.1" }, "checkpoint_harmony_endpoint": { "urlfiltering": { "advanced_info": "\"exclusions\":[{\"exclusion_engine_type\":\"URL Filtering exclusions\",\"exclusion_type\":\"Domain\",\"exclusion_value\":{\"default_value\":\"secure.indeed.com\",\"md5\":\"\",\"original_name\":\"\",\"signer\":\"\",\"process\":\"\",\"protection\":\"\",\"comment\":\"\"}}]", "app": { "id": "0", "properties": "Job Search / Careers, Business / Economy" }, "appi_name": "secure.indeed.com", "client": { "name": "Check Point Endpoint Security Client", "version": "88.50.0213" }, "description": "URLF Info Event", "event_type": "URLF Info Event", "installed_products": "Full Disk Encryption; Media Encryption & Port Protection; Firewall; Compliance; Application Control; Anti-Malware; VPN; Anti-Bot; Forensics; Threat Emulation", "matched_category": "Job Search / Careers", "policy": { "date": "2024-09-06T09:57:28.0000000Z", "name": "Default Anti-Bot settings", "number": 4 }, "process_exe_path": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "product": { "family": "Endpoint", "name": "URL Filtering" }, "protection_type": "URL Filtering", "sequencenum": 16777215, "severity": "Informational", "src": "10.35.38.102", "tenant_id": "3e15ed24-89ff-4986-a204-c425cee4ba48", "type": "Log", "usercheck_incident_uid": "b04d8940", "web_client_type": "Chrome" } }, "data_stream": { "dataset": "checkpoint_harmony_endpoint.urlfiltering", "namespace": "69408", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { "id": "3c23eeec-fde0-4811-91a1-6bc5b403c95e", "snapshot": false, "version": "8.15.1" }, "event": { "action": "Detect", "agent_id_status": "verified", "category": [ "malware" ], "dataset": "checkpoint_harmony_endpoint.urlfiltering", "id": "a4640108-91b1-0f19-66da-d62100000013", "ingested": "2024-10-24T05:36:11Z", "kind": "alert", "module": "checkpoint_harmony_endpoint", "type": [ "info" ] }, "host": { "hostname": "DESKTOP-E2P4OL0", "ip": [ "10.35.38.102" ], "name": "DESKTOP-E2P4OL0", "os": { "name": "Microsoft Windows 10 Pro", "version": "10.0-19045-SP0.0-SMP" }, "type": [ "Desktop" ] }, "input": { "type": "cel" }, "related": { "hosts": [ "DESKTOP-E2P4OL0" ], "ip": [ "10.35.38.102" ], "user": [ "admin" ] }, "rule": { "name": "gen.urlf" }, "tags": [ "forwarded" ], "url": { "domain": "secure.indeed.com", "original": "https://secure.indeed.com/auth?branding=save-profile-modal&tmpl=inline&from=act_zeroauth_profile_tst&iframe_tk=9a019527-a6f1-4b3d-b803-2b25bb46b1db&hl=en_IN&co=IN", "path": "/auth", "query": "branding=save-profile-modal&tmpl=inline&from=act_zeroauth_profile_tst&iframe_tk=9a019527-a6f1-4b3d-b803-2b25bb46b1db&hl=en_IN&co=IN", "scheme": "https" }, "user": { "domain": "SMC User", "id": "S-1-5-21-3766288932-3295778425-2939962592-1001", "name": [ "admin" ] } }
```
Exported fields
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| checkpoint_harmony_endpoint.urlfiltering.advanced_info | Internal field used to configure exclusions | text |
| checkpoint_harmony_endpoint.urlfiltering.analyzed_on | Describes where the threat was analyzed. | keyword |
| checkpoint_harmony_endpoint.urlfiltering.app.id | Application ID | keyword |
| checkpoint_harmony_endpoint.urlfiltering.app.properties | All categories the application belongs to | text |
| checkpoint_harmony_endpoint.urlfiltering.app_properties | Application categories | keyword |
| checkpoint_harmony_endpoint.urlfiltering.appi_name | Requested website (domain only, without the path) | text |
| checkpoint_harmony_endpoint.urlfiltering.client.name | Either Check Point Endpoint Security Client or Check Point Capsule Docs Client | keyword |
| checkpoint_harmony_endpoint.urlfiltering.client.version | Build version of the Harmony Endpoint client installed on the computer | version |
| checkpoint_harmony_endpoint.urlfiltering.confidence_level | One of Low, Medium, High or N/A | keyword |
| checkpoint_harmony_endpoint.urlfiltering.description | Details of the event | text |
| checkpoint_harmony_endpoint.urlfiltering.dst | Destination IP address | ip |
| checkpoint_harmony_endpoint.urlfiltering.event_type | Name of the event | keyword |
| checkpoint_harmony_endpoint.urlfiltering.installed_products | List of installed Endpoint software blades | keyword |
| checkpoint_harmony_endpoint.urlfiltering.matched_category | Matched category | keyword |
| checkpoint_harmony_endpoint.urlfiltering.orig | | ip |
| checkpoint_harmony_endpoint.urlfiltering.packet_capture | Link to the PCAP traffic capture file of the recorded malicious connection. | keyword |
| checkpoint_harmony_endpoint.urlfiltering.policy.date | Policy date | date |
| checkpoint_harmony_endpoint.urlfiltering.policy.name | Policy name | keyword |
| checkpoint_harmony_endpoint.urlfiltering.policy.number | Version number of the policy | integer |
| checkpoint_harmony_endpoint.urlfiltering.process_exe_path | Path of the process executable | keyword |
| checkpoint_harmony_endpoint.urlfiltering.product.family | Product family the blade/product belongs to; possible values (0 - Network, 1 - Endpoint, 2 - Access, 3 - Threat, 4 - Mobile) | keyword |
| checkpoint_harmony_endpoint.urlfiltering.product.name | Product name | keyword |
| checkpoint_harmony_endpoint.urlfiltering.protection_type | Detection type | keyword |
| checkpoint_harmony_endpoint.urlfiltering.resource | Resource of the HTTP request | keyword |
| checkpoint_harmony_endpoint.urlfiltering.sequencenum | Number added to order logs that share the same Linux timestamp and origin (the Security Gateway that generated them) | integer |
| checkpoint_harmony_endpoint.urlfiltering.severity | Event severity | keyword |
| checkpoint_harmony_endpoint.urlfiltering.src | Client source IP address | ip |
| checkpoint_harmony_endpoint.urlfiltering.tenant_id | Tenant ID | keyword |
| checkpoint_harmony_endpoint.urlfiltering.type | Log type | keyword |
| checkpoint_harmony_endpoint.urlfiltering.usercheck_incident_uid | Internal ID of the UserCheck incident | keyword |
| checkpoint_harmony_endpoint.urlfiltering.web_client_type | Name of the browser, if relevant (Chrome, Edge, etc.) | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| input.type | Input type | keyword |
A set of ECS fields is also exported. They are described in the ECS documentation (https://elastic.ac.cn/guide/en/ecs/current/ecs-field-reference.html).
Zero Phishing
This is the Zero-Phishing dataset.
Example
An example event for zerophishing looks as follows:
```json
{
  "@timestamp": "2024-09-02T08:51:08.000Z",
  "agent": {
    "ephemeral_id": "9fc6c363-e390-492c-bfdf-684e4d20aff8",
    "id": "64f03e47-f005-4ecd-8d91-e63af37617a3",
    "name": "elastic-agent-34074",
    "type": "filebeat",
    "version": "8.15.1"
  },
  "checkpoint_harmony_endpoint": {
    "zerophishing": {
      "advanced_info": "\"exclusions\":[{\"exclusion_engine_type\":\"Threat Emulation, Extraction and Zero Phishing Exclusions\",\"exclusion_type\":\"Domain\",\"exclusion_value\":{\"default_value\":\"main.sbm-demo.xyz\",\"md5\":\"\",\"original_name\":\"\",\"signer\":\"\",\"process\":\"\",\"protection\":\"\",\"comment\":\"\"}}]",
      "client": {
        "name": "Check Point Endpoint Security Client",
        "version": "88.50.0213"
      },
      "confidence_level": "High",
      "description": "Deceptive site (https://main.sbm-demo.xyz/zero-phishing) was detected.",
      "event_type": "Phishing Event",
      "extension_version": "Check Point Endpoint Security Client",
      "installed_products": "Full Disk Encryption; Media Encryption & Port Protection; Firewall; Compliance; Application Control; Anti-Malware; VPN; Anti-Bot; Forensics; Threat Emulation",
      "malware": {},
      "policy": {
        "date": "2024-08-29T13:12:50.0000000Z",
        "name": "Default Threat Extraction, Emulation and Anti-Exploit settings for the entire organization",
        "number": 3
      },
      "product": {
        "family": "Endpoint",
        "name": "Zero Phishing"
      },
      "protection_type": "Phishing",
      "sequencenum": 16777215,
      "severity": "High",
      "src": "10.35.38.102",
      "tenant_id": "3e15ed24-89ff-4986-a204-c425cee4ba48",
      "type": "Log",
      "web_client_type": "Chrome"
    }
  },
  "data_stream": {
    "dataset": "checkpoint_harmony_endpoint.zerophishing",
    "namespace": "39288",
    "type": "logs"
  },
  "ecs": { "version": "8.11.0" },
  "elastic_agent": {
    "id": "64f03e47-f005-4ecd-8d91-e63af37617a3",
    "snapshot": false,
    "version": "8.15.1"
  },
  "event": {
    "action": "Detect",
    "agent_id_status": "verified",
    "category": ["malware"],
    "dataset": "checkpoint_harmony_endpoint.zerophishing",
    "id": "a4640108-91b1-0f19-66d5-7d6100000004",
    "ingested": "2024-10-24T05:37:11Z",
    "kind": "alert",
    "module": "checkpoint_harmony_endpoint",
    "type": ["info"]
  },
  "host": {
    "hostname": "DESKTOP-E2P4OL0",
    "ip": ["10.35.38.102"],
    "name": "DESKTOP-E2P4OL0",
    "os": {
      "name": "Microsoft Windows 10 Pro",
      "version": "10.0-19045-SP0.0-SMP"
    },
    "type": ["Desktop"]
  },
  "input": { "type": "cel" },
  "related": {
    "hosts": ["DESKTOP-E2P4OL0"],
    "ip": ["10.35.38.102"],
    "user": ["admin"]
  },
  "rule": { "name": "gen.ba.phishing" },
  "tags": ["forwarded"],
  "url": {
    "domain": "main.sbm-demo.xyz",
    "original": "https://main.sbm-demo.xyz/zero-phishing",
    "path": "/zero-phishing",
    "scheme": "https"
  },
  "user": {
    "domain": "SMC User",
    "id": "S-1-5-21-3766288932-3295778425-2939962592-1001",
    "name": ["admin"]
  }
}
```
Exported fields
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| checkpoint_harmony_endpoint.zerophishing.advanced_info | Internal field used to configure exclusions | text |
| checkpoint_harmony_endpoint.zerophishing.client.name | Either Check Point Endpoint Security Client or Check Point Capsule Docs Client | keyword |
| checkpoint_harmony_endpoint.zerophishing.client.version | Build version of the Harmony Endpoint client installed on the computer | version |
| checkpoint_harmony_endpoint.zerophishing.confidence_level | One of Low, Medium, High or N/A | keyword |
| checkpoint_harmony_endpoint.zerophishing.description | Details of the event | text |
| checkpoint_harmony_endpoint.zerophishing.event_type | Name of the event | keyword |
| checkpoint_harmony_endpoint.zerophishing.extension_version | Browser extension version | keyword |
| checkpoint_harmony_endpoint.zerophishing.installed_products | List of installed Endpoint software blades | keyword |
| checkpoint_harmony_endpoint.zerophishing.malware.action | Additional information about the detection, for example "User reused corporate credentials" | keyword |
| checkpoint_harmony_endpoint.zerophishing.orig | | ip |
| checkpoint_harmony_endpoint.zerophishing.policy.date | Policy date | date |
| checkpoint_harmony_endpoint.zerophishing.policy.name | Policy name | keyword |
| checkpoint_harmony_endpoint.zerophishing.policy.number | Version number of the policy | integer |
| checkpoint_harmony_endpoint.zerophishing.product.family | Product family the blade/product belongs to; possible values (0 - Network, 1 - Endpoint, 2 - Access, 3 - Threat, 4 - Mobile) | keyword |
| checkpoint_harmony_endpoint.zerophishing.product.name | Product name | keyword |
| checkpoint_harmony_endpoint.zerophishing.protection_type | Detection type | keyword |
| checkpoint_harmony_endpoint.zerophishing.resource | Resource of the HTTP request | keyword |
| checkpoint_harmony_endpoint.zerophishing.sequencenum | Number added to order logs that share the same Linux timestamp and origin (the Security Gateway that generated them) | integer |
| checkpoint_harmony_endpoint.zerophishing.severity | Event severity | keyword |
| checkpoint_harmony_endpoint.zerophishing.src | Client source IP address | ip |
| checkpoint_harmony_endpoint.zerophishing.tenant_id | Tenant ID | keyword |
| checkpoint_harmony_endpoint.zerophishing.type | Log type | keyword |
| checkpoint_harmony_endpoint.zerophishing.web_client_type | Name of the browser, if relevant (Chrome, Edge, etc.) | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| input.type | Input type | keyword |
A set of ECS fields is also exported. They are described in the ECS documentation (https://elastic.ac.cn/guide/en/ecs/current/ecs-field-reference.html).
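The following is an added example, not code from the Elastic integration or from Check Point, showing how a SOC script would consume documents from the urlfiltering and zerophishing datasets described above. It handles two details visible in the sample events: `advanced_info` is a JSON fragment without the enclosing braces (`"exclusions":[...]`), so it must be wrapped before it can be decoded, and `url.original` carries the full request URL including query parameters (the urlfiltering sample contains an `iframe_tk` token), so it is redacted before a finding is shared. The two sample events are constructed, trimmed copies of the example documents in this section; the severity ranking, the Low-confidence downgrade and the shape of the returned finding are this example's own choices, not part of the integration.

```python
"""Triage helpers for the urlfiltering and zerophishing datasets (added example)."""
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: subset of the urlfiltering example document in this section.
URLF_EVENT = {
    "event": {"dataset": "checkpoint_harmony_endpoint.urlfiltering", "action": "Detect"},
    "checkpoint_harmony_endpoint": {
        "urlfiltering": {
            "advanced_info": (
                '"exclusions":[{"exclusion_engine_type":"URL Filtering exclusions",'
                '"exclusion_type":"Domain","exclusion_value":{"default_value":'
                '"secure.indeed.com","md5":"","original_name":"","signer":"",'
                '"process":"","protection":"","comment":""}}]'
            ),
            "matched_category": "Job Search / Careers",
            "process_exe_path": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
            "severity": "Informational",
            "web_client_type": "Chrome",
        }
    },
    "host": {"name": "DESKTOP-E2P4OL0"},
    "user": {"name": ["admin"]},
    "url": {
        "original": "https://secure.indeed.com/auth?branding=save-profile-modal"
        "&tmpl=inline&from=act_zeroauth_profile_tst"
        "&iframe_tk=9a019527-a6f1-4b3d-b803-2b25bb46b1db&hl=en_IN&co=IN"
    },
}

# Constructed sample: subset of the zerophishing example document in this section.
ZP_EVENT = {
    "event": {"dataset": "checkpoint_harmony_endpoint.zerophishing", "action": "Detect"},
    "checkpoint_harmony_endpoint": {
        "zerophishing": {
            "advanced_info": (
                '"exclusions":[{"exclusion_engine_type":"Threat Emulation, Extraction '
                'and Zero Phishing Exclusions","exclusion_type":"Domain",'
                '"exclusion_value":{"default_value":"main.sbm-demo.xyz","md5":"",'
                '"original_name":"","signer":"","process":"","protection":"","comment":""}}]'
            ),
            "confidence_level": "High",
            "severity": "High",
            "web_client_type": "Chrome",
        }
    },
    "host": {"name": "DESKTOP-E2P4OL0"},
    "user": {"name": ["admin"]},
    "url": {"original": "https://main.sbm-demo.xyz/zero-phishing"},
}

# Example ranking (this script's own choice) of the severity strings the events carry.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Informational": 0}


def parse_exclusions(advanced_info):
    """Decode advanced_info into a list of exclusion objects.

    The sample events carry the value as '"exclusions":[...]' with no outer
    braces, which json.loads() rejects, so wrap it first. Empty or missing
    input yields an empty list; an already complete object is used as-is.
    """
    text = (advanced_info or "").strip()
    if not text:
        return []
    if not text.startswith("{"):
        text = "{" + text + "}"
    return json.loads(text).get("exclusions", [])


def redact_url(original):
    """Keep scheme://host/path only; the query string may hold session tokens."""
    parts = urlsplit(original)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def triage(event):
    """Turn one ingested document into a compact, shareable finding."""
    dataset = event["event"]["dataset"].rsplit(".", 1)[-1]  # urlfiltering / zerophishing
    fields = event["checkpoint_harmony_endpoint"][dataset]
    rank = SEVERITY_RANK.get(fields.get("severity"), 0)
    if fields.get("confidence_level") == "Low":  # example policy: Low confidence drops one notch
        rank = max(rank - 1, 0)
    priority = "high" if rank >= 3 else "medium" if rank == 2 else "info"
    original = event.get("url", {}).get("original")
    return {
        "dataset": dataset,
        "priority": priority,
        "host": event["host"]["name"],
        "users": list(event["user"]["name"]),
        "browser": fields.get("web_client_type"),
        "process": fields.get("process_exe_path"),
        "category": fields.get("matched_category"),
        "url": redact_url(original) if original else None,
        # Domains the product proposes as exclusions; review them before anyone whitelists.
        "suggested_exclusions": [
            e["exclusion_value"]["default_value"] for e in parse_exclusions(fields.get("advanced_info"))
        ],
    }


if __name__ == "__main__":
    for ev in (URLF_EVENT, ZP_EVENT):
        print(json.dumps(triage(ev), indent=2))
```

`parse_exclusions` is the piece most likely to trip a naive consumer: the `advanced_info` string looks like JSON but is not a complete document. The redaction in `redact_url` is deliberate; a URL filtering index captures every query string users send, so anything exported from it to a ticket or chat channel should carry only the host and path.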