Cybereason
Overview
Cybereason is a cybersecurity company specializing in endpoint detection and response (EDR) solutions that help organizations detect and respond to cyber threats. Cybereason's goal is to provide comprehensive cybersecurity solutions that help organizations defend against a wide range of cyber threats, including malware, ransomware and advanced persistent threats (APTs).
Use the Cybereason integration to collect and parse data from the REST API, then visualize that data in Kibana.
Compatibility
This module has been tested against the latest Cybereason On-Premises version 23.2.
Data streams
The Cybereason integration collects six types of logs: Logon Session, Malop Connection, Malop Process, Malware, Poll Malop and Suspicions Process.
- Logon Session - This data stream helps security teams monitor and analyze logon sessions within their network, identify potential threats and take appropriate action to mitigate risk.
- Malop Connection - This data stream provides detailed information about network connections observed by the endpoint detection and response (EDR) system.
- Malop Process - This data stream provides detailed information about malicious processes detected within the environment, supporting the detection and mitigation of security threats.
- Malware - This data stream provides detailed information about malware detection events, including the detected file, its type, the detection method and other metadata for analysis and response.
- Poll Malop - This data stream provides comprehensive information about malicious operations (Malops) detected by Cybereason's EDR system, enabling security teams to analyze and respond to potential threats effectively.
- Suspicions Process - This data stream provides detailed information about processes that the endpoint detection and response (EDR) system suspects or deems malicious.
Suspicions Process uses the same endpoint as the first three data streams; the integration adds a filter, hasSuspicions : true, and some custom fields to fetch only the suspicion-related logs.
Requirements
- Elastic Agent must be installed. For more details and installation instructions, refer to the Elastic Agent installation guide.
- Only one Elastic Agent can be installed per host.
- Elastic Agent is required to stream data through the REST API and ship it to Elastic, where the events are then processed by the integration's ingest pipelines.
Installing and managing an Elastic Agent
There are several options for installing and managing Elastic Agent:
Install a Fleet-managed Elastic Agent (recommended)
With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure and manage your agents in a central location. We recommend Fleet management because it makes managing and upgrading your agents considerably easier.
Install Elastic Agent in standalone mode (advanced users)
With this approach, you install Elastic Agent and manually configure the agent locally on the system where it is installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only.
Install Elastic Agent in a containerized environment
You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes.
Please note that there are minimum requirements for running Elastic Agent. For more information, refer to the Elastic Agent minimum requirements.
Setup
To collect logs through the REST API, follow these steps:
- Visit this page to deploy an instance of Cybereason in your environment.
- After deployment, you will receive parameters such as host, port, username and password, which you use to configure the Cybereason integration in your Elasticsearch environment.
Enabling the integration in Elastic
- In Kibana, navigate to Management > Integrations.
- In the "Search for integrations" top bar, search for Cybereason.
- Select the "Cybereason" integration from the search results.
- Select "Add Cybereason" to add the integration.
- While adding the integration, enter the following details to collect logs via the REST API:
  - Host
  - Port
  - Username
  - Password
  - Initial Interval
  - Interval
  - Batch Size
Logs reference
Logon Session
This is the Logon Session dataset.
Example
An example event for logon_session looks as following:
```json
{ "@timestamp": "2024-03-13T12:20:35.086Z", "cybereason": { "logon_session": { "element_values": { "owner_machine": { "element_values": [ { "element_type": "Machine", "guid": "_MlzCxCi55eyTiwX", "has_malops": false, "has_suspicions": false, "name": "desktop-f2nf4st", "object": { "ownermachine": "myd" }, "simple_values": { "machinesimple": "value" } } ], "guessed_total": 0, "total_malicious": 0, "total_suspicious": 0, "total_values": 1 }, "processes": { "element_values": [ { "element_type": "MachineProcess", "guid": "_MlzCxCi55eyTiwXYX", "has_malops": true, "has_suspicions": true, "name": "desktop-f2nf4stgy", "object": { "process": "myd" }, "simple_values": { "processsimple": "value" } } ], "guessed_total": 0, "total_malicious": 0, "total_suspicious": 0, "total_values": 320 }, "remote_machine": { "element_values": [ { "element_type": "Remote", "guid": "AAAAGKxw2bFBmcGUssss", "has_malops": false, "has_suspicions": true, "name": "desktop-f2nf4stmjremote", "object": { "remote": "myd" }, "simple_values": { "remotesimple": "value" } } ], "guessed_total": 0, "total_malicious": 0, "total_suspicious": 0, "total_values": 1 }, "user": { "element_values": [ { "element_type": "User", "guid": "AAAAGKxw2bFBmcGU", "has_malops": false, "has_suspicions": false, "name": "desktop-f2nf4st\\eden", "object": { "user": "myd" }, "simple_values": { "usersimple": "value" } } ], "guessed_total": 0, "total_malicious": 0, "total_suspicious": 0, "total_values": 1 } }, "evidence_map": { "evidence": "map" }, "filter_data": { "group_by_value": "{guid=AAAAGKxw2bFBmcGU, __typename=User, elementDisplayName=desktop-f2nf4st\\eden, group=7af5074f-ab26-43b3-b0f1-acc962920615, hasSuspicions=false, hasMalops=false}", "sort_in_group_value": "hyefilter" }, "guid_string": "_MlzC6rnLebZ2aBh", "is_malicious": false, "labels_ids": "l1", "malicious": false, "malop_priority": "HIGH", "simple_values": { "creation_time": { "total_values": 1, "values": [ "2024-03-13T12:20:35.086Z" ] }, "element_display_name": { "total_values": 1, "values": [ "Unknown host > desktop-f2nf4st" ] }, "group": { "total_values": 1, "values": [ "00000000-0000-0000-0000-000000000000" ] }, "logon_type": { "total_values": 1, "values": [ "SLT_RemoteInteractive" ] } }, "suspect": false, "suspicion_count": 0, "suspicions": { "xyz": "dhyg" }, "suspicions_map": { "suspicions": "map" } } }, "ecs": { "version": "8.11.0" }, "event": { "category": [ "malware" ], "id": "_MlzC6rnLebZ2aBh", "kind": "alert", "original": "[{\"simpleValues\":{\"logonType\":{\"totalValues\":1,\"values\":[\"SLT_RemoteInteractive\"]},\"creationTime\":{\"totalValues\":1,\"values\":[\"1710332435086\"]},\"group\":{\"totalValues\":1,\"values\":[\"00000000-0000-0000-0000-000000000000\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"Unknown host > desktop-f2nf4st\"]}},\"elementValues\":{\"user\":{\"totalValues\":1,\"elementValues\":[{\"elementType\":\"User\",\"guid\":\"AAAAGKxw2bFBmcGU\",\"name\":\"desktop-f2nf4st\\\\eden\",\"hasSuspicions\":false,\"hasMalops\":false,\"elementValues\":{\"user\":\"myd\"},\"simpleValues\":{\"usersimple\":\"value\"}}],\"totalSuspicious\":0,\"totalMalicious\":0,\"guessedTotal\":0},\"remoteMachine\":{\"totalValues\":1,\"elementValues\":[{\"elementType\":\"Remote\",\"guid\":\"AAAAGKxw2bFBmcGUssss\",\"name\":\"desktop-f2nf4stmjremote\",\"hasSuspicions\":true,\"hasMalops\":false,\"elementValues\":{\"remote\":\"myd\"},\"simpleValues\":{\"remotesimple\":\"value\"}}],\"totalSuspicious\":0,\"totalMalicious\":0,\"guessedTotal\":0},\"ownerMachine\":{\"totalValues\":1,\"elementValues\":[{\"elementType\":\"Machine\",\"guid\":\"_MlzCxCi55eyTiwX\",\"name\":\"desktop-f2nf4st\",\"hasSuspicions\":false,\"hasMalops\":false,\"elementValues\":{\"ownermachine\":\"myd\"},\"simpleValues\":{\"machinesimple\":\"value\"}}],\"totalSuspicious\":0,\"totalMalicious\":0,\"guessedTotal\":0},\"processes\":{\"totalValues\":320,\"elementValues\":[{\"elementType\":\"MachineProcess\",\"guid\":\"_MlzCxCi55eyTiwXYX\",\"name\":\"desktop-f2nf4stgy\",\"hasSuspicions\":true,\"hasMalops\":true,\"elementValues\":{\"process\":\"myd\"},\"simpleValues\":{\"processsimple\":\"value\"}}],\"totalSuspicious\":0,\"totalMalicious\":0,\"guessedTotal\":0}},\"suspicions\":{\"xyz\":\"dhyg\"},\"filterData\":{\"sortInGroupValue\":\"hyefilter\",\"groupByValue\":\"{guid=AAAAGKxw2bFBmcGU, __typename=User, elementDisplayName=desktop-f2nf4st\\\\eden, group=7af5074f-ab26-43b3-b0f1-acc962920615, hasSuspicions=false, hasMalops=false}\"},\"isMalicious\":false,\"suspicionCount\":0,\"guidString\":\"_MlzC6rnLebZ2aBh\",\"labelsIds\":\"l1\",\"malopPriority\":\"HIGH\",\"suspect\":false,\"malicious\":false}, {\"suspicions\":\"map\"}, {\"evidence\":\"map\"}]", "type": [ "info" ] }, "related": { "user": [ "AAAAGKxw2bFBmcGU", "desktop-f2nf4st\\eden" ] }, "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields" ], "user": { "id": [ "AAAAGKxw2bFBmcGU" ], "name": [ "desktop-f2nf4st\\eden" ] } }
```
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
cybereason.logon_session.element_values.owner_machine.element_values.element_type | | keyword |
cybereason.logon_session.element_values.owner_machine.element_values.guid | | keyword |
cybereason.logon_session.element_values.owner_machine.element_values.has_malops | | boolean |
cybereason.logon_session.element_values.owner_machine.element_values.has_suspicions | | boolean |
cybereason.logon_session.element_values.owner_machine.element_values.name | | keyword |
cybereason.logon_session.element_values.owner_machine.element_values.object | | flattened |
cybereason.logon_session.element_values.owner_machine.element_values.simple_values | | flattened |
cybereason.logon_session.element_values.owner_machine.guessed_total | | long |
cybereason.logon_session.element_values.owner_machine.total_malicious | | long |
cybereason.logon_session.element_values.owner_machine.total_suspicious | | long |
cybereason.logon_session.element_values.owner_machine.total_values | | long |
cybereason.logon_session.element_values.processes.element_values.element_type | | keyword |
cybereason.logon_session.element_values.processes.element_values.guid | | keyword |
cybereason.logon_session.element_values.processes.element_values.has_malops | | boolean |
cybereason.logon_session.element_values.processes.element_values.has_suspicions | | boolean |
cybereason.logon_session.element_values.processes.element_values.name | | keyword |
cybereason.logon_session.element_values.processes.element_values.object | | flattened |
cybereason.logon_session.element_values.processes.element_values.simple_values | | flattened |
cybereason.logon_session.element_values.processes.guessed_total | | long |
cybereason.logon_session.element_values.processes.total_malicious | | long |
cybereason.logon_session.element_values.processes.total_suspicious | | long |
cybereason.logon_session.element_values.processes.total_values | | long |
cybereason.logon_session.element_values.remote_machine.element_values.element_type | | keyword |
cybereason.logon_session.element_values.remote_machine.element_values.guid | | keyword |
cybereason.logon_session.element_values.remote_machine.element_values.has_malops | | boolean |
cybereason.logon_session.element_values.remote_machine.element_values.has_suspicions | | boolean |
cybereason.logon_session.element_values.remote_machine.element_values.name | | keyword |
cybereason.logon_session.element_values.remote_machine.element_values.object | | flattened |
cybereason.logon_session.element_values.remote_machine.element_values.simple_values | | flattened |
cybereason.logon_session.element_values.remote_machine.guessed_total | | long |
cybereason.logon_session.element_values.remote_machine.total_malicious | | long |
cybereason.logon_session.element_values.remote_machine.total_suspicious | | long |
cybereason.logon_session.element_values.remote_machine.total_values | | long |
cybereason.logon_session.element_values.user.element_values.element_type | | keyword |
cybereason.logon_session.element_values.user.element_values.guid | | keyword |
cybereason.logon_session.element_values.user.element_values.has_malops | | boolean |
cybereason.logon_session.element_values.user.element_values.has_suspicions | | boolean |
cybereason.logon_session.element_values.user.element_values.name | | keyword |
cybereason.logon_session.element_values.user.element_values.object | | flattened |
cybereason.logon_session.element_values.user.element_values.simple_values | | flattened |
cybereason.logon_session.element_values.user.guessed_total | | long |
cybereason.logon_session.element_values.user.total_malicious | | long |
cybereason.logon_session.element_values.user.total_suspicious | | long |
cybereason.logon_session.element_values.user.total_values | | long |
cybereason.logon_session.evidence_map | | flattened |
cybereason.logon_session.filter_data.group_by_value | | keyword |
cybereason.logon_session.filter_data.sort_in_group_value | | keyword |
cybereason.logon_session.guid_string | | keyword |
cybereason.logon_session.is_malicious | | boolean |
cybereason.logon_session.labels_ids | | keyword |
cybereason.logon_session.malicious | | boolean |
cybereason.logon_session.malop_priority | | keyword |
cybereason.logon_session.simple_values.creation_time.total_values | | long |
cybereason.logon_session.simple_values.creation_time.values | | date |
cybereason.logon_session.simple_values.element_display_name.total_values | | long |
cybereason.logon_session.simple_values.element_display_name.values | | keyword |
cybereason.logon_session.simple_values.group.total_values | | long |
cybereason.logon_session.simple_values.group.values | | keyword |
cybereason.logon_session.simple_values.logon_type.total_values | | long |
cybereason.logon_session.simple_values.logon_type.values | | keyword |
cybereason.logon_session.suspect | | boolean |
cybereason.logon_session.suspicion_count | | long |
cybereason.logon_session.suspicions | | flattened |
cybereason.logon_session.suspicions_map | | flattened |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset. | constant_keyword |
event.module | Event module. | constant_keyword |
input.type | Type of Filebeat input. | keyword |
log.offset | Log offset. | long |
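The exported fields above are the REST API result after the integration's ingest pipeline has renamed its camelCase keys to snake_case, turned epoch-millisecond strings such as `creationTime` into the `date` values shown, and kept the raw JSON verbatim in `event.original` (the `preserve_original_event` tag in the sample event). The Suspicions Process stream described in the data streams section is the same result selected on `hasSuspicions`. The Python below is an added example written for this page, not the integration's own pipeline code: it runs that normalization over a constructed, shortened copy of the logon_session result above, builds a document in the same shape, and lists the elements the API flagged. The helper names, the set of keys treated as epoch milliseconds (`EPOCH_MS_KEYS`) and the ECS `user`/`related` mapping are this example's assumptions, taken from the sample events on this page rather than from the integration's pipeline definition.

```python
"""Added example for this page (not the integration's own pipeline code):
normalize one raw Cybereason REST API result into the documented
cybereason.logon_session.* layout and pick out the flagged elements.
Assumptions: helper names, EPOCH_MS_KEYS and the ECS user/related mapping."""
import json
import re
from datetime import datetime, timezone

# Constructed input: a shortened copy of the raw result kept in event.original
# of the logon_session sample event (result, suspicions map, evidence map).
RAW_LOGON_SESSION = json.dumps([
    {
        "simpleValues": {
            "logonType": {"totalValues": 1, "values": ["SLT_RemoteInteractive"]},
            "creationTime": {"totalValues": 1, "values": ["1710332435086"]},
            "elementDisplayName": {"totalValues": 1,
                                   "values": ["Unknown host > desktop-f2nf4st"]},
        },
        "elementValues": {
            "user": {
                "totalValues": 1, "totalSuspicious": 0, "totalMalicious": 0, "guessedTotal": 0,
                "elementValues": [{"elementType": "User", "guid": "AAAAGKxw2bFBmcGU",
                                   "name": "desktop-f2nf4st\\eden",
                                   "hasSuspicions": False, "hasMalops": False}],
            },
            "remoteMachine": {
                "totalValues": 1, "totalSuspicious": 0, "totalMalicious": 0, "guessedTotal": 0,
                "elementValues": [{"elementType": "Remote", "guid": "AAAAGKxw2bFBmcGUssss",
                                   "name": "desktop-f2nf4stmjremote",
                                   "hasSuspicions": True, "hasMalops": False}],
            },
        },
        "isMalicious": False, "suspicionCount": 0, "guidString": "_MlzC6rnLebZ2aBh",
        "malopPriority": "HIGH", "suspect": False, "malicious": False,
    },
    {"suspicions": "map"},
    {"evidence": "map"},
])

# simpleValues keys whose values the API returns as epoch-millisecond strings
# (assumption for this example, taken from the sample events on this page).
EPOCH_MS_KEYS = {"creationTime", "calculatedCreationTime", "endTime"}
_CAMEL_BOUNDARY = re.compile(r"(?<!^)(?=[A-Z])")


def snake(name):
    """camelCase (or dotted, e.g. ownerProcess.user) -> snake_case key."""
    return _CAMEL_BOUNDARY.sub("_", name.replace(".", "_")).lower()


def epoch_ms_to_iso(value):
    """'1710332435086' -> '2024-03-13T12:20:35.086Z' (UTC, millisecond precision)."""
    ms = int(value)
    dt = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    dt = dt.replace(microsecond=(ms % 1000) * 1000)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def normalize(node):
    """Recursively rename keys to snake_case; convert epoch-ms timestamp lists."""
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            if key in EPOCH_MS_KEYS and isinstance(value, dict):
                value = dict(value, values=[epoch_ms_to_iso(v) for v in value.get("values", [])])
            out[snake(key)] = normalize(value)
        return out
    if isinstance(node, list):
        return [normalize(item) for item in node]
    return node


def build_document(raw_json, dataset="logon_session"):
    """Shape one raw API result like the documented event: the normalized result
    under cybereason.<dataset>, the raw JSON kept verbatim in event.original
    (what the preserve_original_event tag does), and ECS user fields."""
    result, suspicions_map, evidence_map = json.loads(raw_json)
    body = normalize(result)
    body["suspicions_map"] = suspicions_map
    body["evidence_map"] = evidence_map
    simple = body.get("simple_values", {})
    stamp = simple.get("creation_time") or simple.get("calculated_creation_time") or {}
    doc = {
        "@timestamp": stamp.get("values", [None])[0],
        "cybereason": {dataset: body},
        "event": {"id": body.get("guid_string"), "kind": "alert", "original": raw_json},
    }
    users = body.get("element_values", {}).get("user", {}).get("element_values", [])
    if users:
        doc["user"] = {"id": [u["guid"] for u in users], "name": [u["name"] for u in users]}
        doc["related"] = {"user": doc["user"]["id"] + doc["user"]["name"]}
    return doc


def flagged_elements(doc, dataset="logon_session"):
    """(element group, name) for every element the API flagged with hasSuspicions
    or hasMalops: the selection the Suspicions Process stream makes server-side
    with its hasSuspicions filter."""
    groups = doc["cybereason"][dataset].get("element_values", {})
    return [(group, e["name"]) for group, g in groups.items()
            for e in g.get("element_values", []) if e.get("has_suspicions") or e.get("has_malops")]


if __name__ == "__main__":
    document = build_document(RAW_LOGON_SESSION)
    print(json.dumps(document, indent=2)[:600])
    print(flagged_elements(document))
```

Running the block prints the start of the rebuilt document and `[('remote_machine', 'desktop-f2nf4stmjremote')]`, the one element in the constructed input with `hasSuspicions` set. Numeric strings other than timestamps (ports, byte counts in the malop_connection event) are left as strings here; the pipeline converts those to `long` as the second field table shows.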
Malop Connection
This is the Malop Connection dataset.
Example
An example event for malop_connection looks as following:
```json
{ "@timestamp": "2024-03-13T11:54:39.973Z", "cybereason": { "malop_connection": { "element_values": { "dns_query": { "element_values": [ { "element_type": "Machine", "guid": "7vCmFBCi55eyTiwX", "has_malops": false, "has_suspicions": false, "name": "dim-win10" } ], "guessed_total": 0, "total_malicious": 0, "total_suspicious": 0, "total_values": 1 }, "owner_machine": { "element_values": [ { "element_type": "Machine", "guid": "7vCmFBCi55eyTiwX", "has_malops": false, "has_suspicions": false, "name": "dim-win10", "object": { "pole": "bye" } } ], "guessed_total": 0, "total_malicious": 0, "total_suspicious": 0, "total_values": 1 }, "owner_process": { "element_values": [ { "element_type": "Process", "guid": "7vCmFPstj36nuaBO", "has_malops": false, "has_suspicions": false, "name": "backgroundtaskhost.exe", "object": { "user": { "elementValues": [ { "elementType": "User", "guid": "AAAAGGZ3xLXVm27e", "hasMalops": false, "hasSuspicions": false, "name": "cy\\cymulator", "simpleValues": { "ok": "lope" } } ], "guessedTotal": 0, "totalMalicious": 0, "totalSuspicious": 0, "totalValues": 1 } } } ], "guessed_total": 0, "total_malicious": 0, "total_suspicious": 0, "total_values": 1 }, "owner_process_user": { "element_values": [ { "element_type": "User", "guid": "AAAAGGZ3xLXVm27e", "has_malops": false, "has_suspicions": false, "name": "cy\\cymulator" } ], "guessed_total": 0, "total_malicious": 0, "total_suspicious": 0, "total_values": 1 } }, "evidence_map": { "evidence": "map" }, "filter_data": { "group_by_value": "81.2.69.192:50394 > 81.2.69.142:443", "sort_in_group_value": "filter" }, "guid_string": "7vCmFD3khy-bwG9X", "is_malicious": false, "labels_ids": "labelids", "malicious": false, "malop_priority": "MEDIUM", "simple_values": { "accessed_by_malware_evidence": { "total_values": 1, "values": [ false ] }, "aggregated_received_bytes_count": { "total_values": 1, "values": [ 6811 ] }, "aggregated_transmitted_bytes_count": { "total_values": 1, "values": [ 4098 ] }, "calculated_creation_time": { "total_values": 1, "values": [ "2024-03-13T11:54:39.973Z" ] }, "direction": { "total_values": 1, "values": [ "OUTGOING" ] }, "element_display_name": { "total_values": 1, "values": [ "81.2.69.192:50394 > 81.2.69.142:443" ] }, "end_time": { "total_values": 1, "values": [ "2024-03-13T11:55:40.803Z" ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "local_port": { "total_values": 1, "values": [ 50394 ] }, "port_type": { "total_values": 1, "values": [ "SERVICE_HTTP" ] }, "remote_address_country_name": { "total_values": 1, "values": [ "United States" ] }, "remote_port": { "total_values": 1, "values": [ 443 ] }, "server_address": { "total_values": 1, "values": [ "0.0.0.0" ] }, "server_port": { "total_values": 1, "values": [ 443 ] }, "state": { "total_values": 1, "values": [ "CONNECTION_OPEN" ] }, "transport_protocol": { "total_values": 1, "values": [ "TCP" ] } }, "suspect": false, "suspicion_count": 0, "suspicions": { "malop": "connection" }, "suspicions_map": { "suspicions": "map" } } }, "ecs": { "version": "8.11.0" }, "event": { "category": [ "network" ], "end": "2024-03-13T11:55:40.803Z", "id": "7vCmFD3khy-bwG9X", "kind": "alert", "original": "[{\"simpleValues\":{\"remoteAddressCountryName\":{\"totalValues\":1,\"values\":[\"United States\"]},\"aggregatedReceivedBytesCount\":{\"totalValues\":1,\"values\":[\"6811\"]},\"endTime\":{\"totalValues\":1,\"values\":[\"1710330940803\"]},\"state\":{\"totalValues\":1,\"values\":[\"CONNECTION_OPEN\"]},\"portType\":{\"totalValues\":1,\"values\":[\"SERVICE_HTTP\"]},\"transportProtocol\":{\"totalValues\":1,\"values\":[\"TCP\"]},\"accessedByMalwareEvidence\":{\"totalValues\":1,\"values\":[\"false\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"81.2.69.192:50394 > 81.2.69.142:443\"]},\"aggregatedTransmittedBytesCount\":{\"totalValues\":1,\"values\":[\"4098\"]},\"localPort\":{\"totalValues\":1,\"values\":[\"50394\"]},\"serverAddress\":{\"totalValues\":1,\"values\":[\"0.0.0.0\"]},\"serverPort\":{\"totalValues\":1,\"values\":[\"443\"]},\"calculatedCreationTime\":{\"totalValues\":1,\"values\":[\"1710330879973\"]},\"remotePort\":{\"totalValues\":1,\"values\":[\"443\"]},\"direction\":{\"totalValues\":1,\"values\":[\"OUTGOING\"]}},\"elementValues\":{\"ownerMachine\":{\"totalValues\":1,\"elementValues\":[{\"elementType\":\"Machine\",\"guid\":\"7vCmFBCi55eyTiwX\",\"name\":\"dim-win10\",\"hasSuspicions\":false,\"hasMalops\":false,\"elementValues\":{\"pole\":\"bye\"},\"simpleValues\":{}}],\"totalSuspicious\":0,\"totalMalicious\":0,\"guessedTotal\":0},\"dnsQuery\":{\"totalValues\":1,\"elementValues\":[{\"elementType\":\"Machine\",\"guid\":\"7vCmFBCi55eyTiwX\",\"name\":\"dim-win10\",\"hasSuspicions\":false,\"hasMalops\":false,\"elementValues\":{},\"simpleValues\":{}}],\"totalSuspicious\":0,\"totalMalicious\":0,\"guessedTotal\":0},\"ownerProcess\":{\"totalValues\":1,\"elementValues\":[{\"elementType\":\"Process\",\"guid\":\"7vCmFPstj36nuaBO\",\"name\":\"backgroundtaskhost.exe\",\"hasSuspicions\":false,\"hasMalops\":false,\"elementValues\":{\"user\":{\"totalValues\":1,\"elementValues\":[{\"elementType\":\"User\",\"guid\":\"AAAAGGZ3xLXVm27e\",\"name\":\"cy\\\\cymulator\",\"hasSuspicions\":false,\"hasMalops\":false,\"elementValues\":{},\"simpleValues\":{\"ok\":\"lope\"}}],\"totalSuspicious\":0,\"totalMalicious\":0,\"guessedTotal\":0}},\"simpleValues\":{}}],\"totalSuspicious\":0,\"totalMalicious\":0,\"guessedTotal\":0},\"ownerProcess.user\":{\"totalValues\":1,\"elementValues\":[{\"elementType\":\"User\",\"guid\":\"AAAAGGZ3xLXVm27e\",\"name\":\"cy\\\\cymulator\",\"hasSuspicions\":false,\"hasMalops\":false,\"elementValues\":{},\"simpleValues\":{}}],\"totalSuspicious\":0,\"totalMalicious\":0,\"guessedTotal\":0}},\"suspicions\":{\"malop\":\"connection\"},\"filterData\":{\"sortInGroupValue\":\"filter\",\"groupByValue\":\"81.2.69.192:50394 > 81.2.69.142:443\"},\"isMalicious\":false,\"suspicionCount\":0,\"guidString\":\"7vCmFD3khy-bwG9X\",\"labelsIds\":\"labelids\",\"malopPriority\":\"MEDIUM\",\"suspect\":false,\"malicious\":false}, {\"suspicions\":\"map\"}, {\"evidence\":\"map\"}]", "type": [ "connection" ] }, "network": { "transport": "TCP" }, "process": { "real_user": { "id": [ "7vCmFBCi55eyTiwX" ], "name": [ "dim-win10" ] } }, "related": { "ip": [ "0.0.0.0" ], "user": [ "7vCmFBCi55eyTiwX", "dim-win10" ] }, "server": { "address": [ "0.0.0.0" ], "ip": "0.0.0.0", "port": 443 }, "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields" ] }
```
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
cybereason.malop_connection.element_values.dns_query.element_values.element_type | | keyword |
cybereason.malop_connection.element_values.dns_query.element_values.guid | | keyword |
cybereason.malop_connection.element_values.dns_query.element_values.has_malops | Indicates whether the connection is associated with any Malops. | boolean |
cybereason.malop_connection.element_values.dns_query.element_values.has_suspicions | Indicates whether the connection is associated with any suspicions. | boolean |
cybereason.malop_connection.element_values.dns_query.element_values.name | | keyword |
cybereason.malop_connection.element_values.dns_query.element_values.object | | flattened |
cybereason.malop_connection.element_values.dns_query.element_values.simple_values | | flattened |
cybereason.malop_connection.element_values.dns_query.guessed_total | | long |
cybereason.malop_connection.element_values.dns_query.total_malicious | | long |
cybereason.malop_connection.element_values.dns_query.total_suspicious | | long |
cybereason.malop_connection.element_values.dns_query.total_values | | long |
cybereason.malop_connection.element_values.owner_machine.element_values.element_type | | keyword |
cybereason.malop_connection.element_values.owner_machine.element_values.guid | | keyword |
cybereason.malop_connection.element_values.owner_machine.element_values.has_malops | | boolean |
cybereason.malop_connection.element_values.owner_machine.element_values.has_suspicions | | boolean |
cybereason.malop_connection.element_values.owner_machine.element_values.name | | keyword |
cybereason.malop_connection.element_values.owner_machine.element_values.object | | flattened |
cybereason.malop_connection.element_values.owner_machine.element_values.simple_values | | flattened |
cybereason.malop_connection.element_values.owner_machine.guessed_total | | long |
cybereason.malop_connection.element_values.owner_machine.total_malicious | | long |
cybereason.malop_connection.element_values.owner_machine.total_suspicious | | long |
cybereason.malop_connection.element_values.owner_machine.total_values | | long |
cybereason.malop_connection.element_values.owner_process.element_values.element_type | | keyword |
cybereason.malop_connection.element_values.owner_process.element_values.guid | | keyword |
cybereason.malop_connection.element_values.owner_process.element_values.has_malops | | boolean |
cybereason.malop_connection.element_values.owner_process.element_values.has_suspicions | | boolean |
cybereason.malop_connection.element_values.owner_process.element_values.name | | keyword |
cybereason.malop_connection.element_values.owner_process.element_values.object | | flattened |
cybereason.malop_connection.element_values.owner_process.element_values.simple_values | | flattened |
cybereason.malop_connection.element_values.owner_process.guessed_total | | long |
cybereason.malop_connection.element_values.owner_process.total_malicious | | long |
cybereason.malop_connection.element_values.owner_process.total_suspicious | | long |
cybereason.malop_connection.element_values.owner_process.total_values | | long |
cybereason.malop_connection.element_values.owner_process_user.element_values.element_type | | keyword |
cybereason.malop_connection.element_values.owner_process_user.element_values.guid | | keyword |
cybereason.malop_connection.element_values.owner_process_user.element_values.has_malops | | boolean |
cybereason.malop_connection.element_values.owner_process_user.element_values.has_suspicions | | boolean |
cybereason.malop_connection.element_values.owner_process_user.element_values.name | | keyword |
cybereason.malop_connection.element_values.owner_process_user.element_values.object | | flattened |
cybereason.malop_connection.element_values.owner_process_user.element_values.simple_values | | flattened |
cybereason.malop_connection.element_values.owner_process_user.guessed_total | | long |
cybereason.malop_connection.element_values.owner_process_user.total_malicious | | long |
cybereason.malop_connection.element_values.owner_process_user.total_suspicious | | long |
cybereason.malop_connection.element_values.owner_process_user.total_values | | long |
cybereason.malop_connection.evidence_map | | flattened |
cybereason.malop_connection.filter_data.group_by_value | The value by which the results are sorted. | keyword |
cybereason.malop_connection.filter_data.sort_in_group_value | A unique numeric value that Cybereason assigns to a group of results. | keyword |
cybereason.malop_connection.guid_string | | keyword |
cybereason.malop_connection.is_malicious | | boolean |
cybereason.malop_connection.labels_ids | | keyword |
cybereason.malop_connection.malicious | | boolean |
cybereason.malop_connection.malop_priority | | keyword |
cybereason.malop_connection.simple_values.accessed_by_malware_evidence.total_values | | long |
cybereason.malop_connection.simple_values.accessed_by_malware_evidence.values | | boolean |
cybereason.malop_connection.simple_values.aggregated_received_bytes_count.total_values | | long |
cybereason.malop_connection.simple_values.aggregated_received_bytes_count.values | | long |
cybereason.malop_connection.simple_values.aggregated_transmitted_bytes_count.total_values | | long |
cybereason.malop_connection.simple_values.aggregated_transmitted_bytes_count.values | | long |
cybereason.malop_connection.simple_values.calculated_creation_time.total_values | | long |
cybereason.malop_connection.simple_values.calculated_creation_time.values | | date |
cybereason.malop_connection.simple_values.direction.total_values | | long |
cybereason.malop_connection.simple_values.direction.values | | keyword |
cybereason.malop_connection.simple_values.element_display_name.total_values | | long |
cybereason.malop_connection.simple_values.element_display_name.values | | keyword |
cybereason.malop_connection.simple_values.end_time.total_values | | long |
cybereason.malop_connection.simple_values.end_time.values | The end time of the period to search, in epoch. | date |
cybereason.malop_connection.simple_values.group.total_values | | long |
cybereason.malop_connection.simple_values.group.values | | keyword |
cybereason.malop_connection.simple_values.local_port.total_values | | long |
cybereason.malop_connection.simple_values.local_port.values | | long |
cybereason.malop_connection.simple_values.port_type.total_values | | long |
cybereason.malop_connection.simple_values.port_type.values | | keyword |
cybereason.malop_connection.simple_values.remote_address_country_name.total_values | | long |
cybereason.malop_connection.simple_values.remote_address_country_name.values | | keyword |
cybereason.malop_connection.simple_values.remote_port.total_values | | long |
cybereason.malop_connection.simple_values.remote_port.values | | long |
cybereason.malop_connection.simple_values.server_address.total_values | | long |
cybereason.malop_connection.simple_values.server_address.values | | ip |
cybereason.malop_connection.simple_values.server_port.total_values | | long |
cybereason.malop_connection.simple_values.server_port.values | | long |
cybereason.malop_connection.simple_values.state.total_values | | long |
cybereason.malop_connection.simple_values.state.values | | keyword |
cybereason.malop_connection.simple_values.transport_protocol.total_values | | long |
cybereason.malop_connection.simple_values.transport_protocol.values | | keyword |
cybereason.malop_connection.suspect | | boolean |
cybereason.malop_connection.suspicion_count | | long |
cybereason.malop_connection.suspicions | | flattened |
cybereason.malop_connection.suspicions_map | | flattened |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset. | constant_keyword |
event.module | Event module. | constant_keyword |
input.type | Type of Filebeat input. | keyword |
log.offset | Log offset. | long |
Malop Process
This is the Malop Process dataset.
Example
An example event for malop_process looks as following:
```json
{ "@timestamp": "2023-12-28T19:03:51.785Z", "cybereason": { "malop_process": { "element_values": { "affected_machines": { "element_values": [ { "element_type": "Machine", "guid": "zpP73xCi55eyTiwX", "has_malops": false, "has_suspicions": false, "name": "cybereason", "object": { "element": "values" }, "simple_values": { "element_display_name": { "total_values": 1, "values": [ "cybereason" ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "guid": { "total_values": 1, "values": [ "zpP73xCi55eyTiwX" ] }, "has_malops": { "total_values": 1, "values": [ false ] }, "has_suspicions": { "total_values": 1, "values": [ false ] } } } ], "guessed_total": 0, "total_malicious": 0, "total_suspicious": 0, "total_values": 1 }, "affected_users": { "element_values": [ { "element_type": "User", "guid": "AAAAGAJYAICT5xYW", "has_malops": false, "has_suspicions": false, "name": "cybereason\\theavengers", "object": { "values": "element" }, "simple_values": { "element_display_name": { "total_values": 1, "values": [ "cybereason\\theavengers" ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "guid": { "total_values": 1, "values": [ "AAAAGAJYAICT5xYW" ] }, "has_malops": { "total_values": 1, "values": [ false ] }, "has_suspicions": { "total_values": 1, "values": [ false ] } } } ], "guessed_total": 0, "total_malicious": 0, "total_suspicious": 0, "total_values": 1 }, "files_to_remediate": { "element_values": [ { "element_type": "File", "guid": "zpP7358Lbsf7z787", "has_malops": false, "has_suspicions": true, "name": "x64cymulateprocesshider.exe", "object": { "files": "remediate" }, "simple_values": { "element_display_name": { "total_values": 1, "values": [ "x64cymulateprocesshider.exe" ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "guid": { "total_values": 1, "values": [ "zpP7358Lbsf7z787" ] }, "has_malops": { "total_values": 1, "values": [ false ] }, "has_suspicions": { "total_values": 1, "values": [ true ] } } } ], "guessed_total": 0, "total_malicious": 0, "total_suspicious": 1, "total_values": 1 }, "primary_root_cause_elements": { "element_values": [ { "element_type": "Process", "guid": "zpP73wfcKRFKvnZa", "has_malops": false, "has_suspicions": false, "name": "injected (chain of injections)", "simple_values": { "element_display_name": { "total_values": 1, "values": [ "injected (chain of injections)" ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "guid": { "total_values": 1, "values": [ "zpP73wfcKRFKvnZa" ] } } }, { "element_type": "Process", "guid": "zpP73yUewMOXCNBN", "has_malops": false, "has_suspicions": false, "name": "injected (chain of injections)", "object": { "values": "primaryroot" }, "simple_values": { "element_display_name": { "total_values": 1, "values": [ "injected (chain of injections)" ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "guid": { "total_values": 1, "values": [ "zpP73yUewMOXCNBN" ] } } }, { "element_type": "Process", "guid": "zpP73wdciiw3CcZ9", "has_malops": false, "has_suspicions": false, "name": "injected (chain of injections)", "simple_values": { "element_display_name": { "total_values": 1, "values": [ "injected (chain of injections)" ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "guid": { "total_values": 1, "values": [ "zpP73wdciiw3CcZ9" ] } } }, { "element_type": "Process", "guid": "zpP73zALshBfA7mQ", "has_malops": false, "has_suspicions": false, "name": "injected (chain of injections)", "simple_values": { "element_display_name": { "total_values": 1, "values": [ "injected (chain of injections)" ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "guid": { "total_values": 1, "values": [ "zpP73zALshBfA7mQ" ] } } }, { "element_type": "Process", "guid": "zpP736Yq9t-ujawF", "has_malops": false, "has_suspicions": false, "name": "injected (chain of injections)", "simple_values": { "element_display_name": { "total_values": 1, "values": [ "injected (chain of injections)" ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "guid": { "total_values": 1, "values": [ "zpP736Yq9t-ujawF" ] } } }, { "element_type": "Process", "guid": "zpP736adtvfQP86p", "has_malops": false, "has_suspicions": false, "name": "injected (chain of injections)", "simple_values": { "element_display_name": { "total_values": 1, "values": [ "injected (chain of injections)" ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "guid": { "total_values": 1, "values": [ "zpP736adtvfQP86p" ] } } }, { "element_type": "Process", "guid": "zpP73yUHiaZd-JI6", "has_malops": false, "has_suspicions": false, "name": "injected (chain of injections)", "simple_values": { "element_display_name": { "total_values": 1, "values": [ "injected (chain of injections)" ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "guid": { "total_values": 1, "values": [ "zpP73yUHiaZd-JI6" ] } } }, { "element_type": "Process", "guid": "zpP733Hfwc2Ol2KV", "has_malops": false, "has_suspicions": false, "name": "injected (chain of injections)", "simple_values": { "element_display_name": { "total_values": 1, "values": [ "injected (chain of injections)" ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "guid": { "total_values": 1, "values": [ "zpP733Hfwc2Ol2KV" ] } } }, { "element_type": "Process", "guid": "zpP73zlRSCV3N9Si", "has_malops": false, "has_suspicions": false, "name": "injected (chain of injections)", "simple_values": { "element_display_name": { "total_values": 1, "values": [ "injected (chain of injections)" ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "guid": { "total_values": 1, "values": [ "zpP73zlRSCV3N9Si" ] } } }, { "element_type": "Process", "guid": "zpP73-Mvct_YhLo2", "has_malops": false, "has_suspicions": false, "name": "injected (chain of injections)", "simple_values": { "element_display_name": { "total_values": 1, "values": [ "injected (chain of injections)" ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "guid": { "total_values": 1, "values": [ "zpP73-Mvct_YhLo2" ] } } } ], "guessed_total": 0, "total_malicious": 0, "total_suspicious": 0, "total_values": 10 }, "root_cause_elements": { "element_values": [ { "element_type": "Process", "guid": "zpP735vQl83mbAFk", "has_malops": false, "has_suspicions": false, "name": "injected (chain of injections)", "object": { "element": "root" }, "simple_values": { "element_display_name": { "total_values": 1, "values": [ "injected (chain of injections)" ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "guid": { "total_values": 1, "values": [ "zpP735vQl83mbAFk" ] } } }, { "element_type": "Process", "guid": "zpP733MJZQ5ua9PD", "has_malops": false, "has_suspicions": false, "name": "injected (chain of injections)", "simple_values": { "element_display_name": { "total_values": 1, "values": [ "injected (chain of injections)" ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "guid": { "total_values": 1, "values": [ "zpP733MJZQ5ua9PD" ] } } }, { "element_type": "Process", "guid": "zpP73wfcKRFKvnZa", "has_malops": false, "has_suspicions": false, "name": "injected (chain of injections)", "simple_values": { "element_display_name": { "total_values": 1, "values": [ "injected (chain of injections)" ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "guid": { "total_values": 1, "values": [ "zpP73wfcKRFKvnZa" ] } } }, { "element_type": "Process", "guid": "zpP73yUewMOXCNBN", "has_malops": false, "has_suspicions": false, "name": "injected (chain of injections)", "simple_values": { "element_display_name": { "total_values": 1, "values": [ "injected (chain of injections)" ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "guid": { "total_values": 1, "values": [ "zpP73yUewMOXCNBN" ] } } }, { "element_type": "Process", "guid": "zpP73wdciiw3CcZ9", "has_malops": false, "has_suspicions": false, "name": "injected (chain of injections)", "simple_values": { "element_display_name": { "total_values": 1, "values": [ "injected (chain of injections)" ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "guid": { "total_values": 1, "values": [ "zpP73wdciiw3CcZ9" ] } } }, { "element_type": "Process", "guid": "zpP73-slLQbqr1eb", "has_malops": false, "has_suspicions": false, "name": "injected (chain of injections)", "simple_values": { "element_display_name": { "total_values": 1, "values": [ "injected (chain of injections)" ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "guid": { "total_values": 1, "values": [ "zpP73-slLQbqr1eb" ] } } }, { "element_type": "Process", "guid": "zpP73xTlNawf6qox", "has_malops": false, "has_suspicions": false, "name": "injected (chain of injections)", "simple_values": { "element_display_name": { "total_values": 1, "values": [ "injected (chain of injections)" ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "guid": { "total_values": 1, "values": [ "zpP73xTlNawf6qox" ] } } }, { "element_type": "Process", "guid": "zpP736adtvfQP86p", "has_malops": false, "has_suspicions": false, "name": "injected (chain of injections)", "simple_values": { "element_display_name": { "total_values": 1, "values": [ "injected (chain of injections)" ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "guid": { "total_values": 1, "values": [ "zpP736adtvfQP86p" ] } } }, { "element_type": "Process", "guid": "zpP732Q23xdwLJhh", "has_malops": false, "has_suspicions": false, "name": "injected (chain of 
```
injections)", "simple_values": { "element_display_name": { "total_values": 1, "values": [ "injected (chain of injections)" ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "guid": { "total_values": 1, "values": [ "zpP732Q23xdwLJhh" ] } } }, { "element_type": "Process", "guid": "zpP73zlRSCV3N9Si", "has_malops": false, "has_suspicions": false, "name": "injected (chain of injections)", "simple_values": { "element_display_name": { "total_values": 1, "values": [ "injected (chain of injections)" ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "guid": { "total_values": 1, "values": [ "zpP73zlRSCV3N9Si" ] } } } ], "guessed_total": 0, "total_malicious": 0, "total_suspicious": 0, "total_values": 10 }, "suspects": { "element_values": [ { "element_type": "Process", "guid": "zpP735vQl83mbAFk", "has_malops": true, "has_suspicions": true, "name": "injected (chain of injections)", "object": { "type": "suspects" }, "simple_values": { "element_display_name": { "total_values": 1, "values": [ "injected (chain of injections)" ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "guid": { "total_values": 1, "values": [ "zpP735vQl83mbAFk" ] }, "has_malops": { "total_values": 1, "values": [ true ] }, "has_suspicions": { "total_values": 1, "values": [ true ] } } }, { "element_type": "Process", "guid": "zpP733MJZQ5ua9PD", "has_malops": true, "has_suspicions": true, "name": "injected (chain of injections)", "simple_values": { "element_display_name": { "total_values": 1, "values": [ "injected (chain of injections)" ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "guid": { "total_values": 1, "values": [ "zpP733MJZQ5ua9PD" ] }, "has_malops": { "total_values": 1, "values": [ true ] }, "has_suspicions": { "total_values": 1, "values": [ true ] } } }, { "element_type": "Process", "guid": "zpP73wfcKRFKvnZa", "has_malops": true, 
"has_suspicions": true, "name": "injected (chain of injections)", "simple_values": { "element_display_name": { "total_values": 1, "values": [ "injected (chain of injections)" ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "guid": { "total_values": 1, "values": [ "zpP73wfcKRFKvnZa" ] }, "has_malops": { "total_values": 1, "values": [ true ] }, "has_suspicions": { "total_values": 1, "values": [ true ] } } }, { "element_type": "Process", "guid": "zpP73yUewMOXCNBN", "has_malops": true, "has_suspicions": true, "name": "injected (chain of injections)", "simple_values": { "element_display_name": { "total_values": 1, "values": [ "injected (chain of injections)" ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "guid": { "total_values": 1, "values": [ "zpP73yUewMOXCNBN" ] }, "has_malops": { "total_values": 1, "values": [ true ] }, "has_suspicions": { "total_values": 1, "values": [ true ] } } }, { "element_type": "Process", "guid": "zpP73wdciiw3CcZ9", "has_malops": true, "has_suspicions": true, "name": "injected (chain of injections)", "simple_values": { "element_display_name": { "total_values": 1, "values": [ "injected (chain of injections)" ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "guid": { "total_values": 1, "values": [ "zpP73wdciiw3CcZ9" ] }, "has_malops": { "total_values": 1, "values": [ true ] }, "has_suspicions": { "total_values": 1, "values": [ true ] } } }, { "element_type": "Process", "guid": "zpP73-slLQbqr1eb", "has_malops": true, "has_suspicions": true, "name": "injected (chain of injections)", "simple_values": { "element_display_name": { "total_values": 1, "values": [ "injected (chain of injections)" ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "guid": { "total_values": 1, "values": [ "zpP73-slLQbqr1eb" ] }, "has_malops": { "total_values": 1, "values": [ true ] }, "has_suspicions": { 
"total_values": 1, "values": [ true ] } } }, { "element_type": "Process", "guid": "zpP73xTlNawf6qox", "has_malops": true, "has_suspicions": true, "name": "injected (chain of injections)", "simple_values": { "element_display_name": { "total_values": 1, "values": [ "injected (chain of injections)" ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "guid": { "total_values": 1, "values": [ "zpP73xTlNawf6qox" ] }, "has_malops": { "total_values": 1, "values": [ true ] }, "has_suspicions": { "total_values": 1, "values": [ true ] } } }, { "element_type": "Process", "guid": "zpP736adtvfQP86p", "has_malops": true, "has_suspicions": true, "name": "injected (chain of injections)", "simple_values": { "element_display_name": { "total_values": 1, "values": [ "injected (chain of injections)" ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "guid": { "total_values": 1, "values": [ "zpP736adtvfQP86p" ] }, "has_malops": { "total_values": 1, "values": [ true ] }, "has_suspicions": { "total_values": 1, "values": [ true ] } } }, { "element_type": "Process", "guid": "zpP732Q23xdwLJhh", "has_malops": true, "has_suspicions": true, "name": "injected (chain of injections)", "simple_values": { "element_display_name": { "total_values": 1, "values": [ "injected (chain of injections)" ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "guid": { "total_values": 1, "values": [ "zpP732Q23xdwLJhh" ] }, "has_malops": { "total_values": 1, "values": [ true ] }, "has_suspicions": { "total_values": 1, "values": [ true ] } } }, { "element_type": "Process", "guid": "zpP73zlRSCV3N9Si", "has_malops": true, "has_suspicions": true, "name": "injected (chain of injections)", "simple_values": { "element_display_name": { "total_values": 1, "values": [ "injected (chain of injections)" ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "guid": { 
"total_values": 1, "values": [ "zpP73zlRSCV3N9Si" ] }, "has_malops": { "total_values": 1, "values": [ true ] }, "has_suspicions": { "total_values": 1, "values": [ true ] } } } ], "guessedTotal": 0, "total_malicious": 10, "total_suspicious": 10, "total_values": 10 } }, "evidence_map": { "evidence": "map" }, "filter_data": { "group_by_value": "NONE_MALOP_ACTIVITY_TYPE", "sort_in_group_value": "hello" }, "guid_string": "AAAA0xquIk3X9oQ_", "is_malicious": false, "labels_ids": "lbl2", "malicious": false, "malop_priority": "LOW", "simple_values": { "all_ransomware_processes_suspended": { "total_values": 1, "values": [ false ] }, "creation_time": { "total_values": 1, "values": [ "2023-12-28T19:01:46.501Z" ] }, "decision_feature": { "total_values": 1, "values": [ "Process.maliciousByCodeInjection(Malop decision)" ] }, "decision_feature_set": { "total_values": 1, "values": [ "Process.maliciousByCodeInjection(Malop decision)" ] }, "detection_type": { "total_values": 1, "values": [ "PROCESS_INJECTION" ] }, "has_ransomware_suspended_processes": { "total_values": 1, "values": [ false ] }, "icon_base64": { "total_values": 1, "values": [ "base" ] }, "is_blocked": { "total_values": 1, "values": [ false ] }, "malop": { "activity_types": { "total_values": 2, "values": [ "NONE_MALOP_ACTIVITY_TYPE", "MALICIOUS_INFECTION" ] }, "last_update_time": { "total_values": 1, "values": [ "2023-12-28T19:03:51.785Z" ] }, "start_time": { "total_values": 1, "values": [ "2023-12-28T18:59:35.356Z" ] } }, "root_cause_element": { "company_product": { "total_values": 1, "values": [ "product" ] }, "hashes": { "total_values": 1, "values": [ "nbvgyui765tghnxxx" ] }, "names": { "total_values": 1, "values": [ "injected (chain of injections)" ] }, "types": { "total_values": 1, "values": [ "Process" ] } }, "total": { "number_of": { "incoming_connections": { "total_values": 1, "values": [ 768 ] }, "outgoing_connections": { "total_values": 1, "values": [ 23 ] } }, "received_bytes": { "total_values": 1, "values": 
[ 76 ] }, "transmitted_bytes": { "total_values": 1, "values": [ 90 ] } } }, "suspect": false, "suspicion_count": 0, "suspicions": { "connectingToBlackListAddressSuspicion": 1710261170916 }, "suspicions_map": { "suspicions": "map" } } }, "destination": { "bytes": 76 }, "ecs": { "version": "8.11.0" }, "event": { "category": [ "malware" ], "created": "2023-12-28T19:01:46.501Z", "id": "AAAA0xquIk3X9oQ_", "kind": "alert", "original": "[{\"simpleValues\":{\"hasRansomwareSuspendedProcesses\":{\"totalValues\":1,\"values\":[\"false\"]},\"decisionFeatureSet\":{\"totalValues\":1,\"values\":[\"Process.maliciousByCodeInjection(Malop decision)\"]},\"decisionFeature\":{\"totalValues\":1,\"values\":[\"Process.maliciousByCodeInjection(Malop decision)\"]},\"detectionType\":{\"totalValues\":1,\"values\":[\"PROCESS_INJECTION\"]},\"malopActivityTypes\":{\"totalValues\":2,\"values\":[\"NONE_MALOP_ACTIVITY_TYPE\",\"MALICIOUS_INFECTION\"]},\"creationTime\":{\"totalValues\":1,\"values\":[\"1703790106501\"]},\"isBlocked\":{\"totalValues\":1,\"values\":[\"false\"]},\"rootCauseElementTypes\":{\"totalValues\":1,\"values\":[\"Process\"]},\"rootCauseElementCompanyProduct\":{\"totalValues\":1,\"values\":[\"product\"]},\"rootCauseElementHashes\":{\"totalValues\":1,\"values\":[\"nbvgyui765tghnxxx\"]},\"iconBase64\":{\"totalValues\":1,\"values\":[\"base\"]},\"malopStartTime\":{\"totalValues\":1,\"values\":[\"1703789975356\"]},\"rootCauseElementNames\":{\"totalValues\":1,\"values\":[\"injected (chain of 
injections)\"]},\"totalNumberOfIncomingConnections\":{\"totalValues\":1,\"values\":[768]},\"totalNumberOfOutgoingConnections\":{\"totalValues\":1,\"values\":[23]},\"totalReceivedBytes\":{\"totalValues\":1,\"values\":[76]},\"totalTransmittedBytes\":{\"totalValues\":1,\"values\":[90]},\"malopLastUpdateTime\":{\"totalValues\":1,\"values\":[\"1703790231785\"]},\"allRansomwareProcessesSuspended\":{\"totalValues\":1,\"values\":[\"false\"]}},\"elementValues\":{\"suspects\":{\"totalValues\":10,\"elementValues\":[{\"elementType\":\"Process\",\"guid\":\"zpP735vQl83mbAFk\",\"name\":\"injected (chain of injections)\",\"hasSuspicions\":true,\"hasMalops\":true,\"elementValues\":{\"type\":\"suspects\"},\"simpleValues\":{\"hasMalops\":{\"totalValues\":1,\"values\":[\"true\"]},\"guid\":{\"totalValues\":1,\"values\":[\"zpP735vQl83mbAFk\"]},\"hasSuspicions\":{\"totalValues\":1,\"values\":[\"true\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"injected (chain of injections)\"]}}},{\"elementType\":\"Process\",\"guid\":\"zpP733MJZQ5ua9PD\",\"name\":\"injected (chain of injections)\",\"hasSuspicions\":true,\"hasMalops\":true,\"elementValues\":{},\"simpleValues\":{\"hasMalops\":{\"totalValues\":1,\"values\":[\"true\"]},\"guid\":{\"totalValues\":1,\"values\":[\"zpP733MJZQ5ua9PD\"]},\"hasSuspicions\":{\"totalValues\":1,\"values\":[\"true\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"injected (chain of injections)\"]}}},{\"elementType\":\"Process\",\"guid\":\"zpP73wfcKRFKvnZa\",\"name\":\"injected (chain of 
injections)\",\"hasSuspicions\":true,\"hasMalops\":true,\"elementValues\":{},\"simpleValues\":{\"hasMalops\":{\"totalValues\":1,\"values\":[\"true\"]},\"guid\":{\"totalValues\":1,\"values\":[\"zpP73wfcKRFKvnZa\"]},\"hasSuspicions\":{\"totalValues\":1,\"values\":[\"true\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"injected (chain of injections)\"]}}},{\"elementType\":\"Process\",\"guid\":\"zpP73yUewMOXCNBN\",\"name\":\"injected (chain of injections)\",\"hasSuspicions\":true,\"hasMalops\":true,\"elementValues\":{},\"simpleValues\":{\"hasMalops\":{\"totalValues\":1,\"values\":[\"true\"]},\"guid\":{\"totalValues\":1,\"values\":[\"zpP73yUewMOXCNBN\"]},\"hasSuspicions\":{\"totalValues\":1,\"values\":[\"true\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"injected (chain of injections)\"]}}},{\"elementType\":\"Process\",\"guid\":\"zpP73wdciiw3CcZ9\",\"name\":\"injected (chain of injections)\",\"hasSuspicions\":true,\"hasMalops\":true,\"elementValues\":{},\"simpleValues\":{\"hasMalops\":{\"totalValues\":1,\"values\":[\"true\"]},\"guid\":{\"totalValues\":1,\"values\":[\"zpP73wdciiw3CcZ9\"]},\"hasSuspicions\":{\"totalValues\":1,\"values\":[\"true\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"injected (chain of injections)\"]}}},{\"elementType\":\"Process\",\"guid\":\"zpP73-slLQbqr1eb\",\"name\":\"injected (chain of 
injections)\",\"hasSuspicions\":true,\"hasMalops\":true,\"elementValues\":{},\"simpleValues\":{\"hasMalops\":{\"totalValues\":1,\"values\":[\"true\"]},\"guid\":{\"totalValues\":1,\"values\":[\"zpP73-slLQbqr1eb\"]},\"hasSuspicions\":{\"totalValues\":1,\"values\":[\"true\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"injected (chain of injections)\"]}}},{\"elementType\":\"Process\",\"guid\":\"zpP73xTlNawf6qox\",\"name\":\"injected (chain of injections)\",\"hasSuspicions\":true,\"hasMalops\":true,\"elementValues\":{},\"simpleValues\":{\"hasMalops\":{\"totalValues\":1,\"values\":[\"true\"]},\"guid\":{\"totalValues\":1,\"values\":[\"zpP73xTlNawf6qox\"]},\"hasSuspicions\":{\"totalValues\":1,\"values\":[\"true\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"injected (chain of injections)\"]}}},{\"elementType\":\"Process\",\"guid\":\"zpP736adtvfQP86p\",\"name\":\"injected (chain of injections)\",\"hasSuspicions\":true,\"hasMalops\":true,\"elementValues\":{},\"simpleValues\":{\"hasMalops\":{\"totalValues\":1,\"values\":[\"true\"]},\"guid\":{\"totalValues\":1,\"values\":[\"zpP736adtvfQP86p\"]},\"hasSuspicions\":{\"totalValues\":1,\"values\":[\"true\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"injected (chain of injections)\"]}}},{\"elementType\":\"Process\",\"guid\":\"zpP732Q23xdwLJhh\",\"name\":\"injected (chain of 
injections)\",\"hasSuspicions\":true,\"hasMalops\":true,\"elementValues\":{},\"simpleValues\":{\"hasMalops\":{\"totalValues\":1,\"values\":[\"true\"]},\"guid\":{\"totalValues\":1,\"values\":[\"zpP732Q23xdwLJhh\"]},\"hasSuspicions\":{\"totalValues\":1,\"values\":[\"true\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"injected (chain of injections)\"]}}},{\"elementType\":\"Process\",\"guid\":\"zpP73zlRSCV3N9Si\",\"name\":\"injected (chain of injections)\",\"hasSuspicions\":true,\"hasMalops\":true,\"elementValues\":{},\"simpleValues\":{\"hasMalops\":{\"totalValues\":1,\"values\":[\"true\"]},\"guid\":{\"totalValues\":1,\"values\":[\"zpP73zlRSCV3N9Si\"]},\"hasSuspicions\":{\"totalValues\":1,\"values\":[\"true\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"injected (chain of injections)\"]}}}],\"totalSuspicious\":10,\"totalMalicious\":10,\"guessedTotal\":0},\"filesToRemediate\":{\"totalValues\":1,\"elementValues\":[{\"elementType\":\"File\",\"guid\":\"zpP7358Lbsf7z787\",\"name\":\"x64cymulateprocesshider.exe\",\"hasSuspicions\":true,\"hasMalops\":false,\"elementValues\":{\"files\":\"remediate\"},\"simpleValues\":{\"hasMalops\":{\"totalValues\":1,\"values\":[\"false\"]},\"guid\":{\"totalValues\":1,\"values\":[\"zpP7358Lbsf7z787\"]},\"hasSuspicions\":{\"totalValues\":1,\"values\":[\"true\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"x64cymulateprocesshider.exe\"]}}}],\"totalSuspicious\":1,\"totalMalicious\":0,\"guessedTotal\":0},\"primaryRootCauseElements\":{\"totalValues\":10,\"elementValues\":[{\"elementType\":\"Process\",\"guid\":\"zpP73wfcKRFKvnZa\",\"name\":\"injected (chain of 
injections)\",\"hasSuspicions\":false,\"hasMalops\":false,\"elementValues\":{},\"simpleValues\":{\"guid\":{\"totalValues\":1,\"values\":[\"zpP73wfcKRFKvnZa\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"injected (chain of injections)\"]}}},{\"elementType\":\"Process\",\"guid\":\"zpP73yUewMOXCNBN\",\"name\":\"injected (chain of injections)\",\"hasSuspicions\":false,\"hasMalops\":false,\"elementValues\":{\"values\":\"primaryroot\"},\"simpleValues\":{\"guid\":{\"totalValues\":1,\"values\":[\"zpP73yUewMOXCNBN\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"injected (chain of injections)\"]}}},{\"elementType\":\"Process\",\"guid\":\"zpP73wdciiw3CcZ9\",\"name\":\"injected (chain of injections)\",\"hasSuspicions\":false,\"hasMalops\":false,\"elementValues\":{},\"simpleValues\":{\"guid\":{\"totalValues\":1,\"values\":[\"zpP73wdciiw3CcZ9\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"injected (chain of injections)\"]}}},{\"elementType\":\"Process\",\"guid\":\"zpP73zALshBfA7mQ\",\"name\":\"injected (chain of injections)\",\"hasSuspicions\":false,\"hasMalops\":false,\"elementValues\":{},\"simpleValues\":{\"guid\":{\"totalValues\":1,\"values\":[\"zpP73zALshBfA7mQ\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"injected (chain of injections)\"]}}},{\"elementType\":\"Process\",\"guid\":\"zpP736Yq9t-ujawF\",\"name\":\"injected (chain of 
injections)\",\"hasSuspicions\":false,\"hasMalops\":false,\"elementValues\":{},\"simpleValues\":{\"guid\":{\"totalValues\":1,\"values\":[\"zpP736Yq9t-ujawF\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"injected (chain of injections)\"]}}},{\"elementType\":\"Process\",\"guid\":\"zpP736adtvfQP86p\",\"name\":\"injected (chain of injections)\",\"hasSuspicions\":false,\"hasMalops\":false,\"elementValues\":{},\"simpleValues\":{\"guid\":{\"totalValues\":1,\"values\":[\"zpP736adtvfQP86p\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"injected (chain of injections)\"]}}},{\"elementType\":\"Process\",\"guid\":\"zpP73yUHiaZd-JI6\",\"name\":\"injected (chain of injections)\",\"hasSuspicions\":false,\"hasMalops\":false,\"elementValues\":{},\"simpleValues\":{\"guid\":{\"totalValues\":1,\"values\":[\"zpP73yUHiaZd-JI6\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"injected (chain of injections)\"]}}},{\"elementType\":\"Process\",\"guid\":\"zpP733Hfwc2Ol2KV\",\"name\":\"injected (chain of injections)\",\"hasSuspicions\":false,\"hasMalops\":false,\"elementValues\":{},\"simpleValues\":{\"guid\":{\"totalValues\":1,\"values\":[\"zpP733Hfwc2Ol2KV\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"injected (chain of injections)\"]}}},{\"elementType\":\"Process\",\"guid\":\"zpP73zlRSCV3N9Si\",\"name\":\"injected (chain of 
injections)\",\"hasSuspicions\":false,\"hasMalops\":false,\"elementValues\":{},\"simpleValues\":{\"guid\":{\"totalValues\":1,\"values\":[\"zpP73zlRSCV3N9Si\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"injected (chain of injections)\"]}}},{\"elementType\":\"Process\",\"guid\":\"zpP73-Mvct_YhLo2\",\"name\":\"injected (chain of injections)\",\"hasSuspicions\":false,\"hasMalops\":false,\"elementValues\":{},\"simpleValues\":{\"guid\":{\"totalValues\":1,\"values\":[\"zpP73-Mvct_YhLo2\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"injected (chain of injections)\"]}}}],\"totalSuspicious\":0,\"totalMalicious\":0,\"guessedTotal\":0},\"affectedUsers\":{\"totalValues\":1,\"elementValues\":[{\"elementType\":\"User\",\"guid\":\"AAAAGAJYAICT5xYW\",\"name\":\"cybereason\\\\\theavengers\",\"hasSuspicions\":false,\"hasMalops\":false,\"elementValues\":{\"values\":\"element\"},\"simpleValues\":{\"hasMalops\":{\"totalValues\":1,\"values\":[\"false\"]},\"guid\":{\"totalValues\":1,\"values\":[\"AAAAGAJYAICT5xYW\"]},\"hasSuspicions\":{\"totalValues\":1,\"values\":[\"false\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"cybereason\\\\\theavengers\"]}}}],\"totalSuspicious\":0,\"totalMalicious\":0,\"guessedTotal\":0},\"rootCauseElements\":{\"totalValues\":10,\"elementValues\":[{\"elementType\":\"Process\",\"guid\":\"zpP735vQl83mbAFk\",\"name\":\"injected (chain of injections)\",\"hasSuspicions\":false,\"hasMalops\":false,\"elementValues\":{\"element\":\"root\"},\"simpleValues\":{\"guid\":{\"totalValues\":1,\"values\":[\"zpP735vQl83mbAFk\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"injected (chain of 
injections)\"]}}},{\"elementType\":\"Process\",\"guid\":\"zpP733MJZQ5ua9PD\",\"name\":\"injected (chain of injections)\",\"hasSuspicions\":false,\"hasMalops\":false,\"elementValues\":{},\"simpleValues\":{\"guid\":{\"totalValues\":1,\"values\":[\"zpP733MJZQ5ua9PD\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"injected (chain of injections)\"]}}},{\"elementType\":\"Process\",\"guid\":\"zpP73wfcKRFKvnZa\",\"name\":\"injected (chain of injections)\",\"hasSuspicions\":false,\"hasMalops\":false,\"elementValues\":{},\"simpleValues\":{\"guid\":{\"totalValues\":1,\"values\":[\"zpP73wfcKRFKvnZa\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"injected (chain of injections)\"]}}},{\"elementType\":\"Process\",\"guid\":\"zpP73yUewMOXCNBN\",\"name\":\"injected (chain of injections)\",\"hasSuspicions\":false,\"hasMalops\":false,\"elementValues\":{},\"simpleValues\":{\"guid\":{\"totalValues\":1,\"values\":[\"zpP73yUewMOXCNBN\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"injected (chain of injections)\"]}}},{\"elementType\":\"Process\",\"guid\":\"zpP73wdciiw3CcZ9\",\"name\":\"injected (chain of injections)\",\"hasSuspicions\":false,\"hasMalops\":false,\"elementValues\":{},\"simpleValues\":{\"guid\":{\"totalValues\":1,\"values\":[\"zpP73wdciiw3CcZ9\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"injected (chain of injections)\"]}}},{\"elementType\":\"Process\",\"guid\":\"zpP73-slLQbqr1eb\",\"name\":\"injected (chain of 
injections)\",\"hasSuspicions\":false,\"hasMalops\":false,\"elementValues\":{},\"simpleValues\":{\"guid\":{\"totalValues\":1,\"values\":[\"zpP73-slLQbqr1eb\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"injected (chain of injections)\"]}}},{\"elementType\":\"Process\",\"guid\":\"zpP73xTlNawf6qox\",\"name\":\"injected (chain of injections)\",\"hasSuspicions\":false,\"hasMalops\":false,\"elementValues\":{},\"simpleValues\":{\"guid\":{\"totalValues\":1,\"values\":[\"zpP73xTlNawf6qox\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"injected (chain of injections)\"]}}},{\"elementType\":\"Process\",\"guid\":\"zpP736adtvfQP86p\",\"name\":\"injected (chain of injections)\",\"hasSuspicions\":false,\"hasMalops\":false,\"elementValues\":{},\"simpleValues\":{\"guid\":{\"totalValues\":1,\"values\":[\"zpP736adtvfQP86p\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"injected (chain of injections)\"]}}},{\"elementType\":\"Process\",\"guid\":\"zpP732Q23xdwLJhh\",\"name\":\"injected (chain of injections)\",\"hasSuspicions\":false,\"hasMalops\":false,\"elementValues\":{},\"simpleValues\":{\"guid\":{\"totalValues\":1,\"values\":[\"zpP732Q23xdwLJhh\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"injected (chain of injections)\"]}}},{\"elementType\":\"Process\",\"guid\":\"zpP73zlRSCV3N9Si\",\"name\":\"injected (chain of 
injections)\",\"hasSuspicions\":false,\"hasMalops\":false,\"elementValues\":{},\"simpleValues\":{\"guid\":{\"totalValues\":1,\"values\":[\"zpP73zlRSCV3N9Si\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"injected (chain of injections)\"]}}}],\"totalSuspicious\":0,\"totalMalicious\":0,\"guessedTotal\":0},\"affectedMachines\":{\"totalValues\":1,\"elementValues\":[{\"elementType\":\"Machine\",\"guid\":\"zpP73xCi55eyTiwX\",\"name\":\"cybereason\",\"hasSuspicions\":false,\"hasMalops\":false,\"elementValues\":{\"element\":\"values\"},\"simpleValues\":{\"hasMalops\":{\"totalValues\":1,\"values\":[\"false\"]},\"guid\":{\"totalValues\":1,\"values\":[\"zpP73xCi55eyTiwX\"]},\"hasSuspicions\":{\"totalValues\":1,\"values\":[\"false\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"cybereason\"]}}}],\"totalSuspicious\":0,\"totalMalicious\":0,\"guessedTotal\":0}},\"suspicions\":{\"connectingToBlackListAddressSuspicion\":1710261170916},\"filterData\":{\"sortInGroupValue\":\"hello\",\"groupByValue\":\"NONE_MALOP_ACTIVITY_TYPE\"},\"isMalicious\":false,\"suspicionCount\":0,\"guidString\":\"AAAA0xquIk3X9oQ_\",\"labelsIds\":\"lbl2\",\"malopPriority\":\"LOW\",\"suspect\":false,\"malicious\":false}, {\"suspicions\":\"map\"}, {\"evidence\":\"map\"}]", "type": [ "info" ] }, "related": { "hash": [ "nbvgyui765tghnxxx" ] }, "source": { "bytes": 90 }, "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields" ] }
Exported fields

Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
cybereason.malop_process.element_values.affected_machines.element_values.element_type | | keyword |
cybereason.malop_process.element_values.affected_machines.element_values.guid | | keyword |
cybereason.malop_process.element_values.affected_machines.element_values.has_malops | | boolean |
cybereason.malop_process.element_values.affected_machines.element_values.has_suspicions | | boolean |
cybereason.malop_process.element_values.affected_machines.element_values.name | | keyword |
cybereason.malop_process.element_values.affected_machines.element_values.object | | flattened |
cybereason.malop_process.element_values.affected_machines.element_values.simple_values.element_display_name.total_values | | long |
cybereason.malop_process.element_values.affected_machines.element_values.simple_values.element_display_name.values | | keyword |
cybereason.malop_process.element_values.affected_machines.element_values.simple_values.group.total_values | | long |
cybereason.malop_process.element_values.affected_machines.element_values.simple_values.group.values | | keyword |
cybereason.malop_process.element_values.affected_machines.element_values.simple_values.guid.total_values | | long |
cybereason.malop_process.element_values.affected_machines.element_values.simple_values.guid.values | | keyword |
cybereason.malop_process.element_values.affected_machines.element_values.simple_values.has_malops.total_values | | long |
cybereason.malop_process.element_values.affected_machines.element_values.simple_values.has_malops.values | | boolean |
cybereason.malop_process.element_values.affected_machines.element_values.simple_values.has_suspicions.total_values | | long |
cybereason.malop_process.element_values.affected_machines.element_values.simple_values.has_suspicions.values | | boolean |
cybereason.malop_process.element_values.affected_machines.guessed_total | | long |
cybereason.malop_process.element_values.affected_machines.total_malicious | | long |
cybereason.malop_process.element_values.affected_machines.total_suspicious | | long |
cybereason.malop_process.element_values.affected_machines.total_values | | long |
cybereason.malop_process.element_values.affected_users.element_values.element_type | | keyword |
cybereason.malop_process.element_values.affected_users.element_values.guid | | keyword |
cybereason.malop_process.element_values.affected_users.element_values.has_malops | | boolean |
cybereason.malop_process.element_values.affected_users.element_values.has_suspicions | | boolean |
cybereason.malop_process.element_values.affected_users.element_values.name | | keyword |
cybereason.malop_process.element_values.affected_users.element_values.object | | flattened |
cybereason.malop_process.element_values.affected_users.element_values.simple_values.element_display_name.total_values | | long |
cybereason.malop_process.element_values.affected_users.element_values.simple_values.element_display_name.values | | keyword |
cybereason.malop_process.element_values.affected_users.element_values.simple_values.group.total_values | | long |
cybereason.malop_process.element_values.affected_users.element_values.simple_values.group.values | | keyword |
cybereason.malop_process.element_values.affected_users.element_values.simple_values.guid.total_values |
长整型 |
|
cybereason.malop_process.element_values.affected_users.element_values.simple_values.guid.values |
关键字 |
|
cybereason.malop_process.element_values.affected_users.element_values.simple_values.has_malops.total_values |
长整型 |
|
cybereason.malop_process.element_values.affected_users.element_values.simple_values.has_malops.values |
布尔值 |
|
cybereason.malop_process.element_values.affected_users.element_values.simple_values.has_suspicions.total_values |
长整型 |
|
cybereason.malop_process.element_values.affected_users.element_values.simple_values.has_suspicions.values |
布尔值 |
|
cybereason.malop_process.element_values.affected_users.guessed_total |
长整型 |
|
cybereason.malop_process.element_values.affected_users.total_malicious |
长整型 |
|
cybereason.malop_process.element_values.affected_users.total_suspicious |
长整型 |
|
cybereason.malop_process.element_values.affected_users.total_values |
长整型 |
|
cybereason.malop_process.element_values.files_to_remediate.element_values.element_type |
关键字 |
|
cybereason.malop_process.element_values.files_to_remediate.element_values.guid |
关键字 |
|
cybereason.malop_process.element_values.files_to_remediate.element_values.has_malops |
布尔值 |
|
cybereason.malop_process.element_values.files_to_remediate.element_values.has_suspicions |
布尔值 |
|
cybereason.malop_process.element_values.files_to_remediate.element_values.name |
关键字 |
|
cybereason.malop_process.element_values.files_to_remediate.element_values.object |
扁平化 |
|
cybereason.malop_process.element_values.files_to_remediate.element_values.simple_values.element_display_name.total_values |
长整型 |
|
cybereason.malop_process.element_values.files_to_remediate.element_values.simple_values.element_display_name.values |
关键字 |
|
cybereason.malop_process.element_values.files_to_remediate.element_values.simple_values.group.total_values |
长整型 |
|
cybereason.malop_process.element_values.files_to_remediate.element_values.simple_values.group.values |
关键字 |
|
cybereason.malop_process.element_values.files_to_remediate.element_values.simple_values.guid.total_values |
长整型 |
|
cybereason.malop_process.element_values.files_to_remediate.element_values.simple_values.guid.values |
关键字 |
|
cybereason.malop_process.element_values.files_to_remediate.element_values.simple_values.has_malops.total_values |
长整型 |
|
cybereason.malop_process.element_values.files_to_remediate.element_values.simple_values.has_malops.values |
布尔值 |
|
cybereason.malop_process.element_values.files_to_remediate.element_values.simple_values.has_suspicions.total_values |
长整型 |
|
cybereason.malop_process.element_values.files_to_remediate.element_values.simple_values.has_suspicions.values |
布尔值 |
|
cybereason.malop_process.element_values.files_to_remediate.guessed_total |
长整型 |
|
cybereason.malop_process.element_values.files_to_remediate.total_malicious |
长整型 |
|
cybereason.malop_process.element_values.files_to_remediate.total_suspicious |
长整型 |
|
cybereason.malop_process.element_values.files_to_remediate.total_values |
长整型 |
|
cybereason.malop_process.element_values.primary_root_cause_elements.element_values.element_type |
关键字 |
|
cybereason.malop_process.element_values.primary_root_cause_elements.element_values.guid |
关键字 |
|
cybereason.malop_process.element_values.primary_root_cause_elements.element_values.has_malops |
布尔值 |
|
cybereason.malop_process.element_values.primary_root_cause_elements.element_values.has_suspicions |
布尔值 |
|
cybereason.malop_process.element_values.primary_root_cause_elements.element_values.name |
关键字 |
|
cybereason.malop_process.element_values.primary_root_cause_elements.element_values.object |
扁平化 |
|
cybereason.malop_process.element_values.primary_root_cause_elements.element_values.simple_values.element_display_name.total_values |
长整型 |
|
cybereason.malop_process.element_values.primary_root_cause_elements.element_values.simple_values.element_display_name.values |
关键字 |
|
cybereason.malop_process.element_values.primary_root_cause_elements.element_values.simple_values.group.total_values |
长整型 |
|
cybereason.malop_process.element_values.primary_root_cause_elements.element_values.simple_values.group.values |
关键字 |
|
cybereason.malop_process.element_values.primary_root_cause_elements.element_values.simple_values.guid.total_values |
长整型 |
|
cybereason.malop_process.element_values.primary_root_cause_elements.element_values.simple_values.guid.values |
关键字 |
|
cybereason.malop_process.element_values.primary_root_cause_elements.guessed_total |
长整型 |
|
cybereason.malop_process.element_values.primary_root_cause_elements.total_malicious |
长整型 |
|
cybereason.malop_process.element_values.primary_root_cause_elements.total_suspicious |
长整型 |
|
cybereason.malop_process.element_values.primary_root_cause_elements.total_values |
长整型 |
|
cybereason.malop_process.element_values.root_cause_elements.element_values.element_type |
关键字 |
|
cybereason.malop_process.element_values.root_cause_elements.element_values.guid |
关键字 |
|
cybereason.malop_process.element_values.root_cause_elements.element_values.has_malops |
布尔值 |
|
cybereason.malop_process.element_values.root_cause_elements.element_values.has_suspicions |
布尔值 |
|
cybereason.malop_process.element_values.root_cause_elements.element_values.name |
关键字 |
|
cybereason.malop_process.element_values.root_cause_elements.element_values.object |
扁平化 |
|
cybereason.malop_process.element_values.root_cause_elements.element_values.simple_values.element_display_name.total_values |
长整型 |
|
cybereason.malop_process.element_values.root_cause_elements.element_values.simple_values.element_display_name.values |
关键字 |
|
cybereason.malop_process.element_values.root_cause_elements.element_values.simple_values.group.total_values |
长整型 |
|
cybereason.malop_process.element_values.root_cause_elements.element_values.simple_values.group.values |
关键字 |
|
cybereason.malop_process.element_values.root_cause_elements.element_values.simple_values.guid.total_values |
长整型 |
|
cybereason.malop_process.element_values.root_cause_elements.element_values.simple_values.guid.values |
关键字 |
|
cybereason.malop_process.element_values.root_cause_elements.guessed_total |
长整型 |
|
cybereason.malop_process.element_values.root_cause_elements.total_malicious |
长整型 |
|
cybereason.malop_process.element_values.root_cause_elements.total_suspicious |
长整型 |
|
cybereason.malop_process.element_values.root_cause_elements.total_values |
长整型 |
|
cybereason.malop_process.element_values.suspects.element_values.element_type |
关键字 |
|
cybereason.malop_process.element_values.suspects.element_values.guid |
关键字 |
|
cybereason.malop_process.element_values.suspects.element_values.has_malops |
布尔值 |
|
cybereason.malop_process.element_values.suspects.element_values.has_suspicions |
布尔值 |
|
cybereason.malop_process.element_values.suspects.element_values.name |
关键字 |
|
cybereason.malop_process.element_values.suspects.element_values.object |
扁平化 |
|
cybereason.malop_process.element_values.suspects.element_values.simple_values.element_display_name.total_values |
长整型 |
|
cybereason.malop_process.element_values.suspects.element_values.simple_values.element_display_name.values |
关键字 |
|
cybereason.malop_process.element_values.suspects.element_values.simple_values.group.total_values |
长整型 |
|
cybereason.malop_process.element_values.suspects.element_values.simple_values.group.values |
关键字 |
|
cybereason.malop_process.element_values.suspects.element_values.simple_values.guid.total_values |
长整型 |
|
cybereason.malop_process.element_values.suspects.element_values.simple_values.guid.values |
关键字 |
|
cybereason.malop_process.element_values.suspects.element_values.simple_values.has_malops.total_values |
长整型 |
|
cybereason.malop_process.element_values.suspects.element_values.simple_values.has_malops.values |
布尔值 |
|
cybereason.malop_process.element_values.suspects.element_values.simple_values.has_suspicions.total_values |
长整型 |
|
cybereason.malop_process.element_values.suspects.element_values.simple_values.has_suspicions.values |
布尔值 |
|
cybereason.malop_process.element_values.suspects.guessedTotal |
长整型 |
|
cybereason.malop_process.element_values.suspects.total_malicious |
长整型 |
|
cybereason.malop_process.element_values.suspects.total_suspicious |
长整型 |
|
cybereason.malop_process.element_values.suspects.total_values |
长整型 |
|
cybereason.malop_process.evidence_map |
扁平化 |
|
cybereason.malop_process.filter_data.group_by_value |
关键字 |
|
cybereason.malop_process.filter_data.sort_in_group_value |
关键字 |
|
cybereason.malop_process.guid_string |
关键字 |
|
cybereason.malop_process.is_malicious |
布尔值 |
|
cybereason.malop_process.labels_ids |
关键字 |
|
cybereason.malop_process.malicious |
布尔值 |
|
cybereason.malop_process.malop_priority |
关键字 |
|
cybereason.malop_process.simple_values.all_ransomware_processes_suspended.total_values |
长整型 |
|
cybereason.malop_process.simple_values.all_ransomware_processes_suspended.values |
指示恶意软件活动是否具有已挂起的恶意进程。 |
布尔值 |
cybereason.malop_process.simple_values.creation_time.total_values |
长整型 |
|
cybereason.malop_process.simple_values.creation_time.values |
日期 |
|
cybereason.malop_process.simple_values.decision_feature.total_values |
长整型 |
|
cybereason.malop_process.simple_values.decision_feature.values |
关键字 |
|
cybereason.malop_process.simple_values.decision_feature_set.total_values |
长整型 |
|
cybereason.malop_process.simple_values.decision_feature_set.values |
关键字 |
|
cybereason.malop_process.simple_values.detection_type.total_values |
长整型 |
|
cybereason.malop_process.simple_values.detection_type.values |
恶意软件活动的根本原因。 |
关键字 |
cybereason.malop_process.simple_values.has_ransomware_suspended_processes.total_values |
长整型 |
|
cybereason.malop_process.simple_values.has_ransomware_suspended_processes.values |
指示是否由于勒索软件活动,当前挂起了恶意软件活动的任何可疑进程。 |
布尔值 |
cybereason.malop_process.simple_values.icon_base64.total_values |
长整型 |
|
cybereason.malop_process.simple_values.icon_base64.values |
关键字 |
|
cybereason.malop_process.simple_values.is_blocked.total_values |
长整型 |
|
cybereason.malop_process.simple_values.is_blocked.values |
指示 Malop 是否有被标记为阻止的恶意进程。 |
布尔值 |
cybereason.malop_process.simple_values.malop.activity_types.total_values |
长整型 |
|
cybereason.malop_process.simple_values.malop.activity_types.values |
检测到的活动类型。 |
关键字 |
cybereason.malop_process.simple_values.malop.last_update_time.total_values |
长整型 |
|
cybereason.malop_process.simple_values.malop.last_update_time.values |
日期 |
|
cybereason.malop_process.simple_values.malop.start_time.total_values |
长整型 |
|
cybereason.malop_process.simple_values.malop.start_time.values |
日期 |
|
cybereason.malop_process.simple_values.root_cause_element.company_product.total_values |
长整型 |
|
cybereason.malop_process.simple_values.root_cause_element.company_product.values |
触发 Malop 的元素相关的公司和产品,表示为 company:product。 |
关键字 |
cybereason.malop_process.simple_values.root_cause_element.hashes.total_values |
长整型 |
|
cybereason.malop_process.simple_values.root_cause_element.hashes.values |
触发 Malop 的元素的哈希值。 |
关键字 |
cybereason.malop_process.simple_values.root_cause_element.names.total_values |
长整型 |
|
cybereason.malop_process.simple_values.root_cause_element.names.values |
触发 Malop 的元素的名称。 |
关键字 |
cybereason.malop_process.simple_values.root_cause_element.types.total_values |
长整型 |
|
cybereason.malop_process.simple_values.root_cause_element.types.values |
触发 Malop 的元素的类型。 |
关键字 |
cybereason.malop_process.simple_values.total.number_of.incoming_connections.total_values |
长整型 |
|
cybereason.malop_process.simple_values.total.number_of.incoming_connections.values |
与恶意进程相关的传入连接总数。 |
长整型 |
cybereason.malop_process.simple_values.total.number_of.outgoing_connections.total_values |
长整型 |
|
cybereason.malop_process.simple_values.total.number_of.outgoing_connections.values |
与恶意进程相关的传出连接总数。 |
长整型 |
cybereason.malop_process.simple_values.total.received_bytes.total_values |
长整型 |
|
cybereason.malop_process.simple_values.total.received_bytes.values |
恶意进程接收的总字节数。 |
长整型 |
cybereason.malop_process.simple_values.total.transmitted_bytes.total_values |
长整型 |
|
cybereason.malop_process.simple_values.total.transmitted_bytes.values |
恶意进程传输的总字节数。 |
长整型 |
cybereason.malop_process.suspect |
布尔值 |
|
cybereason.malop_process.suspicion_count |
长整型 |
|
cybereason.malop_process.suspicions |
扁平化 |
|
cybereason.malop_process.suspicions_map |
扁平化 |
|
data_stream.dataset |
数据流数据集。 |
constant_keyword |
data_stream.namespace |
数据流命名空间。 |
constant_keyword |
data_stream.type |
数据流类型。 |
constant_keyword |
event.dataset |
事件数据集。 |
constant_keyword |
event.module |
事件模块。 |
constant_keyword |
input.type |
Filebeat 输入的类型。 |
关键字 |
log.offset |
日志偏移量。 |
长整型 |
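The table above describes the shape of an indexed `malop_process` document but not how an analyst would consume it: `simple_values.<name>` is always a `total_values`/`values` wrapper, `element_values.<group>` is a list of related elements, and `suspicions` is a map from suspicion name to first-seen time in epoch milliseconds. The following added example (not code from the Elastic integration or from Cybereason) walks that layout to produce a triage summary and an IOC list. The two input documents are constructed for illustration from values on this page, and the ordering HIGH > MEDIUM > LOW is an assumption, since the page's samples only show HIGH and LOW.

```python
"""Triage summary over parsed Cybereason malop_process documents.

Added example for illustration; not Elastic integration or Cybereason code.
Input documents follow the cybereason.malop_process.* layout documented above.
"""
from datetime import datetime, timezone

PRIORITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}  # assumed ordering

# Constructed documents; GUIDs, names and hashes are borrowed from the page's samples.
SAMPLE_MALOPS = [
    {
        "guid_string": "AAAA0xquIk3X9oQ_",
        "malop_priority": "LOW",
        "is_malicious": False,
        "suspicion_count": 1,
        "suspicions": {"connectingToBlackListAddressSuspicion": 1710261170916},
        "simple_values": {
            "is_blocked": {"total_values": 1, "values": [False]},
            "root_cause_element": {
                "names": {"total_values": 1, "values": ["register-cimprovider.exe"]},
                "hashes": {"total_values": 1, "values": ["f7b32703e444fdc75c09840afa3dcda8286f3b24"]},
            },
            "total": {"number_of": {"outgoing_connections": {"total_values": 1, "values": [3]}}},
        },
        "element_values": {
            "affected_machines": {"total_values": 1, "element_values": [{"element_type": "Machine", "name": "cybereason"}]},
            "affected_users": {"total_values": 1, "element_values": [{"element_type": "User", "name": "cybereason\\system"}]},
        },
    },
    {
        "guid_string": "AAAA05JzW7vmNhCD",
        "malop_priority": "HIGH",
        "is_malicious": True,
        "suspicion_count": 2,
        "suspicions": {},
        "simple_values": {
            "is_blocked": {"total_values": 1, "values": [True]},
            "root_cause_element": {
                "names": {"total_values": 1, "values": ["cymulatelm64.exe"]},
                "hashes": {"total_values": 1, "values": ["nbvgyui765tghnxxx"]},
            },
        },
        "element_values": {
            "affected_machines": {"total_values": 1, "element_values": [{"element_type": "Machine", "name": "dim-win10"}]},
        },
    },
]


def epoch_ms_to_iso(ms):
    """Suspicion first-seen times are epoch milliseconds; render as UTC ISO 8601."""
    secs, millis = divmod(int(ms), 1000)
    return datetime.fromtimestamp(secs, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S") + f".{millis:03d}Z"


def values_of(doc, *path):
    """Return simple_values.<path>.values, or [] when any level is missing."""
    node = doc.get("simple_values", {})
    for key in path:
        node = node.get(key) or {}
    return list(node.get("values", []))


def element_names(doc, group):
    """Names listed under element_values.<group>.element_values[]."""
    block = doc.get("element_values", {}).get(group) or {}
    return [e["name"] for e in block.get("element_values", []) if "name" in e]


def summarize_malop(doc):
    """Flatten one document into the handful of fields an analyst triages on."""
    return {
        "guid": doc.get("guid_string"),
        "priority": doc.get("malop_priority", "LOW"),
        "malicious": bool(doc.get("is_malicious")),
        "blocked": any(values_of(doc, "is_blocked")),
        "suspicion_count": int(doc.get("suspicion_count", 0)),
        "suspicions": {n: epoch_ms_to_iso(t) for n, t in (doc.get("suspicions") or {}).items()},
        "root_cause_names": values_of(doc, "root_cause_element", "names"),
        "hashes": values_of(doc, "root_cause_element", "hashes"),
        "affected_machines": element_names(doc, "affected_machines"),
        "affected_users": element_names(doc, "affected_users"),
        "outgoing_connections": sum(int(v) for v in values_of(doc, "total", "number_of", "outgoing_connections")),
    }


def rank_malops(docs):
    """Highest priority first, then the most suspicions; unknown priorities sort last."""
    ranked = [summarize_malop(d) for d in docs]
    ranked.sort(key=lambda s: (PRIORITY_RANK.get(s["priority"], len(PRIORITY_RANK)), -s["suspicion_count"]))
    return ranked


def collect_iocs(docs):
    """Deduplicated root-cause hashes and names across a batch, e.g. for a blocklist."""
    hashes, names = set(), set()
    for s in (summarize_malop(d) for d in docs):
        hashes.update(s["hashes"])
        names.update(s["root_cause_names"])
    return {"hashes": sorted(hashes), "names": sorted(names)}
```

`values_of` tolerates missing levels because the wrapper objects are only present when Cybereason returned that attribute, so a summary over a mixed batch does not fail on a document that lacks, for example, connection totals.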
Malware

This is the `Malware` dataset.

Example

An example event for `malware` looks as following:
```json
{ "@timestamp": "2024-03-11T08:56:57.000Z", "cybereason": { "malware": { "data_model": { "class": ".BaseFileMalwareDataModel", "description": "EXECUTE_MALICIOUS_ACTIVITY", "detection": { "name": "IL:Trojan.MSILZilla.30425", "rule": "Formatting (1106)" }, "file_path": "c:\\programdata\\cymulate\\hopper\\boot64_1da739212534cbd666bc903c25b812e0\\cymulatelm64.exe", "module": "Formatting (1106)", "process_name": "remotefxvgpudisablement.exe", "type": "UnknownMalware", "url": "https://malware_data_model" }, "detection": { "engine": "StaticAnalysis", "value": { "original": "62b9e0dfd0ef2cd88fdcd412523c7d9f", "type": "DVT_FILE" } }, "element_type": "File", "guid": "-286218732.7910817006083139531", "id": { "element_type": "File", "guid": "-286218732.7910817006083139531", "malware_type": "UnknownMalware", "timestamp": "2024-03-11T08:56:57.000Z" }, "machine_name": "dim-win10", "name": "cymulatelm64.exe", "needs_attention": false, "reference": { "element_type": "File", "guid": "-286218732.7910817006083139531" }, "scheduler_scan": false, "score": 0.7721870783056456, "status": "Detected", "timestamp": "2024-03-11T08:56:57.000Z", "type": "UnknownMalware" } }, "ecs": { "version": "8.11.0" }, "event": { "category": [ "malware" ], "kind": "alert", "original": "{ \"guid\": \"-286218732.7910817006083139531\", \"timestamp\": 1710147417000, \"name\": \"cymulatelm64.exe\", \"type\": \"UnknownMalware\", \"elementType\": \"File\", \"machineName\": \"dim-win10\", \"status\": \"Detected\", \"needsAttention\": false, \"referenceGuid\": \"-286218732.7910817006083139531\", \"referenceElementType\": \"File\", \"score\": 0.7721870783056456, \"detectionValue\": \"62b9e0dfd0ef2cd88fdcd412523c7d9f\", \"detectionValueType\": \"DVT_FILE\", \"detectionEngine\": \"StaticAnalysis\", \"malwareDataModel\": { \"@class\": \".BaseFileMalwareDataModel\", \"type\": \"UnknownMalware\", \"detectionName\": \"IL:Trojan.MSILZilla.30425\", \"filePath\": \"c:\\\\programdata\\\\cymulate\\\\hopper\\\\boot64_1da739212534cbd666bc903c25b812e0\\\\cymulatelm64.exe\", \"processName\": \"remotefxvgpudisablement.exe\", \"url\": \"https://malware_data_model\", \"detectionRule\": \"Formatting (1106)\", \"module\": \"Formatting (1106)\", \"description\": \"EXECUTE_MALICIOUS_ACTIVITY\"}, \"id\": { \"guid\": \"-286218732.7910817006083139531\", \"timestamp\": 1710147417000, \"malwareType\": \"UnknownMalware\", \"elementType\": \"File\" }, \"schedulerScan\": false }", "type": [ "info" ] }, "host": { "hostname": "dim-win10" }, "related": { "hosts": [ "dim-win10" ] }, "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields" ] }
```
Exported fields

Field | Description | Type
---|---|---
@timestamp | Event timestamp. | date
cybereason.malware.data_model.class | | keyword
cybereason.malware.data_model.description | | keyword
cybereason.malware.data_model.detection.name | | keyword
cybereason.malware.data_model.detection.rule | | keyword
cybereason.malware.data_model.file_path | The file path of the malware. | keyword
cybereason.malware.data_model.module | | keyword
cybereason.malware.data_model.process_name | | keyword
cybereason.malware.data_model.type | | keyword
cybereason.malware.data_model.url | | keyword
cybereason.malware.detection.engine | | keyword
cybereason.malware.detection.value.original | | keyword
cybereason.malware.detection.value.type | | keyword
cybereason.malware.element_type | | keyword
cybereason.malware.guid | The unique GUID the Cybereason platform uses for this specific malware instance. | keyword
cybereason.malware.id.element_type | | keyword
cybereason.malware.id.guid | | keyword
cybereason.malware.id.malware_type | | keyword
cybereason.malware.id.timestamp | | date
cybereason.malware.machine_name | The name of the machine on which the Cybereason platform found the malware. | keyword
cybereason.malware.name | The name of the process running the malware. | keyword
cybereason.malware.needs_attention | | boolean
cybereason.malware.reference.element_type | | keyword
cybereason.malware.reference.guid | | keyword
cybereason.malware.scheduler_scan | | boolean
cybereason.malware.score | | double
cybereason.malware.status | The detection status of the malware. This should match the anti-malware settings you specified for the Cybereason platform. | keyword
cybereason.malware.timestamp | The time (in epoch format) when the Cybereason platform detected this malware. | date
cybereason.malware.type | The type of malware, as classified by the Cybereason platform. | keyword
data_stream.dataset | Data stream dataset. | constant_keyword
data_stream.namespace | Data stream namespace. | constant_keyword
data_stream.type | Data stream type. | constant_keyword
event.dataset | Event dataset. | constant_keyword
event.module | Event module. | constant_keyword
input.type | Type of Filebeat input. | keyword
log.offset | Log offset. | long
Poll Malop

This is the `Poll Malop` dataset.

Example

An example event for `poll_malop` looks as following:
```json
{ "@timestamp": "2024-03-04T19:12:56.110Z", "cybereason": { "poll_malop": { "class": ".MalopInboxModel", "closed": false, "closer_name": "Closer Name", "containers": [ "Testing" ], "creation_time": "2023-09-15T23:52:35.604Z", "data": { "close_time": "2023-11-23T06:45:15.015Z", "detection_type": "CUSTOM_RULE", "priority": "LOW", "severity": "High", "status": "Active", "type": "CUSTOM_RULE" }, "decision_statuses": [ "Testing" ], "detection": { "engines": [ "EDR" ], "types": [ "calc_Custom_Rule" ] }, "display_name": "register-cimprovider.exe", "edr": true, "empty": true, "escalated": false, "group": "72a61eac-6f79-4670-8607-a1334ddd2ff0", "guid": "AAAA05JzW7vmNhCD", "icon_base64": "muhk", "labels": [ "IT-Pending", "Testing" ], "last_update_time": "2024-03-04T19:12:56.110Z", "machines": [ { "class": ".MachineInboxModel", "connected": false, "display_name": "d3dock-poc", "empty": true, "guid": "lbnnvBCi55eyTiwX", "isolated": false, "last_connected": "2024-01-07T06:23:30.725Z", "os_type": "WINDOWS" }, { "class": ".MachineInboxModel", "connected": true, "display_name": "cybereason", "empty": true, "guid": "zpP73xCi55eyTiwX", "isolated": true, "last_connected": "2024-03-18T08:30:50.941Z", "os_type": "linux" }, { "class": ".MachineInboxModel", "connected": false, "display_name": "dim-win10", "empty": true, "guid": "7vCmFBCi55eyTiwX", "isolated": false, "last_connected": "2024-03-17T16:21:34.714Z", "os_type": "xyz" } ], "primary_root_cause_name": "register-cimprovider.exe", "priority": "HIGH", "root_cause_element": { "hashes": "f7b32703e444fdc75c09840afa3dcda8286f3b24", "names_count": 1, "type": "Process" }, "severity": "High", "status": "Active", "users": [ { "admin": false, "display_name": "d3dock-poc\\administrator", "domain_user": false, "guid": "AAAAGGHyKbMGbI4y", "local_system": false }, { "admin": false, "display_name": "cybereason\\system", "domain_user": false, "guid": "AAAAGK97gKTvmLc3", "local_system": true }, { "admin": false, "display_name": "cy\\cymulator", "domain_user": false, "guid": "AAAAGGZ3xLXVm27e", "local_system": false } ] } }, "ecs": { "version": "8.11.0" }, "event": { "category": [ "malware" ], "created": "2023-09-15T23:52:35.604Z", "id": "AAAA05JzW7vmNhCD", "kind": "alert", "original": "{\"@class\":\".MalopInboxModel\",\"guid\":\"AAAA05JzW7vmNhCD\",\"closerName\":\"Closer Name\",\"displayName\":\"register-cimprovider.exe\",\"rootCauseElementType\":\"Process\",\"primaryRootCauseName\":\"register-cimprovider.exe\",\"rootCauseElementNamesCount\":1,\"detectionEngines\":[\"EDR\"],\"detectionTypes\":[\"calc_Custom_Rule\"],\"malopDetectionType\":\"CUSTOM_RULE\",\"creationTime\":1694821955604,\"lastUpdateTime\":1709579576110,\"iconBase64\":\"muhk\",\"priority\":\"HIGH\",\"group\":\"72a61eac-6f79-4670-8607-a1334ddd2ff0\",\"rootCauseElementHashes\": \"f7b32703e444fdc75c09840afa3dcda8286f3b24\",\"status\":\"Active\",\"severity\":\"High\",\"machines\":[{\"@class\":\".MachineInboxModel\",\"guid\":\"lbnnvBCi55eyTiwX\",\"displayName\":\"d3dock-poc\",\"osType\":\"WINDOWS\",\"connected\":false,\"isolated\":false,\"lastConnected\":1704608610725,\"empty\":true},{\"@class\":\".MachineInboxModel\",\"guid\":\"zpP73xCi55eyTiwX\",\"displayName\":\"cybereason\",\"osType\":\"linux\",\"connected\":true,\"isolated\":true,\"lastConnected\":1710750650941,\"empty\":true},{\"@class\":\".MachineInboxModel\",\"guid\":\"7vCmFBCi55eyTiwX\",\"displayName\":\"dim-win10\",\"osType\":\"xyz\",\"connected\":false,\"isolated\":false,\"lastConnected\":1710692494714,\"empty\":true}],\"users\":[{\"guid\":\"AAAAGGHyKbMGbI4y\",\"displayName\":\"d3dock-poc\\\\administrator\",\"admin\":false,\"localSystem\":false,\"domainUser\":false},{\"guid\":\"AAAAGK97gKTvmLc3\",\"displayName\":\"cybereason\\\\system\",\"admin\":false,\"localSystem\":true,\"domainUser\":false},{\"guid\":\"AAAAGGZ3xLXVm27e\",\"displayName\":\"cy\\\\cymulator\",\"admin\":false,\"localSystem\":false,\"domainUser\":false}],\"containers\":[\"Testing\"],\"labels\":[\"IT-Pending\",\"Testing\"],\"decisionStatuses\":[\"Testing\"],\"malopCloseTime\":1700721915015,\"escalated\":false,\"malopStatus\":\"Active\",\"malopSeverity\":\"High\",\"edr\":true,\"malopType\":\"CUSTOM_RULE\",\"malopPriority\":\"LOW\",\"closed\":false,\"empty\":true}", "type": [ "info" ] }, "group": { "id": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "host": { "id": [ "lbnnvBCi55eyTiwX", "zpP73xCi55eyTiwX", "7vCmFBCi55eyTiwX" ], "name": [ "d3dock-poc", "cybereason", "dim-win10" ], "os": { "type": [ "windows", "linux" ] } }, "related": { "hash": [ "f7b32703e444fdc75c09840afa3dcda8286f3b24" ], "hosts": [ "d3dock-poc", "cybereason", "dim-win10", "lbnnvBCi55eyTiwX", "zpP73xCi55eyTiwX", "7vCmFBCi55eyTiwX", "WINDOWS", "linux", "xyz" ], "user": [ "d3dock-poc\\administrator", "cybereason\\system", "cy\\cymulator", "AAAAGGHyKbMGbI4y", "AAAAGK97gKTvmLc3", "AAAAGGZ3xLXVm27e" ] }, "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields" ] }
```
Exported fields

Field | Description | Type
---|---|---
@timestamp | Event timestamp. | date
cybereason.poll_malop.class | | keyword
cybereason.poll_malop.closed | | boolean
cybereason.poll_malop.closer_name | | keyword
cybereason.poll_malop.containers | | keyword
cybereason.poll_malop.creation_time | The time (in epoch format) the Malop was generated. | date
cybereason.poll_malop.data.close_time | | date
cybereason.poll_malop.data.detection_type | The detection type of the root cause. | keyword
cybereason.poll_malop.data.priority | | keyword
cybereason.poll_malop.data.severity | | keyword
cybereason.poll_malop.data.status | | keyword
cybereason.poll_malop.data.type | | keyword
cybereason.poll_malop.decision_statuses | The preventive measures the Cybereason platform used for this Malop. | keyword
cybereason.poll_malop.detection.engines | The method by which the Malop was detected. | keyword
cybereason.poll_malop.detection.types | The detection type of the root cause. | keyword
cybereason.poll_malop.display_name | The display name of the item. | keyword
cybereason.poll_malop.edr | Indicates whether the Malop is an Auto Hunt (EDR) Malop or an Endpoint Protection Malop. | boolean
cybereason.poll_malop.empty | | boolean
cybereason.poll_malop.escalated | Indicates whether someone has marked the Malop as escalated. | boolean
cybereason.poll_malop.files | Object containing details of the files associated with the MalOp. | flattened
cybereason.poll_malop.group | The group ID of the affected sensors. | keyword
cybereason.poll_malop.guid | The unique GUID the Cybereason platform uses for the MalOp. | keyword
cybereason.poll_malop.icon_base64 | The base64 value of the item that is the root cause of the Malop. | keyword
cybereason.poll_malop.labels | Object containing label details, such as the label name and the time the label was added. | keyword
cybereason.poll_malop.last_update_time | The time (in epoch format) the Malop was last updated. | date
cybereason.poll_malop.machines.class | | keyword
cybereason.poll_malop.machines.connected | Indicates whether the machine is currently connected to the Cybereason server. | boolean
cybereason.poll_malop.machines.display_name | | keyword
cybereason.poll_malop.machines.empty | | boolean
cybereason.poll_malop.machines.guid | | keyword
cybereason.poll_malop.machines.isolated | Indicates whether the machine is currently isolated. | boolean
cybereason.poll_malop.machines.last_connected | The time (in epoch format) the machine last connected to the Cybereason server. | date
cybereason.poll_malop.machines.os_type | The operating system type of the affected machine. | keyword
cybereason.poll_malop.primary_root_cause_name | | keyword
cybereason.poll_malop.priority | The priority assigned to the MalOp. | keyword
cybereason.poll_malop.processes | Object containing details of the processes associated with the MalOp. | flattened
cybereason.poll_malop.root_cause_element.hashes | | keyword
cybereason.poll_malop.root_cause_element.names_count | The count of items that are the root cause(s) of the Malop. | long
cybereason.poll_malop.root_cause_element.type | The element that is the root cause of the Malop. | keyword
cybereason.poll_malop.severity | The Malop severity level. | keyword
cybereason.poll_malop.status | The status of the Malop. | keyword
cybereason.poll_malop.users.admin | Indicates whether the specified user has administrator privileges on the machine. | boolean
cybereason.poll_malop.users.display_name | | keyword
cybereason.poll_malop.users.domain_user | Indicates whether the specified user is a domain user. | boolean
cybereason.poll_malop.users.guid | | keyword
cybereason.poll_malop.users.local_system | Indicates whether the specified user has local system privileges on the machine. | boolean
data_stream.dataset | Data stream dataset. | constant_keyword
data_stream.namespace | Data stream namespace. | constant_keyword
data_stream.type | Data stream type. | constant_keyword
event.dataset | Event dataset. | constant_keyword
event.module | Event module. | constant_keyword
input.type | Type of Filebeat input. | keyword
log.offset | Log offset. | long
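The sample event and the table above show two views of the same Malop: the raw inbox record the API returns (kept verbatim in `event.original`, with epoch-millisecond timestamps, a camelCase `machines` list and a single hash string) and the indexed layout with `date` fields and ECS `host`/`related` arrays. The following added example (not the integration's ingest pipeline and not Cybereason code) performs that normalization for one record so the mapping is explicit. `RAW_MALOP` is constructed from the values in the page's sample; the `OS_TYPE_MAP` values and the decision to keep an unrecognised `osType` such as `xyz` only in the per-machine field, not in `host.os.type`, are assumptions that follow the sample's output.

```python
"""Normalize a raw Cybereason Malop inbox record into the documented
cybereason.poll_malop.* layout plus ECS host/related fields.

Added example for illustration; not Elastic integration or Cybereason code.
"""
import json
from datetime import datetime, timezone

# Assumed mapping from Cybereason osType strings to ECS host.os.type values.
OS_TYPE_MAP = {"WINDOWS": "windows", "LINUX": "linux"}

# Constructed from the page's sample; times are epoch milliseconds as returned by the API.
RAW_MALOP = {
    "@class": ".MalopInboxModel",
    "guid": "AAAA05JzW7vmNhCD",
    "displayName": "register-cimprovider.exe",
    "rootCauseElementType": "Process",
    "rootCauseElementNamesCount": 1,
    "rootCauseElementHashes": "f7b32703e444fdc75c09840afa3dcda8286f3b24",
    "malopDetectionType": "CUSTOM_RULE",
    "creationTime": 1694821955604,
    "lastUpdateTime": 1709579576110,
    "malopCloseTime": 1700721915015,
    "priority": "HIGH", "status": "Active", "severity": "High",
    "escalated": False, "closed": False,
    "machines": [
        {"guid": "lbnnvBCi55eyTiwX", "displayName": "d3dock-poc", "osType": "WINDOWS",
         "connected": False, "isolated": False, "lastConnected": 1704608610725},
        {"guid": "zpP73xCi55eyTiwX", "displayName": "cybereason", "osType": "linux",
         "connected": True, "isolated": True, "lastConnected": 1710750650941},
        {"guid": "7vCmFBCi55eyTiwX", "displayName": "dim-win10", "osType": "xyz",
         "connected": False, "isolated": False, "lastConnected": 1710692494714},
    ],
    "users": [
        {"guid": "AAAAGGHyKbMGbI4y", "displayName": "d3dock-poc\\administrator",
         "admin": False, "localSystem": False, "domainUser": False},
        {"guid": "AAAAGK97gKTvmLc3", "displayName": "cybereason\\system",
         "admin": False, "localSystem": True, "domainUser": False},
    ],
}


def epoch_ms_to_iso(ms):
    """Epoch milliseconds -> UTC ISO 8601 with millisecond precision."""
    secs, millis = divmod(int(ms), 1000)
    return datetime.fromtimestamp(secs, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S") + f".{millis:03d}Z"


def normalize_poll_malop(raw):
    machines = [
        {"guid": m.get("guid"), "display_name": m.get("displayName"), "os_type": m.get("osType"),
         "connected": m.get("connected"), "isolated": m.get("isolated"),
         "last_connected": epoch_ms_to_iso(m["lastConnected"]) if m.get("lastConnected") else None}
        for m in raw.get("machines", [])
    ]
    users = [
        {"guid": u.get("guid"), "display_name": u.get("displayName"), "admin": u.get("admin"),
         "local_system": u.get("localSystem"), "domain_user": u.get("domainUser")}
        for u in raw.get("users", [])
    ]
    # The API returns one hash string here; the documented field is a keyword list.
    hashes = raw.get("rootCauseElementHashes") or []
    if isinstance(hashes, str):
        hashes = [hashes]
    os_types = []  # only values ECS recognises, deduplicated in first-seen order
    for m in machines:
        ecs_type = OS_TYPE_MAP.get(str(m["os_type"]).upper())
        if ecs_type and ecs_type not in os_types:
            os_types.append(ecs_type)
    poll_malop = {
        "guid": raw.get("guid"),
        "display_name": raw.get("displayName"),
        "creation_time": epoch_ms_to_iso(raw["creationTime"]),
        "last_update_time": epoch_ms_to_iso(raw["lastUpdateTime"]),
        "priority": raw.get("priority"), "severity": raw.get("severity"), "status": raw.get("status"),
        "escalated": raw.get("escalated"), "closed": raw.get("closed"),
        "data": {"detection_type": raw.get("malopDetectionType"),
                 "close_time": epoch_ms_to_iso(raw["malopCloseTime"]) if raw.get("malopCloseTime") else None},
        "root_cause_element": {"type": raw.get("rootCauseElementType"),
                               "names_count": raw.get("rootCauseElementNamesCount"), "hashes": hashes},
        "machines": machines,
        "users": users,
    }
    return {
        "@timestamp": poll_malop["last_update_time"],
        "cybereason": {"poll_malop": poll_malop},
        "event": {"kind": "alert", "category": ["malware"], "id": raw.get("guid"),
                  "created": poll_malop["creation_time"], "original": json.dumps(raw, separators=(",", ":"))},
        "host": {"id": [m["guid"] for m in machines], "name": [m["display_name"] for m in machines],
                 "os": {"type": os_types}},
        "related": {"hash": hashes,
                    "hosts": [m["display_name"] for m in machines] + [m["guid"] for m in machines],
                    "user": [u["display_name"] for u in users] + [u["guid"] for u in users]},
    }


def isolated_hosts(doc):
    """Affected machines Cybereason reports as currently isolated; useful when deciding whether containment already happened."""
    return [m["display_name"] for m in doc["cybereason"]["poll_malop"]["machines"] if m["isolated"]]
```

The page's sample also lists the raw `osType` strings under `related.hosts`; this example keeps `related.hosts` to machine names and GUIDs, which is what that field is meant to carry.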
Suspicions Process

This is the `Suspicions Process` dataset.

Example

An example event for `suspicions_process` looks as following:
{ "@timestamp": "2024-03-12T15:13:27.872Z", "cybereason": { "suspicions_process": { "element_values": { "calculated_user": { "element_values": [ { "element_type": "User", "guid": "AAAAGGZ3xLXVm27e", "has_malops": false, "has_suspicions": false, "name": "cy\\cymulator" } ], "guessed_total": 0, "total_malicious": 0, "total_suspicious": 0, "total_values": 1 }, "children": { "guessed_total": 0, "total_malicious": 0, "total_suspicious": 0, "total_values": 0 }, "image_file": { "element_values": [ { "element_type": "File", "guid": "7vCmFKxNAQXpBIkL", "has_malops": false, "has_suspicions": false, "name": "msedge.exe", "object": { "fileHash": { "elementValues": [ { "elementType": "FileHash", "guid": "AAAAHuaPtU7zGEJc", "hasMalops": false, "hasSuspicions": false, "name": "a3c06b947549921d60d59917575df5ee5dfc472a", "simpleValues": { "iconBase64": { "totalValues": 1, "values": [ "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" ] } } } ], "guessedTotal": 0, "totalMalicious": 0, "totalSuspicious": 0, "totalValues": 1 } }, "simple_values": { "companyName": { "totalValues": 1, "values": [ "Microsoft Corporation" ] }, "maliciousClassificationType": { "totalValues": 1, "values": [ "indifferent" ] }, "md5String": { "totalValues": 1, "values": [ "5ac5ddc4c27ecc203b2ed62bbe8fb8b9" ] }, "productName": { "totalValues": 1, "values": [ "Microsoft Edge" ] }, "sha1String": { "totalValues": 1, "values": [ "a3c06b947549921d60d59917575df5ee5dfc472a" ] } } } ], "guessed_total": 0, "total_malicious": 0, "total_suspicious": 0, "total_values": 1 }, "owner_machine": { "element_values": [ { "element_type": "Machine", "guid": "7vCmFBCi55eyTiwX", "has_malops": false, "has_suspicions": false, "name": "dim-win10" } ], "guessed_total": 0, "total_malicious": 0, "total_suspicious": 0, "total_values": 1 }, "parent_process": { "element_values": [ { "element_type": "Process", "guid": "7vCmFMsvYy739EW5", "has_malops": false, "has_suspicions": false, "name": "msedge.exe" } ], "guessed_total": 0, 
"total_malicious": 0, "total_suspicious": 0, "total_values": 1 } }, "evidence_map": { "evidence": "map" }, "filter_data": { "group_by_value": "msedge.exe" }, "guid_string": "7vCmFCPB0XpbELrD", "is_malicious": true, "malicious": true, "simple_values": { "command_line": { "total_values": 1, "values": [ "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2744 --field-trial-handle=2328,i,5521555393418764293,4286640738456912470,262144 --variations-seed-version /prefetch:3" ] }, "creation_time": { "total_values": 1, "values": [ "2024-03-12T08:40:35.122Z" ] }, "element_display_name": { "total_values": 1, "values": [ "msedge.exe" ] }, "end_time": { "total_values": 1, "values": [ "2024-03-12T15:13:27.872Z" ] }, "execution_prevented": { "total_values": 1, "values": [ false ] }, "group": { "total_values": 1, "values": [ "72a61eac-6f79-4670-8607-a1334ddd2ff0" ] }, "icon_base64": { "total_values": 1, "values": [ "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" ] }, "image_file_company_name": { "total_values": 1, "values": [ "Microsoft Corporation" ] }, "image_file_hash_icon_base64": { "total_values": 1, "values": [ "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" ] }, "image_file_malicious_classification_type": { "total_values": 1, "values": [ "indifferent" ] }, "image_file_md5_string": { "total_values": 1, "values": [ "5ac5ddc4c27ecc203b2ed62bbe8fb8b9" ] }, "image_file_product_name": { "total_values": 1, "values": [ "Microsoft Edge" ] }, "image_file_sha1_string": { "total_values": 1, "values": [ "a3c06b947549921d60d59917575df5ee5dfc472a" ] }, "is_image_file_signed_and_verified": { "total_values": 1, "values": [ true ] }, "is_white_list_classification": { "total_values": 1, "values": [ false ] }, "product_type": { "total_values": 1, "values": [ "BROWSER" ] }, 
"ransomware_auto_remediation_suspended": { "total_values": 1, "values": [ false ] } }, "suspect": true, "suspicion_count": 1, "suspicions": { "connectingToBlackListAddressSuspicion": 1710232863248 }, "suspicions_map": { "connectingToBlackListAddressSuspicion": { "firstTimestamp": 1710232863248, "potentialEvidence": [ "hasBlackListConnectionEvidence" ], "totalSuspicions": 4 } } } }, "ecs": { "version": "8.11.0" }, "event": { "category": [ "malware" ], "created": [ "2024-03-12T08:40:35.122Z" ], "id": "7vCmFCPB0XpbELrD", "kind": "alert", "original": "[{\"simpleValues\":{\"commandLine\":{\"totalValues\":1,\"values\":[\"\\\"C:\\\\\Program Files (x86)\\\\\Microsoft\\\\\Edge\\\\\Application\\\\\msedge.exe\\\" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2744 --field-trial-handle=2328,i,5521555393418764293,4286640738456912470,262144 --variations-seed-version \\\/prefetch:3\"]},\"group\":{\"totalValues\":1,\"values\":[\"72a61eac-6f79-4670-8607-a1334ddd2ff0\"]},\"imageFile.maliciousClassificationType\":{\"totalValues\":1,\"values\":[\"indifferent\"]},\"ransomwareAutoRemediationSuspended\":{\"totalValues\":1,\"values\":[\"false\"]},\"imageFile.fileHash.iconBase64\":{\"totalValues\":1,\"values\":[\"iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAh4SURBVFhHpdd7UFNnGgbwWBURCAQVtu0\\\/OzudcXVFVEBATdWKLVvkIuEmWAoUtOttqsICIiqKiEQBoV4xut1O1d11lW4RvFTSQ0ggECABkhAIIF4QpXZTt1Pcdbt59j050QoBq+07804YhuT5fe\\\/58p0D70XLi3kQM69mgJlb02+aU9OHObIeeMqMmCM3YI5Ci3n1Gmr1kE+jsptaskhd\\\/WvrW39Z+TDfSnwY05BXzQNQOPVtsIDZsm7qLnjWdsBTrsWculYCNMOnQQn\\\/phoINdfNS9oudy\\\/TVgitH\\\/Vy5cs8Evoy35t8mIfwrvkGXjWDFH6Hwm\\\/Cs+YGZtewgA54yPSYLW+Dp6IVc+ub4KVUYUEzC7iGpW0VWK67iKCuM+qwXsmLT8SPeZTvywyZLeHMP+HFDGJezT0C3OVWT+EelnAO4FHbRgg1AVTwbqiHb5MMC1qqLYDAjnN413AGK3tPDMX158dYI8YuP+Y\\\/Elo55jPfgQXQ+C2rn0fh7AQsq6fRz2KDLa2jn1lAK02hGfOUjfBVsRO4agW
cRVh3GQsAAcyr+\\\/PGRvgzj\\\/MJAFo99fcU\\\/i1N4AEB7lsAnjLu2nvIDJbVs8GzZO34nawVs2pZQAvtBRXtAxmE6itY1n4RgfrPCHAC0TcLQeFIGNhhTh5Mt90X\\\/sx\\\/hRRu9mP+bQHMZ\\\/5F\\\/ZCC2Wt\\\/l177afUsoJNCtU+DR\\\/ZseTMhGmgjfonFmgoEaM8juOsEIm4UIe52LpLuZ2HN16lD1tgfy495bKKm8EdWwHfwkpow84tbmFnRS92DGZe6CGCkcP2o4Wx7yFtoLyixsPkKAf6BgHYWUIaIXjFib+UhaSAVawY3YaMpRWKNtqxewoY\\\/Wf30c31w230NLqnlEGRWwjXrCqZkVVFfwtSMcryaX4U3\\\/t48BoD9KjLwbZRiUUsllmvPIMhQhugbuYi9mY3E\\\/i1IubceGx7Em63xFsAQXX94fP4NBFnXwM+4BudsBi67FBDk1sM1rwFT8pSYmleHabkyTNstxbSdl\\\/FqbhWmV2qGAWbLVZhbJ4e\\\/6hIWt\\\/wNAa2fYEVHCUI7xVjVtw0JdzYh+e5a\\\/OF+PDY9iJRQ+A8xBMD0M\\\/1wSL0Kp+214Oc0wnmvBi772yEQ6+B6UIcp1FMLdXArbIPbgRa47a+HW64UbtkVeOMCNw2P2hY6lBQEUGB+fRUWNV\\\/EMs0pBHcUQ2TMQUxvBuJubMYH\\\/Wvx4b14rB+MHuAtqn6kmXn+a0xOk8IhWwnH3Wrw83RwLjDARdwJQWEXXIuMmHLIiKnU00qoDxngXqyD+4EmuOfJ4LajEr+tUtKpKMdcuRReisvwbziPN5s+xTL1MQTr8hBu2I5o4xa835eCpNuJSOmPxYd3ReB5Vzz8H39nI+yzVXDY3QbHvA445XeCX2CE8wEjXA52Q1DUDdfiHkL0YGpJDyE68XppR\\\/evSg0F7kXqdPd9CuVrBdfhwbCA6wSoxALlZ3hTdQpvNR9BiC4XIkMWAbZide9aJN5MRPKtKA4w4y+DmLS9Gfa72jA5Vw+HvE447qPe3zUcUcghBNl1+M2Wz0us2+dpuefVJk4vr4a3\\\/AJ8FefgX\\\/dnLFaVIaBJjOC2TIRqMxFp2Ij3ehKR0LfaAlhzJxw8t+Iu2GW3YlKOHva5Bkzea7AgHKwIpwKCiDmESzoDxyCx0pppUzM+ufrYW3aWAGexsP4kFisPYplKjCBNBkLb0yDSb0CsIQ7x3VFIuiFCys1Q8FwPGjFxpw52u\\\/SYtNsA+z0cYvJIRKaCwgvgFFaabs2zKZ+\\\/Xm33ln0Kv9ojWKQoxJIGMd5pzECgKg0hmnUIb09GlC4e7xkj8b4xBCl9gWbehGwtJhBg4q4O2OV0EKLDgrB\\\/FrFXD8fQIgovAV90PNWaZ1PejCTfR3aKAIcJcABL6vYgoD6NABsQ0pIIUXsCYvTRNAUR4jt\\\/j0RjQDdv\\\/HYC7NATQm+LYC8Ji9hQBccQAoiOgR95ssCaZ1M+X5UMzK85goW1+6n34S1FKpYrUxHYuA4rGhMQpo6HSBOFWH0IYnXvIt4QIOS9sl2H8dm6URGTrAiHiKNwWnmYDQc\\\/+nS3NW9YeUk\\\/FnpLi+k0FcOfyYWwdieWyrciQLEegfUJHKBJBFFLKCI1QYjTBzKWN76SpTONhbBjJ5HVDIeQQlr9cfCjTrEAMz\\\/qtM3DhXe1uNxbWghf6R4sZHZCyGzF0tqNCJAn4526BAQ1rEKoKhwidQgL4MLZGrdNxxACTxDjR04inQ6n0ENwiihjw6n\\\/RJDTA9a3Dyvf6hy1nzTHvECaToBUAqwjwAd4Wx6HoPpwBDeEm8JUoZutf87VuG3aGELABkE9kb4Z9usq4RhWah0\\\/hXMAdhrl1o+wKaF002Yh85FkCZPMBMhWM2\\\/XrpIEyiPGfjYkxBCLGPcsIptD2KXVw3Hlx6MB4Bx5ctT9
8PKVqc0nBCw9AjExXUUTKIHT6AA4R5QNOYtODB\\\/rc8p1RWGMa9DBUR5QM7Um3ggEB6EzIPww7YETFP50DzwLAAGojw+5hB8rd1l51OaZTxByKEYQXCwRBBeZCAACjDK5TK2Q2jwaYlLKF3AKP0qhEg4xOgAEAAGoj8Al7DAEoaXUJSAACEBdBAKYCTDGfqBLQY2RiPEZLXCMOEaXgb4J7FfxlwHyrWljVKZWYoOgtlt3jaZwhNuMkSziZwF+fA58bnGTMLOQZxH2SRe4S8GeCZESAlD4iwHMBPiJlY8sbk+YRiIsk6AAuilROBvMhTvTfWIMgIkAP+\\\/\\\/Q0tx06BzgoVwiPHpLZicdBF8uj8400ScKZR95YKp6fcEGCLAS676eZXJnphahhCmJ6fmhKw22P2xge6WX8Lxo6\\\/gmsr88Fpa9cPXU86PecseXjze\\\/wGADjhbeB2rcwAAAABJRU5ErkJggg==\"]},\"executionPrevented\":{\"totalValues\":1,\"values\":[\"false\"]},\"isWhiteListClassification\":{\"totalValues\":1,\"values\":[\"false\"]},\"imageFile.md5String\":{\"totalValues\":1,\"values\":[\"5ac5ddc4c27ecc203b2ed62bbe8fb8b9\"]},\"creationTime\":{\"totalValues\":1,\"values\":[\"1710232835122\"]},\"endTime\":{\"totalValues\":1,\"values\":[\"1710256407872\"]},\"imageFile.sha1String\":{\"totalValues\":1,\"values\":[\"a3c06b947549921d60d59917575df5ee5dfc472a\"]},\"isImageFileSignedAndVerified\":{\"totalValues\":1,\"values\":[\"true\"]},\"iconBase64\":{\"totalValues\":1,\"values\":[\"iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAh4SURBVFhHpdd7UFNnGgbwWBURCAQVtu0\\\/OzudcXVFVEBATdWKLVvkIuEmWAoUtOttqsICIiqKiEQBoV4xut1O1d11lW4RvFTSQ0ggECABkhAIIF4QpXZTt1Pcdbt59j050QoBq+07804YhuT5fe\\\/58p0D70XLi3kQM69mgJlb02+aU9OHObIeeMqMmCM3YI5Ci3n1Gmr1kE+jsptaskhd\\\/WvrW39Z+TDfSnwY05BXzQNQOPVtsIDZsm7qLnjWdsBTrsWculYCNMOnQQn\\\/phoINdfNS9oudy\\\/TVgitH\\\/Vy5cs8Evoy35t8mIfwrvkGXjWDFH6Hwm\\\/Cs+YGZtewgA54yPSYLW+Dp6IVc+ub4KVUYUEzC7iGpW0VWK67iKCuM+qwXsmLT8SPeZTvywyZLeHMP+HFDGJezT0C3OVWT+EelnAO4FHbRgg1AVTwbqiHb5MMC1qqLYDAjnN413AGK3tPDMX158dYI8YuP+Y\\\/Elo55jPfgQXQ+C2rn0fh7AQsq6fRz2KDLa2jn1lAK02hGfOUjfBVsRO4agWcRVh3GQsAAcyr+\\\/PGRvgzj\\\/MJAFo99fcU\\\/i1N4AEB7lsAnjLu2nvIDJbVs8GzZO34nawVs2pZQAvtBRXtAxmE6itY1n4RgfrPCHAC0TcLQeFIGNhhTh5Mt90X\\\/sx\\\/hRRu9mP+bQHMZ\\\/5F\\\/ZCC2Wt\\\/l177afUsoJNCtU+DR\\\/ZseTMhGmgjfonFmgoEaM8juOsEIm4UIe52LpL
uZ2HN16lD1tgfy495bKKm8EdWwHfwkpow84tbmFnRS92DGZe6CGCkcP2o4Wx7yFtoLyixsPkKAf6BgHYWUIaIXjFib+UhaSAVawY3YaMpRWKNtqxewoY\\\/Wf30c31w230NLqnlEGRWwjXrCqZkVVFfwtSMcryaX4U3\\\/t48BoD9KjLwbZRiUUsllmvPIMhQhugbuYi9mY3E\\\/i1IubceGx7Em63xFsAQXX94fP4NBFnXwM+4BudsBi67FBDk1sM1rwFT8pSYmleHabkyTNstxbSdl\\\/FqbhWmV2qGAWbLVZhbJ4e\\\/6hIWt\\\/wNAa2fYEVHCUI7xVjVtw0JdzYh+e5a\\\/OF+PDY9iJRQ+A8xBMD0M\\\/1wSL0Kp+214Oc0wnmvBi772yEQ6+B6UIcp1FMLdXArbIPbgRa47a+HW64UbtkVeOMCNw2P2hY6lBQEUGB+fRUWNV\\\/EMs0pBHcUQ2TMQUxvBuJubMYH\\\/Wvx4b14rB+MHuAtqn6kmXn+a0xOk8IhWwnH3Wrw83RwLjDARdwJQWEXXIuMmHLIiKnU00qoDxngXqyD+4EmuOfJ4LajEr+tUtKpKMdcuRReisvwbziPN5s+xTL1MQTr8hBu2I5o4xa835eCpNuJSOmPxYd3ReB5Vzz8H39nI+yzVXDY3QbHvA445XeCX2CE8wEjXA52Q1DUDdfiHkL0YGpJDyE68XppR\\\/evSg0F7kXqdPd9CuVrBdfhwbCA6wSoxALlZ3hTdQpvNR9BiC4XIkMWAbZide9aJN5MRPKtKA4w4y+DmLS9Gfa72jA5Vw+HvE447qPe3zUcUcghBNl1+M2Wz0us2+dpuefVJk4vr4a3\\\/AJ8FefgX\\\/dnLFaVIaBJjOC2TIRqMxFp2Ij3ehKR0LfaAlhzJxw8t+Iu2GW3YlKOHva5Bkzea7AgHKwIpwKCiDmESzoDxyCx0pppUzM+ufrYW3aWAGexsP4kFisPYplKjCBNBkLb0yDSb0CsIQ7x3VFIuiFCys1Q8FwPGjFxpw52u\\\/SYtNsA+z0cYvJIRKaCwgvgFFaabs2zKZ+\\\/Xm33ln0Kv9ojWKQoxJIGMd5pzECgKg0hmnUIb09GlC4e7xkj8b4xBCl9gWbehGwtJhBg4q4O2OV0EKLDgrB\\\/FrFXD8fQIgovAV90PNWaZ1PejCTfR3aKAIcJcABL6vYgoD6NABsQ0pIIUXsCYvTRNAUR4jt\\\/j0RjQDdv\\\/HYC7NATQm+LYC8Ji9hQBccQAoiOgR95ssCaZ1M+X5UMzK85goW1+6n34S1FKpYrUxHYuA4rGhMQpo6HSBOFWH0IYnXvIt4QIOS9sl2H8dm6URGTrAiHiKNwWnmYDQc\\\/+nS3NW9YeUk\\\/FnpLi+k0FcOfyYWwdieWyrciQLEegfUJHKBJBFFLKCI1QYjTBzKWN76SpTONhbBjJ5HVDIeQQlr9cfCjTrEAMz\\\/qtM3DhXe1uNxbWghf6R4sZHZCyGzF0tqNCJAn4526BAQ1rEKoKhwidQgL4MLZGrdNxxACTxDjR04inQ6n0ENwiihjw6n\\\/RJDTA9a3Dyvf6hy1nzTHvECaToBUAqwjwAd4Wx6HoPpwBDeEm8JUoZutf87VuG3aGELABkE9kb4Z9usq4RhWah0\\\/hXMAdhrl1o+wKaF002Yh85FkCZPMBMhWM2\\\/XrpIEyiPGfjYkxBCLGPcsIptD2KXVw3Hlx6MB4Bx5ctT98PKVqc0nBCw9AjExXUUTKIHT6AA4R5QNOYtODB\\\/rc8p1RWGMa9DBUR5QM7Um3ggEB6EzIPww7YETFP50DzwLAAGojw+5hB8rd1l51OaZTxByKEYQXCwRBBeZCAACjDK5TK2Q2jwaYlLKF3AKP0qhEg4xOgAEAAGoj8Al7DAEoaXUJSAACEBdBAKYCTDGfqBLQY2RiPEZLXCMOEaXgb4J7FfxlwHyrWljVKZW
YoOgtlt3jaZwhNuMkSziZwF+fA58bnGTMLOQZxH2SRe4S8GeCZESAlD4iwHMBPiJlY8sbk+YRiIsk6AAuilROBvMhTvTfWIMgIkAP+\\\/\\\/Q0tx06BzgoVwiPHpLZicdBF8uj8400ScKZR95YKp6fcEGCLAS676eZXJnphahhCmJ6fmhKw22P2xge6WX8Lxo6\\\/gmsr88Fpa9cPXU86PecseXjze\\\/wGADjhbeB2rcwAAAABJRU5ErkJggg==\"]},\"imageFile.productName\":{\"totalValues\":1,\"values\":[\"Microsoft Edge\"]},\"elementDisplayName\":{\"totalValues\":1,\"values\":[\"msedge.exe\"]},\"imageFile.companyName\":{\"totalValues\":1,\"values\":[\"Microsoft Corporation\"]},\"productType\":{\"totalValues\":1,\"values\":[\"BROWSER\"]}},\"elementValues\":{\"children\":{\"totalValues\":0,\"elementValues\":[],\"totalSuspicious\":0,\"totalMalicious\":0,\"guessedTotal\":0},\"calculatedUser\":{\"totalValues\":1,\"elementValues\":[{\"elementType\":\"User\",\"guid\":\"AAAAGGZ3xLXVm27e\",\"name\":\"cy\\\\\cymulator\",\"hasSuspicions\":false,\"hasMalops\":false,\"elementValues\":{},\"simpleValues\":{}}],\"totalSuspicious\":0,\"totalMalicious\":0,\"guessedTotal\":0},\"ownerMachine\":{\"totalValues\":1,\"elementValues\":[{\"elementType\":\"Machine\",\"guid\":\"7vCmFBCi55eyTiwX\",\"name\":\"dim-win10\",\"hasSuspicions\":false,\"hasMalops\":false,\"elementValues\":{},\"simpleValues\":{}}],\"totalSuspicious\":0,\"totalMalicious\":0,\"guessedTotal\":0},\"parentProcess\":{\"totalValues\":1,\"elementValues\":[{\"elementType\":\"Process\",\"guid\":\"7vCmFMsvYy739EW5\",\"name\":\"msedge.exe\",\"hasSuspicions\":false,\"hasMalops\":false,\"elementValues\":{},\"simpleValues\":{}}],\"totalSuspicious\":0,\"totalMalicious\":0,\"guessedTotal\":0},\"imageFile\":{\"totalValues\":1,\"elementValues\":[{\"elementType\":\"File\",\"guid\":\"7vCmFKxNAQXpBIkL\",\"name\":\"msedge.exe\",\"hasSuspicions\":false,\"hasMalops\":false,\"elementValues\":{\"fileHash\":{\"totalValues\":1,\"elementValues\":[{\"elementType\":\"FileHash\",\"guid\":\"AAAAHuaPtU7zGEJc\",\"name\":\"a3c06b947549921d60d59917575df5ee5dfc472a\",\"hasSuspicions\":false,\"hasMalops\":false,\"elementValues\":{},\"simpleVa
lues\":{\"iconBase64\":{\"totalValues\":1,\"values\":[\"iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAh4SURBVFhHpdd7UFNnGgbwWBURCAQVtu0\\\/OzudcXVFVEBATdWKLVvkIuEmWAoUtOttqsICIiqKiEQBoV4xut1O1d11lW4RvFTSQ0ggECABkhAIIF4QpXZTt1Pcdbt59j050QoBq+07804YhuT5fe\\\/58p0D70XLi3kQM69mgJlb02+aU9OHObIeeMqMmCM3YI5Ci3n1Gmr1kE+jsptaskhd\\\/WvrW39Z+TDfSnwY05BXzQNQOPVtsIDZsm7qLnjWdsBTrsWculYCNMOnQQn\\\/phoINdfNS9oudy\\\/TVgitH\\\/Vy5cs8Evoy35t8mIfwrvkGXjWDFH6Hwm\\\/Cs+YGZtewgA54yPSYLW+Dp6IVc+ub4KVUYUEzC7iGpW0VWK67iKCuM+qwXsmLT8SPeZTvywyZLeHMP+HFDGJezT0C3OVWT+EelnAO4FHbRgg1AVTwbqiHb5MMC1qqLYDAjnN413AGK3tPDMX158dYI8YuP+Y\\\/Elo55jPfgQXQ+C2rn0fh7AQsq6fRz2KDLa2jn1lAK02hGfOUjfBVsRO4agWcRVh3GQsAAcyr+\\\/PGRvgzj\\\/MJAFo99fcU\\\/i1N4AEB7lsAnjLu2nvIDJbVs8GzZO34nawVs2pZQAvtBRXtAxmE6itY1n4RgfrPCHAC0TcLQeFIGNhhTh5Mt90X\\\/sx\\\/hRRu9mP+bQHMZ\\\/5F\\\/ZCC2Wt\\\/l177afUsoJNCtU+DR\\\/ZseTMhGmgjfonFmgoEaM8juOsEIm4UIe52LpLuZ2HN16lD1tgfy495bKKm8EdWwHfwkpow84tbmFnRS92DGZe6CGCkcP2o4Wx7yFtoLyixsPkKAf6BgHYWUIaIXjFib+UhaSAVawY3YaMpRWKNtqxewoY\\\/Wf30c31w230NLqnlEGRWwjXrCqZkVVFfwtSMcryaX4U3\\\/t48BoD9KjLwbZRiUUsllmvPIMhQhugbuYi9mY3E\\\/i1IubceGx7Em63xFsAQXX94fP4NBFnXwM+4BudsBi67FBDk1sM1rwFT8pSYmleHabkyTNstxbSdl\\\/FqbhWmV2qGAWbLVZhbJ4e\\\/6hIWt\\\/wNAa2fYEVHCUI7xVjVtw0JdzYh+e5a\\\/OF+PDY9iJRQ+A8xBMD0M\\\/1wSL0Kp+214Oc0wnmvBi772yEQ6+B6UIcp1FMLdXArbIPbgRa47a+HW64UbtkVeOMCNw2P2hY6lBQEUGB+fRUWNV\\\/EMs0pBHcUQ2TMQUxvBuJubMYH\\\/Wvx4b14rB+MHuAtqn6kmXn+a0xOk8IhWwnH3Wrw83RwLjDARdwJQWEXXIuMmHLIiKnU00qoDxngXqyD+4EmuOfJ4LajEr+tUtKpKMdcuRReisvwbziPN5s+xTL1MQTr8hBu2I5o4xa835eCpNuJSOmPxYd3ReB5Vzz8H39nI+yzVXDY3QbHvA445XeCX2CE8wEjXA52Q1DUDdfiHkL0YGpJDyE68XppR\\\/evSg0F7kXqdPd9CuVrBdfhwbCA6wSoxALlZ3hTdQpvNR9BiC4XIkMWAbZide9aJN5MRPKtKA4w4y+DmLS9Gfa72jA5Vw+HvE447qPe3zUcUcghBNl1+M2Wz0us2+dpuefVJk4vr4a3\\\/AJ8FefgX\\\/dnLFaVIaBJjOC2TIRqMxFp2Ij3ehKR0LfaAlhzJxw8t+Iu2GW3YlKOHva5Bkzea7AgHKwIpwKCiDmESzoDxyCx0pppUzM+ufrYW3aWAGexsP4kFisPYplKjCBNBkLb0yDSb0CsIQ7x3VFIui
FCys1Q8FwPGjFxpw52u\\\/SYtNsA+z0cYvJIRKaCwgvgFFaabs2zKZ+\\\/Xm33ln0Kv9ojWKQoxJIGMd5pzECgKg0hmnUIb09GlC4e7xkj8b4xBCl9gWbehGwtJhBg4q4O2OV0EKLDgrB\\\/FrFXD8fQIgovAV90PNWaZ1PejCTfR3aKAIcJcABL6vYgoD6NABsQ0pIIUXsCYvTRNAUR4jt\\\/j0RjQDdv\\\/HYC7NATQm+LYC8Ji9hQBccQAoiOgR95ssCaZ1M+X5UMzK85goW1+6n34S1FKpYrUxHYuA4rGhMQpo6HSBOFWH0IYnXvIt4QIOS9sl2H8dm6URGTrAiHiKNwWnmYDQc\\\/+nS3NW9YeUk\\\/FnpLi+k0FcOfyYWwdieWyrciQLEegfUJHKBJBFFLKCI1QYjTBzKWN76SpTONhbBjJ5HVDIeQQlr9cfCjTrEAMz\\\/qtM3DhXe1uNxbWghf6R4sZHZCyGzF0tqNCJAn4526BAQ1rEKoKhwidQgL4MLZGrdNxxACTxDjR04inQ6n0ENwiihjw6n\\\/RJDTA9a3Dyvf6hy1nzTHvECaToBUAqwjwAd4Wx6HoPpwBDeEm8JUoZutf87VuG3aGELABkE9kb4Z9usq4RhWah0\\\/hXMAdhrl1o+wKaF002Yh85FkCZPMBMhWM2\\\/XrpIEyiPGfjYkxBCLGPcsIptD2KXVw3Hlx6MB4Bx5ctT98PKVqc0nBCw9AjExXUUTKIHT6AA4R5QNOYtODB\\\/rc8p1RWGMa9DBUR5QM7Um3ggEB6EzIPww7YETFP50DzwLAAGojw+5hB8rd1l51OaZTxByKEYQXCwRBBeZCAACjDK5TK2Q2jwaYlLKF3AKP0qhEg4xOgAEAAGoj8Al7DAEoaXUJSAACEBdBAKYCTDGfqBLQY2RiPEZLXCMOEaXgb4J7FfxlwHyrWljVKZWYoOgtlt3jaZwhNuMkSziZwF+fA58bnGTMLOQZxH2SRe4S8GeCZESAlD4iwHMBPiJlY8sbk+YRiIsk6AAuilROBvMhTvTfWIMgIkAP+\\\/\\\/Q0tx06BzgoVwiPHpLZicdBF8uj8400ScKZR95YKp6fcEGCLAS676eZXJnphahhCmJ6fmhKw22P2xge6WX8Lxo6\\\/gmsr88Fpa9cPXU86PecseXjze\\\/wGADjhbeB2rcwAAAABJRU5ErkJggg==\"]}}}],\"totalSuspicious\":0,\"totalMalicious\":0,\"guessedTotal\":0}},\"simpleValues\":{\"sha1String\":{\"totalValues\":1,\"values\":[\"a3c06b947549921d60d59917575df5ee5dfc472a\"]},\"maliciousClassificationType\":{\"totalValues\":1,\"values\":[\"indifferent\"]},\"md5String\":{\"totalValues\":1,\"values\":[\"5ac5ddc4c27ecc203b2ed62bbe8fb8b9\"]},\"productName\":{\"totalValues\":1,\"values\":[\"Microsoft Edge\"]},\"companyName\":{\"totalValues\":1,\"values\":[\"Microsoft 
Corporation\"]}}}],\"totalSuspicious\":0,\"totalMalicious\":0,\"guessedTotal\":0}},\"suspicions\":{\"connectingToBlackListAddressSuspicion\":1710232863248},\"filterData\":{\"sortInGroupValue\":\"\",\"groupByValue\":\"msedge.exe\"},\"isMalicious\":true,\"suspicionCount\":1,\"guidString\":\"7vCmFCPB0XpbELrD\",\"labelsIds\":null,\"malopPriority\":null,\"suspect\":true,\"malicious\":true}, {\"connectingToBlackListAddressSuspicion\":{\"potentialEvidence\":[\"hasBlackListConnectionEvidence\"],\"firstTimestamp\":1710232863248,\"totalSuspicions\":4}}, {\"evidence\":\"map\"}]", "type": [ "info" ] }, "file": { "hash": { "md5": [ "5ac5ddc4c27ecc203b2ed62bbe8fb8b9" ], "sha1": [ "a3c06b947549921d60d59917575df5ee5dfc472a" ] }, "name": [ "msedge.exe" ], "uid": [ "7vCmFKxNAQXpBIkL" ] }, "process": { "command_line": [ "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2744 --field-trial-handle=2328,i,5521555393418764293,4286640738456912470,262144 --variations-seed-version /prefetch:3" ], "parent": { "entity_id": [ "7vCmFMsvYy739EW5" ], "name": [ "msedge.exe" ] }, "real_user": { "id": [ "7vCmFBCi55eyTiwX" ], "name": [ "dim-win10" ] } }, "related": { "hash": [ "5ac5ddc4c27ecc203b2ed62bbe8fb8b9", "a3c06b947549921d60d59917575df5ee5dfc472a" ], "user": [ "7vCmFBCi55eyTiwX", "dim-win10" ] }, "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields" ] }
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
cybereason.suspicions_process.element_values.calculated_user.element_values.element_type | | keyword |
cybereason.suspicions_process.element_values.calculated_user.element_values.guid | | keyword |
cybereason.suspicions_process.element_values.calculated_user.element_values.has_malops | | boolean |
cybereason.suspicions_process.element_values.calculated_user.element_values.has_suspicions | | boolean |
cybereason.suspicions_process.element_values.calculated_user.element_values.name | | keyword |
cybereason.suspicions_process.element_values.calculated_user.element_values.object | | flattened |
cybereason.suspicions_process.element_values.calculated_user.element_values.simple_values | | flattened |
cybereason.suspicions_process.element_values.calculated_user.guessed_total | | long |
cybereason.suspicions_process.element_values.calculated_user.total_malicious | | long |
cybereason.suspicions_process.element_values.calculated_user.total_suspicious | | long |
cybereason.suspicions_process.element_values.calculated_user.total_values | | long |
cybereason.suspicions_process.element_values.children.element_values.element_type | | keyword |
cybereason.suspicions_process.element_values.children.element_values.guid | | keyword |
cybereason.suspicions_process.element_values.children.element_values.has_malops | | boolean |
cybereason.suspicions_process.element_values.children.element_values.has_suspicions | | boolean |
cybereason.suspicions_process.element_values.children.element_values.name | | keyword |
cybereason.suspicions_process.element_values.children.element_values.object | | flattened |
cybereason.suspicions_process.element_values.children.element_values.simple_values | | flattened |
cybereason.suspicions_process.element_values.children.guessed_total | | long |
cybereason.suspicions_process.element_values.children.total_malicious | | long |
cybereason.suspicions_process.element_values.children.total_suspicious | | long |
cybereason.suspicions_process.element_values.children.total_values | | long |
cybereason.suspicions_process.element_values.image_file.element_values.element_type | | keyword |
cybereason.suspicions_process.element_values.image_file.element_values.guid | | keyword |
cybereason.suspicions_process.element_values.image_file.element_values.has_malops | | boolean |
cybereason.suspicions_process.element_values.image_file.element_values.has_suspicions | | boolean |
cybereason.suspicions_process.element_values.image_file.element_values.name | | keyword |
cybereason.suspicions_process.element_values.image_file.element_values.object | | flattened |
cybereason.suspicions_process.element_values.image_file.element_values.simple_values | | flattened |
cybereason.suspicions_process.element_values.image_file.guessed_total | | long |
cybereason.suspicions_process.element_values.image_file.total_malicious | | long |
cybereason.suspicions_process.element_values.image_file.total_suspicious | | long |
cybereason.suspicions_process.element_values.image_file.total_values | | long |
cybereason.suspicions_process.element_values.owner_machine.element_values.element_type | | keyword |
cybereason.suspicions_process.element_values.owner_machine.element_values.guid | | keyword |
cybereason.suspicions_process.element_values.owner_machine.element_values.has_malops | | boolean |
cybereason.suspicions_process.element_values.owner_machine.element_values.has_suspicions | | boolean |
cybereason.suspicions_process.element_values.owner_machine.element_values.name | | keyword |
cybereason.suspicions_process.element_values.owner_machine.element_values.object | | flattened |
cybereason.suspicions_process.element_values.owner_machine.element_values.simple_values | | flattened |
cybereason.suspicions_process.element_values.owner_machine.guessed_total | | long |
cybereason.suspicions_process.element_values.owner_machine.total_malicious | | long |
cybereason.suspicions_process.element_values.owner_machine.total_suspicious | | long |
cybereason.suspicions_process.element_values.owner_machine.total_values | | long |
cybereason.suspicions_process.element_values.parent_process.element_values.element_type | | keyword |
cybereason.suspicions_process.element_values.parent_process.element_values.guid | | keyword |
cybereason.suspicions_process.element_values.parent_process.element_values.has_malops | | boolean |
cybereason.suspicions_process.element_values.parent_process.element_values.has_suspicions | | boolean |
cybereason.suspicions_process.element_values.parent_process.element_values.name | | keyword |
cybereason.suspicions_process.element_values.parent_process.element_values.object | | flattened |
cybereason.suspicions_process.element_values.parent_process.element_values.simple_values | | flattened |
cybereason.suspicions_process.element_values.parent_process.guessed_total | | long |
cybereason.suspicions_process.element_values.parent_process.total_malicious | | long |
cybereason.suspicions_process.element_values.parent_process.total_suspicious | | long |
cybereason.suspicions_process.element_values.parent_process.total_values | | long |
cybereason.suspicions_process.evidence_map | | flattened |
cybereason.suspicions_process.filter_data.group_by_value | | keyword |
cybereason.suspicions_process.filter_data.sort_in_group_value | | keyword |
cybereason.suspicions_process.guid_string | | keyword |
cybereason.suspicions_process.is_malicious | | boolean |
cybereason.suspicions_process.labels_ids | | keyword |
cybereason.suspicions_process.malicious | | boolean |
cybereason.suspicions_process.malop_priority | | keyword |
cybereason.suspicions_process.simple_values.command_line.total_values | | long |
cybereason.suspicions_process.simple_values.command_line.values | | keyword |
cybereason.suspicions_process.simple_values.creation_time.total_values | | long |
cybereason.suspicions_process.simple_values.creation_time.values | | date |
cybereason.suspicions_process.simple_values.element_display_name.total_values | | long |
cybereason.suspicions_process.simple_values.element_display_name.values | | keyword |
cybereason.suspicions_process.simple_values.end_time.total_values | | long |
cybereason.suspicions_process.simple_values.end_time.values | | date |
cybereason.suspicions_process.simple_values.execution_prevented.total_values | | long |
cybereason.suspicions_process.simple_values.execution_prevented.values | | boolean |
cybereason.suspicions_process.simple_values.group.total_values | | long |
cybereason.suspicions_process.simple_values.group.values | | keyword |
cybereason.suspicions_process.simple_values.icon_base64.total_values | | long |
cybereason.suspicions_process.simple_values.icon_base64.values | | keyword |
cybereason.suspicions_process.simple_values.image_file_company_name.total_values | | long |
cybereason.suspicions_process.simple_values.image_file_company_name.values | | keyword |
cybereason.suspicions_process.simple_values.image_file_hash_icon_base64.total_values | | long |
cybereason.suspicions_process.simple_values.image_file_hash_icon_base64.values | | keyword |
cybereason.suspicions_process.simple_values.image_file_malicious_classification_type.total_values | | long |
cybereason.suspicions_process.simple_values.image_file_malicious_classification_type.values | | keyword |
cybereason.suspicions_process.simple_values.image_file_md5_string.total_values | | long |
cybereason.suspicions_process.simple_values.image_file_md5_string.values | | keyword |
cybereason.suspicions_process.simple_values.image_file_product_name.total_values | | long |
cybereason.suspicions_process.simple_values.image_file_product_name.values | | keyword |
cybereason.suspicions_process.simple_values.image_file_sha1_string.total_values | | long |
cybereason.suspicions_process.simple_values.image_file_sha1_string.values | | keyword |
cybereason.suspicions_process.simple_values.is_image_file_signed_and_verified.total_values | | long |
cybereason.suspicions_process.simple_values.is_image_file_signed_and_verified.values | | boolean |
cybereason.suspicions_process.simple_values.is_white_list_classification.total_values | | long |
cybereason.suspicions_process.simple_values.is_white_list_classification.values | | boolean |
cybereason.suspicions_process.simple_values.product_type.total_values | | long |
cybereason.suspicions_process.simple_values.product_type.values | | keyword |
cybereason.suspicions_process.simple_values.ransomware_auto_remediation_suspended.total_values | | long |
cybereason.suspicions_process.simple_values.ransomware_auto_remediation_suspended.values | | boolean |
cybereason.suspicions_process.suspect | | boolean |
cybereason.suspicions_process.suspicion_count | | long |
cybereason.suspicions_process.suspicions | | flattened |
cybereason.suspicions_process.suspicions_map | | flattened |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset. | constant_keyword |
event.module | Event module. | constant_keyword |
input.type | Type of Filebeat input. | keyword |
log.offset | Log offset. | long |
Changelog
Version | Details | Kibana version(s) |
---|---|---|
1.1.0 | Enhancement (View pull request) | 8.13.0 or later |
1.0.0 | Enhancement (View pull request) | 8.13.0 or later |
0.3.0 | Enhancement (View pull request) | — |
0.2.0 | Enhancement (View pull request) | — |
0.1.0 | Enhancement (View pull request) | — |