Comments (1)
Here's an example of a Windows "Process Create" Sysmon event that came via QRadar. There is no network traffic being reported here, but the IP address of the event sender (presumably) is used as both source and destination. There shouldn't be any network-traffic object here at all; I think it's OK to have an ipv4-addr object with the IP address in it, which could be useful in determining on which host the process was created.
{
  "_id": "94fd04a6489cb0e7cbcef95f4091f86c",
  "_rev": "1-8b52f83bb208e0c24deabd0eb752b5a5",
  "id": "observed-data--439c662d-5ddd-453f-afe4-1d00faf87531",
  "type": "observed-data",
  "created_by_ref": "identity--9e95844b-71bc-4ff6-832a-5a16aef3a713",
  "created": "2019-10-16T17:19:31.981Z",
  "modified": "2019-10-16T17:19:31.981Z",
  "objects": {
    "0": {
      "type": "ipv4-addr",
      "value": "192.168.0.90",
      "resolves_to_refs": "2"
    },
    "1": {
      "type": "network-traffic",
      "src_ref": "0",
      "src_port": 0,
      "dst_ref": "3",
      "dst_port": 0,
      "protocols": [
        "reserved"
      ]
    },
    "2": {
      "type": "mac-addr",
      "value": "00:00:00:00:00:00"
    },
    "3": {
      "type": "ipv4-addr",
      "value": "192.168.0.90",
      "resolves_to_refs": "4"
    },
    "4": {
      "type": "mac-addr",
      "value": "00:00:00:00:00:00"
    },
    "5": {
      "type": "user-account",
      "user_id": "WinServer\\admin"
    },
    "6": {
      "type": "artifact",
      "payload_bin": "PDE4Mj5PY3QgMTQgMTk6NTc6NTkgMTkyLjE2OC4wLjkwIDwxMz5PY3QgMDMgMTQ6NTM6MzUgV2lu\nU2VydmVyIEFnZW50RGV2aWNlPVdpbmRvd3NMb2cJQWdlbnRMb2dGaWxlPU1pY3Jvc29mdC1XaW5k\nb3dzLVN5c21vbi9PcGVyYXRpb25hbAlQbHVnaW5WZXJzaW9uPTcuMi44LjE0NQlTb3VyY2U9TWlj\ncm9zb2Z0LVdpbmRvd3MtU3lzbW9uCUNvbXB1dGVyPVdpblNlcnZlcglPcmlnaW5hdGluZ0NvbXB1\ndGVyPVdpblNlcnZlcglVc2VyPVNZU1RFTQlEb21haW49TlQgQVVUSE9SSVRZCUV2ZW50SUQ9MQlF\ndmVudElEQ29kZT0xCUV2ZW50VHlwZT00CUV2ZW50Q2F0ZWdvcnk9MQlSZWNvcmROdW1iZXI9OTQy\nMTQJVGltZUdlbmVyYXRlZD0xNTcwMTEwODEzCVRpbWVXcml0dGVuPTE1NzAxMTA4MTMJTGV2ZWw9\nSW5mb3JtYXRpb25hbAlLZXl3b3Jkcz0weDgwMDAwMDAwMDAwMDAwMDAJVGFzaz1TeXNtb25UYXNr\nLVNZU01PTl9DUkVBVEVfUFJPQ0VTUwlPcGNvZGU9SW5mbwlNZXNzYWdlPVByb2Nlc3MgQ3JlYXRl\nOiBSdWxlTmFtZTogIFV0Y1RpbWU6IDIwMTktMTAtMDMgMTM6NTM6MzMuNTM4IFByb2Nlc3NHdWlk\nOiB7MUMyRDNGNTQtRkQ1RC01RDk1LTAwMDAtMDAxMEEwMkUwQzAwfSBQcm9jZXNzSWQ6IDc1NyBJ\nbWFnZTogQzpcUHJvZ3JhbSBGaWxlc1xBdGxhc3NpYW5cQ29uZmx1ZW5jZVxjNjQuZXhlIENvbW1h\nbmRMaW5lOiBjNjQuZXhlIGY2NC5kYXRhICI5ODM5RDdGMUEwIC1tIiBDdXJyZW50RGlyZWN0b3J5\nOiBDOlxXaW5kb3dzXCBVc2VyOiBXaW5TZXJ2ZXJcYWRtaW4gTG9nb25HdWlkOiB7MUMyRDNGNTQt\nRjczNS01RDk1LTAwMDAtMDAyMDk0NkQwNDAwfSBMb2dvbklkOiAweDQ2ZDk0IFRlcm1pbmFsU2Vz\nc2lvbklkOiAxIEludGVncml0eUxldmVsOiBIaWdoIEhhc2hlczogU0hBMT01YmY2Yzk4YTUyZTgw\nODI0ZDFhMjM0YmQ1ZTY3M2VkYjc1YzdkZGE5LE1ENT04NDZjZGI5MjE4NDFhYzY3MWM4NjM1MGQ0\nOTRhYmY5YyxTSEEyNTY9ZGM1MmJkZjVlM2Y3MWZiOWFiM2IxNzMwZDQ0NTI4N2QxNmQzYTNjOA=="
    },
    "7": {
      "type": "file",
      "hashes": {
        "SHA-1": "5bf6c98a52e80824d1a234bd5e673edb75c7dda9",
        "MD5": "846cdb921841ac671c86350d494abf9c",
        "SHA-256": "dc52bdf5e3f71fb9ab3b1730d445287d16d3a3c8"
      },
      "name": "c64.exe",
      "parent_directory_ref": "9"
    },
    "8": {
      "type": "process",
      "name": "c64.exe",
      "binary_ref": "7",
      "command_line": "c64.exe f64.data \"9839D7F1A0 -m\"",
      "pid": 757
    },
    "9": {
      "type": "directory",
      "path": "C:\\Program Files\\Atlassian\\Confluence\\c64.exe"
    }
  },
  "x_com_ibm_ariel": {
    "devicetype": 12,
    "qid_name": "Process Create",
    "qid": 5001828,
    "category_name": "Create Activity Succeeded ",
    "category_id": 19012,
    "log_source_id": 1912,
    "log_source_name": "Sysmon @ 192.168.0.90",
    "identity_ip": "0.0.0.0",
    "utf8_payload": "<182>Oct 14 19:57:59 192.168.0.90 <13>Oct 03 14:53:35 WinServer AgentDevice=WindowsLog\tAgentLogFile=Microsoft-Windows-Sysmon/Operational\tPluginVersion=7.2.8.145\tSource=Microsoft-Windows-Sysmon\tComputer=WinServer\tOriginatingComputer=WinServer\tUser=SYSTEM\tDomain=NT AUTHORITY\tEventID=1\tEventIDCode=1\tEventType=4\tEventCategory=1\tRecordNumber=94214\tTimeGenerated=1570110813\tTimeWritten=1570110813\tLevel=Informational\tKeywords=0x8000000000000000\tTask=SysmonTask-SYSMON_CREATE_PROCESS\tOpcode=Info\tMessage=Process Create: RuleName: UtcTime: 2019-10-03 13:53:33.538 ProcessGuid: {1C2D3F54-FD5D-5D95-0000-0010A02E0C00} ProcessId: 757 Image: C:\\Program Files\\Atlassian\\Confluence\\c64.exe CommandLine: c64.exe f64.data \"9839D7F1A0 -m\" CurrentDirectory: C:\\Windows\\ User: WinServer\\admin LogonGuid: {1C2D3F54-F735-5D95-0000-0020946D0400} LogonId: 0x46d94 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=5bf6c98a52e80824d1a234bd5e673edb75c7dda9,MD5=846cdb921841ac671c86350d494abf9c,SHA256=dc52bdf5e3f71fb9ab3b1730d445287d16d3a3c8",
    "magnitude": 2
  },
  "first_observed": "2019-10-14T23:58:00.151Z",
  "last_observed": "2019-10-14T23:58:00.151Z",
  "number_observed": 1
}
from stix-shifter.
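One way to catch this kind of translation output before it reaches an analyst, as an added example that is not part of the original issue or the stix-shifter project: a small linter over the observed-data `objects` map that flags a network-traffic object whose src and dst resolve to the same address with port 0 and protocol "reserved" (i.e. synthesized from a host-only event), the all-zero mac-addr placeholders, and a `resolves_to_refs` given as a string rather than the list STIX requires, plus a helper that drops the spurious objects while keeping the ipv4-addr of the host. The sample map is constructed from the object indices and values in the comment above; the function names are my own.

```python
# Constructed sample: the relevant entries of the "objects" map from the
# stix-shifter observed-data above (indices and values as on the page).
SAMPLE = {
    "0": {"type": "ipv4-addr", "value": "192.168.0.90", "resolves_to_refs": "2"},
    "1": {"type": "network-traffic", "src_ref": "0", "src_port": 0,
          "dst_ref": "3", "dst_port": 0, "protocols": ["reserved"]},
    "2": {"type": "mac-addr", "value": "00:00:00:00:00:00"},
    "3": {"type": "ipv4-addr", "value": "192.168.0.90", "resolves_to_refs": "4"},
    "4": {"type": "mac-addr", "value": "00:00:00:00:00:00"},
    "8": {"type": "process", "name": "c64.exe", "pid": 757},
}

ZERO_MAC = "00:00:00:00:00:00"


def lint_objects(objects):
    """Return (index, code, message) findings for an observed-data 'objects' map."""
    findings = []
    for idx, obj in objects.items():
        kind = obj.get("type")
        if kind == "network-traffic":
            src = objects.get(obj.get("src_ref"), {}).get("value")
            dst = objects.get(obj.get("dst_ref"), {}).get("value")
            # Port 0 on both ends plus protocol "reserved" means no real flow was seen.
            filler = (obj.get("src_port") == 0 and obj.get("dst_port") == 0
                      and obj.get("protocols") == ["reserved"])
            if src is not None and src == dst and filler:
                findings.append((idx, "spurious-traffic",
                                 f"src and dst are both {src}; no network flow in the event"))
        elif kind == "mac-addr" and obj.get("value") == ZERO_MAC:
            findings.append((idx, "placeholder-mac", "all-zero mac-addr placeholder"))
        elif kind == "ipv4-addr" and "resolves_to_refs" in obj:
            if not isinstance(obj["resolves_to_refs"], list):  # STIX: list of refs
                findings.append((idx, "refs-not-list", "resolves_to_refs must be a list"))
    return findings


def strip_spurious(objects):
    """Copy of the map without flagged traffic/mac objects; dangling refs are dropped
    and any surviving resolves_to_refs is normalized to a list."""
    bad = {idx for idx, code, _ in lint_objects(objects)
           if code in ("spurious-traffic", "placeholder-mac")}
    kept = {}
    for idx, obj in objects.items():
        if idx in bad:
            continue
        obj = dict(obj)
        refs = obj.pop("resolves_to_refs", None)
        if refs is not None:
            refs = [r for r in (refs if isinstance(refs, list) else [refs]) if r not in bad]
            if refs:
                obj["resolves_to_refs"] = refs
        kept[idx] = obj
    return kept
```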