-
Notifications
You must be signed in to change notification settings - Fork 28
/
test_threat_02.json
92 lines (92 loc) · 3.69 KB
/
test_threat_02.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
{
"input": {
"message": "1,2024/08/12 15:57:12,012345678910,THREAT,vulnerability,2561,2024/08/12 15:57:04,1.2.3.4,5.6.7.8,1.2.3.4,5.6.7.8,Access_Portal-GW_GP,,,web-browsing,vsys1,INTERNET,INTERNET,ethernet1/3.302,ethernet1/3.302,default,2024/08/12 15:57:04,113535,1,56731,443,56731,20077,0x81402000,tcp,reset-both,\"login.esp\",Palo Alto Networks GlobalProtect OS Command Injection Vulnerability(95187),business-and-economy,critical,client-to-server,7334683348721844974,0x8000000000000000,United States,France,,,1210223766892439373,,,1,,,,,,,,0,320,90,0,0,,site1-FW01,,,,,0,,0,,N/A,code-execution,AppThreat-8879-8900,0x0,0,4294967295,,,abcdefgh-1234-5678-abcd-01234567890,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-08-12T15:57:04.614+02:00,,,,internet-utility,general-internet,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,web-browsing,no,no,",
"sekoiaio": {
"intake": {
"dialect": "Palo Alto NGFW",
"dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd"
}
}
},
"expected": {
"message": "1,2024/08/12 15:57:12,012345678910,THREAT,vulnerability,2561,2024/08/12 15:57:04,1.2.3.4,5.6.7.8,1.2.3.4,5.6.7.8,Access_Portal-GW_GP,,,web-browsing,vsys1,INTERNET,INTERNET,ethernet1/3.302,ethernet1/3.302,default,2024/08/12 15:57:04,113535,1,56731,443,56731,20077,0x81402000,tcp,reset-both,\"login.esp\",Palo Alto Networks GlobalProtect OS Command Injection Vulnerability(95187),business-and-economy,critical,client-to-server,7334683348721844974,0x8000000000000000,United States,France,,,1210223766892439373,,,1,,,,,,,,0,320,90,0,0,,site1-FW01,,,,,0,,0,,N/A,code-execution,AppThreat-8879-8900,0x0,0,4294967295,,,abcdefgh-1234-5678-abcd-01234567890,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-08-12T15:57:04.614+02:00,,,,internet-utility,general-internet,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,web-browsing,no,no,",
"event": {
"action": "reset-both",
"category": [
"vulnerability"
],
"code": "95187",
"dataset": "threat",
"outcome": "success",
"reason": "Palo Alto Networks GlobalProtect OS Command Injection Vulnerability",
"type": [
"info"
]
},
"@timestamp": "2024-08-12T13:57:04.614000Z",
"action": {
"name": "reset-both",
"outcome": "success",
"type": "vulnerability"
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"nat": {
"ip": "5.6.7.8",
"port": 20077
},
"port": 443
},
"file": {
"name": "login.esp",
"path": "login.esp"
},
"log": {
"hostname": "site1-FW01",
"level": "critical",
"logger": "threat"
},
"network": {
"application": "web-browsing",
"transport": "tcp"
},
"observer": {
"name": "site1-FW01",
"product": "PAN-OS",
"serial_number": "012345678910"
},
"paloalto": {
"DGHierarchyLevel1": "320",
"DGHierarchyLevel2": "90",
"DGHierarchyLevel3": "0",
"DGHierarchyLevel4": "0",
"Threat_ContentType": "vulnerability",
"VirtualLocation": "vsys1",
"threat": {
"id": "95187",
"name": "Palo Alto Networks GlobalProtect OS Command Injection Vulnerability",
"type": "custom threat"
}
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
]
},
"rule": {
"name": "Access_Portal-GW_GP",
"uuid": "abcdefgh-1234-5678-abcd-01234567890"
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"nat": {
"ip": "1.2.3.4",
"port": 56731
},
"port": 56731
}
}
}