Attivo¶
About¶
The Attivo Networks ThreatDefend® platform provides a customer-proven solution for preventing identity privilege escalation and attacker lateral movement detection.
Product Details¶
Vendor URL: Attivo
Product Type: SIEM
Product Tier: Tier I
Integration Method: Syslog
Parser Details¶
Log Format: CEF & JSON
Expected Normalization Rate: 95%
Data Label: ATTIVO
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
alertID | security_result.rule_id |
application | security_result.description |
assessmentId | security_result.threat_id |
attacker_ip | output.additional.fields |
cat | security_result.rule_type |
category | security_result.category_details |
dvc | observer.hostname |
mitreTechniqueId | output.additional.fields |
mitreTechniqueName | output.additional.fields |
msg | security_result.summary |
product | metadata.product_name |
product_event | metadata.product_event_type |
product_id | metadata.product_log_id |
service | extensions.auth.auth_details |
shostname | principal.hostname |
smac | principal.mac |
source_device_name | observer.ip |
src | principal.ip |
subscriberName | security_result.threat_feed_name |
suser | principal.user.userid |
vendor | metadata.vendor_name |
version | metadata.product_version |
Product Event Types¶
Event | UDM Event Classification |
---|---|
General | GENERIC_EVENT |
Log Sample¶
Mar 27 10:49:07 10.10.10.10 CEF:0|Attivo|BOTsink|5.5.1.66|1234567|Browser User Data Enumeration Detected|Medium|msg=Browser User Data Enumeration Detected ( Category\="Windows Credential Vault", Application\="Credential Vault files", Attacker IP\=10.140.0.0 ) mitreTechniqueName=Unsecured Credentials rt=1234567891234 mitreTacticName=Credential Access src=10.140.0.0 mitreTechniqueId=T1552 smac=mac source_device_name=10.140.0.00 dvc=10.140.0.00 suser=hostname/s; service=SYSTEM cat=Access subscriberName= shostname=hostname alertID=4581071216714363103 assessmentId=
Sample Parsing¶
additional.fields["attacker_ip"] = "10.140.0.00"
additional.fields["mitreTacticName"] = "Credential Access"
additional.fields["mitreTechniqueId"] = "T1552"
additional.fields["mitreTechniqueName"] = "Unsecured Credentials"
extensions.auth.auth_details = "SYSTEM"
metadata.description = "Browser User Data Enumeration Detected"
metadata.event_timestamp.seconds = 1686677985
metadata.event_timestamp.nanos = 610023000
metadata.log_type = "ATTIVO"
metadata.product_log_id = "1234567"
metadata.product_name = "BOTsink"
metadata.product_version = "5.5.1.95"
metadata.vendor_name = "Attivo"
observer.hostname = "10.10.10.10"
observer.ip = "10.10.10.10"
principal.asset.hostname = "hostname"
principal.asset.ip = "10.140.0.0"
principal.asset.mac = "mac"
principal.asset.network_domain = "hostname"
principal.asset.type = "SERVER"
principal.hostname = "hostname"
principal.ip = "10.140.0.0"
principal.mac = "mac"
principal.user.userid = "hostname/s"
security_result.category_details = "Windows Credential Vault"
security_result.rule_type = "Access"
security_result.severity_details = "Credential Vault files"
security_result.summary = "Browser User Data Enumeration Detected"