Attivo

About

The Attivo Networks ThreatDefend® platform provides a customer-proven solution for preventing identity privilege escalation and detecting attacker lateral movement.

Product Details

Vendor URL: Attivo

Product Type: SIEM

Product Tier: Tier I

Integration Method: Syslog

Parser Details

Log Format: CEF & JSON

Expected Normalization Rate: 95%

Data Label: ATTIVO

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field        UDM Field
alertID               security_result.rule_id
application           security_result.description
assessmentId          security_result.threat_id
attacker_ip           output.additional.fields
cat                   security_result.rule_type
category              security_result.category_details
dvc                   observer.hostname
mitreTechniqueId      output.additional.fields
mitreTechniqueName    output.additional.fields
msg                   security_result.summary
product               metadata.product_name
product_event         metadata.product_event_type
product_id            metadata.product_log_id
service               extensions.auth.auth_details
shostname             principal.hostname
smac                  principal.mac
source_device_name    observer.ip
src                   principal.ip
subscriberName        security_result.threat_feed_name
suser                 principal.user.userid
vendor                metadata.vendor_name
version               metadata.product_version

Product Event Types

Event                 UDM Event Classification
General               GENERIC_EVENT

Log Sample

Mar 27 10:49:07 10.10.10.10  CEF:0|Attivo|BOTsink|5.5.1.66|1234567|Browser User Data Enumeration Detected|Medium|msg=Browser User Data Enumeration Detected ( Category\="Windows Credential Vault", Application\="Credential Vault files", Attacker IP\=10.140.0.0 ) mitreTechniqueName=Unsecured Credentials rt=1234567891234 mitreTacticName=Credential Access src=10.140.0.0 mitreTechniqueId=T1552 smac=mac source_device_name=10.140.0.00 dvc=10.140.0.00 suser=hostname/s; service=SYSTEM cat=Access subscriberName= shostname=hostname alertID=4581071216714363103 assessmentId=

Sample Parsing

additional.fields["attacker_ip"] = "10.140.0.00"
additional.fields["mitreTacticName"] = "Credential Access"
additional.fields["mitreTechniqueId"] = "T1552"
additional.fields["mitreTechniqueName"] = "Unsecured Credentials"
extensions.auth.auth_details = "SYSTEM"
metadata.description = "Browser User Data Enumeration Detected"
metadata.event_timestamp.seconds = 1686677985
metadata.event_timestamp.nanos = 610023000
metadata.log_type = "ATTIVO"
metadata.product_log_id = "1234567"
metadata.product_name = "BOTsink"
metadata.product_version = "5.5.1.95"
metadata.vendor_name = "Attivo"
observer.hostname = "10.10.10.10"
observer.ip = "10.10.10.10"
principal.asset.hostname = "hostname"
principal.asset.ip = "10.140.0.0"
principal.asset.mac = "mac"
principal.asset.network_domain = "hostname"
principal.asset.type = "SERVER"
principal.hostname = "hostname"
principal.ip = "10.140.0.0"
principal.mac = "mac"
principal.user.userid = "hostname/s"
security_result.category_details = "Windows Credential Vault"
security_result.rule_type = "Access"
security_result.severity_details = "Credential Vault files"
security_result.summary = "Browser User Data Enumeration Detected"
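The field table and the Log Sample above give the mapping but not the parsing mechanics: the CEF header is split on unescaped pipes, the extension is walked as key=value pairs whose values may contain spaces, and the msg text carries its own Category/Application/Attacker IP details with `\=` escapes that must not be mistaken for key boundaries. The following Python is an added example, not the vendor's or the platform's parser code; it applies the UDM mapping from the table to the page's sample line (embedded as a constructed copy). Assumptions not stated on the page: rt is epoch milliseconds, the CEF Name header goes to metadata.description (as the Sample Parsing section shows), empty values such as subscriberName= and assessmentId= are not emitted, the trailing ';' on suser is dropped, and flat dotted keys stand in for the UDM object.

```python
import re

# Constructed copy of the page's Log Sample line, embedded so the example runs
# offline (raw string, so the CEF escapes '\=' reach the parser intact).
SAMPLE_LINE = (
    r'Mar 27 10:49:07 10.10.10.10  CEF:0|Attivo|BOTsink|5.5.1.66|1234567|'
    r'Browser User Data Enumeration Detected|Medium|'
    r'msg=Browser User Data Enumeration Detected ( Category\="Windows Credential Vault", '
    r'Application\="Credential Vault files", Attacker IP\=10.140.0.0 ) '
    r'mitreTechniqueName=Unsecured Credentials rt=1234567891234 '
    r'mitreTacticName=Credential Access src=10.140.0.0 mitreTechniqueId=T1552 '
    r'smac=mac source_device_name=10.140.0.00 dvc=10.140.0.00 suser=hostname/s; '
    r'service=SYSTEM cat=Access subscriberName= shostname=hostname '
    r'alertID=4581071216714363103 assessmentId='
)

# CEF header (CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|ext)
# mapped per the page's table; Name -> metadata.description is an assumption
# taken from the page's Sample Parsing section.
HEADER_MAP = {
    'vendor': 'metadata.vendor_name',
    'product': 'metadata.product_name',
    'version': 'metadata.product_version',
    'signature_id': 'metadata.product_log_id',
    'name': 'metadata.description',
}
# Extension keys mapped per the page's table.
EXT_MAP = {
    'alertID': 'security_result.rule_id',
    'assessmentId': 'security_result.threat_id',
    'cat': 'security_result.rule_type',
    'dvc': 'observer.hostname',
    'service': 'extensions.auth.auth_details',
    'shostname': 'principal.hostname',
    'smac': 'principal.mac',
    'source_device_name': 'observer.ip',
    'src': 'principal.ip',
    'subscriberName': 'security_result.threat_feed_name',
    'suser': 'principal.user.userid',
}
# Keys the table routes to additional.fields.
ADDITIONAL_KEYS = {'mitreTechniqueId', 'mitreTechniqueName', 'mitreTacticName'}
# Name=Value pairs inside the msg parenthetical, mapped per the page's table.
DETAIL_MAP = {
    'Category': 'security_result.category_details',
    'Application': 'security_result.description',
    'Attacker IP': 'additional.fields["attacker_ip"]',
}

# A key is a run of [A-Za-z0-9_] at the start of the extension or after
# whitespace, followed directly by '='. The escaped '\=' inside msg is preceded
# by a backslash, so it never qualifies as a key boundary.
KEY_RE = re.compile(r'(?:^|(?<=\s))([A-Za-z0-9_]+)=')
MSG_RE = re.compile(r'^(?P<summary>.*?)\s*\((?P<detail>.*)\)\s*$')
DETAIL_RE = re.compile(r'([A-Za-z][A-Za-z ]*?)=("[^"]*"|[^,]*)')


def unescape(value):
    # Undo the CEF escapes \\, \= and \|.
    return re.sub(r'\\([\\=|])', r'\1', value)


def split_header(cef):
    # Split on unescaped pipes only; the eighth part is the whole extension.
    parts = re.split(r'(?<!\\)\|', cef, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith('CEF:'):
        raise ValueError('not a CEF record')
    names = ('cef_version', 'vendor', 'product', 'version',
             'signature_id', 'name', 'severity')
    return {n: unescape(p) for n, p in zip(names, parts[:7])}, parts[7]


def parse_extension(ext):
    # Each value runs from its '=' up to the next key boundary.
    fields = {}
    keys = list(KEY_RE.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = unescape(ext[m.end():end].strip())
    return fields


def parse_msg(msg):
    # 'Summary ( Name="value", Name=value )' -> summary text plus a detail dict.
    m = MSG_RE.match(msg)
    if not m:
        return msg, {}
    details = {k.strip(): v.strip().strip('"')
               for k, v in DETAIL_RE.findall(m.group('detail'))}
    return m.group('summary'), details


def to_udm(line):
    # Flat dotted paths stand in for the UDM object; empty values are skipped,
    # matching the page's Sample Parsing (subscriberName=, assessmentId=).
    header, ext = split_header(line[line.index('CEF:'):])
    udm = {'metadata.log_type': 'ATTIVO'}
    for name, path in HEADER_MAP.items():
        if header[name]:
            udm[path] = header[name]
    for key, value in parse_extension(ext).items():
        if not value:
            continue
        if key == 'msg':
            summary, details = parse_msg(value)
            udm['security_result.summary'] = summary
            for dkey, dval in details.items():
                if dkey in DETAIL_MAP:
                    udm[DETAIL_MAP[dkey]] = dval
        elif key == 'rt':
            ms = int(value)  # assumption: epoch milliseconds (CEF convention)
            udm['metadata.event_timestamp.seconds'] = ms // 1000
            udm['metadata.event_timestamp.nanos'] = (ms % 1000) * 1_000_000
        elif key in ADDITIONAL_KEYS:
            udm[f'additional.fields["{key}"]'] = value
        elif key in EXT_MAP:
            # The sample's suser carries a trailing ';' that Sample Parsing drops.
            udm[EXT_MAP[key]] = value.rstrip(';') if key == 'suser' else value
    return udm


if __name__ == '__main__':
    for path, value in sorted(to_udm(SAMPLE_LINE).items()):
        print(f'{path} = {value!r}')
```

Running the block prints one line per UDM path for the sample. The two points worth carrying into any real parser are the key-boundary rule (a key must be preceded by whitespace and followed by an unescaped '='), which is what keeps `Category\="Windows Credential Vault"` inside msg rather than splitting it into a bogus key, and the decision to drop empty extension values rather than emit empty threat_feed_name or threat_id fields.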