# Cisco Secure Workload
## About
Today's networks run applications in hybrid multicloud environments made up of bare-metal, virtualized, cloud-based and container-based workloads. A key challenge is securing those applications and their data without compromising agility. Cisco Secure Workload (formerly known as Cisco Tetration) addresses this by providing comprehensive workload protection: it brings security closer to the application and tailors the security posture to the application's observed behavior, using machine learning and behavior analysis techniques.
## Product Details
Vendor URL: Cisco Secure Workload
Product Type: Application Security
Product Tier: Tier III
Integration Method: Syslog
Integration URL: Cisco Secure Workload
Log Guide: Cisco Secure Workload
## Parser Details
Log Format: Syslog
Expected Normalization Rate: near 99%
Data Label: CISCO_SECURE_WORKLOAD
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| Cisco | metadata.vendor_name |
| Secure Workload | metadata.product_name |
| GENERIC_EVENT | metadata.event_type |
| keyId | metadata.product_log_id |
| type | metadata.product_event_type |
| rule.name | metadata.description |
| observer | intermediary.hostname |
| details.HostName | principal.hostname |
| details.HostName | principal.asset.hostname |
| details.IP | principal.ip |
| forensic.Follow Process - Parent Command Line | principal.process.parent_process.command_line |
| forensic.Process Info - Command String | principal.process.command_line |
| forensic.Follow Process - Username | principal.user.userid |
| details.Platform | principal.platform_version |
| severity | security_result.severity |
| alertText | security_result.description |
## Product Event Types

| Description | metadata.event_type |
|---|---|
| All Events | GENERIC_EVENT |
## Log Sample

```
<3>2022-10-25T20:46:25Z computername Tetration Alert[18]: [ERR] {"keyId":"3717502e9a1c5ce71e7cd2aac33f67f66dc57578:5fd121ea497d4f089251ec60:5fd121ee497d4f1a154c6bc5:1592:FOLLOW_PROCESS", "eventTime": "1666730615930", "alertTime": "1666730740505", "alertText": "T1003 - Credential Dumping - Registry on HOSTNAME", "severity": "HIGH", "tenantId": "7003","type": "FORENSICS","alertDetails": "{"Sensor Id":"3717502e9a1c5ce71e7cd2aac33f67f66dc57578","Hostname":"HOSTNAME","Process Id":1592,"scope_id":"5fd121ea497d4f089251ec60","forensic":{"Process Info - Command String":"C:\Windows\system32\reg.exe export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall "C:\Program Files (x86)\UEMS_Agent\logs\uninstall.reg"","Process Info - Exec Path":"C:\Windows\System32\reg.exe","Follow Process":"true","Follow Process - Parent Username":"DOMAIN\HOSTNAME$","Follow Process - Parent Command Line":"C:\Windows\system32\cmd.exe /C C:\Windows\system32\reg.exe export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall "C:\Program Files (x86)\UEMS_Agent\logs\uninstall.reg"","Follow Process - Parent Exec Path":"C:\Windows\System32\cmd.exe","Follow Process - Username":"DOMAIN\HOSTNAME$","Follow Process - Process Start Time Since Last File Changed (microseconds)":"129735050698057"},"profile":{"id":"5fd121ee497d4f1a154c6bcf","name":"MITRE ATTu0026CK Profile","created_at":1607541230,"updated_at":1607541230,"root_app_scope_id":"5fd121ea497d4f089251ec60"},"rule":{"id":"5fd121ee497d4f1a154c6bc5","name":"T1003 - Credential Dumping - Registry","clause_chips":"[{"type":"filter","facet":{"field":"event_type","title":"Event type","type":"STRING"},"operator":{"label":"u003d","type":"eq"},"displayValue":"Follow Process","value":"Follow Process"},{"type":"operator","value":"and"},{"type":"filter","facet":{"field":"forensic_event__process_info__exec_path","title":"Process Info - Exec Path","type":"STRING"},"operator":{"label":"contains","type":"contains"},"displayValue":"reg.exe","value":"reg.exe"},{"type":"operator","value":"and"},{"type":"(","value":"("},{"type":"(","value":"("},{"type":"filter","facet":{"field":"forensic_event__process_info__command_string","title":"Process Info - Command String","type":"STRING"},"operator":{"label":"contains","type":"contains"},"displayValue":"save","value":"save"},{"type":"operator","value":"or"},{"type":"filter","facet":{"field":"forensic_event__process_info__command_string","title":"Process Info - Command String","type":"STRING"},"operator":{"label":"contains","type":"contains"},"displayValue":"export","value":"export"},{"type":")","value":")"},{"type":"operator","value":"and"},{"type":"(","value":"("},{"type":"filter","facet":{"field":"forensic_event__process_info__command_string","title":"Process Info - Command String","type":"STRING"},"operator":{"label":"contains","type":"contains"},"displayValue":"hklm","value":"hklm"},{"type":"operator","value":"or"},{"type":"filter","facet":{"field":"forensic_event__process_info__command_string","title":"Process Info - Command String","type":"STRING"},"operator":{"label":"contains","type":"contains"},"displayValue":"hkey_local_machine","value":"hkey_local_machine"},{"type":")","value":")"},{"type":"operator","value":"and"},{"type":"(","value":"("},{"type":"filter","facet":{"field":"forensic_event__process_info__command_string","title":"Process Info - Command String","type":"STRING"},"operator":{"label":"contains","type":"contains"},"displayValue":"sam","value":"sam"},{"type":"operator","value":"or"},{"type":"filter","facet":{"field":"forensic_event__process_info__command_string","title":"Process Info - Command String","type":"STRING"},"operator":{"label":"contains","type":"contains"},"displayValue":"security","value":"security"},{"type":"operator","value":"or"},{"type":"filter","facet":{"field":"forensic_event__process_info__command_string","title":"Process Info - Command String","type":"STRING"},"operator":{"label":"contains","type":"contains"},"displayValue":"system","value":"system"},{"type":")","value":")"},{"type":")","value":")"}]","created_at":1607541230,"updated_at":1607541230,"root_app_scope_id":"5fd121ea497d4f089251ec60"}}","rootScopeId": "5fd121ea497d4f089251ec60"}
```
## Sample Parsing

```
metadata.product_log_id = "3717502e9a1c5ce71e7cd2aac33f67f66dc57578:5fd121ea497d4f089251ec60:5fd121ee497d4f1a154c6bc5:1592:FOLLOW_PROCESS"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Cisco"
metadata.product_name = "Secure Workload"
metadata.description = "T1003 - Credential Dumping - Registry"
principal.hostname = "HOSTNAME"
principal.user.userid = "DOMAIN\HOSTNAME$"
principal.process.command_line = "C:\Windows\system32\reg.exe export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall "C:\Program Files (x86)\UEMS_Agent\logs\uninstall.reg""
principal.process.parent_process.command_line = "C:\Windows\system32\cmd.exe /C C:\Windows\system32\reg.exe export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall "C:\Program Files (x86)\UEMS_Agent\logs\uninstall.reg""
principal.asset.hostname = "HOSTNAME"
intermediary.hostname = "computername"
security_result.description = "T1003 - Credential Dumping - Registry on HOSTNAME"
security_result.severity = "HIGH"
```
## Parser Alerting

This product currently does not have any parser-based alerting.
## Rules
Coming Soon