CryptoSpike¶
About¶
Cleafy helps banks and payment providers deliver the smoothest and safest online experience to their customers. With our technology and industry-leading threat intelligence, you can stay ahead of any threat and focus on what matters most. Our technology keeps all your digital services secure from the most ingenious cyber-threats. From social engineering on your customers’ accounts to automated attacks at API level.
Product Details¶
Vendor URL: Cleafy
Product Type: Security
Product Tier: Tier III
Integration Method: Webhook
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 100%
Data Label: CLEAFY
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| application_hostname | target.application |
| browser_id | intermediary.asset.labels |
| configured_application_point_id | target.asset.labels |
| dangerous_events_ids | security_result.detection_fields |
| device_info.device_type | principal.resource.type |
| device_info.os_name | principal.asset.software.name |
| device_info.os_version | principal.asset.software.version |
| http.hostname | target.hostname |
| http.http_code | network.http.response_code |
| http.http_method | network.http.method |
| http.http_referer | network.http.referral_url |
| http.remote_address | src.ip |
| http.ua_string | network.http.user_agent |
| http.ua.browser.name | src.asset.labels |
| http.ua.device.category | src.resource.type |
| http.ua.device.name | src.resource.name |
| http.ua.os.name | src.asset.software |
| http.uri | src.url |
| id | metadata.product_log_id |
| instant_session_score | security_result.detection_fields |
| last_geolocation.description | security_result.about.location.name |
| last_geolocation.latitude | security_result.about.location.region_latitude |
| last_geolocation.longitude | security_result.about.location.region_longitude |
| mods.clustering.status | security_result.detection_fields |
| mods.dom_integrity.snippet_results.id | target.resource.attribute.labels |
| mods.dom_integrity.snippet_results.label | target.resource.attribute.labels |
| mods.dom_integrity.snippet_results.occurrences | target.resource.attribute.labels |
| mods.dom_integrity.snippet_results.rarity | target.resource.attribute.labels |
| mods.dom_integrity.snippet_results.reason | target.resource.attribute.labels |
| mods.dom_integrity.status | security_result.detection_fields |
| mods.event_linking.status | security_result.detection_fields |
| mods.geolocation.city.name | target.location.city |
| mods.geolocation.country.name | target.location.country_or_region |
| mods.geolocation.location.location.lat | target.location.region_latitude |
| mods.geolocation.location.location.lon | target.location.region_longitude |
| mods.geolocation.status | security_result.detection_fields |
| mods.geolocation.traits.ip_address | src.ip |
| mods.risk_propagation.status | security_result.detection_fields |
| mods.user_behavior.status | security_result.detection_fields |
| mods.xhr_integrity.status | security_result.detection_fields |
| session_id | intermediary.asset.labels |
| status | security_result.action_details |
| threat_flag | security_result.detection_fields |
| threat_id | security_result.threat_id |
| threat_labels | security_result.detection_fields |
| type | metadata.product_event_type |
| user_countries | security_result.about.location.country_or_region |
| user_id | principal.user.userid |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| Generic | GENERIC_EVENT |
| PRESENTATION | USER_RESOURCE_ACCESS |
| User Other | USER_UNCATEGORIZED |
Log Sample¶
{"version":"4.28.0-7555-release_4.28.0-62bfe75e0","id":"123456789abcdefg123456","application_hostname":"portalemployee.example.com","@timestamp":"2024-05-24T14:26:59.000Z","creation_timestamp":"2024-05-24T14:26:59.000Z","last_modified_timestamp":"2024-05-24T14:27:00.847Z","parent_id":null,"session_id":"abc123abc123abc123","browser_id":"7832yrhbbfcsfkejnfwrw","device_id":null,"user_id":"72311424","app_session_id":"","app_device_id":"","configured_application_point_id":"bae38f7693db5e8f86b24646a2076063","threat_id":null,"type":"PRESENTATION","instant_session_score":100.0,"channel":"WEB","status":"PROCESSED","tags":["USER_LOGGED_IN","HOSTNAME_DIFF","AGENT_REGULAR","DOM_OK"],"renamed_tags":[],"tag_history":[],"log":[{"timestamp":"2024-05-24T14:27:00.015Z","message":"[DIFFERENT_HOSTNAME] log_hostname=portalemployee.example.com this_message_hostname=portalemployee.example.com message_type=flag message_sub_type=2"},{"timestamp":"2024-05-24T14:27:00.847Z","message":"probe@1"},{"timestamp":"2024-05-24T14:27:00.850Z","message":"[DIFFERENT_HOSTNAME] log_hostname=portalemployee.example.com this_message_hostname=portalemployee.example.com message_type=probe message_sub_type=1"},{"timestamp":"2024-05-24T14:27:00.840Z","message":"[DIFFERENT_HOSTNAME] log_hostname=portalemployee.example.com this_message_hostname=portalemployee.example.com message_type=flag message_sub_type=3"},{"timestamp":"2024-05-24T14:27:00.014Z","message":"flag@2"},{"timestamp":"2024-05-24T14:27:00.839Z","message":"flag@3"},{"timestamp":"2024-05-24T14:26:59.000Z","message":"log@2"}],"http":{"hostname":"portalemployee.example.com","remote_address":"10.0.0.0","http_code":"200","http_method":"POST","http_referer":"https://portalemployee.example.com/example/Pyme/FrontOffice/ConsultasyExtractos/CYS/example.aspx","content_type":"text/html; charset=utf-8","ua_string":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","ua":{"device":{"category":"Personal computer","icon":"desktop.png","info_url":"/list-of-ua/device-detail?device=Personal computer","name":"Personal computer"},"os":{"family":"Windows","family_name":"Windows","icon":"windows10.png","name":"Windows 10","producer":"Microsoft Corporation.","producer_url":"https://www.microsoft.com/about/","url":"https://en.wikipedia.org/wiki/Windows_10","version_number":{"major":"10","minor":"0","bugfix":"","extension":""}},"browser":{"family":"Chrome","icon":"chrome.png","name":"Chrome","producer":"Google Inc.","producer_url":"https://about.google/","ua_type":"Browser","type_name":"Browser","url":"http://www.google.com/chrome/","version_number":{"major":"125","minor":"0","bugfix":"0","extension":""}}},"uri":"/example/Pyme/FrontOffice/ConsultasyExtractos/CYS/example.aspx","args":"","logger_type":"2","original_dom_length":116095,"has_raw_request_payload":false,"raw_request_payload":null,"has_raw_request_headers":false,"raw_request_headers":null,"has_raw_response_payload":false,"raw_response_payload":null,"has_raw_response_headers":false,"raw_response_headers":null,"header_host":"portalemployee.example.com"},"payment":{},"encryption_key":{},"mods":{"user_behavior":{"module":"user_behavior","performance":31250,"status":"PROCESSED"},"dom_integrity":{"module":"dom_integrity","performance":10001949,"status":"PROCESSED","decode_time":38440,"statistics_time":1319940,"clustering_time":100030,"normalization_time":6747689,"rendered_dom_length":116160,"diff_time":1821540,"page_view":281651,"snippet_results":[]},"risk_propagation":{"module":"risk_propagation","performance":10340,"status":"PROCESSED"},"clustering":{"module":"clustering","performance":3050,"status":"PROCESSED","configuration_updated":false},"geolocation":{"module":"geolocation","performance":72090,"status":"PROCESSED","continent":{"geoname_id":6255150,"iso_code":"SA","name":"South America","confidence":0},"country":{"geoname_id":3686110,"iso_code":"CO","name":"Colombia"},"registered_country":{"geoname_id":3686110,"iso_code":"CO","name":"Colombia"},"represented_country":{},"subdivisions":[{"geoname_id":3689436,"iso_code":"ATL","name":"Atl�ntico"}],"city":{"geoname_id":3689147,"iso_code":"","name":"Barranquilla"},"location":{"location":{"lon":-74.8092,"lat":11.0071},"accuracy_radius":5,"time_zone":"America/Bogota","geohash":"d3fy9ev9521m"},"traits":{"ip_address":"10.0.0.0","is_anonymous_proxy":false,"is_satellite_provider":false},"postal_code":{"code":"080001"}}},"threat_flag":null,"threat_labels":[],"webhook_response_body":null}
Sample Parsing¶
intermediary.asset.labels.key = "session_id"
intermediary.asset.labels.value = "abc123abc123abc123"
intermediary.asset.labels.key = "browser_id"
intermediary.asset.labels.value = "7832yrhbbfcsfkejnfwrw"
metadata.event_type = "USER_RESOURCE_ACCESS"
metadata.log_type = "CLEAFY"
metadata.product_event_type = "PRESENTATION"
metadata.product_log_id = "d45c60362ab9a1e5419da748d6a4e23d"
metadata.product_version = "4.28.0-7555-release_4.28.0-62bfe75e0"
metadata.vendor_name = "Cleafy S.P.A"
network.http.method = "POST"
network.http.referral_url = "https://portalemployee.example.com/example/Pyme/FrontOffice/ConsultasyExtractos/CYS/example.aspx"
network.http.response_code = 200
network.http.user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
principal.user.userid = "72311424"
security_result.about.labels.key = "Log Message"
security_result.about.labels.value = "[DIFFERENT_HOSTNAME] log_hostname=portalemployee.example.com this_message_hostname=portalemployee.example.com message_type=flag message_sub_type=2"
security_result.about.labels.key = "Log Message"
security_result.about.labels.value = "probe@1"
security_result.about.labels.key = "Log Message"
security_result.about.labels.value = "[DIFFERENT_HOSTNAME] log_hostname=portalemployee.example.com this_message_hostname=portalemployee.example.com message_type=probe message_sub_type=1"
security_result.about.labels.key = "Log Message"
security_result.about.labels.value = "[DIFFERENT_HOSTNAME] log_hostname=portalemployee.example.com this_message_hostname=portalemployee.example.com message_type=flag message_sub_type=3"
security_result.about.labels.key = "Log Message"
security_result.about.labels.value = "flag@2"
security_result.about.labels.key = "Log Message"
security_result.about.labels.value = "flag@3"
security_result.about.labels.key = "Log Message"
security_result.about.labels.value = "log@2"
security_result.action_details = "PROCESSED"
security_result.category_details = "USER_LOGGED_IN"
security_result.category_details = "HOSTNAME_DIFF"
security_result.category_details = "AGENT_REGULAR"
security_result.category_details = "DOM_OK"
security_result.detection_fields.key = "instant_session_score"
security_result.detection_fields.value = "100"
security_result.detection_fields.key = "User Behavior Status"
security_result.detection_fields.value = "PROCESSED"
security_result.detection_fields.key = "Dom Integrity Status"
security_result.detection_fields.value = "PROCESSED"
security_result.detection_fields.key = "Risk Propagation Status"
security_result.detection_fields.value = "PROCESSED"
security_result.detection_fields.key = "Clustering Status"
security_result.detection_fields.value = "PROCESSED"
security_result.detection_fields.key = "Geolocation Status"
security_result.detection_fields.value = "PROCESSED"
src.asset.labels.key = "Browser Name"
src.asset.labels.value = "Chrome"
src.asset.software.name = "Windows 10"
src.ip = "10.0.0.0"
src.resource.name = "Personal computer"
src.resource.type = "Personal computer"
src.url = "/example/Pyme/FrontOffice/ConsultasyExtractos/CYS/example.aspx"
target.application = "portalemployee.example.com"
target.asset.labels.key = "configured_application_point_id"
target.asset.labels.value = "bae38f7693db5e8f86b24646a2076063"
target.hostname = "portalemployee.example.com"
target.location.city = "Barranquilla"
target.location.country_or_region = "Colombia"
target.location.region_latitude = 11.0071
target.location.region_longitude = -74.8092