CryptoSpike¶
About¶
Based on full access transparency, CryptoSpike detects unusual activities in your file system and blocks attacks in real time. In the event of a ransomware attack, the granular restore function makes it possible to restore affected files immediately.
Product Details¶
Vendor URL: CryptoSpike
Product Type: SaaS
Product Tier: Tier III
Integration Method: Syslog
Integration URL: Cryptospike Integration guide
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 100%
Data Label: CRYPTOSPIKE
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| agent | principal.hostname |
| context.addedEntries | security_result.detection_fields |
| context.additionalInformation.blocklistHits | security_result.detection_fields |
| context.additionalInformation.files.0.displayFilePath | target.file.full_path |
| context.blockUnblockInfo.blockRuleMatches.0 | security_result.rule_name |
| context.blockUnblockInfo.comment | security_result.summary |
| context.blockUnblockInfo.csInstanceIp | observer.ip |
| context.blockUnblockInfo.csInstanceName | observer.hostname |
| context.changelogLink | additional.fields |
| context.distinguishedName | target.user.group_identifiers |
| context.downloadLink | target.url |
| context.downloadLinkSigned | additional.fields |
| context.emailAddress | target.email |
| context.environmentInformation.clusterName | target.resource.name |
| context.md5 | target.file.md5 |
| context.name | target.user.user_display_name |
| context.product | target.application |
| context.resolvedState | security_result.threat_status |
| context.sha512 | security_result.detection_fields |
| context.userGUID | target.user.attribute.labels |
| context.userId | target.user.userid |
| context.userIp | target.ip |
| context.userName | target.hostname |
| context.userPrincipalName | target.user.email_addresses |
| context.version | target.asset.software.version |
| details | security_result.description |
| entityAction.0.action | security_result.action_details |
| entityAction.0.entity | additional.fields |
| entityAction.0.entityKey | additional.fields |
| key | metadata.product_event_type |
| message | metadata.description |
| service | principal.application |
| service | target.resource.name |
| severity | security_result.severity_details |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| application-update-available | STATUS_UPDATE |
| blocked-user | USER_UNCATEGORIZED |
| blocklist-update | SETTING_MODIFICATION |
| Generic | GENERIC_EVENT |
| user-login-successful | USER_LOGIN |
Log Sample¶
<134>Feb 1 00:47:02 10.100.0.46 {"key":"blocked-user","agent":"ABC123","service":"event-analyzer","timestamp":"2024-02-01T00:47:02.758136203Z","entityAction":[{"entity":"TENANT","entityKey":"1","action":""}],"severity":"INFO","context":{"changedTimestamp":"2024-01-28T13:04:11Z","distinguishedName":"CN=Vlog Admin,OU=Admin Users,OU=ABCD,DC=example,DC=local","emailAddress":null,"name":"Vlog Admin","resolvedState":"RESOLVED","samAccountName":"EXAMPLE","tenantId":1,"userGUID":"a12b3c4d-123abc-abcd1234-1234","userId":"S-1-5-21-12345678-12345678-12345678-1234","userIdType":"WINDOWS","userIp":"10.0.0.0","userName":"EXAMPLE","userPrincipalName":"EXAMPLE@example.de","blockUnblockInfo":{"timestamp":"2024-02-01T00:47:02.741988017Z","csUserName":null,"storageUserName":null,"comment":"Triggered blocklist hit rule.","blockRuleMatches":["pdb"],"blockedFiles":["\\\\example\\VLOG\\file\\example\\240131_2023.14_master\\master\\MHP.Carrier.HVS.pdb"],"csInstanceIp":"10.0.0.0","csInstanceName":"cryptospikeagent-2-shared-network.internal"},"environmentInformation":{"clusterName":"examplecloudnetapp","serverName":"svm_examplecloudnetapp","volumeName":"VLOG","shareName":"VLOG"},"additionalInformation":{"eventMode":"ACTIVE","instanceId":null,"blocklistHitsDurationInSeconds":5,"files":[{"filePath":"/example/example/x.14_master/master/MHP.Carrier.HVS.pdb","displayFilePath":"\\\\\\\\example\\VLOG\\file\\example\\x.14_master\\master\\MHP.Carrier.HVS.pdb","renameToPath":null,"configurationItemId":3402,"externalConfigurationItemId":null,"blockListItem":"pdb","clusterName":"examplecloudnetapp","serverName":"svm_examplecloudnetapp","volumeName":"VLOG","shareName":"VLOG"}],"adjustedBlocklistHitsLimit":false,"blocklistHits":5}},"message":"User blocked","details":"User was blocked"}
Sample Parsing¶
metadata.event_type = "USER_UNCATEGORIZED"
metadata.vendor_name = "ProLion"
metadata.product_name = "CryptoSpike"
metadata.product_version = "3.2.2"
metadata.product_event_type = "blocked-user"
metadata.description = "User blocked"
additional.fields["entity"] = "TENANT"
additional.fields["entityKey"] = "1"
principal.hostname = "ABC123"
principal.ip = "10.100.0.46"
principal.application = "event-analyzer"
target.hostname = "EXAMPLE"
target.user.userid = "a12b3c4d-123abc-abcd1234-1234"
target.user.user_display_name = "Vlog Admin"
target.user.attribute.labels["userGUID"] = "a12b3c4d-123abc-abcd1234-1234"
target.user.group_identifiers = "CN=Vlog Admin,OU=Admin Users,OU=ABCD,DC=example,DC=local"
target.user.email_addresses = "EXAMPLE@example.de"
target.ip = "10.0.0.0"
target.file.full_path = "\\\\\\\\example\\VLOG\\file\\example\\240131_2023.14_master\\master\\MHP.Carrier.HVS.pdb"
target.resource.name = "examplecloudnetapp"
observer.hostname = "cryptospikeagent-2-shared-network.internal"
observer.ip = "10.0.0.0"
security_result.rule_name = "pdb"
security_result.detection_fields.key = "blocklistHits"
security_result.detection_fields.value = "5"
security_result.summary = "Triggered blocklist hit rule."
security_result.description = "User was blocked"
security_result.severity = "INFORMATIONAL"
security_result.severity_details = "INFO"
security_result.threat_status = "CLEARED"