Deepfence ThreatStryker¶
About¶
Deepfence ThreatStryker discovers all running containers, processes, and online hosts, and presents a live and interactive color-coded view of the topology. It audits containers and hosts to detect vulnerable components, and interrogates configuration to identify file system, process, and network related misconfigurations. ThreatStryker assesses compliance using industry and community standard benchmarks.
Product Details¶
Vendor URL: Deepfence ThreatStryker
Product Type: Network Monitoring
Product Tier: Tier II
Integration Method: Syslog
Integration URL: Deepfence
Log Guide: N/A
Parser Details¶
Log Format: JSON
Expected Normalization Rate: near 100%
Data Label: DEEPFENCE
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| action | metadata.description |
| app_proto | network.application_protocol |
| classtype | security_result.rule_type |
| cloud_metadata.cloud_provider | extensions.vulns.vulnerabilities.about.cloud.environment |
| cloud_metadata.name | extensions.vulns.vulnerabilities.about.cloud.project.name |
| cloud_metadata.os_type | extensions.vulns.vulnerabilities.about.asset.platform_software.platform |
| cloud_metadata.private_ip | extensions.vulns.vulnerabilities.about.asset.ip |
| cloud_metadata.public_ip | extensions.vulns.vulnerabilities.about.nat_ip |
| cloud_metadata.region | extensions.vulns.vulnerabilities.about.cloud.availability_zone |
| cloud_metadata.resource_group_name | extensions.vulns.vulnerabilities.about.group.attribute.cloud.project.name |
| cloud_metadata.vm_id | extensions.vulns.vulnerabilities.about.asset.product_object_id |
| container_id | extensions.vulns.vulnerabilities.about.resource.product_object_id |
| container_name | principal.resource.name |
| cve_attack_vector | extensions.vulns.vulnerabilities.cvss_vector |
| cve_caused_by_package | principal.application |
| cve_caused_by_package_path | security_result.about.file.full_path |
| cve_container_image_id | principal.resource.product_object_id |
| cve_container_layer | additional.fields.value.string_value |
| cve_container_name | security_result.about.resource.name |
| cve_cvss_score | extensions.vulns.vulnerabilities.cvss_base_score |
| cve_description | extensions.vulns.vulnerabilities.cve_description |
| cve_fixed_in | security_result.priority_details |
| cve_id | extensions.vulns.vulnerabilities.cve_id |
| cve_link | extensions.vulns.vulnerabilities.vendor_knowledge_base_article_id |
| cve_nvd_severity | security_result.severity |
| cve_nvd_severity | security_result.severity_details |
| cve_overall_score | security_result.about.investigation.severity_score |
| cve_severity | extensions.vulns.vulnerabilities.severity_details |
| cve_severity | extensions.vulns.vulnerabilities.severity |
| cve_type | extensions.vulns.vulnerabilities.cvss_version |
| description | metadata.description |
| destination_ip | target.ip |
| destination_port | target.port |
| direction | network.direction |
| doc_id | metadata.product_log_id |
| event | metadata.product_event_type |
| event_type | metadata.product_event_type |
| host | extensions.vulns.vulnerabilities.about.asset.hostname |
| host_name | principal.hostname |
| http.hostname | target.hostname |
| http.http_method | network.http.method |
| http.http_user_agent | network.http.user_agent |
| http.status | network.http.response_code |
| http.url | network.http.referral_url |
| id | metadata.product_log_id |
| integration.api_url | target.url |
| integration.integration_type | target.resource.resource_subtype |
| intent | security_result.category_details |
| ip_reputation | extensions.vulns.vulnerabilities.vendor_knowledge_base_article_id |
| kubernetes_cluster_name | principal.resource.name |
| masked | additional.fields.value.string_value |
| node_id_list | principal.hostname |
| node_type | principal.resource.resource_subtype |
| patch | principal.platform_patch_level |
| payload_printable | security_result.about.process.command_line |
| podname | security_result.about.resource.name |
| proto | network.ip_protocol |
| resource_type | principal.resource.resource_subtype |
| severity | security_result.severity_details |
| severity | security_result.severity |
| severity_score | extensions.vulns.vulnerabilities.cvss_base_score |
| source_ip | principal.ip |
| source_port | principal.port |
| summary | security_result.summary |
| type | security_result.description |
| user_email | principal.user.userid |
| user_role | principal.user.attribute.roles.description |
| version | metadata.product_version |
| vm_size | additional.fields.value.string_value |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| all other events | SCAN_VULN_HOST |
| cve_scan_start | STATUS_STARTUP |
| scan events missing principal host | GENERIC_EVENT |
Log Sample¶
{"@timestamp":"2021-11-12T17:29:50.049Z","cve_caused_by_package":"redactedpackage","masked":"false","cve_container_layer":"redactedcontainer","cve_link":"redactedurl","cve_type":"base","cve_cvss_score":7.5,"cve_id_cve_severity_cve_container_image":"imagename","host_name":"host","@version":"1","cve_container_image_id":"host","cve_overall_score":0.3,"cve_severity":"medium","host":"host","cve_caused_by_package_path":"","cve_description":"redacteddesc","cve_fixed_in":"Unknown","type":"cve","cve_container_name":"","node_type":"host","scan_id":"host_2021-11-12T17:29:04.000","doc_id":"redacteddocid","kubernetes_cluster_name":"","cve_attack_vector":"AV:N/AC:L/Au:N/C:P/I:P/A:P","cve_container_image":"host","cve_id":"redactedcve","cve_nvd_severity":"medium"}
Sample Parsing¶
metadata.event_type = "SCAN_VULN_HOST"
metadata.vendor_name = "Deepfence"
metadata.product_name = "ThreatStryker"
metadata.product_version = "1"
additional.cve_container_image_id = "host"
additional.cve_container_layer = "redactedcontainer"
additional.masked = "false"
principal.hostname = "host"
principal.application = "redactedpackage"
principal.resource.resource_subtype = "host"
security_result.about.hostname = "host"
security_result.severity = "MEDIUM"
security_result.severity_details = "medium"
security_result.priority_details = "Unknown"
extensions.vulns.vulnerabilities.severity = "MEDIUM"
extensions.vulns.vulnerabilities.severity_details = "medium"
extensions.vulns.vulnerabilities.cvss_base_score = "7.5"
extensions.vulns.vulnerabilities.cvss_vector = "AV:N/AC:L/Au:N/C:P/I:P/A:P"
extensions.vulns.vulnerabilities.cvss_version = "base"
extensions.vulns.vulnerabilities.cve_id = "redactedcve"
extensions.vulns.vulnerabilities.cve_description = "redacteddesc"
extensions.vulns.vulnerabilities.vendor_knowledge_base_article_id = "redactedurl"
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon