eStar Software Solution

About

Provides business software through a single solution that helps companies get better return on investment.

Product Details

Vendor URL: Unknown

Product Type: ERP

Product Tier: Unknown

Integration Method: Chronicle/CEF

Integration URL: Unknown

Log Guide: n/a

Parser Details

Log Format: CEF

Expected Normalization Rate: near 100%

Data Label: ESTAR

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field                                    UDM Field
------------------------------------------------  -------------------------
Hard-coded: AUTHTYPE_UNSPECIFIED                  extensions.auth.type
udm_description, full_details, kv_out.duser,      metadata.description
  kv_out.cs5kv_data
GENERIC_EVENT (catch-all), STATUS_UPDATE,         metadata.event_type
  USER_CHANGE_PERMISSIONS, USER_CREATION,
  USER_DELETION, USER_LOGIN, USER_LOGOUT,
  USER_RESOURCE_ACCESS
Hard-coded: eStar Software Solution               metadata.product_name
log_product_version                               metadata.product_version
Hard-coded: eStar Software Solution               metadata.vendor_name
hostname                                          principal.hostname
kv_out.Source_address                             principal.ip
kv_out.spt                                        principal.port
kv_out.User_role                                  principal.user.groupid
kv_out.duser                                      principal.user.userid
sec_result                                        security_result
kv_out.shost                                      src.url
kv_out.dhost                                      target.hostname
kv_out.dvc                                        target.ip
kv_out.dpt                                        target.port
kv_out.cs5                                        target.url
kv_out.User_name                                  target.user.userid

Log Sample

2022-01-03 01:26:24 servername CEF: 0|estar|estar|3.1.153.2028|estar:audit|Audit|5|msg=john.doe@domain.com unsuccessfully attempted to log in {User role \= ; Source address \= 10.10.10.9}  dvc=10.10.10.252 rt=1641173183498 src=10.10.10.9 duser=john.doe@domain.com cat=eStar:info outcome=SUCCESS

Sample Parsing

metadata.event_timestamp = "2022-01-03T01:26:24Z"
metadata.event_type = "USER_LOGIN"
metadata.vendor_name = "eStar Software Solution"
metadata.product_name = "eStar Software Solution"
metadata.product_version = "3.1.153.2028"
metadata.description = "john.doe@domain.com unsuccessfully attempted to log in"
principal.hostname = "servername"
principal.user.userid = "john.doe@domain.com"
principal.ip = "10.10.10.9"
principal.namespace = "companyname"
principal.asset.ip = "10.10.10.9"
target.user.userid = "john.doe@domain.com"
target.ip = "10.10.10.252"
target.namespace = "companyname"
target.asset.ip = "10.10.10.252"
security_result.action = "BLOCK"
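The sample parsing above, worked through in code as an added example that is not part of this page or of the Chronicle parser itself: a small Python CEF reader that splits the syslog prefix and the seven CEF header fields, parses the extension key=value pairs (including the escaped `\=` inside `msg`), pulls the `{User role; Source address}` block out of `msg` into the kv_out.* keys, and maps a subset of the fields to the UDM names listed in the table. The event-type and action heuristics are assumptions chosen to reproduce the sample, not the parser's real logic.

```python
import re
# Constructed input: the log sample from this page as one Python string.
SAMPLE = ('2022-01-03 01:26:24 servername CEF: 0|estar|estar|3.1.153.2028|estar:audit|Audit|5|'
          'msg=john.doe@domain.com unsuccessfully attempted to log in {User role \\= ; Source address '
          '\\= 10.10.10.9}  dvc=10.10.10.252 rt=1641173183498 src=10.10.10.9 duser=john.doe@domain.com '
          'cat=eStar:info outcome=SUCCESS')

HEADER_RE = re.compile(r'^(\S+ \S+) (\S+) CEF: ?\d+\|')  # syslog timestamp, hostname, CEF version
# A key is a word before "=" at the start or after whitespace; the escaped "\=" in msg follows a backslash.
EXT_KEY_RE = re.compile(r'(?:^|\s)(\w+)=')

def parse_extensions(ext):
    """Split the CEF extension string into a dict, unescaping \\= and \\\\."""
    parts = EXT_KEY_RE.split(ext)  # ['', key, value, key, value, ...]
    return {k: v.strip().replace('\\=', '=').replace('\\\\', '\\')
            for k, v in zip(parts[1::2], parts[2::2])}

def parse_msg(msg):
    """Split 'description {Key = value; ...}' into the text and the kv_out.* keys."""
    desc, _, nested = msg.partition('{')
    kv = {}
    for item in nested.rstrip('}').split(';'):
        key, _, value = item.partition('=')
        if key.strip():
            kv[key.strip().replace(' ', '_')] = value.strip()  # "User role" -> User_role
    return desc.strip(), kv

def to_udm(line):
    """Map one eStar CEF line to a subset of the UDM fields listed on this page."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('not an eStar CEF line')
    ts, hostname = m.groups()
    # Seven CEF header fields split on unescaped "|"; unpacking fails if the header is malformed.
    _vendor, _product, version, _sig, _name, _sev, ext = re.split(r'(?<!\\)\|', line[m.end():], maxsplit=6)
    kv = parse_extensions(ext)
    desc, msg_kv = parse_msg(kv.get('msg', ''))
    # Assumed heuristics: event type from the message verb; action from "unsuccessfully" in
    # the text rather than outcome=, since the page's sample yields BLOCK despite outcome=SUCCESS.
    return {
        'metadata.event_timestamp': ts.replace(' ', 'T') + 'Z',  # the sample timestamp is UTC
        'metadata.event_type': 'USER_LOGIN' if 'log in' in desc else 'GENERIC_EVENT',
        'metadata.product_version': version,
        'metadata.description': desc,
        'principal.hostname': hostname,
        'principal.user.userid': kv.get('duser'),
        'principal.ip': msg_kv.get('Source_address'),
        'target.ip': kv.get('dvc'),
        'security_result.action': 'BLOCK' if 'unsuccessfully' in desc else 'ALLOW',
    }
```

Note that `outcome=SUCCESS` in the raw line contradicts the message text; the sample parsing on this page resolves that in favour of the text, which is worth remembering when writing detections on `security_result.action`.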

Parser Alerting

This product currently does not have any Parser-based Alerting.

Rules

Coming Soon