Zimperium

About

Zimperium, Inc. is a global leader in mobile device and app security, offering real-time, on-device protection against both known and unknown threats on Android, iOS and Chromebook endpoints.

Product Details

Vendor URL: Zimperium

Product Type: Mobile security

Product Tier: Tier II

Integration Method: Syslog

Integration URL: n/a

Log Guide: n/a

Parser Details

Log Format: JSON

Expected Normalization Rate: near 100%

Data Label: Zimperium

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field                        UDM Field
threat.general.gateway_ip             intermediary.ip
hostname                              observer.hostname
threat.story                          metadata.description
threat.name                           metadata.product_event_type
event_id                              metadata.product_log_id
"MTD"                                 metadata.product_name
"Zimperium"                           metadata.vendor_name
user_info.user_role                   principal.asset.attribute.roles
device_info.os_version                principal.asset.platform_software.platform_version
device_info.app_version               principal.asset.software
threat.general.external_ip            principal.ip
user_info.user_email                  principal.user.email_addresses
user_info.user_group                  principal.user.group_identifiers
user_info.employee_name               principal.user.user_display_name
user_info.user_id                     principal.user.userid
threat.general.network                target.cloud.vpc.name
threat.general.device_ip              target.ip
threat.general.network_bssid          target.mac
device_info.jailbroken                additional.fields
device_info.usb_debugging_enabled     additional.fields
device_info.developer_options_on      additional.fields
device_info.disk_not_encrypted        additional.fields
device_info.lock_screen_unprotected   additional.fields
device_info.stagefright_vulnerable    additional.fields
threat.story                          security_result.description
record.file_name                      security_result.about.file.names
threat.name                           security_result.summary
threat.general.threat_type            security_result.threat_name
severity                              security_result.severity
severity                              security_result.severity_details

Product Event Types

Product Event   Description   UDM Event
All             All events    GENERIC_EVENT

Log Sample

<14>1 09 21 2022 15:34:42 UTC hostname {"system_token": "token", "severity": 1, "event_id": "id", "forensics": {"os": 1, "_id": {"$oid": ""}, "type": 100, "zdid": "", "general": [{"val": "09 21 2022 15:34:41 UTC", "name": "Device Time"}, {"val": "", "name": "Action Triggered"}, {"val": "Inactive Device", "name": "Threat Type"}], "event_id": "eventID", "severity": "LOW", "attack_time": {"$date": 1663774481000}, "threat_uuid": "uuid"}, "mitigated": false, "location": null, "eventtimestamp": "09 21 2022 15:34:42 UTC", "user_info": {"user_id": "userid", "user_group": "MTD-Devices", "user_role": "End User", "user_email": "jane.doe@work.com", "employee_name": "Jane Doe"}, "device_info": {"zdid": "id", "zapp_instance_id": "id", "device_time": "09 21 2022 15:34:42 UTC", "tag1": "", "tag2": "", "imei": "", "device_id": "id", "mdm_id": "", "mam_id": null, "type": "iPhone11,8", "app": "MobileIron", "jailbroken": false, "os_version": "15.6.1", "operator": "Verizon", "model": "iPhone", "app_version": "12.11.71", "os": "iOS", "usb_debugging_enabled": false, "developer_options_on": false, "disk_not_encrypted": false, "lock_screen_unprotected": false, "stagefright_vulnerable": false}, "threat": {"story": "Device is dormant. It is recommended to contact the user to reactivate the app.", "name": "Inactive App", "category": ["Singular"], "mitre_tactics": [], "threat_uuid": "uuid", "child_threat_uuids": [], "general": {"device_time": "09 21 2022 15:34:41 UTC", "action_triggered": "", "threat_type": "Inactive Device"}}}

Sample Parsing

metadata.product_log_id = "id"
metadata.event_timestamp = 1663862136
metadata.event_type = GENERIC_EVENT
metadata.vendor_name = "Zimperium"
metadata.product_name = "MTD"
metadata.product_event_type = "Inactive App"
metadata.description = "Device is dormant. It is recommended to contact the user to reactivate the app."
additional.fields.key = "Developer Options On"
additional.fields.value = "false"
additional.fields.key = "Disk Not Encrypted"
additional.fields.value = "false"
additional.fields.key = "Jailbroken"
additional.fields.value = "false"
additional.fields.key = "Lock Screen Unprotected"
additional.fields.value = "false"
additional.fields.key = "Stagefright Vulnerable"
additional.fields.value = "false"
additional.fields.key = "USB Debugging Enabled"
additional.fields.value = "false"
principal.user.userid = "userid"
principal.user.user_display_name = "Jane Doe"
principal.user.group_identifiers = "MTD-Devices"
principal.user.email_addresses = "jane.doe@work.com"
principal.asset.platform_software.platform_version = "15.6.1"
principal.asset.software.name = "MobileIron"
principal.asset.software.version = "12.11.71"
principal.asset.attribute.roles.name = "End User"
observer.hostname = "hostname"
security_result.threat_name = "Inactive Device"
security_result.summary = "Inactive App"
security_result.description = "Device is dormant. It is recommended to contact the user to reactivate the app."
security_result.severity = LOW
security_result.severity_details = "1"
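The following Python is an added example, not the production parser documented on this page and not code from Zimperium or the SIEM vendor. It runs the UDM mapping from the table above over the page's own log sample: it separates the syslog header from the JSON body, applies the one-to-one field mappings, builds the additional.fields entries from the device_info posture flags, and derives security_result.severity. Three things are assumptions rather than page facts: the event timestamp is taken from the JSON eventtimestamp field (the page's sample parsing shows a different value), only severity 1 mapping to LOW is known from the page so any other value is reported as UNKNOWN_SEVERITY, and the header pattern matches the single sample format shown.

```python
# Added example: stand-alone parser for the Zimperium MTD syslog/JSON feed shown on this page,
# not the production parser. The mapping follows the UDM table above.
import json
import re
from datetime import datetime, timezone

# Header as in the page's sample: "<PRI>1 MM DD YYYY HH:MM:SS UTC hostname {json}".
# The timestamp is Zimperium's own format, not the RFC 5424 ISO form (assumed from the one sample).
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>1\s+(?P<ts>\d{2} \d{2} \d{4} \d{2}:\d{2}:\d{2} UTC)"
    r"\s+(?P<host>\S+)\s+(?P<body>\{.*\})\s*$",
    re.DOTALL,
)
TS_FORMAT = "%m %d %Y %H:%M:%S UTC"

# One-to-one mappings from the UDM table above: (JSON path, UDM field).
DIRECT_FIELDS = [
    ("threat.general.gateway_ip", "intermediary.ip"), ("threat.story", "metadata.description"),
    ("threat.name", "metadata.product_event_type"), ("event_id", "metadata.product_log_id"),
    ("user_info.user_role", "principal.asset.attribute.roles.name"),
    ("device_info.os_version", "principal.asset.platform_software.platform_version"),
    ("threat.general.external_ip", "principal.ip"), ("user_info.user_email", "principal.user.email_addresses"),
    ("user_info.user_group", "principal.user.group_identifiers"),
    ("user_info.employee_name", "principal.user.user_display_name"), ("user_info.user_id", "principal.user.userid"),
    ("threat.general.network", "target.cloud.vpc.name"), ("threat.general.device_ip", "target.ip"),
    ("threat.general.network_bssid", "target.mac"), ("threat.story", "security_result.description"),
    ("record.file_name", "security_result.about.file.names"), ("threat.name", "security_result.summary"),
    ("threat.general.threat_type", "security_result.threat_name"),
]

# device_info posture flags -> additional.fields, keyed with the labels the sample parsing shows.
DEVICE_FLAGS = {
    "jailbroken": "Jailbroken", "usb_debugging_enabled": "USB Debugging Enabled",
    "developer_options_on": "Developer Options On", "disk_not_encrypted": "Disk Not Encrypted",
    "lock_screen_unprotected": "Lock Screen Unprotected", "stagefright_vulnerable": "Stagefright Vulnerable",
}

# The page documents only severity 1 -> LOW; other values are reported as UNKNOWN_SEVERITY, not guessed.
SEVERITY = {1: "LOW"}


def _lookup(obj, path):
    """Walk a dotted path through nested dicts; None if any segment is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def parse_event(line):
    """Parse one syslog line into a flat dict keyed by UDM field name; ValueError on bad input."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("line does not match the expected Zimperium syslog header")
    event = json.loads(m.group("body"))  # raises ValueError (JSONDecodeError) on a malformed body
    udm = {"metadata.event_type": "GENERIC_EVENT", "metadata.vendor_name": "Zimperium",
           "metadata.product_name": "MTD", "observer.hostname": m.group("host")}
    # Assumption: event time is taken from the JSON eventtimestamp field, as epoch seconds.
    ts = event.get("eventtimestamp")
    if ts:
        dt = datetime.strptime(ts, TS_FORMAT).replace(tzinfo=timezone.utc)
        udm["metadata.event_timestamp"] = int(dt.timestamp())
    for src, dst in DIRECT_FIELDS:
        val = _lookup(event, src)
        if val not in (None, ""):  # absent or empty source fields emit no UDM field
            udm[dst] = val
    # principal.asset.software: name from device_info.app, version from device_info.app_version
    for src, dst in (("device_info.app", "name"), ("device_info.app_version", "version")):
        val = _lookup(event, src)
        if val:
            udm["principal.asset.software." + dst] = val
    # Posture flags become additional.fields entries with stringified boolean values
    flags = []
    for key, label in sorted(DEVICE_FLAGS.items(), key=lambda kv: kv[1]):
        val = _lookup(event, "device_info." + key)
        if val is not None:
            flags.append({"key": label, "value": str(val).lower()})
    if flags:
        udm["additional.fields"] = flags
    sev = event.get("severity")
    if sev is not None:
        udm["security_result.severity"] = SEVERITY.get(sev, "UNKNOWN_SEVERITY")
        udm["security_result.severity_details"] = str(sev)
    return udm


# The page's own log sample, embedded so the module runs offline.
SAMPLE_LINE = (
    '<14>1 09 21 2022 15:34:42 UTC hostname {"system_token": "token", "severity": 1, "event_id": "id", '
    '"forensics": {"os": 1, "_id": {"$oid": ""}, "type": 100, "zdid": "", "general": [{"val": "09 21 2022 15:34:41 UTC", "name": "Device Time"}, '
    '{"val": "", "name": "Action Triggered"}, {"val": "Inactive Device", "name": "Threat Type"}], "event_id": "eventID", "severity": "LOW", '
    '"attack_time": {"$date": 1663774481000}, "threat_uuid": "uuid"}, "mitigated": false, "location": null, "eventtimestamp": "09 21 2022 15:34:42 UTC", '
    '"user_info": {"user_id": "userid", "user_group": "MTD-Devices", "user_role": "End User", "user_email": "jane.doe@work.com", "employee_name": "Jane Doe"}, '
    '"device_info": {"zdid": "id", "zapp_instance_id": "id", "device_time": "09 21 2022 15:34:42 UTC", "tag1": "", "tag2": "", "imei": "", "device_id": "id", "mdm_id": "", "mam_id": null, '
    '"type": "iPhone11,8", "app": "MobileIron", "jailbroken": false, "os_version": "15.6.1", "operator": "Verizon", "model": "iPhone", "app_version": "12.11.71", "os": "iOS", '
    '"usb_debugging_enabled": false, "developer_options_on": false, "disk_not_encrypted": false, "lock_screen_unprotected": false, "stagefright_vulnerable": false}, '
    '"threat": {"story": "Device is dormant. It is recommended to contact the user to reactivate the app.", "name": "Inactive App", "category": ["Singular"], "mitre_tactics": [], '
    '"threat_uuid": "uuid", "child_threat_uuids": [], "general": {"device_time": "09 21 2022 15:34:41 UTC", "action_triggered": "", "threat_type": "Inactive Device"}}}'
)

if __name__ == "__main__":
    print(json.dumps(parse_event(SAMPLE_LINE), indent=2))
```

Fields whose source is absent from a given event (gateway_ip, device_ip, network_bssid and record.file_name in the sample) are simply not emitted, which is what the sample parsing shows. A line whose header or JSON body does not parse raises instead of producing an empty GENERIC_EVENT, so such lines surface as a drop in the normalization rate rather than as silent, field-less events.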

Parser Alerting

This product currently does not have any parser-based alerting.

Rules

Coming Soon