Valid tags and data tables
The full tag has three levels. The first two are fixed as ids.attivo, and the third identifies the type of events sent.

Technology | Brand | Type
---|---|---
ids | attivo | botsink
Tag | Data table
---|---
ids.attivo.botsink | ids.attivo.botsink
Log samples
The following are sample logs sent to each of the ids.attivo data tables. Under each sample log you can also see how the information is parsed into your data table.

Note: Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.
ids.attivo.botsink

```
<12>2021-01-01 01:00:30.000 localhost=127.0.0.1 ids.attivo.botsink: <9> BOTsink: Severity:[Medium] Attacker IP:[1.2.3.4] Target Host:[myHost] Target IP:[5.6.7.8] Target OS:[Windows 2008] Description:[Network Monitoring - Inbound RDP] Details:[Process [System] has incoming tcp connection from [1.2.3.4:63267] at [myHost:3389].] Phase:[Information] Service:[RDP] VLANID:[] Forwarder:[eth3] Attacker IP Domain:[mydomain.com] Target IP Domain:[] Attacker HostName:[] Attacker MAC:[] Attacker UserNames:[] TargetIP List:[] Target Ports:[] Target IP Ports:[] Forwarder IP:[] Dest UserName:[] subscriberName:[] Attacker HostName:[] Attacker MAC:[] Attacker UserNames:[] Attivo AlertID:[1234567890ABCDEF] MITRE Technique ID:[T1021] MITRE Technique Name:[Remote Services] MITRE Tactic Name:[Lateral Movement] VTSummaryResult:[] WebRootReputation:[]
```
Field | Value | Type | Extra fields
---|---|---|---
hostchain | localhost=127.0.0.1 | |
tag | ids.attivo.botsink | |
Severity | Medium | |
Attacker_IP | 1.2.3.4 | |
Target_Host | myHost | |
Target_IP | 5.6.7.8 | |
Target_OS | Windows 2008 | |
Description | Network Monitoring - Inbound RDP | |
Details | Process [System] has incoming tcp connection from [1.2.3.4:63267] at [myHost:3389]. | |
Phase | Information | |
Service | RDP | |
VLANID | | |
Forwarder | eth3 | |
Attacker_IP_Domain | mydomain.com | |
Target_IP_Domain | | |
Attacker_HostName | | |
Attacker_UserNames | | |
TargetIP_List | | |
Target_Ports | | |
Target_IP_Ports | | |
Forwarder_IP | | |
Dest_UserNames | | |
suscriberName | | |
Attacker_MAC | | |
Attivo_AlertID | 1234567890ABCDEF | |
MITRE_Technique_ID | T1021 | |
MITRE_Technique_Name | Remote Services | |
MITRE_Tactic_Name | Lateral Movement | |
VTSummaryResult | | |
WebRootReputation | | |
rawMessage | | | ✓
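The BOTsink event body is a run of `Key:[value]` pairs in which the `Details` value itself contains square brackets, so a naive `[^\]]*` regex splits that field in the wrong place. The parser below is an added example written for this page, not Devo's or Attivo's own parsing code: it takes the sample log above, separates the syslog header (hostchain and tag) from the body, walks the body with bracket-depth counting so nested brackets stay inside their value, and maps each key to the column names in the field table. Two assumptions are labelled in the code: the syslog header is assumed to always have the shape shown in the sample, and the two keys whose documented column names are not a plain space-to-underscore rewrite (`Dest UserName` and `subscriberName`) are mapped through an explicit alias table. Keys that appear twice in one event (for example `Attacker HostName`) keep their first non-empty value.

```python
import re
from typing import Dict, List, Tuple

# Sample event copied from the page's log sample; the addresses and host names
# in it are the page's placeholders, not a real alert.
SAMPLE_LINE = (
    "<12>2021-01-01 01:00:30.000 localhost=127.0.0.1 ids.attivo.botsink: <9> BOTsink: "
    "Severity:[Medium] Attacker IP:[1.2.3.4] Target Host:[myHost] Target IP:[5.6.7.8] "
    "Target OS:[Windows 2008] Description:[Network Monitoring - Inbound RDP] "
    "Details:[Process [System] has incoming tcp connection from [1.2.3.4:63267] "
    "at [myHost:3389].] Phase:[Information] Service:[RDP] VLANID:[] Forwarder:[eth3] "
    "Attacker IP Domain:[mydomain.com] Target IP Domain:[] Attacker HostName:[] "
    "Attacker MAC:[] Attacker UserNames:[] TargetIP List:[] Target Ports:[] "
    "Target IP Ports:[] Forwarder IP:[] Dest UserName:[] subscriberName:[] "
    "Attacker HostName:[] Attacker MAC:[] Attacker UserNames:[] "
    "Attivo AlertID:[1234567890ABCDEF] MITRE Technique ID:[T1021] "
    "MITRE Technique Name:[Remote Services] MITRE Tactic Name:[Lateral Movement] "
    "VTSummaryResult:[] WebRootReputation:[]"
)

# Assumption: the header always looks like the sample, i.e.
# "<pri>YYYY-MM-DD hh:mm:ss.mmm <hostchain> <tag>: <n> BOTsink: <body>".
HEADER_RE = re.compile(
    r"^<\d+>(?P<timestamp>\S+ \S+) (?P<hostchain>\S+) (?P<tag>[\w.]+): "
    r"<\d+> BOTsink: (?P<body>.*)$"
)

# Assumed alias table: these two log keys are documented under column names that
# differ from a plain "space to underscore" rewrite (see the field table above).
COLUMN_ALIASES = {
    "Dest_UserName": "Dest_UserNames",
    "subscriberName": "suscriberName",
}


def parse_fields(body: str) -> List[Tuple[str, str]]:
    """Split a BOTsink body into (key, value) pairs, honouring nested brackets."""
    pairs: List[Tuple[str, str]] = []
    i, n = 0, len(body)
    while i < n:
        while i < n and body[i] == " ":      # skip separators between pairs
            i += 1
        j = body.find(":[", i)               # the key runs up to the ":[" opener
        if j == -1:
            break
        key = body[i:j].strip()
        depth, k = 1, j + 2                  # we are now just inside the "["
        start = k
        while k < n and depth > 0:           # count brackets so "[System]" etc.
            if body[k] == "[":               # stay inside the Details value
                depth += 1
            elif body[k] == "]":
                depth -= 1
            k += 1
        if depth != 0:
            raise ValueError(f"unterminated value for key {key!r}")
        pairs.append((key, body[start:k - 1]))
        i = k
    return pairs


def parse_botsink(line: str) -> Dict[str, str]:
    """Turn one raw syslog line into a dict keyed by the documented column names."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("line does not match the expected BOTsink syslog header")
    record: Dict[str, str] = {"hostchain": m["hostchain"], "tag": m["tag"]}
    for key, value in parse_fields(m["body"]):
        col = key.replace(" ", "_")
        col = COLUMN_ALIASES.get(col, col)
        # Repeated keys: keep the first non-empty value, never let an empty
        # later copy overwrite a populated earlier one.
        if col not in record or (not record[col] and value):
            record[col] = value
    return record


def summarize(record: Dict[str, str]) -> str:
    """One-line triage summary suitable for an alert title."""
    g = record.get
    return (f"{g('Severity', '?')}: {g('Attacker_IP', '?')} -> {g('Target_Host', '?')} "
            f"via {g('Service', '?')} ({g('MITRE_Technique_ID', '?')} {g('MITRE_Tactic_Name', '?')})")


if __name__ == "__main__":
    rec = parse_botsink(SAMPLE_LINE)
    for col, val in rec.items():
        print(f"{col:22} {val}")
    print(summarize(rec))
```

Running the block prints every documented column populated from the sample, with `Details` kept intact as a single value. Feeding it a truncated line (a value whose closing bracket was lost in transport) raises `ValueError` instead of silently merging the rest of the event into one field, which is the failure mode worth catching before such records reach detection rules.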