
ids.attivo

Introduction

The tags beginning with ids.attivo identify events generated by Attivo BOTsink.

Valid tags and data tables

The full tag must have 3 levels. The first two are fixed as ids.attivo. The third level identifies the type of events sent.

Technology | Brand  | Type
ids        | attivo | botsink

These are the valid tags and corresponding data tables that will receive the parsers' data:

Tag                | Data table
ids.attivo.botsink | ids.attivo.botsink

Log samples

The following are sample logs sent to each of the ids.attivo data tables. Under each sample log you will also find how the information is parsed into your data table.

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

ids.attivo.botsink

<12>2021-01-01 01:00:30.000 localhost=127.0.0.1 ids.attivo.botsink: <9> BOTsink: Severity:[Medium] Attacker IP:[1.2.3.4] Target Host:[myHost] Target IP:[5.6.7.8] Target OS:[Windows 2008] Description:[Network Monitoring - Inbound RDP] Details:[Process [System] has incoming tcp connection from [1.2.3.4:63267] at [myHost:3389].] Phase:[Information] Service:[RDP] VLANID:[] Forwarder:[eth3] Attacker IP Domain:[mydomain.com] Target IP Domain:[] Attacker HostName:[] Attacker MAC:[] Attacker UserNames:[] TargetIP List:[] Target Ports:[] Target IP Ports:[] Forwarder IP:[] Dest UserName:[] subscriberName:[] Attacker HostName:[] Attacker MAC:[] Attacker UserNames:[] Attivo AlertID:[1234567890ABCDEF] MITRE Technique ID:[T1021] MITRE Technique Name:[Remote Services] MITRE Tactic Name:[Lateral Movement] VTSummaryResult:[] WebRootReputation:[]

And this is how the log would be parsed:

Field | Value | Type | Extra fields
hostchain | localhost=127.0.0.1 | str |
tag | ids.attivo.botsink | str |
Severity | Medium | str |
Attacker_IP | 1.2.3.4 | ip4 |
Target_Host | myHost | str |
Target_IP | 5.6.7.8 | ip4 |
Target_OS | Windows 2008 | str |
Description | Network Monitoring - Inbound RDP | str |
Details | Process [System] has incoming tcp connection from [1.2.3.4:63267] at [myHost:3389]. | str |
Phase | Information | str |
Service | RDP | str |
VLANID | null | str |
Forwarder | eth3 | str |
Attacker_IP_Domain | mydomain.com | str |
Target_IP_Domain | null | str |
Attacker_HostName | null | str |
Attacker_UserNames | null | str |
TargetIP_List | null | str |
Target_Ports | null | str |
Target_IP_Ports | null | str |
Forwarder_IP | null | ip4 |
Dest_UserNames | null | str |
suscriberName | null | str |
Attacker_MAC | null | str |
Attivo_AlertID | 1234567890ABCDEF | str |
MITRE_Technique_ID | T1021 | str |
MITRE_Technique_Name | Remote Services | str |
MITRE_Tactic_Name | Lateral Movement | str |
VTSummaryResult | null | str |
WebRootReputation | null | str |
rawMessage | <9> BOTsink: Severity:[Medium] Attacker IP:[1.2.3.4] Target Host:[myHost] Target IP:[5.6.7.8] Target OS:[Windows 2008] Description:[Network Monitoring - Inbound RDP] Details:[Process [System] has incoming tcp connection from [1.2.3.4:63267] at [myHost:3389].] Phase:[Information] Service:[RDP] VLANID:[] Forwarder:[eth3] Attacker IP Domain:[mydomain.com] Target IP Domain:[] Attacker HostName:[] Attacker MAC:[] Attacker UserNames:[] TargetIP List:[] Target Ports:[] Target IP Ports:[] Forwarder IP:[] Dest UserName:[] subscriberName:[] Attacker HostName:[] Attacker MAC:[] Attacker UserNames:[] Attivo AlertID:[1234567890ABCDEF] MITRE Technique ID:[T1021] MITRE Technique Name:[Remote Services] MITRE Tactic Name:[Lateral Movement] VTSummaryResult:[] WebRootReputation:[] | str | ✓
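The following Python snippet is an added example, not code from the Devo documentation or from Attivo: it parses the BOTsink Key:[value] format of the sample event above into the column names shown in the table, so you can see how nested brackets in Details, empty brackets (null) and the keys the appliance repeats (Attacker HostName, Attacker MAC) are handled. The SAMPLE string is a constructed copy of the page's event with the syslog header removed; IP_COLUMNS lists the columns the table types as ip4.

```python
import ipaddress

# Constructed copy of the sample event shown on this page (syslog header stripped).
SAMPLE = (
    "<9> BOTsink: Severity:[Medium] Attacker IP:[1.2.3.4] Target Host:[myHost] "
    "Target IP:[5.6.7.8] Target OS:[Windows 2008] "
    "Description:[Network Monitoring - Inbound RDP] "
    "Details:[Process [System] has incoming tcp connection from "
    "[1.2.3.4:63267] at [myHost:3389].] Phase:[Information] Service:[RDP] "
    "VLANID:[] Forwarder:[eth3] Attacker HostName:[] Attacker MAC:[] "
    "Forwarder IP:[] Attacker HostName:[] Attacker MAC:[] "
    "Attivo AlertID:[1234567890ABCDEF] MITRE Technique ID:[T1021] "
    "MITRE Technique Name:[Remote Services] MITRE Tactic Name:[Lateral Movement]"
)

# Columns the data table types as ip4; values are validated before being kept.
IP_COLUMNS = {"Attacker_IP", "Target_IP", "Forwarder_IP"}


def parse_botsink(message):
    """Return {column: value} for one BOTsink 'Key:[value]' message.

    Column names replace spaces with underscores (Attacker IP -> Attacker_IP),
    empty brackets become None (shown as null in the table), nested brackets
    inside a value (the Details field) are preserved, and a key the appliance
    repeats keeps its first value.
    """
    _, _, body = message.partition("BOTsink:")
    fields = {}
    i = 0
    while True:
        j = body.find(":[", i)          # next 'Key:[' boundary
        if j < 0:
            break
        key = body[i:j].strip().replace(" ", "_")
        # Walk forward to the ']' that balances the '[' at position j+1.
        depth, k = 0, j + 1
        while k < len(body):
            if body[k] == "[":
                depth += 1
            elif body[k] == "]":
                depth -= 1
                if depth == 0:
                    break
            k += 1
        raw = body[j + 2:k]
        value = raw if raw else None
        if key in IP_COLUMNS and value is not None:
            value = str(ipaddress.ip_address(value))  # raises on a malformed address
        fields.setdefault(key, value)
        i = k + 1
    return fields
```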