Logz.io

Overview


Fetch & remediate security incidents identified by Logz.io Cloud SIEM This integration was integrated and tested with Logz.io platform.

Logz.io Playbook


Logz.Io Handle Alert: used to handle alerts retrieved from Logz.io. The playbook will retrieve the related events that generated the alert using the logzio-get-logs-by-event-id command

Use Cases


Integrate with Logz.io Cloud SIEM to automatically remediate security incidents identified by Logz.io and increase observability into incident details. The integration allows Cortex XSOAR users to automatically remediate incidents identified by Logz.io Cloud SIEM using Cortex XSOAR Playbooks. In addition, users can query Logz.io directly from Cortex XSOAR to investigate open questions or retrieve the logs responsible for triggering security rules.

Configure Logz.io on Cortex XSOAR


  1. Navigate to Settings > Integrations > Analytics & SIEM.
  2. Search for Logz.io.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Fetch incidents.
    • Incident type
    • API token for Logz.io Security account
    • API token for Logz.io Operations account
    • Region code of your Logz.io account
    • Filter on rule names (Lucene syntax)
    • Filter by rule severity
    • First fetch time range ({number} {time unit}, e.g., 1 hour, 30 minutes)
    • Max. number of incidents fetched per run
    • Trust any certificate (not secure)
    • Use system proxy settings
  4. Click Test to validate the URLs, token, and connection.

Commands


You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. logzio-search-logs
  2. logzio-get-logs-by-event-id

1. logzio-search-logs


Returns logs from your Logz.io Operations account by Lucene query

Note: The search time range can span over 2 calender days at most. If you supply a time range greater than that, the search window will be the last 2 calender days within the range you supplied.

Required Permissions

Your Logz.io account type should be PRO or above.

Base Command

logzio-search-logs

Input
Argument NameDescriptionRequired
queryA string specifying the search query, written in Apache Lucene syntax e.g. 'fname:John AND sname:Smith' .Required
sizeAn integer specifying the maximum number of results to return.Optional
from_timeSpecifies the earliest timestamp to be returned by the query.Optional
to_timeSpecifies the latest timestamp to be returned by the query.Optional
timeoutTimeout in secondsOptional
Context Output
PathTypeDescription
Logzio.ResultUnknownAn array of search results
Logzio.Result.typestringLog type in the index
Logzio.Result.timestampdateThe log's timestamp
Command Example

!logzio-search-logs query="ThreatType:trojan OR input.type:tcp" size="5"

Context Example
{
"Logzio.Result": [
{
"ThreatType": [
"trojan",
"trojan"
],
"Severity": [
"3",
"3"
],
"DetectionMessage": [
"IDS_OAS_DEFAULT_THREAT_MESSAGE",
"IDS_OAS_DEFAULT_THREAT_MESSAGE"
],
"@timestamp": "2020-05-06T00:01:04.441+0000",
"TargetFileSize": [
"249952",
"249952"
],
"domain": [
"Win-Sec-2",
"Win-Sec-2"
],
"tenantGUID": "{00000000-0000-0000-0000-000000000000}",
"SecondActionStatus": [
"False",
"False"
],
"EPOEvents": "EventFwd",
"DurationBeforeDetection": [
"18",
"18"
],
"Cleanable": [
"True",
"True"
],
"bpsId": "1",
"FirstAttemptedAction": [
"IDS_ALERT_THACT_ATT_CLE",
"IDS_ALERT_THACT_ATT_CLE"
],
"SourceProcessName": [
"C:\\Windows\\explorer.exe",
"C:\\Windows\\explorer.exe"
],
"AnalyzerName": [
"McAfee Endpoint Security",
"McAfee Endpoint Security"
],
"AnalyzerContentCreationDate": [
"2020-02-22T08:24:00Z",
"2020-02-22T08:24:00Z"
],
"TargetAccessTime": [
"2020-02-23T15:43:22Z",
"2020-02-23T15:43:22Z"
],
"TargetCreateTime": [
"2020-02-23T15:43:21Z",
"2020-02-23T15:43:21Z"
],
"TargetHostName": [
"WinSec3",
"WinSec3"
],
"logzio_codec": "plain",
"DetectedUTC": [
"2020-02-23T15:43:40Z",
"2020-02-23T15:43:40Z"
],
"Analyzer": [
"ENDP_AM_1060",
"ENDP_AM_1060"
],
"TargetHash": [
"81da244a770c46ace2cf112214f8e75e",
"81da244a770c46ace2cf112214f8e75e"
],
"AttackVectorType": [
"4",
"4"
],
"tags": [
"beats-5015",
"_grokparsefailure",
"_grokparsefailure",
"_logz_http_bulk_json_8070"
],
"ThreatActionTaken": [
"IDS_ALERT_ACT_TAK_DEL",
"IDS_ALERT_ACT_TAK_DEL"
],
"ThreatCategory": [
"av.detect",
"av.detect"
],
"AnalyzerEngineVersion": [
"6010.8670",
"6010.8670"
],
"SourceHostName": [
"WinSec3",
"WinSec3"
],
"FirstActionStatus": [
"True",
"True"
],
"TargetName": [
"test.exe",
"test.exe"
],
"TargetFileName": [
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth\\test.exe",
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth\\test.exe"
],
"tenantId": "1",
"log": {
"source": {
"address": "10.0.1.9:49874"
}
},
"GMTTime": [
"2020-02-23T15:43:40",
"2020-02-23T15:43:40"
],
"ThreatEventID": [
"1027",
"1027"
],
"AMCoreContentVersion": [
"3990.0",
"3990.0"
],
"AnalyzerDATVersion": [
"3990.0",
"3990.0"
],
"timestamp": "2020-05-06T00:01:04.441+0000",
"NaturalLangDescription": [
"IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=test.exe|TargetPath=C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\\Windows\\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\\Logzio",
"IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetNametest.exe|TargetPath=C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\\Windows\\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\\Logzio"
],
"beat_agent": {
"ephemeral_id": "8d15318f-3a3e-436c-a93e-1b6e8fec0cfb",
"type": "filebeat",
"hostname": "SecLinux",
"version": "7.5.0",
"id": "348cbd8b-b4ce-4531-b6d1-ab6beb37d65f"
},
"AnalyzerVersion": [
"10.6.1",
"10.6.1"
],
"TargetUserName": [
"WinSec3\\Logzio",
"WinSec3\\Logzio"
],
"TaskName": [
"IDS_OAS_TASK_NAME",
"IDS_OAS_TASK_NAME"
],
"ThreatName": [
"Trojan-FRTB!81DA244A770C",
"Trojan-FRTB!81DA244A770C"
],
"AnalyzerHostName": [
"WinSec3",
"WinSec3"
],
"EPOevent": {
"SoftwareInfo": {
"CommonFields": {
"AnalyzerDATVersion": "3990.0",
"Analyzer": "ENDP_AM_1060",
"AnalyzerDetectionMethod": "On-Access Scan",
"AnalyzerVersion": "10.6.1",
"AnalyzerEngineVersion": "6010.8670",
"AnalyzerHostName": "WinSec3",
"AnalyzerName": "McAfee Endpoint Security"
},
"Event": {
"EventID": "1027",
"GMTTime": "2020-02-23T15:43:40",
"CustomFields": {
"DetectionMessage": "IDS_OAS_DEFAULT_THREAT_MESSAGE",
"TargetFileSize": "249952",
"SecondActionStatus": "false",
"DurationBeforeDetection": "18",
"Cleanable": "true",
"FirstAttemptedAction": "IDS_ALERT_THACT_ATT_CLE",
"AnalyzerContentCreationDate": "2020-02-22T08:24:00Z",
"TargetAccessTime": "2020-02-23T15:43:22Z",
"AttackVectorType": "4",
"ThreatDetectedOnCreation": "true",
"FirstActionStatus": "true",
"TargetName": "test.exe",
"AMCoreContentVersion": "3990.0",
"NaturalLangDescription": "IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=test.exe|TargetPath=C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\\Windows\\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\\Logzio",
"TaskName": "IDS_OAS_TASK_NAME",
"TargetHash": "81da244a770c46ace2cf112214f8e75e",
"SecondAttemptedAction": "IDS_ALERT_THACT_ATT_DEL",
"TargetCreateTime": "2020-02-23T15:43:21Z",
"TargetModifyTime": "2020-02-23T15:43:22Z",
"BladeName": "IDS_BLADE_NAME_SPB",
"AnalyzerGTIQuery": "true",
"AccessRequested_obj": {},
"TargetPath": "C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth"
},
"CommonFields": {
"ThreatType": "trojan",
"ThreatEventID": "1027",
"TargetHostName": "WinSec3",
"DetectedUTC": "2020-02-23T15:43:40Z",
"TargetFileName": "C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth\\test.exe",
"ThreatSeverity": "2",
"ThreatCategory": "av.detect",
"TargetUserName": "WinSec3\\Logzio",
"SourceHostName": "WinSec3",
"ThreatName": "Trojan-FRTB!81DA244A770C",
"SourceProcessName": "C:\\Windows\\explorer.exe",
"ThreatActionTaken": "IDS_ALERT_ACT_TAK_DEL",
"ThreatHandled": "true"
},
"Severity": "3"
}
},
"MachineInfo": {
"RawMACAddress": "000d3a373482",
"UserName": "SYSTEM",
"MachineName": "WinSec3",
"OSName": "Windows 10 Workstation",
"TimeZoneBias": "0",
"AgentGUID": "{d140d3c9-53ed-4367-857d-a5a396a97775}",
"IPAddress": "10.0.1.10"
}
},
"SecondAttemptedAction": [
"IDS_ALERT_THACT_ATT_DEL",
"IDS_ALERT_THACT_ATT_DEL"
],
"EventID": [
"1027",
"1027"
],
"input": {
"type": "tcp"
},
"type": "mcafee_epo",
"tenantNodePath": "1\\2",
"TargetModifyTime": [
"2020-02-23T15:43:22Z",
"2020-02-23T15:43:22Z"
],
"AnalyzerDetectionMethod": [
"On-Access Scan",
"On-Access Scan"
],
"BladeName": [
"IDS_BLADE_NAME_SPB",
"IDS_BLADE_NAME_SPB"
],
"ThreatSeverity": [
"2",
"2"
],
"AnalyzerGTIQuery": [
"True",
"True"
],
"AccessRequested": [
"",
""
],
"ecs": {
"version": "1.1.0"
},
"ThreatHandled": [
"True",
"True"
],
"TargetPath": [
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth",
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth"
],
"@metadata": {
"beat": "filebeat",
"version": "7.5.0",
"type": "_doc"
},
"ThreatDetectedOnCreation": [
"True",
"True"
]
},
{
"ThreatType": [
"trojan",
"trojan"
],
"Severity": [
"3",
"3"
],
"DetectionMessage": [
"IDS_OAS_DEFAULT_THREAT_MESSAGE",
"IDS_OAS_DEFAULT_THREAT_MESSAGE"
],
"@timestamp": "2020-05-06T02:01:13.778+0000",
"TargetFileSize": [
"249952",
"249952"
],
"domain": [
"Win-Sec-2",
"Win-Sec-2"
],
"tenantGUID": "{00000000-0000-0000-0000-000000000000}",
"SecondActionStatus": [
"False",
"False"
],
"EPOEvents": "EventFwd",
"DurationBeforeDetection": [
"18",
"18"
],
"Cleanable": [
"True",
"True"
],
"bpsId": "1",
"FirstAttemptedAction": [
"IDS_ALERT_THACT_ATT_CLE",
"IDS_ALERT_THACT_ATT_CLE"
],
"SourceProcessName": [
"C:\\Windows\\explorer.exe",
"C:\\Windows\\explorer.exe"
],
"AnalyzerName": [
"McAfee Endpoint Security",
"McAfee Endpoint Security"
],
"AnalyzerContentCreationDate": [
"2020-02-22T08:24:00Z",
"2020-02-22T08:24:00Z"
],
"TargetAccessTime": [
"2020-02-23T15:43:22Z",
"2020-02-23T15:43:22Z"
],
"TargetCreateTime": [
"2020-02-23T15:43:21Z",
"2020-02-23T15:43:21Z"
],
"TargetHostName": [
"WinSec3",
"WinSec3"
],
"logzio_codec": "plain",
"DetectedUTC": [
"2020-02-23T15:43:40Z",
"2020-02-23T15:43:40Z"
],
"Analyzer": [
"ENDP_AM_1060",
"ENDP_AM_1060"
],
"TargetHash": [
"81da244a770c46ace2cf112214f8e75e",
"81da244a770c46ace2cf112214f8e75e"
],
"AttackVectorType": [
"4",
"4"
],
"tags": [
"beats-5015",
"_grokparsefailure",
"_grokparsefailure",
"_logz_http_bulk_json_8070"
],
"ThreatActionTaken": [
"IDS_ALERT_ACT_TAK_DEL",
"IDS_ALERT_ACT_TAK_DEL"
],
"ThreatCategory": [
"av.detect",
"av.detect"
],
"AnalyzerEngineVersion": [
"6010.8670",
"6010.8670"
],
"SourceHostName": [
"WinSec3",
"WinSec3"
],
"FirstActionStatus": [
"True",
"True"
],
"TargetName": [
"test.exe",
"test.exe"
],
"TargetFileName": [
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth\\test.exe",
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth\\test.exe"
],
"tenantId": "1",
"log": {
"source": {
"address": "10.0.1.9:49874"
}
},
"GMTTime": [
"2020-02-23T15:43:40",
"2020-02-23T15:43:40"
],
"ThreatEventID": [
"1027",
"1027"
],
"AMCoreContentVersion": [
"3990.0",
"3990.0"
],
"AnalyzerDATVersion": [
"3990.0",
"3990.0"
],
"timestamp": "2020-05-06T02:01:13.778+0000",
"NaturalLangDescription": [
"IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=test.exe|TargetPath=C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\\Windows\\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\\Logzio",
"IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetNametest.exe|TargetPath=C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\\Windows\\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\\Logzio"
],
"beat_agent": {
"ephemeral_id": "8d15318f-3a3e-436c-a93e-1b6e8fec0cfb",
"type": "filebeat",
"hostname": "SecLinux",
"version": "7.5.0",
"id": "348cbd8b-b4ce-4531-b6d1-ab6beb37d65f"
},
"AnalyzerVersion": [
"10.6.1",
"10.6.1"
],
"TargetUserName": [
"WinSec3\\Logzio",
"WinSec3\\Logzio"
],
"TaskName": [
"IDS_OAS_TASK_NAME",
"IDS_OAS_TASK_NAME"
],
"ThreatName": [
"Trojan-FRTB!81DA244A770C",
"Trojan-FRTB!81DA244A770C"
],
"AnalyzerHostName": [
"WinSec3",
"WinSec3"
],
"EPOevent": {
"SoftwareInfo": {
"CommonFields": {
"AnalyzerDATVersion": "3990.0",
"Analyzer": "ENDP_AM_1060",
"AnalyzerDetectionMethod": "On-Access Scan",
"AnalyzerVersion": "10.6.1",
"AnalyzerEngineVersion": "6010.8670",
"AnalyzerHostName": "WinSec3",
"AnalyzerName": "McAfee Endpoint Security"
},
"Event": {
"EventID": "1027",
"GMTTime": "2020-02-23T15:43:40",
"CustomFields": {
"DetectionMessage": "IDS_OAS_DEFAULT_THREAT_MESSAGE",
"TargetFileSize": "249952",
"SecondActionStatus": "false",
"DurationBeforeDetection": "18",
"Cleanable": "true",
"FirstAttemptedAction": "IDS_ALERT_THACT_ATT_CLE",
"AnalyzerContentCreationDate": "2020-02-22T08:24:00Z",
"TargetAccessTime": "2020-02-23T15:43:22Z",
"AttackVectorType": "4",
"ThreatDetectedOnCreation": "true",
"FirstActionStatus": "true",
"TargetName": "test.exe",
"AMCoreContentVersion": "3990.0",
"NaturalLangDescription": "IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=test.exe|TargetPath=C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\\Windows\\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\\Logzio",
"TaskName": "IDS_OAS_TASK_NAME",
"TargetHash": "81da244a770c46ace2cf112214f8e75e",
"SecondAttemptedAction": "IDS_ALERT_THACT_ATT_DEL",
"TargetCreateTime": "2020-02-23T15:43:21Z",
"TargetModifyTime": "2020-02-23T15:43:22Z",
"BladeName": "IDS_BLADE_NAME_SPB",
"AnalyzerGTIQuery": "true",
"AccessRequested_obj": {},
"TargetPath": "C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth"
},
"CommonFields": {
"ThreatType": "trojan",
"ThreatEventID": "1027",
"TargetHostName": "WinSec3",
"DetectedUTC": "2020-02-23T15:43:40Z",
"TargetFileName": "C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth\\test.exe",
"ThreatSeverity": "2",
"ThreatCategory": "av.detect",
"TargetUserName": "WinSec3\\Logzio",
"SourceHostName": "WinSec3",
"ThreatName": "Trojan-FRTB!81DA244A770C",
"SourceProcessName": "C:\\Windows\\explorer.exe",
"ThreatActionTaken": "IDS_ALERT_ACT_TAK_DEL",
"ThreatHandled": "true"
},
"Severity": "3"
}
},
"MachineInfo": {
"RawMACAddress": "000d3a373482",
"UserName": "SYSTEM",
"MachineName": "WinSec3",
"OSName": "Windows 10 Workstation",
"TimeZoneBias": "0",
"AgentGUID": "{d140d3c9-53ed-4367-857d-a5a396a97775}",
"IPAddress": "10.0.1.10"
}
},
"SecondAttemptedAction": [
"IDS_ALERT_THACT_ATT_DEL",
"IDS_ALERT_THACT_ATT_DEL"
],
"EventID": [
"1027",
"1027"
],
"input": {
"type": "tcp"
},
"type": "mcafee_epo",
"tenantNodePath": "1\\2",
"TargetModifyTime": [
"2020-02-23T15:43:22Z",
"2020-02-23T15:43:22Z"
],
"AnalyzerDetectionMethod": [
"On-Access Scan",
"On-Access Scan"
],
"BladeName": [
"IDS_BLADE_NAME_SPB",
"IDS_BLADE_NAME_SPB"
],
"ThreatSeverity": [
"2",
"2"
],
"AnalyzerGTIQuery": [
"True",
"True"
],
"AccessRequested": [
"",
""
],
"ecs": {
"version": "1.1.0"
},
"ThreatHandled": [
"True",
"True"
],
"TargetPath": [
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth",
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth"
],
"@metadata": {
"beat": "filebeat",
"version": "7.5.0",
"type": "_doc"
},
"ThreatDetectedOnCreation": [
"True",
"True"
]
},
{
"ThreatType": [
"trojan",
"trojan"
],
"Severity": [
"3",
"3"
],
"DetectionMessage": [
"IDS_OAS_DEFAULT_THREAT_MESSAGE",
"IDS_OAS_DEFAULT_THREAT_MESSAGE"
],
"@timestamp": "2020-05-06T02:16:14.944+0000",
"TargetFileSize": [
"249952",
"249952"
],
"domain": [
"Win-Sec-2",
"Win-Sec-2"
],
"tenantGUID": "{00000000-0000-0000-0000-000000000000}",
"SecondActionStatus": [
"False",
"False"
],
"EPOEvents": "EventFwd",
"DurationBeforeDetection": [
"18",
"18"
],
"Cleanable": [
"True",
"True"
],
"bpsId": "1",
"FirstAttemptedAction": [
"IDS_ALERT_THACT_ATT_CLE",
"IDS_ALERT_THACT_ATT_CLE"
],
"SourceProcessName": [
"C:\\Windows\\explorer.exe",
"C:\\Windows\\explorer.exe"
],
"AnalyzerName": [
"McAfee Endpoint Security",
"McAfee Endpoint Security"
],
"AnalyzerContentCreationDate": [
"2020-02-22T08:24:00Z",
"2020-02-22T08:24:00Z"
],
"TargetAccessTime": [
"2020-02-23T15:43:22Z",
"2020-02-23T15:43:22Z"
],
"TargetCreateTime": [
"2020-02-23T15:43:21Z",
"2020-02-23T15:43:21Z"
],
"TargetHostName": [
"WinSec3",
"WinSec3"
],
"logzio_codec": "plain",
"DetectedUTC": [
"2020-02-23T15:43:40Z",
"2020-02-23T15:43:40Z"
],
"Analyzer": [
"ENDP_AM_1060",
"ENDP_AM_1060"
],
"TargetHash": [
"81da244a770c46ace2cf112214f8e75e",
"81da244a770c46ace2cf112214f8e75e"
],
"AttackVectorType": [
"4",
"4"
],
"tags": [
"beats-5015",
"_grokparsefailure",
"_grokparsefailure",
"_logz_http_bulk_json_8070"
],
"ThreatActionTaken": [
"IDS_ALERT_ACT_TAK_DEL",
"IDS_ALERT_ACT_TAK_DEL"
],
"ThreatCategory": [
"av.detect",
"av.detect"
],
"AnalyzerEngineVersion": [
"6010.8670",
"6010.8670"
],
"SourceHostName": [
"WinSec3",
"WinSec3"
],
"FirstActionStatus": [
"True",
"True"
],
"TargetName": [
"test.exe",
"test.exe"
],
"TargetFileName": [
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth\\test.exe",
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth\\test.exe"
],
"tenantId": "1",
"log": {
"source": {
"address": "10.0.1.9:49874"
}
},
"GMTTime": [
"2020-02-23T15:43:40",
"2020-02-23T15:43:40"
],
"ThreatEventID": [
"1027",
"1027"
],
"AMCoreContentVersion": [
"3990.0",
"3990.0"
],
"AnalyzerDATVersion": [
"3990.0",
"3990.0"
],
"timestamp": "2020-05-06T02:16:14.944+0000",
"NaturalLangDescription": [
"IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=test.exe|TargetPath=C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\\Windows\\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\\Logzio",
"IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetNametest.exe|TargetPath=C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\\Windows\\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\\Logzio"
],
"beat_agent": {
"ephemeral_id": "8d15318f-3a3e-436c-a93e-1b6e8fec0cfb",
"type": "filebeat",
"hostname": "SecLinux",
"version": "7.5.0",
"id": "348cbd8b-b4ce-4531-b6d1-ab6beb37d65f"
},
"AnalyzerVersion": [
"10.6.1",
"10.6.1"
],
"TargetUserName": [
"WinSec3\\Logzio",
"WinSec3\\Logzio"
],
"TaskName": [
"IDS_OAS_TASK_NAME",
"IDS_OAS_TASK_NAME"
],
"ThreatName": [
"Trojan-FRTB!81DA244A770C",
"Trojan-FRTB!81DA244A770C"
],
"AnalyzerHostName": [
"WinSec3",
"WinSec3"
],
"EPOevent": {
"SoftwareInfo": {
"CommonFields": {
"AnalyzerDATVersion": "3990.0",
"Analyzer": "ENDP_AM_1060",
"AnalyzerDetectionMethod": "On-Access Scan",
"AnalyzerVersion": "10.6.1",
"AnalyzerEngineVersion": "6010.8670",
"AnalyzerHostName": "WinSec3",
"AnalyzerName": "McAfee Endpoint Security"
},
"Event": {
"EventID": "1027",
"GMTTime": "2020-02-23T15:43:40",
"CustomFields": {
"DetectionMessage": "IDS_OAS_DEFAULT_THREAT_MESSAGE",
"TargetFileSize": "249952",
"SecondActionStatus": "false",
"DurationBeforeDetection": "18",
"Cleanable": "true",
"FirstAttemptedAction": "IDS_ALERT_THACT_ATT_CLE",
"AnalyzerContentCreationDate": "2020-02-22T08:24:00Z",
"TargetAccessTime": "2020-02-23T15:43:22Z",
"AttackVectorType": "4",
"ThreatDetectedOnCreation": "true",
"FirstActionStatus": "true",
"TargetName": "test.exe",
"AMCoreContentVersion": "3990.0",
"NaturalLangDescription": "IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=test.exe|TargetPath=C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\\Windows\\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\\Logzio",
"TaskName": "IDS_OAS_TASK_NAME",
"TargetHash": "81da244a770c46ace2cf112214f8e75e",
"SecondAttemptedAction": "IDS_ALERT_THACT_ATT_DEL",
"TargetCreateTime": "2020-02-23T15:43:21Z",
"TargetModifyTime": "2020-02-23T15:43:22Z",
"BladeName": "IDS_BLADE_NAME_SPB",
"AnalyzerGTIQuery": "true",
"AccessRequested_obj": {},
"TargetPath": "C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth"
},
"CommonFields": {
"ThreatType": "trojan",
"ThreatEventID": "1027",
"TargetHostName": "WinSec3",
"DetectedUTC": "2020-02-23T15:43:40Z",
"TargetFileName": "C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth\\test.exe",
"ThreatSeverity": "2",
"ThreatCategory": "av.detect",
"TargetUserName": "WinSec3\\Logzio",
"SourceHostName": "WinSec3",
"ThreatName": "Trojan-FRTB!81DA244A770C",
"SourceProcessName": "C:\\Windows\\explorer.exe",
"ThreatActionTaken": "IDS_ALERT_ACT_TAK_DEL",
"ThreatHandled": "true"
},
"Severity": "3"
}
},
"MachineInfo": {
"RawMACAddress": "000d3a373482",
"UserName": "SYSTEM",
"MachineName": "WinSec3",
"OSName": "Windows 10 Workstation",
"TimeZoneBias": "0",
"AgentGUID": "{d140d3c9-53ed-4367-857d-a5a396a97775}",
"IPAddress": "10.0.1.10"
}
},
"SecondAttemptedAction": [
"IDS_ALERT_THACT_ATT_DEL",
"IDS_ALERT_THACT_ATT_DEL"
],
"EventID": [
"1027",
"1027"
],
"input": {
"type": "tcp"
},
"type": "mcafee_epo",
"tenantNodePath": "1\\2",
"TargetModifyTime": [
"2020-02-23T15:43:22Z",
"2020-02-23T15:43:22Z"
],
"AnalyzerDetectionMethod": [
"On-Access Scan",
"On-Access Scan"
],
"BladeName": [
"IDS_BLADE_NAME_SPB",
"IDS_BLADE_NAME_SPB"
],
"ThreatSeverity": [
"2",
"2"
],
"AnalyzerGTIQuery": [
"True",
"True"
],
"AccessRequested": [
"",
""
],
"ecs": {
"version": "1.1.0"
},
"ThreatHandled": [
"True",
"True"
],
"TargetPath": [
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth",
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth"
],
"@metadata": {
"beat": "filebeat",
"version": "7.5.0",
"type": "_doc"
},
"ThreatDetectedOnCreation": [
"True",
"True"
]
},
{
"ThreatType": [
"trojan",
"trojan"
],
"Severity": [
"3",
"3"
],
"DetectionMessage": [
"IDS_OAS_DEFAULT_THREAT_MESSAGE",
"IDS_OAS_DEFAULT_THREAT_MESSAGE"
],
"@timestamp": "2020-05-06T02:31:16.087+0000",
"TargetFileSize": [
"249952",
"249952"
],
"domain": [
"Win-Sec-2",
"Win-Sec-2"
],
"tenantGUID": "{00000000-0000-0000-0000-000000000000}",
"SecondActionStatus": [
"False",
"False"
],
"EPOEvents": "EventFwd",
"DurationBeforeDetection": [
"18",
"18"
],
"Cleanable": [
"True",
"True"
],
"bpsId": "1",
"FirstAttemptedAction": [
"IDS_ALERT_THACT_ATT_CLE",
"IDS_ALERT_THACT_ATT_CLE"
],
"SourceProcessName": [
"C:\\Windows\\explorer.exe",
"C:\\Windows\\explorer.exe"
],
"AnalyzerName": [
"McAfee Endpoint Security",
"McAfee Endpoint Security"
],
"AnalyzerContentCreationDate": [
"2020-02-22T08:24:00Z",
"2020-02-22T08:24:00Z"
],
"TargetAccessTime": [
"2020-02-23T15:43:22Z",
"2020-02-23T15:43:22Z"
],
"TargetCreateTime": [
"2020-02-23T15:43:21Z",
"2020-02-23T15:43:21Z"
],
"TargetHostName": [
"WinSec3",
"WinSec3"
],
"logzio_codec": "plain",
"DetectedUTC": [
"2020-02-23T15:43:40Z",
"2020-02-23T15:43:40Z"
],
"Analyzer": [
"ENDP_AM_1060",
"ENDP_AM_1060"
],
"TargetHash": [
"81da244a770c46ace2cf112214f8e75e",
"81da244a770c46ace2cf112214f8e75e"
],
"AttackVectorType": [
"4",
"4"
],
"tags": [
"beats-5015",
"_grokparsefailure",
"_grokparsefailure",
"_logz_http_bulk_json_8070"
],
"ThreatActionTaken": [
"IDS_ALERT_ACT_TAK_DEL",
"IDS_ALERT_ACT_TAK_DEL"
],
"ThreatCategory": [
"av.detect",
"av.detect"
],
"AnalyzerEngineVersion": [
"6010.8670",
"6010.8670"
],
"SourceHostName": [
"WinSec3",
"WinSec3"
],
"FirstActionStatus": [
"True",
"True"
],
"TargetName": [
"test.exe",
"test.exe"
],
"TargetFileName": [
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth\\test.exe",
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth\\test.exe"
],
"tenantId": "1",
"log": {
"source": {
"address": "10.0.1.9:49874"
}
},
"GMTTime": [
"2020-02-23T15:43:40",
"2020-02-23T15:43:40"
],
"ThreatEventID": [
"1027",
"1027"
],
"AMCoreContentVersion": [
"3990.0",
"3990.0"
],
"AnalyzerDATVersion": [
"3990.0",
"3990.0"
],
"timestamp": "2020-05-06T02:31:16.087+0000",
"NaturalLangDescription": [
"IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=test.exe|TargetPath=C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\\Windows\\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\\Logzio",
"IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetNametest.exe|TargetPath=C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\\Windows\\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\\Logzio"
],
"beat_agent": {
"ephemeral_id": "8d15318f-3a3e-436c-a93e-1b6e8fec0cfb",
"type": "filebeat",
"hostname": "SecLinux",
"version": "7.5.0",
"id": "348cbd8b-b4ce-4531-b6d1-ab6beb37d65f"
},
"AnalyzerVersion": [
"10.6.1",
"10.6.1"
],
"TargetUserName": [
"WinSec3\\Logzio",
"WinSec3\\Logzio"
],
"TaskName": [
"IDS_OAS_TASK_NAME",
"IDS_OAS_TASK_NAME"
],
"ThreatName": [
"Trojan-FRTB!81DA244A770C",
"Trojan-FRTB!81DA244A770C"
],
"AnalyzerHostName": [
"WinSec3",
"WinSec3"
],
"EPOevent": {
"SoftwareInfo": {
"CommonFields": {
"AnalyzerDATVersion": "3990.0",
"Analyzer": "ENDP_AM_1060",
"AnalyzerDetectionMethod": "On-Access Scan",
"AnalyzerVersion": "10.6.1",
"AnalyzerEngineVersion": "6010.8670",
"AnalyzerHostName": "WinSec3",
"AnalyzerName": "McAfee Endpoint Security"
},
"Event": {
"EventID": "1027",
"GMTTime": "2020-02-23T15:43:40",
"CustomFields": {
"DetectionMessage": "IDS_OAS_DEFAULT_THREAT_MESSAGE",
"TargetFileSize": "249952",
"SecondActionStatus": "false",
"DurationBeforeDetection": "18",
"Cleanable": "true",
"FirstAttemptedAction": "IDS_ALERT_THACT_ATT_CLE",
"AnalyzerContentCreationDate": "2020-02-22T08:24:00Z",
"TargetAccessTime": "2020-02-23T15:43:22Z",
"AttackVectorType": "4",
"ThreatDetectedOnCreation": "true",
"FirstActionStatus": "true",
"TargetName": "test.exe",
"AMCoreContentVersion": "3990.0",
"NaturalLangDescription": "IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=test.exe|TargetPath=C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\\Windows\\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\\Logzio",
"TaskName": "IDS_OAS_TASK_NAME",
"TargetHash": "81da244a770c46ace2cf112214f8e75e",
"SecondAttemptedAction": "IDS_ALERT_THACT_ATT_DEL",
"TargetCreateTime": "2020-02-23T15:43:21Z",
"TargetModifyTime": "2020-02-23T15:43:22Z",
"BladeName": "IDS_BLADE_NAME_SPB",
"AnalyzerGTIQuery": "true",
"AccessRequested_obj": {},
"TargetPath": "C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth"
},
"CommonFields": {
"ThreatType": "trojan",
"ThreatEventID": "1027",
"TargetHostName": "WinSec3",
"DetectedUTC": "2020-02-23T15:43:40Z",
"TargetFileName": "C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth\\test.exe",
"ThreatSeverity": "2",
"ThreatCategory": "av.detect",
"TargetUserName": "WinSec3\\Logzio",
"SourceHostName": "WinSec3",
"ThreatName": "Trojan-FRTB!81DA244A770C",
"SourceProcessName": "C:\\Windows\\explorer.exe",
"ThreatActionTaken": "IDS_ALERT_ACT_TAK_DEL",
"ThreatHandled": "true"
},
"Severity": "3"
}
},
"MachineInfo": {
"RawMACAddress": "000d3a373482",
"UserName": "SYSTEM",
"MachineName": "WinSec3",
"OSName": "Windows 10 Workstation",
"TimeZoneBias": "0",
"AgentGUID": "{d140d3c9-53ed-4367-857d-a5a396a97775}",
"IPAddress": "10.0.1.10"
}
},
"SecondAttemptedAction": [
"IDS_ALERT_THACT_ATT_DEL",
"IDS_ALERT_THACT_ATT_DEL"
],
"EventID": [
"1027",
"1027"
],
"input": {
"type": "tcp"
},
"type": "mcafee_epo",
"tenantNodePath": "1\\2",
"TargetModifyTime": [
"2020-02-23T15:43:22Z",
"2020-02-23T15:43:22Z"
],
"AnalyzerDetectionMethod": [
"On-Access Scan",
"On-Access Scan"
],
"BladeName": [
"IDS_BLADE_NAME_SPB",
"IDS_BLADE_NAME_SPB"
],
"ThreatSeverity": [
"2",
"2"
],
"AnalyzerGTIQuery": [
"True",
"True"
],
"AccessRequested": [
"",
""
],
"ecs": {
"version": "1.1.0"
},
"ThreatHandled": [
"True",
"True"
],
"TargetPath": [
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth",
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth"
],
"@metadata": {
"beat": "filebeat",
"version": "7.5.0",
"type": "_doc"
},
"ThreatDetectedOnCreation": [
"True",
"True"
]
},
{
"ThreatType": [
"trojan",
"trojan"
],
"Severity": [
"3",
"3"
],
"DetectionMessage": [
"IDS_OAS_DEFAULT_THREAT_MESSAGE",
"IDS_OAS_DEFAULT_THREAT_MESSAGE"
],
"@timestamp": "2020-05-06T01:46:12.663+0000",
"TargetFileSize": [
"249952",
"249952"
],
"domain": [
"Win-Sec-2",
"Win-Sec-2"
],
"tenantGUID": "{00000000-0000-0000-0000-000000000000}",
"SecondActionStatus": [
"False",
"False"
],
"EPOEvents": "EventFwd",
"DurationBeforeDetection": [
"18",
"18"
],
"Cleanable": [
"True",
"True"
],
"bpsId": "1",
"FirstAttemptedAction": [
"IDS_ALERT_THACT_ATT_CLE",
"IDS_ALERT_THACT_ATT_CLE"
],
"SourceProcessName": [
"C:\\Windows\\explorer.exe",
"C:\\Windows\\explorer.exe"
],
"AnalyzerName": [
"McAfee Endpoint Security",
"McAfee Endpoint Security"
],
"AnalyzerContentCreationDate": [
"2020-02-22T08:24:00Z",
"2020-02-22T08:24:00Z"
],
"TargetAccessTime": [
"2020-02-23T15:43:22Z",
"2020-02-23T15:43:22Z"
],
"TargetCreateTime": [
"2020-02-23T15:43:21Z",
"2020-02-23T15:43:21Z"
],
"TargetHostName": [
"WinSec3",
"WinSec3"
],
"logzio_codec": "plain",
"DetectedUTC": [
"2020-02-23T15:43:40Z",
"2020-02-23T15:43:40Z"
],
"Analyzer": [
"ENDP_AM_1060",
"ENDP_AM_1060"
],
"TargetHash": [
"81da244a770c46ace2cf112214f8e75e",
"81da244a770c46ace2cf112214f8e75e"
],
"AttackVectorType": [
"4",
"4"
],
"tags": [
"beats-5015",
"_grokparsefailure",
"_grokparsefailure",
"_logz_http_bulk_json_8070"
],
"ThreatActionTaken": [
"IDS_ALERT_ACT_TAK_DEL",
"IDS_ALERT_ACT_TAK_DEL"
],
"ThreatCategory": [
"av.detect",
"av.detect"
],
"AnalyzerEngineVersion": [
"6010.8670",
"6010.8670"
],
"SourceHostName": [
"WinSec3",
"WinSec3"
],
"FirstActionStatus": [
"True",
"True"
],
"TargetName": [
"test.exe",
"test.exe"
],
"TargetFileName": [
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth\\test.exe",
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth\\test.exe"
],
"tenantId": "1",
"log": {
"source": {
"address": "10.0.1.9:49874"
}
},
"GMTTime": [
"2020-02-23T15:43:40",
"2020-02-23T15:43:40"
],
"ThreatEventID": [
"1027",
"1027"
],
"AMCoreContentVersion": [
"3990.0",
"3990.0"
],
"AnalyzerDATVersion": [
"3990.0",
"3990.0"
],
"timestamp": "2020-05-06T01:46:12.663+0000",
"NaturalLangDescription": [
"IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=test.exe|TargetPath=C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\\Windows\\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\\Logzio",
"IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetNametest.exe|TargetPath=C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\\Windows\\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\\Logzio"
],
"beat_agent": {
"ephemeral_id": "8d15318f-3a3e-436c-a93e-1b6e8fec0cfb",
"type": "filebeat",
"hostname": "SecLinux",
"version": "7.5.0",
"id": "348cbd8b-b4ce-4531-b6d1-ab6beb37d65f"
},
"AnalyzerVersion": [
"10.6.1",
"10.6.1"
],
"TargetUserName": [
"WinSec3\\Logzio",
"WinSec3\\Logzio"
],
"TaskName": [
"IDS_OAS_TASK_NAME",
"IDS_OAS_TASK_NAME"
],
"ThreatName": [
"Trojan-FRTB!81DA244A770C",
"Trojan-FRTB!81DA244A770C"
],
"AnalyzerHostName": [
"WinSec3",
"WinSec3"
],
"EPOevent": {
"SoftwareInfo": {
"CommonFields": {
"AnalyzerDATVersion": "3990.0",
"Analyzer": "ENDP_AM_1060",
"AnalyzerDetectionMethod": "On-Access Scan",
"AnalyzerVersion": "10.6.1",
"AnalyzerEngineVersion": "6010.8670",
"AnalyzerHostName": "WinSec3",
"AnalyzerName": "McAfee Endpoint Security"
},
"Event": {
"EventID": "1027",
"GMTTime": "2020-02-23T15:43:40",
"CustomFields": {
"DetectionMessage": "IDS_OAS_DEFAULT_THREAT_MESSAGE",
"TargetFileSize": "249952",
"SecondActionStatus": "false",
"DurationBeforeDetection": "18",
"Cleanable": "true",
"FirstAttemptedAction": "IDS_ALERT_THACT_ATT_CLE",
"AnalyzerContentCreationDate": "2020-02-22T08:24:00Z",
"TargetAccessTime": "2020-02-23T15:43:22Z",
"AttackVectorType": "4",
"ThreatDetectedOnCreation": "true",
"FirstActionStatus": "true",
"TargetName": "test.exe",
"AMCoreContentVersion": "3990.0",
"NaturalLangDescription": "IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=test.exe|TargetPath=C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\\Windows\\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\\Logzio",
"TaskName": "IDS_OAS_TASK_NAME",
"TargetHash": "81da244a770c46ace2cf112214f8e75e",
"SecondAttemptedAction": "IDS_ALERT_THACT_ATT_DEL",
"TargetCreateTime": "2020-02-23T15:43:21Z",
"TargetModifyTime": "2020-02-23T15:43:22Z",
"BladeName": "IDS_BLADE_NAME_SPB",
"AnalyzerGTIQuery": "true",
"AccessRequested_obj": {},
"TargetPath": "C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth"
},
"CommonFields": {
"ThreatType": "trojan",
"ThreatEventID": "1027",
"TargetHostName": "WinSec3",
"DetectedUTC": "2020-02-23T15:43:40Z",
"TargetFileName": "C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth\\test.exe",
"ThreatSeverity": "2",
"ThreatCategory": "av.detect",
"TargetUserName": "WinSec3\\Logzio",
"SourceHostName": "WinSec3",
"ThreatName": "Trojan-FRTB!81DA244A770C",
"SourceProcessName": "C:\\Windows\\explorer.exe",
"ThreatActionTaken": "IDS_ALERT_ACT_TAK_DEL",
"ThreatHandled": "true"
},
"Severity": "3"
}
},
"MachineInfo": {
"RawMACAddress": "000d3a373482",
"UserName": "SYSTEM",
"MachineName": "WinSec3",
"OSName": "Windows 10 Workstation",
"TimeZoneBias": "0",
"AgentGUID": "{d140d3c9-53ed-4367-857d-a5a396a97775}",
"IPAddress": "10.0.1.10"
}
},
"SecondAttemptedAction": [
"IDS_ALERT_THACT_ATT_DEL",
"IDS_ALERT_THACT_ATT_DEL"
],
"EventID": [
"1027",
"1027"
],
"input": {
"type": "tcp"
},
"type": "mcafee_epo",
"tenantNodePath": "1\\2",
"TargetModifyTime": [
"2020-02-23T15:43:22Z",
"2020-02-23T15:43:22Z"
],
"AnalyzerDetectionMethod": [
"On-Access Scan",
"On-Access Scan"
],
"BladeName": [
"IDS_BLADE_NAME_SPB",
"IDS_BLADE_NAME_SPB"
],
"ThreatSeverity": [
"2",
"2"
],
"AnalyzerGTIQuery": [
"True",
"True"
],
"AccessRequested": [
"",
""
],
"ecs": {
"version": "1.1.0"
},
"ThreatHandled": [
"True",
"True"
],
"TargetPath": [
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth",
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth"
],
"@metadata": {
"beat": "filebeat",
"version": "7.5.0",
"type": "_doc"
},
"ThreatDetectedOnCreation": [
"True",
"True"
]
}
]
}
Human Readable Output

Logs

@metadata@timestampAMCoreContentVersionAccessRequestedAnalyzerAnalyzerContentCreationDateAnalyzerDATVersionAnalyzerDetectionMethodAnalyzerEngineVersionAnalyzerGTIQueryAnalyzerHostNameAnalyzerNameAnalyzerVersionAttackVectorTypeBladeNameCleanableDetectedUTCDetectionMessageDurationBeforeDetectionEPOEventsEPOeventEventIDFirstActionStatusFirstAttemptedActionGMTTimeNaturalLangDescriptionSecondActionStatusSecondAttemptedActionSeveritySourceHostNameSourceProcessNameTargetAccessTimeTargetCreateTimeTargetFileNameTargetFileSizeTargetHashTargetHostNameTargetModifyTimeTargetNameTargetPathTargetUserNameTaskNameThreatActionTakenThreatCategoryThreatDetectedOnCreationThreatEventIDThreatHandledThreatNameThreatSeverityThreatTypebeat_agentbpsIddomainecsinputloglogzio_codectagstenantGUIDtenantIdtenantNodePathtimestamptype
beat: filebeat version: 7.5.0 type: _doc2020-05-06T00:01:04.441+00003990.0, 3990.0,ENDP_AM_1060, ENDP_AM_10602020-02-22T08:24:00Z, 2020-02-22T08:24:00Z3990.0, 3990.0On-Access Scan, On-Access Scan6010.8670, 6010.8670True, TrueWinSec3, WinSec3McAfee Endpoint Security, McAfee Endpoint Security10.6.1, 10.6.14, 4IDS_BLADE_NAME_SPB, IDS_BLADE_NAME_SPBTrue, True2020-02-23T15:43:40Z, 2020-02-23T15:43:40ZIDS_OAS_DEFAULT_THREAT_MESSAGE, IDS_OAS_DEFAULT_THREAT_MESSAGE18, 18EventFwdSoftwareInfo: {"CommonFields": {"AnalyzerDATVersion": "3990.0", "Analyzer": "ENDP_AM_1060", "AnalyzerDetectionMethod": "On-Access Scan", "AnalyzerVersion": "10.6.1", "AnalyzerEngineVersion": "6010.8670", "AnalyzerHostName": "WinSec3", "AnalyzerName": "McAfee Endpoint Security"}, "Event": {"EventID": "1027", "GMTTime": "2020-02-23T15:43:40", "CustomFields": {"DetectionMessage": "IDS_OAS_DEFAULT_THREAT_MESSAGE", "TargetFileSize": "249952", "TargetModifyTime": "2020-02-23T15:43:22Z", "DurationBeforeDetection": "18", "Cleanable": "true", "FirstAttemptedAction": "IDS_ALERT_THACT_ATT_CLE", "AnalyzerContentCreationDate": "2020-02-22T08:24:00Z", "TargetAccessTime": "2020-02-23T15:43:22Z", "AttackVectorType": "4", "ThreatDetectedOnCreation": "true", "FirstActionStatus": "true", "TargetName": "test.exe", "AMCoreContentVersion": "3990.0", "NaturalLangDescription": "IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=test.exe|TargetPath=C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\Windows\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\Logzio", "TaskName": "IDS_OAS_TASK_NAME", "TargetHash": "81da244a770c46ace2cf112214f8e75e", "SecondAttemptedAction": "IDS_ALERT_THACT_ATT_DEL", "TargetCreateTime": "2020-02-23T15:43:21Z", "SecondActionStatus": "false", "BladeName": "IDS_BLADE_NAME_SPB", "AnalyzerGTIQuery": "true", "AccessRequested_obj": {}, "TargetPath": "C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth"}, "CommonFields": {"ThreatType": "trojan", "TargetHostName": "WinSec3", "DetectedUTC": "2020-02-23T15:43:40Z", "TargetFileName": "C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth\test.exe", "SourceHostName": "WinSec3", "ThreatSeverity": "2", "ThreatCategory": "av.detect", "TargetUserName": "WinSec3\Logzio", "SourceProcessName": "C:\Windows\explorer.exe", "ThreatName": "Trojan-FRTB!81DA244A770C", "ThreatEventID": "1027", "ThreatActionTaken": "IDS_ALERT_ACT_TAK_DEL", "ThreatHandled": "true"}, "Severity": "3"}} MachineInfo: {"RawMACAddress": "000d3a373482", "UserName": "SYSTEM", "MachineName": "WinSec3", "OSName": "Windows 10 Workstation", "TimeZoneBias": "0", "AgentGUID": "{d140d3c9-53ed-4367-857d-a5a396a97775}", "IPAddress": "10.0.1.10"}1027, 1027True, TrueIDS_ALERT_THACT_ATT_CLE, IDS_ALERT_THACT_ATT_CLE2020-02-23T15:43:40, 2020-02-23T15:43:40IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=test.exe|TargetPath=C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\Windows\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\Logzio, IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetNametest.exe|TargetPath=C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\Windows\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\LogzioFalse, FalseIDS_ALERT_THACT_ATT_DEL, IDS_ALERT_THACT_ATT_DEL3, 3WinSec3, WinSec3C:\Windows\explorer.exe, C:\Windows\explorer.exe2020-02-23T15:43:22Z, 2020-02-23T15:43:22Z2020-02-23T15:43:21Z, 2020-02-23T15:43:21ZC:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth\test.exe, C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth\test.exe249952, 24995281da244a770c46ace2cf112214f8e75e, 81da244a770c46ace2cf112214f8e75eWinSec3, WinSec32020-02-23T15:43:22Z, 2020-02-23T15:43:22Ztest.exe, test.exeC:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth, C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealthWinSec3\Logzio, WinSec3\LogzioIDS_OAS_TASK_NAME, IDS_OAS_TASK_NAMEIDS_ALERT_ACT_TAK_DEL, IDS_ALERT_ACT_TAK_DELav.detect, av.detectTrue, True1027, 1027True, TrueTrojan-FRTB!81DA244A770C, Trojan-FRTB!81DA244A770C2, 2trojan, trojanephemeral_id: 8d15318f-3a3e-436c-a93e-1b6e8fec0cfb type: filebeat hostname: SecLinux version: 7.5.0 id: 348cbd8b-b4ce-4531-b6d1-ab6beb37d65f1Win-Sec-2, Win-Sec-2version: 1.1.0type: tcpsource: {"address": "10.0.1.9:49874"}plainbeats-5015, _grokparsefailure, _grokparsefailure, _logz_http_bulk_json_8070{00000000-0000-0000-0000-000000000000}11\22020-05-06T00:01:04.441+0000mcafee_epo
beat: filebeat version: 7.5.0 type: _doc2020-05-06T02:01:13.778+00003990.0, 3990.0,ENDP_AM_1060, ENDP_AM_10602020-02-22T08:24:00Z, 2020-02-22T08:24:00Z3990.0, 3990.0On-Access Scan, On-Access Scan6010.8670, 6010.8670True, TrueWinSec3, WinSec3McAfee Endpoint Security, McAfee Endpoint Security10.6.1, 10.6.14, 4IDS_BLADE_NAME_SPB, IDS_BLADE_NAME_SPBTrue, True2020-02-23T15:43:40Z, 2020-02-23T15:43:40ZIDS_OAS_DEFAULT_THREAT_MESSAGE, IDS_OAS_DEFAULT_THREAT_MESSAGE18, 18EventFwdSoftwareInfo: {"CommonFields": {"AnalyzerDATVersion": "3990.0", "Analyzer": "ENDP_AM_1060", "AnalyzerDetectionMethod": "On-Access Scan", "AnalyzerVersion": "10.6.1", "AnalyzerEngineVersion": "6010.8670", "AnalyzerHostName": "WinSec3", "AnalyzerName": "McAfee Endpoint Security"}, "Event": {"EventID": "1027", "GMTTime": "2020-02-23T15:43:40", "CustomFields": {"DetectionMessage": "IDS_OAS_DEFAULT_THREAT_MESSAGE", "TargetFileSize": "249952", "TargetModifyTime": "2020-02-23T15:43:22Z", "DurationBeforeDetection": "18", "Cleanable": "true", "FirstAttemptedAction": "IDS_ALERT_THACT_ATT_CLE", "AnalyzerContentCreationDate": "2020-02-22T08:24:00Z", "TargetAccessTime": "2020-02-23T15:43:22Z", "AttackVectorType": "4", "ThreatDetectedOnCreation": "true", "FirstActionStatus": "true", "TargetName": "test.exe", "AMCoreContentVersion": "3990.0", "NaturalLangDescription": "IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=test.exe|TargetPath=C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\Windows\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\Logzio", "TaskName": "IDS_OAS_TASK_NAME", "TargetHash": "81da244a770c46ace2cf112214f8e75e", "SecondAttemptedAction": "IDS_ALERT_THACT_ATT_DEL", "TargetCreateTime": "2020-02-23T15:43:21Z", "SecondActionStatus": "false", "BladeName": "IDS_BLADE_NAME_SPB", "AnalyzerGTIQuery": "true", "AccessRequested_obj": {}, "TargetPath": "C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth"}, "CommonFields": {"ThreatType": "trojan", "TargetHostName": "WinSec3", "DetectedUTC": "2020-02-23T15:43:40Z", "TargetFileName": "C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth\test.exe", "SourceHostName": "WinSec3", "ThreatSeverity": "2", "ThreatCategory": "av.detect", "TargetUserName": "WinSec3\Logzio", "SourceProcessName": "C:\Windows\explorer.exe", "ThreatName": "Trojan-FRTB!81DA244A770C", "ThreatEventID": "1027", "ThreatActionTaken": "IDS_ALERT_ACT_TAK_DEL", "ThreatHandled": "true"}, "Severity": "3"}} MachineInfo: {"RawMACAddress": "000d3a373482", "UserName": "SYSTEM", "MachineName": "WinSec3", "OSName": "Windows 10 Workstation", "TimeZoneBias": "0", "AgentGUID": "{d140d3c9-53ed-4367-857d-a5a396a97775}", "IPAddress": "10.0.1.10"}1027, 1027True, TrueIDS_ALERT_THACT_ATT_CLE, IDS_ALERT_THACT_ATT_CLE2020-02-23T15:43:40, 2020-02-23T15:43:40IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=test.exe|TargetPath=C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\Windows\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\Logzio, IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetNametest.exe|TargetPath=C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\Windows\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\LogzioFalse, FalseIDS_ALERT_THACT_ATT_DEL, IDS_ALERT_THACT_ATT_DEL3, 3WinSec3, WinSec3C:\Windows\explorer.exe, C:\Windows\explorer.exe2020-02-23T15:43:22Z, 2020-02-23T15:43:22Z2020-02-23T15:43:21Z, 2020-02-23T15:43:21ZC:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth\test.exe, C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth\test.exe249952, 24995281da244a770c46ace2cf112214f8e75e, 81da244a770c46ace2cf112214f8e75eWinSec3, WinSec32020-02-23T15:43:22Z, 2020-02-23T15:43:22Ztest.exe, test.exeC:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth, C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealthWinSec3\Logzio, WinSec3\LogzioIDS_OAS_TASK_NAME, IDS_OAS_TASK_NAMEIDS_ALERT_ACT_TAK_DEL, IDS_ALERT_ACT_TAK_DELav.detect, av.detectTrue, True1027, 1027True, TrueTrojan-FRTB!81DA244A770C, Trojan-FRTB!81DA244A770C2, 2trojan, trojanephemeral_id: 8d15318f-3a3e-436c-a93e-1b6e8fec0cfb type: filebeat hostname: SecLinux version: 7.5.0 id: 348cbd8b-b4ce-4531-b6d1-ab6beb37d65f1Win-Sec-2, Win-Sec-2version: 1.1.0type: tcpsource: {"address": "10.0.1.9:49874"}plainbeats-5015, _grokparsefailure, _grokparsefailure, _logz_http_bulk_json_8070{00000000-0000-0000-0000-000000000000}11\22020-05-06T02:01:13.778+0000mcafee_epo
beat: filebeat version: 7.5.0 type: _doc2020-05-06T02:16:14.944+00003990.0, 3990.0,ENDP_AM_1060, ENDP_AM_10602020-02-22T08:24:00Z, 2020-02-22T08:24:00Z3990.0, 3990.0On-Access Scan, On-Access Scan6010.8670, 6010.8670True, TrueWinSec3, WinSec3McAfee Endpoint Security, McAfee Endpoint Security10.6.1, 10.6.14, 4IDS_BLADE_NAME_SPB, IDS_BLADE_NAME_SPBTrue, True2020-02-23T15:43:40Z, 2020-02-23T15:43:40ZIDS_OAS_DEFAULT_THREAT_MESSAGE, IDS_OAS_DEFAULT_THREAT_MESSAGE18, 18EventFwdSoftwareInfo: {"CommonFields": {"AnalyzerDATVersion": "3990.0", "Analyzer": "ENDP_AM_1060", "AnalyzerDetectionMethod": "On-Access Scan", "AnalyzerVersion": "10.6.1", "AnalyzerEngineVersion": "6010.8670", "AnalyzerHostName": "WinSec3", "AnalyzerName": "McAfee Endpoint Security"}, "Event": {"EventID": "1027", "GMTTime": "2020-02-23T15:43:40", "CustomFields": {"DetectionMessage": "IDS_OAS_DEFAULT_THREAT_MESSAGE", "TargetFileSize": "249952", "TargetModifyTime": "2020-02-23T15:43:22Z", "DurationBeforeDetection": "18", "Cleanable": "true", "FirstAttemptedAction": "IDS_ALERT_THACT_ATT_CLE", "AnalyzerContentCreationDate": "2020-02-22T08:24:00Z", "TargetAccessTime": "2020-02-23T15:43:22Z", "AttackVectorType": "4", "ThreatDetectedOnCreation": "true", "FirstActionStatus": "true", "TargetName": "test.exe", "AMCoreContentVersion": "3990.0", "NaturalLangDescription": "IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=test.exe|TargetPath=C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\Windows\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\Logzio", "TaskName": "IDS_OAS_TASK_NAME", "TargetHash": "81da244a770c46ace2cf112214f8e75e", "SecondAttemptedAction": "IDS_ALERT_THACT_ATT_DEL", "TargetCreateTime": "2020-02-23T15:43:21Z", "SecondActionStatus": "false", "BladeName": "IDS_BLADE_NAME_SPB", "AnalyzerGTIQuery": "true", "AccessRequested_obj": {}, "TargetPath": "C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth"}, "CommonFields": {"ThreatType": "trojan", "TargetHostName": "WinSec3", "DetectedUTC": "2020-02-23T15:43:40Z", "TargetFileName": "C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth\test.exe", "SourceHostName": "WinSec3", "ThreatSeverity": "2", "ThreatCategory": "av.detect", "TargetUserName": "WinSec3\Logzio", "SourceProcessName": "C:\Windows\explorer.exe", "ThreatName": "Trojan-FRTB!81DA244A770C", "ThreatEventID": "1027", "ThreatActionTaken": "IDS_ALERT_ACT_TAK_DEL", "ThreatHandled": "true"}, "Severity": "3"}} MachineInfo: {"RawMACAddress": "000d3a373482", "UserName": "SYSTEM", "MachineName": "WinSec3", "OSName": "Windows 10 Workstation", "TimeZoneBias": "0", "AgentGUID": "{d140d3c9-53ed-4367-857d-a5a396a97775}", "IPAddress": "10.0.1.10"}1027, 1027True, TrueIDS_ALERT_THACT_ATT_CLE, IDS_ALERT_THACT_ATT_CLE2020-02-23T15:43:40, 2020-02-23T15:43:40IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=test.exe|TargetPath=C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\Windows\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\Logzio, IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetNametest.exe|TargetPath=C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\Windows\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\LogzioFalse, FalseIDS_ALERT_THACT_ATT_DEL, IDS_ALERT_THACT_ATT_DEL3, 3WinSec3, WinSec3C:\Windows\explorer.exe, C:\Windows\explorer.exe2020-02-23T15:43:22Z, 2020-02-23T15:43:22Z2020-02-23T15:43:21Z, 2020-02-23T15:43:21ZC:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth\test.exe, C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth\test.exe249952, 24995281da244a770c46ace2cf112214f8e75e, 81da244a770c46ace2cf112214f8e75eWinSec3, WinSec32020-02-23T15:43:22Z, 2020-02-23T15:43:22Ztest.exe, test.exeC:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth, C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealthWinSec3\Logzio, WinSec3\LogzioIDS_OAS_TASK_NAME, IDS_OAS_TASK_NAMEIDS_ALERT_ACT_TAK_DEL, IDS_ALERT_ACT_TAK_DELav.detect, av.detectTrue, True1027, 1027True, TrueTrojan-FRTB!81DA244A770C, Trojan-FRTB!81DA244A770C2, 2trojan, trojanephemeral_id: 8d15318f-3a3e-436c-a93e-1b6e8fec0cfb type: filebeat hostname: SecLinux version: 7.5.0 id: 348cbd8b-b4ce-4531-b6d1-ab6beb37d65f1Win-Sec-2, Win-Sec-2version: 1.1.0type: tcpsource: {"address": "10.0.1.9:49874"}plainbeats-5015, _grokparsefailure, _grokparsefailure, _logz_http_bulk_json_8070{00000000-0000-0000-0000-000000000000}11\22020-05-06T02:16:14.944+0000mcafee_epo
beat: filebeat version: 7.5.0 type: _doc2020-05-06T02:31:16.087+00003990.0, 3990.0,ENDP_AM_1060, ENDP_AM_10602020-02-22T08:24:00Z, 2020-02-22T08:24:00Z3990.0, 3990.0On-Access Scan, On-Access Scan6010.8670, 6010.8670True, TrueWinSec3, WinSec3McAfee Endpoint Security, McAfee Endpoint Security10.6.1, 10.6.14, 4IDS_BLADE_NAME_SPB, IDS_BLADE_NAME_SPBTrue, True2020-02-23T15:43:40Z, 2020-02-23T15:43:40ZIDS_OAS_DEFAULT_THREAT_MESSAGE, IDS_OAS_DEFAULT_THREAT_MESSAGE18, 18EventFwdSoftwareInfo: {"CommonFields": {"AnalyzerDATVersion": "3990.0", "Analyzer": "ENDP_AM_1060", "AnalyzerDetectionMethod": "On-Access Scan", "AnalyzerVersion": "10.6.1", "AnalyzerEngineVersion": "6010.8670", "AnalyzerHostName": "WinSec3", "AnalyzerName": "McAfee Endpoint Security"}, "Event": {"EventID": "1027", "GMTTime": "2020-02-23T15:43:40", "CustomFields": {"DetectionMessage": "IDS_OAS_DEFAULT_THREAT_MESSAGE", "TargetFileSize": "249952", "TargetModifyTime": "2020-02-23T15:43:22Z", "DurationBeforeDetection": "18", "Cleanable": "true", "FirstAttemptedAction": "IDS_ALERT_THACT_ATT_CLE", "AnalyzerContentCreationDate": "2020-02-22T08:24:00Z", "TargetAccessTime": "2020-02-23T15:43:22Z", "AttackVectorType": "4", "ThreatDetectedOnCreation": "true", "FirstActionStatus": "true", "TargetName": "test.exe", "AMCoreContentVersion": "3990.0", "NaturalLangDescription": "IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=test.exe|TargetPath=C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\Windows\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\Logzio", "TaskName": "IDS_OAS_TASK_NAME", "TargetHash": "81da244a770c46ace2cf112214f8e75e", "SecondAttemptedAction": "IDS_ALERT_THACT_ATT_DEL", "TargetCreateTime": "2020-02-23T15:43:21Z", "SecondActionStatus": "false", "BladeName": "IDS_BLADE_NAME_SPB", "AnalyzerGTIQuery": "true", "AccessRequested_obj": {}, "TargetPath": "C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth"}, "CommonFields": {"ThreatType": "trojan", "TargetHostName": "WinSec3", "DetectedUTC": "2020-02-23T15:43:40Z", "TargetFileName": "C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth\test.exe", "SourceHostName": "WinSec3", "ThreatSeverity": "2", "ThreatCategory": "av.detect", "TargetUserName": "WinSec3\Logzio", "SourceProcessName": "C:\Windows\explorer.exe", "ThreatName": "Trojan-FRTB!81DA244A770C", "ThreatEventID": "1027", "ThreatActionTaken": "IDS_ALERT_ACT_TAK_DEL", "ThreatHandled": "true"}, "Severity": "3"}} MachineInfo: {"RawMACAddress": "000d3a373482", "UserName": "SYSTEM", "MachineName": "WinSec3", "OSName": "Windows 10 Workstation", "TimeZoneBias": "0", "AgentGUID": "{d140d3c9-53ed-4367-857d-a5a396a97775}", "IPAddress": "10.0.1.10"}1027, 1027True, TrueIDS_ALERT_THACT_ATT_CLE, IDS_ALERT_THACT_ATT_CLE2020-02-23T15:43:40, 2020-02-23T15:43:40IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=test.exe|TargetPath=C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\Windows\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\Logzio, IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetNametest.exe|TargetPath=C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\Windows\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\LogzioFalse, FalseIDS_ALERT_THACT_ATT_DEL, IDS_ALERT_THACT_ATT_DEL3, 3WinSec3, WinSec3C:\Windows\explorer.exe, C:\Windows\explorer.exe2020-02-23T15:43:22Z, 2020-02-23T15:43:22Z2020-02-23T15:43:21Z, 2020-02-23T15:43:21ZC:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth\test.exe, C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth\test.exe249952, 24995281da244a770c46ace2cf112214f8e75e, 81da244a770c46ace2cf112214f8e75eWinSec3, WinSec32020-02-23T15:43:22Z, 2020-02-23T15:43:22Ztest.exe, test.exeC:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth, C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealthWinSec3\Logzio, WinSec3\LogzioIDS_OAS_TASK_NAME, IDS_OAS_TASK_NAMEIDS_ALERT_ACT_TAK_DEL, IDS_ALERT_ACT_TAK_DELav.detect, av.detectTrue, True1027, 1027True, TrueTrojan-FRTB!81DA244A770C, Trojan-FRTB!81DA244A770C2, 2trojan, trojanephemeral_id: 8d15318f-3a3e-436c-a93e-1b6e8fec0cfb type: filebeat hostname: SecLinux version: 7.5.0 id: 348cbd8b-b4ce-4531-b6d1-ab6beb37d65f1Win-Sec-2, Win-Sec-2version: 1.1.0type: tcpsource: {"address": "10.0.1.9:49874"}plainbeats-5015, _grokparsefailure, _grokparsefailure, _logz_http_bulk_json_8070{00000000-0000-0000-0000-000000000000}11\22020-05-06T02:31:16.087+0000mcafee_epo
beat: filebeat version: 7.5.0 type: _doc2020-05-06T01:46:12.663+00003990.0, 3990.0,ENDP_AM_1060, ENDP_AM_10602020-02-22T08:24:00Z, 2020-02-22T08:24:00Z3990.0, 3990.0On-Access Scan, On-Access Scan6010.8670, 6010.8670True, TrueWinSec3, WinSec3McAfee Endpoint Security, McAfee Endpoint Security10.6.1, 10.6.14, 4IDS_BLADE_NAME_SPB, IDS_BLADE_NAME_SPBTrue, True2020-02-23T15:43:40Z, 2020-02-23T15:43:40ZIDS_OAS_DEFAULT_THREAT_MESSAGE, IDS_OAS_DEFAULT_THREAT_MESSAGE18, 18EventFwdSoftwareInfo: {"CommonFields": {"AnalyzerDATVersion": "3990.0", "Analyzer": "ENDP_AM_1060", "AnalyzerDetectionMethod": "On-Access Scan", "AnalyzerVersion": "10.6.1", "AnalyzerEngineVersion": "6010.8670", "AnalyzerHostName": "WinSec3", "AnalyzerName": "McAfee Endpoint Security"}, "Event": {"EventID": "1027", "GMTTime": "2020-02-23T15:43:40", "CustomFields": {"DetectionMessage": "IDS_OAS_DEFAULT_THREAT_MESSAGE", "TargetFileSize": "249952", "TargetModifyTime": "2020-02-23T15:43:22Z", "DurationBeforeDetection": "18", "Cleanable": "true", "FirstAttemptedAction": "IDS_ALERT_THACT_ATT_CLE", "AnalyzerContentCreationDate": "2020-02-22T08:24:00Z", "TargetAccessTime": "2020-02-23T15:43:22Z", "AttackVectorType": "4", "ThreatDetectedOnCreation": "true", "FirstActionStatus": "true", "TargetName": "test.exe", "AMCoreContentVersion": "3990.0", "NaturalLangDescription": "IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=test.exe|TargetPath=C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\Windows\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\Logzio", "TaskName": "IDS_OAS_TASK_NAME", "TargetHash": "81da244a770c46ace2cf112214f8e75e", "SecondAttemptedAction": "IDS_ALERT_THACT_ATT_DEL", "TargetCreateTime": "2020-02-23T15:43:21Z", "SecondActionStatus": "false", "BladeName": "IDS_BLADE_NAME_SPB", "AnalyzerGTIQuery": "true", "AccessRequested_obj": {}, "TargetPath": "C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth"}, "CommonFields": {"ThreatType": "trojan", "TargetHostName": "WinSec3", "DetectedUTC": "2020-02-23T15:43:40Z", "TargetFileName": "C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth\test.exe", "SourceHostName": "WinSec3", "ThreatSeverity": "2", "ThreatCategory": "av.detect", "TargetUserName": "WinSec3\Logzio", "SourceProcessName": "C:\Windows\explorer.exe", "ThreatName": "Trojan-FRTB!81DA244A770C", "ThreatEventID": "1027", "ThreatActionTaken": "IDS_ALERT_ACT_TAK_DEL", "ThreatHandled": "true"}, "Severity": "3"}} MachineInfo: {"RawMACAddress": "000d3a373482", "UserName": "SYSTEM", "MachineName": "WinSec3", "OSName": "Windows 10 Workstation", "TimeZoneBias": "0", "AgentGUID": "{d140d3c9-53ed-4367-857d-a5a396a97775}", "IPAddress": "10.0.1.10"}1027, 1027True, TrueIDS_ALERT_THACT_ATT_CLE, IDS_ALERT_THACT_ATT_CLE2020-02-23T15:43:40, 2020-02-23T15:43:40IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=test.exe|TargetPath=C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\Windows\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\Logzio, IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetNametest.exe|TargetPath=C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\Windows\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\LogzioFalse, FalseIDS_ALERT_THACT_ATT_DEL, IDS_ALERT_THACT_ATT_DEL3, 3WinSec3, WinSec3C:\Windows\explorer.exe, C:\Windows\explorer.exe2020-02-23T15:43:22Z, 2020-02-23T15:43:22Z2020-02-23T15:43:21Z, 2020-02-23T15:43:21ZC:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth\test.exe, C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth\test.exe249952, 24995281da244a770c46ace2cf112214f8e75e, 81da244a770c46ace2cf112214f8e75eWinSec3, WinSec32020-02-23T15:43:22Z, 2020-02-23T15:43:22Ztest.exe, test.exeC:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth, C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealthWinSec3\Logzio, WinSec3\LogzioIDS_OAS_TASK_NAME, IDS_OAS_TASK_NAMEIDS_ALERT_ACT_TAK_DEL, IDS_ALERT_ACT_TAK_DELav.detect, av.detectTrue, True1027, 1027True, TrueTrojan-FRTB!81DA244A770C, Trojan-FRTB!81DA244A770C2, 2trojan, trojanephemeral_id: 8d15318f-3a3e-436c-a93e-1b6e8fec0cfb type: filebeat hostname: SecLinux version: 7.5.0 id: 348cbd8b-b4ce-4531-b6d1-ab6beb37d65f1Win-Sec-2, Win-Sec-2version: 1.1.0type: tcpsource: {"address": "10.0.1.9:49874"}plainbeats-5015, _grokparsefailure, _grokparsefailure, _logz_http_bulk_json_8070{00000000-0000-0000-0000-000000000000}11\22020-05-06T01:46:12.663+0000mcafee_epo

2. logzio-get-logs-by-event-id


Fetches the logs that triggered a security event in Logz.io Cloud SIEM

Required Permissions

FILL IN REQUIRED PERMISSIONS HERE

Base Command

logzio-get-logs-by-event-id

Input
Argument NameDescriptionRequired
idLogz.io Alert Event ID (found under Incident details)Required
sizeAn integer specifying the maximum number of results to returnOptional
timeoutTimeout in secondsOptional
Context Output
PathTypeDescription
Logzio.ResultUnknownAn array of search results
Logzio.Result.typestringLog type in the index
Logzio.Result.timestampdateThe log's timestamp
Command Example

!logzio-get-logs-by-event-id id=9fb0e6a9-90c0-43ac-8e50-23028d8ea76c size=10

Context Example
{
"Logzio.Result": [
{
"log_information": {
"level": "warning"
},
"logzio_codec": "json",
"timestamp": "2020-05-06T08:28:04.640Z",
"@timestamp": "2020-05-06T08:28:04.640Z",
"tags": [
"beats-5015",
"_logzio_codec_json",
"_jsonparsefailure"
],
"ecs": {
"version": "1.4.0"
},
"beat_agent": {
"ephemeral_id": "2e94ea91-0375-4b60-8766-ee6d3f254832",
"type": "winlogbeat",
"hostname": "WinTesting",
"version": "7.6.2",
"id": "3aa2739f-7d9c-48d1-8d95-9441d5fbffe1"
},
"message": "Windows Defender Antivirus has detected malware or other potentially unwanted software.\n For more information please see the following:\nhttps://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003&enterprise=0\n \tName: Virus:DOS/EICAR_Test_File\n \tID: 2147519003\n \tSeverity: Severe\n \tCategory: Virus\n \tPath: containerfile:_C:\\Users\\test_user\\Downloads\\eicar_com.zip; file:_C:\\Users\\test_user\\Downloads\\eicar_com.zip->eicar.com; webfile:_C:\\Users\\test_user\\Downloads\\eicar_com.zip|https://www.eicar.org/download/eicar_com.zip|pid:7500,ProcessStart:132332202146885957\n \tDetection Origin: Internet\n \tDetection Type: Concrete\n \tDetection Source: Downloads and attachments\n \tUser: WinTesting\\test_user\n \tProcess Name: Unknown\n \tSignature Version: AV: 1.315.44.0, AS: 1.315.44.0, NIS: 1.315.44.0\n \tEngine Version: AM: 1.1.17000.7, NIS: 1.1.17000.7",
"winlog": {
"activity_id": "{2baa0795-dcd6-4cf7-b921-d9ad5e9cd6f0}",
"task": "",
"event_id": 1116,
"process": {
"pid": 3232,
"thread": {
"id": 4992
}
},
"api": "wineventlog",
"opcode": "Info",
"user": {
"domain": "NT AUTHORITY",
"identifier": "S-1-5-18",
"type": "User",
"name": "SYSTEM"
},
"computer_name": "WinTesting",
"record_id": 136,
"provider_name": "Microsoft-Windows-Windows Defender",
"provider_guid": "{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}",
"event_data": {
"Type Name": "%%822",
"Error Code": "0x00000000",
"State": "1",
"Category Name": "Virus",
"Additional Actions String": "No additional actions required",
"Post Clean Status": "0",
"Action Name": "%%887",
"Threat ID": "2147519003",
"Signature Version": "AV: 1.315.44.0, AS: 1.315.44.0, NIS: 1.315.44.0",
"Category ID": "42",
"Execution Name": "%%812",
"Detection ID": "{26C3583A-98B2-4E88-9B8A-0E9BDEBEB9B4}",
"Status Code": "1",
"Product Name": "%%827",
"Action ID": "9",
"Path": "containerfile:_C:\\Users\\test_user\\Downloads\\eicar_com.zip; file:_C:\\Users\\test_user\\Downloads\\eicar_com.zip->eicar.com; webfile:_C:\\Users\\test_user\\Downloads\\eicar_com.zip|https://www.eicar.org/download/eicar_com.zip|pid:7500,ProcessStart:132332202146885957",
"Process Name": "Unknown",
"Detection User": "WinTesting\\test_user",
"Detection Time": "2020-05-06T08:28:04.604Z",
"FWLink": "https://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003&enterprise=0",
"Execution ID": "0",
"Origin Name": "%%847",
"Error Description": "The operation completed successfully. ",
"Type ID": "0",
"Additional Actions ID": "0",
"Threat Name": "Virus:DOS/EICAR_Test_File",
"Severity ID": "5",
"Severity Name": "Severe",
"Engine Version": "AM: 1.1.17000.7, NIS: 1.1.17000.7",
"Source Name": "%%819",
"Origin ID": "4",
"Pre Execution Status": "0",
"Product Version": "4.18.2004.6",
"Source ID": "4"
},
"channel": "Microsoft-Windows-Windows Defender/Operational",
"event_id_description": "Unknown"
},
"type": "wineventlog",
"event": {
"kind": "event",
"code": 1116,
"provider": "Microsoft-Windows-Windows Defender",
"created": "2020-05-06T08:28:05.674Z"
},
"@metadata": {
"beat": "winlogbeat",
"version": "7.6.2",
"type": "_doc"
}
}
]
}
Human Readable Output

Logs

@metadata@timestampbeat_agentecseventlog_informationlogzio_codecmessagetagstimestamptypewinlog
beat: winlogbeat type: _doc version: 7.6.22020-05-06T08:28:04.640Zhostname: WinTesting id: 3aa2739f-7d9c-48d1-8d95-9441d5fbffe1 version: 7.6.2 type: winlogbeat ephemeral_id: 2e94ea91-0375-4b60-8766-ee6d3f254832version: 1.4.0kind: event code: 1116 provider: Microsoft-Windows-Windows Defender created: 2020-05-06T08:28:05.674Zlevel: warningjsonWindows Defender Antivirus has detected malware or other potentially unwanted software. For more information please see the following: https://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003&enterprise=0 Name: Virus:DOS/EICAR_Test_File ID: 2147519003 Severity: Severe Category: Virus Path: containerfile:_C:\Users\test_user\Downloads\eicar_com.zip; file:_C:\Users\test_user\Downloads\eicar_com.zip->eicar.com; webfile:_C:\Users\test_user\Downloads\eicar_com.zip|https://www.eicar.org/download/eicar_com.zip\|pid:7500,ProcessStart:132332202146885957 Detection Origin: Internet Detection Type: Concrete Detection Source: Downloads and attachments User: WinTesting\test_user Process Name: Unknown Signature Version: AV: 1.315.44.0, AS: 1.315.44.0, NIS: 1.315.44.0 Engine Version: AM: 1.1.17000.7, NIS: 1.1.17000.7beats-5015, _logzio_codec_json, _jsonparsefailure2020-05-06T08:28:04.640Zwineventlogchannel: Microsoft-Windows-Windows Defender/Operational provider_name: Microsoft-Windows-Windows Defender api: wineventlog computer_name: WinTesting user: {"name": "SYSTEM", "domain": "NT AUTHORITY", "type": "User", "identifier": "S-1-5-18"} provider_guid: {11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78} activity_id: {2baa0795-dcd6-4cf7-b921-d9ad5e9cd6f0} process: {"pid": 3232, "thread": {"id": 4992}} event_data: {"Path": "containerfile:_C:\Users\test_user\Downloads\eicar_com.zip; file:_C:\Users\test_user\Downloads\eicar_com.zip->eicar.com; webfile:_C:\Users\test_user\Downloads\eicar_com.zip|https://www.eicar.org/download/eicar_com.zip\|pid:7500,ProcessStart:132332202146885957", "Action Name": "%%887", "Product Version": "4.18.2004.6", "Severity ID": "5", "Signature Version": "AV: 1.315.44.0, AS: 1.315.44.0, NIS: 1.315.44.0", "Post Clean Status": "0", "Execution Name": "%%812", "Type ID": "0", "Category ID": "42", "Engine Version": "AM: 1.1.17000.7, NIS: 1.1.17000.7", "Threat Name": "Virus:DOS/EICAR_Test_File", "Category Name": "Virus", "Origin ID": "4", "Error Description": "The operation completed successfully. ", "Detection User": "WinTesting\test_user", "Product Name": "%%827", "State": "1", "Detection Time": "2020-05-06T08:28:04.604Z", "Error Code": "0x00000000", "Source Name": "%%819", "FWLink": "https://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003&enterprise=0", "Threat ID": "2147519003", "Source ID": "4", "Detection ID": "{26C3583A-98B2-4E88-9B8A-0E9BDEBEB9B4}", "Status Code": "1", "Additional Actions ID": "0", "Additional Actions String": "No additional actions required", "Severity Name": "Severe", "Action ID": "9", "Execution ID": "0", "Type Name": "%%822", "Origin Name": "%%847", "Pre Execution Status": "0", "Process Name": "Unknown"} task: opcode: Info event_id: 1116 record_id: 136 event_id_description: Unknown