Logz.io

Overview


Fetch & remediate security incidents identified by Logz.io Cloud SIEM. This integration was integrated and tested with the Logz.io platform.

Logz.io Playbook


Logz.Io Handle Alert: used to handle alerts retrieved from Logz.io. The playbook retrieves the related events that generated the alert using the logzio-get-logs-by-event-id command.

Use Cases


Integrate with Logz.io Cloud SIEM to automatically remediate security incidents identified by Logz.io and increase observability into incident details. The integration allows Cortex XSOAR users to automatically remediate incidents identified by Logz.io Cloud SIEM using Cortex XSOAR Playbooks. In addition, users can query Logz.io directly from Cortex XSOAR to investigate open questions or retrieve the logs responsible for triggering security rules.

Configure Logz.io on Cortex XSOAR


  1. Navigate to Settings > Integrations > Analytics & SIEM.
  2. Search for Logz.io.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Fetch incidents.
    • Incident type
    • API token for Logz.io Security account
    • API token for Logz.io Operations account
    • Region code of your Logz.io account
    • Filter on rule names (Lucene syntax)
    • Filter by rule severity
    • First fetch time range ({number} {time unit}, e.g., 1 hour, 30 minutes)
    • Max. number of incidents fetched per run
    • Trust any certificate (not secure)
    • Use system proxy settings
  4. Click Test to validate the URLs, token, and connection.

Commands


You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. logzio-search-logs
  2. logzio-get-logs-by-event-id

1. logzio-search-logs


Returns logs from your Logz.io Operations account by Lucene query.

Required Permissions

Your Logz.io account type should be PRO or above.

Base Command

logzio-search-logs

Input
Argument Name | Description | Required
--- | --- | ---
query | A string specifying the search query, written in Apache Lucene syntax, e.g. 'fname:John AND sname:Smith'. | Required
size | An integer specifying the maximum number of results to return. | Optional
from_time | Unix timestamp. Specifies the earliest timestamp to be returned by the query. | Optional
to_time | Unix timestamp. Specifies the latest timestamp to be returned by the query. | Optional
timeout | Timeout in seconds. | Optional
Context Output
Path | Type | Description
--- | --- | ---
Logzio.Result | Unknown | An array of search results
Logzio.Result.type | string | Log type in the index
Logzio.Result.timestamp | date | The log's timestamp
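The following Python is an added example and not the integration's own code. It shows how the arguments in the Input table translate into an Elasticsearch-style search body for the Logz.io Search API, how the API token is carried (in a header rather than the URL, so it stays out of access logs), and how a response is mapped onto the Logzio.Result context paths. The endpoint path, the region-code-to-hostname convention and the X-API-TOKEN header name are assumptions drawn from the public Logz.io API rather than from this page, and SAMPLE_RESPONSE is a constructed, abbreviated response modelled on the Context Example below.

```python
import json
from typing import Any, Dict, List, Optional

# Assumptions (not stated on this page): the Logz.io Search API endpoint, the
# region-code-to-hostname convention and the API token header name.
API_HOST_TEMPLATE = "https://api{suffix}.logz.io"
SEARCH_PATH = "/v1/search"
TOKEN_HEADER = "X-API-TOKEN"


def search_url(region_code: str = "") -> str:
    """Pick the regional API host; the US region uses the bare hostname."""
    code = (region_code or "").strip().lower()
    suffix = "" if code in ("", "us") else f"-{code}"
    return API_HOST_TEMPLATE.format(suffix=suffix) + SEARCH_PATH


def build_search_body(query: str, size: Optional[int] = None,
                      from_time: Optional[int] = None,
                      to_time: Optional[int] = None) -> Dict[str, Any]:
    """Translate the logzio-search-logs arguments into a search body.

    The Lucene string becomes a query_string clause; the optional Unix
    timestamps become a range filter on @timestamp; size caps the hit count.
    """
    if not query or not query.strip():
        raise ValueError("query is required")
    must: List[Dict[str, Any]] = [{"query_string": {"query": query}}]

    time_range: Dict[str, Any] = {}
    if from_time is not None:
        time_range["gte"] = int(from_time)
    if to_time is not None:
        time_range["lte"] = int(to_time)
    if time_range:
        if "gte" in time_range and "lte" in time_range \
                and time_range["gte"] > time_range["lte"]:
            raise ValueError("from_time must not be later than to_time")
        # The arguments are Unix seconds, so tell the backend how to read them.
        time_range["format"] = "epoch_second"
        must.append({"range": {"@timestamp": time_range}})

    body: Dict[str, Any] = {"query": {"bool": {"must": must}}}
    if size is not None:
        if int(size) < 1:
            raise ValueError("size must be a positive integer")
        body["size"] = int(size)
    return body


def build_request(token: str, query: str, region_code: str = "",
                  **search_args: Any) -> Dict[str, Any]:
    """Assemble the HTTP request. The token travels only in a header, never in
    the URL, so it does not end up in proxy or web-server access logs."""
    if not token:
        raise ValueError("an API token is required")
    return {
        "method": "POST",
        "url": search_url(region_code),
        "headers": {TOKEN_HEADER: token, "Content-Type": "application/json"},
        "json": build_search_body(query, **search_args),
    }


def hits_to_context(response: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Flatten a search response into the entries stored under Logzio.Result.

    Each hit's _source is one log document; Logzio.Result.type and
    Logzio.Result.timestamp are read straight from it, with timestamp
    mirrored from @timestamp when the document has no separate field.
    """
    results: List[Dict[str, Any]] = []
    for hit in response.get("hits", {}).get("hits", []):
        doc = dict(hit.get("_source", {}))
        if "timestamp" not in doc and "@timestamp" in doc:
            doc["timestamp"] = doc["@timestamp"]
        results.append(doc)
    return results


# Constructed, abbreviated response shaped like the Context Example on this page.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "hits": {
        "total": 2,
        "hits": [
            {"_source": {"type": "mcafee_epo", "input": {"type": "tcp"},
                         "@timestamp": "2020-05-06T00:01:04.441+0000",
                         "ThreatType": ["trojan", "trojan"]}},
            {"_source": {"type": "mcafee_epo", "input": {"type": "tcp"},
                         "@timestamp": "2020-05-06T02:01:13.778+0000",
                         "ThreatType": ["trojan", "trojan"]}},
        ],
    }
}


if __name__ == "__main__":
    # Same arguments as the page's command example; the token is a placeholder.
    req = build_request("<YOUR_OPERATIONS_API_TOKEN>",
                        "ThreatType:trojan OR input.type:tcp", size=5)
    print(json.dumps(req["json"], indent=2))
    for entry in hits_to_context(SAMPLE_RESPONSE):
        print(entry["type"], entry["timestamp"])
```

The body builder rejects an empty query, a non-positive size and a from_time later than to_time before anything is sent, which is where a playbook that computes its window from the incident timestamps most often goes wrong. To actually issue the request, hand the returned dict to an HTTP client (for example `requests.request(**req)`) using the Operations account token configured for the instance.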
Command Example

!logzio-search-logs query="ThreatType:trojan OR input.type:tcp" size="5"

Context Example
{
"Logzio.Result": [
{
"ThreatType": [
"trojan",
"trojan"
],
"Severity": [
"3",
"3"
],
"DetectionMessage": [
"IDS_OAS_DEFAULT_THREAT_MESSAGE",
"IDS_OAS_DEFAULT_THREAT_MESSAGE"
],
"@timestamp": "2020-05-06T00:01:04.441+0000",
"TargetFileSize": [
"249952",
"249952"
],
"domain": [
"Win-Sec-2",
"Win-Sec-2"
],
"tenantGUID": "{00000000-0000-0000-0000-000000000000}",
"SecondActionStatus": [
"False",
"False"
],
"EPOEvents": "EventFwd",
"DurationBeforeDetection": [
"18",
"18"
],
"Cleanable": [
"True",
"True"
],
"bpsId": "1",
"FirstAttemptedAction": [
"IDS_ALERT_THACT_ATT_CLE",
"IDS_ALERT_THACT_ATT_CLE"
],
"SourceProcessName": [
"C:\\Windows\\explorer.exe",
"C:\\Windows\\explorer.exe"
],
"AnalyzerName": [
"McAfee Endpoint Security",
"McAfee Endpoint Security"
],
"AnalyzerContentCreationDate": [
"2020-02-22T08:24:00Z",
"2020-02-22T08:24:00Z"
],
"TargetAccessTime": [
"2020-02-23T15:43:22Z",
"2020-02-23T15:43:22Z"
],
"TargetCreateTime": [
"2020-02-23T15:43:21Z",
"2020-02-23T15:43:21Z"
],
"TargetHostName": [
"WinSec3",
"WinSec3"
],
"logzio_codec": "plain",
"DetectedUTC": [
"2020-02-23T15:43:40Z",
"2020-02-23T15:43:40Z"
],
"Analyzer": [
"ENDP_AM_1060",
"ENDP_AM_1060"
],
"TargetHash": [
"81da244a770c46ace2cf112214f8e75e",
"81da244a770c46ace2cf112214f8e75e"
],
"AttackVectorType": [
"4",
"4"
],
"tags": [
"beats-5015",
"_grokparsefailure",
"_grokparsefailure",
"_logz_http_bulk_json_8070"
],
"ThreatActionTaken": [
"IDS_ALERT_ACT_TAK_DEL",
"IDS_ALERT_ACT_TAK_DEL"
],
"ThreatCategory": [
"av.detect",
"av.detect"
],
"AnalyzerEngineVersion": [
"6010.8670",
"6010.8670"
],
"SourceHostName": [
"WinSec3",
"WinSec3"
],
"FirstActionStatus": [
"True",
"True"
],
"TargetName": [
"test.exe",
"test.exe"
],
"TargetFileName": [
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth\\test.exe",
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth\\test.exe"
],
"tenantId": "1",
"log": {
"source": {
"address": "10.0.1.9:49874"
}
},
"GMTTime": [
"2020-02-23T15:43:40",
"2020-02-23T15:43:40"
],
"ThreatEventID": [
"1027",
"1027"
],
"AMCoreContentVersion": [
"3990.0",
"3990.0"
],
"AnalyzerDATVersion": [
"3990.0",
"3990.0"
],
"timestamp": "2020-05-06T00:01:04.441+0000",
"NaturalLangDescription": [
"IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=test.exe|TargetPath=C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\\Windows\\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\\Logzio",
"IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetNametest.exe|TargetPath=C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\\Windows\\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\\Logzio"
],
"beat_agent": {
"ephemeral_id": "8d15318f-3a3e-436c-a93e-1b6e8fec0cfb",
"type": "filebeat",
"hostname": "SecLinux",
"version": "7.5.0",
"id": "348cbd8b-b4ce-4531-b6d1-ab6beb37d65f"
},
"AnalyzerVersion": [
"10.6.1",
"10.6.1"
],
"TargetUserName": [
"WinSec3\\Logzio",
"WinSec3\\Logzio"
],
"TaskName": [
"IDS_OAS_TASK_NAME",
"IDS_OAS_TASK_NAME"
],
"ThreatName": [
"Trojan-FRTB!81DA244A770C",
"Trojan-FRTB!81DA244A770C"
],
"AnalyzerHostName": [
"WinSec3",
"WinSec3"
],
"EPOevent": {
"SoftwareInfo": {
"CommonFields": {
"AnalyzerDATVersion": "3990.0",
"Analyzer": "ENDP_AM_1060",
"AnalyzerDetectionMethod": "On-Access Scan",
"AnalyzerVersion": "10.6.1",
"AnalyzerEngineVersion": "6010.8670",
"AnalyzerHostName": "WinSec3",
"AnalyzerName": "McAfee Endpoint Security"
},
"Event": {
"EventID": "1027",
"GMTTime": "2020-02-23T15:43:40",
"CustomFields": {
"DetectionMessage": "IDS_OAS_DEFAULT_THREAT_MESSAGE",
"TargetFileSize": "249952",
"SecondActionStatus": "false",
"DurationBeforeDetection": "18",
"Cleanable": "true",
"FirstAttemptedAction": "IDS_ALERT_THACT_ATT_CLE",
"AnalyzerContentCreationDate": "2020-02-22T08:24:00Z",
"TargetAccessTime": "2020-02-23T15:43:22Z",
"AttackVectorType": "4",
"ThreatDetectedOnCreation": "true",
"FirstActionStatus": "true",
"TargetName": "test.exe",
"AMCoreContentVersion": "3990.0",
"NaturalLangDescription": "IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=test.exe|TargetPath=C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\\Windows\\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\\Logzio",
"TaskName": "IDS_OAS_TASK_NAME",
"TargetHash": "81da244a770c46ace2cf112214f8e75e",
"SecondAttemptedAction": "IDS_ALERT_THACT_ATT_DEL",
"TargetCreateTime": "2020-02-23T15:43:21Z",
"TargetModifyTime": "2020-02-23T15:43:22Z",
"BladeName": "IDS_BLADE_NAME_SPB",
"AnalyzerGTIQuery": "true",
"AccessRequested_obj": {},
"TargetPath": "C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth"
},
"CommonFields": {
"ThreatType": "trojan",
"ThreatEventID": "1027",
"TargetHostName": "WinSec3",
"DetectedUTC": "2020-02-23T15:43:40Z",
"TargetFileName": "C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth\\test.exe",
"ThreatSeverity": "2",
"ThreatCategory": "av.detect",
"TargetUserName": "WinSec3\\Logzio",
"SourceHostName": "WinSec3",
"ThreatName": "Trojan-FRTB!81DA244A770C",
"SourceProcessName": "C:\\Windows\\explorer.exe",
"ThreatActionTaken": "IDS_ALERT_ACT_TAK_DEL",
"ThreatHandled": "true"
},
"Severity": "3"
}
},
"MachineInfo": {
"RawMACAddress": "000d3a373482",
"UserName": "SYSTEM",
"MachineName": "WinSec3",
"OSName": "Windows 10 Workstation",
"TimeZoneBias": "0",
"AgentGUID": "{d140d3c9-53ed-4367-857d-a5a396a97775}",
"IPAddress": "10.0.1.10"
}
},
"SecondAttemptedAction": [
"IDS_ALERT_THACT_ATT_DEL",
"IDS_ALERT_THACT_ATT_DEL"
],
"EventID": [
"1027",
"1027"
],
"input": {
"type": "tcp"
},
"type": "mcafee_epo",
"tenantNodePath": "1\\2",
"TargetModifyTime": [
"2020-02-23T15:43:22Z",
"2020-02-23T15:43:22Z"
],
"AnalyzerDetectionMethod": [
"On-Access Scan",
"On-Access Scan"
],
"BladeName": [
"IDS_BLADE_NAME_SPB",
"IDS_BLADE_NAME_SPB"
],
"ThreatSeverity": [
"2",
"2"
],
"AnalyzerGTIQuery": [
"True",
"True"
],
"AccessRequested": [
"",
""
],
"ecs": {
"version": "1.1.0"
},
"ThreatHandled": [
"True",
"True"
],
"TargetPath": [
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth",
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth"
],
"@metadata": {
"beat": "filebeat",
"version": "7.5.0",
"type": "_doc"
},
"ThreatDetectedOnCreation": [
"True",
"True"
]
},
{
"ThreatType": [
"trojan",
"trojan"
],
"Severity": [
"3",
"3"
],
"DetectionMessage": [
"IDS_OAS_DEFAULT_THREAT_MESSAGE",
"IDS_OAS_DEFAULT_THREAT_MESSAGE"
],
"@timestamp": "2020-05-06T02:01:13.778+0000",
"TargetFileSize": [
"249952",
"249952"
],
"domain": [
"Win-Sec-2",
"Win-Sec-2"
],
"tenantGUID": "{00000000-0000-0000-0000-000000000000}",
"SecondActionStatus": [
"False",
"False"
],
"EPOEvents": "EventFwd",
"DurationBeforeDetection": [
"18",
"18"
],
"Cleanable": [
"True",
"True"
],
"bpsId": "1",
"FirstAttemptedAction": [
"IDS_ALERT_THACT_ATT_CLE",
"IDS_ALERT_THACT_ATT_CLE"
],
"SourceProcessName": [
"C:\\Windows\\explorer.exe",
"C:\\Windows\\explorer.exe"
],
"AnalyzerName": [
"McAfee Endpoint Security",
"McAfee Endpoint Security"
],
"AnalyzerContentCreationDate": [
"2020-02-22T08:24:00Z",
"2020-02-22T08:24:00Z"
],
"TargetAccessTime": [
"2020-02-23T15:43:22Z",
"2020-02-23T15:43:22Z"
],
"TargetCreateTime": [
"2020-02-23T15:43:21Z",
"2020-02-23T15:43:21Z"
],
"TargetHostName": [
"WinSec3",
"WinSec3"
],
"logzio_codec": "plain",
"DetectedUTC": [
"2020-02-23T15:43:40Z",
"2020-02-23T15:43:40Z"
],
"Analyzer": [
"ENDP_AM_1060",
"ENDP_AM_1060"
],
"TargetHash": [
"81da244a770c46ace2cf112214f8e75e",
"81da244a770c46ace2cf112214f8e75e"
],
"AttackVectorType": [
"4",
"4"
],
"tags": [
"beats-5015",
"_grokparsefailure",
"_grokparsefailure",
"_logz_http_bulk_json_8070"
],
"ThreatActionTaken": [
"IDS_ALERT_ACT_TAK_DEL",
"IDS_ALERT_ACT_TAK_DEL"
],
"ThreatCategory": [
"av.detect",
"av.detect"
],
"AnalyzerEngineVersion": [
"6010.8670",
"6010.8670"
],
"SourceHostName": [
"WinSec3",
"WinSec3"
],
"FirstActionStatus": [
"True",
"True"
],
"TargetName": [
"test.exe",
"test.exe"
],
"TargetFileName": [
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth\\test.exe",
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth\\test.exe"
],
"tenantId": "1",
"log": {
"source": {
"address": "10.0.1.9:49874"
}
},
"GMTTime": [
"2020-02-23T15:43:40",
"2020-02-23T15:43:40"
],
"ThreatEventID": [
"1027",
"1027"
],
"AMCoreContentVersion": [
"3990.0",
"3990.0"
],
"AnalyzerDATVersion": [
"3990.0",
"3990.0"
],
"timestamp": "2020-05-06T02:01:13.778+0000",
"NaturalLangDescription": [
"IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=test.exe|TargetPath=C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\\Windows\\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\\Logzio",
"IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetNametest.exe|TargetPath=C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\\Windows\\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\\Logzio"
],
"beat_agent": {
"ephemeral_id": "8d15318f-3a3e-436c-a93e-1b6e8fec0cfb",
"type": "filebeat",
"hostname": "SecLinux",
"version": "7.5.0",
"id": "348cbd8b-b4ce-4531-b6d1-ab6beb37d65f"
},
"AnalyzerVersion": [
"10.6.1",
"10.6.1"
],
"TargetUserName": [
"WinSec3\\Logzio",
"WinSec3\\Logzio"
],
"TaskName": [
"IDS_OAS_TASK_NAME",
"IDS_OAS_TASK_NAME"
],
"ThreatName": [
"Trojan-FRTB!81DA244A770C",
"Trojan-FRTB!81DA244A770C"
],
"AnalyzerHostName": [
"WinSec3",
"WinSec3"
],
"EPOevent": {
"SoftwareInfo": {
"CommonFields": {
"AnalyzerDATVersion": "3990.0",
"Analyzer": "ENDP_AM_1060",
"AnalyzerDetectionMethod": "On-Access Scan",
"AnalyzerVersion": "10.6.1",
"AnalyzerEngineVersion": "6010.8670",
"AnalyzerHostName": "WinSec3",
"AnalyzerName": "McAfee Endpoint Security"
},
"Event": {
"EventID": "1027",
"GMTTime": "2020-02-23T15:43:40",
"CustomFields": {
"DetectionMessage": "IDS_OAS_DEFAULT_THREAT_MESSAGE",
"TargetFileSize": "249952",
"SecondActionStatus": "false",
"DurationBeforeDetection": "18",
"Cleanable": "true",
"FirstAttemptedAction": "IDS_ALERT_THACT_ATT_CLE",
"AnalyzerContentCreationDate": "2020-02-22T08:24:00Z",
"TargetAccessTime": "2020-02-23T15:43:22Z",
"AttackVectorType": "4",
"ThreatDetectedOnCreation": "true",
"FirstActionStatus": "true",
"TargetName": "test.exe",
"AMCoreContentVersion": "3990.0",
"NaturalLangDescription": "IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=test.exe|TargetPath=C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\\Windows\\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\\Logzio",
"TaskName": "IDS_OAS_TASK_NAME",
"TargetHash": "81da244a770c46ace2cf112214f8e75e",
"SecondAttemptedAction": "IDS_ALERT_THACT_ATT_DEL",
"TargetCreateTime": "2020-02-23T15:43:21Z",
"TargetModifyTime": "2020-02-23T15:43:22Z",
"BladeName": "IDS_BLADE_NAME_SPB",
"AnalyzerGTIQuery": "true",
"AccessRequested_obj": {},
"TargetPath": "C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth"
},
"CommonFields": {
"ThreatType": "trojan",
"ThreatEventID": "1027",
"TargetHostName": "WinSec3",
"DetectedUTC": "2020-02-23T15:43:40Z",
"TargetFileName": "C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth\\test.exe",
"ThreatSeverity": "2",
"ThreatCategory": "av.detect",
"TargetUserName": "WinSec3\\Logzio",
"SourceHostName": "WinSec3",
"ThreatName": "Trojan-FRTB!81DA244A770C",
"SourceProcessName": "C:\\Windows\\explorer.exe",
"ThreatActionTaken": "IDS_ALERT_ACT_TAK_DEL",
"ThreatHandled": "true"
},
"Severity": "3"
}
},
"MachineInfo": {
"RawMACAddress": "000d3a373482",
"UserName": "SYSTEM",
"MachineName": "WinSec3",
"OSName": "Windows 10 Workstation",
"TimeZoneBias": "0",
"AgentGUID": "{d140d3c9-53ed-4367-857d-a5a396a97775}",
"IPAddress": "10.0.1.10"
}
},
"SecondAttemptedAction": [
"IDS_ALERT_THACT_ATT_DEL",
"IDS_ALERT_THACT_ATT_DEL"
],
"EventID": [
"1027",
"1027"
],
"input": {
"type": "tcp"
},
"type": "mcafee_epo",
"tenantNodePath": "1\\2",
"TargetModifyTime": [
"2020-02-23T15:43:22Z",
"2020-02-23T15:43:22Z"
],
"AnalyzerDetectionMethod": [
"On-Access Scan",
"On-Access Scan"
],
"BladeName": [
"IDS_BLADE_NAME_SPB",
"IDS_BLADE_NAME_SPB"
],
"ThreatSeverity": [
"2",
"2"
],
"AnalyzerGTIQuery": [
"True",
"True"
],
"AccessRequested": [
"",
""
],
"ecs": {
"version": "1.1.0"
},
"ThreatHandled": [
"True",
"True"
],
"TargetPath": [
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth",
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth"
],
"@metadata": {
"beat": "filebeat",
"version": "7.5.0",
"type": "_doc"
},
"ThreatDetectedOnCreation": [
"True",
"True"
]
},
{
"ThreatType": [
"trojan",
"trojan"
],
"Severity": [
"3",
"3"
],
"DetectionMessage": [
"IDS_OAS_DEFAULT_THREAT_MESSAGE",
"IDS_OAS_DEFAULT_THREAT_MESSAGE"
],
"@timestamp": "2020-05-06T02:16:14.944+0000",
"TargetFileSize": [
"249952",
"249952"
],
"domain": [
"Win-Sec-2",
"Win-Sec-2"
],
"tenantGUID": "{00000000-0000-0000-0000-000000000000}",
"SecondActionStatus": [
"False",
"False"
],
"EPOEvents": "EventFwd",
"DurationBeforeDetection": [
"18",
"18"
],
"Cleanable": [
"True",
"True"
],
"bpsId": "1",
"FirstAttemptedAction": [
"IDS_ALERT_THACT_ATT_CLE",
"IDS_ALERT_THACT_ATT_CLE"
],
"SourceProcessName": [
"C:\\Windows\\explorer.exe",
"C:\\Windows\\explorer.exe"
],
"AnalyzerName": [
"McAfee Endpoint Security",
"McAfee Endpoint Security"
],
"AnalyzerContentCreationDate": [
"2020-02-22T08:24:00Z",
"2020-02-22T08:24:00Z"
],
"TargetAccessTime": [
"2020-02-23T15:43:22Z",
"2020-02-23T15:43:22Z"
],
"TargetCreateTime": [
"2020-02-23T15:43:21Z",
"2020-02-23T15:43:21Z"
],
"TargetHostName": [
"WinSec3",
"WinSec3"
],
"logzio_codec": "plain",
"DetectedUTC": [
"2020-02-23T15:43:40Z",
"2020-02-23T15:43:40Z"
],
"Analyzer": [
"ENDP_AM_1060",
"ENDP_AM_1060"
],
"TargetHash": [
"81da244a770c46ace2cf112214f8e75e",
"81da244a770c46ace2cf112214f8e75e"
],
"AttackVectorType": [
"4",
"4"
],
"tags": [
"beats-5015",
"_grokparsefailure",
"_grokparsefailure",
"_logz_http_bulk_json_8070"
],
"ThreatActionTaken": [
"IDS_ALERT_ACT_TAK_DEL",
"IDS_ALERT_ACT_TAK_DEL"
],
"ThreatCategory": [
"av.detect",
"av.detect"
],
"AnalyzerEngineVersion": [
"6010.8670",
"6010.8670"
],
"SourceHostName": [
"WinSec3",
"WinSec3"
],
"FirstActionStatus": [
"True",
"True"
],
"TargetName": [
"test.exe",
"test.exe"
],
"TargetFileName": [
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth\\test.exe",
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth\\test.exe"
],
"tenantId": "1",
"log": {
"source": {
"address": "10.0.1.9:49874"
}
},
"GMTTime": [
"2020-02-23T15:43:40",
"2020-02-23T15:43:40"
],
"ThreatEventID": [
"1027",
"1027"
],
"AMCoreContentVersion": [
"3990.0",
"3990.0"
],
"AnalyzerDATVersion": [
"3990.0",
"3990.0"
],
"timestamp": "2020-05-06T02:16:14.944+0000",
"NaturalLangDescription": [
"IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=test.exe|TargetPath=C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\\Windows\\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\\Logzio",
"IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetNametest.exe|TargetPath=C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\\Windows\\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\\Logzio"
],
"beat_agent": {
"ephemeral_id": "8d15318f-3a3e-436c-a93e-1b6e8fec0cfb",
"type": "filebeat",
"hostname": "SecLinux",
"version": "7.5.0",
"id": "348cbd8b-b4ce-4531-b6d1-ab6beb37d65f"
},
"AnalyzerVersion": [
"10.6.1",
"10.6.1"
],
"TargetUserName": [
"WinSec3\\Logzio",
"WinSec3\\Logzio"
],
"TaskName": [
"IDS_OAS_TASK_NAME",
"IDS_OAS_TASK_NAME"
],
"ThreatName": [
"Trojan-FRTB!81DA244A770C",
"Trojan-FRTB!81DA244A770C"
],
"AnalyzerHostName": [
"WinSec3",
"WinSec3"
],
"EPOevent": {
"SoftwareInfo": {
"CommonFields": {
"AnalyzerDATVersion": "3990.0",
"Analyzer": "ENDP_AM_1060",
"AnalyzerDetectionMethod": "On-Access Scan",
"AnalyzerVersion": "10.6.1",
"AnalyzerEngineVersion": "6010.8670",
"AnalyzerHostName": "WinSec3",
"AnalyzerName": "McAfee Endpoint Security"
},
"Event": {
"EventID": "1027",
"GMTTime": "2020-02-23T15:43:40",
"CustomFields": {
"DetectionMessage": "IDS_OAS_DEFAULT_THREAT_MESSAGE",
"TargetFileSize": "249952",
"SecondActionStatus": "false",
"DurationBeforeDetection": "18",
"Cleanable": "true",
"FirstAttemptedAction": "IDS_ALERT_THACT_ATT_CLE",
"AnalyzerContentCreationDate": "2020-02-22T08:24:00Z",
"TargetAccessTime": "2020-02-23T15:43:22Z",
"AttackVectorType": "4",
"ThreatDetectedOnCreation": "true",
"FirstActionStatus": "true",
"TargetName": "test.exe",
"AMCoreContentVersion": "3990.0",
"NaturalLangDescription": "IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=test.exe|TargetPath=C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\\Windows\\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\\Logzio",
"TaskName": "IDS_OAS_TASK_NAME",
"TargetHash": "81da244a770c46ace2cf112214f8e75e",
"SecondAttemptedAction": "IDS_ALERT_THACT_ATT_DEL",
"TargetCreateTime": "2020-02-23T15:43:21Z",
"TargetModifyTime": "2020-02-23T15:43:22Z",
"BladeName": "IDS_BLADE_NAME_SPB",
"AnalyzerGTIQuery": "true",
"AccessRequested_obj": {},
"TargetPath": "C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth"
},
"CommonFields": {
"ThreatType": "trojan",
"ThreatEventID": "1027",
"TargetHostName": "WinSec3",
"DetectedUTC": "2020-02-23T15:43:40Z",
"TargetFileName": "C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth\\test.exe",
"ThreatSeverity": "2",
"ThreatCategory": "av.detect",
"TargetUserName": "WinSec3\\Logzio",
"SourceHostName": "WinSec3",
"ThreatName": "Trojan-FRTB!81DA244A770C",
"SourceProcessName": "C:\\Windows\\explorer.exe",
"ThreatActionTaken": "IDS_ALERT_ACT_TAK_DEL",
"ThreatHandled": "true"
},
"Severity": "3"
}
},
"MachineInfo": {
"RawMACAddress": "000d3a373482",
"UserName": "SYSTEM",
"MachineName": "WinSec3",
"OSName": "Windows 10 Workstation",
"TimeZoneBias": "0",
"AgentGUID": "{d140d3c9-53ed-4367-857d-a5a396a97775}",
"IPAddress": "10.0.1.10"
}
},
"SecondAttemptedAction": [
"IDS_ALERT_THACT_ATT_DEL",
"IDS_ALERT_THACT_ATT_DEL"
],
"EventID": [
"1027",
"1027"
],
"input": {
"type": "tcp"
},
"type": "mcafee_epo",
"tenantNodePath": "1\\2",
"TargetModifyTime": [
"2020-02-23T15:43:22Z",
"2020-02-23T15:43:22Z"
],
"AnalyzerDetectionMethod": [
"On-Access Scan",
"On-Access Scan"
],
"BladeName": [
"IDS_BLADE_NAME_SPB",
"IDS_BLADE_NAME_SPB"
],
"ThreatSeverity": [
"2",
"2"
],
"AnalyzerGTIQuery": [
"True",
"True"
],
"AccessRequested": [
"",
""
],
"ecs": {
"version": "1.1.0"
},
"ThreatHandled": [
"True",
"True"
],
"TargetPath": [
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth",
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth"
],
"@metadata": {
"beat": "filebeat",
"version": "7.5.0",
"type": "_doc"
},
"ThreatDetectedOnCreation": [
"True",
"True"
]
},
{
"ThreatType": [
"trojan",
"trojan"
],
"Severity": [
"3",
"3"
],
"DetectionMessage": [
"IDS_OAS_DEFAULT_THREAT_MESSAGE",
"IDS_OAS_DEFAULT_THREAT_MESSAGE"
],
"@timestamp": "2020-05-06T02:31:16.087+0000",
"TargetFileSize": [
"249952",
"249952"
],
"domain": [
"Win-Sec-2",
"Win-Sec-2"
],
"tenantGUID": "{00000000-0000-0000-0000-000000000000}",
"SecondActionStatus": [
"False",
"False"
],
"EPOEvents": "EventFwd",
"DurationBeforeDetection": [
"18",
"18"
],
"Cleanable": [
"True",
"True"
],
"bpsId": "1",
"FirstAttemptedAction": [
"IDS_ALERT_THACT_ATT_CLE",
"IDS_ALERT_THACT_ATT_CLE"
],
"SourceProcessName": [
"C:\\Windows\\explorer.exe",
"C:\\Windows\\explorer.exe"
],
"AnalyzerName": [
"McAfee Endpoint Security",
"McAfee Endpoint Security"
],
"AnalyzerContentCreationDate": [
"2020-02-22T08:24:00Z",
"2020-02-22T08:24:00Z"
],
"TargetAccessTime": [
"2020-02-23T15:43:22Z",
"2020-02-23T15:43:22Z"
],
"TargetCreateTime": [
"2020-02-23T15:43:21Z",
"2020-02-23T15:43:21Z"
],
"TargetHostName": [
"WinSec3",
"WinSec3"
],
"logzio_codec": "plain",
"DetectedUTC": [
"2020-02-23T15:43:40Z",
"2020-02-23T15:43:40Z"
],
"Analyzer": [
"ENDP_AM_1060",
"ENDP_AM_1060"
],
"TargetHash": [
"81da244a770c46ace2cf112214f8e75e",
"81da244a770c46ace2cf112214f8e75e"
],
"AttackVectorType": [
"4",
"4"
],
"tags": [
"beats-5015",
"_grokparsefailure",
"_grokparsefailure",
"_logz_http_bulk_json_8070"
],
"ThreatActionTaken": [
"IDS_ALERT_ACT_TAK_DEL",
"IDS_ALERT_ACT_TAK_DEL"
],
"ThreatCategory": [
"av.detect",
"av.detect"
],
"AnalyzerEngineVersion": [
"6010.8670",
"6010.8670"
],
"SourceHostName": [
"WinSec3",
"WinSec3"
],
"FirstActionStatus": [
"True",
"True"
],
"TargetName": [
"test.exe",
"test.exe"
],
"TargetFileName": [
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth\\test.exe",
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth\\test.exe"
],
"tenantId": "1",
"log": {
"source": {
"address": "10.0.1.9:49874"
}
},
"GMTTime": [
"2020-02-23T15:43:40",
"2020-02-23T15:43:40"
],
"ThreatEventID": [
"1027",
"1027"
],
"AMCoreContentVersion": [
"3990.0",
"3990.0"
],
"AnalyzerDATVersion": [
"3990.0",
"3990.0"
],
"timestamp": "2020-05-06T02:31:16.087+0000",
"NaturalLangDescription": [
"IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=test.exe|TargetPath=C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\\Windows\\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\\Logzio",
"IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetNametest.exe|TargetPath=C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\\Windows\\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\\Logzio"
],
"beat_agent": {
"ephemeral_id": "8d15318f-3a3e-436c-a93e-1b6e8fec0cfb",
"type": "filebeat",
"hostname": "SecLinux",
"version": "7.5.0",
"id": "348cbd8b-b4ce-4531-b6d1-ab6beb37d65f"
},
"AnalyzerVersion": [
"10.6.1",
"10.6.1"
],
"TargetUserName": [
"WinSec3\\Logzio",
"WinSec3\\Logzio"
],
"TaskName": [
"IDS_OAS_TASK_NAME",
"IDS_OAS_TASK_NAME"
],
"ThreatName": [
"Trojan-FRTB!81DA244A770C",
"Trojan-FRTB!81DA244A770C"
],
"AnalyzerHostName": [
"WinSec3",
"WinSec3"
],
"EPOevent": {
"SoftwareInfo": {
"CommonFields": {
"AnalyzerDATVersion": "3990.0",
"Analyzer": "ENDP_AM_1060",
"AnalyzerDetectionMethod": "On-Access Scan",
"AnalyzerVersion": "10.6.1",
"AnalyzerEngineVersion": "6010.8670",
"AnalyzerHostName": "WinSec3",
"AnalyzerName": "McAfee Endpoint Security"
},
"Event": {
"EventID": "1027",
"GMTTime": "2020-02-23T15:43:40",
"CustomFields": {
"DetectionMessage": "IDS_OAS_DEFAULT_THREAT_MESSAGE",
"TargetFileSize": "249952",
"SecondActionStatus": "false",
"DurationBeforeDetection": "18",
"Cleanable": "true",
"FirstAttemptedAction": "IDS_ALERT_THACT_ATT_CLE",
"AnalyzerContentCreationDate": "2020-02-22T08:24:00Z",
"TargetAccessTime": "2020-02-23T15:43:22Z",
"AttackVectorType": "4",
"ThreatDetectedOnCreation": "true",
"FirstActionStatus": "true",
"TargetName": "test.exe",
"AMCoreContentVersion": "3990.0",
"NaturalLangDescription": "IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=test.exe|TargetPath=C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\\Windows\\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\\Logzio",
"TaskName": "IDS_OAS_TASK_NAME",
"TargetHash": "81da244a770c46ace2cf112214f8e75e",
"SecondAttemptedAction": "IDS_ALERT_THACT_ATT_DEL",
"TargetCreateTime": "2020-02-23T15:43:21Z",
"TargetModifyTime": "2020-02-23T15:43:22Z",
"BladeName": "IDS_BLADE_NAME_SPB",
"AnalyzerGTIQuery": "true",
"AccessRequested_obj": {},
"TargetPath": "C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth"
},
"CommonFields": {
"ThreatType": "trojan",
"ThreatEventID": "1027",
"TargetHostName": "WinSec3",
"DetectedUTC": "2020-02-23T15:43:40Z",
"TargetFileName": "C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth\\test.exe",
"ThreatSeverity": "2",
"ThreatCategory": "av.detect",
"TargetUserName": "WinSec3\\Logzio",
"SourceHostName": "WinSec3",
"ThreatName": "Trojan-FRTB!81DA244A770C",
"SourceProcessName": "C:\\Windows\\explorer.exe",
"ThreatActionTaken": "IDS_ALERT_ACT_TAK_DEL",
"ThreatHandled": "true"
},
"Severity": "3"
}
},
"MachineInfo": {
"RawMACAddress": "000d3a373482",
"UserName": "SYSTEM",
"MachineName": "WinSec3",
"OSName": "Windows 10 Workstation",
"TimeZoneBias": "0",
"AgentGUID": "{d140d3c9-53ed-4367-857d-a5a396a97775}",
"IPAddress": "10.0.1.10"
}
},
"SecondAttemptedAction": [
"IDS_ALERT_THACT_ATT_DEL",
"IDS_ALERT_THACT_ATT_DEL"
],
"EventID": [
"1027",
"1027"
],
"input": {
"type": "tcp"
},
"type": "mcafee_epo",
"tenantNodePath": "1\\2",
"TargetModifyTime": [
"2020-02-23T15:43:22Z",
"2020-02-23T15:43:22Z"
],
"AnalyzerDetectionMethod": [
"On-Access Scan",
"On-Access Scan"
],
"BladeName": [
"IDS_BLADE_NAME_SPB",
"IDS_BLADE_NAME_SPB"
],
"ThreatSeverity": [
"2",
"2"
],
"AnalyzerGTIQuery": [
"True",
"True"
],
"AccessRequested": [
"",
""
],
"ecs": {
"version": "1.1.0"
},
"ThreatHandled": [
"True",
"True"
],
"TargetPath": [
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth",
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth"
],
"@metadata": {
"beat": "filebeat",
"version": "7.5.0",
"type": "_doc"
},
"ThreatDetectedOnCreation": [
"True",
"True"
]
},
{
"ThreatType": [
"trojan",
"trojan"
],
"Severity": [
"3",
"3"
],
"DetectionMessage": [
"IDS_OAS_DEFAULT_THREAT_MESSAGE",
"IDS_OAS_DEFAULT_THREAT_MESSAGE"
],
"@timestamp": "2020-05-06T01:46:12.663+0000",
"TargetFileSize": [
"249952",
"249952"
],
"domain": [
"Win-Sec-2",
"Win-Sec-2"
],
"tenantGUID": "{00000000-0000-0000-0000-000000000000}",
"SecondActionStatus": [
"False",
"False"
],
"EPOEvents": "EventFwd",
"DurationBeforeDetection": [
"18",
"18"
],
"Cleanable": [
"True",
"True"
],
"bpsId": "1",
"FirstAttemptedAction": [
"IDS_ALERT_THACT_ATT_CLE",
"IDS_ALERT_THACT_ATT_CLE"
],
"SourceProcessName": [
"C:\\Windows\\explorer.exe",
"C:\\Windows\\explorer.exe"
],
"AnalyzerName": [
"McAfee Endpoint Security",
"McAfee Endpoint Security"
],
"AnalyzerContentCreationDate": [
"2020-02-22T08:24:00Z",
"2020-02-22T08:24:00Z"
],
"TargetAccessTime": [
"2020-02-23T15:43:22Z",
"2020-02-23T15:43:22Z"
],
"TargetCreateTime": [
"2020-02-23T15:43:21Z",
"2020-02-23T15:43:21Z"
],
"TargetHostName": [
"WinSec3",
"WinSec3"
],
"logzio_codec": "plain",
"DetectedUTC": [
"2020-02-23T15:43:40Z",
"2020-02-23T15:43:40Z"
],
"Analyzer": [
"ENDP_AM_1060",
"ENDP_AM_1060"
],
"TargetHash": [
"81da244a770c46ace2cf112214f8e75e",
"81da244a770c46ace2cf112214f8e75e"
],
"AttackVectorType": [
"4",
"4"
],
"tags": [
"beats-5015",
"_grokparsefailure",
"_grokparsefailure",
"_logz_http_bulk_json_8070"
],
"ThreatActionTaken": [
"IDS_ALERT_ACT_TAK_DEL",
"IDS_ALERT_ACT_TAK_DEL"
],
"ThreatCategory": [
"av.detect",
"av.detect"
],
"AnalyzerEngineVersion": [
"6010.8670",
"6010.8670"
],
"SourceHostName": [
"WinSec3",
"WinSec3"
],
"FirstActionStatus": [
"True",
"True"
],
"TargetName": [
"test.exe",
"test.exe"
],
"TargetFileName": [
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth\\test.exe",
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth\\test.exe"
],
"tenantId": "1",
"log": {
"source": {
"address": "10.0.1.9:49874"
}
},
"GMTTime": [
"2020-02-23T15:43:40",
"2020-02-23T15:43:40"
],
"ThreatEventID": [
"1027",
"1027"
],
"AMCoreContentVersion": [
"3990.0",
"3990.0"
],
"AnalyzerDATVersion": [
"3990.0",
"3990.0"
],
"timestamp": "2020-05-06T01:46:12.663+0000",
"NaturalLangDescription": [
"IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=test.exe|TargetPath=C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\\Windows\\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\\Logzio",
"IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetNametest.exe|TargetPath=C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\\Windows\\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\\Logzio"
],
"beat_agent": {
"ephemeral_id": "8d15318f-3a3e-436c-a93e-1b6e8fec0cfb",
"type": "filebeat",
"hostname": "SecLinux",
"version": "7.5.0",
"id": "348cbd8b-b4ce-4531-b6d1-ab6beb37d65f"
},
"AnalyzerVersion": [
"10.6.1",
"10.6.1"
],
"TargetUserName": [
"WinSec3\\Logzio",
"WinSec3\\Logzio"
],
"TaskName": [
"IDS_OAS_TASK_NAME",
"IDS_OAS_TASK_NAME"
],
"ThreatName": [
"Trojan-FRTB!81DA244A770C",
"Trojan-FRTB!81DA244A770C"
],
"AnalyzerHostName": [
"WinSec3",
"WinSec3"
],
"EPOevent": {
"SoftwareInfo": {
"CommonFields": {
"AnalyzerDATVersion": "3990.0",
"Analyzer": "ENDP_AM_1060",
"AnalyzerDetectionMethod": "On-Access Scan",
"AnalyzerVersion": "10.6.1",
"AnalyzerEngineVersion": "6010.8670",
"AnalyzerHostName": "WinSec3",
"AnalyzerName": "McAfee Endpoint Security"
},
"Event": {
"EventID": "1027",
"GMTTime": "2020-02-23T15:43:40",
"CustomFields": {
"DetectionMessage": "IDS_OAS_DEFAULT_THREAT_MESSAGE",
"TargetFileSize": "249952",
"SecondActionStatus": "false",
"DurationBeforeDetection": "18",
"Cleanable": "true",
"FirstAttemptedAction": "IDS_ALERT_THACT_ATT_CLE",
"AnalyzerContentCreationDate": "2020-02-22T08:24:00Z",
"TargetAccessTime": "2020-02-23T15:43:22Z",
"AttackVectorType": "4",
"ThreatDetectedOnCreation": "true",
"FirstActionStatus": "true",
"TargetName": "test.exe",
"AMCoreContentVersion": "3990.0",
"NaturalLangDescription": "IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=test.exe|TargetPath=C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth|ThreatName=Trojan-FRTB!81DA244A770C|SourceProcessName=C:\\Windows\\explorer.exe|ThreatType=trojan|TargetUserName=WinSec3\\Logzio",
"TaskName": "IDS_OAS_TASK_NAME",
"TargetHash": "81da244a770c46ace2cf112214f8e75e",
"SecondAttemptedAction": "IDS_ALERT_THACT_ATT_DEL",
"TargetCreateTime": "2020-02-23T15:43:21Z",
"TargetModifyTime": "2020-02-23T15:43:22Z",
"BladeName": "IDS_BLADE_NAME_SPB",
"AnalyzerGTIQuery": "true",
"AccessRequested_obj": {},
"TargetPath": "C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth"
},
"CommonFields": {
"ThreatType": "trojan",
"ThreatEventID": "1027",
"TargetHostName": "WinSec3",
"DetectedUTC": "2020-02-23T15:43:40Z",
"TargetFileName": "C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth\\test.exe",
"ThreatSeverity": "2",
"ThreatCategory": "av.detect",
"TargetUserName": "WinSec3\\Logzio",
"SourceHostName": "WinSec3",
"ThreatName": "Trojan-FRTB!81DA244A770C",
"SourceProcessName": "C:\\Windows\\explorer.exe",
"ThreatActionTaken": "IDS_ALERT_ACT_TAK_DEL",
"ThreatHandled": "true"
},
"Severity": "3"
}
},
"MachineInfo": {
"RawMACAddress": "000d3a373482",
"UserName": "SYSTEM",
"MachineName": "WinSec3",
"OSName": "Windows 10 Workstation",
"TimeZoneBias": "0",
"AgentGUID": "{d140d3c9-53ed-4367-857d-a5a396a97775}",
"IPAddress": "10.0.1.10"
}
},
"SecondAttemptedAction": [
"IDS_ALERT_THACT_ATT_DEL",
"IDS_ALERT_THACT_ATT_DEL"
],
"EventID": [
"1027",
"1027"
],
"input": {
"type": "tcp"
},
"type": "mcafee_epo",
"tenantNodePath": "1\\2",
"TargetModifyTime": [
"2020-02-23T15:43:22Z",
"2020-02-23T15:43:22Z"
],
"AnalyzerDetectionMethod": [
"On-Access Scan",
"On-Access Scan"
],
"BladeName": [
"IDS_BLADE_NAME_SPB",
"IDS_BLADE_NAME_SPB"
],
"ThreatSeverity": [
"2",
"2"
],
"AnalyzerGTIQuery": [
"True",
"True"
],
"AccessRequested": [
"",
""
],
"ecs": {
"version": "1.1.0"
},
"ThreatHandled": [
"True",
"True"
],
"TargetPath": [
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth",
"C:\\Users\\Logzio\\Downloads\\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\\taskhealth"
],
"@metadata": {
"beat": "filebeat",
"version": "7.5.0",
"type": "_doc"
},
"ThreatDetectedOnCreation": [
"True",
"True"
]
}
]
}
Human Readable Output

Logs

The table has one column per field of the returned documents: @metadata, @timestamp, AMCoreContentVersion, AccessRequested, Analyzer, AnalyzerContentCreationDate, AnalyzerDATVersion, AnalyzerDetectionMethod, AnalyzerEngineVersion, AnalyzerGTIQuery, AnalyzerHostName, AnalyzerName, AnalyzerVersion, AttackVectorType, BladeName, Cleanable, DetectedUTC, DetectionMessage, DurationBeforeDetection, EPOEvents, EPOevent, EventID, FirstActionStatus, FirstAttemptedAction, GMTTime, NaturalLangDescription, SecondActionStatus, SecondAttemptedAction, Severity, SourceHostName, SourceProcessName, TargetAccessTime, TargetCreateTime, TargetFileName, TargetFileSize, TargetHash, TargetHostName, TargetModifyTime, TargetName, TargetPath, TargetUserName, TaskName, ThreatActionTaken, ThreatCategory, ThreatDetectedOnCreation, ThreatEventID, ThreatHandled, ThreatName, ThreatSeverity, ThreatType, beat_agent, bpsId, domain, ecs, input, log, logzio_codec, tags, tenantGUID, tenantId, tenantNodePath, timestamp, type. List-valued fields are rendered as comma-separated strings (for example "WinSec3, WinSec3"), and nested objects (EPOevent, beat_agent, log) as inline JSON.

All five rows are the same McAfee ePO detection (the document shown in full in the context example above) ingested at different times; only @timestamp and timestamp differ between them:

| @timestamp | TargetHostName | TargetUserName | ThreatName | TargetHash | ThreatActionTaken | SourceProcessName | type |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 2020-05-06T00:01:04.441+0000 | WinSec3 | WinSec3\Logzio | Trojan-FRTB!81DA244A770C | 81da244a770c46ace2cf112214f8e75e | IDS_ALERT_ACT_TAK_DEL | C:\Windows\explorer.exe | mcafee_epo |
| 2020-05-06T02:01:13.778+0000 | WinSec3 | WinSec3\Logzio | Trojan-FRTB!81DA244A770C | 81da244a770c46ace2cf112214f8e75e | IDS_ALERT_ACT_TAK_DEL | C:\Windows\explorer.exe | mcafee_epo |
| 2020-05-06T02:16:14.944+0000 | WinSec3 | WinSec3\Logzio | Trojan-FRTB!81DA244A770C | 81da244a770c46ace2cf112214f8e75e | IDS_ALERT_ACT_TAK_DEL | C:\Windows\explorer.exe | mcafee_epo |
| 2020-05-06T02:31:16.087+0000 | WinSec3 | WinSec3\Logzio | Trojan-FRTB!81DA244A770C | 81da244a770c46ace2cf112214f8e75e | IDS_ALERT_ACT_TAK_DEL | C:\Windows\explorer.exe | mcafee_epo |
| 2020-05-06T01:46:12.663+0000 | WinSec3 | WinSec3\Logzio | Trojan-FRTB!81DA244A770C | 81da244a770c46ace2cf112214f8e75e | IDS_ALERT_ACT_TAK_DEL | C:\Windows\explorer.exe | mcafee_epo |

Values shared by every row in the remaining columns: AnalyzerName McAfee Endpoint Security, AnalyzerDetectionMethod On-Access Scan, AnalyzerVersion 10.6.1, AnalyzerEngineVersion 6010.8670, AnalyzerDATVersion and AMCoreContentVersion 3990.0, AnalyzerContentCreationDate 2020-02-22T08:24:00Z, DetectedUTC 2020-02-23T15:43:40Z, EventID and ThreatEventID 1027, ThreatCategory av.detect, ThreatType trojan, ThreatSeverity 2, Severity 3, FirstAttemptedAction IDS_ALERT_THACT_ATT_CLE (FirstActionStatus True), SecondAttemptedAction IDS_ALERT_THACT_ATT_DEL (SecondActionStatus False), ThreatHandled True, ThreatDetectedOnCreation True, Cleanable True, DurationBeforeDetection 18, TargetName test.exe, TargetFileSize 249952, TargetPath C:\Users\Logzio\Downloads\2019-12-20-Emotet-and-Trickbot-malware-and-artifacts\taskhealth, TargetCreateTime 2020-02-23T15:43:21Z, TargetAccessTime and TargetModifyTime 2020-02-23T15:43:22Z, EPOEvents EventFwd, beat_agent (filebeat 7.5.0 on SecLinux, id 348cbd8b-b4ce-4531-b6d1-ab6beb37d65f), bpsId 1, domain Win-Sec-2, ecs version 1.1.0, input type tcp, log source address 10.0.1.9:49874, logzio_codec plain, tags beats-5015, _grokparsefailure, _grokparsefailure, _logz_http_bulk_json_8070, tenantGUID {00000000-0000-0000-0000-000000000000}, tenantId 1, tenantNodePath 1\2. The ePO MachineInfo block reports the agent as IPAddress 10.0.1.10, MachineName WinSec3, OSName Windows 10 Workstation, AgentGUID {d140d3c9-53ed-4367-857d-a5a396a97775}.

2. logzio-get-logs-by-event-id


Fetches the logs that triggered a security event in Logz.io Cloud SIEM

Required Permissions

FILL IN REQUIRED PERMISSIONS HERE

Base Command

logzio-get-logs-by-event-id

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Logz.io Alert Event ID (found under Incident details) | Required |
| size | An integer specifying the maximum number of results to return | Optional |
| timeout | Timeout in seconds | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Logzio.Result | Unknown | An array of search results |
| Logzio.Result.type | string | Log type in the index |
| Logzio.Result.timestamp | date | The log's timestamp |
Command Example

!logzio-get-logs-by-event-id id=9fb0e6a9-90c0-43ac-8e50-23028d8ea76c size=10

Context Example
{
"Logzio.Result": [
{
"log_information": {
"level": "warning"
},
"logzio_codec": "json",
"timestamp": "2020-05-06T08:28:04.640Z",
"@timestamp": "2020-05-06T08:28:04.640Z",
"tags": [
"beats-5015",
"_logzio_codec_json",
"_jsonparsefailure"
],
"ecs": {
"version": "1.4.0"
},
"beat_agent": {
"ephemeral_id": "2e94ea91-0375-4b60-8766-ee6d3f254832",
"type": "winlogbeat",
"hostname": "WinTesting",
"version": "7.6.2",
"id": "3aa2739f-7d9c-48d1-8d95-9441d5fbffe1"
},
"message": "Windows Defender Antivirus has detected malware or other potentially unwanted software.\n For more information please see the following:\nhttps://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003&enterprise=0\n \tName: Virus:DOS/EICAR_Test_File\n \tID: 2147519003\n \tSeverity: Severe\n \tCategory: Virus\n \tPath: containerfile:_C:\\Users\\test_user\\Downloads\\eicar_com.zip; file:_C:\\Users\\test_user\\Downloads\\eicar_com.zip->eicar.com; webfile:_C:\\Users\\test_user\\Downloads\\eicar_com.zip|https://www.eicar.org/download/eicar_com.zip|pid:7500,ProcessStart:132332202146885957\n \tDetection Origin: Internet\n \tDetection Type: Concrete\n \tDetection Source: Downloads and attachments\n \tUser: WinTesting\\test_user\n \tProcess Name: Unknown\n \tSignature Version: AV: 1.315.44.0, AS: 1.315.44.0, NIS: 1.315.44.0\n \tEngine Version: AM: 1.1.17000.7, NIS: 1.1.17000.7",
"winlog": {
"activity_id": "{2baa0795-dcd6-4cf7-b921-d9ad5e9cd6f0}",
"task": "",
"event_id": 1116,
"process": {
"pid": 3232,
"thread": {
"id": 4992
}
},
"api": "wineventlog",
"opcode": "Info",
"user": {
"domain": "NT AUTHORITY",
"identifier": "S-1-5-18",
"type": "User",
"name": "SYSTEM"
},
"computer_name": "WinTesting",
"record_id": 136,
"provider_name": "Microsoft-Windows-Windows Defender",
"provider_guid": "{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}",
"event_data": {
"Type Name": "%%822",
"Error Code": "0x00000000",
"State": "1",
"Category Name": "Virus",
"Additional Actions String": "No additional actions required",
"Post Clean Status": "0",
"Action Name": "%%887",
"Threat ID": "2147519003",
"Signature Version": "AV: 1.315.44.0, AS: 1.315.44.0, NIS: 1.315.44.0",
"Category ID": "42",
"Execution Name": "%%812",
"Detection ID": "{26C3583A-98B2-4E88-9B8A-0E9BDEBEB9B4}",
"Status Code": "1",
"Product Name": "%%827",
"Action ID": "9",
"Path": "containerfile:_C:\\Users\\test_user\\Downloads\\eicar_com.zip; file:_C:\\Users\\test_user\\Downloads\\eicar_com.zip->eicar.com; webfile:_C:\\Users\\test_user\\Downloads\\eicar_com.zip|https://www.eicar.org/download/eicar_com.zip|pid:7500,ProcessStart:132332202146885957",
"Process Name": "Unknown",
"Detection User": "WinTesting\\test_user",
"Detection Time": "2020-05-06T08:28:04.604Z",
"FWLink": "https://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003&enterprise=0",
"Execution ID": "0",
"Origin Name": "%%847",
"Error Description": "The operation completed successfully. ",
"Type ID": "0",
"Additional Actions ID": "0",
"Threat Name": "Virus:DOS/EICAR_Test_File",
"Severity ID": "5",
"Severity Name": "Severe",
"Engine Version": "AM: 1.1.17000.7, NIS: 1.1.17000.7",
"Source Name": "%%819",
"Origin ID": "4",
"Pre Execution Status": "0",
"Product Version": "4.18.2004.6",
"Source ID": "4"
},
"channel": "Microsoft-Windows-Windows Defender/Operational",
"event_id_description": "Unknown"
},
"type": "wineventlog",
"event": {
"kind": "event",
"code": 1116,
"provider": "Microsoft-Windows-Windows Defender",
"created": "2020-05-06T08:28:05.674Z"
},
"@metadata": {
"beat": "winlogbeat",
"version": "7.6.2",
"type": "_doc"
}
}
]
}
Human Readable Output

Logs

Columns: @metadata, @timestamp, beat, agent, ecs, event, log_information, logzio_codec, message, tags, timestamp, type, winlog

Values of the single row, field by field:

@metadata: beat: winlogbeat, type: _doc, version: 7.6.2
@timestamp: 2020-05-06T08:28:04.640Z
beat, agent: hostname: WinTesting, id: 3aa2739f-7d9c-48d1-8d95-9441d5fbffe1, version: 7.6.2, type: winlogbeat, ephemeral_id: 2e94ea91-0375-4b60-8766-ee6d3f254832
ecs: version: 1.4.0
event: kind: event, code: 1116, provider: Microsoft-Windows-Windows Defender, created: 2020-05-06T08:28:05.674Z
log_information: level: warning
logzio_codec: json
message: Windows Defender Antivirus has detected malware or other potentially unwanted software. For more information please see the following: https://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003&enterprise=0 Name: Virus:DOS/EICAR_Test_File ID: 2147519003 Severity: Severe Category: Virus Path: containerfile:_C:\Users\test_user\Downloads\eicar_com.zip; file:_C:\Users\test_user\Downloads\eicar_com.zip->eicar.com; webfile:_C:\Users\test_user\Downloads\eicar_com.zip|https://www.eicar.org/download/eicar_com.zip|pid:7500,ProcessStart:132332202146885957 Detection Origin: Internet Detection Type: Concrete Detection Source: Downloads and attachments User: WinTesting\test_user Process Name: Unknown Signature Version: AV: 1.315.44.0, AS: 1.315.44.0, NIS: 1.315.44.0 Engine Version: AM: 1.1.17000.7, NIS: 1.1.17000.7
tags: beats-5015, _logzio_codec_json, _jsonparsefailure
timestamp: 2020-05-06T08:28:04.640Z
type: wineventlog
winlog: channel: Microsoft-Windows-Windows Defender/Operational, provider_name: Microsoft-Windows-Windows Defender, api: wineventlog, computer_name: WinTesting, user: {"name": "SYSTEM", "domain": "NT AUTHORITY", "type": "User", "identifier": "S-1-5-18"}, provider_guid: {11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}, activity_id: {2baa0795-dcd6-4cf7-b921-d9ad5e9cd6f0}, process: {"pid": 3232, "thread": {"id": 4992}}, event_data: {"Path": "containerfile:_C:\Users\test_user\Downloads\eicar_com.zip; file:_C:\Users\test_user\Downloads\eicar_com.zip->eicar.com; webfile:_C:\Users\test_user\Downloads\eicar_com.zip|https://www.eicar.org/download/eicar_com.zip|pid:7500,ProcessStart:132332202146885957", "Action Name": "%%887", "Product Version": "4.18.2004.6", "Severity ID": "5", "Signature Version": "AV: 1.315.44.0, AS: 1.315.44.0, NIS: 1.315.44.0", "Post Clean Status": "0", "Execution Name": "%%812", "Type ID": "0", "Category ID": "42", "Engine Version": "AM: 1.1.17000.7, NIS: 1.1.17000.7", "Threat Name": "Virus:DOS/EICAR_Test_File", "Category Name": "Virus", "Origin ID": "4", "Error Description": "The operation completed successfully. ", "Detection User": "WinTesting\test_user", "Product Name": "%%827", "State": "1", "Detection Time": "2020-05-06T08:28:04.604Z", "Error Code": "0x00000000", "Source Name": "%%819", "FWLink": "https://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003&enterprise=0", "Threat ID": "2147519003", "Source ID": "4", "Detection ID": "{26C3583A-98B2-4E88-9B8A-0E9BDEBEB9B4}", "Status Code": "1", "Additional Actions ID": "0", "Additional Actions String": "No additional actions required", "Severity Name": "Severe", "Action ID": "9", "Execution ID": "0", "Type Name": "%%822", "Origin Name": "%%847", "Pre Execution Status": "0", "Process Name": "Unknown"}, task: (empty string), opcode: Info, event_id: 1116, record_id: 136, event_id_description: Unknown