JSON output syslog samples
User activity sample
This is a sample of the JSON output for user activity.
Note
Some data values in these samples have been changed to make them generic, such as email addresses and IP addresses.
{ "user": "[email protected]", "action": "UserInvited", "date": "04 15 2021 15:00:03 UTC" }
This JSON sample has no line feeds between records, for instance:
{"user":"[email protected]","action":"UserLogin 192.0.2.0","date":"04 15 2021 06:52:45 UTC"} {"user":"[email protected]","action":"User Logout (192.0.2.0)","date":"04 15 2021 06:11:06 UTC"} {"user":"[email protected]","action":"User Login Failed (192.0.2.0)","date":"04 15 2021 06:12:04 UTC"} {"user":"[email protected]","action":"User Updated ([email protected])","date":"04 15 2021 06:13:01 UTC"} {"user":"mtd-policy","action":"Privacy Published (Device1)","date":"04 15 2021 05:22:48 UTC"} {"user":"mtd-policy","action":"Policy Published (Device1)","date":"04 15 2021 05:22:48 UTC"} {"user":"[email protected]","action":"Policy Published (Device1)","date":"04 15 2021 05:23:06 UTC"} {"user":"[email protected]","action":"Privacy Published (Device1)","date":"04 15 2021 05:23:41 UTC"}
This sample includes the syslog header information. Note that the last two records are wrapped in an "Error processing log message:" envelope from the syslog receiver, so the JSON payload is preceded by non-JSON text that a consumer must tolerate:
Date: 2021-06-02T14:47:01+00:00 Facility: local0 Level: emerg Msg: {"user":"[email protected]","action":"UserLogin 192.0.2.0","date":"06 02 2021 14:47:01 UTC"} Date: 2021-06-02T14:51:36+00:00 Facility: local0 Level: crit Msg: {"user":"[email protected]","action":"User Login Failed (192.0.2.0)","date":"06 02 2021 14:51:36 UTC"} Date: 2021-06-02T14:51:38+00:00 Facility: local0 Level: crit Msg: {"user":"[email protected]","action":"UserLogin 192.0.2.0","date":"06 02 2021 14:51:38 UTC"} Date: 2021-06-02T15:13:53+00:00 Facility: syslog Level: err Msg: Error processing log message: <133>1 2021-06-02T15:13:53.191Z not found dataexport ->@< AUDIT - {"user":"[email protected]","action":"UserLogin 192.0.2.0","date":"06 02 2021 15:13:52 UTC"} Date: 2021-06-02T15:26:52+00:00 Facility: syslog Level: err Msg: Error processing log message: <133>1 2021-06-02T15:26:52.325Z not found dataexport ->@< AUDIT - {"user":"user":"[email protected]","action":"UserLogin 192.0.2.0","date":"06 02 2021 15:26:51 UTC"}
Threat activity concise mode sample
This is a sample of the concise mode JSON output. Some of the contents of this sample were removed for brevity, such as repeated array elements.
Note
Some data values in this sample have been changed to make it generic, such as email addresses, IP addresses, and MAC addresses.
Singular threat example
{ "system_token": "export demo", "severity": 1, "event_id": "19fb0e4e-164c-4b7e-a4ff-84ced7934cf5", "mitigated": false, "location": null, "eventtimestamp": "02 24 2021 10:11:10 UTC", "user_info": { "user_id": "0baa981e-0e66-45c4-86c8-e45f3c843211", "user_group": "TestGroup", "user_role": "End User", "user_email": "[email protected]", "employee_name": "anonymous user" }, "device_info": { "zdid": "1128481a-6f00-4407-975e-ed4dff65f181", "zapp_instance_id": "231b0fb2-2e18-41ac-963c-e5360eb54bf1", "device_time": "02 24 2021 10:11:10 UTC", "tag1": "TrackingID1", "tag2": "", "imei": "467a44e7-cf00-4a4d-aa52-89cd667a6711", "device_id": "467a55e7-cf00-4a4d-aa52-89cd667a6711", "mdm_id": null, "mam_id": null, "type": "iPhone10,6", "app": "Bitdefender", "jailbroken": false, "os_version": "10.0", "operator": "AT&T", "model": "iPhoneX", "app_version": "4.14.0", "os": "iOS", "usb_debugging_enabled": false, "developer_options_on": false, "disk_not_encrypted": false, "lock_screen_unprotected": false, "stagefright_vulnerable": false }, "threat": { "story": "Unsecured WiFi Network", "name": "Unsecured WiFi Network", "category": [ "Singular" ], "mitre_tactics": [ "Initial Access", "Collection", "Exfiltration", "Network Effects" ], "threat_uuid": "b2ce1f27-5e49-47ff-ac3a-c2670fa6e503", "child_threat_uuids": [], "general": { "time_interval": "0", "threat_type": "Unsecured WiFi Network", "device_ip": "192.0.2.0", "network": "AUTOMATION", "network_bssid": "00:00:4E:00:00:00", "network_interface": "lo0", "action_triggered": "Alert User", "external_ip": "192.0.2.24", "gateway_mac": "00:00:5E:00:00:00", "gateway_ip": "192.0.2.23", "device_time": "02 24 2021 10:11:08 UTC", "malware_list": "{}" } } }
Composite threat example
{ "system_token": "export composite demo", "severity": 3, "event_id": "881e062d-62eb-40a5-a5c4-522a6ebca18b", "mitigated": false, "location": null, "eventtimestamp": "02 24 2021 10:11:17 UTC", "user_info": { "user_id": "0baa981e-0e66-45c4-86c8-e45f3c843211", "user_group": "TestGroup", "user_role": "End User", "user_email": "[email protected]", "employee_name": "anonymous user" }, "device_info": { "zdid": "1128481a-6f00-4407-975e-ed4dff65f181", "zapp_instance_id": "231b0fb2-2e18-41ac-963c-e5360eb54bf1", "device_time": "04 07 2021 20:28:05 UTC", "tag1": "TrackingID1", "tag2": "", "imei": "467a44e7-cf00-4a4d-aa52-89cd667a6711", "device_id": "467a55e7-cf00-4a4d-aa52-89cd667a6711", "mdm_id": null, "mam_id": null, "type": "iPhone11,8", "app": "Bitdefender", "jailbroken": false, "os_version": "14.4.3", "operator": "AT&T", "model": "iPhoneX", "app_version": "4.17.0", "os": "iOS", "usb_debugging_enabled": false, "developer_options_on": false, "disk_not_encrypted": false, "lock_screen_unprotected": false, "stagefright_vulnerable": false }, "threat": { "story": "Compromised Network", "name": "Compromised Network", "category": [ "Composite" ], "mitre_tactics": [ "Initial Access", "Collection", "Exfiltration", "Network Effects" ], "threat_uuid": "d9c1d239-6abc-4762-b2bb-663ca74dc7f8", "child_threat_uuids": [ "336e4163-9970-42ec-ba71-da919c32c817", "6d9d6509-ec9a-45c2-bcca-aa602400e77a", "b2ce1f27-5e49-47ff-ac3a-c2670fa6e503" ], "general": { "time_interval": "0", "threat_type": "Compromised Network", "device_ip": "192.0.2.21", "network": "AUTOMATION", "network_bssid": "00:00:4E:00:00:00", "network_interface": "lo0", "action_triggered": "Alert User", "external_ip": "192.0.2.18", "gateway_mac": "00:00:5E:00:00:00", "gateway_ip": "192.0.2.16", "device_time": "02 24 2021 10:11:15 UTC", "malware_list": "{}" } } }
Threat activity verbose mode sample
This is a sample of the verbose mode JSON output. Repeated array elements were removed from this sample for brevity.
Note
Some data values in this sample have been changed to make it generic, such as email addresses, IP addresses, and MAC addresses. Also, not all of these fields exist for every threat type; they are included here to show the data for additional fields.
{ "system_token": "demo verbose", "severity": 3, "event_id": "f443cb3f-bf7d-432e-a308-10c3b19bff61", "forensics": { "os": 1, "SSID": "AUTOMATION", "type": 38, "BSSID": "00:00:5E:00:00:00", "os_forensics": { "expected_security_patch": "20220101", "vulnerable_security_patch": "2021-08-01", "expected_os_version": "11", "device_model": "SM-M025F", "vulnerable_os_version": "11", "build_information": "RP1A.200720.012", "device_manufacturer": "samsung" }, "general": [ { "val": "20", "name": "Time Interval", "type": "interval" }, { "val": "Rogue Access Point", "name": "Threat Type" }, { "val": "192.0.2.0", "name": "Device IP" }, { "val": "\"Planet\"", "name": "Attacker SSID" }, { "val": "00:00:5E:00:00:00", "name": "Attacker BSSID" }, { "val": "AUTOMATION", "name": "Network" }, { "val": "00:00:5E:00:00:00", "name": "Network BSSID" }, { "val": "wlan0", "name": "Network Interface" }, { "val": "Alert User", "name": "Action Triggered" }, { "val": "192.0.2.24", "name": "External IP" }, { "val": "00:00:5E:00:00:00", "name": "Gateway MAC" }, { "val": "192.0.2.23", "name": "Gateway IP" }, { "val": "{\"mnc\":260,\"psc\":251,\"type\":\"WCDMA\",\"cid\":124989446,\"mcc\":310,\"lac\":45991}", "name": "BaseStation", "type": "json_str" }, { "val": "02 24 2021 10:25:16 UTC", "name": "Device Time" }, { "val": "11", "name": "Vulnerable Os Version" }, { "val": "11", "name": "Expected Os Version" }, { "val": "2021-08-01", "name": "Vulnerable Security Patch" }, { "val": "20220101", "name": "Expected Security Patch" }, { "val": "samsung", "name": "Device Manufacturer" }, { "val": "SM-M025F", "name": "Device Model" }, { "val": "RP1A.200720.012", "name": "Build Information" } ], "severity": 3, "responses": [ 0 ], "attack_time": { "$date": 1614162316000 }, "threat_uuid": "a0fa1162-6582-46a2-b9ad-9dfcf5972e68", "process_list": [ { "User": "root", "Service": "u:r:init:s0", "Process Name": "/init", "Process ID(PID)": "1", "Parent process(PPID)": "0" }, { "User": "root", "Service": "u:r:kernel:s0", 
"Process Name": "kthreadd", "Process ID(PID)": "2", "Parent process(PPID)": "0" }, { "User": "root", "Service": "u:r:kernel:s0", "Process Name": "ksoftirqd/0", "Process ID(PID)": "3", "Parent process(PPID)": "2" }, { "User": "u0_a21", "Service": "u:r:untrusted_app:s0", "Process Name": "com.google.android.apps.walletnfcrel", "Process ID(PID)": "26737", "Parent process(PPID)": "179" } ], "routing_table": [ { "use": 31, "refs": 0, "flags": "0", "netif": "wlan0", "gateway": "192.168.43.1", "destination": "192.168.43.1" }, { "use": 31, "refs": 0, "flags": "84000000", "netif": "lo", "gateway": "192.168.43.199", "destination": "192.168.43.199" }, { "use": 7, "refs": 0, "flags": "0", "netif": "wlan0", "gateway": "192.168.43.1", "destination": "8.8.8.8" } ], "time_interval": 20, "close_networks": [ { "SSID": "AUTOMATION", "BSSID": "00:00:5E:00:00:00", "level": 0, "frequency": 0, "capabilities": "N/A" } ], "network_threat": { "gw_ip": "192.0.2.0", "my_ip": "192.0.2.2", "gw_mac": "00:00:5E:00:00:00", "my_mac": "00:00:5E:00:00:00", "net_stat": [ { "Proto": "TCP", "State": "LAST_ACK", "Recv-Q": "root", "Send-Q": "0", "Local Address": "192.0.2.0:37002", "Foreign Address": "192.0.2.0:443" } ], "interface": "wlan0", "arp_tables": { "after": { "table": [ { "ip": "192.0.2.0", "mac": "00:00:5E:00:00:00" } ] }, "before": { "table": [ { "ip": "192.0.2.0", "mac": "00:c0:ca:aa:bb:cc" } ] }, "initial": { "table": [ { "ip": "192.0.2.0", "mac": "00:00:5E:00:00:00" } ] } }, "basestation": "{\"mnc\":260,\"psc\":251,\"type\":\"WCDMA\",\"cid\":124989446,\"mcc\":310,\"lac\":45991}", "routing_table": [ { "Use": "31", "Refs": "0", "Flags": "84000000", "Netif": "lo", "Gateway": "192.168.43.199", "Destination": "192.168.43.199" }, { "Use": "7", "Refs": "0", "Flags": "0", "Netif": "wlan0", "Gateway": "192.168.43.1", "Destination": "8.8.8.8" } ] }, "rogue_access_point": { "SSID": "\"Planet\"", "BSSID": "00:00:5E:00:00:00", "frequency": -1 } }, "mitigated": false, "location": null, "eventtimestamp": 
"02 24 2021 10:25:20 UTC", "user_info": { "user_id": "0baa981e-0e66-45c4-86c8-e45f3c843211", "user_group": "TestGroup", "user_role": "End User", "user_email": "[email protected]", "employee_name": "anonymous user" }, "device_info": { "zdid": "000b731a-b152-4fd1-84f4-3de685eb9d72", "zapp_instance_id": "575cbcb7-e1b3-47ff-b56e-6b495ab7c938", "device_time": "02 24 2021 10:25:20 UTC", "tag1": "tag id one", "tag2": "tag id two", "imei": "68a9591f-cb6b-4d48-8244-96f484f678b6", "device_id": "68a9591f-cb6b-4d48-8244-96f484f678b6", "mdm_id": null, "mam_id": null, "type": "Pixel XL", "app": "Bitdefender", "jailbroken": false, "os_version": "8.0", "operator": "AT&T", "model": "Pixel XL", "app_version": "4.14.0", "os": "Android", "usb_debugging_enabled": false, "developer_options_on": false, "disk_not_encrypted": false, "lock_screen_unprotected": false, "stagefright_vulnerable": false }, "threat": { "story": "Rogue Access Point", "name": "Rogue Access Point", "category": [ "Singular" ], "mitre_tactics": [ "Initial Access", "Credential Access", "Network Effects" ], "threat_uuid": "a0fa1162-6582-46a2-b9ad-9dfcf5972e68", "child_threat_uuids": [], "general": { "time_interval": "20", "threat_type": "Rogue Access Point", "device_ip": "192.0.2.0", "attacker_ssid": "\"Planet\"", "attacker_bssid": "00:00:5E:00:00:00", "network": "AUTOMATION", "network_bssid": "00:00:5E:00:00:00", "network_interface": "wlan0", "action_triggered": "Alert User", "external_ip": "192.0.2.4", "gateway_mac": "00:c0:ca:aa:bb:cc", "gateway_ip": "192.0.2.4", "basestation": "{\"mnc\":260,\"psc\":251,\"type\":\"WCDMA\",\"cid\":124989446,\"mcc\":310,\"lac\":45991}", "device_time": "02 24 2021 10:25:16 UTC" } } }