To filter the event reports sent to Syslog, create a notification in the report category with a defined filter.
LEEF is a custom event format for IBM® Security QRadar®. Events carry standard and custom attributes:
•ESET PROTECT uses some of the standard attributes described in the official IBM documentation.
•The custom attributes are the same as those available in the JSON format. The deviceGroupName attribute contains the full path of the static group of the computer that generates the event. If the path is longer than 255 characters, deviceGroupName contains only the name of the static group. The deviceOSName attribute contains information about the computer's operating system, and the deviceGroupDescription attribute contains the description of the static group.
Event categories:
•Antivirus detections
LEEF:1.0|ESET|RemoteAdministrator|10.1.0.0|Threat Event|cat=ESET Threat Event  sev=3   devTime=Jan 18 2022 14:46:00 GMT devTimeFormat=MMM dd yyyy HH:mm:ss z    src=    deviceName=mydevice     deviceUuid=fb6c25d2-116e-4d0f-a159-695bb16e7b78 deviceGroupName=All      threatType=Virus        threatName=W97M/Marker.KS       scannerID=On-demand scanner     engineVersion=18563     objectUri=mekpoimnjoheutqgzz1o  objectType=File  threatHandled=true      needRestart=false       detectionUuid=90a37fe6-f4f4-4ea6-a265-93dfd9823b12      accountName=Feri        firstseen=20220118T14460    hash=AB37916418A79BF117E9F7D91D35CD0ABFD78E4B
•Firewall
LEEF:1.0|ESET|RemoteAdministrator|10.1.0.0|Firewall Event|cat=ESET Firewall Event      sev=5   devTime=Dec 11 2022 05:39:49 GMT devTimeFormat=MMM dd yyyy HH:mm:ss z    src=    deviceName=mydevice     deviceUuid=fb6c25d2-116e-4d0f-a159-695bb16e7b78 deviceGroupName=All      action=Blocked  eventDesc=TCP Port Scanning attack      dst=192.168.27.20       src=192.168.26.208      inbound=true    dstPort=2508    srcPort=49192    targetAddressType=IPv4  sourceAddressType=IPv4  proto=TCP       threatName=Win32/Botnet.generic aggregateCount=1        handled=1       detectionUuid=ed8232d9-ddff-411a-ad48-efdaea13a0e6
•Filtered websites: web protection
LEEF:1.0|ESET|RemoteAdministrator|10.1.0.0|Filtered Website Event|cat=ESET Filtered Website Event       sev=5   devTime=Jan 19 2022 00:50:00 GMT        devTimeFormat=MMM dd yyyy HH:mm:ss z    src=    deviceName=mydevice     deviceUuid=fb6c25d2-116e-4d0f-a159-695bb16e7b78  deviceGroupName=All     objectUri=https://deloplen.com  actionTaken=Blocked     eventDesc=An attempt to connect to URL  scannerID=HTTP filter   dst=192.168.200.81       targetAddressType=IPv4  detectionUuid=ccec3a9e-0f15-4629-982a-22afdd7b9400      accountName=Frantisek   hash=8EECCDD290BE2E99183290FDBE4172EBE3DC7EC5    processName=chrome.exe  ruleID=Blocked by internal blacklist    handled=0
•HIPS
LEEF:1.0|ESET|RemoteAdministrator|10.1.0.0|ESET HIPS Event|cat=ESET HIPS Event  sev=3   devTime=Dec 01 2022 15:00:02 GMT devTimeFormat=MMM dd yyyy HH:mm:ss z    src=    deviceName=mydevice     deviceUuid=fb6c25d2-116e-4d0f-a159-695bb16e7b78 deviceGroupName=All      handled=1       application=C:\Users\Admin\Desktop\HIPS_test\HIPS_test\es_pack_to_test\es_pack_to_test\test\java.exe    operation=Attempt to run a suspicious object     target=C:\Users\Admin\Desktop\HIPS_test\HIPS_test\es_pack_to_test\es_pack_to_test\test\trojan.exe       action=Blocked  ruleID=Suspicious attempt to launch an application       aggregateCount=1        detectionUuid=8f95d794-4075-46d1-a0b0-749e34327c8d
•Audit
•ESET Inspect alerts
LEEF:1.0|ESET|RemoteAdministrator|10.1.0.0|ESET Inspect Alert|cat=ESET Inspect Alert   sev=3   devTime=Dec 02 2022 08:43:59 GMT devTimeFormat=MMM dd yyyy HH:mm:ss z    src=    deviceName=mydevice     deviceUuid=fb6c25d2-116e-4d0f-a159-695bb16e7b78 deviceGroupName=All      hash=4F7B45CA215E163E963FB3AE00A52650A7E8AF2B   detectionUuid=8407c4d1-c629-4d03-930a-895d135a0edc      user=kj_win10_local\damian      process=%TMP%\34e1824e-5612-4879-92da-5713ceaa965b\rsawdds.doc.exe       eiconsolelink=https://test-inspect.eset.com:443/console/detection/31    rule=Process with a suspicious extension has started [Z0406]     count=1 compSevScore=2976       sevScore=75     triggerEvent=Test Trigger       commandLine=C:\Windows\System32\cmd.exe eialarmid=31
•Blocked files
LEEF:1.0|ESET|RemoteAdministrator|10.1.0.0|Blocked File Event|cat=ESET Blocked File Event      sev=5    devTime=Nov 30 2022 12:51:58 GMT        devTimeFormat=MMM dd yyyy HH:mm:ss z    src=    deviceName=mydevice     deviceUuid=fb6c25d2-116e-4d0f-a159-695bb16e7b78  deviceGroupName=All     objectUri=file:///C:/Program Files/WindowsApps/Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe/Calculator.exe        action=Blocked and cleaned       description=ESET Inspect        hash=FF1CE0EB6007E6BC2EB9D563B2DAA8C4D8F45E87   detectionUuid=edc7c64c-5097-40d5-b45a-e854270c0bb4       firstseen=20210508T072301       cause=Blocked by Administrator
•Incidents
LEEF:1.0|ESET|RemoteAdministrator|11.3.78.0|Incidents Integration Event|cat=ESET Incidents Integration Event#011uuid=00000000-0000-0000-0000-000000000000        name=Incident in detection: Malware detected        action=Create        time_created=Mar 25 2025 11:48::28 GMT        indicator_count=1        device_count=15        process_count=1        module_count=2        url=https://test-protect.eset.com/era/webconsole/#id=INCIDENTS:id=INCIDENT_DETAILS;oid=00000000-0000-0000-0000-000000000000;tid=00000000-0000-0000-0000-000000000000        devTimeFormat=MMM dd yyyy HH:mm:ss z        sev=1
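The following added example (it is not part of the ESET documentation or of the product) parses the LEEF records shown above into header fields and an attribute map, the shape a SIEM custom property or a detection rule would consume. It assumes that the attribute block is tab-delimited, as LEEF 1.0 uses by default; that the `#011` sequences in the Incidents sample are a syslog relay's octal escape for a tab and can be mapped back; that a value may itself contain `=` (the `url` attribute) and must be split on the first `=` only; that a repeated key such as the empty `src=` followed by `src=<ip>` in the Firewall sample should keep the non-empty value; and that a timestamp which does not match the declared `devTimeFormat` (the `time_created` value in the Incidents sample) is rejected rather than guessed. The sample records are copied from this page with tabs restored between attributes; the Threat and Firewall samples are shortened to their key attributes.

```python
"""Parser for the LEEF 1.0 records ESET PROTECT sends to Syslog.

Added example, not ESET code. Assumptions: tab-delimited attributes,
'#011' is a relay's escape for a tab, values may contain '=', and an
unparseable timestamp yields None instead of a guess.
"""
from datetime import datetime, timezone
from typing import Dict, Optional

# Sample records copied from the documentation page (tabs restored).
SAMPLES = [
    "LEEF:1.0|ESET|RemoteAdministrator|10.1.0.0|Threat Event|cat=ESET Threat Event\tsev=3\t"
    "devTime=Jan 18 2022 14:46:00 GMT\tdevTimeFormat=MMM dd yyyy HH:mm:ss z\tsrc=\t"
    "deviceName=mydevice\tdeviceUuid=fb6c25d2-116e-4d0f-a159-695bb16e7b78\tdeviceGroupName=All\t"
    "threatType=Virus\tthreatName=W97M/Marker.KS\tscannerID=On-demand scanner\tobjectType=File\t"
    "threatHandled=true\tdetectionUuid=90a37fe6-f4f4-4ea6-a265-93dfd9823b12\t"
    "hash=AB37916418A79BF117E9F7D91D35CD0ABFD78E4B",
    "LEEF:1.0|ESET|RemoteAdministrator|10.1.0.0|Firewall Event|cat=ESET Firewall Event\tsev=5\t"
    "devTime=Dec 11 2022 05:39:49 GMT\tdevTimeFormat=MMM dd yyyy HH:mm:ss z\tsrc=\t"
    "deviceName=mydevice\tdeviceGroupName=All\taction=Blocked\teventDesc=TCP Port Scanning attack\t"
    "dst=192.168.27.20\tsrc=192.168.26.208\tinbound=true\tdstPort=2508\tsrcPort=49192\tproto=TCP\t"
    "threatName=Win32/Botnet.generic\taggregateCount=1\thandled=1",
    # The Incidents sample keeps the '#011' escapes exactly as the page shows them.
    "LEEF:1.0|ESET|RemoteAdministrator|11.3.78.0|Incidents Integration Event|"
    "cat=ESET Incidents Integration Event#011uuid=00000000-0000-0000-0000-000000000000"
    "#011name=Incident in detection: Malware detected#011action=Create"
    "#011time_created=Mar 25 2025 11:48::28 GMT#011device_count=15"
    "#011url=https://test-protect.eset.com/era/webconsole/#id=INCIDENTS:id=INCIDENT_DETAILS;"
    "oid=00000000-0000-0000-0000-000000000000;tid=00000000-0000-0000-0000-000000000000"
    "#011devTimeFormat=MMM dd yyyy HH:mm:ss z#011sev=1",
]

HEADER_FIELDS = ("leefVersion", "vendor", "product", "productVersion", "eventId")
# Java-style pattern ESET declares in devTimeFormat, mapped to strptime (zone handled separately).
ESET_TIME_FORMAT = "MMM dd yyyy HH:mm:ss z"
STRPTIME_FORMAT = "%b %d %Y %H:%M:%S"


def parse_leef(line: str) -> Dict[str, object]:
    """Split one LEEF record into its five header fields and an attribute dict."""
    line = line.rstrip("\r\n").replace("#011", "\t")   # undo the relay's tab escape (assumption)
    if not line.startswith("LEEF:"):
        raise ValueError("not a LEEF record")
    parts = line.split("|", 5)                          # 5 header fields, then the attribute block
    if len(parts) != 6:
        raise ValueError("truncated LEEF header")
    event: Dict[str, object] = dict(zip(HEADER_FIELDS, parts[:5]))
    event["leefVersion"] = parts[0][len("LEEF:"):]
    attrs: Dict[str, str] = {}
    for token in parts[5].split("\t"):
        if "=" not in token:
            continue
        key, value = token.split("=", 1)                # first '=' only: values like url contain '='
        key, value = key.strip(), value.strip()
        if value or key not in attrs:                   # an empty 'src=' must not clobber 'src=<ip>'
            attrs[key] = value
    event["attrs"] = attrs
    return event


def event_time(event: Dict[str, object]) -> Optional[datetime]:
    """Return the device time as an aware UTC datetime, or None if it cannot be trusted.

    Incidents events carry time_created instead of devTime, so both are tried.
    """
    attrs = event["attrs"]
    raw = attrs.get("devTime") or attrs.get("time_created")
    if attrs.get("devTimeFormat") != ESET_TIME_FORMAT or not raw or not raw.endswith(" GMT"):
        return None
    try:
        naive = datetime.strptime(raw[: -len(" GMT")], STRPTIME_FORMAT)
    except ValueError:                                   # e.g. the '11:48::28' value in the sample
        return None
    return naive.replace(tzinfo=timezone.utc)


def summarize(event: Dict[str, object]) -> Dict[str, object]:
    """Normalize the fields a SIEM would key on: event id, numeric severity, device, time."""
    attrs = event["attrs"]
    when = event_time(event)
    return {
        "event_id": event["eventId"],
        "severity": int(attrs.get("sev", "0")),
        "device": attrs.get("deviceName", ""),
        "detection_uuid": attrs.get("detectionUuid") or attrs.get("uuid", ""),
        "time": when.isoformat() if when else None,
    }


if __name__ == "__main__":
    for record in SAMPLES:
        print(summarize(parse_leef(record)))
```

Running the block prints one normalized row per sample; the Incidents row carries `time: None` because its `time_created` value does not match the declared format, which is the behaviour you want in a pipeline rather than a silently shifted timestamp. Note that `deviceGroupName` is not normalized here: because the product truncates it to the bare group name once the full path exceeds 255 characters, a consumer should treat a value without a path separator as possibly truncated rather than as a top-level group.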