
JSON输出Syslog示例

用户活动示例

以下JSON输出是输出内容的示例。

注意

部分示例数据值(如电子邮件地址和IP地址)已做泛化处理。

{
"用户": "auditlogtest@example.com",
"操作": "用户邀请",
"日期": "2021年4月15日 15:00:03 UTC"
}

此JSON示例不含换行符(每条记录单独占一行),例如:

{"用户":"useractivity@example.com","操作":"用户登录 192.0.2.0","日期":"2021年4月15日 06:52:45 UTC"}
{"用户":"auditlogtest@example.com","操作":"用户注销 (192.0.2.0)","日期":"2021年4月15日 06:11:06 UTC"}
{"用户":"auditlogtest@example.com","操作":"用户登录失败 (192.0.2.0)","日期":"2021年4月15日 06:12:04 UTC"}
{"用户":"auditlogtest@example.com","操作":"用户更新 (useractivity@example.com)","日期":"2021年4月15日 06:13:01 UTC"}
{"用户":"mtd策略","操作":"隐私政策发布 (设备1)","日期":"2021年4月15日 05:22:48 UTC"}
{"用户":"mtd策略","操作":"策略发布 (设备1)","日期":"2021年4月15日 05:22:48 UTC"}
{"用户":"auditlogtest@example.com","操作":"策略发布 (设备1)","日期":"2021年4月15日 05:23:06 UTC"}
{"用户":"auditlogtest@example.com","操作":"隐私政策发布 (设备1)","日期":"2021年4月15日 05:23:41 UTC"}

此示例包含syslog头部信息:

日期: 2021-06-02T14:47:01+00:00
设施: local0
级别: 紧急
消息: {"用户":"admin@example.com","操作":"用户登录 192.0.2.0","日期":"2021年6月2日 14:47:01 UTC"}
日期: 2021-06-02T14:51:36+00:00
设施: local0
级别: 严重
消息: {"用户":"upgradetest@example.com","操作":"用户登录失败 (192.0.2.0)","日期":"2021年6月2日 14:51:36 UTC"}
日期: 2021-06-02T14:51:38+00:00
设施: local0
级别: 严重
消息: {"用户":"upgradetest@example.com","操作":"用户登录 192.0.2.0","日期":"2021年6月2日 14:51:38 UTC"}
日期: 2021-06-02T15:13:53+00:00
设施: syslog
级别: 错误
消息: 日志消息处理错误: <133>1 2021-06-02T15:13:53.191Z 未找到数据导出 ->@< 审计 - {"用户":"user@example.com","操作":"用户登录 192.0.2.0","日期":"2021年6月2日 15:13:52 UTC"}
日期: 2021-06-02T15:26:52+00:00
设施: syslog
级别: 错误
消息: 日志消息处理错误: <133>1 2021-06-02T15:26:52.325Z 未找到数据导出 ->@< 审计 - {"用户":"user":"user@example.com","操作":"用户登录 192.0.2.0","日期":"2021年6月2日 15:26:51 UTC"}

威胁活动精简模式示例

此JSON输出展示了精简模式的示例;为简洁起见,部分重复的数组内容已删除。

注意

本示例中的部分数据值已进行泛化处理,例如电子邮件地址、IP地址和MAC地址。

单一威胁示例

{
"system_token": "导出演示",
"severity": 1,
"event_id": "19fb0e4e-164c-4b7e-a4ff-84ced7934cf5",
"mitigated": false,
"location": null,
"eventtimestamp": "2021年2月24日 10:11:10 UTC",
"user_info": {
"user_id": "0baa981e-0e66-45c4-86c8-e45f3c843211",
"user_group": "测试组",
"user_role": "终端用户",
"user_email": "jon@example.com",
"employee_name": "匿名用户"
},
"device_info": {
"zdid": "1128481a-6f00-4407-975e-ed4dff65f181",
"zapp_instance_id": "231b0fb2-2e18-41ac-963c-e5360eb54bf1",
"device_time": "2021年2月24日 10:11:10 UTC",
"tag1": "跟踪ID1",
"tag2": "",
"imei": "467a44e7-cf00-4a4d-aa52-89cd667a6711",
"device_id": "467a55e7-cf00-4a4d-aa52-89cd667a6711",
"mdm_id": null,
"mam_id": null,
"type": "iPhone10,6",
"app": "Bitdefender",
"jailbroken": false,
"os_version": "10.0",
"operator": "AT&T",
"model": "iPhoneX",
"app_version": "4.14.0",
"os": "iOS",
"usb_debugging_enabled": false,
"developer_options_on": false,
"disk_not_encrypted": false,
"lock_screen_unprotected": false,
"stagefright_vulnerable": false
},
"threat": {
"story": "未加密WiFi网络",
"name": "未加密WiFi网络",
"category": [
"单一威胁"
],
"mitre_tactics": [
"初始访问",
"收集",
"外泄",
"网络效应"
],
"threat_uuid": "b2ce1f27-5e49-47ff-ac3a-c2670fa6e503",
"child_threat_uuids": [],
"general": {
"time_interval": "0",
"threat_type": "未加密WiFi网络",
"device_ip": "192.0.2.0",
"network": "自动化网络",
"network_bssid": "00:00:4E:00:00:00",
"network_interface": "lo0",
"action_triggered": "用户告警",
"external_ip": "192.0.2.24",
"gateway_mac": "00:00:5E:00:00:00",
"gateway_ip": "192.0.2.23",
"device_time": "2021年2月24日 10:11:08 UTC",
"malware_list": "{}"
}
}
}

复合威胁示例

{
"system_token": "导出复合演示",
"severity": 3,
"event_id": "881e062d-62eb-40a5-a5c4-522a6ebca18b",
"mitigated": false,
"location": null,
"eventtimestamp": "2021年2月24日 10:11:17 UTC",
"user_info": {
"user_id": "0baa981e-0e66-45c4-86c8-e45f3c843211",
"user_group": "测试组",
"user_role": "终端用户",
"user_email": "jon@example.com",
"employee_name": "匿名用户"
},
"device_info": {
"zdid": "1128481a-6f00-4407-975e-ed4dff65f181",
"zapp_instance_id": "231b0fb2-2e18-41ac-963c-e5360eb54bf1",
"device_time": "2021年4月7日 20:28:05 UTC",
"tag1": "追踪ID1",
"tag2": "",
"imei": "467a44e7-cf00-4a4d-aa52-89cd667a6711",
"device_id": "467a55e7-cf00-4a4d-aa52-89cd667a6711",
"mdm_id": null,
"mam_id": null,
"type": "iPhone11,8",
"app": "Bitdefender",
"jailbroken": false,
"os_version": "14.4.3",
"operator": "AT&T",
"model": "iPhoneX",
"app_version": "4.17.0",
"os": "iOS",
"usb_debugging_enabled": false,
"developer_options_on": false,
"disk_not_encrypted": false,
"lock_screen_unprotected": false,
"stagefright_vulnerable": false
},
"threat": {
"story": "受感染网络",
"name": "受感染网络",
"category": [
"复合型"
],
"mitre_tactics": [
"初始访问",
"信息收集",
"数据渗出",
"网络效应"
],
"threat_uuid": "d9c1d239-6abc-4762-b2bb-663ca74dc7f8",
"child_threat_uuids": [
"336e4163-9970-42ec-ba71-da919c32c817",
"6d9d6509-ec9a-45c2-bcca-aa602400e77a",
"b2ce1f27-5e49-47ff-ac3a-c2670fa6e503"
],
"general": {
"time_interval": "0",
"threat_type": "受感染网络",
"device_ip": "192.0.2.21",
"network": "自动化网络",
"network_bssid": "00:00:4E:00:00:00",
"network_interface": "lo0",
"action_triggered": "用户告警",
"external_ip": "192.0.2.18",
"gateway_mac": "00:00:5E:00:00:00",
"gateway_ip": "192.0.2.16",
"device_time": "2021年2月24日 10:11:15 UTC",
"malware_list": "{}"
}
}
}

威胁活动详细模式示例

本JSON输出提供详细模式的示例样本。部分重复的数组内容已从样本中移除。

注意

本样本中的部分数据值(如电子邮件地址、IP地址和MAC地址)已做泛化处理。此外,并非所有字段都适用于该威胁类型,保留这些字段仅为展示额外的字段数据。

{
"system_token": "演示详细输出",
"severity": 3,
"event_id": "f443cb3f-bf7d-432e-a308-10c3b19bff61",
"forensics": {
"os": 1,
"SSID": "自动化网络",
"type": 38,
"BSSID": "00:00:5E:00:00:00",
"os_forensics": {
"expected_security_patch": "20220101",
"vulnerable_security_patch": "2021-08-01",
"expected_os_version": "11",
"device_model": "SM-M025F",
"vulnerable_os_version": "11",
"build_information": "RP1A.200720.012",
"device_manufacturer": "三星"
},
"general": [
{
"val": "20",
"name": "时间间隔",
"type": "interval"
},
{
"val": "恶意接入点",
"name": "威胁类型"
},
{
"val": "192.0.2.0",
"name": "设备IP"
},
{
"val": "\"Planet\"",
"name": "攻击者SSID"
},
{
"val": "00:00:5E:00:00:00",
"name": "攻击者BSSID"
},
{
"val": "自动化网络",
"name": "网络"
},
{
"val": "00:00:5E:00:00:00",
"name": "网络BSSID"
},
{
"val": "wlan0",
"name": "网络接口"
},
{
"val": "警报用户",
"name": "触发动作"
},
{
"val": "192.0.2.24",
"name": "外部IP"
},
{
"val": "00:00:5E:00:00:00",
"name": "网关MAC"
},
{
"val": "192.0.2.23",
"name": "网关IP"
},
{
"val": "{\"mnc\":260,\"psc\":251,\"type\":\"WCDMA\",\"cid\":124989446,\"mcc\":310,\"lac\":45991}",
"name": "基站信息",
"type": "json_str"
},
{
"val": "02 24 2021 10:25:16 UTC",
"name": "设备时间"
},
{
"val": "11",
"name": "易受攻击系统版本"
},
{
"val": "11",
"name": "预期系统版本"
},
{
"val": "2021-08-01",
"name": "易受攻击安全补丁"
},
{
"val": "20220101",
"name": "预期安全补丁"
},
{
"val": "三星",
"name": "设备制造商"
},
{
"val": "SM-M025F",
"name": "设备型号"
},
{
"val": "RP1A.200720.012",
"name": "构建信息"
}
],
"severity": 3,
"responses": [
0
],
"attack_time": {
"$date": 1614162316000
},
"threat_uuid": "a0fa1162-6582-46a2-b9ad-9dfcf5972e68",
"process_list": [
{
"User": "root",
"Service": "u:r:init:s0",
"Process Name": "/init",
"Process ID(PID)": "1",
"Parent process(PPID)": "0"
},
{
"User": "root",
"Service": "u:r:kernel:s0",
"Process Name": "kthreadd",
"Process ID(PID)": "2",
"Parent process(PPID)": "0"
},
{
"User": "root",
"Service": "u:r:kernel:s0",
"Process Name": "ksoftirqd/0",
"Process ID(PID)": "3",
"Parent process(PPID)": "2"
},
{
"User": "u0_a21",
"Service": "u:r:untrusted_app:s0",
"Process Name": "com.google.android.apps.walletnfcrel",
"Process ID(PID)": "26737",
"Parent process(PPID)": "179"
}
],
"routing_table": [
{
"use": 31,
"refs": 0,
"flags": "0",
"netif": "wlan0",
"gateway": "192.168.43.1",
"destination": "192.168.43.1"
},
{
"use": 31,
"refs": 0,
"flags": "84000000",
"netif": "lo",
"gateway": "192.168.43.199",
"destination": "192.168.43.199"
},
{
"use": 7,
"refs": 0,
"flags": "0",
"netif": "wlan0",
"gateway": "192.168.43.1",
"destination": "8.8.8.8"
}
],
"time_interval": 20,
"close_networks": [
{
"SSID": "自动化网络",
"BSSID": "00:00:5E:00:00:00",
"level": 0,
"frequency": 0,
"capabilities": "N/A"
}
],
"network_threat": {
"gw_ip": "192.0.2.0",
"my_ip": "192.0.2.2",
"gw_mac": "00:00:5E:00:00:00",
"my_mac": "00:00:5E:00:00:00",
"net_stat": [
{
"Proto": "TCP",
"State": "LAST_ACK",
"Recv-Q": "root",
"Send-Q": "0",
"Local Address": "192.0.2.0:37002",
"Foreign Address": "192.0.2.0:443"
}
],
"interface": "wlan0",
"arp_tables": {
"after": {
"table": [
{
"ip": "192.0.2.0",
"mac": "00:00:5E:00:00:00"
}
]
},
"before": {
"table": [
{
"ip": "192.0.2.0",
"mac": "00:c0:ca:aa:bb:cc"
}
]
},
"initial": {
"table": [
{
"ip": "192.0.2.0",
"mac": "00:00:5E:00:00:00"
}
]
}
},
"basestation": "{\"mnc\":260,\"psc\":251,\"type\":\"WCDMA\",\"cid\":124989446,\"mcc\":310,\"lac\":45991}",
"routing_table": [
{
"Use": "31",
"Refs": "0",
"Flags": "84000000",
"Netif": "lo",
"Gateway": "192.168.43.199",
"Destination": "192.168.43.199"
},
{
"Use": "7",
"Refs": "0",
"Flags": "0",
"Netif": "wlan0",
"Gateway": "192.168.43.1",
"Destination": "8.8.8.8"
}
]
},
"rogue_access_point": {
"SSID": "\"Planet\"",
"BSSID": "00:00:5E:00:00:00",
"frequency": -1
}
},
"mitigated": false,
"location": null,
"eventtimestamp": "02 24 2021 10:25:20 UTC",
"user_info": {
"user_id": "0baa981e-0e66-45c4-86c8-e45f3c843211",
"user_group": "测试组",
"user_role": "终端用户",
"user_email": "reshma@example.com",
"employee_name": "匿名用户"
},
"device_info": {
"zdid": "000b731a-b152-4fd1-84f4-3de685eb9d72",
"zapp_instance_id": "575cbcb7-e1b3-47ff-b56e-6b495ab7c938",
"device_time": "02 24 2021 10:25:20 UTC",
"tag1": "标签ID一",
"tag2": "标签ID二",
"imei": "68a9591f-cb6b-4d48-8244-96f484f678b6",
"device_id": "68a9591f-cb6b-4d48-8244-96f484f678b6",
"mdm_id": null,
"mam_id": null,
"type": "Pixel XL",
"app": "Bitdefender",
"jailbroken": false,
"os_version": "8.0",
"operator": "AT&T",
"model": "Pixel XL",
"app_version": "4.14.0",
"os": "Android",
"usb_debugging_enabled": false,
"developer_options_on": false,
"disk_not_encrypted": false,
"lock_screen_unprotected": false,
"stagefright_vulnerable": false
},
"threat": {
"story": "恶意接入点",
"name": "恶意接入点",
"category": [
"单一威胁"
],
"mitre_tactics": [
"初始访问",
"凭证窃取",
"网络影响"
],
"threat_uuid": "a0fa1162-6582-46a2-b9ad-9dfcf5972e68",
"child_threat_uuids": [],
"general": {
"time_interval": "20",
"threat_type": "恶意接入点",
"device_ip": "192.0.2.0",
"attacker_ssid": "\"Planet\"",
"attacker_bssid": "00:00:5E:00:00:00",
"network": "自动化网络",
"network_bssid": "00:00:5E:00:00:00",
"network_interface": "wlan0",
"action_triggered": "警报用户",
"external_ip": "192.0.2.4",
"gateway_mac": "00:c0:ca:aa:bb:cc",
"gateway_ip": "192.0.2.4",
"basestation": "{\"mnc\":260,\"psc\":251,\"type\":\"WCDMA\",\"cid\":124989446,\"mcc\":310,\"lac\":45991}",
"device_time": "02 24 2021 10:25:16 UTC"
}
}
}