The tags beginning with ids.attivo identify events generated by Company.
Valid tags and data tables
The full tag must have 3 levels. The first two are fixed as ids.attivo. The third level identifies the type of events sent.
These are the valid tags and corresponding data tables that will receive the parsers' data:
The following are sample logs sent to each of the ids.attivo data tables. Under each sample log you will find how its information is parsed into the corresponding data table.
Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.
<12>2021-01-01 01:00:30.000 localhost=127.0.0.1 ids.attivo.botsink: <9> BOTsink: Severity:[Medium] Attacker IP:[188.8.131.52] Target Host:[myHost] Target IP:[184.108.40.206] Target OS:[Windows 2008] Description:[Network Monitoring - Inbound RDP] Details:[Process [System] has incoming tcp connection from [220.127.116.11:63267] at [myHost:3389].] Phase:[Information] Service:[RDP] VLANID: Forwarder:[eth3] Attacker IP Domain:[mydomain.com] Target IP Domain: Attacker HostName: Attacker MAC: Attacker UserNames: TargetIP List: Target Ports: Target IP Ports: Forwarder IP: Dest UserName: subscriberName: Attacker HostName: Attacker MAC: Attacker UserNames: Attivo AlertID:[1234567890ABCDEF] MITRE Technique ID:[T1021] MITRE Technique Name:[Remote Services] MITRE Tactic Name:[Lateral Movement] VTSummaryResult: WebRootReputation:
And this is how the log would be parsed:
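To make the parsing step concrete, here is an added example (it is not the page's own parser, nor the vendor's) that walks through the BOTsink sample line above. The sample log is embedded as a constructed copy of the page's values. The header layout (`<pri>`, timestamp, host token, `ids.attivo.<type>` tag, inner priority, `BOTsink:` marker) and the `Key:[value]` body convention are taken from that one sample; the function and field names are my own. Two details that a naive regex gets wrong are handled explicitly: the `Details` value contains nested `[...]` brackets, and several keys (for example `Attacker HostName`) appear twice, the second time empty.

```python
import re
from typing import Dict, Tuple

# Constructed copy of the sample log on the page; every value is the page's
# sample value, not real infrastructure.
SAMPLE_LOG = (
    "<12>2021-01-01 01:00:30.000 localhost=127.0.0.1 ids.attivo.botsink: <9> BOTsink: "
    "Severity:[Medium] Attacker IP:[188.8.131.52] Target Host:[myHost] "
    "Target IP:[184.108.40.206] Target OS:[Windows 2008] "
    "Description:[Network Monitoring - Inbound RDP] "
    "Details:[Process [System] has incoming tcp connection from "
    "[220.127.116.11:63267] at [myHost:3389].] Phase:[Information] Service:[RDP] "
    "VLANID: Forwarder:[eth3] Attacker IP Domain:[mydomain.com] Target IP Domain: "
    "Attacker HostName: Attacker MAC: Attacker UserNames: TargetIP List: "
    "Target Ports: Target IP Ports: Forwarder IP: Dest UserName: subscriberName: "
    "Attacker HostName: Attacker MAC: Attacker UserNames: "
    "Attivo AlertID:[1234567890ABCDEF] MITRE Technique ID:[T1021] "
    "MITRE Technique Name:[Remote Services] MITRE Tactic Name:[Lateral Movement] "
    "VTSummaryResult: WebRootReputation:"
)

# Header shape inferred from the single sample above (assumption, not a spec).
HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>"
    r"(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<host>\S+) "
    r"(?P<tag>ids\.attivo\.[A-Za-z0-9_]+): "
    r"<(?P<inner_pri>\d+)> BOTsink: (?P<body>.*)$"
)

# A key is a run of letters/digits/spaces ending at the first ':'.
KEY_RE = re.compile(r"([A-Za-z][A-Za-z0-9 ]*?):")


def is_valid_tag(tag: str) -> bool:
    """Exactly three levels, the first two fixed as ids.attivo."""
    parts = tag.split(".")
    return len(parts) == 3 and parts[0] == "ids" and parts[1] == "attivo" and parts[2] != ""


def _read_bracketed(body: str, start: int) -> Tuple[str, int]:
    """Return the text inside the '[' at body[start] and the offset just past its
    matching ']'. Bracket depth is tracked so nested brackets stay in the value."""
    if body[start] != "[":
        raise ValueError("expected '[' at offset %d" % start)
    depth = 0
    for i in range(start, len(body)):
        if body[i] == "[":
            depth += 1
        elif body[i] == "]":
            depth -= 1
            if depth == 0:
                return body[start + 1:i], i + 1
    raise ValueError("unbalanced '[' at offset %d" % start)


def parse_botsink_body(body: str) -> Dict[str, str]:
    """Split 'Key:[value] Key: Key:[value]' into a dict; keys without a
    bracket get an empty string. A repeated key keeps its first non-empty value."""
    fields: Dict[str, str] = {}
    pos, n = 0, len(body)
    while pos < n:
        while pos < n and body[pos] == " ":   # skip separators
            pos += 1
        if pos >= n:
            break
        m = KEY_RE.match(body, pos)
        if not m:
            raise ValueError("no 'Key:' at offset %d: %r" % (pos, body[pos:pos + 20]))
        key, pos = m.group(1).strip(), m.end()
        if pos < n and body[pos] == "[":
            value, pos = _read_bracketed(body, pos)
        else:
            value = ""
        if key not in fields or (fields[key] == "" and value):
            fields[key] = value
    return fields


def parse_botsink_event(line: str) -> Dict[str, object]:
    """Parse one syslog line into header fields plus the parsed body fields."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("line does not look like an ids.attivo BOTsink event")
    tag = m.group("tag")
    if not is_valid_tag(tag):
        raise ValueError("invalid tag: %s" % tag)
    return {
        "priority": int(m.group("pri")),
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "tag": tag,
        "event_type": tag.split(".")[2],
        "fields": parse_botsink_body(m.group("body")),
    }


if __name__ == "__main__":
    event = parse_botsink_event(SAMPLE_LOG)
    for k, v in event["fields"].items():
        print("%-22s %s" % (k, v or "<empty>"))
```

Empty values are kept as empty strings rather than dropped, so a query can still distinguish "field present but blank" (as `VLANID` and `WebRootReputation` are in the sample) from "field absent", which matters when such columns are the Extra columns you request explicitly.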