forked from jerry-frady/STIX
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathSplunk.json
More file actions
148 lines (148 loc) · 8.33 KB
/
Splunk.json
File metadata and controls
148 lines (148 loc) · 8.33 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
{
"id": "bundle--ba4e815d-dd60-4f9b-bd06-edda52e71ce3",
"objects": [
{
"created": "2020-08-23T14:40:59.719Z",
"id": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6",
"identity_class": "system",
"modified": "2020-08-23T14:40:59.719Z",
"name": "splunk",
"type": "identity"
},
{
"created": "2020-08-23T14:38:59.000Z",
"created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6",
"first_observed": "2020-08-23T14:38:59.000Z",
"id": "observed-data--5fc544cd-515e-41cc-829e-05b3379bd36c",
"last_observed": "2020-08-23T14:38:59.000Z",
"modified": "2020-08-23T14:38:59.000Z",
"number_observed": 1,
"objects": {
"0": {
"resolves_to_refs": "2",
"type": "ipv4-addr",
"value": "192.168.0.8"
},
"1": {
"dst_port": 1120,
"dst_ref": "3",
"protocols": [
"tcp"
],
"src_port": 1220,
"src_ref": "0",
"type": "network-traffic"
},
"2": {
"type": "mac-addr",
"value": "AA:BB:CC:DD:11:22"
},
"3": {
"resolves_to_refs": "4",
"type": "ipv4-addr",
"value": "127.0.0.1"
},
"4": {
"type": "mac-addr",
"value": "EE:DD:BB:AA:CC:11"
},
"5": {
"hashes": {
"SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0"
},
"type": "file"
},
"6": {
"account_login": "test",
"type": "user-account",
"user_id": "test"
},
"7": {
"type": "url",
"value": "https://test.fireeye.com/malware_analysis/analyses?maid=1"
},
"8": {
"type": "domain-name",
"value": "test.fireeye.com"
},
"9": {
"payload_bin": "QXVnIDIzIDIwMTkgMTQ6Mzg6NTkgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxNDozODo1OSBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK",
"type": "artifact"
}
},
"type": "observed-data",
"x_com_splunk_spl": {
"user": "sname",
"utf8_payload": "Aug 23 2020 14:38:59 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2020 14:38:59 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n"
}
},
{
"created": "2020-08-23T13:39:02.000Z",
"created_by_ref": "identity--f8b6ee06-9176-40b8-8127-f3d1ac0b30d6",
"first_observed": "2020-08-23T13:39:02.000Z",
"id": "observed-data--7709dbed-40e8-4d4c-beb3-c7023f771204",
"last_observed": "2020-08-23T13:39:02.000Z",
"modified": "2020-08-23T13:39:02.000Z",
"number_observed": 1,
"objects": {
"0": {
"resolves_to_refs": "2",
"type": "ipv4-addr",
"value": "192.168.0.1"
},
"1": {
"dst_port": 1120,
"dst_ref": "3",
"protocols": [
"tcp"
],
"src_port": 1220,
"src_ref": "0",
"type": "network-traffic"
},
"2": {
"type": "mac-addr",
"value": "AA:BB:CC:DD:11:22"
},
"3": {
"resolves_to_refs": "4",
"type": "ipv4-addr",
"value": "127.0.0.1"
},
"4": {
"type": "mac-addr",
"value": "EE:DD:BB:AA:CC:11"
},
"5": {
"hashes": {
"SHA-256": "c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0"
},
"type": "file"
},
"6": {
"account_login": "test",
"type": "user-account",
"user_id": "test"
},
"7": {
"type": "url",
"value": "https://test.fireeye.com/malware_analysis/analyses?maid=1"
},
"8": {
"type": "domain-name",
"value": "test.fireeye.com"
},
"9": {
"payload_bin": "QXVnIDIzIDIwMTkgMTM6Mzk6MDIgMTkyLjE2OC4zMy4xMzEgZmVub3RpZnktMi5hbGVydDogQ0VGOjB8RmlyZUV5ZXxNQVN8Ni4yLjAuNzQyOTh8TU98bWFsd2FyZS1vYmplY3R8NHxydD1BdWcgMjMgMjAxOSAxMzozOTowMiBaIHNyYz0xNjkuMjUwLjAuMSBkcHQ9MTEyMCBkc3Q9MTI3LjAuMC4xIHNwdD0xMjIwIHNtYWM9QUE6QkI6Q0M6REQ6MTE6MjIgZG1hYz1FRTpERDpCQjpBQTpDQzoxMSBjbjJMYWJlbD1zaWQgY24yPTExMSBmaWxlSGFzaD1jNmVkYWExZTYxMjVmYWRkYWNiMzRmNWY1NjdjYmI3OGFiYjFjMTM4Zjk3MGQ5MTRiOTVmZGQ0NDk5MDUyYWEwIHByb3RvPXRjcCByZXF1ZXN0PWh0dHA6Ly9xYS1zZXJ2ZXIuZW5nLmZpcmVleWUuY29tL1FFL05vdGlmaWNhdGlvblBjYXBzLzU4LjI1My42OC4yOV84MC0xOTIuMTY4Ljg1LjEyOF8xMTY1LTIxMTkyODMxMDlfVC5leGUgY3MzTGFiZWw9b3NpbmZvIGNzMz1NaWNyb3NvZnQgV2luZG93czcgUHJvZmVzc2lvbmFsIDYuMSBzcDEgZHZjaG9zdD13YWxseSBkdmM9MTAuMi4xMDEuMTAxIGNuMUxhYmVsPXZsYW4gY24xPTAgZXh0ZXJuYWxJZD0xIGNzNExhYmVsPWxpbmsgY3M0PWh0dHBzOi8vd2FsbHkuZmlyZWV5ZS5jb20vbWFsd2FyZV9hbmFseXNpcy9hbmFseXNlcz9tYWlkPTEgY3MyTGFiZWw9YW5vbWFseSBjczI9bWlzYy1hbm9tYWx5IGNzMUxhYmVsPXNuYW1lIGNzMT1GRV9VUFg7VHJvamFuLlBXUy5PbmxpbmVHYW1lcyAK",
"type": "artifact"
}
},
"type": "observed-data",
"x_com_splunk_spl": {
"user": "sname",
"utf8_payload": "Aug 23 2020 13:39:02 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Aug 23 2020 13:39:02 Z src=192.168.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://test.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n"
}
}
],
"type": "bundle"
}