mirror of
https://github.com/valitydev/atomic-threat-coverage.git
synced 2024-11-06 17:45:23 +00:00
67 lines
1.8 KiB
YAML
67 lines
1.8 KiB
YAML
|
title: DN_0084_av_alert
|
||
|
description: >
|
||
|
Anti-virus alert
|
||
|
loggingpolicy:
|
||
|
- None # well, some of them require additional configuraiotn to provide filehash
|
||
|
references:
|
||
|
- None
|
||
|
category: AV Alerts
|
||
|
platform: antivirus
|
||
|
type: None
|
||
|
channel: None
|
||
|
provider: None
|
||
|
fields:
|
||
|
- Hostname
|
||
|
- Signature
|
||
|
- AlertTitle
|
||
|
- Category
|
||
|
- Severity
|
||
|
- Sha1
|
||
|
- FileName
|
||
|
- FilePath
|
||
|
- IpAddress
|
||
|
- UserName
|
||
|
- UserDomain
|
||
|
- FileHash
|
||
|
- Hashes
|
||
|
- Imphash
|
||
|
- Sha256hash
|
||
|
- Sha1hash
|
||
|
- Md5hash
|
||
|
sample: |
|
||
|
{
|
||
|
"AlertTime":"2017-01-23T07:32:54.1861171Z",
|
||
|
"ComputerDnsName":"desktop-bvccckk",
|
||
|
"AlertTitle":"Suspicious PowerShell commandline",
|
||
|
"Category":"SuspiciousActivity",
|
||
|
"Severity":"Medium",
|
||
|
"AlertId":"636207535742330111_-1114309685",
|
||
|
"Actor":null,
|
||
|
"LinkToWDATP":"https://securitycenter.windows.com/alert/636207535742330111_-1114309685",
|
||
|
"IocName":null,
|
||
|
"IocValue":null,
|
||
|
"CreatorIocName":null,
|
||
|
"CreatorIocValue":null,
|
||
|
"Sha1":"69484ca722b4285a234896a2e31707cbedc59ef9",
|
||
|
"FileName":"powershell.exe",
|
||
|
"FilePath":"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0",
|
||
|
"IpAddress":null,
|
||
|
"Url":null,
|
||
|
"IoaDefinitiondId":"7f1c3609-a3ff-40e2-995b-c01770161d68",
|
||
|
"UserName":null,
|
||
|
"AlertPart":0,
|
||
|
"FullId":"636207535742330111_-1114309685:9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF",
|
||
|
"LastProcessedTimeUtc":"2017-01-23T11:33:45.0760449Z",
|
||
|
"ThreatCategory":null,
|
||
|
"ThreatFamily":null,
|
||
|
"ThreatName":null,
|
||
|
"RemediationAction":null,
|
||
|
"RemediationIsSuccess":null,
|
||
|
"Source":"Windows Defender ATP",
|
||
|
"Md5":null,
|
||
|
"Sha256":null,
|
||
|
"WasExecutingWhileDetected":null,
|
||
|
"FileHash":"69484ca722b4285a234896a2e31707cbedc59ef9",
|
||
|
"IocUniqueId":"9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF"
|
||
|
}
|