SSP NDR generates rich security telemetry in JSON format. These events are intended to be consumed by SIEM platforms such as vRealize Log Insight (vRLI) or Splunk, forwarded over HTTPS or Kafka once the platform is configured as a log destination.
SSP 5.0 / NAPP 4.2.X
Log Destination: vRealize Log Insight / Splunk
Integration Mode: SIEM Forwarding via HTTPS using JSON payloads
Security Event Notifications in SSP use well-defined JSON formats to structure information for both detection events and campaigns.
Detection Events:
Each detection notification includes fields such as:
| Field | Required | Type | Event Type/Version | Example | Description | Product version |
|---|---|---|---|---|---|---|
| notification_type | Y | enum | | "DETECTION" | Will always be "DETECTION" for this type of message | |
| url | Y | string | | "https://example.com/ndr#/detection-events/2371d11e-0d53-4868-8eb1-ff5d7ce11774?event_time=2017-07-21T17:32:28Z" | URL permalink to the detection event in the NDR UI | |
| uuid | Y | uuid | | "2371d11e-0d53-4868-8eb1-ff5d7ce11774" | Unique identifier of the detection event | |
| start_time | Y | date-time | | "2017-07-21T17:32:28Z" | Start of the event | |
| end_time | Y | date-time | | "2017-07-21T17:32:28Z" | End of the event | |
| impact | Y | integer | | 80 | 0-100 badness of the detection | |
| mitre_tactic_name | Y | string | | "Command and Control" | Name of the MITRE ATT&CK tactic detected. For this field the MITRE classification is extended with the additional tactics "Vulnerability" and "Undetermined" | |
| mitre_tactic_id | N | string | | "TA0011" | Identifier of the MITRE ATT&CK tactic detected | |
| mitre_technique_name | N | string | | "Remote Access Software" | Name of the MITRE ATT&CK technique detected (if any) | |
| mitre_technique_id | N | string | | "T1219" | Identifier of the MITRE ATT&CK technique detected (if any) | |
| threat_name | Y | string | | "Winlocker" | Name of the threat detected | |
| threat_uuid | Y | uuid | | "2371d11e-0d53-4868-8eb1-ff5d7ce11774" | UUID of the threat detected | |
| detection_type | Y | enum | | "IDS" | One of "IDS", "NETWORK_ANOMALY", "FILE", "FILE_TRANSFER" | |
| detector_name | N | string | | "http_bots:828" | Name of the detector that detected this event (if any) | |
| detector_uuid | N | uuid | | "2371d11e-0d53-4868-8eb1-ff5d7ce11774" | UUID of the detector that detected this event (if any) | |
| action | Y | enum | | "BLOCK" | Action taken: "LOG", "BLOCK" | |
| notification_format | Y | string | | "1.0" | Format version for these notifications | |
| campaign_uuid | N | uuid | | "2371d11e-0d53-4868-8eb1-ff5d7ce11774" | UUID of the campaign this detection belongs to, if any | |
| cve | N | string | | "CVE-2022-25237" | Detected CVE, if any | |
| ids_signature_id | N | int | | 2036817 | The IDS signature ID, if any | |
| ids_signature_rev | N | int | | 1 | The IDS signature revision, if any | |
| description | Y | string | | "IDS Signature Match" | Brief human-readable description of the detection | |
| src_ip | N | ip | | "#.#.#.#" | IP address of the source (client) in case of network detection | |
| src_vm_uuid | N | uuid | | "2371d11e-0d53-4868-8eb1-ff5d7ce11774" | VM or bare-metal UUID of the source (client) in case of network detection; VM or bare-metal UUID of the endpoint in case of endpoint detection | |
| src_vm_name | N | string | | "My VM 3" | Name of the source workload (VM name for the VM UUID), if any | |
| src_site_uuid | N | uuid | | "2371d11e-0d53-4868-8eb1-ff5d7ce11774" | ID/UUID of the site that the source belongs to | |
| src_site_name | N | string | | "Santa Barbara Office" | Name of the site that the source belongs to | |
| dst_ip | N | ip | | "#.#.#.#" | IP address of the destination (server) in case of network detection | |
| dst_vm_uuid | N | uuid | | "2371d11e-0d53-4868-8eb1-ff5d7ce11774" | VM or bare-metal UUID of the destination (server) in case of network detection | |
| dst_vm_name | N | string | | "My VM 3" | Name of the destination workload (VM name for the VM UUID), if any | |
| dst_site_uuid | N | uuid | | "2371d11e-0d53-4868-8eb1-ff5d7ce11774" | ID/UUID of the site that the destination belongs to | |
| dst_site_name | N | string | | "Santa Barbara Office" | Name of the site that the destination belongs to | |
| transport_protocol | N | enum | | "TCP" | Transport protocol of the network detection: "TCP", "UDP", "SCTP", "GRE", "ESP" | |
| src_port | N | integer | | 12345 | TCP/UDP source (client) port number | |
| dst_port | N | integer | | 80 | TCP/UDP destination (server) port number | |
| is_src_target | Y | boolean | | true | Is the source IP/UUID the target of the attack? | |
| application_protocol | N | string | | "http" | Application-level network protocol, if any/known | |
| http_host | N | string | | "www.example.com" | Hostname from the HTTP Host header, if applicable | |
| file_detection_context | N | enum | | "FILE_CREATED" | In what context the file was detected on a workload | |
| file_action | N | enum | | "DELETED" | Action taken on the file on the workload: "DELETED" or "DETECTED" | |
| file_name | N | string | | "malware.exe" | Name of the detected file | |
| file_sha256_hash | N | string | | "050fc28b62be90110b2c7b437b072eb1dce7767c7ce6058e71f4a6afb54a7b73" | SHA-256 hash of the detected file | |
| file_sha1_hash | N | string | | "f1d2d2f924e986ac86fdf7b36c94bcdf32beec15" | SHA-1 hash of the detected file | |
| file_category | N | enum | | "EXECUTABLE" | Category of the detected file: "EXECUTABLE", "DOCUMENT", "SCRIPT", "ARCHIVE", | |
| file_magic | N | string | | "PDF document" | "magic" file type of the detected file | |
| file_mime_type | N | string | | "application/pdf" | MIME type of the detected file | |
| src_ip_is_private | N | boolean | | true | Source IP address is part of the customer network | SSP 5.0 |
| dst_ip_is_private | N | boolean | | true | Destination IP address is part of the customer network | SSP 5.0 |
| original_signature_id | N | integer | IDS (custom sig)/>=5.0 | 12345 | Original sid of the custom IDS signature, as provided by the user | |
| signature_name | N | string | IDS (custom sig)/>=5.0 | "(Initial Access) Detect CVE-2014-6332" | Name of the custom IDS signature | |
| process_name | N | string | PROCESS/>=5.1 | "wscript.exe" | Name of the detected process | |
| process_command_line | N | string | PROCESS/>=5.1 | "PowerShell.exe -NonInteractive -EncodedCommand aGVsbG8gd29ybGQhCg==" | Command line of the detected process | |
| process_executable_path | N | string | PROCESS/>=5.1 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" | Path to the executable. Not to be confused with the file_name field | |
| process_executable_sha256_hash | N | string | PROCESS/>=5.1 | "050fc28b62be90110b2c7b437b072eb1dce7767c7ce6058e71f4a6afb54a7b73" | Hash of the executable. Not to be confused with the file_sha256_hash field | |
| buffer_application_names | N | array[string] | PROCESS/>=5.1 | ["vbscript"] | Sequence of applications that executed buffers in this process. Is a sequence because different buffers within the same process | |
Campaigns:
Each campaign notification includes fields such as:
| Field | Required | Type | Example | Description |
|---|---|---|---|---|
| notification_type | Y | enum | "CAMPAIGN" | Will always be "CAMPAIGN" for this type of message |
| url | Y | string | "https://example.com/ndr#/campaigns/2371d11e-0d53-4868-8eb1-ff5d7ce11774" | URL permalink to the campaign in the NDR UI |
| uuid | Y | uuid | "2371d11e-0d53-4868-8eb1-ff5d7ce11774" | Unique identifier of the campaign |
| organization_id | Y | uuid | "2371d11e-0d53-4868-8eb1-ff5d7ce11774" | Unique identifier of the CSP organization (customer) |
| instance_id | Y | uuid | "2371d11e-0d53-4868-8eb1-ff5d7ce11774" | Unique identifier of the NSX-aaS instance |
| name | Y | string | "Foobot C&C Wave-0efb99a1" | Name of the campaign. This is user-editable (with an auto-generated default). The name is not guaranteed to be unique |
| start_time | Y | date-time | "2017-07-21T17:32:28Z" | Start of the campaign |
| end_time | Y | date-time | "2017-07-21T17:32:28Z" | End of the campaign |
| impact | Y | integer | 80 | 0-100 badness of the campaign |
| notification_format | Y | string | "1.0" | Format version for these notifications |
| num_affected_workloads | Y | integer | 18 | Total number of workloads affected by the campaign |
| num_threats | Y | integer | 3 | Total number of threats detected in this campaign |
| num_detection_events | Y | integer | 123 | Total number of detection events in this campaign |
| num_sites | Y | integer | 3 | Total number of sites to which the affected workloads belong |
| campaign_notification_type | Y | enum | "CAMPAIGN_CREATED" | "CAMPAIGN_CREATED" or "CAMPAIGN_UPDATED" |
| mitre_tactic_ids | N | array[string] | ["TA0008","TA0011"] | Sequence of identifiers of the MITRE ATT&CK tactics detected |
| mitre_tactic_names | Y | array[string] | ["Lateral Movement","Command and Control"] | Sequence of names of the MITRE ATT&CK tactics detected. For this field the MITRE classification is extended with the additional tactics "Vulnerability" and "Undetermined" |
| detections_added | Y | array[uuid] | ["e4788077-d045-427b-800a-dabb81238d8e","6d5d7b19-f4b2-434f-ae34-78c3f4aaa185"] | Sequence of detection events that were added to this campaign. This is not all the detections in the campaign, just those that were added just now and caused this notification to be sent out. It also does not include detections that were added to this campaign as a side effect of campaign merging |
| campaigns_merged | N | array[uuid] | ["b4733399-05c9-4718-bfcb-a1cf1fc601c5","7f0fdba9-a768-458a-95b9-dea510bfd5b1"] | Sequence of other campaigns that were merged into this campaign. This is not all the campaigns that were ever merged |
| correlation_rule_uuid | Y | uuid | "2371d11e-0d53-4868-8eb1-ff5d7ce11774" | Unique identifier of the campaign correlation rule that caused this campaign creation/update |
| correlation_rule_name | Y | string | "IDS Command&Control Wave Rule" | Human-readable name of the campaign correlation rule that caused this campaign creation/update |
In Splunk these fields appear under the event or message fields; in vRLI they appear under the log details.
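As an added example, not code from this page or from the SSP product, the following Python consumer checks a forwarded notification against the required fields of both tables above, picks the attacked side of a detection from is_src_target, and decides which notifications to escalate. The escalation policy, the impact threshold and the sample payload are constructed here for illustration.

```python
import json
# Required fields per notification_type, taken from the two field tables above.
REQUIRED = {
    "DETECTION": {"notification_type", "url", "uuid", "start_time", "end_time",
                  "impact", "mitre_tactic_name", "threat_name", "threat_uuid",
                  "detection_type", "action", "notification_format",
                  "description", "is_src_target"},
    "CAMPAIGN": {"notification_type", "url", "uuid", "organization_id", "instance_id",
                 "name", "start_time", "end_time", "impact", "notification_format",
                 "num_affected_workloads", "num_threats", "num_detection_events",
                 "num_sites", "campaign_notification_type", "mitre_tactic_names",
                 "detections_added", "correlation_rule_uuid", "correlation_rule_name"},
}

def validate(event):
    """Return a list of problems; an empty list means the notification is usable."""
    ntype = event.get("notification_type")
    if ntype not in REQUIRED:
        return [f"unknown notification_type: {ntype!r}"]
    problems = [f"missing required field: {f}" for f in sorted(REQUIRED[ntype] - set(event))]
    if type(event.get("impact")) is not int or not 0 <= event["impact"] <= 100:
        problems.append("impact must be an integer in 0-100")
    if ntype == "DETECTION" and event.get("action") not in ("LOG", "BLOCK"):
        problems.append("action must be LOG or BLOCK")
    return problems

def victim(event):
    """Name the attacked workload of a DETECTION; is_src_target picks the side."""
    side = "src" if event["is_src_target"] else "dst"
    return event.get(f"{side}_vm_name") or event.get(f"{side}_ip")

def needs_escalation(event, threshold=70):
    """Escalate high-impact detections that were only logged, and newly created campaigns."""
    if validate(event):
        return False  # malformed notifications belong in a parse-error queue instead
    if event["notification_type"] == "DETECTION":
        return event["action"] == "LOG" and event["impact"] >= threshold
    return event["campaign_notification_type"] == "CAMPAIGN_CREATED"

# Constructed sample of a forwarded DETECTION payload (illustrative values only).
SAMPLE_DETECTION = json.loads("""{
 "notification_type": "DETECTION", "notification_format": "1.0", "impact": 80,
 "url": "https://example.com/ndr#/detection-events/2371d11e-0d53-4868-8eb1-ff5d7ce11774",
 "uuid": "2371d11e-0d53-4868-8eb1-ff5d7ce11774", "detection_type": "IDS",
 "start_time": "2017-07-21T17:32:28Z", "end_time": "2017-07-21T17:32:28Z",
 "mitre_tactic_name": "Command and Control", "threat_name": "Winlocker",
 "threat_uuid": "2371d11e-0d53-4868-8eb1-ff5d7ce11774", "action": "LOG",
 "description": "IDS Signature Match", "is_src_target": true,
 "src_ip": "10.0.0.5", "src_vm_name": "My VM 3", "dst_ip": "203.0.113.9"}""")
```

Because the detection was only logged (action "LOG") with impact 80, it is escalated; the same event with action "BLOCK" is not.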