
type 

type is the source that produced the observation.

A list of available observation types:

  • ids - Observations found through our intrusion detection system

  • http - Observations found by analyzing HTTP traffic

  • iprep - Observations found by comparing IP addresses in traffic to a database of known bad IP addresses

  • urlrep - Observations found by comparing the URL of the request to a database of known bad URLs

  • protocol - Observations recording the application protocol identified in the traffic and how it was detected (see the protocol JSON structure below)

  • file - Observations found by analyzing file attachments against a database of known malicious files

JSON structure for observation types:

  • idsEvent - Observations found through our intrusion detection system
{
         "timestampSeconds": int,
         "timestampMicros": int,
         "signatureId": int,
         "generatorId": int,
         "revision": int,
         "classification": "string",
         "priorityId": int,
         "description": "string"
     }
  • httpRequest - Observations found by analyzing HTTP traffic
{
         "url": {
             "hostname": "string",
             "path": "string",
             "queryString": "string",
             "port": int
         },
         "method": "string",
         "header": [
             {
                 "name": "string",
                 "value": "string"
             }
         ]
     }
  • ipReputation - Observations found by comparing IP addresses in traffic to a database of known bad IP addresses
{
        "ip": "10.0.0.1",
        "category": "string",
        "partnerCategory": "string"
    }
  • urlReputation - Observations found by comparing the URL of the request to a database of known bad URLs
{
        "url": {
            "hostname": "string",
            "path": "string",
            "queryString": "string",
            "port": int
        },
        "category": "string",
        "partnerCategory": "string",
        "urlData": {
            "hostname": "string",
            "path": "string",
            "queryString": "string",
            "port": int
        }
    }
  • protocol - Observations recording the application protocol identified in the traffic and how it was detected
{
        "protocol": "string",
        "packetsUntilDetection": int,
        "method": "enum"
    }

method values: DPI, GUESS, PORT

  • fileReputation - Observations found by analyzing file attachments against a database of known malicious files
{
        "pwid": "string",
        "isResultCached": boolean,
        "serviceType": "enum",
        "serviceName": "string",
        "serviceVersion": "string",
        "databaseVersion": "string",
        "databaseDate": "string",
        "findings": [
            {
                "infectionIdentifier": "string"
            }
        ]
    }

serviceType values: ANTIVIRUS, SANDBOX, REPLIST, YARA

  • file

    {
            "pwid": "string",
            "md5": "string",
            "sha1": "string",
            "sha256": "string",
            "sha512": "string",
            "originalName": "string",
            "contentType": "string",
            "fileSize": int,
            "packetNumberAtStart": int
        }
  • dns

    {
        "transactionId": int,
        "responseCode": "enum",
        "query": {
            "query": "string",
            "queryType": "enum"
        },
        "response": [
            {
                "response": {
                    "ipAddress": "string",
                    "hostname": "string"
                },
                "responseType": "enum",
                "ttl": int
            }
        ]
    }
    

    responseCode values: UNKNOWN, NO_ERROR, FORMAT_ERROR, SERVER_FAILURE, NO_SUCH_NAME, NOT_IMPLEMENTED, REFUSED, NAME_EXISTS, RRSET_EXISTS, RRSET_DOES_NOT_EXIST, NOT_AUTHORITATIVE, NAME_OUT_OF_ZONE

    queryType and responseType have too many possible values to enumerate here

  • dnsReputation

    {
        "dns": "string",
        "category": "enum",
        "partnerCategory": "enum",
        "dnsObservationData": {
            // Same structure as __dns__ above
        }
    }
  • httpTransaction

    {
            "index": int,
            "request": {
                // Same as __httpRequest__ above
            },
            "response": {
                "code": int,
                "header": [
                    {
                        "name": "string",
                        "value": "string"
                    }
                ]
            }
        }
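The structures above are what you get back per observation; what you usually want from them is something to pivot on (a signature, an IP, a URL, a file hash, a queried name). The following is an added example, not ProtectWise's own code or client library. It validates a record against the documented fields for its structure, rebuilds the url object into a string, and extracts indicators per structure. Assumptions that the page does not settle: each record is a dict carrying a "type" key plus the payload under its structure name (e.g. {"type": "http", "httpRequest": {...}}); the url object has no scheme, so https is assumed for port 443 and http otherwise; and IDS hits are rendered as generatorId:signatureId:revision (the Snort-style gid:sid:rev form). The sample records are constructed.

```python
"""Normalize observation payloads into indicators (added example, not ProtectWise code)."""
from typing import Any, Dict, List, Tuple

Indicator = Tuple[str, str]

# Fields this example treats as required, taken from the JSON structures
# documented above (a subset of each structure).
REQUIRED: Dict[str, List[str]] = {
    "idsEvent": ["signatureId", "generatorId", "revision", "classification", "priorityId"],
    "httpRequest": ["url", "method", "header"],
    "ipReputation": ["ip", "category"],
    "urlReputation": ["url", "category"],
    "fileReputation": ["pwid", "serviceType", "findings"],
    "file": ["pwid", "sha256", "originalName"],
    "dns": ["transactionId", "responseCode", "query", "response"],
}


def build_url(url: Dict[str, Any]) -> str:
    """Reassemble the url object {hostname, path, queryString, port} into a string.
    The structure carries no scheme: assume https for port 443, http otherwise
    (an assumption of this example), and omit default ports from the host part."""
    port = url.get("port")
    scheme = "https" if port == 443 else "http"
    host = url["hostname"]
    if port not in (None, 80, 443):
        host = f"{host}:{port}"
    path = url.get("path") or "/"
    qs = url.get("queryString") or ""
    return f"{scheme}://{host}{path}" + (f"?{qs}" if qs else "")


def find_structure(obs: Dict[str, Any]) -> str:
    """Return the single documented structure key present in the record."""
    present = [k for k in REQUIRED if k in obs]
    if len(present) != 1:
        raise ValueError(f"expected exactly one payload structure, got {present}")
    return present[0]


def validate(name: str, payload: Dict[str, Any]) -> None:
    """Reject a payload that lacks fields the documented structure lists."""
    missing = [k for k in REQUIRED[name] if k not in payload]
    if missing:
        raise ValueError(f"{name} payload is missing {missing}")


def extract(name: str, p: Dict[str, Any]) -> List[Indicator]:
    """Pull the pivotable indicator(s) out of one validated payload."""
    if name == "idsEvent":
        # generatorId:signatureId:revision, the Snort-style gid:sid:rev rendering
        return [("signature", f"{p['generatorId']}:{p['signatureId']}:{p['revision']}")]
    if name in ("httpRequest", "urlReputation"):
        return [("url", build_url(p["url"]))]
    if name == "ipReputation":
        return [("ip", p["ip"])]
    if name == "fileReputation":
        return [("detection", f["infectionIdentifier"]) for f in p["findings"]]
    if name == "file":
        return [(h, p[h]) for h in ("md5", "sha1", "sha256") if p.get(h)]
    if name == "dns":
        out: List[Indicator] = [("domain", p["query"]["query"])]
        for r in p["response"]:
            ip = r.get("response", {}).get("ipAddress")
            if ip:
                out.append(("ip", ip))
        return out
    raise ValueError(f"no extractor for {name}")


def normalize(obs: Dict[str, Any]) -> Dict[str, Any]:
    """Validate one record and return its type, structure name and indicators."""
    name = find_structure(obs)
    payload = obs[name]
    validate(name, payload)
    return {"type": obs.get("type"), "structure": name, "indicators": extract(name, payload)}


def normalize_all(records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    return [normalize(r) for r in records]


# Constructed sample records; the {"type": ..., "<structure>": {...}} wrapping is assumed.
SAMPLE_OBSERVATIONS: List[Dict[str, Any]] = [
    {"type": "ids", "idsEvent": {"timestampSeconds": 1603065600, "timestampMicros": 0,
        "signatureId": 1000001, "generatorId": 1, "revision": 3,
        "classification": "sample", "priorityId": 2, "description": "sample local rule"}},
    {"type": "http", "httpRequest": {"url": {"hostname": "example.test", "path": "/dl/a.php",
        "queryString": "id=7", "port": 8080}, "method": "GET",
        "header": [{"name": "Host", "value": "example.test:8080"}]}},
    {"type": "iprep", "ipReputation": {"ip": "203.0.113.7", "category": "Botnets",
        "partnerCategory": "cnc"}},
    {"type": "file", "fileReputation": {"pwid": "pw-1", "isResultCached": False,
        "serviceType": "ANTIVIRUS", "serviceName": "av", "serviceVersion": "1",
        "databaseVersion": "1", "databaseDate": "2020-10-19",
        "findings": [{"infectionIdentifier": "Test.Sample"}]}},
    {"type": "file", "file": {"pwid": "pw-1", "md5": "d41d8cd98f00b204e9800998ecf8427e",
        "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
        "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "originalName": "a.bin", "contentType": "application/octet-stream",
        "fileSize": 0, "packetNumberAtStart": 12}},
    {"dns": {"transactionId": 4660, "responseCode": "NO_ERROR",
        "query": {"query": "example.test", "queryType": "A"},
        "response": [{"response": {"ipAddress": "203.0.113.7", "hostname": "example.test"},
                      "responseType": "A", "ttl": 300}]}},
]

if __name__ == "__main__":
    for r in normalize_all(SAMPLE_OBSERVATIONS):
        print(r["type"], r["structure"], r["indicators"])
```

The validation step is deliberate: a record missing a field the structure lists (for instance an ipReputation without "category") raises rather than silently yielding an empty indicator list, which is the failure you want to surface when the upstream schema drifts.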

eventType 

A list of available event types:

  • MaliciousFlow

  • KillChainEscalation

  • MaliciousConversation

killChainStage 

The Kill Chain is a definition of stages that an attack moves through.

These values are case-insensitive when provided as URL parameters.

List of Kill Chain stages:

  • Methodology

  • Recon

  • Delivery

  • Exploit

  • Beacon

  • CnC

  • Fortification

  • Data_Theft

threatLevel 

ThreatLevel is a simplification to allow you to quickly search for observations without having to specify a range of threat scores.

List of Threat Levels

  • NONE

  • LOW

  • MEDIUM

  • HIGH

threatCategory 

Threat categories are a list of broad categories. More specific categorization is provided in the threatSubCategory field.

List of Threat Categories

  • ExploitsAndAttacks

  • DenialOfService

  • Malware

  • Scanning

  • Botnets

  • Phishing

  • Suspicious

  • MaliciousHost

  • APT

  • Misc

  • Unknown

signatureId 

SignatureID is an available filter for IDS observation types.

This is generally used to find more observations similar to one that you’ve already identified. You can use the signatureId field from a known observation to find more.

observationStage 

Observations and events are found either in real time, as the traffic arrives at ProtectWise, or through retrospective analysis, which scans previously captured network traffic for newly identified threats.

Stages

  • Realtime - This event or observation was found in live traffic

  • Retrospective - This event or observation was found by analyzing past network traffic

Generated by aglio on 19 Oct 2020