Connect this data source on your own using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method
---|---|---|---|---|---|---|---
ProtectWise Observations | ✅ | ✅ | | | protectwise_observations | NDJSON | API/S3
ProtectWise Events | | | | | protectwise_events | NDJSON | API/S3
Overview
ProtectWise was a network detection and response (NDR) solution that provided real-time monitoring and analysis of network traffic to identify and respond to advanced threats. The platform utilized deep packet inspection and machine learning to detect suspicious activity, such as malware or unusual traffic patterns. ProtectWise enabled retrospective analysis, allowing security teams to investigate past incidents and identify threats that may have gone unnoticed at first. With features like long-term data retention, traffic metadata analysis, and centralized visibility of the network, it helped organizations monitor, detect, and respond to security risks across both cloud and on-premises environments.
Supported data types
ProtectWise Observations
Table name: protectwise_observations
Observations in the ProtectWise platform were generated through a comprehensive analysis of network traffic and were designed to highlight suspicious activities, anomalies, or known threat patterns. These observations ranged from indicators of compromise (IoCs) and unusual data flows to signatures of known malware. The strength of ProtectWise lay in its ability to store vast amounts of network data, allowing security teams to go back in time to investigate the origin and pathway of an attack, even long after the initial compromise occurred.
ProtectWise Events
Table name: protectwise_events
ProtectWise Events were security incidents or anomalies that the platform identified in an organization's network traffic. These events were generated through analysis that combined threat intelligence with advanced analytics to pinpoint activities indicative of a security threat, such as malware infections, unauthorized access attempts, and suspicious network behaviors.
Send data to Hunters
Hunters supports collecting logs from ProtectWise via its API.
To connect ProtectWise logs:
1. Retrieve the ProtectWise API access token from your ProtectWise account.
2. Complete the process on the Hunters platform, following this guide.
Expected format
Logs are expected in the JSON format exported by ProtectWise, one object per line (NDJSON). Logging the full schema is recommended; however, any subset of the fields can be ingested, provided you supply your specific schema to Hunters.
ProtectWise Observations Data Sample
One observation record, as a single NDJSON line:

```json
{"tags": null, "sensorId": 12408, "agentId": 12408, "flowId": null, "netflowId": "0000017ef1fb877edbf1e572bfc5115a", "associatedId": {"flowId": {"key": "0000017ef1fb877edbf1e572bfc5115a", "startTime": 1644737300350, "srcGeo": null, "dstGeo": null, "direction": "None", "flowStates": [], "srcDeviceId": "e92cc150e322986f", "dstDeviceId": "8177804b0fe8dd2b", "interfaceAlias": null, "nat": null, "applicationProtocols": null, "protocols": null, "vlan": null, "pcapBytes": null, "srcDeviceDetails": null, "dstDeviceDetails": null, "flags": [], "ip": {"srcMac": "", "dstMac": "", "srcIp": "2.2.20.131", "dstIp": "1.1.65.253", "srcPort": 56562, "dstPort": 53, "proto": "UDP", "layer3Proto": "IPv4", "layer4Proto": "Udp"}}}, "data": {"idsEvent": {"timestampSeconds": 0, "timestampMicros": 0, "signatureId": 2012811, "generatorId": 901189276, "revision": 7, "classification": "bad-unknown", "priorityId": 3, "description": "Query to a .tk domain - Likely Hostile"}}, "occurredAt": 1644737300350, "observedAt": 1644737315040, "threatLevel": "Low", "confidence": 90, "killChainStage": "Recon", "severity": 10, "category": "Suspicious", "threatScore": 9, "cid": 3898, "observedStage": "Realtime", "source": "Surricata", "id": "0000017ef1fb877edbf1e572bfc5115a23c1f6260000", "threatSubCategory": "None", "netflow": null, "srcGeo": null, "dstGeo": null, "analysisId": null, "observationDirection": "None", "endedAt": null, "info": {"ips": ["2.2.20.131", "1.1.65.253"], "ports": [53, 56562], "coordinates": [], "protocols": [], "properties": {}, "hostIds": [{"host": {"ip": "2.2.20.131"}, "geo": null, "deviceId": null, "srcPorts": [], "dstPorts": [], "layer3Protocols": [], "layer4Protocols": [], "applicationProtocols": null, "protocols": null, "hostLocation": null, "deviceDetails": null}, {"host": {"ip": "1.1.65.253"}, "geo": null, "deviceId": null, "srcPorts": [], "dstPorts": [], "layer3Protocols": [], "layer4Protocols": [], "applicationProtocols": null, "protocols": null, "hostLocation": null, "deviceDetails": null}], "listId": "158b5865-a9a8-4286-b1ee-530991903501", "intelKey": "901189276:2012811", "domains": [], "flags": []}, "connectionInfo": {"srcMac": "", "dstMac": "", "srcIp": "2.2.20.131", "dstIp": "1.1.65.253", "srcPort": 56562, "dstPort": 53, "proto": "UDP", "layer3Proto": "IPv4", "layer4Proto": "Udp"}}
```
ProtectWise Events Data Sample
One event record, as a single NDJSON line:

```json
{"state": "resolved", "resolvedReason": "noAction", "assignee": {"email": null, "firstname": null, "lastname": null}, "priority": false, "tags": null, "sensorId": 12402, "sensorIds": [12402], "cid": 3898, "agentId": 12402, "id": "0005d7e000598c20c4403c0331a2eaa67fc2ec6d7818cbe664f5f995", "type": "MaliciousConversation", "message": "Kill Chain Progression: Delivery to Beacon on Host: 10.1.2.3", "observations": [], "netflows": [], "confidence": 100, "threatScore": 25, "threatLevel": "Low", "killChainStage": "Beacon", "category": "Misc", "startedAt": 1644731962068, "endedAt": 1644807240591, "observedAt": 1644836058167, "observedStage": "Realtime", "isUpdate": true, "threatSubCategory": "None", "observationCount": 10, "netflowCount": 10, "analysisId": null, "flags": [], "workflow": {"status": 30, "resolution": 10, "assignedTo": null, "priority": 50}}
```
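The expected-format rule above (real NDJSON, full schema preferred, a declared subset otherwise) is easy to get wrong at the exporter side. As an added example, not part of the Hunters documentation or ProtectWise's own code, the Python below checks a batch of observation records before they are sent: each line must parse as JSON, carry the declared schema subset with the right types, and the nested connection info is flattened into queryable columns. The schema subset and the sample records are assumptions constructed for this example; the field names come from the observation sample above.

```python
# Added example (not Hunters' or ProtectWise's code): check ProtectWise NDJSON before
# shipping it to Hunters. Each line must be real JSON (a Python dict repr with single
# quotes and None/True is not) and carry the declared schema subset; the nested
# connection info is flattened into the columns an analyst would query.
import json
# Hypothetical schema subset declared to Hunters for protectwise_observations.
OBSERVATION_SCHEMA = {
    "id": str, "occurredAt": int, "threatLevel": str, "killChainStage": str,
    "severity": int, "category": str, "source": str, "connectionInfo": dict,
}

def parse_observation(line):
    """Parse one NDJSON line; return (row, None) or (None, reason)."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError as exc:
        return None, f"not valid JSON: {exc.msg}"
    missing = [k for k in OBSERVATION_SCHEMA if k not in rec]
    if missing:
        return None, f"missing fields: {missing}"
    bad = [k for k, t in OBSERVATION_SCHEMA.items() if not isinstance(rec[k], t)]
    if bad:
        return None, f"wrong type: {bad}"
    conn = rec["connectionInfo"]
    row = {k: rec[k] for k in OBSERVATION_SCHEMA if k != "connectionInfo"}
    row.update(srcIp=conn.get("srcIp"), dstIp=conn.get("dstIp"), dstPort=conn.get("dstPort"),
               proto=conn.get("proto"),  # IDS signature that fired, when present:
               signatureId=rec.get("data", {}).get("idsEvent", {}).get("signatureId"))
    return row, None

def validate_batch(ndjson_text):
    """Split a batch into accepted rows and (line number, reason) rejects."""
    rows, errors = [], []
    for n, line in enumerate(ndjson_text.splitlines(), 1):
        if not line.strip():
            continue
        row, err = parse_observation(line)
        if err is None:
            rows.append(row)
        else:
            errors.append((n, err))
    return rows, errors
# Constructed sample: a valid record, a Python dict repr, and one missing fields.
SAMPLE = "\n".join([
    json.dumps({"id": "obs-1", "occurredAt": 1644737300350, "threatLevel": "Low", "killChainStage": "Recon",
                "severity": 10, "category": "Suspicious", "source": "Suricata", "data": {"idsEvent": {"signatureId": 2012811}},
                "connectionInfo": {"srcIp": "10.0.0.5", "dstIp": "192.0.2.10", "dstPort": 53, "proto": "UDP"}}),
    "{'id': 'obs-2', 'threatLevel': 'Low', 'tags': None}",
    json.dumps({"id": "obs-3", "occurredAt": 1, "threatLevel": "High"}),
])
```

Running `validate_batch(SAMPLE)` accepts the first record and rejects the other two with the line number and reason, which is the feedback an exporter needs before a partial schema is declared to Hunters.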