Protectwise

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types
Columns: 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method

ProtectWise Observations | ✅ | ✅ | protectwise_observations | NDJSON | API/S3
ProtectWise Events | protectwise_events | NDJSON | API/S3


Overview

ProtectWise was a network detection and response (NDR) solution that provided real-time monitoring and analysis of network traffic to identify and respond to advanced threats. The platform utilized deep packet inspection and machine learning to detect suspicious activity, such as malware or unusual traffic patterns. ProtectWise enabled retrospective analysis, allowing security teams to investigate past incidents and identify threats that may have gone unnoticed at first. With features like long-term data retention, traffic metadata analysis, and centralized visibility of the network, it helped organizations monitor, detect, and respond to security risks across both cloud and on-premises environments.

Supported data types

ProtectWise Observations

Table name: protectwise_observations

Observations in the ProtectWise platform were generated through a comprehensive analysis of network traffic and were designed to highlight suspicious activities, anomalies, or known threat patterns. These observations could range from indicators of compromise (IoCs), unusual data flows, to signatures of known malware, among others. The strength of ProtectWise lay in its ability to store vast amounts of network data, allowing security teams to go back in time to investigate the origin and pathway of an attack, even long after the initial compromise occurred.

Learn more here.

ProtectWise Events

Table name: protectwise_events

Events are security incidents or anomalies that the platform identified within an organization's network traffic. They were generated by combining threat intelligence with advanced analytics to pinpoint activities indicative of a security threat, such as malware infections, unauthorized access attempts, and suspicious network behaviors.

Learn more here.

Send data to Hunters

Hunters collects ProtectWise logs through the ProtectWise API.

To connect ProtectWise logs:

  1. Retrieve the ProtectWise API access token from your ProtectWise account.

  2. Complete the process on the Hunters platform, following this guide.

Expected format

The expected log format is the JSON exported by ProtectWise, one object per line (NDJSON). Ingesting the full schema is recommended, but any subset of the fields can be ingested as long as you provide Hunters with the schema you are sending.

ProtectWise Observations Data Sample

{"tags": null, "sensorId": 12408, "agentId": 12408, "flowId": null, "netflowId": "0000017ef1fb877edbf1e572bfc5115a", "associatedId": {"flowId": {"key": "0000017ef1fb877edbf1e572bfc5115a", "startTime": 1644737300350, "srcGeo": null, "dstGeo": null, "direction": "None", "flowStates": [], "srcDeviceId": "e92cc150e322986f", "dstDeviceId": "8177804b0fe8dd2b", "interfaceAlias": null, "nat": null, "applicationProtocols": null, "protocols": null, "vlan": null, "pcapBytes": null, "srcDeviceDetails": null, "dstDeviceDetails": null, "flags": [], "ip": {"srcMac": "", "dstMac": "", "srcIp": "2.2.20.131", "dstIp": "1.1.65.253", "srcPort": 56562, "dstPort": 53, "proto": "UDP", "layer3Proto": "IPv4", "layer4Proto": "Udp"}}}, "data": {"idsEvent": {"timestampSeconds": 0, "timestampMicros": 0, "signatureId": 2012811, "generatorId": 901189276, "revision": 7, "classification": "bad-unknown", "priorityId": 3, "description": "Query to a .tk domain - Likely Hostile"}}, "occurredAt": 1644737300350, "observedAt": 1644737315040, "threatLevel": "Low", "confidence": 90, "killChainStage": "Recon", "severity": 10, "category": "Suspicious", "threatScore": 9, "cid": 3898, "observedStage": "Realtime", "source": "Surricata", "id": "0000017ef1fb877edbf1e572bfc5115a23c1f6260000", "threatSubCategory": "None", "netflow": null, "srcGeo": null, "dstGeo": null, "analysisId": null, "observationDirection": "None", "endedAt": null, "info": {"ips": ["2.2.20.131", "1.1.65.253"], "ports": [53, 56562], "coordinates": [], "protocols": [], "properties": {}, "hostIds": [{"host": {"ip": "2.2.20.131"}, "geo": null, "deviceId": null, "srcPorts": [], "dstPorts": [], "layer3Protocols": [], "layer4Protocols": [], "applicationProtocols": null, "protocols": null, "hostLocation": null, "deviceDetails": null}, {"host": {"ip": "1.1.65.253"}, "geo": null, "deviceId": null, "srcPorts": [], "dstPorts": [], "layer3Protocols": [], "layer4Protocols": [], "applicationProtocols": null, "protocols": null, "hostLocation": null, "deviceDetails": null}], "listId": "158b5865-a9a8-4286-b1ee-530991903501", "intelKey": "901189276:2012811", "domains": [], "flags": []}, "connectionInfo": {"srcMac": "", "dstMac": "", "srcIp": "2.2.20.131", "dstIp": "1.1.65.253", "srcPort": 56562, "dstPort": 53, "proto": "UDP", "layer3Proto": "IPv4", "layer4Proto": "Udp"}}

ProtectWise Events Data Sample

{"state": "resolved", "resolvedReason": "noAction", "assignee": {"email": null, "firstname": null, "lastname": null}, "priority": false, "tags": null, "sensorId": 12402, "sensorIds": [12402], "cid": 3898, "agentId": 12402, "id": "0005d7e000598c20c4403c0331a2eaa67fc2ec6d7818cbe664f5f995", "type": "MaliciousConversation", "message": "Kill Chain Progression: Delivery to Beacon on Host: 10.1.2.3", "observations": [], "netflows": [], "confidence": 100, "threatScore": 25, "threatLevel": "Low", "killChainStage": "Beacon", "category": "Misc", "startedAt": 1644731962068, "endedAt": 1644807240591, "observedAt": 1644836058167, "observedStage": "Realtime", "isUpdate": true, "threatSubCategory": "None", "observationCount": 10, "netflowCount": 10, "analysisId": null, "flags": [], "workflow": {"status": 30, "resolution": 10, "assignedTo": null, "priority": 50}}
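The following is an added example, not code from Hunters or ProtectWise, that shows what a pre-ingestion check of an NDJSON export looks like: it parses one JSON object per line, rejects lines that are not valid JSON (a Python repr like the samples as printed on this page, for instance), tells observations apart from events, reports which fields of a required subset a record lacks, converts the epoch-millisecond timestamps to ISO-8601, and ranks records by threatScore. The sample lines are constructed here and shortened from the two data samples above; the required-field tuples and the threshold of 10 are assumptions for illustration, not a schema Hunters prescribes.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed NDJSON export, shortened from the page's two data samples; the
# third line is a Python repr rather than JSON and is expected to be rejected.
SAMPLE_NDJSON = "\n".join([
    json.dumps({
        "id": "0000017ef1fb877edbf1e572bfc5115a23c1f6260000", "sensorId": 12408,
        "occurredAt": 1644737300350, "observedAt": 1644737315040,
        "threatLevel": "Low", "threatScore": 9, "killChainStage": "Recon",
        "category": "Suspicious", "source": "Surricata",
        "data": {"idsEvent": {"signatureId": 2012811, "generatorId": 901189276,
                              "classification": "bad-unknown",
                              "description": "Query to a .tk domain - Likely Hostile"}},
        "connectionInfo": {"srcIp": "2.2.20.131", "dstIp": "1.1.65.253",
                           "srcPort": 56562, "dstPort": 53, "proto": "UDP"},
    }),
    json.dumps({
        "id": "0005d7e000598c20c4403c0331a2eaa67fc2ec6d7818cbe664f5f995",
        "sensorId": 12402, "type": "MaliciousConversation", "state": "resolved",
        "message": "Kill Chain Progression: Delivery to Beacon on Host: 10.1.2.3",
        "threatLevel": "Low", "threatScore": 25, "killChainStage": "Beacon",
        "startedAt": 1644731962068, "endedAt": 1644807240591,
        "observationCount": 10, "netflowCount": 10,
    }),
    "{'state': 'resolved', 'priority': False}",
])

# Assumed minimal field subsets; the page only says a subset is allowed if
# the schema is supplied to Hunters.
REQUIRED_OBSERVATION = ("id", "occurredAt", "threatScore", "data", "connectionInfo")
REQUIRED_EVENT = ("id", "type", "message", "startedAt", "threatScore")


def parse_ndjson(text):
    """Return (records, bad_lines): one dict per well-formed line, plus the
    1-based numbers of lines that are not a JSON object."""
    records, bad_lines = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            bad_lines.append(lineno)
            continue
        if isinstance(obj, dict):
            records.append(obj)
        else:
            bad_lines.append(lineno)
    return records, bad_lines


def epoch_ms_to_iso(ms):
    """ProtectWise timestamps are epoch milliseconds; render them as UTC ISO-8601.
    Integer arithmetic keeps the millisecond part exact."""
    if ms is None:
        return None
    ts = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(milliseconds=ms)
    return ts.strftime("%Y-%m-%dT%H:%M:%S") + f".{ms % 1000:03d}Z"


def record_kind(rec):
    """Observations carry a 'data' payload; events carry 'type' and 'message'."""
    if "type" in rec and "message" in rec:
        return "event"
    return "observation" if "data" in rec else "unknown"


def missing_fields(rec, required):
    """Fields the ingestion schema expects that this record does not carry."""
    return [f for f in required if f not in rec]


def normalize(rec):
    """Flatten the fields an analyst triages on; None for unrecognised records."""
    kind = record_kind(rec)
    if kind == "observation":
        ids = (rec.get("data") or {}).get("idsEvent") or {}
        conn = rec.get("connectionInfo") or {}
        return {"kind": kind, "id": rec.get("id"),
                "occurred_at": epoch_ms_to_iso(rec.get("occurredAt")),
                "src_ip": conn.get("srcIp"), "dst_ip": conn.get("dstIp"),
                "dst_port": conn.get("dstPort"), "proto": conn.get("proto"),
                "signature_id": ids.get("signatureId"),
                "description": ids.get("description"),
                "kill_chain_stage": rec.get("killChainStage"),
                "threat_score": rec.get("threatScore")}
    if kind == "event":
        return {"kind": kind, "id": rec.get("id"), "event_type": rec.get("type"),
                "message": rec.get("message"),
                "started_at": epoch_ms_to_iso(rec.get("startedAt")),
                "ended_at": epoch_ms_to_iso(rec.get("endedAt")),
                "kill_chain_stage": rec.get("killChainStage"),
                "threat_score": rec.get("threatScore"),
                "observation_count": rec.get("observationCount")}
    return None


def load_and_triage(text, min_score=10):
    """Parse, normalize and keep records at or above min_score, highest first."""
    records, bad_lines = parse_ndjson(text)
    normalized = [n for n in (normalize(r) for r in records) if n]
    hits = [n for n in normalized if (n["threat_score"] or 0) >= min_score]
    return sorted(hits, key=lambda n: n["threat_score"], reverse=True), bad_lines


if __name__ == "__main__":
    hits, bad_lines = load_and_triage(SAMPLE_NDJSON)
    for h in hits:
        print(h["kind"], h["id"], h["threat_score"], h.get("message") or h.get("description"))
    print("rejected lines:", bad_lines)
```

Rejected line numbers are returned rather than silently dropped so that an export whose lines are not real JSON surfaces before the schema is registered; missing_fields is the check to run against whichever subset of fields you decide to send.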