ProtectWise

Overview
ProtectWise is a cloud-powered security company that provides Network Detection and Response (NDR) services.
Integrating your ProtectWise logs into the Hunters ecosystem lets you store the data in a parsed format, investigate threat scenarios over it, and receive the related Hunters detections for your tenant.
Supported Data Types
ProtectWise Observations - detailed ProtectWise native alerts, also known as ProtectWise Observations.
ProtectWise Events - aggregated event data logged by ProtectWise.
Hunters Integration
To collect and integrate your ProtectWise logs into Hunters, you will need to provide Hunters with your ProtectWise access token. Alternatively, you can export the logs from your account to a storage service (e.g. an S3 bucket or Azure Blob Storage) shared with Hunters.
The expected log format is the JSON format as exported by ProtectWise. Logging the full schema is recommended; however, any subset of the fields can be ingested, provided you supply your specific schema to Hunters. Two sample records, an Observation followed by an Event, are shown below.
{"tags": null, "sensorId": 12408, "agentId": 12408, "flowId": null, "netflowId": "0000017ef1fb877edbf1e572bfc5115a", "associatedId": {"flowId": {"key": "0000017ef1fb877edbf1e572bfc5115a", "startTime": 1644737300350, "srcGeo": null, "dstGeo": null, "direction": "None", "flowStates": [], "srcDeviceId": "e92cc150e322986f", "dstDeviceId": "8177804b0fe8dd2b", "interfaceAlias": null, "nat": null, "applicationProtocols": null, "protocols": null, "vlan": null, "pcapBytes": null, "srcDeviceDetails": null, "dstDeviceDetails": null, "flags": [], "ip": {"srcMac": "", "dstMac": "", "srcIp": "2.2.20.131", "dstIp": "1.1.65.253", "srcPort": 56562, "dstPort": 53, "proto": "UDP", "layer3Proto": "IPv4", "layer4Proto": "Udp"}}}, "data": {"idsEvent": {"timestampSeconds": 0, "timestampMicros": 0, "signatureId": 2012811, "generatorId": 901189276, "revision": 7, "classification": "bad-unknown", "priorityId": 3, "description": "Query to a .tk domain - Likely Hostile"}}, "occurredAt": 1644737300350, "observedAt": 1644737315040, "threatLevel": "Low", "confidence": 90, "killChainStage": "Recon", "severity": 10, "category": "Suspicious", "threatScore": 9, "cid": 3898, "observedStage": "Realtime", "source": "Surricata", "id": "0000017ef1fb877edbf1e572bfc5115a23c1f6260000", "threatSubCategory": "None", "netflow": null, "srcGeo": null, "dstGeo": null, "analysisId": null, "observationDirection": "None", "endedAt": null, "info": {"ips": ["2.2.20.131", "1.1.65.253"], "ports": [53, 56562], "coordinates": [], "protocols": [], "properties": {}, "hostIds": [{"host": {"ip": "2.2.20.131"}, "geo": null, "deviceId": null, "srcPorts": [], "dstPorts": [], "layer3Protocols": [], "layer4Protocols": [], "applicationProtocols": null, "protocols": null, "hostLocation": null, "deviceDetails": null}, {"host": {"ip": "1.1.65.253"}, "geo": null, "deviceId": null, "srcPorts": [], "dstPorts": [], "layer3Protocols": [], "layer4Protocols": [], "applicationProtocols": null, "protocols": null, "hostLocation": null, "deviceDetails": null}], "listId": "158b5865-a9a8-4286-b1ee-530991903501", "intelKey": "901189276:2012811", "domains": [], "flags": []}, "connectionInfo": {"srcMac": "", "dstMac": "", "srcIp": "2.2.20.131", "dstIp": "1.1.65.253", "srcPort": 56562, "dstPort": 53, "proto": "UDP", "layer3Proto": "IPv4", "layer4Proto": "Udp"}}
{"state": "resolved", "resolvedReason": "noAction", "assignee": {"email": null, "firstname": null, "lastname": null}, "priority": false, "tags": null, "sensorId": 12402, "sensorIds": [12402], "cid": 3898, "agentId": 12402, "id": "0005d7e000598c20c4403c0331a2eaa67fc2ec6d7818cbe664f5f995", "type": "MaliciousConversation", "message": "Kill Chain Progression: Delivery to Beacon on Host: 10.1.2.3", "observations": [], "netflows": [], "confidence": 100, "threatScore": 25, "threatLevel": "Low", "killChainStage": "Beacon", "category": "Misc", "startedAt": 1644731962068, "endedAt": 1644807240591, "observedAt": 1644836058167, "observedStage": "Realtime", "isUpdate": true, "threatSubCategory": "None", "observationCount": 10, "netflowCount": 10, "analysisId": null, "flags": [], "workflow": {"status": 30, "resolution": 10, "assignedTo": null, "priority": 50}}
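As an added example (not Hunters' or ProtectWise's own code), the Python below normalizes an Observation and an Event into one flat shape that detection logic can query regardless of record type: epoch-millisecond timestamps become ISO-8601 UTC, the literal string "None" that appears in fields such as threatSubCategory and observationDirection in the samples is treated like a real null, and the connection tuple is lifted out of connectionInfo for Observations. The two records are abbreviated from the samples above, and the helper names are this example's own.

```python
import json
from datetime import datetime, timezone

# Abbreviated copies of the two sample records above (constructed for this example).
OBSERVATION = json.loads('{"id": "0000017ef1fb877edbf1e572bfc5115a23c1f6260000", "cid": 3898, '
    '"sensorId": 12408, "occurredAt": 1644737300350, "observedAt": 1644737315040, '
    '"threatLevel": "Low", "threatScore": 9, "killChainStage": "Recon", '
    '"threatSubCategory": "None", "observationDirection": "None", '
    '"data": {"idsEvent": {"signatureId": 2012811, "description": "Query to a .tk domain - Likely Hostile"}}, '
    '"connectionInfo": {"srcIp": "2.2.20.131", "dstIp": "1.1.65.253", "srcPort": 56562, "dstPort": 53, "proto": "UDP"}}')
EVENT = json.loads('{"id": "0005d7e000598c20c4403c0331a2eaa67fc2ec6d7818cbe664f5f995", "cid": 3898, '
    '"sensorId": 12402, "type": "MaliciousConversation", "state": "resolved", '
    '"message": "Kill Chain Progression: Delivery to Beacon on Host: 10.1.2.3", '
    '"startedAt": 1644731962068, "endedAt": 1644807240591, "observedAt": 1644836058167, '
    '"threatLevel": "Low", "threatScore": 25, "killChainStage": "Beacon", "threatSubCategory": "None"}')

def clean(value):
    # The export uses the string "None" in some fields; treat it like a real null.
    return None if value in (None, "None") else value

def to_iso(epoch_ms):
    # ProtectWise timestamps are epoch milliseconds; render them as ISO-8601 UTC.
    if epoch_ms is None:
        return None
    return datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc).isoformat()

def normalize(record):
    """Flatten an Observation or an Event into one schema shared by both types."""
    is_event = "type" in record  # Observations carry 'data'; Events carry 'type' and 'state'
    conn = record.get("connectionInfo") or {}
    ids = (record.get("data") or {}).get("idsEvent") or {}
    return {
        "record_type": "event" if is_event else "observation",
        "id": record["id"], "cid": record["cid"], "sensor_id": record.get("sensorId"),
        "start_time": to_iso(record.get("startedAt") if is_event else record.get("occurredAt")),
        "end_time": to_iso(record.get("endedAt")), "observed_at": to_iso(record.get("observedAt")),
        "threat_level": record.get("threatLevel"), "threat_score": record.get("threatScore"),
        "kill_chain_stage": record.get("killChainStage"),
        "threat_sub_category": clean(record.get("threatSubCategory")),
        "direction": clean(record.get("observationDirection")),
        "summary": record.get("message") or ids.get("description"),
        "signature_id": ids.get("signatureId"),
        "src_ip": conn.get("srcIp"), "dst_ip": conn.get("dstIp"), "proto": conn.get("proto"),
        "src_port": conn.get("srcPort"), "dst_port": conn.get("dstPort"),
    }

if __name__ == "__main__":
    for rec in (OBSERVATION, EVENT):
        print(json.dumps(normalize(rec), indent=2))
```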