Overview

ProtectWise is a cloud-powered security company that provides Network Detection and Response (NDR) services.

Integrating your ProtectWise logs into the Hunters ecosystem stores the data in a parsed format, lets you investigate threat scenarios over it, and surfaces the related Hunters detections for your tenant.

Supported Data Types

  • ProtectWise Observations - detailed ProtectWise native alerts, also known as ProtectWise Observations.

  • ProtectWise Events - aggregated event data logged by ProtectWise.

Hunters Integration

To collect and integrate your ProtectWise logs into Hunters, you will need to provide Hunters with your ProtectWise access token. Alternatively, you can export the logs from your account to a storage service (e.g. an S3 bucket or Azure Blob Storage) shared with Hunters.

The expected log format is the JSON format exported by ProtectWise. Logging the full schema is recommended; however, any subset of the fields can be ingested, provided you supply your specific schema to Hunters.

ProtectWise Observations Data Sample

{
  "tags": null,
  "sensorId": 12408,
  "agentId": 12408,
  "flowId": null,
  "netflowId": "0000017ef1fb877edbf1e572bfc5115a",
  "associatedId": {
    "flowId": {
      "key": "0000017ef1fb877edbf1e572bfc5115a",
      "startTime": 1644737300350,
      "srcGeo": null, "dstGeo": null, "direction": "None", "flowStates": [],
      "srcDeviceId": "e92cc150e322986f", "dstDeviceId": "8177804b0fe8dd2b",
      "interfaceAlias": null, "nat": null, "applicationProtocols": null, "protocols": null,
      "vlan": null, "pcapBytes": null, "srcDeviceDetails": null, "dstDeviceDetails": null,
      "flags": [],
      "ip": {"srcMac": "", "dstMac": "", "srcIp": "2.2.20.131", "dstIp": "1.1.65.253",
             "srcPort": 56562, "dstPort": 53, "proto": "UDP", "layer3Proto": "IPv4", "layer4Proto": "Udp"}
    }
  },
  "data": {
    "idsEvent": {"timestampSeconds": 0, "timestampMicros": 0, "signatureId": 2012811,
                 "generatorId": 901189276, "revision": 7, "classification": "bad-unknown",
                 "priorityId": 3, "description": "Query to a .tk domain - Likely Hostile"}
  },
  "occurredAt": 1644737300350,
  "observedAt": 1644737315040,
  "threatLevel": "Low",
  "confidence": 90,
  "killChainStage": "Recon",
  "severity": 10,
  "category": "Suspicious",
  "threatScore": 9,
  "cid": 3898,
  "observedStage": "Realtime",
  "source": "Surricata",
  "id": "0000017ef1fb877edbf1e572bfc5115a23c1f6260000",
  "threatSubCategory": "None",
  "netflow": null,
  "srcGeo": null,
  "dstGeo": null,
  "analysisId": null,
  "observationDirection": "None",
  "endedAt": null,
  "info": {
    "ips": ["2.2.20.131", "1.1.65.253"],
    "ports": [53, 56562],
    "coordinates": [], "protocols": [], "properties": {},
    "hostIds": [
      {"host": {"ip": "2.2.20.131"}, "geo": null, "deviceId": null, "srcPorts": [], "dstPorts": [],
       "layer3Protocols": [], "layer4Protocols": [], "applicationProtocols": null, "protocols": null,
       "hostLocation": null, "deviceDetails": null},
      {"host": {"ip": "1.1.65.253"}, "geo": null, "deviceId": null, "srcPorts": [], "dstPorts": [],
       "layer3Protocols": [], "layer4Protocols": [], "applicationProtocols": null, "protocols": null,
       "hostLocation": null, "deviceDetails": null}
    ],
    "listId": "158b5865-a9a8-4286-b1ee-530991903501",
    "intelKey": "901189276:2012811",
    "domains": [],
    "flags": []
  },
  "connectionInfo": {"srcMac": "", "dstMac": "", "srcIp": "2.2.20.131", "dstIp": "1.1.65.253",
                     "srcPort": 56562, "dstPort": 53, "proto": "UDP", "layer3Proto": "IPv4", "layer4Proto": "Udp"}
}
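As an added example, not part of the Hunters or ProtectWise documentation, the following Python checks an exported Observation against the subset of fields a tenant has declared to Hunters and flattens it into the fields an analyst pivots on. The declared field list is an assumption, and the embedded record is a trimmed copy of the sample above.

```python
import json
from datetime import datetime, timezone

OBSERVATION_JSON = """{
  "id": "0000017ef1fb877edbf1e572bfc5115a23c1f6260000", "threatLevel": "Low",
  "occurredAt": 1644737300350, "observedAt": 1644737315040, "killChainStage": "Recon",
  "data": {"idsEvent": {"signatureId": 2012811, "classification": "bad-unknown",
           "description": "Query to a .tk domain - Likely Hostile"}},
  "connectionInfo": {"srcIp": "2.2.20.131", "dstIp": "1.1.65.253",
                     "srcPort": 56562, "dstPort": 53, "proto": "UDP"}}"""
SAMPLE_OBSERVATION = json.loads(OBSERVATION_JSON)  # trimmed copy of the page's sample

# Assumed subset of the schema a tenant declares to Hunters, as dotted paths.
REQUIRED_FIELDS = ["id", "occurredAt", "observedAt", "threatLevel", "killChainStage",
                   "data.idsEvent.signatureId", "data.idsEvent.description",
                   "connectionInfo.srcIp", "connectionInfo.dstIp", "connectionInfo.dstPort"]

def get_path(record, dotted):
    """Walk a dotted path such as 'data.idsEvent.signatureId'; None if absent."""
    for part in dotted.split("."):
        record = record.get(part) if isinstance(record, dict) else None
    return record

def missing_fields(record, required=REQUIRED_FIELDS):
    """Declared paths that this record does not carry (or carries as null)."""
    return [p for p in required if get_path(record, p) is None]

def epoch_ms_to_iso(ms):
    """ProtectWise timestamps are epoch milliseconds; integer math avoids float drift."""
    ts = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return ts.replace(microsecond=(ms % 1000) * 1000).isoformat()

def flatten_observation(record):
    """Reduce an Observation to the flat fields an analyst pivots on."""
    gaps = missing_fields(record)
    if gaps:
        raise ValueError(f"observation lacks declared fields: {gaps}")
    conn = record["connectionInfo"]
    return {
        "id": record["id"],
        "occurred_at": epoch_ms_to_iso(record["occurredAt"]),
        # seconds between the packet and the sensor reporting it
        "detection_latency_s": (record["observedAt"] - record["occurredAt"]) / 1000,
        "signature_id": get_path(record, "data.idsEvent.signatureId"),
        "description": get_path(record, "data.idsEvent.description"),
        "threat_level": record["threatLevel"],
        "kill_chain_stage": record["killChainStage"],
        "src": f"{conn['srcIp']}:{conn['srcPort']}",
        "dst": f"{conn['dstIp']}:{conn['dstPort']}",
    }
```

Records that fail the declared-schema check are rejected before flattening, so a partial export surfaces as an ingestion error rather than as silently empty fields.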

ProtectWise Events Data Sample

{
  "state": "resolved",
  "resolvedReason": "noAction",
  "assignee": {"email": null, "firstname": null, "lastname": null},
  "priority": false,
  "tags": null,
  "sensorId": 12402,
  "sensorIds": [12402],
  "cid": 3898,
  "agentId": 12402,
  "id": "0005d7e000598c20c4403c0331a2eaa67fc2ec6d7818cbe664f5f995",
  "type": "MaliciousConversation",
  "message": "Kill Chain Progression: Delivery to Beacon on Host: 10.1.2.3",
  "observations": [],
  "netflows": [],
  "confidence": 100,
  "threatScore": 25,
  "threatLevel": "Low",
  "killChainStage": "Beacon",
  "category": "Misc",
  "startedAt": 1644731962068,
  "endedAt": 1644807240591,
  "observedAt": 1644836058167,
  "observedStage": "Realtime",
  "isUpdate": true,
  "threatSubCategory": "None",
  "observationCount": 10,
  "netflowCount": 10,
  "analysisId": null,
  "flags": [],
  "workflow": {"status": 30, "resolution": 10, "assignedTo": null, "priority": 50}
}