Fix comments
vg-svitla committed Jan 21, 2025
1 parent c63989e commit 32efe8d
Showing 5 changed files with 116 additions and 6 deletions.
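--- a/Trend Micro/trend-micro-vision-one-oat/_meta/fields.yml
+++ b/Trend Micro/trend-micro-vision-one-oat/_meta/fields.yml
@@ -57,3 +57,28 @@ process.parent.user.domain:
   description: ''
   name: process.parent.user.domain
   type: keyword
+
+trendmicro.visionone.oat.detectionType:
+  description: ''
+  name: trendmicro.visionone.oat.detectionType
+  type: keyword
+
+trendmicro.visionone.oat.eventId:
+  description: ''
+  name: trendmicro.visionone.oat.eventId
+  type: keyword
+
+trendmicro.visionone.oat.eventName:
+  description: ''
+  name: trendmicro.visionone.oat.eventName
+  type: keyword
+
+trendmicro.visionone.oat.eventSubName:
+  description: ''
+  name: trendmicro.visionone.oat.eventSubName
+  type: keyword
+
+trendmicro.visionone.oat.riskLevel:
+  description: ''
+  name: trendmicro.visionone.oat.riskLevel
+  type: keyword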
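Review bot: All five new field definitions leave `description: ''`, so the schema adds names and types but tells an analyst nothing about what the values mean. The fixtures in this same commit show the value shapes, which is enough to write one-line descriptions, for example `description: 'Trend Micro Vision One OAT event identifier, e.g. 100101'` for eventId, `description: 'Detection engine that raised the OAT event, e.g. Web Reputation'` for detectionType and `description: 'Vendor risk level of the OAT event, e.g. RISK_DANGEROUS'` for riskLevel, with matching lines for eventName and eventSubName. Keeping the descriptions next to the type also records that these vendor values are deliberately kept as `keyword` rather than mapped onto ECS severity fields.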
18 changes: 18 additions & 0 deletions Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml
Expand Up @@ -39,6 +39,9 @@ stages:
agent.id: "{{parsed_event.message.endpoint.agentGuid}}"
event.start: "{{parsed_event.message.detail.firstSeen | to_rfc3339}}"
event.end: "{{parsed_event.message.detail.lastSeen | to_rfc3339}}"
event.action: "{{parsed_event.message.act}}"
event.provider: "{{parsed_event.message.pname}}"
event.reason: "{{parsed_event.message.description}}"

host.id: "{{parsed_event.message.detail.endpointGuid}}"
host.os.name: "{{parsed_event.message.detail.osName}}"
Expand Down Expand Up @@ -79,6 +82,21 @@ stages:
process.hash.sha1: "{{parsed_event.message.detail.ObjectFileHashSha1}}"
process.hash.sha256: "{{parsed_event.message.detail.ObjectFileHashSha256}}"

url.original: "{{ parsed_event.message.request }}"

organization.id: "{{parsed_event.message.orgId}}"

rule.ruleset: "{{parsed_event.message.policyName}}"
rule.name: "{{parsed_event.message.ruleName}}"

cloud.service.name: "{{parsed_event.message.cloudAppName}}"

trendmicro.visionone.oat.eventId: "{{parsed_event.message.eventId}}"
trendmicro.visionone.oat.eventName: "{{parsed_event.message.eventName}}"
trendmicro.visionone.oat.eventSubName: "{{parsed_event.message.eventSubName}}"
trendmicro.visionone.oat.detectionType: "{{parsed_event.message.detectionType}}"
trendmicro.visionone.oat.riskLevel: "{{parsed_event.message.riskLevel}}"

- set:
threat.tactic.id: "{{parsed_event.message.filters | map(attribute='mitreTacticIds') | list | sum(start = [])}}"

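Review bot: `url.original: "{{ parsed_event.message.request }}"` is the only template in the stage written with padded braces; every other mapping in the hunk uses the `"{{parsed_event.message.…}}"` form, so `url.original: "{{parsed_event.message.request}}"` keeps the file uniform and greppable. Separately, `event.action: "{{parsed_event.message.act}}"` copies `act` through unchanged, and the sample behind the fixtures carries `act` as a list (`["Quarantine"]`), which is also what the expected output stores; ECS defines event.action as a single keyword, so if any downstream rule compares it as a scalar a selection such as `act | first` may be wanted — worth confirming against the consumer's schema rather than assuming. The `- set:` stage opened on the last lines of the hunk continues outside it.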
@@ -1,17 +1,26 @@
{
"input": {
"message": "{\"uuid\":\"05c522d1-e2d8-42da-a06d-1b2a0535b4cf\",\"filterRiskLevel\":\"medium\",\"request\":\"https://urlshorter.net/wjhHjf\",\"attachmentFileName\":[\"Mail Body\"],\"objectType\":\"url\",\"suid\":\"[email protected]\",\"suser\":[\"[email protected]\"],\"mailMsgSubject\":\"XXXXXXXXXXX.\",\"msgId\":\"[email protected]\",\"tags\":[\"THREAT.PHISHING\",\"MITRE.T1071\",\"MITRE.T1071.003\",\"MITRE.T1566.002\",\"XSAE.F1906\",\"XSAE.F3036\",\"XSAE.F4960\"],\"eventName\":\"WEB_THREAT_DETECTION\",\"eventSubName\":\"Web Security Violation\",\"eventId\":\"100101\",\"actResult\":[\"Successful\"],\"scanType\":\"exchange_mailbox_realtime_detection_logs\",\"productCode\":\"sca\",\"pname\":\"Cloud Email and Collaboration Protection\",\"act\":[\"Quarantine\"],\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"orgId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"groupId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"urlCat\":[\"Phishing\"],\"policyName\":\"CUGR-politique_principale\",\"detectionType\":\"Web Reputation\",\"eventTime\":\"1733960830000\",\"logReceivedTime\":\"1733960918475\",\"scanTs\":\"2024-12-11T23:48:01.0000000Z\",\"mailMsgId\":\"[email protected]\",\"mailReceivedTime\":\"2024-12-11T23:47:10.0000000Z\",\"eventSourceType\":3,\"mailbox\":\"[email protected]\",\"threatType\":\"104\",\"mailUniqueId\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"rt_utc\":\"2024-12-11T23:47:10.0000000Z\",\"rt\":\"2024-12-11T23:47:10.0000000Z\",\"filterName\":\"Web Reputation\",\"logKey\":\"c6ce5d74664fffb9011f9e8e2c99a7f1f1d03348b2f7c1f80edaae2eef23b665\",\"cloudAppName\":\"exchange\",\"mailFolder\":\"[email protected]\",\"riskLevel\":\"RISK_DANGEROUS\"}"
"message": "{\"uuid\":\"05c522d1-e2d8-42da-a06d-1b2a0535b4cf\",\"filterRiskLevel\":\"medium\",\"request\":\"https://urlshorter.net/wjhHjf\",\"attachmentFileName\":[\"Mail Body\"],\"objectType\":\"url\",\"suid\":\"[email protected]\",\"suser\":[\"[email protected]\"],\"mailMsgSubject\":\"XXXXXXXXXXX.\",\"msgId\":\"[email protected]\",\"tags\":[\"THREAT.PHISHING\",\"MITRE.T1071\",\"MITRE.T1071.003\",\"MITRE.T1566.002\",\"XSAE.F1906\",\"XSAE.F3036\",\"XSAE.F4960\"],\"eventName\":\"WEB_THREAT_DETECTION\",\"eventSubName\":\"Web Security Violation\",\"eventId\":\"100101\",\"actResult\":[\"Successful\"],\"scanType\":\"exchange_mailbox_realtime_detection_logs\",\"productCode\":\"sca\",\"pname\":\"Cloud Email and Collaboration Protection\",\"act\":[\"Quarantine\"],\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"orgId\":\"XXXXXX-xxxxx-XXXXXX-Xx\",\"groupId\":\"XXXXXX-xxxxx-XXXXXX-Xx\",\"urlCat\":[\"Phishing\"],\"policyName\":\"CUGR-politique_principale\",\"detectionType\":\"Web Reputation\",\"eventTime\":\"1733960830000\",\"logReceivedTime\":\"1733960918475\",\"scanTs\":\"2024-12-11T23:48:01.0000000Z\",\"mailMsgId\":\"[email protected]\",\"mailReceivedTime\":\"2024-12-11T23:47:10.0000000Z\",\"eventSourceType\":3,\"mailbox\":\"[email protected]\",\"threatType\":\"104\",\"mailUniqueId\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"rt_utc\":\"2024-12-11T23:47:10.0000000Z\",\"rt\":\"2024-12-11T23:47:10.0000000Z\",\"filterName\":\"Web Reputation\",\"logKey\":\"c6ce5d74664fffb9011f9e8e2c99a7f1f1d03348b2f7c1f80edaae2eef23b665\",\"cloudAppName\":\"exchange\",\"mailFolder\":\"[email protected]\",\"riskLevel\":\"RISK_DANGEROUS\"}"
},
"expected": {
"message": "{\"uuid\":\"05c522d1-e2d8-42da-a06d-1b2a0535b4cf\",\"filterRiskLevel\":\"medium\",\"request\":\"https://urlshorter.net/wjhHjf\",\"attachmentFileName\":[\"Mail Body\"],\"objectType\":\"url\",\"suid\":\"[email protected]\",\"suser\":[\"[email protected]\"],\"mailMsgSubject\":\"XXXXXXXXXXX.\",\"msgId\":\"[email protected]\",\"tags\":[\"THREAT.PHISHING\",\"MITRE.T1071\",\"MITRE.T1071.003\",\"MITRE.T1566.002\",\"XSAE.F1906\",\"XSAE.F3036\",\"XSAE.F4960\"],\"eventName\":\"WEB_THREAT_DETECTION\",\"eventSubName\":\"Web Security Violation\",\"eventId\":\"100101\",\"actResult\":[\"Successful\"],\"scanType\":\"exchange_mailbox_realtime_detection_logs\",\"productCode\":\"sca\",\"pname\":\"Cloud Email and Collaboration Protection\",\"act\":[\"Quarantine\"],\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"orgId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"groupId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"urlCat\":[\"Phishing\"],\"policyName\":\"CUGR-politique_principale\",\"detectionType\":\"Web Reputation\",\"eventTime\":\"1733960830000\",\"logReceivedTime\":\"1733960918475\",\"scanTs\":\"2024-12-11T23:48:01.0000000Z\",\"mailMsgId\":\"[email protected]\",\"mailReceivedTime\":\"2024-12-11T23:47:10.0000000Z\",\"eventSourceType\":3,\"mailbox\":\"[email protected]\",\"threatType\":\"104\",\"mailUniqueId\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"rt_utc\":\"2024-12-11T23:47:10.0000000Z\",\"rt\":\"2024-12-11T23:47:10.0000000Z\",\"filterName\":\"Web Reputation\",\"logKey\":\"c6ce5d74664fffb9011f9e8e2c99a7f1f1d03348b2f7c1f80edaae2eef23b665\",\"cloudAppName\":\"exchange\",\"mailFolder\":\"[email protected]\",\"riskLevel\":\"RISK_DANGEROUS\"}",
"message": "{\"uuid\":\"05c522d1-e2d8-42da-a06d-1b2a0535b4cf\",\"filterRiskLevel\":\"medium\",\"request\":\"https://urlshorter.net/wjhHjf\",\"attachmentFileName\":[\"Mail Body\"],\"objectType\":\"url\",\"suid\":\"[email protected]\",\"suser\":[\"[email protected]\"],\"mailMsgSubject\":\"XXXXXXXXXXX.\",\"msgId\":\"[email protected]\",\"tags\":[\"THREAT.PHISHING\",\"MITRE.T1071\",\"MITRE.T1071.003\",\"MITRE.T1566.002\",\"XSAE.F1906\",\"XSAE.F3036\",\"XSAE.F4960\"],\"eventName\":\"WEB_THREAT_DETECTION\",\"eventSubName\":\"Web Security Violation\",\"eventId\":\"100101\",\"actResult\":[\"Successful\"],\"scanType\":\"exchange_mailbox_realtime_detection_logs\",\"productCode\":\"sca\",\"pname\":\"Cloud Email and Collaboration Protection\",\"act\":[\"Quarantine\"],\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"orgId\":\"XXXXXX-xxxxx-XXXXXX-Xx\",\"groupId\":\"XXXXXX-xxxxx-XXXXXX-Xx\",\"urlCat\":[\"Phishing\"],\"policyName\":\"CUGR-politique_principale\",\"detectionType\":\"Web Reputation\",\"eventTime\":\"1733960830000\",\"logReceivedTime\":\"1733960918475\",\"scanTs\":\"2024-12-11T23:48:01.0000000Z\",\"mailMsgId\":\"[email protected]\",\"mailReceivedTime\":\"2024-12-11T23:47:10.0000000Z\",\"eventSourceType\":3,\"mailbox\":\"[email protected]\",\"threatType\":\"104\",\"mailUniqueId\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0A7dXJVkGT2UayhNKtrEISCgACGlUj_gAA\",\"rt_utc\":\"2024-12-11T23:47:10.0000000Z\",\"rt\":\"2024-12-11T23:47:10.0000000Z\",\"filterName\":\"Web Reputation\",\"logKey\":\"c6ce5d74664fffb9011f9e8e2c99a7f1f1d03348b2f7c1f80edaae2eef23b665\",\"cloudAppName\":\"exchange\",\"mailFolder\":\"[email protected]\",\"riskLevel\":\"RISK_DANGEROUS\"}",
"event": {
"action": [
"Quarantine"
],
"category": [
"email"
],
"provider": "Cloud Email and Collaboration Protection",
"type": [
"info"
]
},
"cloud": {
"service": {
"name": "exchange"
}
},
"email": {
"delivery_timestamp": "2024-12-11T23:47:10Z",
"from": {
Expand All @@ -26,6 +35,32 @@
"observer": {
"product": "Vision One",
"vendor": "TrendMicro"
},
"organization": {
"id": "XXXXXX-xxxxx-XXXXXX-Xx"
},
"rule": {
"ruleset": "CUGR-politique_principale"
},
"trendmicro": {
"visionone": {
"oat": {
"detectionType": "Web Reputation",
"eventId": "100101",
"eventName": "WEB_THREAT_DETECTION",
"eventSubName": "Web Security Violation",
"riskLevel": "RISK_DANGEROUS"
}
}
},
"url": {
"domain": "urlshorter.net",
"original": "https://urlshorter.net/wjhHjf",
"path": "/wjhHjf",
"port": 443,
"registered_domain": "urlshorter.net",
"scheme": "https",
"top_level_domain": "net"
}
}
}
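Review bot: The anonymisation of `orgId`/`groupId` uses a different placeholder style in each fixture (`XXXXXX-xxxxx-XXXXXX-Xx` here, `123-123-123-123` in the MESSAGE_SUSPICIOUS_DETECTION fixture further down); one convention, preferably a value that still has the UUID shape the product emits so the fixture exercises the real value form, would make the intent clearer, and the `organization.id` in each `expected` block has to follow whichever placeholder is chosen. The scrubbing also stops at those two keys: `uuid`, `msgUuid`, `mailUniqueId`, `logKey` and the `mailMsgSubject` text are carried over unchanged from the original sample in both fixtures, so if the purpose of the change is to keep tenant-identifying data out of the repository they likely need the same treatment — whether they are actually sensitive cannot be judged from the diff alone. A short note in the fixture directory stating which keys are placeholders would save the next contributor from re-deriving this.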
@@ -1,13 +1,15 @@
{
"input": {
"message": "{\"uuid\":\"ba4e0d21-e780-4087-b06d-d26262fa46e9\",\"filterRiskLevel\":\"medium\",\"attachmentFileName\":[\"PVI_06-12-2024.pdf\"],\"suser\":\"[email protected]\",\"duser\":[\"[email protected]\",\"[email protected]\"],\"mailMsgSubject\":\"RE: PVI\",\"msgId\":\"[PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM](mailto:PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM)\",\"tags\":[\"mitre.t1566.002\",\"XSJG.MA-01-009\"],\"ruleName\":\"MA-01-009\",\"eventName\":\"MESSAGE_SUSPICIOUS_DETECTION\",\"eventId\":\"100139\",\"scanType\":\"realtime_mailmeta-exchange\",\"productCode\":\"xms\",\"pname\":\"Email Sensor\",\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0AWm1bI0La5USA2IfmIqtGdAACGeP81wAA\",\"orgId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"groupId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"eventTime\":\"1733925103000\",\"logReceivedTime\":\"1733925177217\",\"attachmentFileSizes\":[\"-1\"],\"groupIdCorrValues\":[\"[email protected]\"],\"mailMsgDirection\":1,\"dataType\":1,\"eventSourceType\":2,\"mailbox\":\"[email protected]\",\"rt_utc\":\"2024-12-11T13:52:57.0150000Z\",\"attachmentFileTlshes\":[\"\"],\"rt\":\"1733925103000\",\"description\":\"The writing style is different from the past his/her sent emails\",\"ruleVer\":\"\",\"samUser\":\"\",\"attachmentFileHashs\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachment\":[{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"PVI_06-12-2024.pdf\",\"attachmentFileHash\":\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\",\"attachmentFileSize\":\"-1\"}],\"groupIdCorrKey\":\"SENDER_ADDRESS\",\"attachmentFileHashes\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachmentFileTlshs\":[\"\"]}"
"message": "{\"uuid\":\"ba4e0d21-e780-4087-b06d-d26262fa46e9\",\"filterRiskLevel\":\"medium\",\"attachmentFileName\":[\"PVI_06-12-2024.pdf\"],\"suser\":\"[email protected]\",\"duser\":[\"[email protected]\",\"[email protected]\"],\"mailMsgSubject\":\"RE: PVI\",\"msgId\":\"[PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM](mailto:PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM)\",\"tags\":[\"mitre.t1566.002\",\"XSJG.MA-01-009\"],\"ruleName\":\"MA-01-009\",\"eventName\":\"MESSAGE_SUSPICIOUS_DETECTION\",\"eventId\":\"100139\",\"scanType\":\"realtime_mailmeta-exchange\",\"productCode\":\"xms\",\"pname\":\"Email Sensor\",\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0AWm1bI0La5USA2IfmIqtGdAACGeP81wAA\",\"orgId\":\"123-123-123-123\",\"groupId\":\"123-123-123-123\",\"eventTime\":\"1733925103000\",\"logReceivedTime\":\"1733925177217\",\"attachmentFileSizes\":[\"-1\"],\"groupIdCorrValues\":[\"[email protected]\"],\"mailMsgDirection\":1,\"dataType\":1,\"eventSourceType\":2,\"mailbox\":\"[email protected]\",\"rt_utc\":\"2024-12-11T13:52:57.0150000Z\",\"attachmentFileTlshes\":[\"\"],\"rt\":\"1733925103000\",\"description\":\"The writing style is different from the past his/her sent emails\",\"ruleVer\":\"\",\"samUser\":\"\",\"attachmentFileHashs\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachment\":[{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"PVI_06-12-2024.pdf\",\"attachmentFileHash\":\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\",\"attachmentFileSize\":\"-1\"}],\"groupIdCorrKey\":\"SENDER_ADDRESS\",\"attachmentFileHashes\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachmentFileTlshs\":[\"\"]}"
},
"expected": {
"message": "{\"uuid\":\"ba4e0d21-e780-4087-b06d-d26262fa46e9\",\"filterRiskLevel\":\"medium\",\"attachmentFileName\":[\"PVI_06-12-2024.pdf\"],\"suser\":\"[email protected]\",\"duser\":[\"[email protected]\",\"[email protected]\"],\"mailMsgSubject\":\"RE: PVI\",\"msgId\":\"[PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM](mailto:PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM)\",\"tags\":[\"mitre.t1566.002\",\"XSJG.MA-01-009\"],\"ruleName\":\"MA-01-009\",\"eventName\":\"MESSAGE_SUSPICIOUS_DETECTION\",\"eventId\":\"100139\",\"scanType\":\"realtime_mailmeta-exchange\",\"productCode\":\"xms\",\"pname\":\"Email Sensor\",\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0AWm1bI0La5USA2IfmIqtGdAACGeP81wAA\",\"orgId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"groupId\":\"75e85c79-7108-4ca0-8ecc-10487bcb232a\",\"eventTime\":\"1733925103000\",\"logReceivedTime\":\"1733925177217\",\"attachmentFileSizes\":[\"-1\"],\"groupIdCorrValues\":[\"[email protected]\"],\"mailMsgDirection\":1,\"dataType\":1,\"eventSourceType\":2,\"mailbox\":\"[email protected]\",\"rt_utc\":\"2024-12-11T13:52:57.0150000Z\",\"attachmentFileTlshes\":[\"\"],\"rt\":\"1733925103000\",\"description\":\"The writing style is different from the past his/her sent emails\",\"ruleVer\":\"\",\"samUser\":\"\",\"attachmentFileHashs\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachment\":[{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"PVI_06-12-2024.pdf\",\"attachmentFileHash\":\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\",\"attachmentFileSize\":\"-1\"}],\"groupIdCorrKey\":\"SENDER_ADDRESS\",\"attachmentFileHashes\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachmentFileTlshs\":[\"\"]}",
"message": "{\"uuid\":\"ba4e0d21-e780-4087-b06d-d26262fa46e9\",\"filterRiskLevel\":\"medium\",\"attachmentFileName\":[\"PVI_06-12-2024.pdf\"],\"suser\":\"[email protected]\",\"duser\":[\"[email protected]\",\"[email protected]\"],\"mailMsgSubject\":\"RE: PVI\",\"msgId\":\"[PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM](mailto:PR0P264MB3306D2475FE344E1FD724A37913E2@PR0P264MB3306.FRAP264.PROD.OUTLOOK.COM)\",\"tags\":[\"mitre.t1566.002\",\"XSJG.MA-01-009\"],\"ruleName\":\"MA-01-009\",\"eventName\":\"MESSAGE_SUSPICIOUS_DETECTION\",\"eventId\":\"100139\",\"scanType\":\"realtime_mailmeta-exchange\",\"productCode\":\"xms\",\"pname\":\"Email Sensor\",\"msgUuid\":\"AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0AWm1bI0La5USA2IfmIqtGdAACGeP81wAA\",\"orgId\":\"123-123-123-123\",\"groupId\":\"123-123-123-123\",\"eventTime\":\"1733925103000\",\"logReceivedTime\":\"1733925177217\",\"attachmentFileSizes\":[\"-1\"],\"groupIdCorrValues\":[\"[email protected]\"],\"mailMsgDirection\":1,\"dataType\":1,\"eventSourceType\":2,\"mailbox\":\"[email protected]\",\"rt_utc\":\"2024-12-11T13:52:57.0150000Z\",\"attachmentFileTlshes\":[\"\"],\"rt\":\"1733925103000\",\"description\":\"The writing style is different from the past his/her sent emails\",\"ruleVer\":\"\",\"samUser\":\"\",\"attachmentFileHashs\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachment\":[{\"attachmentFileTlsh\":\"\",\"attachmentFileName\":\"PVI_06-12-2024.pdf\",\"attachmentFileHash\":\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\",\"attachmentFileSize\":\"-1\"}],\"groupIdCorrKey\":\"SENDER_ADDRESS\",\"attachmentFileHashes\":[\"cb3a5f1e1f42dcef43c619d79f1cd17f4d516ea2\"],\"attachmentFileTlshs\":[\"\"]}",
"event": {
"category": [
"email"
],
"provider": "Email Sensor",
"reason": "The writing style is different from the past his/her sent emails",
"type": [
"info"
]
Expand Down Expand Up @@ -38,6 +40,20 @@
"observer": {
"product": "Vision One",
"vendor": "TrendMicro"
},
"organization": {
"id": "123-123-123-123"
},
"rule": {
"name": "MA-01-009"
},
"trendmicro": {
"visionone": {
"oat": {
"eventId": "100139",
"eventName": "MESSAGE_SUSPICIOUS_DETECTION"
}
}
}
}
}