Merge branch 'master' into v-sabiraj-insiderriskmanagement1
Showing
110 changed files
with
14,573 additions
and
4,062 deletions.
@@ -0,0 +1,72 @@ | ||
[ | ||
{ | ||
"ip": "1.1.2.2", | ||
"metadata": { | ||
"asn": "AS25000", | ||
"city": "Ta’if", | ||
"country": "Saudi Arabia", | ||
"country_code": "SA", | ||
"organization": "Saudi Telecom Company JSC", | ||
"category": "isp", | ||
"tor": false, | ||
"rdns": "" , | ||
"os": "Windows 7/8", | ||
"sensor_count": 78, | ||
"sensor_hits": 433, | ||
"region": "Mecca Region", | ||
"destination_countries": [ | ||
"Belarus", | ||
"United States", | ||
"Saudi Arabia", | ||
"Bulgaria", | ||
"United Kingdom", | ||
"Israel", | ||
"Australia", | ||
"Indonesia", | ||
"South Korea" | ||
], | ||
"source_country": "Saudi Arabia", | ||
"source_country_code": "SA", | ||
"destination_country_codes": [ | ||
"BY", | ||
"US", | ||
"SA", | ||
"BG", | ||
"GB", | ||
"IL", | ||
"AU", | ||
"ID", | ||
"KR" | ||
] | ||
}, | ||
"bot": false, | ||
"vpn": false, | ||
"vpn_service": "N/A", | ||
"spoofable": false, | ||
"raw_data": { | ||
"scan": [ | ||
{ | ||
"port": 445, | ||
"protocol": "TCP" | ||
}, | ||
{ | ||
"port": 1433, | ||
"protocol": "TCP" | ||
} | ||
], | ||
"web": {}, | ||
"ja3": [], | ||
"hassh": [] | ||
}, | ||
"first_seen": "2023-08-23", | ||
"last_seen": "2023-08-25", | ||
"seen": true, | ||
"tags": [ | ||
"MSSQL Bruteforcer", | ||
"SMBv1 Crawler" | ||
], | ||
"actor": "unknown", | ||
"classification": "malicious", | ||
"cve": [] | ||
} | ||
] |
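Review bot: The sample record at line 28 uses `"ip": "1.1.2.2"`, a publicly routable address, and pairs it with a real ASN and organization at lines 30 and 34, so anyone who replays this sample through an enrichment or blocking step will look up, and may attribute "malicious" activity to, a real third party; sample data should use an RFC 5737 documentation address, e.g. `"ip": "192.0.2.2",`. Two smaller points of style: line 37 has a stray space before the comma (`"rdns": "",`), and "not applicable" is spelled `""` there but `"N/A"` for `vpn_service` at line 69, so consumers need two sentinels unless the upstream API genuinely emits both. The file header naming this JSON file is not visible in this view, so the points are tied to the hunk only.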
13 changes: 13 additions & 0 deletions
13
...stom/Recoreded Future/RecordedFutureDomainWorkbook_ExampleDomainProxyLog_IngestedLogs.csv
6 changes: 6 additions & 0 deletions
6
...ecoreded Future/RecordedFutureDomainWorkbook_ThreatIntelligenceIndicator_IngestedLogs.csv
@@ -0,0 +1,6 @@ | ||
TenantId,"TimeGenerated [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",SourceSystem,Action,ActivityGroupNames,AdditionalInformation,ApplicationId,AzureTenantId,ConfidenceScore,Description,DiamondModel,ExternalIndicatorId,"ExpirationDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",IndicatorId,ThreatType,Active,KillChainActions,KillChainC2,KillChainDelivery,KillChainExploitation,KillChainReconnaissance,KillChainWeaponization,KnownFalsePositives,MalwareNames,PassiveOnly,ThreatSeverity,Tags,TrafficLightProtocolLevel,EmailEncoding,EmailLanguage,EmailRecipient,EmailSenderAddress,EmailSenderName,EmailSourceDomain,EmailSourceIpAddress,EmailSubject,EmailXMailer,"FileCompileDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]","FileCreatedDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",FileHashType,FileHashValue,FileMutexName,FileName,FilePacker,FilePath,FileSize,FileType,DomainName,NetworkIP,NetworkPort,NetworkDestinationAsn,NetworkDestinationCidrBlock,NetworkDestinationIP,NetworkCidrBlock,NetworkDestinationPort,NetworkProtocol,NetworkSourceAsn,NetworkSourceCidrBlock,NetworkSourceIP,NetworkSourcePort,Url,UserAgent,IndicatorProvider,Type,TenantId1,SourceSystem1,MG,ManagementGroupName,"TimeGenerated1 [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",Computer,RawData,"Action_s","Content_Type_s","Device_s","Domain_s","Response_s","Src_IPv4_s","URL_s",Type1,"_ResourceId",parts,tld,"DNS_TimeGenerated [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]" | ||
"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:06.351 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",92,"Recorded Future - Domains - Command and Control Activity",,"indicator--027005e3-dfe2-41d2-bd06-e8ac80b9aab8","9/19/2023, 7:07:32.983 PM",8BD4D42FFD595F366EA42C53950192F049B8D0F8E2BADF9A90272D0814364FB0,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New unknownmalware Dom: snfrpmnq[.]org IP: 169[.]50[.]13[.]61 NS: https://t.co/JxUb8f0Cir https://t.co/RCTjQ7czQd. Most recent link (May 5, 2020): https://twitter.com/DGAFeedAlerts/statuses/1257784471450980354\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1588714161000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 2 sources: Bambenek Consulting C&C Blocklist, Recently Viewed Integrations Indicators. Observed between Mar 5, 2023, and Mar 8, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1695056485635,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695056485614,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"snfrpmnq.org",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 5:08:45.466 PM",,,GET,"text/css","Squid_Proxy","snfrpmnq.org","TCP_MISS/200","10.1.4.174","http://snfrpmnq.org/xsqvmdw","Squid_Proxy_Domain_CL",,"[""snfrpmnq"",""org""]",org,"9/19/2023, 5:08:45.466 PM" | ||
"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:06.351 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",92,"Recorded Future - Domains - Command and Control Activity",,"indicator--027005e3-dfe2-41d2-bd06-e8ac80b9aab8","9/19/2023, 7:07:32.983 PM",8BD4D42FFD595F366EA42C53950192F049B8D0F8E2BADF9A90272D0814364FB0,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New unknownmalware Dom: snfrpmnq[.]org IP: 169[.]50[.]13[.]61 NS: https://t.co/JxUb8f0Cir https://t.co/RCTjQ7czQd. Most recent link (May 5, 2020): https://twitter.com/DGAFeedAlerts/statuses/1257784471450980354\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1588714161000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 2 sources: Bambenek Consulting C&C Blocklist, Recently Viewed Integrations Indicators. Observed between Mar 5, 2023, and Mar 8, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1695056485635,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695056485614,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"snfrpmnq.org",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 11:20:55.461 AM",,,GET,"text/css","Squid_Proxy","snfrpmnq.org","TCP_MISS/200","10.1.4.174","http://snfrpmnq.org/xsqvmdw","Squid_Proxy_Domain_CL",,"[""snfrpmnq"",""org""]",org,"9/19/2023, 11:20:55.461 AM" | ||
"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:06.117 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",92,"Recorded Future - Domains - Command and Control Activity",,"indicator--0fc20b4c-3c37-4321-b991-2eaafc2d744e","9/19/2023, 7:07:36.511 PM",95956A998E54BBE5EFCA1E68B6AE8DE2FF31FA3B286070A6931C18CD8FB19965,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported Botnet Domain\"",\""EvidenceString\"":\""9 sightings on 1 source: External Sensor Data Analysis. nihsxhvkfjwotm.bid is observed to be a botnet domain from which network attacks are launched. Attacks may include SPAM messages, DOS, SQL injections, proxy jacking, and other unsolicited contacts.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691544788241,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 2 sources: Bambenek Consulting C&C Blocklist, Recently Viewed Integrations Indicators. Observed between Mar 5, 2023, and Mar 8, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1695104194129,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695104194092,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"nihsxhvkfjwotm.bid",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 4:05:12.176 PM",,,GET,"image/webp","Squid_Proxy","nihsxhvkfjwotm.bid","TCP_MISS/304","10.1.147.78","http://nihsxhvkfjwotm.bid/nkavfib","Squid_Proxy_Domain_CL",,"[""nihsxhvkfjwotm"",""bid""]",bid,"9/15/2023, 4:05:12.176 PM" | ||
"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:06.343 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",91,"Recorded Future - Domains - Command and Control Activity",,"indicator--78c75a0a-c236-4f67-907f-facde94f5c6d","9/19/2023, 7:07:32.698 PM",7E44E1F99140ED284EF6D4379ED8B40505BCA4A18FDDFECC3818DDA1ABB06581,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Twitter. Most recent link (Jul 5, 2023): https://twitter.com/0xToxin/statuses/1676578018985123841\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1688562323000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695051741313,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"csyeywqwyikqaiim.xyz",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 5:08:25.443 PM",,,GET,"text/css","Squid_Proxy","csyeywqwyikqaiim.xyz","TCP_MISS/304","10.1.203.27","http://csyeywqwyikqaiim.xyz/wixylmz","Squid_Proxy_Domain_CL",,"[""csyeywqwyikqaiim"",""xyz""]",xyz,"9/19/2023, 5:08:25.443 PM" | ||
"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:06.074 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",90,"Recorded Future - Domains - Command and Control Activity",,"indicator--b29ed22d-bc66-4ea3-9527-cb1f7d5996de","9/19/2023, 7:07:35.900 PM",4B5338C3FB62BE62671A9C63A9FB11D83CE2B9E9DC70D082C46256A054D65280,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695057312382,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"ikomoouessgqekmc.xyz",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/16/2023, 4:05:13.099 PM",,,GET,"text/javascript","Squid_Proxy","ikomoouessgqekmc.xyz","TCP_MISS/200","10.1.70.199","http://ikomoouessgqekmc.xyz/qgdaxsi","Squid_Proxy_Domain_CL",,"[""ikomoouessgqekmc"",""xyz""]",xyz,"9/16/2023, 4:05:13.099 PM" |
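Review bot: Every timestamp in the rows at lines 112–116 is a locale-formatted local time (`"9/19/2023, 5:08:06.351 PM"`), with the timezone only implied by the `[Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]` suffix in the column header at line 111, which suggests a Log Analytics UI export rather than a canonical dataset; if this sample is meant to be re-ingested or parsed, ISO 8601 UTC values such as `2023-09-19T15:08:06.351Z` remove the day/month and offset ambiguity. The rows also carry what appear to be real tenant and application GUIDs in `TenantId` and `AzureTenantId`; unless these are synthetic they should be replaced with obvious placeholders before being committed as example data. Lines 112 and 113 differ only in the proxy-log timestamp columns, which looks intentional (two proxy hits for one indicator) but is worth a sentence in the workbook's README so it is not read as a duplicate row.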