
Syslog Malware Event Infection Notification Example

CEF Email Malware Event Notification Example:

Syslog Email Malware Event Notification Example:

CEF CnC Notification Example:

Syslog CnC Notification Example:

CEF File Submission Notification Example:

Syslog File Upload Notification Example:

CEF Exploit Notification Example:

Syslog Exploit Notification Example:

CEF Data Theft Notification Example:

Syslog Data Theft Notification Example:

CEF System Health Notification Example:

Syslog System Health Notification Example:

CEF System Audit Notification Examples:

Syslog System Audit Notification Examples:

Using CEF Alert eventID or incidentID to Display Details in the Juniper ATP Appliance Web UI

Given an incidentID or eventID, you can use the following URLs to display the related details in the Juniper ATP Appliance Web UI.

Replace "JATP_HOSTNAME_HERE" with your Juniper ATP Appliance host name, and replace "0000000" with the event_id or incident_id.

  • https://JATP_HOSTNAME_HERE/admin/index.html?incident_id=0000000

  • https://JATP_HOSTNAME_HERE/admin/index.html?event_id=0000000

Note:

The system will prompt for login/password if no login session is currently active.

CEF Extension Field Key=Value Pair Definitions

Juniper ATP Appliance uses the following parameters in its CEF extension field key=value pairs. Each key in the extension field is followed by an "=" sign, for example: cncServers=a.b.c.d eventId=123. The header fields that precede the extension are delimited by pipes ("|"), for example: |login|, |cnc|, |JATP|.

The following table defines each extension field key in CEF and/or Syslog messages.
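As an added example (not code from the Juniper documentation), the following Python splits a JATP CEF line into its pipe-delimited header fields and its extension key=value pairs, decodes the json= object of System Audit events, and builds the Web UI pivot URLs described above from externalId and eventId. The two sample messages are constructed from the examples on this page, and JATP_HOSTNAME_HERE is the page's placeholder host name.

```python
import json
import re

# Constructed sample messages modelled on the examples in this document (not captured output).
SAMPLE_CNC = ("CEF:0|JATP|Cortex|3.6.0.1444|cnc|TROJAN_DUSVEXT.|10|externalId=1489 "
              "eventId=14046 lastActivityTime=2016-05-03 00:08:08.349+00 src=31.170.165.131 "
              "dst=172.20.1.201 src_hostname= dst_hostname=emailuser-host "
              "malwareSeverity=0.75 malwareCategory=Trojan_Generic cncServers=31.170.165.131")
SAMPLE_AUDIT = ('<134> Nov 23 18:50:00 tap0.test.JATP.net JATP: CEF:0|JATP|Cortex|3.6.0.15|2|'
                'update-user|5|username=admin desc=description json={ "user_id" : '
                '"8d7c450e-df6a-0ab6-193d-143bfc6f7cac", "username" : "test.JATP", '
                '"is_admin" : 0, "has_debug": 1 , "reset_password" : 0}')

HEADER_FIELDS = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")
# An extension key is an identifier followed by '=' at the start of the extension or after a space.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z_][A-Za-z0-9_]*)=")


def parse_cef(line):
    """Split a JATP CEF line into its seven pipe-delimited header fields and an extension dict."""
    # str.index raises ValueError when no CEF header is present (e.g. a plain syslog line).
    parts = line[line.index("CEF:"):].split("|", 7)  # the extension may contain '|': split at most 7 times
    if len(parts) != 8:
        raise ValueError("incomplete CEF header")
    header = dict(zip(HEADER_FIELDS, parts[:7]))
    header["cef_version"] = header["cef_version"].split(":", 1)[1]
    ext_text = parts[7]
    # Values such as timestamps and the json= object contain spaces, so a value runs
    # from its '=' up to the next ' key=' token rather than up to the next space.
    keys = list(KEY_RE.finditer(ext_text))
    ext = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext_text)
        ext[m.group(1)] = ext_text[m.end():end].strip()
    return header, ext


def audit_details(ext):
    """Decode the json= object carried by System Audit events; None for event notifications."""
    return json.loads(ext["json"]) if "json" in ext else None


def webui_urls(host, ext):
    """Build the Web UI pivot URLs from the alert's externalId (incident) and eventId."""
    urls = {}
    if ext.get("externalId"):
        urls["incident"] = f"https://{host}/admin/index.html?incident_id={ext['externalId']}"
    if ext.get("eventId"):
        urls["event"] = f"https://{host}/admin/index.html?event_id={ext['eventId']}"
    return urls
```

Note that the appliance's malware events carry externalId and eventId while its System Audit messages carry neither, so webui_urls returns an empty dict for audit lines.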

Table 1: Extension field keys in CEF and/or Syslog messages

Each entry below gives the extension field key, its full name and description, the event type it appears in, its data type and length, and an example CEF or Syslog key value.

description=
  Full Name & Description: description. Only for System Audit; desc is the description of the system audit event.
  Event Type: Audit
  Data Type & Length: String, 1023 characters
  Example: description=update-user

json=
  Full Name & Description: json output sends different data depending on what kind of System Audit event is referenced. The following sample json= is for update-user:
    json={ "user_id" : "2721f188-682e-03d0-6dfa-5d5d688047b6", "username" : "test.JATP", "is_admin" : 0, "has_debug": 1 , "reset_password" : 0}
  Event Type: Audit
  Data Type & Length: String, 1023 characters

json=
  Full Name & Description: This json= field is for login:
    <134> Nov 23 18:50:00 tap0.test.JATP.net JATP: CEF:0|JATP|Cortex|3.6.0.15|2|login|5|username=admin desc=description
    json={ "user_id" : "8d7c450e-df6a-0ab6-193d-143bfc6f7cac", "user_name" : "test.JATP", "is_admin" : 0, "has_debug": 1 , "reset_password" : 1}

login
  Full Name & Description: Login
  Event Type: Audit
  Data Type & Length: String
  Example (login):
    <134> Nov 23 18:50:00 tap0.test.JATP.net JATP: CEF:0|JATP|Cortex|3.6.0.15|2|login|5|username=admin desc=description
    json={ "user_id" : "8d7c450e-df6a-0ab6-193d-143bfc6f7cac", "user_name" : "test.JATP", "is_admin" : 0, "has_debug": 1 , "reset_password" : 1}

login-fail
  Full Name & Description: Login failure
  Event Type: Audit
  Data Type & Length: String
  Example (login-fail):
    <134> Nov 23 18:50:00 tap0.test.JATP.net JATP: CEF:0|JATP|Cortex|3.6.0.15|2|login-fail|5|username=admin desc=description
    json={ "user_id" : "8d7c450e-df6a-0ab6-193d-143bfc6f7cac", "user_name" : "test.JATP", "is_admin" : 0, "has_debug": 1 , "reset_password" : 1}

logout
  Full Name & Description: Logout
  Event Type: Audit
  Data Type & Length: String
  Example (logout):
    <134> Nov 23 18:50:00 tap0.test.JATP.net JATP: CEF:0|JATP|Cortex|3.6.0.15|2|logout|5|username=admin desc=description
    json={ "user_id" : "8d7c450e-df6a-0ab6-193d-143bfc6f7cac", "user_name" : "test.JATP", "is_admin" : 0, "has_debug": 1 , "reset_password" : 1}

add-user
  Full Name & Description: Add User
  Event Type: Audit
  Data Type & Length: String
  Example (add-user):
    <134> Nov 23 18:50:00 tap0.test.JATP.net JATP: CEF:0|JATP|Cortex|3.6.0.15|2|add-user|5|username=admin desc=description
    json={ "user_id" : "8d7c450e-df6a-0ab6-193d-143bfc6f7cac", "user_name" : "test.JATP", "is_admin" : 0, "has_debug": 1 , "reset_password" : 1}

update-user
  Full Name & Description: Update User
  Event Type: Audit
  Data Type & Length: String
  Example (update-user):
    <134> Nov 23 18:50:00 tap0.test.JATP.net JATP: CEF:0|JATP|Cortex|3.6.0.15|2|update-user|5|username=admin desc=description
    json={ "user_id" : "8d7c450e-df6a-0ab6-193d-143bfc6f7cac", "user_name" : "test.JATP", "is_admin" : 0, "has_debug": 1 , "reset_password" : 1}

update-system-config
  Full Name & Description: System Config Update
  Event Type: Audit
  Data Type & Length: String
  Example (update-system-config):
    <134>Nov 24 14:35:48 tap0.eng.JATP.net JATP: CEF:0|JATP|Cortex|3.6.0.15|2|update-system-config|5|username=admin desc=Updated update settings: software auto update: 'yes', Set hostname: 'tap0', Set server_fqdn : 'tap0.eng.JATP.net', Set ivp_format : 'application/zip' remote shell enabled: yes
    json={ "do_auto_update" : 1, "hostname" : "tap0", "server_fqdn" : "tap0.eng.JATP.net", "ivp_format" : "application/zip", "remote_shell_enabled" : 1}

reboot
  Full Name & Description: Reboot
  Event Type: Audit
  Data Type & Length: String
  Example (reboot):
    <134> Nov 23 18:50:00 tap0.test.JATP.net JATP: CEF:0|JATP|Cortex|3.6.0.15|2|reboot|5|username=admin desc=description
    json={ "user_id" : "8d7c450e-df6a-0ab6-193d-143bfc6f7cac", "user_name" : "test.JATP", "is_admin" : 0, "has_debug": 1 , "reset_password" : 1}

appliance-connecthealth
  Full Name & Description: health of appliance connection
  Event Type: Audit
  Data Type & Length: String
  Example (appliance-connecthealth):
    <134> Nov 23 18:50:00 tap0.test.JATP.net JATP: CEF:0|JATP|Cortex|3.6.0.15|2|appliance-connecthealth|5|username=admin desc=description
    json={ "user_id" : "8d7c450e-df6a-0ab6-193d-143bfc6f7cac", "user_name" : "test.JATP", "is_admin" : 0, "has_debug": 1 , "reset_password" : 1}

link-health
  Full Name & Description: Link health
  Example (link-health):
    <134> Nov 23 18:50:00 tap0.test.JATP.net JATP: CEF:0|JATP|Cortex|3.6.0.15|2|link-health|5|username=admin desc=description
    json={ "user_id" : "8d7c450e-df6a-0ab6-193d-143bfc6f7cac", "user_name" : "test.JATP", "is_admin" : 0, "has_debug": 1 , "reset_password" : 1}

traffic-health
  Full Name & Description: Traffic health
  Example (traffic-health):
    <134> Nov 23 18:50:00 tap0.test.JATP.net JATP: CEF:0|JATP|Cortex|3.6.0.15|2|traffic-health|5|username=admin desc=description
    json={ "user_id" : "8d7c450e-df6a-0ab6-193d-143bfc6f7cac", "user_name" : "test.JATP", "is_admin" : 0, "has_debug": 1 , "reset_password" : 1}

clear-db
  Full Name & Description: Clear DB
  Event Type: Audit
  Data Type & Length: String
  Example (clear-db):
    <134>Nov 24 16:32:03 tap0.eng.JATP.net JATP: CEF:0|JATP|Cortex|3.6.0.15|2|clear-db|5|username=admin desc=Clear event database
    json={ "status" : 0}

restart-services
  Full Name & Description: Restart Services
  Event Type: Audit
  Data Type & Length: String
  Example (restart-services):
    <134>Nov 24 14:37:07 tap54.eng.JATP.net JATP: CEF:0|JATP|Cortex|3.6.0.15|2|restart-services|5|username=admin desc=Restart services
    json={ "status" : 0}

add-report
  Full Name & Description: Add Report
  Event Type: Audit
  Data Type & Length: String
  Example (add-report):
    <134>Nov 24 14:37:32 tap0.eng.JATP.net JATP: CEF:0|JATP|Cortex|3.6.0.15|2|add-report|5|username=admin desc=Add report (id '300BF9F1-973B-4523-8BEB-B82B70B78925')
    json={ "report_id" : "300BF9F1-973B-4523-8BEB-B82B70B78925"}

delete-report
  Full Name & Description: Delete Report
  Event Type: Audit
  Data Type & Length: String
  Example (delete-report):
    <134>Nov 24 14:37:41 tap0.eng.JATP.net JATP: CEF:0|JATP|Cortex|3.6.0.15|2|delete-report|5|username=admin desc=Delete report (id 'CF411F54-EB45-0C41-654A-AFA1B9FF9DEB')
    json={ "report_id" : "CF411F54-EB45-0C41-654A-AFA1B9FF9DEB"}

add-notification
  Full Name & Description: Add Notification
  Event Type: Audit
  Data Type & Length: String
  Example (add-notification):
    <134>Nov 24 14:35:04 tap0.eng.JATP.net JATP: CEF:0|JATP|Cortex|3.6.0.15|2|add-notification|5|username=admin desc=Add notification (id 'AD5D3D6C-6A51-4BB5-958A-A1B392D3DFDA')
    json={ "report_id" : "AD5D3D6C-6A51-4BB5-958A-A1B392D3DFDA"}

delete-notification
  Full Name & Description: Delete Notification
  Event Type: Audit
  Data Type & Length: String
  Example (delete-notification):
    <134>Nov 24 14:38:13 tap0.eng.JATP.net JATP: CEF:0|JATP|Cortex|3.6.0.15|2|delete-notification|5|username=admin desc=Delete notification (id '26EC53CA-B1A7-4DBA-A111-013CD2548FFD')
    json={ "report_id" : "26EC53CA-B1A7-4DBA-A111-013CD2548FFD"}

add-siem
  Full Name & Description: Add SIEM
  Event Type: Audit
  Data Type & Length: String
  Example (add-siem):
    <134>Nov 24 14:29:08 tap0.eng.JATP.net JATP: CEF:0|JATP|Cortex|3.6.0.15|2|add-siem|5|username=admin desc=Add SIEM upload to 'splunktest.eng.JATP.net' (id '768687F7-4A81-42AF-897A-6814A48D4155')
    json={ "report_id" : "768687F7-4A81-42AF-897A-6814A48D4155", "host_name": "splunktest.eng.JATP.net"}

delete-siem
  Full Name & Description: Delete SIEM
  Event Type: Audit
  Data Type & Length: String
  Example (delete-siem):
    <134>Nov 24 14:38:57 tap0.eng.JATP.net JATP: CEF:0|JATP|Cortex|3.6.0.15|2|delete-siem|5|username=admin desc=Delete SIEM upload to '10.9.8.7' (id '8165C17F-F375-4226-8E7A-BC8E690E3370')
    json={ "report_id" : "8165C17F-F375-4226-8E7A-BC8E690E3370", "host_name": "10.9.8.7"}

add-email-collector
  Full Name & Description: Add Email Collector
  Event Type: Audit
  Data Type & Length: String
  Example (add-email-collector):
    <134>Nov 24 14:39:35 tap0.eng.JATP.net JATP: CEF:0|JATP|Cortex|3.6.0.15|2|add-email-collector|5|username=admin desc=Add email collector from '10.2.10.3' (id '5FB8FFDC-7024-467A-8AC8-6CD68CA8781D')
    json={ "report_id" : "5FB8FFDC-7024-467A-8AC8-6CD68CA8781D", "host_name": "10.2.10.3"}

delete-email-collector
  Full Name & Description: Delete Email Collector
  Event Type: Audit
  Data Type & Length: String
  Example (delete-email-collector):
    <134>Nov 24 14:39:09 tap0.eng.JATP.net JATP: CEF:0|JATP|Cortex|3.6.0.15|2|delete-email-collector|5|username=admin desc=Delete email collector from '10.2.10.7' (id '6C36F94A-3CF2-45D8-83B9-CDF50BE0490B')
    json={ "report_id" : "6C36F94A-3CF2-45D8-83B9-CDF50BE0490B", "host_name": "10.2.10.7"}

dst=
  Full Name & Description: destinationIPAddress. dst represents the IP address of the destination when any communication to an external host is observed within the detection engine.
  Event Type: Events
  Data Type & Length: IPv4 and IPv6 Addresses
  Example: dst=128.12.38.6
  Note: This could also be the destination IP address from which the user downloaded malware; this extension is not specific to infection only.

lastActivityTime=
  Full Name & Description: Time stamp of the last activity associated with this event.
  Event Type: Events
  Data Type & Length: string, 1023 characters
  Example: lastActivityTime=2016-12-26 18:06:52.333023+00

fileHash=
  Full Name & Description: fileHash represents the checksum of the malware object from a Juniper ATP Appliance detection engine.
  Event Type: Events
  Data Type & Length: 255 characters
  Example: fileHash=3174990d783f4a1bd5e99db60176b920

fileName=
  Full Name & Description: fileName represents the name of the object file analyzed by the Juniper ATP Appliance detection engine.
  Event Type: Events
  Data Type & Length: 255 characters
  Example: fileName=Trojan.Generic

fileType=
  Full Name & Description: fileType represents the analyzed object type.
  Event Type: Events
  Data Type & Length: 255 characters
  Example: fileType=pdf

startTime=
  Full Name & Description: startTime represents the date and time of the initial malware event in the Juniper ATP Appliance detection system.
  Event Type: Event
  Data Type & Length: string, 1023 characters
  Example: startTime=2016-08-11 18:22:19

malwareSeverity=
  Full Name & Description: Severity risk in the range 0-10
  Event Type: Event
  Data Type & Length: integer
  Example: malwareSeverity=0.75

malwareCategory=
  Full Name & Description: Juniper ATP Appliance malware category determination
  Event Type: Event
  Data Type & Length: string, 1023 characters
  Example: malwareCategory=

cncServers=
  Full Name & Description: IP address of the CnC server associated with this event
  Event Type: Event
  Data Type & Length: IPv4 and IPv6 Addresses
  Example: cncServers=31.170.165.131

submissionTime=
  Full Name & Description: Date and time of the user File Submit option from the CM Web UI
  Event Type: Event
  Data Type & Length: date
  Example: submissionTime=2016-12-26 17:54:46.04875+00

src=
  Full Name & Description: The source address associated with this malware event.
  Event Type: Event
  Data Type & Length: IPv4 and IPv6 Addresses
  Example: src=64.202.116.124

dst=
  Full Name & Description: The destination address associated with this malware event.
  Event Type: Event
  Data Type & Length: IPv4 and IPv6 Addresses
  Example: dst=10.1.1.1

reqReferer=
  Full Name & Description: The URL of the HTTP address that triggered the malware exploit, or with which it is associated.
  Event Type: Event
  Data Type & Length: URL
  Example: reqReferer=http://www.christianforums.com/

url=
  Full Name & Description: The URL associated with an exploit malware event.
  Event Type: Event
  Data Type & Length: URL
  Example: url=http://64.202.116.124/5butqfk/?2

externalId=
  Full Name & Description: External ID. The Juniper ATP Appliance incident number.
  Example: externalId=1003

eventId=
  Full Name & Description: Event ID. The Juniper ATP Appliance Event ID number.
  Example: eventId=13405

username=
  Full Name & Description: The admin or user's username. Username is included in System Audit Syslogs.
  Event Type: Event
  Data Type & Length: string
  Example: username="s_roberts"

port=
  Full Name & Description: Port number associated with the event
  Event Type: Event
  Data Type & Length: integer
  Example: port=22

protocol=
  Full Name & Description: Protocol associated with the event
  Event Type: Event
  Data Type & Length: integer
  Example: protocol=http

appliance-connecthealth
  Full Name & Description: Connection health between Web Collectors and Secondary Cores.
  Event Type: Health
  Data Type & Length: String
  Example (appliance-connecthealth):
    <134> Nov 23 18:50:00 tap0.test.JATP.net JATP: CEF:0|JATP|Cortex|3.6.0.15|2|appliance-connecthealth|5|username=admin desc=description
    json={ "user_id" : "8d7c450e-df6a-0ab6-193d-143bfc6f7cac", "user_name" : "test.JATP", "is_admin" : 0, "has_debug": 1 , "reset_password" : 1}

traffic-health
  Full Name & Description: Traffic health
  Event Type: Health
  Data Type & Length: String
  Example (traffic-health):
    <134> Nov 23 18:50:00 tap0.test.JATP.net JATP: CEF:0|JATP|Cortex|3.6.0.15|2|traffic-health|5|desc=description
    json={ "user_id" : "8d7c450e-df6a-0ab6-193d-143bfc6f7cac", "user_name" : "test.JATP", "is_admin" : 0, "has_debug": 1 , "reset_password" : 1}

link-health
  Full Name & Description: Link health
  Event Type: Health
  Data Type & Length: String
  Example (link-health):
    <134> Nov 23 18:50:00 tap0.test.JATP.net JATP: CEF:0|JATP|Cortex|3.6.0.15|2|link-health|5|desc=description
    json={ "user_id" : "8d7c450e-df6a-0ab6-193d-143bfc6f7cac", "user_name" : "test.JATP", "is_admin" : 0, "has_debug": 1 , "reset_password" : 1}

services-health
  Full Name & Description: Services health
  Event Type: Health
  Data Type & Length: String
  Example (services-health):
    <134> Nov 23 18:50:00 tap0.test.JATP.net JATP: CEF:0|JATP|Cortex|3.6.0.15|2|services-health|5|desc=description
    json={ "user_id" : "8d7c450e-df6a-0ab6-193d-143bfc6f7cac", "user_name" : "test.JATP", "is_admin" : 0, "has_debug": 1 , "reset_password" : 1}

src_hostname
  Full Name & Description: Hostname of the threat source. Information is obtained from Active Directory (applicable to SMB Lateral detection, where the host details of the threat source are obtained from Active Directory).
  Event Type: Event
  Data Type & Length: String
  Example:
    Dec 2 17:17:25 IP Dec 02 17:08:08 hostname CEF:0|JATP|Cortex|3.6.0.1444|cnc|TROJAN_DUSVEXT.|10|externalId=1489 eventId=14046 lastActivityTime=2016-05-03 00:08:08.349+00 src=31.170.165.131 dst=172.20.1.201 src_hostname= dst_hostname=emailuser-host src_username= dst_username=emailuser malwareSeverity=0.75 malwareCategory=Trojan_Generic cncServers=31.170.165.131

dst_hostname
  Full Name & Description: Endpoint hostname (threat target); information is obtained from Active Directory.
  Event Type: Event
  Data Type & Length: String
  Example:
    Dec 6 16:52:22 IP Dec 06 16:51:38 hostname CEF:0|JATP|Cortex|3.6.0.1444|email|Phishing|8|externalId=1504 eventId=14067 lastActivityTime=2016-12-06 23:51:38+00 src= dst= src_hostname= dst_hostname= src_username= dst_username= src_email_id=src@abc.com dst_email_id={test@abc.com} startTime=2016-12-06 23:51:38+00 url=http://greatfilesarey.asia/QA/files_to_pcaps/74280968a4917da52b5555351eeda969.bin fileHash=bce00351cfc559afec5beb90ea387b03788e4af5 fileType=PE32 executable (GUI) Intel 80386, for MS Windows

src_username
  Full Name & Description: Username of the person logged in to the threat source host. Information is obtained from Active Directory (applicable to Lateral spread, because only then are the host details of the threat source obtained from Active Directory).
  Event Type: Event
  Data Type & Length: String
  Example:
    Dec 3 16:42:24 IP Dec 03 16:42:54 hostname CEF:0|JATP|Cortex|3.6.0.1444|email|Phishing|8|externalId=1499 eventId=14058 lastActivityTime=2016-05-03 23:42:54+00 src= dst= src_hostname= dst_hostname= src_username= dst_username= src_email_id=src@abc.com dst_email_id={test1@abc.com,test2@abc.com,test3@abc.com,} url=http://greatfilesarey.asia/QA/ fileType=PE32 executable (GUI) Intel 80386, for MS Windows

dst_username
  Full Name & Description: Username of the person logged in to the threat target host. Information is obtained from Active Directory.
  Example:
    Dec 3 16:42:24 IP Dec 03 16:42:54 hostname CEF:0|JATP|Cortex|3.6.0.1444|email|Phishing|8|externalId=1499 eventId=14058 lastActivityTime=2016-05-03 23:42:54+00 src= dst= src_hostname= dst_hostname= src_username= dst_username= src_email_id=src@abc.com dst_email_id={test1@abc.com,test2@abc.com,test3@abc.com,} url=http://greatfilesarey.asia/QA/ fileType=PE32 executable (GUI) Intel 80386, for MS Windows

src_email_id
  Full Name & Description: Email ID of the sender of the email
  Event Type: Event
  Data Type & Length: String
  Example:
    Dec 3 16:42:24 IP Dec 03 16:42:54 hostname CEF:0|JATP|Cortex|3.6.0.1444|email|Phishing|8|externalId=1499 eventId=14058 lastActivityTime=2016-05-03 23:42:54+00 src_email_id=src@abc.com dst_email_id={test1@abc.com,test2@abc.com,test3@abc.com,} startTime=2016-05-03 23:42:54+00 url=http://greatfilesarey.asia/QA/files_to_pcaps/74280968a4917da52b5555351eeda969.bin fileType=PE32 executable (GUI) Intel 80386, for MS Windows

dst_email_id
  Full Name & Description: Email IDs of recipients
  Event Type: Event
  Data Type & Length: String
  Example:
    Dec 3 16:42:24 IP Dec 03 16:42:54 hostname CEF:0|JATP|Cortex|3.6.0.1444|email|Phishing|8|externalId=1499 eventId=14058 lastActivityTime=2016-05-03 23:42:54+00 src_email_id=src@abc.com dst_email_id={test1@abc.com,test2@abc.com,test3@abc.com,} startTime=2016-05-03 23:42:54+00 url=http://greatfilesarey.asia/QA/files_to_pcaps/74280968a4917da52b5555351eeda969.bin fileType=PE32 executable (GUI) Intel 80386, for MS Windows

url
  Full Name & Description: Bad URLs sent in email (in CEF/Syslog, the maximum number of bad URLs Juniper ATP Appliance sends is 5, separated by a space character)
  Event Type: Event
  Data Type & Length: String
  Example:
    Dec 3 16:42:24 IP Dec 03 16:42:54 hostname CEF:0|JATP|Cortex|3.6.0.1444|email|Phishing|8|externalId=1499 eventId=14058 lastActivityTime=2016-05-03 23:42:54+00 src_email_id=src@abc.com dst_email_id={test1@abc.com,test2@abc.com,test3@abc.com,} startTime=2016-05-03 23:42:54+00 url=http://greatfilesarey.asia/QA/files_to_pcaps/74280968a4917da52b5555351eeda969.bin fileType=PE32 executable (GUI) Intel 80386, for MS Windows