1.2.5 安全信息(security)
安全信息,当日志中的_isRisk=1时为安全日志,会有安全日志节点
字段定义
| 字段 | 类型 | 说明 |
|---|---|---|
| ruleName | string | 防护规则名称 |
| firstDefense | string | SDP防线,可选值:DvcDefense(设备防线)、IdDefense(账号防线)、AppDefense(终端防线) |
| secondDefense | string | SDP子防线,可选值:PrimaryAuthDefense(主认证防线)、ApiDefense(API防线)、SecondaryAuthDefense(从认证防线)、UdpSpaDefense(UDP SPA防线)、TcpSpaDefense(TCP SPA防线)、TrapDefense(诱捕防线)、SessionDefense(会话防线) |
| attTactic | []string | ATT&CK战术 |
| attTechnique | []string | ATT&CK技术 |
| d3Tactic | string | D3Fend防御战术 |
| d3Technique | string | D3Fend防御技术 |
| engine | string | 安全引擎名称 |
| engineVersion | string | 安全引擎版本 |
| engineRuleVersion | string | 防护规则版本 |
| severity | number | 严重程度,1~3,分别代表低中高 |
| riskLevel | number | 风险等级,1~3,分别代表低中高 |
| confidence | number | 威胁置信度,1~3,分别代表低中高 |
| threatCategory | string | 威胁分类 |
| threatType | string | 威胁类型 |
JSON格式
"security": {
"ruleName": "RASP_API_SCAN",
"firstDefense": "DvcDefense",
"secondDefense": "ApiDefense",
"attTactic": [
"TA0043"
],
"attTechnique": [
"T1595"
],
"d3Tactic": "Detect",
"d3Technique": "D3-PMAD",
"engine": "RASP",
"engineVersion": "1.0.0",
"engineRuleVersion": "1.0.0",
"severity": 1,
"riskLevel": 1,
"confidence": 1,
"threatCategory": "HackingTool",
"threatType": "ScanningTool"
}