4.1 示例

设备安全日志的 programname 字段包含 `@vendorSecurityLog`。

完整报文示例如下:

<150>Aug 14 10:56:05 localhost apiguard@vendorSecurityLog[149]: { "_isRisk": 1, "traceId": "0131412b2cb8aff8", "security": { "confidence": 3, "riskLevel": 1, "firstDefense": "DvcDefense", "engineVersion": "1.4.4", "engine": "RASP", "engineRuleVersion": "1.5.0", "severity": 1, "attTactic": [ "TA0043" ], "attTechnique": [ "T1595" ], "ruleName": "RASP_API_SCAN", "threatCategory": "HackingTool", "d3Technique": "D3-PMAD", "threatType": "ScanningTool", "secondDefense": "ApiDefense", "d3Tactic": "Detect" }, "src": { "port": 50762, "ip": "1.1.1.1", "geo": { "country": "内网IP", "province": "-", "city": "-", "organization": "内网IP" } }, "api": { "query": "status[]=1", "url": "https:\/\/1.1.1.1:4433\/api\/v1\/securityEvent\/getSecurityEvent", "method": "GET", "userAgent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/115.0.0.0 Safari\/537.36" }, "event": { "action": "", "timestamp": 1691981765314, "id": "4c08c0db-801b-43d1-8c86-b73aae189240", "reason": "[QUERY_NAME]invalid arg name in query: status[]", "_vSchema": "apiGuard,risk", "subType": "security.api_guard.ngswaf.query_name_check", "result": "-", "mainType": "security.ngswaf" }, "_logId": "244", "vendor": { "product": "aTrust", "productType": "hybrid", "productVersion": "2.3.10", "dvcId": "A14C0E10", "sourceName": "A14C0E10", "dvcIp": "1.1.1.1" } }

其中正文(即 `[149]: ` 之后的 JSON 部分;原始报文中 `/` 被转义为 `\/`,以下为解码后的内容)为:

{
    "_isRisk": 1,
    "traceId": "0131412b2cb8aff8",
    "security": {
        "confidence": 3,
        "riskLevel": 1,
        "firstDefense": "DvcDefense",
        "engineVersion": "1.4.4",
        "engine": "RASP",
        "engineRuleVersion": "1.5.0",
        "severity": 1,
        "attTactic": [
            "TA0043"
        ],
        "attTechnique": [
            "T1595"
        ],
        "ruleName": "RASP_API_SCAN",
        "threatCategory": "HackingTool",
        "d3Technique": "D3-PMAD",
        "threatType": "ScanningTool",
        "secondDefense": "ApiDefense",
        "d3Tactic": "Detect"
    },
    "src": {
        "port": 50762,
        "ip": "1.1.1.1",
        "geo": {
            "country": "内网IP",
            "province": "-",
            "city": "-",
            "organization": "内网IP"
        }
    },
    "api": {
        "query": "status[]=1",
        "url": "https://1.1.1.1:4433/api/v1/securityEvent/getSecurityEvent",
        "method": "GET",
        "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36"
    },
    "event": {
        "action": "",
        "timestamp": 1691981765314,
        "id": "4c08c0db-801b-43d1-8c86-b73aae189240",
        "reason": "[QUERY_NAME]invalid arg name in query: status[]",
        "_vSchema": "apiGuard,risk",
        "subType": "security.api_guard.ngswaf.query_name_check",
        "result": "-",
        "mainType": "security.ngswaf"
    },
    "_logId": "244",
    "vendor": {
        "product": "aTrust",
        "productType": "hybrid",
        "productVersion": "2.3.10",
        "dvcId": "A14C0E10",
        "sourceName": "A14C0E10",
        "dvcIp": "1.1.1.1"
    }
}
