1.1 示例
用户日志的 programname 包含：@userCtrlLog
完整报文示例如下:
<150>Aug 14 10:42:46 localhost sdp-controller@userCtrlLog[128]: { "actor": { "id": "9f8146c0-8aeb-11ec-b30f-e50f6db6d9d6", "externalId": "", "directoryName": "本地用户目录", "type": "user", "name": "user", "description": "描述", "displayName": "张三", "groupPath": "\/test\/99", "domain": "local", "phoneNumber": "185****0000", "email": "881****988@qq.com", "sTraceId": "8de0bdf2-fa99-46a2-b618-580ec74e27a4", "tags": [ ] }, "src": { "dvc": { "id": "", "os": "Windows 10", "mac": "", "hostname": "", "modelName": "", "tags": [ ], "externalId": "" }, "geo": { "tags": [ ], "country": "内网IP", "province": "-", "city": "-", "organization": "内网IP" }, "loginGeo": { "tags": [ ], "country": "内网IP", "province": "-", "city": "-", "organization": "内网IP" }, "client": { "type": "SDPBrowserClient", "version": "", "httpUserAgent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/115.0.0.0 Safari\/537.36", "browser": "Chrome\/115.0.0.0", "browserVersion": "" }, "ip": "1.1.1.1", "ipTags": [ ], "loginIp": "1.1.1.1", "loginIpTags": [ ], "preProxyIp": "1.1.1.1" }, "event": { "id": "408ad571-3a4c-11ee-961b-1fea8304b102", "subType": "user.try_primary_bruteforce", "mainType": "auth", "reason": "连续登陆失败4次", "result": "-", "timestamp": 1691980966983, "_vSchema": "risk" }, "security": { "engine": "IDP", "confidence": 3, "riskLevel": 1, "firstDefense": "IdDefense", "secondDefense": "PrimaryAuthDefense", "severity": 1, "attTactic": [ "TA0006" ], "attTechnique": [ "T1110.001" ], "threatCategory": "AccountBruteForce", "threatType": "AccountBruteForce", "d3Tactic": "Detect", "d3Technique": "D3-ANET", "engineVersion": "1.4.3", "engineRuleVersion": "1.6.1", "ruleName": "IDP_USER_TRY_PRIMARY_BRUTE_FORCE" }, "traceId": "4953bd3b", "_isRisk": 1, "_logId": "1122419", "vendor": { "product": "aTrust", "productType": "hybrid", "productVersion": "2.3.10", "dvcId": "A14C0E10", "sourceName": "A14C0E10", "dvcIp": "1.1.1.1" } }
其中正文为:
{
"actor": {
"id": "9f8146c0-8aeb-11ec-b30f-e50f6db6d9d6",
"externalId": "",
"directoryName": "本地用户目录",
"type": "user",
"name": "user",
"description": "描述",
"displayName": "张三",
"groupPath": "/test/99",
"domain": "local",
"phoneNumber": "185****0000",
"email": "881****988@qq.com",
"sTraceId": "8de0bdf2-fa99-46a2-b618-580ec74e27a4",
"tags": []
},
"src": {
"dvc": {
"id": "",
"os": "Windows 10",
"mac": "",
"hostname": "",
"modelName": "",
"tags": [],
"externalId": ""
},
"geo": {
"tags": [],
"country": "内网IP",
"province": "-",
"city": "-",
"organization": "内网IP"
},
"loginGeo": {
"tags": [],
"country": "内网IP",
"province": "-",
"city": "-",
"organization": "内网IP"
},
"client": {
"type": "SDPBrowserClient",
"version": "",
"httpUserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36",
"browser": "Chrome/115.0.0.0",
"browserVersion": ""
},
"ip": "1.1.1.1",
"ipTags": [],
"loginIp": "1.1.1.1",
"loginIpTags": [],
"preProxyIp": "1.1.1.1"
},
"event": {
"id": "408ad571-3a4c-11ee-961b-1fea8304b102",
"subType": "user.try_primary_bruteforce",
"mainType": "auth",
"reason": "连续登陆失败4次",
"result": "-",
"timestamp": 1691980966983,
"_vSchema": "risk"
},
"security": {
"engine": "IDP",
"confidence": 3,
"riskLevel": 1,
"firstDefense": "IdDefense",
"secondDefense": "PrimaryAuthDefense",
"severity": 1,
"attTactic": [
"TA0006"
],
"attTechnique": [
"T1110.001"
],
"threatCategory": "AccountBruteForce",
"threatType": "AccountBruteForce",
"d3Tactic": "Detect",
"d3Technique": "D3-ANET",
"engineVersion": "1.4.3",
"engineRuleVersion": "1.6.1",
"ruleName": "IDP_USER_TRY_PRIMARY_BRUTE_FORCE"
},
"traceId": "4953bd3b",
"_isRisk": 1,
"_logId": "1122419",
"vendor": {
"product": "aTrust",
"productType": "hybrid",
"productVersion": "2.3.10",
"dvcId": "A14C0E10",
"sourceName": "A14C0E10",
"dvcIp": "1.1.1.1"
}
}