Trust Center Alert and Audit Logging

Modified on Thu, 31 Oct, 2024 at 4:27 PM


Overview

The Trust Center emits its audit logs via syslog in CEF format. The sections below describe the syslog header, the CEF header, and the fields present in the CEF extension (payload) of the two message types the Trust Center sends: Alert and Audit.


Syslog + CEF Headers – 

AZT Syslog Headers:

2024-08-07T15:21:24.887577+00:00 aria-azt-trustcenter AZT - - - 
2024-08-08T15:36:59.613080+00:00 aria-azt-trustcenter AZT - - -

This is the basic syslog header (RFC 5424 layout) containing the timestamp with its timezone offset, the source hostname (aria-azt-trustcenter) and the source application (AZT). The three dashes that follow are the nil-value placeholders for the process ID, message ID and structured-data fields; the CEF message begins immediately after them.


AZT CEF Headers: 

CEF:0|ARIA|AZT|1.15.0.4822|TrustCenter|Alert|info| 
CEF:0|ARIA|AZT|1.15.0.4822|TrustCenter|Audit|info|

Our syslog messages are formatted in CEF. The seven pipe-delimited fields of the CEF header break down as follows:

Item              Example
CEF Version       CEF:0
Device Vendor     ARIA
Device Product    AZT
Device Version    1.15.0.4822
Signature ID      TrustCenter
Name              Alert or Audit
Severity          info

The Signature ID is fixed at TrustCenter; the Name field is what distinguishes an Alert message from an Audit message, so it is the field to route on. Note that the header Severity is the literal string info rather than the 0-10 or Low/Medium/High/Very-High values the CEF specification defines, so a collector that validates severity may need a mapping; for Audit messages the per-record severity is carried in the data__severity extension key. Everything after the seventh pipe is the CEF extension, described below.


CEF Payload (Alert) –

Alert messages are emitted when an endpoint countermeasure fires. Everything after the seventh pipe of the CEF header is the extension: a sequence of key="value" pairs separated by spaces. Two points matter for parsing. Values are double-quoted (standard CEF extensions are unquoted key=value pairs), and Windows paths appear with single backslashes rather than the CEF \\ escape, so use a parser that recognizes the quoted form rather than a strict CEF extension parser. Keys containing a double underscore (payload__binary_id, application__trusted) are flattened attributes of a nested object.

Example Messages (one per countermeasure: Malicious Shellcode, Write Buffer, No Trust):

CEF:0|ARIA|AZT|1.15.0.4822|TrustCenter|Alert|info|time="2024-08-09 20:32:28.737041+00:00" countermeasure__name="SHELLCODE" countermeasure__display_name="Malicious Shellcode" filename="c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe" message="Malicious Shellcode detected for c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe" blocked="False" payload__alert_type="ALERT_TYPE_SHELLCODE" payload__binary_id="d833b9523e3813950065f6979ea59edcc3366d20d997b68933cca59387f32d85" payload__cmdLine="" payload__filename="c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe" payload__policy_type="POLICY_TYPE_DETECT" payload__targetFileName="" application__trusted="True" application__version="4.8.9037.0" application_architecture="None" 

CEF:0|ARIA|AZT|1.15.0.4822|TrustCenter|Alert|info|time="2024-08-09 20:20:51.324187+00:00" countermeasure__name="WRITE_BUF" countermeasure__display_name="Write Buffer" filename="c:\windows\explorer.exe" message="No TrustID was found for a buffer in c:\windows\explorer.exe" blocked="False" payload__alert_type="ALERT_TYPE_WRITE_BUF" payload__binary_id="0dd5c564ca75e2bf273340b113c90db222f685f50b27d901e9795bc1d30fd376" payload__cmdLine="explorer.exe" payload__filename="c:\windows\explorer.exe" payload__policy_type="POLICY_TYPE_DETECT" payload__targetFileName="\Users\aria\Desktop\Attacks\Attacks\vcrun140dx64\vcruntime140d.dll" application__trusted="True" application__version="10.0.19041.4648" application_architecture="None" 

CEF:0|ARIA|AZT|1.15.0.4822|TrustCenter|Alert|info|time="2024-08-07 15:21:24.830187+00:00" countermeasure__name="NO_TRUST" countermeasure__display_name="No Trust" filename="c:\users\aria\desktop\aztprograms\azt programs\3d_pinball_for_windows_space_cadet.exe" message="No TrustID found for c:\users\aria\desktop\aztprograms\azt programs\3d_pinball_for_windows_space_cadet.exe" blocked="False" payload__alert_type="ALERT_TYPE_NO_TRUST" payload__binary_id="aed57423999265d5d14b2a04d89a00f115e9e54a583b5057828b409e64ed8d21" payload__cmdLine="" payload__filename="c:\users\aria\desktop\aztprograms\azt programs\3d_pinball_for_windows_space_cadet.exe" payload__policy_type="POLICY_TYPE_DETECT" payload__targetFileName="" application__trusted="False" application__version="" application_architecture="None"

CEF Payload (Alert Events)

The extension of the No Trust message above, on its own:

time="2024-08-07 15:21:24.830187+00:00" countermeasure__name="NO_TRUST" countermeasure__display_name="No Trust" filename="c:\users\aria\desktop\aztprograms\azt programs\3d_pinball_for_windows_space_cadet.exe" message="No TrustID found for c:\users\aria\desktop\aztprograms\azt programs\3d_pinball_for_windows_space_cadet.exe" blocked="False" payload__alert_type="ALERT_TYPE_NO_TRUST" payload__binary_id="aed57423999265d5d14b2a04d89a00f115e9e54a583b5057828b409e64ed8d21" payload__cmdLine="" payload__filename="c:\users\aria\desktop\aztprograms\azt programs\3d_pinball_for_windows_space_cadet.exe" payload__policy_type="POLICY_TYPE_DETECT" payload__targetFileName="" application__trusted="False" application__version="" application_architecture="None"


The keys of an Alert extension, with their descriptions and the value from the No Trust example (other examples where noted):

time
  Time of the alert, with timezone offset.
  Example: 2024-08-07 15:21:24.830187+00:00

countermeasure__name
  Countermeasure type (SHELLCODE, WRITE_BUF and NO_TRUST in the examples above).
  Example: NO_TRUST

countermeasure__display_name
  Human-readable name of the countermeasure.
  Example: No Trust

filename
  Filename associated with the alert (the executing binary).
  Example: c:\users\aria\desktop\aztprograms\azt programs\3d_pinball_for_windows_space_cadet.exe

message
  The alert message.
  Example: No TrustID found for c:\users\aria\desktop\aztprograms\azt programs\3d_pinball_for_windows_space_cadet.exe

blocked
  Whether AZT blocked the binary from executing. All three examples above were raised under POLICY_TYPE_DETECT and show False.
  Example: False

payload__alert_type
  Alert type constant matching the countermeasure (ALERT_TYPE_SHELLCODE, ALERT_TYPE_WRITE_BUF, ALERT_TYPE_NO_TRUST).
  Example: ALERT_TYPE_NO_TRUST

payload__binary_id
  64-character hexadecimal identifier of the binary. Audit messages of category ALERT carry the binary ID of their alert in data__binary_id, which is the key to join the two streams on.
  Example: aed57423999265d5d14b2a04d89a00f115e9e54a583b5057828b409e64ed8d21

payload__cmdLine
  Command line of the process, when available.
  Example: explorer.exe (Write Buffer example); empty in the other two

payload__filename
  Same path as filename.

payload__policy_type
  Policy the countermeasure was running under.
  Example: POLICY_TYPE_DETECT

payload__targetFileName
  Target file of the operation, where there is one. Populated in the Write Buffer example with the DLL that had no TrustID; empty in the other two.
  Example: \Users\aria\Desktop\Attacks\Attacks\vcrun140dx64\vcruntime140d.dll

application__trusted
  Whether the executing application itself has a TrustID.
  Example: False (True for the msbuild.exe and explorer.exe examples)

application__version
  File version of the executing application, when known.
  Example: 10.0.19041.4648 (explorer.exe); empty in the No Trust example

application_architecture
  Architecture of the application. Note the single underscore: unlike the other application__ keys, this one does not nest under application when keys are split on "__".
  Example: None

Boolean and null values are serialized as the strings True, False and None; a collector should normalize them rather than match on the raw strings.


Splunk Output (Alert Event)


CEF Payload (Audit) –


Example Message:

CEF:0|ARIA|AZT|1.15.0.4822|TrustCenter|Audit|info|id="187872" category="ALERT" acknowledged="False" message="WIN10-22H2-64 (10.6.10.29): No TrustID found for c:\users\aria\desktop\attacks\attacks\poolparty.exe" user="None" ip_addr="10.6.10.29" data__pk="4727" data__id="4727" data__created_at="2024-08-08 15:36:59.570382" data__created_by="None" data__created_ip="10.6.10.29" data__updated_at="2024-08-08 15:36:59.570415" data__updated_by="None" data__updated_ip="10.6.10.29" data__time="2024-08-08 15:36:59.569978" data__device="WIN10-22H2-64 (10.6.10.29)" data__trustcenter="None" data__recorded="2024-08-08 15:36:59.570078" data__timestamp="2024-08-08 15:36:59.570453" data__user="aria" data__facility="alert" data__severity="4" data__message="No TrustID found for c:\users\aria\desktop\attacks\attacks\poolparty.exe" data__payload="{" data__filename="c:\users\aria\desktop\attacks\attacks\poolparty.exe" data__application_name="poolparty.exe" data__status="1" data__countermeasure="NO_TRUST" data__blocked="False" data__binary_id="ed6dee4445c3c316011c602b01c04b06a730f5b75e489c69ca064e5644c3edda" data__file_digest="" data__resolved_by="None" data__resolved_at="None" data__restored_by="None" data__restored_at="None" data__audits="audit.Audit.None" source_model="alert.Alert" action="create"


CEF Payload (Audit Events)

The extension of the Audit message above, on its own:

id="187872" category="ALERT" acknowledged="False" message="WIN10-22H2-64 (10.6.10.29): No TrustID found for c:\users\aria\desktop\attacks\attacks\poolparty.exe" user="None" ip_addr="10.6.10.29" data__pk="4727" data__id="4727" data__created_at="2024-08-08 15:36:59.570382" data__created_by="None" data__created_ip="10.6.10.29" data__updated_at="2024-08-08 15:36:59.570415" data__updated_by="None" data__updated_ip="10.6.10.29" data__time="2024-08-08 15:36:59.569978" data__device="WIN10-22H2-64 (10.6.10.29)" data__trustcenter="None" data__recorded="2024-08-08 15:36:59.570078" data__timestamp="2024-08-08 15:36:59.570453" data__user="aria" data__facility="alert" data__severity="4" data__message="No TrustID found for c:\users\aria\desktop\attacks\attacks\poolparty.exe" data__payload="{" data__filename="c:\users\aria\desktop\attacks\attacks\poolparty.exe" data__application_name="poolparty.exe" data__status="1" data__countermeasure="NO_TRUST" data__blocked="False" data__binary_id="ed6dee4445c3c316011c602b01c04b06a730f5b75e489c69ca064e5644c3edda" data__file_digest="" data__resolved_by="None" data__resolved_at="None" data__restored_by="None" data__restored_at="None" data__audits="audit.Audit.None" source_model="alert.Alert" action="create"


For Audit events, the CEF extension is a set of key="value" pairs that a key-value extractor can parse automatically. The top-level keys describe the audit record itself; the data__ keys are the audited object (here an alert) flattened one attribute per key. The current keys and their descriptions:


id
  Unique ID for the audit message.
  Example: 187872

category
  Category string for the audit message.
  Example: ALERT

acknowledged
  Whether the audit message has been acknowledged in the Trust Center.
  Example: False

message
  The audit message, prefixed with the device name and IP that raised it.
  Example: WIN10-22H2-64 (10.6.10.29): No TrustID found for c:\users\aria\desktop\attacks\attacks\poolparty.exe

user
  The Trust Center user who generated the audit message. None in the example; the user recorded on the alert itself (aria) appears in data__user.
  Example: None

ip_addr
  The IP address which caused the audit message to be generated.
  Example: 10.6.10.29

source_model
  The Trust Center component (model) which produced the audit log message.
  Example: alert.Alert

action
  The operation on that model which was audited.
  Example: create

data__*
  The audited object, flattened into one key per attribute. For source_model alert.Alert the example carries:

  data__pk, data__id
    Primary key of the alert record (4727).
  data__created_at, data__created_by, data__created_ip, data__updated_at, data__updated_by, data__updated_ip
    Creation and update timestamps, user and IP of the record. These timestamps carry no timezone offset, unlike the syslog header and the Alert time key, so apply the Trust Center's timezone when correlating.
  data__time, data__recorded, data__timestamp
    Timestamps of the alert and of its recording.
  data__device
    Device name and IP that raised the alert (WIN10-22H2-64 (10.6.10.29)).
  data__trustcenter
    None in the example.
  data__user
    User recorded on the alert (aria).
  data__facility, data__severity
    Facility and numeric severity of the alert (alert, 4). This is the per-record severity; the CEF header severity is always info.
  data__message
    The alert message without the device prefix.
  data__payload
    Additional information about the alert in JSON format. In the exported message the JSON object is flattened into the data__ keys that follow it, so the key itself carries only the opening brace ({).
  data__filename, data__application_name
    Path and basename of the binary (c:\users\aria\desktop\attacks\attacks\poolparty.exe, poolparty.exe).
  data__status
    Alert status (1).
  data__countermeasure, data__blocked, data__binary_id
    Countermeasure, blocked flag and binary ID, as on the Alert message (NO_TRUST, False, ed6dee4445c3c316011c602b01c04b06a730f5b75e489c69ca064e5644c3edda).
  data__file_digest
    Empty in the example.
  data__resolved_by, data__resolved_at, data__restored_by, data__restored_at
    Who resolved or restored the alert and when; all None in the create example.
  data__audits
    Reference to related audit records (audit.Audit.None in the example).

As with Alert messages, True, False and None are serialized as strings and should be normalized by the collector.
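To show how the syslog header, the CEF header and both extension shapes fit together, here is a parser written for this page; it is not ARIA's code and not part of the Trust Center. It splits the syslog header on whitespace, the CEF header on unescaped pipes, and the extension into quoted key="value" pairs, nests keys on "__", normalizes the True/False/None strings, and reduces Alert and Audit(ALERT) records to the fields the two streams share so they can be joined on binary ID. The two sample lines are constructed from the examples above (the Audit one abridged); the function names, the check for unparsed text, and the assumption that values contain no double quote are mine, not documented AZT behaviour.

```python
"""Parse AZT Trust Center syslog/CEF lines into nested records.

Added example for this page, not ARIA code. Assumptions, taken from the
examples on the page: an RFC 5424-style header ending in "- - -", a
seven-field CEF header, and an extension of key="value" pairs whose
values contain no double quote.
"""
from __future__ import annotations

import re
from typing import Any

# Sample messages constructed from the examples on this page (the Audit one is abridged).
SAMPLE_ALERT = (
    "2024-08-07T15:21:24.887577+00:00 aria-azt-trustcenter AZT - - - "
    "CEF:0|ARIA|AZT|1.15.0.4822|TrustCenter|Alert|info|"
    'time="2024-08-07 15:21:24.830187+00:00" countermeasure__name="NO_TRUST" '
    'countermeasure__display_name="No Trust" '
    r'filename="c:\users\aria\desktop\aztprograms\azt programs\3d_pinball_for_windows_space_cadet.exe" '
    r'message="No TrustID found for c:\users\aria\desktop\aztprograms\azt programs\3d_pinball_for_windows_space_cadet.exe" '
    'blocked="False" payload__alert_type="ALERT_TYPE_NO_TRUST" '
    'payload__binary_id="aed57423999265d5d14b2a04d89a00f115e9e54a583b5057828b409e64ed8d21" '
    'payload__cmdLine="" payload__policy_type="POLICY_TYPE_DETECT" payload__targetFileName="" '
    'application__trusted="False" application__version="" application_architecture="None"'
)
SAMPLE_AUDIT = (
    "2024-08-08T15:36:59.613080+00:00 aria-azt-trustcenter AZT - - - "
    "CEF:0|ARIA|AZT|1.15.0.4822|TrustCenter|Audit|info|"
    'id="187872" category="ALERT" acknowledged="False" '
    r'message="WIN10-22H2-64 (10.6.10.29): No TrustID found for c:\users\aria\desktop\attacks\attacks\poolparty.exe" '
    'user="None" ip_addr="10.6.10.29" data__pk="4727" data__id="4727" '
    'data__device="WIN10-22H2-64 (10.6.10.29)" data__user="aria" data__facility="alert" data__severity="4" '
    r'data__payload="{" data__filename="c:\users\aria\desktop\attacks\attacks\poolparty.exe" '
    'data__application_name="poolparty.exe" data__countermeasure="NO_TRUST" data__blocked="False" '
    'data__binary_id="ed6dee4445c3c316011c602b01c04b06a730f5b75e489c69ca064e5644c3edda" '
    'data__resolved_by="None" source_model="alert.Alert" action="create"'
)

SYSLOG_FIELDS = ("timestamp", "hostname", "app_name", "proc_id", "msg_id", "structured_data")
CEF_FIELDS = ("cef_version", "device_vendor", "device_product", "device_version",
              "signature_id", "name", "severity")
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')                 # key="value", no embedded quotes
LITERALS = {"True": True, "False": False, "None": None}  # string literals seen in the examples


def split_cef_header(cef: str) -> tuple[dict[str, str], str]:
    """Split 'CEF:0|vendor|...|severity|extension' on unescaped pipes; return (header, extension)."""
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF message: %r" % cef[:40])
    header = {k: v.replace(r"\|", "|").replace("\\\\", "\\") for k, v in zip(CEF_FIELDS, parts[:7])}
    header["cef_version"] = header["cef_version"][len("CEF:"):]
    return header, parts[7]


def parse_extension(ext: str) -> dict[str, Any]:
    """Parse key="value" pairs, nesting keys on '__' (payload__binary_id -> ['payload']['binary_id'])."""
    leftover = PAIR_RE.sub("", ext).strip()
    if leftover:  # fail loudly instead of silently dropping text the pattern did not match
        raise ValueError("unparsed extension text: %r" % leftover)
    nested: dict[str, Any] = {}
    for key, raw in PAIR_RE.findall(ext):
        node = nested
        *parents, leaf = key.split("__")
        for p in parents:
            node = node.setdefault(p, {})
            if not isinstance(node, dict):
                raise ValueError("key %r is used both as a value and as a prefix" % p)
        node[leaf] = LITERALS.get(raw, raw)  # "True"/"False"/"None" -> bool/None, others stay str
    return nested


def parse_line(line: str) -> dict[str, Any]:
    """Split one syslog line into its syslog header, CEF header and nested extension."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF body in line")
    fields = line[:start].split()
    if len(fields) != len(SYSLOG_FIELDS):
        raise ValueError("unexpected syslog header: %r" % line[:start])
    header, ext = split_cef_header(line[start:])
    return {"syslog": dict(zip(SYSLOG_FIELDS, fields)), "cef": header, "ext": parse_extension(ext)}


def normalize(record: dict[str, Any]) -> dict[str, Any]:
    """Reduce an Alert or Audit(ALERT) record to the fields the two streams share.

    Alert messages carry them at top level and under payload__; Audit messages
    of category ALERT carry the same facts under data__.
    """
    kind, ext = record["cef"]["name"], record["ext"]
    if kind == "Alert":
        return {"kind": kind, "countermeasure": ext["countermeasure"]["name"],
                "filename": ext["filename"], "blocked": ext["blocked"],
                "binary_id": ext["payload"]["binary_id"],
                "detect_only": ext["payload"]["policy_type"] == "POLICY_TYPE_DETECT"}
    if kind == "Audit" and ext.get("category") == "ALERT":
        d = ext["data"]
        return {"kind": kind, "countermeasure": d["countermeasure"], "filename": d["filename"],
                "blocked": d["blocked"], "binary_id": d["binary_id"], "device": d["device"]}
    raise ValueError("unsupported message: %s/%s" % (kind, ext.get("category")))


def unblocked(lines: list[str]) -> list[tuple[str, str]]:
    """(countermeasure, filename) for every event AZT reported but did not block."""
    found = [normalize(parse_line(line)) for line in lines]
    return [(n["countermeasure"], n["filename"]) for n in found if n["blocked"] is False]


if __name__ == "__main__":
    for sample in (SAMPLE_ALERT, SAMPLE_AUDIT):
        print(normalize(parse_line(sample)))
    print(unblocked([SAMPLE_ALERT, SAMPLE_AUDIT]))
```

The leftover-text check is the part worth keeping in a real collector: if a future release adds a key whose value contains a double quote, or an unquoted value, the parser raises instead of quietly dropping fields, which is how blind spots in detection content usually start.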


Splunk Output (Audit Event)




