Alert events

A description of alert events in common event format (CEF).

Alert events

Alert events should be identified by the alert type ID. There are many alert types in the Nozomi Networks environment.

For a full list of alert types, see Alerts in the Alerts and Incidents - Reference Guide.

Alert events in common event format (CEF) have the following format, as shown in this example:
    <137>Oct 17 2019 22:32:23 local-sg-19.x n2osevents[0]: CEF:0|Nozomi Networks|N2OS|19.0.3-10142120_A2F44|SIGN:MALWARE-DETECTED|Malware detected|9|
    app=smb
    dvc=172.16.248.11
    dvchost=local-sg-19.x
    cs1=9.0
    cs2=true
    cs3=d25c520f-7f79-4820-b5ae-d1b334b05c75
    cs4={trigger_type: yara_rules, trigger_id: MALW_DragonFly2.yar}
    cs5=["5740a157-08e8-490f-85ad-eef23657e3cb"]
    cs6=1
    cs1Label=Risk
    cs2Label=IsSecurity
    cs3Label=Id
    cs4Label=Detail
    cs5Label=Parents
    cs6Label=n2os_schema
    flexString1=T0843
    flexString1Label=mitre_attack_techniques
    flexString2=Impair process (etc)
    flexString2Label=mitre_attack_tactics
    flexString3=Suspicious Activity
    flexString3Label=name
    dst=172.16.0.55
    dmac=00:0c:29:28:dd:c5
    dpt=445
    msg=Suspicious transferring of malware named 'TemplateAttack_DragonFly_2_0' was detected involving resource '\\172.16.0.55\ADMIN\CVcontrolEngineer.docx' after a 'read' operation [rule author: US-CERT Code Analysis Team - improved by Nozomi Networks] [yara file name: MALW_DragonFly2.yar]
    src=172.16.0.253
    smac=00:04:23:e0:04:1c
    spt=1148
    proto=TCP
    start=1571351543431

Note the Alert Type identifier (ID) in the header of the alert message (SIGN:MALWARE-DETECTED in the example above). Use this ID as the key for searches once Nozomi Networks syslog events have been ingested into the integration platform.

Best practice

Make sure that your parsing logic extracts the appropriate data. If you are integrating with CEF messages, use a CEF parser, not regular expressions; a proper parser keeps the integration working as message content changes in the future. Once you have the correct parser for the data that is expected, test it against different inputs to confirm that every field is correctly extracted from the messages.
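A minimal CEF parser for the alert format shown above, added here as an example and not code from Nozomi Networks: it splits the seven pipe-delimited header fields while honouring CEF backslash escapes, handles extension values that contain spaces (as msg does), resolves the cs1Label-style names, and exposes the signature ID (the alert type ID) as the search key. The function names and the shortened sample line are constructed for this example.

```python
CEF_HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                     "device_version", "signature_id", "name", "severity")
ESCAPES = {"n": "\n", "r": "\r", "\\": "\\", "|": "|", "=": "="}
# Constructed sample: the page's alert, joined onto the one line the forwarder emits.
SAMPLE_ALERT = (
    "<137>Oct 17 2019 22:32:23 local-sg-19.x n2osevents[0]: CEF:0|Nozomi Networks|N2OS"
    "|19.0.3-10142120_A2F44|SIGN:MALWARE-DETECTED|Malware detected|9|app=smb "
    "dvc=172.16.248.11 cs1=9.0 cs3=d25c520f-7f79-4820-b5ae-d1b334b05c75 cs1Label=Risk "
    "cs3Label=Id flexString1=T0843 flexString1Label=mitre_attack_techniques "
    "dst=172.16.0.55 dpt=445 msg=Suspicious transferring of malware named "
    "'TemplateAttack_DragonFly_2_0' was detected src=172.16.0.253 spt=1148 proto=TCP"
)

def split_cef(text, sep, maxsplit=-1):
    """Split on `sep`, decoding backslash escapes so an escaped separator never splits;
    with maxsplit, the last element is the raw remainder (the extension)."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if len(parts) == maxsplit:
            return parts + [text[i:]]
        ch, i = text[i], i + 1
        if ch == "\\" and i < len(text):          # \| \= \\ \n \r; others kept verbatim
            buf.append(ESCAPES.get(text[i], "\\" + text[i]))
            i += 1
        elif ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    return parts + ["".join(buf)]

def parse_cef(line):
    """Return (header, extension) dicts for one syslog line carrying a CEF event."""
    parts = split_cef(line.partition("CEF:")[2], "|", maxsplit=7)
    if len(parts) != 8:
        raise ValueError("not a CEF event with a 7-field header")
    header = dict(zip(CEF_HEADER_FIELDS, parts[:7]))
    # Values may contain spaces: split on unescaped '=', last word of a segment is a key.
    ext, segments = {}, split_cef(parts[7], "=")
    key = segments[0].strip()
    for seg in segments[1:-1]:
        value, _, next_key = seg.rpartition(" ")
        ext[key], key = value, next_key
    if key:                                        # an empty extension is legal
        ext[key] = segments[-1]
    return header, ext

def resolve_labels(ext):
    """Rename custom fields by their *Label companions (cs1 + cs1Label=Risk -> Risk)."""
    return {ext.get(k + "Label", k): v for k, v in ext.items() if not k.endswith("Label")}
```

The header's signature_id field (SIGN:MALWARE-DETECTED in the sample) is the alert type ID to index on; the syslog prefix before CEF: is skipped rather than pattern-matched.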