VMware NSX Network Detection and Response HTTP Post Integration

The HTTP Post Integration allows On-Premises appliances to automatically send HTTP POST notifications to a specific URL when events that match some specified criteria are triggered.

About HTTP Post Integration

Some of the terms used in this document are defined here:

Trigger category

A trigger category represents a type of event for which notifications should be sent.

Notifications can be triggered by different classes of events. When configuring a notification, you must specify for which trigger notifications should be sent.

Appliance trigger

A trigger category related to events concerning appliances status. These can be either appliance-checkin (an occurrence of an appliance check-in) or appliance-message (status messages from the components of an appliance).

Audit trigger

A trigger category related to audit events (relevant actions performed by a user account on the User Portal). The following are audit event categories:

  • Authentication Authentication related actions (for example, a user logged in to the User Portal).

  • Configuration Appliance related (for example, the reconfiguration of an appliance).

  • Registration Customer/account/license related actions (for example, the creation of a new customer).

Intrusion trigger

A trigger category related to intrusion events.

Mail trigger

A trigger category for email detection events. Suspicious or malicious emails can be detected because of attachments, URLs, or other characteristics of the message.

Network trigger

A trigger category related to network events. The following are network events:

  • Malware Command and Control traffic.

  • Drive-by download.

  • Fake anti-virus software activity.

  • Malicious file download.

  • Suspicious network activity.

  • Suspicious URL activity.

  • System network test.

  • Unwanted software activity (for example, adware).

  • Network traffic rule matches.

  • Network anomalies: DNS, HTTP, kerberos, netflow, SMB, and TLS.

Network IoC trigger

A trigger category related to indicators of compromise (IoC) events. The following are network IoC events:

  • A domain name was identified as a potential IoC.

  • An IP address was identified as a potential IoC.

Test trigger

A trigger category for testing events. A notification can be triggered from the User Portal to verify that the integration was successfully configured. A notification can be verified for:

  • Email

  • HTTP Post

  • Slack

  • Streaming

  • Syslog

Architecture

When using HTTP Post Integration, the Manager can be configured to automatically send HTTP POST notifications to a chosen URL whenever the configured events are triggered. The Manager can either send the notification directly to the specified server, through a Sensor, or sent through the system-configured proxy.

The content of the notifications differs depending on the event that has been triggered.

Appliance trigger fields

  • appliance_detail_link: A URL to the status page of the appliance on the User Portal.

  • appliance_fqdn: The fully qualified domain name of the appliance.

  • appliance_private_ip: The private IP address of the appliance.

  • appliance_public_ip: The public IP address of the appliance.

  • appliance_type: The type of the appliance.

  • appliance_uuid: The unique identifier of the appliance.

  • format_version: The version of the notification format.

  • impact: The impact of this event, ranging from 0-100.

  • timestamp: The timestamp of the event as reported by the appliance.

  • trigger_type: The type of event that triggered this notification. Possible values are appliance-checkin or appliance-message.

  • Special fields:

    • component_name: The name of the component that sent the message (appliance-message event only). Possible values are shown in the Appliance trigger fields list.

    • detail_name: The name of the sub-component (appliance-message event only). Possible values are shown in the Appliance trigger fields list.

    • is_online: The appliance status (appliance-checkin event only).

    • key; The source and key together provide an identifier of what is being reported (appliance-message event only). Possible values for source.key are shown in the Appliance trigger fields list.

    • last_checkin_timestamp: (appliance-checkin event only)

    • message: A text string describing the notification (appliance-message event only).

    • source: The source and key together provide an identifier of what is being reported (appliance-message event only). Possible values for source.key are shown in the Appliance trigger fields list.

Audit trigger fields

  • account: Account of the user that performed the logged action.

  • affected_entity_id: Identifier of the object affected by this action (for example, license key, name of the account, UUID of the appliance).

  • affected_entity_type: The type of the object affected by this action (for example, "license", "account", "appliance").

  • audit_action_type: The type of the audit action, some possible values are described in the Audit action field list.

  • audit_event_category: Category of the audit action, currently one of:

    • configuration: Appliance related actions.

    • registration: Account/customer/license related actions.

  • audit_event_id: ID of the audit event.

  • configured_software_version: The version of the software that has been reconfigured (appliance_upgraded events).

  • customer: Customer to which the action refers.

  • description: An extended description of the action.

  • device_id: The unique identifier of the Manager appliance (On-Premises only).

  • event_detail_link: Link to details about this action on the User Portal.

  • event_type: The type of event. audit-event is the only valid value.

  • format_version: The version of the notification format.

  • impact: The impact of this event, ranging from 0-100.

  • source_ip: IP address of the user that performed this action.

  • timestamp: The timestamp of the event.

Intrusion trigger fields

  • correlation_rule: The correlation rule that caused the event, if any.

  • description: A short description of the event (for example, "Detected intrusion").

  • device_id: Obfuscated identifier of the appliance.

  • end_timestamp: Ending timestamp of the event.

  • extended_description: Detailed information about the intrusion event (for example, "Correlated 3 incidents into an intrusion").

  • format_version: The version of the notification format.

  • hosts_affected: A sequence of each host with the threats and attack stages associated with it.

  • intrusion_details_link: A URL that links directly to the intrusion in the User Portal.

  • intrusion_name: The name of the intrusion.

  • intrusion_uuid: Unique identifier of the intrusion.

  • last_modified: The last modification time of this entry.

  • most_advanced_stage: The most advanced attack stage.

  • nr_affected_hosts: Number of affected hosts in the intrusion.

  • nr_malware: Number of distinct threats in the intrusion.

  • reason: The reason behind the intrusion event.

  • start_timestamp: Starting timestamp of the event.

  • trigger_type: The type of event that triggered this notification. Valid value is intrusion-event.

Mail trigger fields

  • action: Action taken in response to this event. Some of the possible values are described in the Mail event action list.

  • description: Description of the event (for example, "Suspicious Email Attachment").

  • detection_type: The type of detection (for example, email-attachment, email-message, or email-url).

  • detectors: The detectors that flagged this message as malicious (email-message only).

  • device_id: obfuscated identifier of the appliance.

  • event_detail_link: link to details about this event on the user website .

  • file_detail_link: Link to details about the malicious attachment on the User Portal (email-attachment only).

  • file_md5: MD5 hash of the malicious attachment (email-attachment only).

  • file_name: Name of the malicious attachment (email-attachment only).

  • file_sha1: SHA-1 hash of the malicious attachment (email-attachment only).

  • file_size: Size of the malicious attachment (email-attachment only).

  • file_type: Type of the malicious attachment (email-attachment only).

  • format_version: The version of the notification format.

  • impact: The impact of this event, ranging from 0-100.

  • mail_url: Malicious URL found in the mail message (email-url only).

  • mail_url_md5: MD5 hash of the malicious URL (email-url only).

  • recipients: Recipients of the email message.

  • sender: Sender of the email message.

  • subject: Subject of the email message.

  • threat: The threat that was detected (email-message only).

  • threat_class: The class of the detected threat (email-message only).

  • timestamp: The timestamp of the event.

Network trigger fields

A notification can include information about PCAPs related to the network event. If multiple PCAPs are available for a single event, multiple notifications are sent for the event, each with different PCAP information.

  • action: Action taken in response to this event.

  • description: Description of the event (for example, "Suspicious DNS Resolution").

  • destination_host: Destination hostname of the event.

  • destination_ip: Destination IP address of the event.

  • destination_port: Destination port of the event.

  • detection_type: The type of detection (for example, dns-resolution, file-download, or network-connection).

  • detection_id: Obfuscated string representing the concatenation of threat, activity, and detector id.

  • device_id: Obfuscated identifier of the appliance.

  • end_timestamp: Ending timestamp of the event.

  • event_detail_link: Link to details about this event on the User Portal.

  • event_id: Identifier of the event.

  • event_url: URL of the network event. In case of a file download this will be the URL the file was downloaded from. Otherwise it will be the URL directly associated with the network event.

  • format_version: The version of the notification format.

  • impact: The impact of this event, ranging from 0-100.

  • logged_users: String representation of the list of users that were logged on at the time of the event.

  • malware_class: The class of the detected threat.

  • malware: The name of the detected threat.

  • occurrences: The number of occurrences of this event.

  • resolved_domain: Resolved destination domain.

  • source_dns_domain: Hostname of the source.

  • source_ip: Source IP address of the event.

  • source_mac: Source MAC address of the event.

  • start_timestamp: Starting timestamp of the event.

  • transport_protocol: Transport layer protocol used by the event.

  • Incident information:

    • incident_id: Identifier of the incident related to this event.

    • incident_impact: Impact of the incident related to this event.

    • incident_malware_class: Name of the threat family involved in the incident.

    • incident_malware: Name of the threat related to the incident.

  • Malicious file information:

    • file_detail_link: Link to details about the malicious file on the User Portal.

    • file_md5: MD5 hash of the malicious file.

    • file_name: Name of the malicious file.

    • file_sha1: SHA-1 hash of the malicious file.

    • file_size: Size of the malicious file.

    • file_type: Type of the malicious file.

  • Suspicious URL information:

    • url_detail_link: Link to details about the suspicious URL on the User Portal.

  • Custom intelligence fields:

    • comment: Comment on the Intelligence entry.

    • detection_id: String representing the concatenation of group rule and revision id (IDS rules only).

    • last_modified: last modification time of this entry.

    • message: Rule message (IDS rules only).

    • source: Name of the source.

  • PCAP fields:

    • pcap_body: Raw binary content of the traffic capture, base64 encoded (might be truncated if too long).

    • pcap_dst_ip: Destination IPV4 address of the PCAP.

    • pcap_dst_port: Destination port of the PCAP.

    • pcap_failed_connections: Number of failed connections from the PCAP.

    • pcap_hosts: List of contacted hostnames from the PCAP.

    • pcap_in_bytes: Number of bytes received.

    • pcap_id: Identifier of the PCAP related to this event.

    • pcap_out_bytes: Number of bytes sent.

    • pcap_protocols: Llist of protocols.

    • pcap_src_ip: Source IPV4 address of the PCAP.

    • pcap_src_port: Source port of the PCAP.

    • pcap_start_time: Start time of the PCAP.

    • pcap_successful_connections: Number of successful connections from the PCAP.

    • pcap_threats: List of threats involved in this PCAP.

    • pcap_urls: List of URLs associated with this PCAP.

Network IoC trigger fields

  • additional_threats: Additional threats associated with the network IoC.

  • detection_id: Unique identifier of the network IoC.

  • detection_time: Origin time of the network IoC.

  • detection_type: Origin of the network IoC.

  • dns_name: Domain name of the resolved network IoC. The presence of a domain name together with an IP address is used to keep track of whether the IP comes from a DNS resolution.

  • domain: Domain name of the resolved network IoC.

  • impact: Impact of the network IoC.

  • ip: IP address of the network IoC.

  • last_update: Last time reputation information was updated.

  • license: Unique identifier of the appliance associated with the origin of the network IoC.

  • main_threat: Main threat associated with the network IoC.

  • metadata: Additional attributes associated with the network IoC.

  • sensor: Name of the sensor associated with the origin of the network IoC.

  • trigger_type: Type of trigger.

Test trigger fields

  • description: Description of the event (for example, "User triggered test event").

  • format_version: The version of the notification format.

  • impact: The impact of this event, currently 10 for tests.

  • notification_config_id: Unique identifier for the notification configuration.

  • test_uuid: Unique identifier for the test.

  • timestamp: The timestamp of the event.

  • trigger_type: The type of event that triggered this notification. Valid value is test-notification.

Configure the User Portal

If you want to send HTTP POST notifications through the system-configured proxy you must first configure the HTTPS proxy using the form proxy_address : port.

To enable the Manager to send HTTP POST notifications, the appropriate configuration must be set in the User Portal.

  1. Login to the Web UI

    Using your Web browser, login to the User Portal at https://user.lastline.com/ (for EMEA customers https://user.emea.lastline.com/) for a hosted deployment or the Manager Web UI for an On-Premises installation.

  2. Navigate to the generic HTTP notification tab

    From the Main navigation menu, click Admin. On the Admin page, select Notifications from left sidebar menu. Then on the Notifications page, click Generic HTTP notification.

  3. Create an HTTP notification

    Click the plus icon to add a notification.

  4. Configure the notification

    The Create Generic HTTP Notification form is comprised of three sections:

    1. Common settings: select the appliance, limits, and timezone.

    2. HTTP post settings: hostname, protocol, and other options.

    3. Triggers: the events that send notifications.

    1. Select an appliance

      In the Appliance block, select a License from the pull-down menu. Choose from All licenses (selects all sensors), All sensors, or select a specific license. Then from the Sensor pull-down menu, select All sensors for the chosen license or any specific sensor.

    2. Select a daily limit

      In the Daily limit box, select the maximum number of notifications to send within a 24 hour period. 0 (zero) means unlimited.

    3. Set the timezone

      In the Timezone box, set the timezone by which daily limits are computed. The selected timezone does not need to be the same as the system timezone.

    4. Enable the notification

      By default, the notification is enabled when you save. Click the Enabled button to toggle this setting.

    5. Define the Post URL

      In the Post URL block, enter the URL that the notification will be posted to. From pull-down menu, select the protocol to use: HTTPS:// or HTTP://. Then enter either a domain name or IP address. Enter the Port. Enter the Path (which may be query strings, a path, or both) required for the POST request to succeed.

    6. Optional: Select the HTTP Proxy

      If the HTTP Proxy toggle is Enabled, the POST request uses the configured system proxy. This is Disabled by default.

    7. Optional: Select certificate validation

      If the Verify SSL Cert toggle is Enabled, the SSL certificate must be valid in order for the POST request to succeed. This is Disabled by default.

    8. Select the HTTP source

      From the HTTP source pull-down menu, select either Manager or Sensor. This is the source of the HTTP notifications in your network.

      Selecting Manager allows you to centralize your notification source at the Manager.

      Selecting Sensor allows you to distribute the notifications across your network to the Sensor that generated the alert.

    9. Select the POST body format

      From the POST body format pull-down menu, select either JSON or XML.

    10. Optional: Select packet capture data

      If the Include PCAP toggle is Enabled, PCAP information will be included with the notification for network events. This is a base-64-encoded dump of the packet capture associated with the event. This is Disabled by default.

    11. Select the triggers

      Select the appropriate triggers for the notification. These are the default settings:

      Appliance triggers

      Appliance triggers are set to Enabled.

      Audit triggers

      Audit triggers are set to Disabled.

      Network triggers

      Network triggers are set to Enabled.

      Intrusion triggers

      Intrusion triggers are set to Disabled.

      Mail triggers

      Mail triggers are set to Enabled.

      Network IoC triggers

      Network IoC triggers are set to Enabled.

      Intelligence triggers

      Intelligence triggers are set to Disabled. These triggers are only available when All licenses is selected.

      See the topic About notification triggers in the User Portal on-line help for further details.

  5. Save the notification

    Once the notification is properly configured, click the Save button to apply the changes. The Generic HTTP notification configuration summary pop-up is displayed. When you close the pop-up, the Generic HTTP notifications list is displayed.

Test the HTTP Post Integration

Test that the HTTP Post Integration on the User Portal has been correctly configured.

  1. Generate a trigger request

    On the User Portal, navigate to the Generic HTTP notification tab. Click the heartbeat/test icon in the appropriate row of the Generic HTTP notifications list to send a test notification.

    Alternatively, you can manually generate a request that will trigger one of the configured events. For example:

    $ curl test.lastline.com
  2. Check the destination server

    On the destination server, check that the request was correctly received.

  3. Check the User Portal

    On the User Portal, an entry for the HTTP Post notification will be displayed regardless of success or failure.

    Navigate to Admin Appliances Logs Monitoring Logs.

    Click plus to expand the Filters widget. Select "Component" from the pull-down menu to add the Component item. Select "Notification Delivery Service" from its pull-down menu.

    In the monitoring log, look for "Httppost Server Status" in the Type column. It will contain details about the notification delivery.

Notifications examples

Some examples of the content of HTTP Post notifications for each trigger category.

Appliance event notifications

Example of a notification reporting that an appliance is online.

"impact": 10,
"appliance_detail_link": "https://user.lastline.local/appliance#/config/status/0284f6fcf42f4e859499f00bc00c19a7",
"format_version": "9.0",
"appliance_type": "SENSOR",
"trigger_type": "appliance-checkin",
"timestamp": "2019-08-27 13:34:14",
"appliance_fqdn": "lastline-sensor.lastline.local",
"last_checkin_timestamp": "2019-08-27 13:34:14",
"is_online": true,
"appliance_public_ip": "192.168.1.57",
"appliance_private_ip": "192.168.1.57",
"appliance_uuid": "0284f6fcf42f4e859499f00bc00c19a7"

Example of a notification reporting the successful upload of email metadata.

"impact": 10,
"detail_name": "Email metadata uploader",
"appliance_detail_link": "https://user.lastline.local/appliance#/config/status/0284f6fcf42f4e859499f00bc00c19a7",
"format_version": "9.0",
"appliance_type": "SENSOR",
"trigger_type": "appliance-message",
"timestamp": "2019-08-27 13:46:36",
"source": "llmail",
"appliance_uuid": "0284f6fcf42f4e859499f00bc00c19a7",
"key": "sharduploader.upload",
"appliance_fqdn": "lastline-sensor.lastline.local",
"appliance_public_ip": "192.168.1.57",
"appliance_private_ip": "192.168.1.57",
"message": "Successful upload of email metadata",
"component_name": "Email Analysis Service"

Audit event notifications

Example of a notification reporting that the software version of an appliance has been upgraded.

"affected_entity_id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"customer": "test@fake.bet",
"account": "fake@test.bet",
"description": "The software version of the appliance has been upgraded",
"format_version": "9.0",
"configured_software_version": "2.2.2",
"impact": 40,
"timestamp": "2019-11-25 14:25:45+00:00",
"source_ip": "192.168.0.1",
"event_type": "audit-event",
"audit_action_type": "appliance_upgraded",
"event_detail_link": "https://user.lastline.local/settings#/audit/a/2019-11-24/2019-11-26?audit_event_id=17",
"affected_entity_type": "appliance",
"audit_event_id": 17,
"audit_event_category": "configuration"

Intrusion event notifications

Example of a notification triggered by a intrusion event.

"hosts_affected": [
  "host": "1.2.3.4",
  "attack_stages": ["Command and Control"],
  "malware": ["Upatre Public IP Check"]
],
"correlation_rule": "C&C Rule",
"device_id": "3287884757:3459119816",
"device_id": "3287884757:3459119816",
"end_timestamp": "2018-02-01 15:16:17",
"format_version": "9.0",
"impact": 90,
"intrusion_details_link": "https://do.not.connect/portal#/campaigns/details/d5ec0e2e01cb49d993a0c4d7dbee968c?customer=mannimarco@oblivion.bet",
"intrusion_name": "intrusion",
"intrusion_uuid": "d5ec0e2e01cb49d993a0c4d7dbee968c",
"last_modified": "2018-01-12 03:15:20",
"most_advanced_stage": "Command and Control",
"nr_affected_hosts": 1,
"nr_malware": 1,
"reason": "Detected Command&Control traffic indicating that 2 hosts are infected with malware Upatre Public IP Check",
"start_timestamp": "2018-01-07 20:01:02",
"trigger_type": "intrusion-event",
"extended_description": "Added detection information: hosts: 1.2.3.4; malware: Upatre Public IP Check"

Mail event notifications

Example of a notification body after the detection of mail based on an attachment.

"impact": 100,
"file_detail_link": "https://user.lastline.local/malscape/#/task/613de0cc17534adbb0f046b88e1f70f7",
"start_timestamp": "2019-08-27 14:16:06+00:00",
"sender": "fake@example.com",
"description": "Suspicious Email Attachment",
"format_version": "9.0",
"recipients": ["<test@example.com>"],
"file_type": "Rich Text Format data, unknown version",
"file_name": "f0b3f8277c884d4be2397bb05cd102f3",
"file_sha1": "b4be2633ac9ca6ff6670d67473b042123a0a7644",
"subject": "Test",
"file_md5": "f0b3f8277c884d4be2397bb05cd102f3",
"detection_type": "email-attachment",
"file_size": 163699,
"device_id": "3053322414:602745899",
"end_timestamp": "2019-08-27 14:16:06+00:00",
"action": "BLOCK_ATTACHMENT",
"event_detail_link": "https://user.lastline.local/mail/message#/3287884757/3459119816/9561?mail_time=2016-03-21"

Example of a notification body after the detection of mail based on a URL.

"end_timestamp": "2019-11-25 14:28:05+00:00",
"impact": 99,
"start_timestamp": "2019-11-25 14:28:05+00:00",
"sender": "test@lastline.com",
"description": "Suspicious Email Url",
"format_version": "9.0",
"recipients": ["fake@lastline.com"],
"mail_url_md5": "2be456f055282b7dc6d6b0f002a52dad",
"detection_type": "email-url",
"device_id": "3287884757:3459119816",
"appliance_name": "sensor01",
"mail_url": "http://www.evil.fake",
"subject": "TEST EMAIL!",
"action": "BLOCK_URL",
"event_detail_link": "https://user.lastline.local/mail/message#/3287884757/3459119816/9561?mail_time=2016-03-21"

Example of a notification body after the detection of mail based on a mail message characteristic.

"end_timestamp": "2019-09-09 22:17:17+00:00",
"impact": 80,
"start_timestamp": "2019-09-09 22:17:17+00:00",
"sender": "test@lastline.com",
"description": "Suspicious Email Message",
"format_version": "9.1",
"recipients": ["fake@lastline.com"],
"detectors": [
  "email_anomaly:spam_domain",
  "email_anomaly:spam_ip"
],
"threat": "Mebroot",
"threat_class": "drive-by",
"detection_type": "email-message",
"device_id": "3287884757:3459119816",
"appliance_name": "sensor01",
"subject": "TEST EMAIL!",
"action": "BLOCK_EMAIL",
"event_detail_link": "https://user.lastline.local/mail/message#/3287884757/3459119816/9359?date=2019-09-09"

Network event notifications

Example of a notification triggered by the detection of a malicious file download.

"file_detail_link": "https://user.lastline.local/malscape/#/task/6ad71b9ddc554d1eac73ce27f55e2abb",
"file_type": "PDF document",
"file_name": "/5e2eceec69c9ef5435298abc1d10624b.pdf",
"file_size": 5984,
"detection_type": "file-download",
"occurrences": 1,
"detection_id": "2535ec71:30fbe7df:e52cff2b",
"end_timestamp": "2019-08-27 13:46:13+00:00",
"transport_protocol": "TCP",
"malware": "Malicious Document Download",
"event_id": 9,
"src_ip": "127.0.0.1",
"event_detail_link": "https://user.lastline.local/event#/3053322414/602745899/9?event_time=2019-08-27",
"impact": 100,
"description": "Suspicious File Download",
"format_version": "9.0",
"file_md5": "5e2eceec69c9ef5435298abc1d10624b",
"http_host": "127.0.0.2",
"device_id": "3053322414:602745899",
"event_url": "http://127.0.0.2/5e2eceec69c9ef5435298abc1d10624b.pdf",
"incident_id": 12,
"incident_impact": 100,
"incident_malware": "Malicious Document Download",
"incident_malware_class": "Malicious File Download",
"start_timestamp": "2019-08-27 13:46:13+00:00",
"malware_class": "Malicious File Download",
"file_sha1": "e1a1dcfefa8c96723d5f7816f0e991a0a01b5f0a",
"dst_port": 80,
"action": "LOG",
"dst_ip": "127.0.0.2"

Example of a notification reporting the detection of a suspicious network connection.

"impact": 1,
"transport_protocol": "TCP",
"malware": "Lastline test",
"description": "Suspicious Network Connection",
"format_version": "9.0",
"event_id": 8,
"dst_port": 80,
"start_timestamp": "2019-08-27 13:38:44+00:00",
"dst_host": "test.lastline.com",
"src_ip": "192.168.1.57",
"detection_type": "network-connection",
"malware_class": "Lastline test",
"occurrences": 1,
"event_detail_link": "https://user.lastline.local/event#/3053322414/602745899/8?event_time=2019-08-27",
"detection_id": "fc900ff8:30fbe7df:30fbe7df",
"action": "LOG",
"dst_ip": "52.5.237.96",
"device_id": "3053322414:602745899",
"event_url": "http://test.lastline.com",
"incident_id": 13,
"incident_impact": 1,
"incident_malware": "Lastline test",
"incident_malware_class": "Lastline test",
"src_mac": "08:00:27:00:c9:7a",
"end_timestamp": "2019-08-27 13:38:44+00:00"

Example of a notification triggered by a suspicious DNS resolution.

"impact": 1,
"transport_protocol": "UDP",
"malware": "Lastline test",
"resolved_domain": "test.lastline.com",
"description": "Suspicious DNS Resolution",
"format_version": "9.0",
"event_id": 7,
"dst_port": 53,
"start_timestamp": "2019-08-27 13:38:44+00:00",
"src_ip": "192.168.1.57",
"detection_type": "dns-resolution",
"malware_class": "Lastline test",
"occurrences": 2,
"event_detail_link": "https://user.lastline.local/event#/3053322414/602745899/7?event_time=2019-08-27",
"detection_id": "fc900ff8:30fbe7df:30fbe7df",
"action": "LOG",
"dst_ip": "192.168.1.1",
"device_id": "3053322414:602745899",
"event_url": "http://test.lastline.com",
"incident_id": 14,
"incident_impact": 1,
"incident_malware": "Lastline test",
"incident_malware_class": "Lastline test",
"src_mac": "08:00:27:00:c9:7a",
"end_timestamp": "2019-08-27 13:38:44+00:00"

Example of a notification for a network event containing information about the related PCAP. The PCAP body has been truncated for brevity.

"event_url": "http://example.com",
"detection_type": "dns-resolution",
"occurrences": 1,
"detection_id": "c90de0dd:d0051f96:d0051f96",
"appliance_name": "sensor01",
"impact": 70,
"malware": "Test Threat",
"src_dns_domain": "",
"format_version": "9.0",
"event_id": 1785,
"src_ip": "192.168.0.1",
"event_detail_link": "https://do.no.connect/event#/3287884757/3459119816/1785?event_time=2012-12-12",
"end_timestamp": "2012-12-12 00:20:00+00:00",
"transport_protocol": "TCP",
"description": "Suspicious DNS Resolution",
"dst_ip": "10.0.0.1",
"device_id": "3287884757:3459119816",
"start_timestamp": "2012-12-12 00:00:00+00:00",
"malware_class": "Testing Threat Class",
"dst_port": 80,
"action": "LOG",
"pcap_id": 866,
"pcap_src_ip": "192.168.0.1",
"pcap_threats": ["UserDefinedThreat"],
"pcap_dst_port": 80,
"pcap_failed_connections": 1,
"pcap_in_bytes": 1,
"pcap_start_time": "2012-12-12 00:00:00",
"pcap_src_port": 23456,
"pcap_protocols": ["TCP"],
"pcap_urls": ["http://example.com"],
"pcap_hosts": ["www.lastline.com"],
"pcap_out_bytes": 1,
"pcap_dst_ip": "10.0.0.1",
"pcap_successful_connections": 1,
"pcap_body": "1MOyoQIABAAAAAAAAAAAAP//AAABAAAAI0ujQLi/BAA+AAAAPgAAAP7/IAABAAAAAQAAAAgARQAAMA9BQACABpHrkf6g7UHQ5N8NLABQOK"

Network IoC event notification

Example of a notification triggered by a network IoC event.

"additional_threats": [
  "Mebroot"
],
"detection_detail_link": "https://do.no.connect/portal#/event/3637006069/1189538789/100?event_time=2019-10-10",
"detection_id": "100",
"detection_time": "2019-10-10 11:52:47",
"detection_type": "network-event",
"dns_name": "evil.com",
"impact": 80,
"ip": "8.8.8.8",
"last_update": "2019-09-03 12:07:11",
"license": "AAAAAAAAAAAAAAAAAAAA:sensor01",
"main_threat": "Murofet",
"metadata": [
  {"network_class": "enterprise"},
  {"organisation": "Google"}
],
"sensor": "Previct Sensor 01",
"trigger_type": "network-ioc-ip"

Test event notification

Example of a notification triggered for testing.

"format_version": "9.0",
"description": "User triggered test event",
"impact": 10,
"trigger_type": "test-notification",
"timestamp": "2019-08-27 14:16:06+00:00",
"test_uuid": "3dc144bdb3434b1abf7a465de3f57948",
"notification_config_id": 37

Appendices

Appliance trigger fields

Possible values for appliance trigger fields:

component_name source.key detail_name
Analysis appliance_update.analysis.anonvpn Traffic Routing
Analysis appliance_update.analysis.lladoc Document Analyzer
Analysis appliance_update.analysis.llama Windows Sandbox
Analysis appliance_update.analysis.llweb URL/PDF Sandbox
Analysis appliance_update.analysis.processing Processing
Database appliance_update.db.server Database Server
Disk Usage sys.disk.usage Disk Usage
Email Analysis appliance_update.mail.llmail Email Analysis Service
Email Analysis Service llmail.receiver Email receiver
Email Analysis Service llmail.sharduploader.upload Email metadata uploader
Email Analysis Service llmail.smtpsender-dsn.message SMTP bounce sender message status
Email Analysis Service llmail.smtpsender-dsn.server SMTP bounce sender server status
Email Analysis Service llmail.smtpsender.message SMTP sender message status
Email Analysis Service llmail.smtpsender.server SMTP sender server status
ICAP appliance_update.icap.cicap ICAP Server
IDS Service llsnifflogmon.suricata.ruleparsing.customer Customer Rule
Integrations appliance_update.integration.session_tracker Session Tracker Service
Integrations appliance_update.integrations.notification-proxy_status Notification Delivery Service
Integrations appliance_update.integrations.session_tracker Session Tracker Service
Management appliance_update.mgmt.appliance_update Lastline Update Service
Management appliance_update.mgmt.lload Load Monitoring Service
Management appliance_update.mgmt.version Version Update Service
Message Processing appliance_update.mq.broker Message Broker
Message Processing appliance_update.mq.queue_workers Message Processors
Monitoring appliance_update.monitoring.llpsv Sniffer Service
Monitoring appliance_update.monitoring.suricata IDS Service
Notification Delivery Service notification.server.checkpoint Checkpoint Server Status
Notification Delivery Service notification.server.email Email Server Status
Notification Delivery Service notification.server.httppost HTTP Server Status
Notification Delivery Service notification.server.siem SIEM Server Status
Notification Delivery Service notification.server.tipping_point TippingPoint SMS Server Status
Queue Status analyst_scheduler.status.capacity_percent Analysis Queue - Load
Queue Status analyst_scheduler.status.pickup_delay Analysis Queue - Analysis Delay
Queue Status analyst_scheduler.status.tasks_queued Analysis Queue - Pending Tasks
Session Tracker Service session-tracker.wmi_query Session Tracker Query Status
System appliance_update.action.configure Configuration
System Status appliance_update.appliance_clock Appliance Clock
Threat Intelligence Replication db.monitor_slave.io Threat Intelligence Replication IO
Threat Intelligence Replication db.monitor_slave.sql Threat Intelligence Replication SQL
Traffic Routing anonymity_provider.status Traffic Routing Check
Windows Sandbox analyst_daemon.llama.configuration Sandbox Configuration Data

Audit action field

Possible values for the "audit_action_type" field:

Action type Description
account_blocked An account was blocked.
account_created An account was created.
account_deleted An account was deleted.
account_permission_granted A permission was granted to an account.
account_permission_revoked A permission was revoked from an account.
account_unblocked An account was unblocked.
account_updated An account's details were updated.
api_token_reset A license API token was reset.
appliance_delete_quarantined_mail_requested A quarantined mail message was deleted.
appliance_deregistered An appliance was deregistered.
appliance_disabled An appliance was disabled.
appliance_enabled An appliance was enabled.
appliance_rebooted An appliance was rebooted.
appliance_reconfigured An appliance was reconfigured.
appliance_registered An appliance was registered.
appliance_release_quarantined_mail_requested A quarantined mail message was released.
appliance_upgraded The software version of an appliance was upgraded.
customer_updated A customer's details were updated.
email_changed An account's email was updated.
failed_login A user failed to log in to an account.
homenet_updated The homenet was updated.
httppost_notification_created An HTTP POST notification configuration was created.
httppost_notification_updated An HTTP POST notification configuration was updated.
intrusion_assignee_updated The assignee of an intrusion was updated.
intrusion_state_updated The state of an intrusion was updated.
invalid_credentials A user provided invalid credentials for an account.
license_created A new license was granted.
license_updated A license's details were updated.
mail_assignee_updated The assignee of a mail message was updated.
mail_notification_created A mail notification configuration was created.
mail_notification_updated A mail notification configuration was updated.
mail_state_updated The state of a mail message was updated.
notification_deleted A notification configuration was deleted.
password_changed An account's password was updated.
password_removed An account's password was removed.
password_reset An account's password was reset.
password_reset_request A request was made to reset an account's password.
report_created A report was created.
report_deleted A report was deleted.
report_updated A report was updated.
role_created A custom role was created.
role_granted A custom role was granted to an account.
role_permission_granted A permission was granted for a custom role.
role_permission_revoked A permission was removed from a custom role.
role_revoked A role was revoked from an account.
role_updated A custom role was updated.
sensor_added A sensor was added.
sensor_updated A sensor was updated.
siem_notification_created A SIEM notification configuration was created.
siem_notification_updated A SIEM notification configuration was updated.
streaming_notification_created A streaming API notification configuration was created.
streaming_notification_updated A streaming API notification configuration was updated.
successful_login A successful login was performed for an account.
successful_logout A successful logout was performed for an account.
test_notification_sent A test notification was sent.
wmi_source_configured A WMI source was configured for session management.
wmi_source_deleted A WMI source configuration was deleted.

Mail event action

Possible values for the mail event action field:

action Description
BLOCK_ATTACHMENT The attachment contained in the mail message was blocked.
BLOCK_EMAIL The entire mail message was blocked.
BLOCK_URL The URL contained in the mail message was blocked.
LOG The mail event was only logged.
UNKNOWN An unknown action was taken in response to this event.
WARN A warning was issued about the content of the mail that triggered this mail event.