VMware NSX Network Detection and Response Streaming API Integration

The Streaming API Integration allows On-Premises appliances to automatically create and send a notification stream that contains information about specific events selected based on trigger configurations. These triggers can be tailored by frequency, quantity per day, and specific types of alerts.

About Streaming API Integration

Some of the terms used in this document are defined here:

Trigger category

A trigger category represents a type of event for which notifications should be sent.

Notifications can be triggered by different classes of events. When configuring a notification, you must specify for which trigger notifications should be sent.

Appliance trigger

A trigger category related to events concerning appliance status. These can be either appliance-checkin (an occurrence of an appliance check-in) or appliance-message (status messages from the components of an appliance).

Audit trigger

A trigger category related to audit events (relevant actions performed by a user account on the User Portal). The following are audit event categories:

  • Authentication: Authentication-related actions (for example, a user logged in to the User Portal).

  • Configuration: Appliance-related actions (for example, the reconfiguration of an appliance).

  • Registration: Customer/account/license-related actions (for example, the creation of a new customer).

Intrusion trigger

A trigger category related to intrusion events.

Mail trigger

A trigger category for email detection events. Suspicious or malicious emails can be detected because of attachments, URLs, or other characteristics of the message.

Network trigger

A trigger category related to network events. The following are network events:

  • Malware Command and Control traffic.

  • Drive-by download.

  • Fake anti-virus software activity.

  • Malicious file download.

  • Suspicious network activity.

  • Suspicious URL activity.

  • System network test.

  • Unwanted software activity (for example, adware).

  • Network traffic rule matches.

  • Network anomalies: DNS, HTTP, kerberos, netflow, SMB, and TLS.

Network IoC trigger

A trigger category related to indicators of compromise (IoC) events. The following are network IoC events:

  • A domain name was identified as a potential IoC.

  • An IP address was identified as a potential IoC.

Test trigger

A trigger category for testing events. A notification can be triggered from the User Portal to verify that the integration was successfully configured. A notification can be verified for:

  • Email

  • HTTP Post

  • Slack

  • Streaming

  • Syslog

Architecture

The Streaming API Integration is based on a publish-subscribe architecture, where notifications about specific events are pushed onto an event stream and a user, after subscribing to the stream, is then able to consume them. The event stream consists of a sequence of messages encoded in a simple newline-terminated JSON format, where each new line of text is a self-contained event.

The content of the notifications differs depending on the event that has been triggered.

Appliance trigger fields

  • appliance_detail_link: A URL to the status page of the appliance on the User Portal.

  • appliance_fqdn: The fully qualified domain name of the appliance.

  • appliance_private_ip: The private IP address of the appliance.

  • appliance_public_ip: The public IP address of the appliance.

  • appliance_type: The type of the appliance.

  • appliance_uuid: The unique identifier of the appliance.

  • format_version: The version of the notification format.

  • impact: The impact of this event, ranging from 0-100.

  • timestamp: The timestamp of the event as reported by the appliance.

  • trigger_type: The type of event that triggered this notification. Possible values are appliance-checkin or appliance-message.

  • Special fields:

    • component_name: The name of the component that sent the message (appliance-message event only). Possible values are shown in the Appliance trigger fields list.

    • detail_name: The name of the sub-component (appliance-message event only). Possible values are shown in the Appliance trigger fields list.

    • is_online: The appliance status (appliance-checkin event only).

    • key: The source and key together provide an identifier of what is being reported (appliance-message event only). Possible values for source.key are shown in the Appliance trigger fields list.

    • last_checkin_timestamp: (appliance-checkin event only)

    • message: A text string describing the notification (appliance-message event only).

    • source: The source and key together provide an identifier of what is being reported (appliance-message event only). Possible values for source.key are shown in the Appliance trigger fields list.

Audit trigger fields

  • account: Account of the user that performed the logged action.

  • affected_entity_id: Identifier of the object affected by this action (for example, license key, name of the account, UUID of the appliance).

  • affected_entity_type: The type of the object affected by this action (for example, "license", "account", "appliance").

  • audit_action_type: The type of the audit action; some possible values are described in the Audit action field list.

  • audit_event_category: Category of the audit action, currently one of:

    • configuration: Appliance related actions.

    • registration: Account/customer/license related actions.

  • audit_event_id: ID of the audit event.

  • configured_software_version: The version of the software that has been reconfigured (appliance_upgraded events).

  • customer: Customer to which the action refers.

  • description: An extended description of the action.

  • device_id: The unique identifier of the Manager appliance (On-Premises only).

  • event_detail_link: Link to details about this action on the User Portal.

  • event_type: The type of event. audit-event is the only valid value.

  • format_version: The version of the notification format.

  • impact: The impact of this event, ranging from 0-100.

  • source_ip: IP address of the user that performed this action.

  • timestamp: The timestamp of the event.

Intrusion trigger fields

  • correlation_rule: The correlation rule that caused the event, if any.

  • description: A short description of the event (for example, "Detected intrusion").

  • device_id: Obfuscated identifier of the appliance.

  • end_timestamp: Ending timestamp of the event.

  • extended_description: Detailed information about the intrusion event (for example, "Correlated 3 incidents into an intrusion").

  • format_version: The version of the notification format.

  • hosts_affected: A sequence of each host with the threats and attack stages associated with it.

  • intrusion_details_link: A URL that links directly to the intrusion in the User Portal.

  • intrusion_name: The name of the intrusion.

  • intrusion_uuid: Unique identifier of the intrusion.

  • last_modified: The last modification time of this entry.

  • most_advanced_stage: The most advanced attack stage.

  • nr_affected_hosts: Number of affected hosts in the intrusion.

  • nr_malware: Number of distinct threats in the intrusion.

  • reason: The reason behind the intrusion event.

  • start_timestamp: Starting timestamp of the event.

  • trigger_type: The type of event that triggered this notification. Valid value is intrusion-event.

Mail trigger fields

  • action: Action taken in response to this event. Some of the possible values are described in the Mail event action list.

  • description: Description of the event (for example, "Suspicious Email Attachment").

  • detection_type: The type of detection (for example, email-attachment, email-message, or email-url).

  • detectors: The detectors that flagged this message as malicious (email-message only).

  • device_id: Obfuscated identifier of the appliance.

  • event_detail_link: Link to details about this event on the User Portal.

  • file_detail_link: Link to details about the malicious attachment on the User Portal (email-attachment only).

  • file_md5: MD5 hash of the malicious attachment (email-attachment only).

  • file_name: Name of the malicious attachment (email-attachment only).

  • file_sha1: SHA-1 hash of the malicious attachment (email-attachment only).

  • file_size: Size of the malicious attachment (email-attachment only).

  • file_type: Type of the malicious attachment (email-attachment only).

  • format_version: The version of the notification format.

  • impact: The impact of this event, ranging from 0-100.

  • mail_url: Malicious URL found in the mail message (email-url only).

  • mail_url_md5: MD5 hash of the malicious URL (email-url only).

  • recipients: Recipients of the email message.

  • sender: Sender of the email message.

  • subject: Subject of the email message.

  • threat: The threat that was detected (email-message only).

  • threat_class: The class of the detected threat (email-message only).

  • timestamp: The timestamp of the event.

Network trigger fields

A notification can include information about PCAPs related to the network event. If multiple PCAPs are available for a single event, multiple notifications are sent for the event, each with different PCAP information.

  • action: Action taken in response to this event.

  • description: Description of the event (for example, "Suspicious DNS Resolution").

  • destination_host: Destination hostname of the event.

  • destination_ip: Destination IP address of the event.

  • destination_port: Destination port of the event.

  • detection_type: The type of detection (for example, dns-resolution, file-download, or network-connection).

  • detection_id: Obfuscated string representing the concatenation of threat, activity, and detector id.

  • device_id: Obfuscated identifier of the appliance.

  • end_timestamp: Ending timestamp of the event.

  • event_detail_link: Link to details about this event on the User Portal.

  • event_id: Identifier of the event.

  • event_url: URL of the network event. In case of a file download this will be the URL the file was downloaded from. Otherwise it will be the URL directly associated with the network event.

  • format_version: The version of the notification format.

  • impact: The impact of this event, ranging from 0-100.

  • logged_users: String representation of the list of users that were logged on at the time of the event.

  • malware_class: The class of the detected threat.

  • malware: The name of the detected threat.

  • occurrences: The number of occurrences of this event.

  • resolved_domain: Resolved destination domain.

  • source_dns_domain: Hostname of the source.

  • source_ip: Source IP address of the event.

  • source_mac: Source MAC address of the event.

  • start_timestamp: Starting timestamp of the event.

  • transport_protocol: Transport layer protocol used by the event.

  • Incident information:

    • incident_id: Identifier of the incident related to this event.

    • incident_impact: Impact of the incident related to this event.

    • incident_malware_class: Name of the threat family involved in the incident.

    • incident_malware: Name of the threat related to the incident.

  • Malicious file information:

    • file_detail_link: Link to details about the malicious file on the User Portal.

    • file_md5: MD5 hash of the malicious file.

    • file_name: Name of the malicious file.

    • file_sha1: SHA-1 hash of the malicious file.

    • file_size: Size of the malicious file.

    • file_type: Type of the malicious file.

  • Suspicious URL information:

    • url_detail_link: Link to details about the suspicious URL on the User Portal.

  • Custom intelligence fields:

    • comment: Comment on the Intelligence entry.

    • detection_id: String representing the concatenation of group rule and revision id (IDS rules only).

    • last_modified: Last modification time of this entry.

    • message: Rule message (IDS rules only).

    • source: Name of the source.

  • PCAP fields:

    • pcap_body: Raw binary content of the traffic capture, base64 encoded (might be truncated if too long).

    • pcap_dst_ip: Destination IPV4 address of the PCAP.

    • pcap_dst_port: Destination port of the PCAP.

    • pcap_failed_connections: Number of failed connections from the PCAP.

    • pcap_hosts: List of contacted hostnames from the PCAP.

    • pcap_in_bytes: Number of bytes received.

    • pcap_id: Identifier of the PCAP related to this event.

    • pcap_out_bytes: Number of bytes sent.

    • pcap_protocols: List of protocols.

    • pcap_src_ip: Source IPV4 address of the PCAP.

    • pcap_src_port: Source port of the PCAP.

    • pcap_start_time: Start time of the PCAP.

    • pcap_successful_connections: Number of successful connections from the PCAP.

    • pcap_threats: List of threats involved in this PCAP.

    • pcap_urls: List of URLs associated with this PCAP.

Network IoC trigger fields

  • additional_threats: Additional threats associated with the network IoC.

  • detection_detail_link: Link to the origin of the network IoC in the User Portal.

  • detection_id: Unique identifier of the network IoC.

  • detection_time: Origin time of the network IoC.

  • detection_type: Origin of the network IoC.

  • dns_name: Domain name of the resolved network IoC. The presence of a domain name together with an IP address is used to keep track of whether the IP comes from a DNS resolution.

  • domain: Domain name of the resolved network IoC.

  • impact: Impact of the network IoC.

  • ip: IP address of the network IoC.

  • last_update: Last time reputation information was updated.

  • license: Unique identifier of the appliance associated with the origin of the network IoC.

  • main_threat: Main threat associated with the network IoC.

  • metadata: Additional attributes associated with the network IoC.

  • sensor: Name of the sensor associated with the origin of the network IoC.

  • trigger_type: Type of trigger.

Test trigger fields

  • description: Description of the event (for example, "User triggered test event").

  • format_version: The version of the notification format.

  • impact: The impact of this event, currently 10 for tests.

  • notification_config_id: Unique identifier for the notification configuration.

  • test_uuid: Unique identifier for the test.

  • timestamp: The timestamp of the event.

  • trigger_type: The type of event that triggered this notification. Valid value is test-notification.

Configure the Streaming API

To be able to consume from the stream of events, you must first configure the stream itself. An event stream can be configured either through the configuration UI or by using the notification API. Either way, at the end of the configuration you will have the URL needed to subscribe to the event stream and receive updates about events.

Configure the User Portal

Configure the event stream using the User Portal.

  1. Log in to the Web UI

    Using your Web browser, log in to the User Portal at https://user.lastline.com/ (for EMEA customers https://user.emea.lastline.com/) for a hosted deployment or the Manager Web UI for an On-Premises installation.

  2. Navigate to the Streaming API notification tab

    From the Main navigation menu, click Admin. On the Admin page, select Notifications from the left sidebar menu. Then on the Notifications page, click Streaming API.

  3. Create a Streaming API notification

    Click the plus icon to add a notification.

  4. Configure the notification

    The Create Streaming API Notification form consists of three sections:

    1. Common settings: select the appliance, limits, and timezone.

    2. Streaming API settings: stream name and other options.

    3. Triggers: the events that send notifications.

    1. Select an appliance

      In the Appliance block, select a License from the pull-down menu. Choose from All licenses (selects all sensors), All sensors, or select a specific license. Then from the Sensor pull-down menu, select All sensors for the chosen license or any specific sensor.

    2. Select a daily limit

      In the Daily limit box, select the maximum number of notifications to send within a 24-hour period. 0 (zero) means unlimited.

    3. Set the timezone

      In the Timezone box, set the timezone by which daily limits are computed. The selected timezone does not need to be the same as the system timezone.

    4. Enable the notification

      By default, the notification is enabled when you save. Click the Enabled button to toggle this setting.

    5. Define the stream name

      In the Stream name block, enter a unique name for the stream.

    6. Optional: Select packet capture data

      If the Include PCAP toggle is Enabled, PCAP information will be included with the notification for network events. This is a base64-encoded dump of the packet capture associated with the event. This is Disabled by default.

    7. Select the triggers

      Select the appropriate triggers for the notification. These are the default settings:

      Appliance triggers

      Appliance triggers are set to Enabled.

      Audit triggers

      Audit triggers are set to Disabled.

      Network triggers

      Network triggers are set to Enabled.

      Intrusion triggers

      Intrusion triggers are set to Disabled.

      Mail triggers

      Mail triggers are set to Enabled.

      Network IoC triggers

      Network IoC triggers are set to Enabled.

      Intelligence triggers

      Intelligence triggers are set to Disabled. These triggers are only available when All licenses is selected.

      See the topic About notification triggers in the User Portal on-line help for further details.

  5. Save the notification

    Once the notification is properly configured, click the Save button to apply the changes. The Streaming API notification configuration summary pop-up is displayed. When you close the pop-up, the Streaming API notifications list is displayed.

The URL for the stream is found in the Stream URL column of the Streaming API notifications list. For example:

https://log.lastline.com/streaming_event/subscribe?channel_key=7accbfad1a1b4beea405a38b33c1d066

Configure using the notification API

You can use the Notification API to configure a new stream. Send a POST request to /papi/notification/add/streaming. See the API documentation for the required parameters.

A successful response will contain a notification_config_id (an integer value) and the stream_url to access the stream.

Consume the stream

The stream can be accessed at the URL returned by the User Portal or the POST request. Authentication is based on username and password. To consume from the stream and receive the sequence of messages (if any), send an HTTPS GET request, using the standard If-Modified-Since and If-None-Match HTTP headers to control which messages you are interested in receiving.

The push-based stream is implemented using long-polling. This means that if the server has no new events for the client, it will not return a response until new data arrives; the request therefore hangs. If new events arrive, they are sent to the client in a response containing the Last-Modified and ETag headers. Upon reception, the client should make a new HTTP request with an updated If-Modified-Since header (based on the Last-Modified response header) and an updated If-None-Match header (based on the ETag response header) to receive new messages.

Events in the stream have a maximum time-to-live (typically 2 hours). After this time, events are discarded and no longer served, regardless of the If-Modified-Since header value. There is also a maximum number of messages that can be maintained for each stream at the same time. If this number is exceeded, the oldest messages are removed.

Sample client

The following is an example long-polling Python client that consumes messages from the configured stream.

import time
import sys
import requests
from urllib.parse import urlencode


def main():
    if len(sys.argv) != 2:
        print("Usage: %s <url>" % sys.argv[0], file=sys.stderr)
        return 1

    # url of the stream obtained from the configuration step
    url = sys.argv[1]
    # conditional headers; empty on the first request so the server
    # returns every event it still holds for this stream
    headers = {}
    s = requests.Session()

    params = {
        "username": "lluser",
        "password": "llpassword",
    }

    while True:
        # long-polling: the request blocks until new events are available
        response = s.get(
            url,
            params=urlencode(params),
            headers={k: v for k, v in headers.items() if v})
        sc = response.status_code
        if sc != 200:
            print("Unexpected status code (%s)..." % sc, file=sys.stderr)
            time.sleep(5.0)
            continue

        # carry Last-Modified/ETag forward as If-Modified-Since/If-None-Match
        # (header lookup in requests is case-insensitive)
        headers = {
            "If-Modified-Since": response.headers.get("Last-Modified", None),
            "If-None-Match": response.headers.get("Etag", None),
        }
        # each line of the body is one self-contained JSON event
        lines = response.content.splitlines()
        print("Lines: %d (%d bytes)" % (len(lines), len(response.content)))
        for i, l in enumerate(lines):
            print("%03d: %s" % (i + 1, repr(l)))


if __name__ == "__main__":
    sys.exit(main())
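The client above only prints the raw lines. As an added example (not code from this page, nor from the papi-client), the following Python module handles the rest of what the Architecture and Consume sections describe: it derives the conditional headers for the next request from Last-Modified/ETag, splits a newline-terminated JSON body into events while reporting a cut-off last line, classifies each event by trigger category using the trigger_type, event_type and detection_type values listed in this document, decodes a possibly truncated base64 pcap_body, and flattens an event into a uniform record for a SIEM. The network IoC check on main_threat/detection_time is an assumption drawn from the field list, and the events used in the test are constructed from the notification examples in this document.

```python
import base64
import binascii
import json
from typing import Dict, List, Optional, Tuple

# detection_type prefixes of mail and network events, from this document's
# field lists and notification examples
_DETECTION_PREFIXES = {
    "email-": "mail",
    "dns-resolution": "network",
    "file-download": "network",
    "network-connection": "network",
}


def next_request_headers(response_headers: Dict[str, str]) -> Dict[str, str]:
    """Turn Last-Modified/ETag of one response into the conditional headers
    for the next long-poll request; a header the server did not send is
    omitted rather than forwarded as an empty value."""
    lower = {k.lower(): v for k, v in response_headers.items()}
    out = {}
    if lower.get("last-modified"):
        out["If-Modified-Since"] = lower["last-modified"]
    if lower.get("etag"):
        out["If-None-Match"] = lower["etag"]
    return out


def parse_ndjson(body: bytes) -> Tuple[List[dict], List[bytes]]:
    """Split a newline-terminated JSON body into (events, rejected_lines).
    Blank lines are ignored; a line that is not a JSON object (for example
    a final line cut off mid-transfer) is reported, not silently dropped."""
    events, rejected = [], []
    for line in body.splitlines():
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except ValueError:
            rejected.append(line)
            continue
        if isinstance(obj, dict):
            events.append(obj)
        else:
            rejected.append(line)
    return events, rejected


def classify(event: dict) -> str:
    """Map one event to its trigger category: appliance, intrusion and test
    events carry trigger_type, audit events carry event_type, mail and
    network events are told apart by detection_type. The network IoC check
    (main_threat/detection_time) is an assumption based on the field list."""
    trigger = event.get("trigger_type", "")
    if trigger.startswith("appliance-"):
        return "appliance"
    if trigger == "intrusion-event":
        return "intrusion"
    if trigger == "test-notification":
        return "test"
    if event.get("event_type") == "audit-event":
        return "audit"
    detection = event.get("detection_type", "")
    for prefix, category in _DETECTION_PREFIXES.items():
        if detection.startswith(prefix):
            return category
    if "main_threat" in event or "detection_time" in event:
        return "network-ioc"
    return "unknown"


def decode_pcap(event: dict) -> Optional[Tuple[bytes, bool]]:
    """Decode the base64 pcap_body of a network event into (raw, truncated).
    The document says the body may be truncated when too long: the string is
    decoded up to its last complete 4-character group and flagged, so a
    partial capture can still be written out for inspection."""
    b64 = event.get("pcap_body")
    if not b64:
        return None
    compact = "".join(b64.split())
    usable = len(compact) - len(compact) % 4
    try:
        raw = base64.b64decode(compact[:usable], validate=True)
    except binascii.Error:
        return None
    return raw, usable != len(compact)


def normalize(event: dict) -> dict:
    """Flatten one event into a uniform record for forwarding to a SIEM,
    taking the first timestamp, summary and portal link its category has."""
    link_keys = ("event_detail_link", "intrusion_details_link",
                 "appliance_detail_link", "detection_detail_link")
    return {
        "category": classify(event),
        "impact": int(event.get("impact", 0)),
        "timestamp": (event.get("timestamp") or event.get("start_timestamp")
                      or event.get("detection_time")),
        "summary": (event.get("description") or event.get("message")
                    or event.get("reason") or event.get("main_threat")),
        "link": next((event[k] for k in link_keys if k in event), None),
        "device_id": event.get("device_id") or event.get("appliance_uuid"),
    }
```

Feed `response.content` from the client above to `parse_ndjson`, and pass `response.headers` to `next_request_headers` before the next long-poll.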

NSX PAPI client

VMware NSX Network Detection and Response provides a client implementation for the NSX PAPI, the papi-client, which you can download from the User Portal.

The NSX PAPI client requires:

  • python 3.8.

  • The python requests module (version 3 or above).

  • To use the interactive shell scripts/papi_shell.py, the ipython module is also required.

The NSX PAPI implementation provides a more structured and polished implementation of a sample long-polling client. It can be used to subscribe to a push stream channel to retrieve notifications. The client is located in "scripts/streaming_api_client.py".

Create a configuration file (config.ini) with the following structure:

[streaming]
username = user@example.com
password = portal_password
url = https://log.example.com/streaming_event/subscribe
verify_ssl = true|false
headers_storage_file = filename

The following parameters are required:

  • username: User Portal account username.

  • password: User Portal account password.

  • url: URL returned by the User Portal or the POST request.

  • verify_ssl: Defines whether to perform SSL certificate validation. Set this to "false" if you are using a self-signed certificate.

  • headers_storage_file: Name of the file where the response Last-Modified and ETag header values will be stored. The client will provide these as If-Modified-Since and If-None-Match header values in subsequent requests.

Execute the script specifying its configuration file with the "-c" argument:

host# python3 scripts/streaming_api_client.py -c config.ini

Test the Streaming API Integration

Test that the Streaming API Integration on the User Portal has been correctly configured.

  1. Generate a trigger request

    On the User Portal, navigate to the Streaming API tab. Click the heartbeat/test icon in the appropriate row of the Streaming API notifications list to send a test notification.

    Alternatively, you can manually generate a request that will trigger one of the configured events. For example:

    $ curl test.lastline.com

  2. Check the destination server

    On the destination server, check that the request was correctly received.

  3. Check the User Portal

    On the User Portal, an entry for the Streaming API notification will be displayed regardless of success or failure.

    Navigate to Admin > Appliances > Logs > Monitoring Logs.

    Click plus to expand the Filters widget. Select "Component" from the pull-down menu to add the Component item. Select "Notification Delivery Service" from its pull-down menu.

    In the monitoring log, look for "Streaming Server Status" in the Type column. It will contain details about the notification delivery.

Notifications examples

The following are examples of the content of Streaming API notifications (after deserializing the received JSON strings) from event streams for each trigger category.

Appliance event notifications

Example of a notification reporting that an appliance is online.

{
  "impact": 10,
  "appliance_detail_link": "https://user.lastline.local/appliance#/config/status/0284f6fcf42f4e859499f00bc00c19a7",
  "format_version": "9.0",
  "appliance_type": "SENSOR",
  "trigger_type": "appliance-checkin",
  "timestamp": "2015-08-27 13:34:14",
  "appliance_fqdn": "lastline-sensor.lastline.local",
  "last_checkin_timestamp": "2015-08-27 13:34:14",
  "is_online": true,
  "appliance_public_ip": "192.168.1.57",
  "appliance_private_ip": "192.168.1.57",
  "appliance_uuid": "0284f6fcf42f4e859499f00bc00c19a7"
}

Example of a notification reporting the successful upload of email metadata.

{
  "impact": 10,
  "detail_name": "Email metadata uploader",
  "appliance_detail_link": "https://user.lastline.local/appliance#/config/status/0284f6fcf42f4e859499f00bc00c19a7",
  "format_version": "9.0",
  "appliance_type": "SENSOR",
  "trigger_type": "appliance-message",
  "timestamp": "2015-08-27 13:46:36",
  "source": "llmail",
  "appliance_uuid": "0284f6fcf42f4e859499f00bc00c19a7",
  "key": "sharduploader.upload",
  "appliance_fqdn": "lastline-sensor.lastline.local",
  "appliance_public_ip": "192.168.1.57",
  "appliance_private_ip": "192.168.1.57",
  "message": "Successful upload of email metadata",
  "component_name": "Email Analysis Service"
}

Audit event notifications

Example of a notification reporting that the software version of an appliance has been upgraded.

{
  "affected_entity_id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
  "customer": "test@fake.bet",
  "account": "fake@test.bet",
  "description": "The software version of the appliance has been upgraded",
  "format_version": "9.0",
  "configured_software_version": "2.2.2",
  "impact": 40,
  "timestamp": "2019-11-25 14:25:45+00:00",
  "source_ip": "192.168.0.1",
  "event_type": "audit-event",
  "audit_action_type": "appliance_upgraded",
  "event_detail_link": "https://user.lastline.local/settings#/audit/a/2019-11-24/2019-11-26?audit_event_id=17",
  "affected_entity_type": "appliance",
  "audit_event_id": 17,
  "audit_event_category": "configuration"
}

Intrusion event notifications

Example of a notification triggered by an intrusion event.

{
  "hosts_affected": [
    {
      "host": "1.2.3.4",
      "attack_stages": ["Command and Control"],
      "malware": ["Upatre Public IP Check"]
    }
  ],
  "correlation_rule": "C&C Rule",
  "device_id": "3287884757:3459119816",
  "end_timestamp": "2018-02-01 15:16:17",
  "format_version": "onpremiseVersion{}",
  "impact": 90,
  "intrusion_details_link": "https://do.no.connect/portal#/campaigns/details/d5ec0e2e01cb49d993a0c4d7dbee968c?customer=mannimarco@oblivion.bet",
  "intrusion_name": "intrusion",
  "intrusion_uuid": "d5ec0e2e01cb49d993a0c4d7dbee968c",
  "last_modified": "2018-01-12 03:15:20",
  "most_advanced_stage": "Command and Control",
  "nr_affected_hosts": 1,
  "nr_malware": 1,
  "reason": "Detected Command&Control traffic indicating that 2 hosts are infected with malware Upatre Public IP Check",
  "start_timestamp": "2018-01-07 20:01:02",
  "trigger_type": "intrusion-event",
  "extended_description": "Added detection information: hosts: 1.2.3.4; malware: Upatre Public IP Check"
}

Mail event notifications

Example of a notification body after the detection of mail based on an attachment.

{
  "impact": 100,
  "file_detail_link": "https://user.lastline.local/malscape/#/task/613de0cc17534adbb0f046b88e1f70f7",
  "start_timestamp": "2019-08-27 14:16:06+00:00",
  "sender": "fake@example.com",
  "description": "Suspicious Email Attachment",
  "format_version": "9.0",
  "recipients": ["<test@example.com>"],
  "file_type": "Rich Text Format data, unknown version",
  "file_name": "f0b3f8277c884d4be2397bb05cd102f3",
  "file_sha1": "b4be2633ac9ca6ff6670d67473b042123a0a7644",
  "subject": "Test",
  "file_md5": "f0b3f8277c884d4be2397bb05cd102f3",
  "detection_type": "email-attachment",
  "file_size": 163699,
  "device_id": "3053322414:602745899",
  "end_timestamp": "2019-08-27 14:16:06+00:00",
  "event_detail_link": "https://user.lastline.local/mail/message#/3287884757/3459119816/9561?mail_time=2016-03-21"
}

Example of a notification body after the detection of mail based on a URL.

{
  "end_timestamp": "2019-11-25 14:28:05+00:00",
  "impact": 99,
  "start_timestamp": "2019-11-25 14:28:05+00:00",
  "sender": "test@lastline.com",
  "description": "Suspicious Email Url",
  "format_version": "9.0",
  "recipients": ["fake@lastline.com"],
  "mail_url_md5": "2be456f055282b7dc6d6b0f002a52dad",
  "detection_type": "email-url",
  "device_id": "3287884757:3459119816",
  "appliance_name": "sensor01",
  "mail_url": "http://www.evil.fake",
  "subject": "TEST EMAIL!",
  "event_detail_link": "https://user.lastline.local/mail/message#/3287884757/3459119816/9561?mail_time=2016-03-21"
}

Example of a notification body after the detection of mail based on a mail message characteristic.

{
  "end_timestamp": "2019-09-09 22:17:17+00:00",
  "impact": 80,
  "start_timestamp": "2019-09-09 22:17:17+00:00",
  "sender": "test@lastline.com",
  "description": "Suspicious Email Message",
  "format_version": "9.1",
  "recipients": ["fake@lastline.com"],
  "detectors": [
    "email_anomaly:spam_domain",
    "email_anomaly:spam_ip"
  ],
  "threat": "Mebroot",
  "threat_class": "drive-by",
  "detection_type": "email-message",
  "device_id": "3287884757:3459119816",
  "appliance_name": "sensor01",
  "subject": "TEST EMAIL!",
  "event_detail_link": "https://user.lastline.local/mail/message#/3287884757/3459119816/9359?date=2019-09-09"
}

Network event notifications

Example of a notification triggered by the detection of a malicious file download.

{
  "file_detail_link": "https://user.lastline.local/malscape/#/task/6ad71b9ddc554d1eac73ce27f55e2abb",
  "file_type": "PDF document",
  "file_name": "/5e2eceec69c9ef5435298abc1d10624b.pdf",
  "file_size": 5984,
  "detection_type": "file-download",
  "occurrences": 1,
  "detection_id": "2535ec71:30fbe7df:e52cff2b",
  "end_timestamp": "2019-08-27 13:46:13+00:00",
  "transport_protocol": "TCP",
  "malware": "Malicious Document Download",
  "event_id": 9,
  "src_ip": "127.0.0.1",
  "event_detail_link": "https://user.lastline.local/event#/3053322414/602745899/9?event_time=2019-08-27",
  "impact": 100,
  "description": "Suspicious File Download",
  "format_version": "9.0",
  "file_md5": "5e2eceec69c9ef5435298abc1d10624b",
  "http_host": "127.0.0.2",
  "device_id": "3053322414:602745899",
  "event_url": "http://127.0.0.2/5e2eceec69c9ef5435298abc1d10624b.pdf",
  "incident_id": 12,
  "incident_impact": 100,
  "incident_malware": "Malicious Document Download",
  "incident_malware_class": "Malicious File Download",
  "start_timestamp": "2019-08-27 13:46:13+00:00",
  "malware_class": "Malicious File Download",
  "file_sha1": "e1a1dcfefa8c96723d5f7816f0e991a0a01b5f0a",
  "dst_port": 80,
  "action": "LOG",
  "dst_ip": "127.0.0.2"
}

Example of a notification reporting the detection of a suspicious network connection.

{
  "impact": 1,
  "transport_protocol": "TCP",
  "malware": "Lastline test",
  "description": "Suspicious Network Connection",
  "format_version": "9.0",
  "event_id": 8,
  "dst_port": 80,
  "start_timestamp": "2019-08-27 13:38:44+00:00",
  "dst_host": "test.lastline.com",
  "src_ip": "192.168.1.57",
  "detection_type": "network-connection",
  "malware_class": "Lastline test",
  "occurrences": 1,
  "event_detail_link": "https://user.lastline.local/event#/3053322414/602745899/8?event_time=2019-08-27",
  "detection_id": "fc900ff8:30fbe7df:30fbe7df",
  "action": "LOG",
  "dst_ip": "52.5.237.96",
  "device_id": "3053322414:602745899",
  "event_url": "http://test.lastline.com",
  "incident_id": 13,
  "incident_impact": 1,
  "incident_malware": "Lastline test",
  "incident_malware_class": "Lastline test",
  "src_mac": "08:00:27:00:c9:7a",
  "end_timestamp": "2019-08-27 13:38:44+00:00"
}

Example of a notification triggered by a suspicious DNS resolution.

{
  "impact": 1,
  "transport_protocol": "UDP",
  "malware": "Lastline test",
  "resolved_domain": "test.lastline.com",
  "description": "Suspicious DNS Resolution",
  "format_version": "9.0",
  "event_id": 7,
  "dst_port": 53,
  "start_timestamp": "2019-08-27 13:38:44+00:00",
  "src_ip": "192.168.1.57",
  "detection_type": "dns-resolution",
  "malware_class": "Lastline test",
  "occurrences": 2,
  "event_detail_link": "https://user.lastline.local/event#/3053322414/602745899/7?event_time=2019-08-27",
  "detection_id": "fc900ff8:30fbe7df:30fbe7df",
  "action": "LOG",
  "dst_ip": "192.168.1.1",
  "device_id": "3053322414:602745899",
  "event_url": "http://test.lastline.com",
  "incident_id": 14,
  "incident_impact": 1,
  "incident_malware": "Lastline test",
  "incident_malware_class": "Lastline test",
  "src_mac": "08:00:27:00:c9:7a",
  "end_timestamp": "2019-08-27 13:38:44+00:00"
}

Example of a notification for a network event containing information about the related PCAP. The PCAP body has been truncated for brevity.

{
  "event_url": "http://example.com",
  "detection_type": "dns-resolution",
  "occurrences": 1,
  "detection_id": "c90de0dd:d0051f96:d0051f96",
  "appliance_name": "sensor01",
  "impact": 70,
  "malware": "Test Threat",
  "src_dns_domain": "",
  "format_version": "7.2",
  "event_id": 1785,
  "src_ip": "192.168.0.1",
  "event_detail_link": "https://do.no.connect/event#/3287884757/3459119816/1785?event_time=2012-12-12",
  "end_timestamp": "2012-12-12 00:20:00+00:00",
  "transport_protocol": "TCP",
  "description": "Suspicious DNS Resolution",
  "dst_ip": "10.0.0.1",
  "device_id": "3287884757:3459119816",
  "start_timestamp": "2012-12-12 00:00:00+00:00",
  "malware_class": "Testing Threat Class",
  "dst_port": 80,
  "action": "LOG",
  "pcap_id": 866,
  "pcap_src_ip": "192.168.0.1",
  "pcap_threats": ["UserDefinedThreat"],
  "pcap_dst_port": 80,
  "pcap_failed_connections": 1,
  "pcap_in_bytes": 1,
  "pcap_start_time": "2012-12-12 00:00:00",
  "pcap_src_port": 23456,
  "pcap_protocols": ["TCP"],
  "pcap_urls": ["http://example.com"],
  "pcap_hosts": ["www.lastline.com"],
  "pcap_out_bytes": 1,
  "pcap_dst_ip": "10.0.0.1",
  "pcap_successful_connections": 1,
  "pcap_body": "1MOyoQIABAAAAAAAAAAAAP//AAABAAAAI0ujQLi/BAA+AAAAPgAAAP7/IAABAAAAAQAAAAgARQAAMA9BQACABpHrkf6g7UHQ5N8NLABQOK"
}
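Decoding the pcap_body of the notification above, as an added example that is not part of this documentation: it assumes pcap_body is a base64-encoded libpcap capture (the sample bytes do begin with the libpcap magic number), repairs the base64 padding lost to truncation, reads the global header, and reports whether the first frame is cut short and whether its IPv4 endpoints agree with the pcap_src_ip and pcap_dst_ip metadata.

```python
import base64
import struct

# Constructed sample: the pcap_* fields of the network event notification shown
# above, including the page's (truncated) pcap_body value.
SAMPLE_NOTIFICATION = {
    "pcap_id": 866,
    "pcap_src_ip": "192.168.0.1",
    "pcap_dst_ip": "10.0.0.1",
    "pcap_body": "1MOyoQIABAAAAAAAAAAAAP//AAABAAAAI0ujQLi/BAA+AAAAPgAAAP7/"
                 "IAABAAAAAQAAAAgARQAAMA9BQACABpHrkf6g7UHQ5N8NLABQOK",
}


def decode_pcap_body(b64: str) -> bytes:
    """Base64-decode pcap_body, restoring padding lost when the blob was cut."""
    b64 = b64.strip()
    return base64.b64decode(b64 + "=" * (-len(b64) % 4))


def inspect_pcap(notification: dict) -> dict:
    """Parse the libpcap global header and the first record of pcap_body."""
    data = decode_pcap_body(notification["pcap_body"])
    if len(data) < 24:
        raise ValueError("pcap_body is shorter than a libpcap global header")
    magic = struct.unpack("<I", data[:4])[0]  # magic fixes the byte order of all fields
    if magic in (0xA1B2C3D4, 0xA1B23C4D):      # little-endian (usec / nsec timestamps)
        order = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):    # big-endian (usec / nsec timestamps)
        order = ">"
    else:
        raise ValueError(f"pcap_body is not a libpcap capture (magic 0x{magic:08x})")
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(order + "HHiIII", data[4:24])
    result = {"version": (major, minor), "snaplen": snaplen, "linktype": linktype,
              "truncated": False}
    if len(data) >= 40:  # at least one packet record header follows
        ts_sec, _ts_frac, incl_len, orig_len = struct.unpack(order + "IIII", data[24:40])
        frame = data[40:40 + incl_len]
        result.update({"first_ts_sec": ts_sec, "incl_len": incl_len, "orig_len": orig_len,
                       "frame_bytes": len(frame), "truncated": len(frame) < incl_len})
        # LINKTYPE_ETHERNET (1): EtherType at offset 12, IPv4 addresses at 26 and 30.
        if linktype == 1 and len(frame) >= 34 and frame[12:14] == b"\x08\x00":
            result["ipv4_src"] = ".".join(str(b) for b in frame[26:30])
            result["ipv4_dst"] = ".".join(str(b) for b in frame[30:34])
            # Consistency check: do the capture's endpoints agree with the metadata?
            result["endpoints_match_metadata"] = (
                result["ipv4_src"] == notification.get("pcap_src_ip")
                and result["ipv4_dst"] == notification.get("pcap_dst_ip"))
    return result
```

On the page's sample the first frame comes back truncated (39 of its 62 bytes are present), so a receiver should treat pcap_body as evidence to inspect rather than as a complete capture.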

Network IoC event notification

Example of a notification triggered by a network IoC event.

{
  "additional_threats": [
    "Mebroot"
  ],
  "detection_detail_link": "https://do.no.connect/portal#/event/3637006069/1189538789/100?event_time=2019-10-10",
  "detection_id": "100",
  "detection_time": "2019-10-10 11:52:47",
  "detection_type": "network-event",
  "dns_name": "evil.com",
  "impact": 80,
  "ip": "8.8.8.8",
  "last_update": "2019-09-03 12:07:11",
  "license": "AAAAAAAAAAAAAAAAAAAA:sensor01",
  "main_threat": "Murofet",
  "metadata": [
    {"network_class": "enterprise"},
    {"organisation": "Google"}
  ],
  "sensor": "Previct Sensor 01",
  "trigger_type": "network-ioc-ip"
}

Test event notification

Example of a notification triggered for testing.

{
  "format_version": "9.0",
  "description": "User triggered test event",
  "impact": 10,
  "trigger_type": "test-notification",
  "timestamp": "2019-08-27 14:16:06+00:00",
  "test_uuid": "3dc144bdb3434b1abf7a465de3f57948",
  "notification_config_id": 37
}

Appendices

Appliance trigger fields

Possible values for appliance trigger fields:

| component_name | source.key | detail_name |
| --- | --- | --- |
| Analysis | appliance_update.analysis.anonvpn | Traffic Routing |
| Analysis | appliance_update.analysis.lladoc | Document Analyzer |
| Analysis | appliance_update.analysis.llama | Windows Sandbox |
| Analysis | appliance_update.analysis.llweb | URL/PDF Sandbox |
| Analysis | appliance_update.analysis.processing | Processing |
| Database | appliance_update.db.server | Database Server |
| Disk Usage | sys.disk.usage | Disk Usage |
| Email Analysis | appliance_update.mail.llmail | Email Analysis Service |
| Email Analysis Service | llmail.receiver | Email receiver |
| Email Analysis Service | llmail.sharduploader.upload | Email metadata uploader |
| Email Analysis Service | llmail.smtpsender-dsn.message | SMTP bounce sender message status |
| Email Analysis Service | llmail.smtpsender-dsn.server | SMTP bounce sender server status |
| Email Analysis Service | llmail.smtpsender.message | SMTP sender message status |
| Email Analysis Service | llmail.smtpsender.server | SMTP sender server status |
| ICAP | appliance_update.icap.cicap | ICAP Server |
| IDS Service | llsnifflogmon.suricata.ruleparsing.customer | Customer Rule |
| Integrations | appliance_update.integration.session_tracker | Session Tracker Service |
| Integrations | appliance_update.integrations.notification-proxy_status | Notification Delivery Service |
| Integrations | appliance_update.integrations.session_tracker | Session Tracker Service |
| Management | appliance_update.mgmt.appliance_update | Lastline Update Service |
| Management | appliance_update.mgmt.lload | Load Monitoring Service |
| Management | appliance_update.mgmt.version | Version Update Service |
| Message Processing | appliance_update.mq.broker | Message Broker |
| Message Processing | appliance_update.mq.queue_workers | Message Processors |
| Monitoring | appliance_update.monitoring.llpsv | Sniffer Service |
| Monitoring | appliance_update.monitoring.suricata | IDS Service |
| Notification Delivery Service | notification.server.checkpoint | Checkpoint Server Status |
| Notification Delivery Service | notification.server.email | Email Server Status |
| Notification Delivery Service | notification.server.httppost | HTTP Server Status |
| Notification Delivery Service | notification.server.siem | SIEM Server Status |
| Notification Delivery Service | notification.server.tipping_point | TippingPoint SMS Server Status |
| Queue Status | analyst_scheduler.status.capacity_percent | Analysis Queue - Load |
| Queue Status | analyst_scheduler.status.pickup_delay | Analysis Queue - Analysis Delay |
| Queue Status | analyst_scheduler.status.tasks_queued | Analysis Queue - Pending Tasks |
| Session Tracker Service | session-tracker.wmi_query | Session Tracker Query Status |
| System | appliance_update.action.configure | Configuration |
| System Status | appliance_update.appliance_clock | Appliance Clock |
| Threat Intelligence Replication | db.monitor_slave.io | Threat Intelligence Replication IO |
| Threat Intelligence Replication | db.monitor_slave.sql | Threat Intelligence Replication SQL |
| Traffic Routing | anonymity_provider.status | Traffic Routing Check |
| Windows Sandbox | analyst_daemon.llama.configuration | Sandbox Configuration Data |

Audit action field

Possible values for the "audit_action_type" field:

| Action type | Description |
| --- | --- |
| account_blocked | An account was blocked. |
| account_created | An account was created. |
| account_deleted | An account was deleted. |
| account_permission_granted | A permission was granted to an account. |
| account_permission_revoked | A permission was revoked from an account. |
| account_unblocked | An account was unblocked. |
| account_updated | An account's details were updated. |
| api_token_reset | A license API token was reset. |
| appliance_delete_quarantined_mail_requested | A quarantined mail message was deleted. |
| appliance_deregistered | An appliance was deregistered. |
| appliance_disabled | An appliance was disabled. |
| appliance_enabled | An appliance was enabled. |
| appliance_rebooted | An appliance was rebooted. |
| appliance_reconfigured | An appliance was reconfigured. |
| appliance_registered | An appliance was registered. |
| appliance_release_quarantined_mail_requested | A quarantined mail message was released. |
| appliance_upgraded | The software version of an appliance was upgraded. |
| customer_updated | A customer's details were updated. |
| email_changed | An account's email was updated. |
| failed_login | A user failed to log in to an account. |
| homenet_updated | The homenet was updated. |
| httppost_notification_created | An HTTP POST notification configuration was created. |
| httppost_notification_updated | An HTTP POST notification configuration was updated. |
| intrusion_assignee_updated | The assignee of an intrusion was updated. |
| intrusion_state_updated | The state of an intrusion was updated. |
| invalid_credentials | A user provided invalid credentials for an account. |
| license_created | A new license was granted. |
| license_updated | A license's details were updated. |
| mail_assignee_updated | The assignee of a mail message was updated. |
| mail_notification_created | A mail notification configuration was created. |
| mail_notification_updated | A mail notification configuration was updated. |
| mail_state_updated | The state of a mail message was updated. |
| notification_deleted | A notification configuration was deleted. |
| password_changed | An account's password was updated. |
| password_removed | An account's password was removed. |
| password_reset | An account's password was reset. |
| password_reset_request | A request was made to reset an account's password. |
| report_created | A report was created. |
| report_deleted | A report was deleted. |
| report_updated | A report was updated. |
| role_created | A custom role was created. |
| role_granted | A custom role was granted to an account. |
| role_permission_granted | A permission was granted for a custom role. |
| role_permission_revoked | A permission was removed from a custom role. |
| role_revoked | A role was revoked from an account. |
| role_updated | A custom role was updated. |
| sensor_added | A sensor was added. |
| sensor_updated | A sensor was updated. |
| siem_notification_created | A SIEM notification configuration was created. |
| siem_notification_updated | A SIEM notification configuration was updated. |
| streaming_notification_created | A streaming API notification configuration was created. |
| streaming_notification_updated | A streaming API notification configuration was updated. |
| successful_login | A successful login was performed for an account. |
| successful_logout | A successful logout was performed for an account. |
| test_notification_sent | A test notification was sent. |
| wmi_source_configured | A WMI source was configured for session management. |
| wmi_source_deleted | A WMI source configuration was deleted. |

Mail event action

Possible values for the mail event action field:

| action | Description |
| --- | --- |
| BLOCK_ATTACHMENT | The attachment contained in the mail message was blocked. |
| BLOCK_EMAIL | The entire mail message was blocked. |
| BLOCK_URL | The URL contained in the mail message was blocked. |
| LOG | The mail event was only logged. |
| UNKNOWN | An unknown action was taken in response to this event. |
| WARN | A warning was issued about the content of the mail that triggered this mail event. |