Expected Sample Log Format
Trend Micro DB v11
Expected Queries
SELECT * FROM [db_ControlManager].[dbo].[v_Virus_HostDetail]
SELECT v.ActionGroup as action_group,
       v.ActionResult as action_result,
       v.DetectionCount as detection_count,
       v.DetectionTime as detection_ts,
       v.EntityID as entity_id,
       v.EntityName as entity_name,
       v.FileCompressed as file_compressed,
       v.FileName as file_name,
       v.FilePath as file_path,
       v.FirstAction as first_action,
       v.FirstActionResult as first_action_result,
       v.ID as event_id,
       v.IPAddressList as source_address,
       v.InfectionDestination as infection_destination,
       v.InfectionSource as infection_source,
       v.LoginUserName as user_name,
       v.MACAddressList as hardware_address,
       v.ProductType as product_type,
       v.ReceivedTime as received_ts,
       v.ScanType as scan_type,
       v.SecondAction as second_action,
       v.SecondActionResult as second_action_result,
       v.ServerID as server_id,
       v.ServerName as server_name,
       v.ThreatType as threat_type,
       v.VirusName as virus,
       tb.EventId as description,
       tb.ScanResult as scan_result
FROM v_Virus_HostDetail as v
LEFT JOIN tb_ScanResultToEventID as tb ON v.ActionResult = tb.ScanResult
Expected Log Sample
"111";"1111111AA1111-1A1A1AA1-11A1-1A1A-1111";"1111";"1";"7A11A1111A11-1111AA1A-1A11-1111-A111";"111111AA1111-1A111A11-11AA-AAA1-1111";"0";"46";"1.1";"1111111";"2018-08-20 11:52:54";"-60";"2018-08-20 11:54:48";"2018-08-20 09:54:48";"-60";"2";"10";"False";"ext-webav03";"8";"1";"";"1";"3";"HEUR_JS.CRE";"False";"11";"1";"1";"11";"11";"anonymous-object";"http://https://xyz.com/s3-build/28168-rc2018-08-15_16.04-5d91351/django/js/require_built/require/apps/contact_organizer/xyz.js";"";"http://https://xyz.com/s3-build/28168-rc2018-08-15_16.04-5d91351/django/js/require_built/require/apps/contact_organizer/xyz.js";"1.1.1.11";"1";"10.0001040";"None";"1111111";"";"0";"1900-01-01 00:00:00";"";"";"";"0";"";"0";"";"xxx.xxx.x.xxx";"";"0";"0";"3";"0";"";" ";"1";"1900-01-01 00:00:00";"1900-01-01 00:00:00";"";"";"";"None";"None";"None";"None";"None";
Trend Micro DB v12
Expected Query
SELECT * FROM tb_AVVirusLog
Expected Log Sample
"111";"1111111AA1111-1A1A1AA1-11A1-1A1A-1111";"1111";"1";"7A11A1111A11-1111AA1A-1A11-1111-A111";"111111AA1111-1A111A11-11AA-AAA1-1111";"0";"46";"1.1";"1111111";"2018-08-20 11:52:54";"-60";"2018-08-20 11:54:48";"2018-08-20 09:54:48";"-60";"2";"10";"False";"ext-webav03";"8";"1";"";"1";"3";"HEUR_JS.CRE";"False";"11";"1";"1";"11";"11";"anonymous-object";"http://https://xyz.com/s3-build/28168-rc2018-08-15_16.04-5d91351/django/js/require_built/require/apps/contact_organizer/xyz.js";"";"http://https://xyz.com/s3-build/28168-rc2018-08-15_16.04-5d91351/django/js/require_built/require/apps/contact_organizer/xyz.js";"1.1.1.11";"1";"10.0001040";"None";"1111111";"";"0";"1900-01-01 00:00:00";"";"";"";"0";"";"0";"";"192.168.3.213";"";"0";"0";"3";"0";"";" ";"1";"1900-01-01 00:00:00";"1900-01-01 00:00:00";"";"";"";"None";"None";"None";"None";"None";
Trend Micro Control Manager (Key = Value pair)
<133>Oct 24 17:04:03 TMCM:SLF_INCIDENT_EVT_VIRUS_FOUND_DELETE_SUCCESS Security product="xyz" Security product node ="AAAAAAA111" Security product IP="1.1.1.1" Event time="24-10-2013 14:00:05" Virus="Eicar_test_file" Action taken="Delete" Result="File deleted" Infection destination="randomHost" Infection destination IP="1.1.1.1" Infection source="N/A" Infection source IP="1.1.1.1" Destination IP="1.1.1.1" Source IP="111.111.1.111" Domain="N/A"
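The Key="Value" pairs in the TMCM sample above have keys that contain spaces ("Security product node", "Action taken", "Infection destination IP"), so splitting the message on whitespace mis-parses it. The parser below is an added example, not LogPoint's or Trend Micro's code: it separates the syslog PRI, timestamp, tag and event name from the body with one regex, then extracts each quoted pair with a second one that allows spaces inside keys. The sample line is copied from this page; the output field names are this example's own choice.

```python
import re

# Sample copied from the TMCM section of this page.
TMCM_SAMPLE = ('<133>Oct 24 17:04:03 TMCM:SLF_INCIDENT_EVT_VIRUS_FOUND_DELETE_SUCCESS '
               'Security product="xyz" Security product node ="AAAAAAA111" '
               'Security product IP="1.1.1.1" Event time="24-10-2013 14:00:05" '
               'Virus="Eicar_test_file" Action taken="Delete" Result="File deleted" '
               'Infection destination="randomHost" Infection destination IP="1.1.1.1" '
               'Infection source="N/A" Infection source IP="1.1.1.1" '
               'Destination IP="1.1.1.1" Source IP="111.111.1.111" Domain="N/A"')

# <PRI>Mon DD HH:MM:SS TAG:EVENT_NAME body...
_HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) '
    r'(?P<tag>[^:\s]+):(?P<event>\S+)\s+(?P<body>.*)$')

# A key is a word followed by optional words/spaces, then optional whitespace,
# '=' and a double-quoted value. The lazy quantifier keeps the key as short as
# possible so the trailing space in 'Security product node =' is not captured.
_PAIR_RE = re.compile(r'(\w[\w ]*?)\s*="([^"]*)"')


def parse_tmcm(line):
    """Parse one TMCM Key="Value" syslog message into a dict."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        raise ValueError('not a TMCM key=value message')
    pri = int(m.group('pri'))
    fields = {key.strip(): value for key, value in _PAIR_RE.findall(m.group('body'))}
    return {
        'facility': pri // 8,        # syslog PRI = facility * 8 + severity
        'severity': pri % 8,
        'timestamp': m.group('ts'),
        'tag': m.group('tag'),
        'event': m.group('event'),
        'fields': fields,
    }


if __name__ == '__main__':
    event = parse_tmcm(TMCM_SAMPLE)
    print(event['event'], event['fields']['Virus'], event['fields']['Action taken'])
```

Keys are looked up with their original spelling ("Security product node"), so a normalisation layer can map them to the SIEM's own field names in one place rather than guessing at token boundaries.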
Trend Micro IWSVA (Key = Value separated by comma)
<134>logpoint: <Thu, 08 Oct 2015 13:31:45,CEST> [EVT_URL_ACCESS_TRACKING|LOG_INFO] Access tracking log tk_username=1.1.1.111,tk_url=http:///,tk_size=11,tk_date_field=2015-10-08 13:31:45+0200,tk_protocol=http,tk_mime_content=text/html,tk_server=logpoint,tk_client_ip=1.1.1.1,tk_server_ip=,tk_domain=,tk_path=/,tk_file_name=,tk_operation=,tk_uid=0111111111-aa1a111aa1a1aaa111a1,tk_category=0,tk_category_type=0
Trend Micro IWSVA (Pipe-separated logs)
2021/02/15 10:29:20 log_ts=2021/02/15 10:29:20 | device_ip=1.1.1.1 | device_name=IWSVA | col_type=syslog | repo_name=IWSVA | severity=6 | facility=16 | col_ts=2021/02/15 10:29:20 | collected_at=LogPoint | logpoint_name=LogPoint |
<134>ae-e-iwsva-test: <Mon, 15 Feb 2021 10:29:20,CET> [EVT_URL_ACCESS_TRACKING|LOG_INFO] Access tracking log -|1.1.1.1|-|15/Feb/2021:10:29:20.038 +0100|www.abc.com|GET /discover/adiscover.xml HTTP/1.1|301|253|613|http://www.abc.com/discover/adiscover.xml|12|ALLOW|-|81|-|21|HyperText Transfer Protocol|OC/1.1.1.4 (Skype for Business)|1.1.1.7
Trend Micro IMSVA (Syslog)
<183>Aug 30 12:29:34 clos1097 xyz[25676]: 2016/08/30 12:29:08 GMT+02:00 [9404:157633392] [NORMAL]LOG_LEVEL_INFO: [RequestHandler.cpp][51][processScoreResult] Rate result from xyz is URL=http://www.com, Score=1, Category=1-1-1, soType=-1, soAction=-1, isSmart=0
Trend Micro IMSS (Syslog)
2014/01/27 00:02:01 GMT+08:00 1A111AA1-111A-1A11-11A1-1AA1A1A1111A [email protected] [email protected] New Year Reduce Programs! 2 Default spam rule 0100000000000 3.341797 01000000000000 22.770000 31 2 1 15 0 0 <[email protected]> 0 0 0 0
Trend Micro Deep Security (CEF)
CEF:0|Trend Micro|Deep Security Agent|11|4000000|TROJ_KOVTER|6|cn1=1 cn1Label=Host ID dvchost=CB-SENSOR-04 cn2=1111 cn2Label=Quarantine File Size cs6=ContainerImageName | ContainerName | ContainerID cs6Label=Container filePath=C:\\Users\\user_vdc1\\AppData\\Local\\Temp\\xyz.exe act=Delete msg=Realtime TrendMicroDsMalwareTarget=N/A TrendMicroDsMalwareTargetType=N/A TrendMicroDsFileMD5=71B6A493388E7D0B4xxxE903BC6B04 TrendMicroDsFileSHA1=xxx17AABA5684FBE56D3C57D48EF2A1AA7CF06D TrendMicroDsFileSHA256=xxxF653329641EC1FED91F694E0D229928963B30F6B0D7D3A745 TrendMicroDsDetectionConfidence=90 TrendMicroDsRelevantDetectionNames=Ransom_PETYA.TH627
Trend Micro Deep Discovery (CEF)
<156>CEF:0|Trend Micro|Deep Discovery Email Inspector|2.5.1300|100132|URL_DETECTION|6|rt=Oct 18 2016 07:26:45 GMT-02:45 src=111.111.1.1 cs3Label=messageId cs3=<609.21864595.201610180530421595401.0007403615@e.logpoint.com> cn1Label=emailSeverity cn1=6 mailMsgSubject=C'est le moment de préparer votre maison au! urlCat=75 request=http://l.enews.lin=14339&tp\=i-hl-1c-561u-1c-1tgkd-teqle act=quarantined dvchost=AAA-AAA-AAAAA dvc=192.168.10.17 deviceGUID=942c05a9-dae7-4fe7-84fa-872187e658b8 [email protected] cn2Label=msgSize cn2=87381 cn3Label=emailThreatType cn3=3 [email protected] dvcmac=xx:xx:xx:xx:f9:73 cs1Label=emailThreats cs1=FRAUD_PHISHING.WRS|FRAUD_PHISHING.WRS|FRAUD_PHISHING.WRS|FRAUD_PHISHING.WRS|FRAUD_PHISHING.WRS|FRAUD_PHISHING.WRS|FRAUD_PHISHING.WRS|FRAUD_PHISHING.WRS|FRAUD_PHISHING.WRS|FRAUD_PHISHING.WRS|FRAUD_PHISHING.WRS|FRAUD_PHISHING.WRS|FRAUD_PHISHING.WRS|FRAUD_PHISHING.WRS|FRAUD_PHISHING.WRS|FRAUD_PHISHING.WRS|FRAUD_PHISHING.WRS|FRAUD_PHISHING.WRS threatName=FRAUD_PHISHING.WRS cs2Label=msgUuid cs2=10A0BAF8-3F1C-xxxx-A1AA111111A1
Trend Micro Office Scan (JSON)
<12>Sep 8 10:55:15 trend.logpoint.kb.local Trend_Micro_OfficeScan_Server[0]:{"EventTime":"2017-09-08 10:45:30","Hostname":"trend.logpoint.kb.local","Keywords":11111111111,"EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":111,"SourceName":"Trend Micro OfficeScan Server","Task":5,"RecordNumber":1111111,"ProcessID":0,"ThreadID":0,"Channel":"Application","Domain":"AUTORITE NT","AccountName":"System","UserID":"S-1-5-18","AccountType":"User","Message":"Virus/programme malveillant : JS_NEMUCOD.XYAB\r\nEndpoint : A1A-AA-111-111\r\nDomaine trend.logpoint.kb.local\\Vdi\\xyz\\abc\\\r\nFichier : L:\\Users\\dbg\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\AAAAAA\\info[1].zip (info.js)\r\nDate et heure : 08/09/2017 10:54:23\r\nRésultat : Encrypted \r\n","Category":"System","EventData":"<Data>Virus/programme malveillant : JS_NEMUCOD.XYAB\r\nEndpoint : A1A-AA-111-111\r\nDomaine trend.logpoint.kb.local\\Vdi\\Clones_lies\\Templates\\\r\nFichier : L:\\Users\\dbg\abc\\xyz\\def\\ghi\\Temporary Internet Files\\Content.AA1\\1A1AAAAA\\info[1].zip (info.js)\r\nDate et heure : 08/09/2017 10:54:23\r\nRésultat : Encrypted \r\n</Data>","EventReceivedTime":"2017-09-08 10:55:15","SourceModuleName":"zyx","SourceModuleType":"im_msvistalog"}
Trend Micro Cloud App Security
CEF:0|Trend Micro|CAS|5.0|100,104|dlp|High|DevicePayloadId=9dff6435-47b0-423a-a31a-3d63fa4e4194 destinationServiceName=OneDrive cat=data_protection msg=Real-time scan TrendMicroCasAffectedUser=John.Doe@example.com TrendMicroCasLocation=https://example-my.sharepoint.com/personal/john_doe_example_com/Documents/Microsoft Teams Chat Files/ rt=2021-04-26T06:27:02.000Z TrendMicroCasPolicyName=Default OneDrive Policy DLP TrendMicroCasFilter=Data Loss Prevention act=Pass outcome=success fname=Sample document.pdf fileCreateTime=2021-04-26T06:21:26.000Z
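The Deep Security, Deep Discovery and Cloud App Security samples above are all CEF, and they exercise the parts of that format that trip up naive parsers: the header is pipe-delimited but extension values may contain unescaped pipes (cs6 in the Deep Security sample), values contain spaces (msg, fname, TrendMicroCasPolicyName), backslashes are doubled (filePath), '=' inside a value is escaped as '\=' (request in the Deep Discovery sample), custom fields cnN/csN are named by a matching cnNLabel/csNLabel key, and a syslog PRI may precede the CEF: prefix. The parser below is an added example, not LogPoint's or Trend Micro's code; the three sample lines are copied from this page, and the keys of the returned dict are this example's own naming.

```python
import re

# Samples copied from the CEF sections of this page.
DEEP_SECURITY_SAMPLE = r'CEF:0|Trend Micro|Deep Security Agent|11|4000000|TROJ_KOVTER|6|cn1=1 cn1Label=Host ID dvchost=CB-SENSOR-04 cn2=1111 cn2Label=Quarantine File Size cs6=ContainerImageName | ContainerName | ContainerID cs6Label=Container filePath=C:\\Users\\user_vdc1\\AppData\\Local\\Temp\\xyz.exe act=Delete msg=Realtime TrendMicroDsMalwareTarget=N/A TrendMicroDsMalwareTargetType=N/A TrendMicroDsFileMD5=71B6A493388E7D0B4xxxE903BC6B04 TrendMicroDsFileSHA1=xxx17AABA5684FBE56D3C57D48EF2A1AA7CF06D TrendMicroDsFileSHA256=xxxF653329641EC1FED91F694E0D229928963B30F6B0D7D3A745 TrendMicroDsDetectionConfidence=90 TrendMicroDsRelevantDetectionNames=Ransom_PETYA.TH627'
DEEP_DISCOVERY_SAMPLE = r"<156>CEF:0|Trend Micro|Deep Discovery Email Inspector|2.5.1300|100132|URL_DETECTION|6|rt=Oct 18 2016 07:26:45 GMT-02:45 src=111.111.1.1 cs3Label=messageId cs3=<609.21864595.201610180530421595401.0007403615@e.logpoint.com> cn1Label=emailSeverity cn1=6 mailMsgSubject=C'est le moment de préparer votre maison au! urlCat=75 request=http://l.enews.lin=14339&tp\=i-hl-1c-561u-1c-1tgkd-teqle act=quarantined dvchost=AAA-AAA-AAAAA dvc=192.168.10.17 deviceGUID=942c05a9-dae7-4fe7-84fa-872187e658b8 [email protected] cn2Label=msgSize cn2=87381 cn3Label=emailThreatType cn3=3 [email protected] dvcmac=xx:xx:xx:xx:f9:73 cs1Label=emailThreats cs1=FRAUD_PHISHING.WRS|FRAUD_PHISHING.WRS|FRAUD_PHISHING.WRS threatName=FRAUD_PHISHING.WRS cs2Label=msgUuid cs2=10A0BAF8-3F1C-xxxx-A1AA111111A1"
CAS_SAMPLE = r'CEF:0|Trend Micro|CAS|5.0|100,104|dlp|High|DevicePayloadId=9dff6435-47b0-423a-a31a-3d63fa4e4194 destinationServiceName=OneDrive cat=data_protection msg=Real-time scan TrendMicroCasAffectedUser=John.Doe@example.com TrendMicroCasLocation=https://example-my.sharepoint.com/personal/john_doe_example_com/Documents/Microsoft Teams Chat Files/ rt=2021-04-26T06:27:02.000Z TrendMicroCasPolicyName=Default OneDrive Policy DLP TrendMicroCasFilter=Data Loss Prevention act=Pass outcome=success fname=Sample document.pdf fileCreateTime=2021-04-26T06:21:26.000Z'

_PRI_RE = re.compile(r'^<\d{1,3}>')
# An extension key is an identifier at the start of the extension or after
# whitespace, directly followed by an unescaped '='. Everything up to the next
# such key is the value, so spaces and '|' inside values survive.
_KEY_RE = re.compile(r'(?:^|\s)([A-Za-z0-9_]+)=')
_LABEL_RE = re.compile(r'^(c[sn]\d+|flexString\d+|flexDate\d+|deviceCustomDate\d+)Label$')
_ESCAPE_RE = re.compile(r'\\(.)')


def _split_header(line):
    """Return the seven '|'-delimited header fields and the extension string,
    treating '\\|' and '\\\\' as escapes rather than delimiters."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == '\\' and i + 1 < len(line) and line[i + 1] in '|\\':
            buf.append(line[i + 1])
            i += 2
        elif ch == '|':
            fields.append(''.join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError('malformed CEF header: fewer than 7 fields')
    return fields, line[i:]


def _unescape(value):
    # CEF extension escapes: \= \\ \r \n (any other escaped char is kept as-is).
    return _ESCAPE_RE.sub(lambda m: {'r': '\r', 'n': '\n'}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext):
    out = {}
    keys = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start(1) if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def parse_cef(line):
    """Parse one CEF message (optionally prefixed by a syslog <PRI>) into a dict."""
    line = _PRI_RE.sub('', line.strip())
    if not line.startswith('CEF:'):
        raise ValueError('not a CEF message')
    fields, ext = _split_header(line)
    extension = _parse_extension(ext)
    # Resolve cnN/csN/... custom fields to the names their *Label keys assign.
    labeled = {}
    for key, label in extension.items():
        m = _LABEL_RE.match(key)
        if m and m.group(1) in extension:
            labeled[label] = extension[m.group(1)]
    return {
        'cef_version': fields[0].split(':', 1)[1],
        'vendor': fields[1], 'product': fields[2], 'version': fields[3],
        'signature_id': fields[4], 'name': fields[5], 'severity': fields[6],
        'extension': extension, 'labeled': labeled,
    }


if __name__ == '__main__':
    for sample in (DEEP_SECURITY_SAMPLE, DEEP_DISCOVERY_SAMPLE, CAS_SAMPLE):
        event = parse_cef(sample)
        print(event['product'], event['name'], event['severity'], event['labeled'])
```

Note that severity is returned as a string: Deep Security and Deep Discovery emit a number (6) while Cloud App Security emits a word (High), so the mapping to one numeric scale belongs in the normalisation step, not in the parser. The repeated FRAUD_PHISHING.WRS entries in the Deep Discovery cs1 value were shortened to three for readability; the parser does not depend on their count.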