Trust Center Alert and Audit Logging

Modified on Thu, 31 Oct at 4:27 PM

Overview

The Trust Center emits its audit logs via syslog in CEF format. The sections below describe the syslog header, the CEF header, and the fields present in the CEF payload for alert and audit events.


Syslog + CEF Headers

AZT Syslog Headers:

2024-08-07T15:21:24.887577+00:00 aria-azt-trustcenter AZT - - - 
2024-08-08T15:36:59.613080+00:00 aria-azt-trustcenter AZT - - -

This is the basic syslog header, containing the timestamp, the source hostname, and the source application name; the three trailing dashes are empty (nil) header fields.


AZT CEF Headers: 

CEF:0|ARIA|AZT|1.15.0.4822|TrustCenter|Alert|info| 
CEF:0|ARIA|AZT|1.15.0.4822|TrustCenter|Audit|info|

Our syslog messages are formatted in CEF. The CEF header breaks down as follows:


Item           | Example
CEF Version    | CEF:0
Device Vendor  | ARIA
Device Product | AZT
Device Version | 1.15.0.4822
Signature ID   | TrustCenter
Name           | Alert or Audit
Severity       | info


CEF Payload (Alert)

Example Messages (one per countermeasure):

CEF:0|ARIA|AZT|1.15.0.4822|TrustCenter|Alert|info|time="2024-08-09 20:32:28.737041+00:00" countermeasure__name="SHELLCODE" countermeasure__display_name="Malicious Shellcode" filename="c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe" message="Malicious Shellcode detected for c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe" blocked="False" payload__alert_type="ALERT_TYPE_SHELLCODE" payload__binary_id="d833b9523e3813950065f6979ea59edcc3366d20d997b68933cca59387f32d85" payload__cmdLine="" payload__filename="c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe" payload__policy_type="POLICY_TYPE_DETECT" payload__targetFileName="" application__trusted="True" application__version="4.8.9037.0" application_architecture="None" 

CEF:0|ARIA|AZT|1.15.0.4822|TrustCenter|Alert|info|time="2024-08-09 20:20:51.324187+00:00" countermeasure__name="WRITE_BUF" countermeasure__display_name="Write Buffer" filename="c:\windows\explorer.exe" message="No TrustID was found for a buffer in c:\windows\explorer.exe" blocked="False" payload__alert_type="ALERT_TYPE_WRITE_BUF" payload__binary_id="0dd5c564ca75e2bf273340b113c90db222f685f50b27d901e9795bc1d30fd376" payload__cmdLine="explorer.exe" payload__filename="c:\windows\explorer.exe" payload__policy_type="POLICY_TYPE_DETECT" payload__targetFileName="\Users\aria\Desktop\Attacks\Attacks\vcrun140dx64\vcruntime140d.dll" application__trusted="True" application__version="10.0.19041.4648" application_architecture="None" 

CEF:0|ARIA|AZT|1.15.0.4822|TrustCenter|Alert|info|time="2024-08-07 15:21:24.830187+00:00" countermeasure__name="NO_TRUST" countermeasure__display_name="No Trust" filename="c:\users\aria\desktop\aztprograms\azt programs\3d_pinball_for_windows_space_cadet.exe" message="No TrustID found for c:\users\aria\desktop\aztprograms\azt programs\3d_pinball_for_windows_space_cadet.exe" blocked="False" payload__alert_type="ALERT_TYPE_NO_TRUST" payload__binary_id="aed57423999265d5d14b2a04d89a00f115e9e54a583b5057828b409e64ed8d21" payload__cmdLine="" payload__filename="c:\users\aria\desktop\aztprograms\azt programs\3d_pinball_for_windows_space_cadet.exe" payload__policy_type="POLICY_TYPE_DETECT" payload__targetFileName="" application__trusted="False" application__version="" application_architecture="None"

CEF Payload (Alert Events)

time="2024-08-07 15:21:24.830187+00:00" countermeasure__name="NO_TRUST" countermeasure__display_name="No Trust" filename="c:\users\aria\desktop\aztprograms\azt programs\3d_pinball_for_windows_space_cadet.exe" message="No TrustID found for c:\users\aria\desktop\aztprograms\azt programs\3d_pinball_for_windows_space_cadet.exe" blocked="False" payload__alert_type="ALERT_TYPE_NO_TRUST" payload__binary_id="aed57423999265d5d14b2a04d89a00f115e9e54a583b5057828b409e64ed8d21" payload__cmdLine="" payload__filename="c:\users\aria\desktop\aztprograms\azt programs\3d_pinball_for_windows_space_cadet.exe" payload__policy_type="POLICY_TYPE_DETECT" payload__targetFileName="" application__trusted="False" application__version="" application_architecture="None"


Key                  | Description                                    | Example
time                 | Time of the alert                              | 2024-08-07 15:21:24.830187+00:00
countermeasure__name | Countermeasure type                            | NO_TRUST
filename             | Filename associated with the alert             | c:\users\aria\desktop\aztprograms\azt programs\3d_pinball_for_windows_space_cadet.exe
message              | The audit message                              | WIN10-22H2-64 (10.6.10.29): No TrustID found for c:\users\aria\desktop\attacks\attacks\poolparty.exe
blocked              | Whether AZT blocked the binary from executing  | False


Splunk Output (Alert Event)


CEF Payload (Audit)


Example Message:

CEF:0|ARIA|AZT|1.15.0.4822|TrustCenter|Audit|info|id="187872" category="ALERT" acknowledged="False" message="WIN10-22H2-64 (10.6.10.29): No TrustID found for c:\users\aria\desktop\attacks\attacks\poolparty.exe" user="None" ip_addr="10.6.10.29" data__pk="4727" data__id="4727" data__created_at="2024-08-08 15:36:59.570382" data__created_by="None" data__created_ip="10.6.10.29" data__updated_at="2024-08-08 15:36:59.570415" data__updated_by="None" data__updated_ip="10.6.10.29" data__time="2024-08-08 15:36:59.569978" data__device="WIN10-22H2-64 (10.6.10.29)" data__trustcenter="None" data__recorded="2024-08-08 15:36:59.570078" data__timestamp="2024-08-08 15:36:59.570453" data__user="aria" data__facility="alert" data__severity="4" data__message="No TrustID found for c:\users\aria\desktop\attacks\attacks\poolparty.exe" data__payload="{" data__filename="c:\users\aria\desktop\attacks\attacks\poolparty.exe" data__application_name="poolparty.exe" data__status="1" data__countermeasure="NO_TRUST" data__blocked="False" data__binary_id="ed6dee4445c3c316011c602b01c04b06a730f5b75e489c69ca064e5644c3edda" data__file_digest="" data__resolved_by="None" data__resolved_at="None" data__restored_by="None" data__restored_at="None" data__audits="audit.Audit.None" source_model="alert.Alert" action="create"


CEF Payload (Audit Events)

id="187872" category="ALERT" acknowledged="False" message="WIN10-22H2-64 (10.6.10.29): No TrustID found for c:\users\aria\desktop\attacks\attacks\poolparty.exe" user="None" ip_addr="10.6.10.29" data__pk="4727" data__id="4727" data__created_at="2024-08-08 15:36:59.570382" data__created_by="None" data__created_ip="10.6.10.29" data__updated_at="2024-08-08 15:36:59.570415" data__updated_by="None" data__updated_ip="10.6.10.29" data__time="2024-08-08 15:36:59.569978" data__device="WIN10-22H2-64 (10.6.10.29)" data__trustcenter="None" data__recorded="2024-08-08 15:36:59.570078" data__timestamp="2024-08-08 15:36:59.570453" data__user="aria" data__facility="alert" data__severity="4" data__message="No TrustID found for c:\users\aria\desktop\attacks\attacks\poolparty.exe" data__payload="{" data__filename="c:\users\aria\desktop\attacks\attacks\poolparty.exe" data__application_name="poolparty.exe" data__status="1" data__countermeasure="NO_TRUST" data__blocked="False" data__binary_id="ed6dee4445c3c316011c602b01c04b06a730f5b75e489c69ca064e5644c3edda" data__file_digest="" data__resolved_by="None" data__resolved_at="None" data__restored_by="None" data__restored_at="None" data__audits="audit.Audit.None" source_model="alert.Alert" action="create"


For audit events, the CEF payload is a set of key="value" pairs that can be grokked automatically. The current keys and their descriptions are:


Key          | Description                                                            | Example
id           | Unique ID for the audit message                                        | 187872
category     | Category string for the audit message                                  | ALERT
acknowledged | Whether the audit message has been acknowledged by the Trust Center    | False
message      | The audit message                                                      | WIN10-22H2-64 (10.6.10.29): No TrustID found for c:\users\aria\desktop\attacks\attacks\poolparty.exe
user         | The user who generated the audit message                               | None
ip_addr      | The IP address which caused the audit message to be generated          | 10.6.10.29
payload      | Additional information about the audit message in JSON format          | {" data__filename="c:\users\aria\desktop\attacks\attacks\poolparty.exe" data__application_name="poolparty.exe" data__status="1" data__countermeasure="NO_TRUST" data__blocked="False" data__binary_id="ed6dee4445c3c316011c602b01c04b06a730f5b75e489c69ca064e5644c3edda" data__file_digest="" data__resolved_by="None" data__resolved_at="None" data__restored_by="None" data__restored_at="None"
source_model | The Trust Center component which invoked the audit log message         | alert.Alert
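As an added example (not part of this article or of the AZT product), the following Python parser splits the syslog header, the seven-field CEF header and the key="value" extension described in the Alert and Audit sections above, and then filters for alerts where a countermeasure fired in detect-only mode without blocking. The sample lines are constructed from the page's examples; the function names are our own.

```python
import re

# Constructed sample lines in the format this article documents: a syslog header
# (timestamp, hostname, app-name, three empty "-" fields), then the CEF header and
# a key="value" extension. Field values are copied from the page's own examples.
SAMPLE_ALERT = (
    '2024-08-07T15:21:24.887577+00:00 aria-azt-trustcenter AZT - - - '
    'CEF:0|ARIA|AZT|1.15.0.4822|TrustCenter|Alert|info|'
    'time="2024-08-07 15:21:24.830187+00:00" countermeasure__name="NO_TRUST" '
    'filename="c:\\users\\aria\\desktop\\aztprograms\\azt programs\\3d_pinball_for_windows_space_cadet.exe" '
    'blocked="False" payload__policy_type="POLICY_TYPE_DETECT" application__trusted="False"'
)
SAMPLE_AUDIT = (
    '2024-08-08T15:36:59.613080+00:00 aria-azt-trustcenter AZT - - - '
    'CEF:0|ARIA|AZT|1.15.0.4822|TrustCenter|Audit|info|'
    'id="187872" category="ALERT" acknowledged="False" data__payload="{" '
    'source_model="alert.Alert" action="create"'
)

CEF_HEADER_FIELDS = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")
# Extension values are double-quoted, so spaces and backslashes inside them are safe to match.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_azt_message(line: str) -> dict:
    """Split one AZT syslog line into syslog header, CEF header and extension fields."""
    syslog_part, sep, cef_part = line.partition("CEF:")
    if not sep:
        raise ValueError("no CEF header in line")
    # Syslog header order: TIMESTAMP HOSTNAME APP-NAME, then three nil ("-") fields.
    timestamp, host, app = syslog_part.split()[:3]
    # Seven pipe-separated header fields; everything after the 7th pipe is the extension.
    header = ("CEF:" + cef_part).split("|", 7)
    if len(header) != 8:
        raise ValueError("malformed CEF header")
    parsed = {"timestamp": timestamp, "host": host, "app": app}
    parsed.update(zip(CEF_HEADER_FIELDS, header[:7]))
    parsed["ext"] = dict(KV_RE.findall(header[7]))
    return parsed

def unblocked_detect_alerts(lines) -> list:
    """Alerts where a countermeasure fired in detect-only mode and the binary ran anyway."""
    hits = []
    for line in lines:
        msg = parse_azt_message(line)
        ext = msg["ext"]
        if (msg["name"] == "Alert" and ext.get("blocked") == "False"
                and ext.get("payload__policy_type") == "POLICY_TYPE_DETECT"):
            hits.append((ext.get("countermeasure__name"), ext.get("filename")))
    return hits
```

The same parser handles both message types because the Audit extension differs only in its key names; feed the resulting `ext` dict into whatever SIEM field mapping you use.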


Splunk Output (Audit Event)
