MISP SecOps Rules issues with Time Matches

Forum|Forum|9 months ago
June 2, 2025
32 replies
200 views

jeffbezos42
New Member

Hi All,

I am having issues with MISP rules in SecOps. We have integrated via the documentation here using a Webhook: https://cloud.google.com/chronicle/docs/ingestion/default-parsers/misp

The parser itself whilst it does extract some fields is still raw and doesn't correlate timeframes. We aren't interested in the time the IoC was ingested from MISP but rather the time ti was published from the third party threat provider in a field known as

extracted.fields["Event.date"])

Using this field we can concatenate '00:00:00' to it to convert it into UTC:

strings.concat($g.extracted.fields["Event.date"], " 00:00:00")

The issue is that it is supposed to look for all fields of this value within the past 6 months and then correlate these to new events of other log sources with field 'IP'. The date of ingestion for MISP events really isn't important here. You can see the code snippet for this below:

  events:
    $ip = $e.principal.ip
    $userid = $e.target.user.userid

    // MISP IOC data (joined via IP)
    $e.principal.ip = $g.extracted.fields["Event._AttributeFlattened[0].value"]

    $g.metadata.log_type = "MISP_IOC"
    $g.extracted.fields["Event.Attribute[0].category"] = "Network activity"
    $ioc_event_date = ($g.extracted.fields["Event.date"])
    $ioc_event_timestamp = strings.concat($g.extracted.fields["Event.date"], " 00:00:00")
  match:
    $userid over 1m

  outcome:
    // Parse timestamp
    $event_time = max($e.metadata.event_timestamp.seconds)

    // Parse MISP date
    $misp_time = max(timestamp.as_unix_seconds($ioc_event_timestamp, "GMT"))


    // Calculate delta in days
    $ioc_delta = ($event_time - $misp_time) / 86400

    // Risk scoring
    $risk_score = max(35)
        + if($ioc_delta <= 1, 45, 0)
        + if($ioc_delta <= 7 and $ioc_delta > 1, 30, 0)
        + if($ioc_delta <= 30.44 and $ioc_delta > 7, 10, 0)
        + if($ioc_delta <= 60 and $ioc_delta > 30.44, 0, 0)
        - if($ioc_delta > 60, 10, 0)

  condition:
    $e and $g and $ioc_delta < 180

}

If someone has had any experience with authoring rules from webhook methodology that could help resolve this issue that would be greatly appreciated. I am not interested in importing CSVs as this is a very static approach and we want to keep things as automated as possible.

Thank you in advance.

Show first post

Forum|pagination.label 2 / 2

+12

AbdElHafez
Staff
Forum|Forum|8 months ago
June 24, 2025

Hi @AbdElHafez thanks for your response. We did try your response above but have had no luck.

Thanks we've taken some time to look within the various objects. We are ingesting all kinds of IOCs from our list not just restricted to the ones in the screenshot for future use although for now we can limit it to:

SHA256
Domain
URL
MD5
Email-src
Hostname
Ip-src
Ip-dst

There are over 359 objects default within MISP, I do not think this is what you are looking for here but here is a snippet of two objects that should be relevant.

Domain-IP:

{
  "attributes": {
    "domain": {
      "categories": [
        "Network activity",
        "External analysis"
      ],
      "description": "Domain name",
      "misp-attribute": "domain",
      "multiple": true,
      "ui-priority": 1
    },
    "first-seen": {
      "description": "First time the tuple has been seen",
      "disable_correlation": true,
      "misp-attribute": "datetime",
      "ui-priority": 0
    },
    "hostname": {
      "description": "Hostname related to the IP",
      "misp-attribute": "hostname",
      "ui-priority": 1
    },
    "ip": {
      "categories": [
        "Network activity",
        "External analysis"
      ],
      "description": "IP Address",
      "misp-attribute": "ip-dst",
      "multiple": true,
      "ui-priority": 1
    },
    "last-seen": {
      "description": "Last time the tuple has been seen",
      "disable_correlation": true,
      "misp-attribute": "datetime",
      "ui-priority": 0
    },
    "port": {
      "categories": [
        "Network activity",
        "External analysis"
      ],
      "description": "Associated TCP port with the domain",
      "misp-attribute": "port",
      "multiple": true,
      "ui-priority": 1
    },
    "registration-date": {
      "description": "Registration date of domain",
      "disable_correlation": false,
      "misp-attribute": "datetime",
      "ui-priority": 0
    },
    "text": {
      "description": "A description of the tuple",
      "disable_correlation": true,
      "misp-attribute": "text",
      "recommended": false,
      "ui-priority": 1
    }
  },
  "description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
  "meta-category": "network",
  "name": "domain-ip",
  "requiredOneOf": [
    "ip",
    "domain",
    "hostname"
  ],
  "uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
  "version": 11

URL:

{
  "attributes": {
    "credential": {
      "description": "Credential (username, password)",
      "misp-attribute": "text",
      "ui-priority": 0
    },
    "dom-hash": {
      "description": "Dom-hash of the URL",
      "misp-attribute": "dom-hash",
      "ui-priority": 0
    },
    "domain": {
      "description": "Full domain",
      "misp-attribute": "domain",
      "ui-priority": 0
    },
    "domain_without_tld": {
      "description": "Domain without Top-Level Domain",
      "misp-attribute": "text",
      "ui-priority": 0
    },
    "first-seen": {
      "description": "First time this URL has been seen",
      "disable_correlation": true,
      "misp-attribute": "datetime",
      "ui-priority": 0
    },
    "fragment": {
      "description": "Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.",
      "misp-attribute": "text",
      "multiple": true,
      "ui-priority": 0
    },
    "host": {
      "description": "Full hostname",
      "misp-attribute": "hostname",
      "ui-priority": 0
    },
    "ip": {
      "description": "Better type when the host is an IP.",
      "misp-attribute": "ip-dst",
      "multiple": true,
      "ui-priority": 0
    },
    "last-seen": {
      "description": "Last time this URL has been seen",
      "disable_correlation": true,
      "misp-attribute": "datetime",
      "ui-priority": 0
    },
    "port": {
      "description": "Port number",
      "disable_correlation": true,
      "misp-attribute": "port",
      "ui-priority": 0
    },
    "query_string": {
      "description": "Query (after path, preceded by '?')",
      "misp-attribute": "text",
      "multiple": true,
      "ui-priority": 0
    },
    "resource_path": {
      "description": "Path (between hostname:port and query)",
      "misp-attribute": "text",
      "multiple": true,
      "ui-priority": 0
    },
    "scheme": {
      "description": "Scheme",
      "disable_correlation": true,
      "misp-attribute": "text",
      "sane_default": [
        "http",
        "https",
        "ftp",
        "gopher",
        "sip"
      ],
      "ui-priority": 0
    },
    "subdomain": {
      "description": "Subdomain",
      "disable_correlation": true,
      "misp-attribute": "text",
      "ui-priority": 0
    },
    "text": {
      "description": "Description of the URL ",
      "misp-attribute": "text",
      "ui-priority": 0
    },
    "tld": {
      "description": "Top-Level Domain",
      "disable_correlation": true,
      "misp-attribute": "text",
      "ui-priority": 0
    },
    "url": {
      "description": "Full URL",
      "misp-attribute": "url",
      "ui-priority": 1
    }
  },
  "description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
  "meta-category": "network",
  "name": "url",
  "requiredOneOf": [
    "url",
    "resource_path"
  ],
  "uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
  "version": 10

Got it.
In that case I think a ticket is the best option.
Also since even my last iteration failed, could you share some specific samples that failed the validation ?
I initially thought you are ingesting only samples like the one you shared earlier, so I might need to add some more conditions to only do the replacement when the ingested IOC is related to phishing.

jeffbezos42
Author
New Member
Forum|Forum|8 months ago
June 24, 2025

i'm ingesting IOCs from events in MISP where the events themselves are grouped under the same ID although the types of IOCs are split up into singular events within SecOps. They all failed validiation as the parameters dropped

jeffbezos42
Author
New Member
Forum|Forum|8 months ago
June 24, 2025

{
  "Event": {
    "id": "58446",
    "org_id": "1",
    "date": "2025-06-12",
    "info": "Member Submission: Phishing, VBS, malspam, Credential pharming activity potentially associated with VHD, Vidar, AutoIT, Snake Keylogger, XWorm (Alert ID: 518fcc31)",
    "uuid": "8b48b32d-c4bb-48e0-9ebc-8b21f3d0c1d0",
    "published": true,
    "analysis": "0",
    "attribute_count": "62",
    "orgc_id": "31",
    "timestamp": "1749763867",
    "distribution": "0",
    "sharing_group_id": "0",
    "proposal_email_lock": false,
    "locked": true,
    "threat_level_id": "4",
    "publish_timestamp": "1749772836",
    "sighting_timestamp": "0",
    "disable_correlation": false,
    "extends_uuid": "",
    "protected": null,
    "Attribute": [
      {
        "id": "1327102",
        "event_id": "58446",
        "object_id": "0",
        "object_relation": null,
        "category": "Network activity",
        "type": "url",
        "to_ids": true,
        "uuid": "2098fe70-1d81-43fc-8bfe-b469fc80533e",
        "timestamp": "1749763867",
        "distribution": "5",
        "sharing_group_id": "0",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "first_seen": null,
        "last_seen": null,
        "value": "https://rvzdm.cn/ketnai",
        "Sighting": [],
        "_allTags": [
          {
            "id": "10",
            "name": "tlp:green",
            "colour": "#33FF00",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2218",
            "name": "malware:Vidar",
            "colour": "#3d5116",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2082",
            "name": "audience-industry:Retail Banking",
            "colour": "#185dda",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2207",
            "name": "malware:VHD",
            "colour": "#b1f090",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2088",
            "name": "attack-pattern:malspam",
            "colour": "#8d99c8",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2256",
            "name": "malware:AutoIT",
            "colour": "#c4cb5f",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2077",
            "name": "attack-pattern:Phishing",
            "colour": "#2976dc",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2095",
            "name": "malware:Lumma Stealer",
            "colour": "#897c44",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2160",
            "name": "malware:XWorm",
            "colour": "#43e90c",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2083",
            "name": "audience-region:Americas",
            "colour": "#d0832e",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2175",
            "name": "malware:HijackLoader",
            "colour": "#25c516",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2133",
            "name": "malware:Snake Keylogger",
            "colour": "#13739f",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2102",
            "name": "tactic:Impact",
            "colour": "#ea268e",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2150",
            "name": "attack-pattern:VBS",
            "colour": "#6f2df7",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2702",
            "name": "malware:DarkCloud",
            "colour": "#7b4f6d",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2084",
            "name": "attack-pattern:Credential pharming",
            "colour": "#25961b",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          }
        ]
      }
    ],
    "Tag": [
      {
        "id": "10",
        "name": "tlp:green",
        "colour": "#33FF00",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2218",
        "name": "malware:Vidar",
        "colour": "#3d5116",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2082",
        "name": "audience-industry:Retail Banking",
        "colour": "#185dda",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2207",
        "name": "malware:VHD",
        "colour": "#b1f090",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2088",
        "name": "attack-pattern:malspam",
        "colour": "#8d99c8",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2256",
        "name": "malware:AutoIT",
        "colour": "#c4cb5f",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2077",
        "name": "attack-pattern:Phishing",
        "colour": "#2976dc",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2095",
        "name": "malware:Lumma Stealer",
        "colour": "#897c44",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2160",
        "name": "malware:XWorm",
        "colour": "#43e90c",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2083",
        "name": "audience-region:Americas",
        "colour": "#d0832e",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2175",
        "name": "malware:HijackLoader",
        "colour": "#25c516",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2133",
        "name": "malware:Snake Keylogger",
        "colour": "#13739f",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2102",
        "name": "tactic:Impact",
        "colour": "#ea268e",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2150",
        "name": "attack-pattern:VBS",
        "colour": "#6f2df7",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2702",
        "name": "malware:DarkCloud",
        "colour": "#7b4f6d",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2084",
        "name": "attack-pattern:Credential pharming",
        "colour": "#25961b",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      }
    ],
    "_AttributeFlattened": [
      {
        "id": "1327102",
        "event_id": "58446",
        "object_id": "0",
        "object_relation": null,
        "category": "Network activity",
        "type": "url",
        "to_ids": true,
        "uuid": "2098fe70-1d81-43fc-8bfe-b469fc80533e",
        "timestamp": "1749763867",
        "distribution": "5",
        "sharing_group_id": "0",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "first_seen": null,
        "last_seen": null,
        "value": "https://rvzdm.cn/ketnai",
        "Sighting": [],
        "_allTags": [
          {
            "id": "10",
            "name": "tlp:green",
            "colour": "#33FF00",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2218",
            "name": "malware:Vidar",
            "colour": "#3d5116",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2082",
            "name": "audience-industry:Retail Banking",
            "colour": "#185dda",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2207",
            "name": "malware:VHD",
            "colour": "#b1f090",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2088",
            "name": "attack-pattern:malspam",
            "colour": "#8d99c8",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2256",
            "name": "malware:AutoIT",
            "colour": "#c4cb5f",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2077",
            "name": "attack-pattern:Phishing",
            "colour": "#2976dc",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2095",
            "name": "malware:Lumma Stealer",
            "colour": "#897c44",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2160",
            "name": "malware:XWorm",
            "colour": "#43e90c",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2083",
            "name": "audience-region:Americas",
            "colour": "#d0832e",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2175",
            "name": "malware:HijackLoader",
            "colour": "#25c516",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2133",
            "name": "malware:Snake Keylogger",
            "colour": "#13739f",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2102",
            "name": "tactic:Impact",
            "colour": "#ea268e",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2150",
            "name": "attack-pattern:VBS",
            "colour": "#6f2df7",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2702",
            "name": "malware:DarkCloud",
            "colour": "#7b4f6d",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2084",
            "name": "attack-pattern:Credential pharming",
            "colour": "#25961b",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          }
        ]
      }
    ]
  }
}

jeffbezos42
Author
New Member
Forum|Forum|8 months ago
June 24, 2025

{
  "Event": {
    "id": "58446",
    "org_id": "1",
    "date": "2025-06-12",
    "info": "Member Submission: Phishing, VBS, malspam, Credential pharming activity potentially associated with VHD, Vidar, AutoIT, Snake Keylogger, XWorm (Alert ID: 518fcc31)",
    "uuid": "8b48b32d-c4bb-48e0-9ebc-8b21f3d0c1d0",
    "published": true,
    "analysis": "0",
    "attribute_count": "62",
    "orgc_id": "31",
    "timestamp": "1749763867",
    "distribution": "0",
    "sharing_group_id": "0",
    "proposal_email_lock": false,
    "locked": true,
    "threat_level_id": "4",
    "publish_timestamp": "1749772836",
    "sighting_timestamp": "0",
    "disable_correlation": false,
    "extends_uuid": "",
    "protected": null,
    "Attribute": [
      {
        "id": "1327102",
        "event_id": "58446",
        "object_id": "0",
        "object_relation": null,
        "category": "Network activity",
        "type": "url",
        "to_ids": true,
        "uuid": "2098fe70-1d81-43fc-8bfe-b469fc80533e",
        "timestamp": "1749763867",
        "distribution": "5",
        "sharing_group_id": "0",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "first_seen": null,
        "last_seen": null,
        "value": "https://rvzdm.cn/ketnai",
        "Sighting": [],
        "_allTags": [
          {
            "id": "10",
            "name": "tlp:green",
            "colour": "#33FF00",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2218",
            "name": "malware:Vidar",
            "colour": "#3d5116",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2082",
            "name": "audience-industry:Retail Banking",
            "colour": "#185dda",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2207",
            "name": "malware:VHD",
            "colour": "#b1f090",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2088",
            "name": "attack-pattern:malspam",
            "colour": "#8d99c8",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2256",
            "name": "malware:AutoIT",
            "colour": "#c4cb5f",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2077",
            "name": "attack-pattern:Phishing",
            "colour": "#2976dc",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2095",
            "name": "malware:Lumma Stealer",
            "colour": "#897c44",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2160",
            "name": "malware:XWorm",
            "colour": "#43e90c",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2083",
            "name": "audience-region:Americas",
            "colour": "#d0832e",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2175",
            "name": "malware:HijackLoader",
            "colour": "#25c516",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2133",
            "name": "malware:Snake Keylogger",
            "colour": "#13739f",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2102",
            "name": "tactic:Impact",
            "colour": "#ea268e",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2150",
            "name": "attack-pattern:VBS",
            "colour": "#6f2df7",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2702",
            "name": "malware:DarkCloud",
            "colour": "#7b4f6d",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2084",
            "name": "attack-pattern:Credential pharming",
            "colour": "#25961b",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          }
        ]
      }
    ],
    "Tag": [
      {
        "id": "10",
        "name": "tlp:green",
        "colour": "#33FF00",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2218",
        "name": "malware:Vidar",
        "colour": "#3d5116",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2082",
        "name": "audience-industry:Retail Banking",
        "colour": "#185dda",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2207",
        "name": "malware:VHD",
        "colour": "#b1f090",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2088",
        "name": "attack-pattern:malspam",
        "colour": "#8d99c8",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2256",
        "name": "malware:AutoIT",
        "colour": "#c4cb5f",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2077",
        "name": "attack-pattern:Phishing",
        "colour": "#2976dc",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2095",
        "name": "malware:Lumma Stealer",
        "colour": "#897c44",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2160",
        "name": "malware:XWorm",
        "colour": "#43e90c",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2083",
        "name": "audience-region:Americas",
        "colour": "#d0832e",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2175",
        "name": "malware:HijackLoader",
        "colour": "#25c516",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2133",
        "name": "malware:Snake Keylogger",
        "colour": "#13739f",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2102",
        "name": "tactic:Impact",
        "colour": "#ea268e",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2150",
        "name": "attack-pattern:VBS",
        "colour": "#6f2df7",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2702",
        "name": "malware:DarkCloud",
        "colour": "#7b4f6d",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2084",
        "name": "attack-pattern:Credential pharming",
        "colour": "#25961b",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      }
    ],
    "_AttributeFlattened": [
      {
        "id": "1327102",
        "event_id": "58446",
        "object_id": "0",
        "object_relation": null,
        "category": "Network activity",
        "type": "url",
        "to_ids": true,
        "uuid": "2098fe70-1d81-43fc-8bfe-b469fc80533e",
        "timestamp": "1749763867",
        "distribution": "5",
        "sharing_group_id": "0",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "first_seen": null,
        "last_seen": null,
        "value": "https://rvzdm.cn/ketnai",
        "Sighting": [],
        "_allTags": [
          {
            "id": "10",
            "name": "tlp:green",
            "colour": "#33FF00",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2218",
            "name": "malware:Vidar",
            "colour": "#3d5116",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2082",
            "name": "audience-industry:Retail Banking",
            "colour": "#185dda",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2207",
            "name": "malware:VHD",
            "colour": "#b1f090",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2088",
            "name": "attack-pattern:malspam",
            "colour": "#8d99c8",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2256",
            "name": "malware:AutoIT",
            "colour": "#c4cb5f",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2077",
            "name": "attack-pattern:Phishing",
            "colour": "#2976dc",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2095",
            "name": "malware:Lumma Stealer",
            "colour": "#897c44",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2160",
            "name": "malware:XWorm",
            "colour": "#43e90c",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2083",
            "name": "audience-region:Americas",
            "colour": "#d0832e",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2175",
            "name": "malware:HijackLoader",
            "colour": "#25c516",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2133",
            "name": "malware:Snake Keylogger",
            "colour": "#13739f",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2102",
            "name": "tactic:Impact",
            "colour": "#ea268e",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2150",
            "name": "attack-pattern:VBS",
            "colour": "#6f2df7",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2702",
            "name": "malware:DarkCloud",
            "colour": "#7b4f6d",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2084",
            "name": "attack-pattern:Credential pharming",
            "colour": "#25961b",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          }
        ]
      }
    ]
  }
}

{
  "Event": {
    "id": "58446",
    "org_id": "1",
    "date": "2025-06-12",
    "info": "Member Submission: Phishing, VBS, malspam, Credential pharming activity potentially associated with VHD, Vidar, AutoIT, Snake Keylogger, XWorm (Alert ID: 518fcc31)",
    "uuid": "8b48b32d-c4bb-48e0-9ebc-8b21f3d0c1d0",
    "published": true,
    "analysis": "0",
    "attribute_count": "62",
    "orgc_id": "31",
    "timestamp": "1749763867",
    "distribution": "0",
    "sharing_group_id": "0",
    "proposal_email_lock": false,
    "locked": true,
    "threat_level_id": "4",
    "publish_timestamp": "1749772836",
    "sighting_timestamp": "0",
    "disable_correlation": false,
    "extends_uuid": "",
    "protected": null,
    "Attribute": [
      {
        "id": "1327118",
        "event_id": "58446",
        "object_id": "0",
        "object_relation": null,
        "category": "Network activity",
        "type": "url",
        "to_ids": true,
        "uuid": "605f7208-2813-4ca6-971b-c849197900dc",
        "timestamp": "1749763867",
        "distribution": "5",
        "sharing_group_id": "0",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "first_seen": null,
        "last_seen": null,
        "value": "https://fxlao.cn/ctaoie",
        "Sighting": [],
        "_allTags": [
          {
            "id": "10",
            "name": "tlp:green",
            "colour": "#33FF00",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2218",
            "name": "malware:Vidar",
            "colour": "#3d5116",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2082",
            "name": "audience-industry:Retail Banking",
            "colour": "#185dda",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2207",
            "name": "malware:VHD",
            "colour": "#b1f090",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2088",
            "name": "attack-pattern:malspam",
            "colour": "#8d99c8",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2256",
            "name": "malware:AutoIT",
            "colour": "#c4cb5f",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2077",
            "name": "attack-pattern:Phishing",
            "colour": "#2976dc",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2095",
            "name": "malware:Lumma Stealer",
            "colour": "#897c44",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2160",
            "name": "malware:XWorm",
            "colour": "#43e90c",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2083",
            "name": "audience-region:Americas",
            "colour": "#d0832e",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2175",
            "name": "malware:HijackLoader",
            "colour": "#25c516",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2133",
            "name": "malware:Snake Keylogger",
            "colour": "#13739f",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2102",
            "name": "tactic:Impact",
            "colour": "#ea268e",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2150",
            "name": "attack-pattern:VBS",
            "colour": "#6f2df7",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2702",
            "name": "malware:DarkCloud",
            "colour": "#7b4f6d",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2084",
            "name": "attack-pattern:Credential pharming",
            "colour": "#25961b",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          }
        ]
      }
    ],
    "Tag": [
      {
        "id": "10",
        "name": "tlp:green",
        "colour": "#33FF00",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2218",
        "name": "malware:Vidar",
        "colour": "#3d5116",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2082",
        "name": "audience-industry:Retail Banking",
        "colour": "#185dda",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2207",
        "name": "malware:VHD",
        "colour": "#b1f090",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2088",
        "name": "attack-pattern:malspam",
        "colour": "#8d99c8",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2256",
        "name": "malware:AutoIT",
        "colour": "#c4cb5f",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2077",
        "name": "attack-pattern:Phishing",
        "colour": "#2976dc",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2095",
        "name": "malware:Lumma Stealer",
        "colour": "#897c44",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2160",
        "name": "malware:XWorm",
        "colour": "#43e90c",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2083",
        "name": "audience-region:Americas",
        "colour": "#d0832e",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2175",
        "name": "malware:HijackLoader",
        "colour": "#25c516",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2133",
        "name": "malware:Snake Keylogger",
        "colour": "#13739f",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2102",
        "name": "tactic:Impact",
        "colour": "#ea268e",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2150",
        "name": "attack-pattern:VBS",
        "colour": "#6f2df7",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2702",
        "name": "malware:DarkCloud",
        "colour": "#7b4f6d",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2084",
        "name": "attack-pattern:Credential pharming",
        "colour": "#25961b",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      }
    ],
    "_AttributeFlattened": [
      {
        "id": "1327118",
        "event_id": "58446",
        "object_id": "0",
        "object_relation": null,
        "category": "Network activity",
        "type": "url",
        "to_ids": true,
        "uuid": "605f7208-2813-4ca6-971b-c849197900dc",
        "timestamp": "1749763867",
        "distribution": "5",
        "sharing_group_id": "0",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "first_seen": null,
        "last_seen": null,
        "value": "https://fxlao.cn/ctaoie",
        "Sighting": [],
        "_allTags": [
          {
            "id": "10",
            "name": "tlp:green",
            "colour": "#33FF00",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2218",
            "name": "malware:Vidar",
            "colour": "#3d5116",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2082",
            "name": "audience-industry:Retail Banking",
            "colour": "#185dda",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2207",
            "name": "malware:VHD",
            "colour": "#b1f090",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2088",
            "name": "attack-pattern:malspam",
            "colour": "#8d99c8",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2256",
            "name": "malware:AutoIT",
            "colour": "#c4cb5f",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2077",
            "name": "attack-pattern:Phishing",
            "colour": "#2976dc",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2095",
            "name": "malware:Lumma Stealer",
            "colour": "#897c44",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2160",
            "name": "malware:XWorm",
            "colour": "#43e90c",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2083",
            "name": "audience-region:Americas",
            "colour": "#d0832e",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2175",
            "name": "malware:HijackLoader",
            "colour": "#25c516",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2133",
            "name": "malware:Snake Keylogger",
            "colour": "#13739f",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2102",
            "name": "tactic:Impact",
            "colour": "#ea268e",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2150",
            "name": "attack-pattern:VBS",
            "colour": "#6f2df7",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2702",
            "name": "malware:DarkCloud",
            "colour": "#7b4f6d",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2084",
            "name": "attack-pattern:Credential pharming",
            "colour": "#25961b",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          }
        ]
      }
    ]
  }
}

jeffbezos42
Author
New Member
Forum|Forum|8 months ago
June 24, 2025

{
  "Event": {
    "id": "58446",
    "org_id": "1",
    "date": "2025-06-12",
    "info": "Member Submission: Phishing, VBS, malspam, Credential pharming activity potentially associated with VHD, Vidar, AutoIT, Snake Keylogger, XWorm (Alert ID: 518fcc31)",
    "uuid": "8b48b32d-c4bb-48e0-9ebc-8b21f3d0c1d0",
    "published": true,
    "analysis": "0",
    "attribute_count": "62",
    "orgc_id": "31",
    "timestamp": "1749763867",
    "distribution": "0",
    "sharing_group_id": "0",
    "proposal_email_lock": false,
    "locked": true,
    "threat_level_id": "4",
    "publish_timestamp": "1749772836",
    "sighting_timestamp": "0",
    "disable_correlation": false,
    "extends_uuid": "",
    "protected": null,
    "Attribute": [
      {
        "id": "1327118",
        "event_id": "58446",
        "object_id": "0",
        "object_relation": null,
        "category": "Network activity",
        "type": "url",
        "to_ids": true,
        "uuid": "605f7208-2813-4ca6-971b-c849197900dc",
        "timestamp": "1749763867",
        "distribution": "5",
        "sharing_group_id": "0",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "first_seen": null,
        "last_seen": null,
        "value": "https://fxlao.cn/ctaoie",
        "Sighting": [],
        "_allTags": [
          {
            "id": "10",
            "name": "tlp:green",
            "colour": "#33FF00",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2218",
            "name": "malware:Vidar",
            "colour": "#3d5116",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2082",
            "name": "audience-industry:Retail Banking",
            "colour": "#185dda",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2207",
            "name": "malware:VHD",
            "colour": "#b1f090",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2088",
            "name": "attack-pattern:malspam",
            "colour": "#8d99c8",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2256",
            "name": "malware:AutoIT",
            "colour": "#c4cb5f",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2077",
            "name": "attack-pattern:Phishing",
            "colour": "#2976dc",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2095",
            "name": "malware:Lumma Stealer",
            "colour": "#897c44",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2160",
            "name": "malware:XWorm",
            "colour": "#43e90c",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2083",
            "name": "audience-region:Americas",
            "colour": "#d0832e",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2175",
            "name": "malware:HijackLoader",
            "colour": "#25c516",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2133",
            "name": "malware:Snake Keylogger",
            "colour": "#13739f",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2102",
            "name": "tactic:Impact",
            "colour": "#ea268e",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2150",
            "name": "attack-pattern:VBS",
            "colour": "#6f2df7",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2702",
            "name": "malware:DarkCloud",
            "colour": "#7b4f6d",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2084",
            "name": "attack-pattern:Credential pharming",
            "colour": "#25961b",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          }
        ]
      }
    ],
    "Tag": [
      {
        "id": "10",
        "name": "tlp:green",
        "colour": "#33FF00",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2218",
        "name": "malware:Vidar",
        "colour": "#3d5116",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2082",
        "name": "audience-industry:Retail Banking",
        "colour": "#185dda",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2207",
        "name": "malware:VHD",
        "colour": "#b1f090",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2088",
        "name": "attack-pattern:malspam",
        "colour": "#8d99c8",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2256",
        "name": "malware:AutoIT",
        "colour": "#c4cb5f",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2077",
        "name": "attack-pattern:Phishing",
        "colour": "#2976dc",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2095",
        "name": "malware:Lumma Stealer",
        "colour": "#897c44",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2160",
        "name": "malware:XWorm",
        "colour": "#43e90c",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2083",
        "name": "audience-region:Americas",
        "colour": "#d0832e",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2175",
        "name": "malware:HijackLoader",
        "colour": "#25c516",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2133",
        "name": "malware:Snake Keylogger",
        "colour": "#13739f",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2102",
        "name": "tactic:Impact",
        "colour": "#ea268e",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2150",
        "name": "attack-pattern:VBS",
        "colour": "#6f2df7",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2702",
        "name": "malware:DarkCloud",
        "colour": "#7b4f6d",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2084",
        "name": "attack-pattern:Credential pharming",
        "colour": "#25961b",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      }
    ],
    "_AttributeFlattened": [
      {
        "id": "1327118",
        "event_id": "58446",
        "object_id": "0",
        "object_relation": null,
        "category": "Network activity",
        "type": "url",
        "to_ids": true,
        "uuid": "605f7208-2813-4ca6-971b-c849197900dc",
        "timestamp": "1749763867",
        "distribution": "5",
        "sharing_group_id": "0",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "first_seen": null,
        "last_seen": null,
        "value": "https://fxlao.cn/ctaoie",
        "Sighting": [],
        "_allTags": [
          {
            "id": "10",
            "name": "tlp:green",
            "colour": "#33FF00",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2218",
            "name": "malware:Vidar",
            "colour": "#3d5116",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2082",
            "name": "audience-industry:Retail Banking",
            "colour": "#185dda",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2207",
            "name": "malware:VHD",
            "colour": "#b1f090",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2088",
            "name": "attack-pattern:malspam",
            "colour": "#8d99c8",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2256",
            "name": "malware:AutoIT",
            "colour": "#c4cb5f",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2077",
            "name": "attack-pattern:Phishing",
            "colour": "#2976dc",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2095",
            "name": "malware:Lumma Stealer",
            "colour": "#897c44",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2160",
            "name": "malware:XWorm",
            "colour": "#43e90c",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2083",
            "name": "audience-region:Americas",
            "colour": "#d0832e",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2175",
            "name": "malware:HijackLoader",
            "colour": "#25c516",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2133",
            "name": "malware:Snake Keylogger",
            "colour": "#13739f",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2102",
            "name": "tactic:Impact",
            "colour": "#ea268e",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2150",
            "name": "attack-pattern:VBS",
            "colour": "#6f2df7",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2702",
            "name": "malware:DarkCloud",
            "colour": "#7b4f6d",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2084",
            "name": "attack-pattern:Credential pharming",
            "colour": "#25961b",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          }
        ]
      }
    ]
  }
}

{
  "Event": {
    "id": "58436",
    "org_id": "1",
    "date": "2025-06-11",
    "info": "Member Submission: Unidentified activity (Alert ID: 456dd77f)",
    "uuid": "bb44d78e-edb1-4220-99e3-b980c1103876",
    "published": true,
    "analysis": "0",
    "attribute_count": "36",
    "orgc_id": "31",
    "timestamp": "1749657767",
    "distribution": "0",
    "sharing_group_id": "0",
    "proposal_email_lock": false,
    "locked": true,
    "threat_level_id": "4",
    "publish_timestamp": "1749686436",
    "sighting_timestamp": "0",
    "disable_correlation": false,
    "extends_uuid": "",
    "protected": null,
    "Attribute": [
      {
        "id": "1326789",
        "event_id": "58436",
        "object_id": "0",
        "object_relation": null,
        "category": "Payload delivery",
        "type": "sha256",
        "to_ids": true,
        "uuid": "4db3818a-245a-4dad-bf87-a065591a203c",
        "timestamp": "1749657768",
        "distribution": "5",
        "sharing_group_id": "0",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "first_seen": null,
        "last_seen": null,
        "value": "267009d555f59e9bf5d82be8a046427f04a16d15c63d9c7ecca749b11d8c8fc3",
        "Sighting": [],
        "_allTags": [
          {
            "id": "10",
            "name": "tlp:green",
            "colour": "#33FF00",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2083",
            "name": "audience-region:Americas",
            "colour": "#d0832e",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2097",
            "name": "audience-industry:Payments",
            "colour": "#3eb067",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          }
        ]
      }
    ],
    "Tag": [
      {
        "id": "10",
        "name": "tlp:green",
        "colour": "#33FF00",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2083",
        "name": "audience-region:Americas",
        "colour": "#d0832e",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2097",
        "name": "audience-industry:Payments",
        "colour": "#3eb067",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      }
    ],
    "_AttributeFlattened": [
      {
        "id": "1326789",
        "event_id": "58436",
        "object_id": "0",
        "object_relation": null,
        "category": "Payload delivery",
        "type": "sha256",
        "to_ids": true,
        "uuid": "4db3818a-245a-4dad-bf87-a065591a203c",
        "timestamp": "1749657768",
        "distribution": "5",
        "sharing_group_id": "0",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "first_seen": null,
        "last_seen": null,
        "value": "267009d555f59e9bf5d82be8a046427f04a16d15c63d9c7ecca749b11d8c8fc3",
        "Sighting": [],
        "_allTags": [
          {
            "id": "10",
            "name": "tlp:green",
            "colour": "#33FF00",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2083",
            "name": "audience-region:Americas",
            "colour": "#d0832e",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2097",
            "name": "audience-industry:Payments",
            "colour": "#3eb067",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          }
        ]
      }
    ]
  }
}

+12

AbdElHafez
Staff
Forum|Forum|8 months ago
June 30, 2025

{
  "Event": {
    "id": "58436",
    "org_id": "1",
    "date": "2025-06-11",
    "info": "Member Submission: Unidentified activity (Alert ID: 456dd77f)",
    "uuid": "bb44d78e-edb1-4220-99e3-b980c1103876",
    "published": true,
    "analysis": "0",
    "attribute_count": "36",
    "orgc_id": "31",
    "timestamp": "1749657767",
    "distribution": "0",
    "sharing_group_id": "0",
    "proposal_email_lock": false,
    "locked": true,
    "threat_level_id": "4",
    "publish_timestamp": "1749686436",
    "sighting_timestamp": "0",
    "disable_correlation": false,
    "extends_uuid": "",
    "protected": null,
    "Attribute": [
      {
        "id": "1326789",
        "event_id": "58436",
        "object_id": "0",
        "object_relation": null,
        "category": "Payload delivery",
        "type": "sha256",
        "to_ids": true,
        "uuid": "4db3818a-245a-4dad-bf87-a065591a203c",
        "timestamp": "1749657768",
        "distribution": "5",
        "sharing_group_id": "0",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "first_seen": null,
        "last_seen": null,
        "value": "267009d555f59e9bf5d82be8a046427f04a16d15c63d9c7ecca749b11d8c8fc3",
        "Sighting": [],
        "_allTags": [
          {
            "id": "10",
            "name": "tlp:green",
            "colour": "#33FF00",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2083",
            "name": "audience-region:Americas",
            "colour": "#d0832e",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2097",
            "name": "audience-industry:Payments",
            "colour": "#3eb067",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          }
        ]
      }
    ],
    "Tag": [
      {
        "id": "10",
        "name": "tlp:green",
        "colour": "#33FF00",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2083",
        "name": "audience-region:Americas",
        "colour": "#d0832e",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      },
      {
        "id": "2097",
        "name": "audience-industry:Payments",
        "colour": "#3eb067",
        "exportable": true,
        "user_id": "0",
        "hide_tag": false,
        "numerical_value": null,
        "is_galaxy": false,
        "is_custom_galaxy": false,
        "local_only": false
      }
    ],
    "_AttributeFlattened": [
      {
        "id": "1326789",
        "event_id": "58436",
        "object_id": "0",
        "object_relation": null,
        "category": "Payload delivery",
        "type": "sha256",
        "to_ids": true,
        "uuid": "4db3818a-245a-4dad-bf87-a065591a203c",
        "timestamp": "1749657768",
        "distribution": "5",
        "sharing_group_id": "0",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "first_seen": null,
        "last_seen": null,
        "value": "267009d555f59e9bf5d82be8a046427f04a16d15c63d9c7ecca749b11d8c8fc3",
        "Sighting": [],
        "_allTags": [
          {
            "id": "10",
            "name": "tlp:green",
            "colour": "#33FF00",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2083",
            "name": "audience-region:Americas",
            "colour": "#d0832e",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          },
          {
            "id": "2097",
            "name": "audience-industry:Payments",
            "colour": "#3eb067",
            "exportable": true,
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "is_galaxy": false,
            "is_custom_galaxy": false,
            "local_only": false,
            "inherited": true
          }
        ]
      }
    ]
  }
}

Ok I modified the parser regex to match the new samples, just FYI you would need to be accurate in providing the end tail of the JSON logs as having different spaces/new lines pattern can mess with the few lines I added. Again the main fix will be to remove the "Event" level from the json objects.

  mutate { gsub => [ "message"," \\"Event\\": \\\\{\\\\n ",""]} 
  mutate { gsub => [ "message","\\\\n*\\s*\\\\}\\\\n*\\\\}\\\\s*\\\\n*$","}"]}

As in

For the other IOCs you shared (Domain-IP and URL) ; Their JSON structure is entirely different, with or without my modifications the default parser won't capture them, if you cannot control or unify the formats then you would need to pass 2 different streams or have a different parser written from scratch, both will require a case.

jeffbezos42
Author
New Member
Forum|Forum|8 months ago
July 1, 2025

  mutate { gsub => [ "message"," \\"Event\\": \\\\{\\\\n ",""]} 
  mutate { gsub => [ "message","\\\\n*\\s*\\\\}\\\\n*\\\\}\\\\s*\\\\n*$","}"]}

As in

This unfortunately has not been able to solve this and no entities are appearing when searching this - this will likely mean we will need further assistance via a Google ticket. We haven't changed anything outside of MISP's default settings so its very surprising it hasn't been parsed by your default parser here.

Forum|pagination.label 2 / 2

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded