diff --git a/.github/coverage/badge.svg b/.github/coverage/badge.svg
index 69e6dd8..0d2c18a 100644
--- a/.github/coverage/badge.svg
+++ b/.github/coverage/badge.svg
@@ -1 +1 @@
-
\ No newline at end of file
+
\ No newline at end of file
diff --git a/.github/coverage/coverage.txt b/.github/coverage/coverage.txt
index f95c289..d4bb175 100644
--- a/.github/coverage/coverage.txt
+++ b/.github/coverage/coverage.txt
@@ -1,12 +1,12 @@
-ok github.com/0xrawsec/whids/api 167.841s coverage: 66.8% of statements
-ok github.com/0xrawsec/whids/event 43.388s coverage: 75.3% of statements
-ok github.com/0xrawsec/whids/hids 39.421s coverage: 52.5% of statements
-ok github.com/0xrawsec/whids/hids/sysinfo 0.457s coverage: 95.2% of statements
-ok github.com/0xrawsec/whids/ioc 26.004s coverage: 73.3% of statements
-ok github.com/0xrawsec/whids/logger 43.282s coverage: 76.7% of statements
-ok github.com/0xrawsec/whids/sysmon 6.222s coverage: 83.1% of statements
-ok github.com/0xrawsec/whids/utils 11.752s coverage: 18.1% of statements
-ok github.com/0xrawsec/whids/utils/command 0.541s coverage: 100.0% of statements
+ok github.com/0xrawsec/whids/api 221.707s coverage: 66.8% of statements
+ok github.com/0xrawsec/whids/event 83.783s coverage: 75.3% of statements
+ok github.com/0xrawsec/whids/hids 72.862s coverage: 49.0% of statements
+ok github.com/0xrawsec/whids/hids/sysinfo 0.722s coverage: 95.2% of statements
+ok github.com/0xrawsec/whids/ioc 50.828s coverage: 73.3% of statements
+ok github.com/0xrawsec/whids/logger 73.084s coverage: 76.7% of statements
+ok github.com/0xrawsec/whids/sysmon 18.651s coverage: 83.1% of statements
+ok github.com/0xrawsec/whids/utils 22.620s coverage: 18.1% of statements
+ok github.com/0xrawsec/whids/utils/command 1.303s coverage: 100.0% of statements
github.com/0xrawsec/whids/api/api_client.go:36: ValidateRespStatus 75.0%
github.com/0xrawsec/whids/api/api_client.go:61: ManagerIP 60.0%
github.com/0xrawsec/whids/api/api_client.go:73: DialContext 0.0%
@@ -53,20 +53,20 @@ github.com/0xrawsec/whids/api/endpoint.go:30: NewEndpoint 100.0%
github.com/0xrawsec/whids/api/endpoint.go:37: Validate 66.7%
github.com/0xrawsec/whids/api/endpoint.go:45: Copy 100.0%
github.com/0xrawsec/whids/api/endpoint.go:51: UpdateLastConnection 100.0%
-github.com/0xrawsec/whids/api/forwarder.go:63: NewForwarder 72.7%
-github.com/0xrawsec/whids/api/forwarder.go:103: LogfilePath 100.0%
-github.com/0xrawsec/whids/api/forwarder.go:111: ArchiveLogs 0.0%
-github.com/0xrawsec/whids/api/forwarder.go:128: PipeEvent 100.0%
-github.com/0xrawsec/whids/api/forwarder.go:137: Save 84.6%
-github.com/0xrawsec/whids/api/forwarder.go:164: HasQueuedEvents 100.0%
-github.com/0xrawsec/whids/api/forwarder.go:174: CleanOlderQueued 94.4%
-github.com/0xrawsec/whids/api/forwarder.go:204: DiskSpaceQueue 100.0%
-github.com/0xrawsec/whids/api/forwarder.go:217: listLogfiles 100.0%
-github.com/0xrawsec/whids/api/forwarder.go:230: ProcessQueue 61.8%
-github.com/0xrawsec/whids/api/forwarder.go:300: Reset 100.0%
-github.com/0xrawsec/whids/api/forwarder.go:306: Collect 90.0%
-github.com/0xrawsec/whids/api/forwarder.go:332: Run 100.0%
-github.com/0xrawsec/whids/api/forwarder.go:366: Close 100.0%
+github.com/0xrawsec/whids/api/forwarder.go:64: NewForwarder 75.0%
+github.com/0xrawsec/whids/api/forwarder.go:106: LogfilePath 100.0%
+github.com/0xrawsec/whids/api/forwarder.go:114: ArchiveLogs 0.0%
+github.com/0xrawsec/whids/api/forwarder.go:131: PipeEvent 100.0%
+github.com/0xrawsec/whids/api/forwarder.go:140: Save 84.6%
+github.com/0xrawsec/whids/api/forwarder.go:167: HasQueuedEvents 100.0%
+github.com/0xrawsec/whids/api/forwarder.go:177: CleanOlderQueued 94.4%
+github.com/0xrawsec/whids/api/forwarder.go:207: DiskSpaceQueue 100.0%
+github.com/0xrawsec/whids/api/forwarder.go:220: listLogfiles 100.0%
+github.com/0xrawsec/whids/api/forwarder.go:233: ProcessQueue 61.8%
+github.com/0xrawsec/whids/api/forwarder.go:303: Reset 100.0%
+github.com/0xrawsec/whids/api/forwarder.go:309: Collect 90.0%
+github.com/0xrawsec/whids/api/forwarder.go:335: Run 100.0%
+github.com/0xrawsec/whids/api/forwarder.go:365: Close 100.0%
github.com/0xrawsec/whids/api/log_streamer.go:18: Queue 75.0%
github.com/0xrawsec/whids/api/log_streamer.go:26: Stream 100.0%
github.com/0xrawsec/whids/api/log_streamer.go:40: Close 0.0%
@@ -208,12 +208,12 @@ github.com/0xrawsec/whids/hids/actions.go:94: shouldDump 100.0%
github.com/0xrawsec/whids/hids/actions.go:99: writeReader 100.0%
github.com/0xrawsec/whids/hids/actions.go:104: dumpAsJson 66.7%
github.com/0xrawsec/whids/hids/actions.go:117: dumpBinFile 100.0%
-github.com/0xrawsec/whids/hids/actions.go:121: dumpFile 77.8%
-github.com/0xrawsec/whids/hids/actions.go:156: listFilesFromCommandLine 100.0%
-github.com/0xrawsec/whids/hids/actions.go:179: filedumpSet 55.6%
+github.com/0xrawsec/whids/hids/actions.go:121: dumpFile 72.2%
+github.com/0xrawsec/whids/hids/actions.go:156: listFilesFromCommandLine 81.8%
+github.com/0xrawsec/whids/hids/actions.go:179: filedumpSet 44.4%
github.com/0xrawsec/whids/hids/actions.go:232: filedump 80.0%
github.com/0xrawsec/whids/hids/actions.go:242: memdump 0.0%
-github.com/0xrawsec/whids/hids/actions.go:271: regdump 93.3%
+github.com/0xrawsec/whids/hids/actions.go:271: regdump 26.7%
github.com/0xrawsec/whids/hids/actions.go:302: suspend_process 0.0%
github.com/0xrawsec/whids/hids/actions.go:312: kill_process 0.0%
github.com/0xrawsec/whids/hids/actions.go:325: Queue 100.0%
@@ -280,26 +280,26 @@ github.com/0xrawsec/whids/hids/hids.go:516: updateSystemInfo 0.0%
github.com/0xrawsec/whids/hids/hids.go:544: updateSysmon 0.0%
github.com/0xrawsec/whids/hids/hids.go:590: updateSysmonConfig 0.0%
github.com/0xrawsec/whids/hids/hids.go:650: cleanup 33.3%
-github.com/0xrawsec/whids/hids/hids.go:666: IsHIDSEvent 93.8%
+github.com/0xrawsec/whids/hids/hids.go:666: IsHIDSEvent 87.5%
github.com/0xrawsec/whids/hids/hids.go:700: Report 0.0%
-github.com/0xrawsec/whids/hids/hids.go:727: Run 58.8%
-github.com/0xrawsec/whids/hids/hids.go:850: LogStats 0.0%
-github.com/0xrawsec/whids/hids/hids.go:859: Stop 68.8%
-github.com/0xrawsec/whids/hids/hids.go:895: Wait 0.0%
-github.com/0xrawsec/whids/hids/hids.go:900: WaitWithTimeout 0.0%
-github.com/0xrawsec/whids/hids/hookdefs.go:39: hookSetImageSize 94.1%
+github.com/0xrawsec/whids/hids/hids.go:727: Run 64.7%
+github.com/0xrawsec/whids/hids/hids.go:847: LogStats 0.0%
+github.com/0xrawsec/whids/hids/hids.go:856: Stop 68.8%
+github.com/0xrawsec/whids/hids/hids.go:892: Wait 0.0%
+github.com/0xrawsec/whids/hids/hids.go:897: WaitWithTimeout 0.0%
+github.com/0xrawsec/whids/hids/hookdefs.go:39: hookSetImageSize 82.4%
github.com/0xrawsec/whids/hids/hookdefs.go:71: hookImageLoad 95.0%
-github.com/0xrawsec/whids/hids/hookdefs.go:108: trackSysmonProcessCreate 76.1%
+github.com/0xrawsec/whids/hids/hookdefs.go:108: trackSysmonProcessCreate 62.7%
github.com/0xrawsec/whids/hids/hookdefs.go:229: hookTrack 50.0%
-github.com/0xrawsec/whids/hids/hookdefs.go:242: hookStats 76.4%
+github.com/0xrawsec/whids/hids/hookdefs.go:242: hookStats 21.8%
github.com/0xrawsec/whids/hids/hookdefs.go:353: hookUpdateGeneScore 0.0%
-github.com/0xrawsec/whids/hids/hookdefs.go:370: hookTerminator 76.9%
+github.com/0xrawsec/whids/hids/hookdefs.go:370: hookTerminator 53.8%
github.com/0xrawsec/whids/hids/hookdefs.go:398: hookProcTerm 87.5%
github.com/0xrawsec/whids/hids/hookdefs.go:414: hookSelfGUID 75.0%
github.com/0xrawsec/whids/hids/hookdefs.go:448: hookFileSystemAudit 0.0%
github.com/0xrawsec/whids/hids/hookdefs.go:478: hookProcessIntegrityProcTamp 0.0%
-github.com/0xrawsec/whids/hids/hookdefs.go:554: hookEnrichServices 80.6%
-github.com/0xrawsec/whids/hids/hookdefs.go:632: hookEnrichAnySysmon 100.0%
+github.com/0xrawsec/whids/hids/hookdefs.go:554: hookEnrichServices 77.8%
+github.com/0xrawsec/whids/hids/hookdefs.go:632: hookEnrichAnySysmon 86.7%
github.com/0xrawsec/whids/hids/hookdefs.go:754: hookClipboardEvents 0.0%
github.com/0xrawsec/whids/hids/hookdefs.go:781: hookKernelFiles 0.0%
github.com/0xrawsec/whids/hids/hooks.go:23: newHookCache 100.0%
@@ -311,7 +311,7 @@ github.com/0xrawsec/whids/hids/hooks.go:84: RunHooksOn 93.8%
github.com/0xrawsec/whids/hids/hooks.go:123: getFunctionName 0.0%
github.com/0xrawsec/whids/hids/hookutils.go:13: toString 100.0%
github.com/0xrawsec/whids/hids/hookutils.go:17: toHex 66.7%
-github.com/0xrawsec/whids/hids/hookutils.go:25: terminate 100.0%
+github.com/0xrawsec/whids/hids/hookutils.go:25: terminate 0.0%
github.com/0xrawsec/whids/hids/hookutils.go:41: isSysmonProcessTerminate 100.0%
github.com/0xrawsec/whids/hids/hookutils.go:45: srcPIDFromEvent 0.0%
github.com/0xrawsec/whids/hids/hookutils.go:58: hasAction 0.0%
@@ -320,9 +320,9 @@ github.com/0xrawsec/whids/hids/iocs.go:17: ruleHashIoC 100.0%
github.com/0xrawsec/whids/hids/iocs.go:32: ruleDomainIoC 100.0%
github.com/0xrawsec/whids/hids/paths.go:11: EventDataPath 100.0%
github.com/0xrawsec/whids/hids/ptrack.go:41: NewProcStats 100.0%
-github.com/0xrawsec/whids/hids/ptrack.go:52: UpdateNetResolve 0.0%
+github.com/0xrawsec/whids/hids/ptrack.go:52: UpdateNetResolve 100.0%
github.com/0xrawsec/whids/hids/ptrack.go:61: UpdateCon 0.0%
-github.com/0xrawsec/whids/hids/ptrack.go:71: ConStat 0.0%
+github.com/0xrawsec/whids/hids/ptrack.go:71: ConStat 100.0%
github.com/0xrawsec/whids/hids/ptrack.go:83: NewGeneScore 100.0%
github.com/0xrawsec/whids/hids/ptrack.go:87: Update 0.0%
github.com/0xrawsec/whids/hids/ptrack.go:96: sysmonHashesToMap 100.0%
@@ -339,10 +339,10 @@ github.com/0xrawsec/whids/hids/ptrack.go:301: KernelFileFromEvent 0.0%
github.com/0xrawsec/whids/hids/ptrack.go:313: sourceGUIDFromEvent 88.9%
github.com/0xrawsec/whids/hids/ptrack.go:334: targetGUIDFromEvent 70.0%
github.com/0xrawsec/whids/hids/ptrack.go:376: NewActivityTracker 100.0%
-github.com/0xrawsec/whids/hids/ptrack.go:393: delete 100.0%
+github.com/0xrawsec/whids/hids/ptrack.go:393: delete 83.3%
github.com/0xrawsec/whids/hids/ptrack.go:406: freeRtn 80.0%
github.com/0xrawsec/whids/hids/ptrack.go:444: CheckDumpCountOrInc 100.0%
-github.com/0xrawsec/whids/hids/ptrack.go:458: Add 100.0%
+github.com/0xrawsec/whids/hids/ptrack.go:458: Add 83.3%
github.com/0xrawsec/whids/hids/ptrack.go:469: PS 0.0%
github.com/0xrawsec/whids/hids/ptrack.go:480: Blacklist 100.0%
github.com/0xrawsec/whids/hids/ptrack.go:484: IsBlacklisted 100.0%
@@ -367,16 +367,16 @@ github.com/0xrawsec/whids/hids/reports.go:104: PrepareCommands 0.0%
github.com/0xrawsec/whids/hids/stats.go:29: NewEventStats 100.0%
github.com/0xrawsec/whids/hids/stats.go:39: SinceStart 0.0%
github.com/0xrawsec/whids/hids/stats.go:43: Start 100.0%
-github.com/0xrawsec/whids/hids/stats.go:48: Threshold 0.0%
-github.com/0xrawsec/whids/hids/stats.go:52: Duration 0.0%
+github.com/0xrawsec/whids/hids/stats.go:48: Threshold 100.0%
+github.com/0xrawsec/whids/hids/stats.go:52: Duration 100.0%
github.com/0xrawsec/whids/hids/stats.go:56: Update 75.0%
github.com/0xrawsec/whids/hids/stats.go:65: Events 100.0%
github.com/0xrawsec/whids/hids/stats.go:69: Detections 0.0%
github.com/0xrawsec/whids/hids/stats.go:73: EPS 0.0%
-github.com/0xrawsec/whids/hids/stats.go:81: CriticalEPS 0.0%
+github.com/0xrawsec/whids/hids/stats.go:81: CriticalEPS 100.0%
github.com/0xrawsec/whids/hids/stats.go:85: DynEPS 75.0%
-github.com/0xrawsec/whids/hids/stats.go:93: HasPerfIssue 38.5%
-github.com/0xrawsec/whids/hids/stats.go:113: HasCriticalPerfIssue 0.0%
+github.com/0xrawsec/whids/hids/stats.go:93: HasPerfIssue 69.2%
+github.com/0xrawsec/whids/hids/stats.go:113: HasCriticalPerfIssue 100.0%
github.com/0xrawsec/whids/hids/sysinfo/sysinfo.go:15: RegisterEdrInfo 0.0%
github.com/0xrawsec/whids/hids/sysinfo/windows_sysinfo.go:31: NewSystemInfo 100.0%
github.com/0xrawsec/whids/ioc/ioc.go:24: FromObjects 0.0%
@@ -526,4 +526,4 @@ github.com/0xrawsec/whids/utils/windows.go:53: ResolveCDrive 0.0%
github.com/0xrawsec/whids/utils/windows.go:76: RegValue 0.0%
github.com/0xrawsec/whids/utils/windows.go:91: RegJoin 0.0%
github.com/0xrawsec/whids/utils/windows.go:98: RegValueToString 0.0%
-total: (statements) 60.2%
+total: (statements) 58.8%
diff --git a/api/forwarder.go b/api/forwarder.go
index cd84583..f80c355 100644
--- a/api/forwarder.go
+++ b/api/forwarder.go
@@ -3,6 +3,7 @@ package api
import (
"bytes"
"compress/gzip"
+ "context"
"fmt"
"os"
"path/filepath"
@@ -43,12 +44,12 @@ type ForwarderConfig struct {
// Forwarder structure definition
type Forwarder struct {
sync.Mutex
+ sync.WaitGroup
+ ctx context.Context
+ cancel context.CancelFunc
fwdConfig *ForwarderConfig
- stop chan bool
- done chan bool
logfile logfile.LogFile
sleep time.Duration
- closed bool
Client *ManagerClient
TimeTresh time.Duration
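Review bot: Embedding sync.WaitGroup next to the already embedded sync.Mutex promotes Add, Done and Wait onto the exported Forwarder type, so any caller can disturb the worker's accounting (a stray f.Done() panics with a negative counter) and the lock and wait-group methods read as part of the public API. A named field keeps the mechanism private: `wg sync.WaitGroup` in the struct, with `f.wg.Add(1)`, `defer f.wg.Done()` and `f.wg.Wait()` in Run and Close. Storing ctx in the struct is defensible here because it bounds the worker's lifetime rather than a request, but a short comment such as `// ctx is cancelled by Close; the worker started by Run exits once it is done` would pre-empt the usual objection. The struct definition continues past the hunk.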
@@ -60,15 +61,17 @@ type Forwarder struct {
// NewForwarder creates a new Forwarder structure
// Todo: needs update with client
-func NewForwarder(c *ForwarderConfig) (*Forwarder, error) {
+func NewForwarder(ctx context.Context, c *ForwarderConfig) (*Forwarder, error) {
var err error
+ cctx, cancel := context.WithCancel(ctx)
+
// Initialize the Forwarder
// TODO: better organize forwarder configuration
co := Forwarder{
+ ctx: cctx,
+ cancel: cancel,
fwdConfig: c,
- stop: make(chan bool),
- done: make(chan bool),
sleep: time.Second,
TimeTresh: time.Second * 10,
// Writing events too quickly has a perf impact
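Review bot: The cancel func obtained from context.WithCancel right after `var err error` is only stored in the struct, so if any initialisation step in the part of NewForwarder outside this hunk returns an error, the derived context is never released until the parent is cancelled, and go vet's lostcancel check will report it. A deferred guard placed immediately after the WithCancel call covers every failure path, provided each failing return assigns err first: `defer func() { if err != nil { cancel() } }()`. The doc comment should also state the new contract, for example `// The forwarder's worker stops when ctx is cancelled or Close is called.`, and the stale `Todo: needs update with client` line could go. NewForwarder's body continues outside the hunk.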
@@ -330,17 +333,13 @@ func (f *Forwarder) Collect() {
// Run starts the Forwarder worker function
func (f *Forwarder) Run() {
+ f.Add(1)
// Process Piped Events
go func() {
- // defer signal that we are done
- defer func() { f.done <- true }()
+ defer f.Done()
+
timer := time.Now()
- for {
- select {
- case <-f.stop:
- return
- default:
- }
+ for f.ctx.Err() == nil {
// We have queued events so we try to send them before sending pending events
// We check if server is up not to close the current logfile if not needed
if f.HasQueuedEvents() {
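Review bot: Run is not guarded against being called more than once; each call does f.Add(1) and starts another worker over the same logfile and client, and Close's f.Wait() then waits for all of them. A sync.Once, or a check that a worker is already running, would make a second call a no-op. The condition `for f.ctx.Err() == nil` only observes cancellation between iterations, so if the loop body (outside this hunk) pauses with time.Sleep(f.sleep), Close blocks on Wait for up to that long; `select { case <-f.ctx.Done(): return; case <-time.After(f.sleep): }` would make the stop immediate. Run's body continues outside the hunk.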
@@ -364,23 +363,29 @@ func (f *Forwarder) Run() {
// Close closes the forwarder properly
func (f *Forwarder) Close() {
- if f.closed {
+
+ // forwarder is already closed -> nothing to do
+ if f.ctx.Err() != nil {
return
}
- // Close idle connections if not local
- if !f.Local {
- defer f.Client.Close()
- }
- f.stop <- true
- // Waiting forwarder stopped routine is done
- <-f.done
+ // we cancel forwarder's context
+ f.cancel()
+ // we wait for forwarding routine to terminate
+ f.Wait()
+
+ // we collect last events if needed
if f.EventsPiped > 0 {
f.Collect()
}
+
+ // we close logfile
if f.logfile != nil {
f.logfile.Close()
}
- f.closed = true
+ // Close idle connections if not local
+ if !f.Local {
+ defer f.Client.Close()
+ }
}
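Review bot: The guard `if f.ctx.Err() != nil { return }` cannot tell "Close already ran" from "the parent context was cancelled": once the ctx handed to NewForwarder is cancelled (the tests in forwarder_test.go now derive it from a cancellable parent, and a server shutdown would do the same), Close returns before Collect runs and before the logfile and client are closed, so piped events are dropped and the file handle stays open. The old closed flag only short-circuited a repeated Close; a `closeOnce sync.Once` field with the body wrapped in `f.closeOnce.Do(func() { … })` restores that behaviour and additionally makes concurrent Close calls safe, which neither version is since two callers can both pass the guard and both close the logfile. The trailing `defer f.Client.Close()` is the last statement of the function, so the defer has no effect and a plain `f.Client.Close()` reads more honestly. The worker already exits when ctx is cancelled, so the cancel()/Wait() pair belongs inside the Do as well.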
diff --git a/api/forwarder_test.go b/api/forwarder_test.go
index d7d49a3..8723ccd 100644
--- a/api/forwarder_test.go
+++ b/api/forwarder_test.go
@@ -2,6 +2,7 @@ package api
import (
"bytes"
+ "context"
"encoding/json"
"fmt"
"io"
@@ -25,7 +26,6 @@ import (
)
var (
-
eventFile = "./data/events.json"
events = make([]event.EdrEvent, 0)
)
@@ -162,7 +162,10 @@ func TestForwarderBasic(t *testing.T) {
r.Run()
fconf.Client.Key = key
- f, err := NewForwarder(&fconf)
+ ctx, cancel := context.WithCancel(context.Background())
+ defer cancel()
+
+ f, err := NewForwarder(ctx, &fconf)
if err != nil {
t.Errorf("Failed to create collector: %s", err)
t.FailNow()
@@ -210,7 +213,11 @@ func TestCollectorAuthFailure(t *testing.T) {
fconf.Client.Key = key
fconf.Client.ServerKey = utils.UnsafeKeyGen(DefaultKeySize)
- f, err := NewForwarder(&fconf)
+
+ ctx, cancel := context.WithCancel(context.Background())
+ defer cancel()
+
+ f, err := NewForwarder(ctx, &fconf)
if err != nil {
t.Errorf("Failed to create collector: %s", err)
t.FailNow()
@@ -255,7 +262,11 @@ func TestCollectorAuthSuccess(t *testing.T) {
fconf.Client.Key = key
fconf.Client.ServerKey = serverKey
- f, err := NewForwarder(&fconf)
+
+ ctx, cancel := context.WithCancel(context.Background())
+ defer cancel()
+
+ f, err := NewForwarder(ctx, &fconf)
if err != nil {
t.Errorf("Failed to create collector: %s", err)
t.FailNow()
@@ -310,7 +321,11 @@ func TestForwarderParallel(t *testing.T) {
defer jobs.Release()
defer wg.Done()
fconf.Client.Key = key
- c, err := NewForwarder(&fconf)
+
+ ctx, cancel := context.WithCancel(context.Background())
+ defer cancel()
+
+ c, err := NewForwarder(ctx, &fconf)
if err != nil {
t.Errorf("Failed to create collector: %s", err)
t.FailNow()
@@ -355,7 +370,11 @@ func TestForwarderQueueBasic(t *testing.T) {
// Inititialize the forwarder
fconf.Client.Key = key
- f, err := NewForwarder(&fconf)
+
+ ctx, cancel := context.WithCancel(context.Background())
+ defer cancel()
+
+ f, err := NewForwarder(ctx, &fconf)
if err != nil {
t.Errorf("Failed to create collector: %s", err)
t.FailNow()
@@ -412,8 +431,12 @@ func TestForwarderCleanup(t *testing.T) {
// Change rotation interval not to create unexpected number of files
fconf.Logging.RotationInterval = time.Hour
+
+ ctx, cancel := context.WithCancel(context.Background())
+ defer cancel()
+
// Inititialize the forwarder
- f, err := NewForwarder(&fconf)
+ f, err := NewForwarder(ctx, &fconf)
tt.CheckErr(err)
// decreases sleep time to speed up test
f.sleep = time.Millisecond * 500
diff --git a/api/openapi_def.go b/api/openapi_def.go
index cde08a2..626a6c7 100644
--- a/api/openapi_def.go
+++ b/api/openapi_def.go
@@ -74,10 +74,10 @@ var OpenAPIDefinition = `
"group": "",
"hostname": "OpenHappy",
"ip": "127.0.0.1",
- "key": "RPOhWvEturgTrjTQ0aTilihWtxqKSUU1o4jiwc4ygL5BuSNnm5zEbejzCQdGLXyo",
- "last-connection": "2022-07-13T13:47:48.845453448Z",
- "last-detection": "2022-07-13T15:47:47.776403298+02:00",
- "last-event": "2022-07-13T15:47:47.776403298+02:00",
+ "key": "dXHz2UV7fKwYBGUxzupEk5j4R6yCcEHfJRtgvdB9RLHVyFMbe8RjIypX7buIieQ2",
+ "last-connection": "2022-07-25T08:23:56.681486304Z",
+ "last-detection": "2022-07-25T10:23:55.619902205+02:00",
+ "last-event": "2022-07-25T10:23:55.619902205+02:00",
"score": 0,
"status": "",
"system-info": {
@@ -154,13 +154,13 @@ var OpenAPIDefinition = `
"group": "",
"hostname": "",
"ip": "",
- "key": "cWDJcpS2OlP4s8LpkwMTMKedOjomVVISEQOV8ly3EyU5U38rDXbxru2XO0s17V6t",
+ "key": "keqm7y288JfhzIV2wdDegmgPOvsDfP7sG54tq73FhRe6M1Tngd4jMvOSJ3slWIl6",
"last-connection": "0001-01-01T00:00:00Z",
"last-detection": "0001-01-01T00:00:00Z",
"last-event": "0001-01-01T00:00:00Z",
"score": 0,
"status": "",
- "uuid": "068d28b7-5e36-cc66-d2fc-6e5da6eb2972"
+ "uuid": "e89cd234-31e7-7055-8202-f3c277d06c66"
},
"error": "",
"message": "OK"
@@ -200,21 +200,21 @@ var OpenAPIDefinition = `
"5a92baeb-9384-47d3-92b4-a0db6f9b8c6d": [
{
"base-url": "/endpoints/5a92baeb-9384-47d3-92b4-a0db6f9b8c6d/artifacts/5a92baeb-9384-47d3-92b4-a0db6f9b8c6d/3d8441643c204ba9b9dcb5c414b25a3129f66f6c/",
- "creation": "2022-07-13T13:47:53.215455767Z",
+ "creation": "2022-07-25T08:24:00.233207512Z",
"event-hash": "3d8441643c204ba9b9dcb5c414b25a3129f66f6c",
"files": [
{
"name": "bar.txt",
"size": 4,
- "timestamp": "2022-07-13T13:47:53.215455767Z"
+ "timestamp": "2022-07-25T08:24:00.253207775Z"
},
{
"name": "foo.txt",
"size": 4,
- "timestamp": "2022-07-13T13:47:53.215455767Z"
+ "timestamp": "2022-07-25T08:24:00.233207512Z"
}
],
- "modification": "2022-07-13T13:47:53.215455767Z",
+ "modification": "2022-07-25T08:24:00.253207775Z",
"process-guid": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d"
}
]
@@ -248,30 +248,30 @@ var OpenAPIDefinition = `
"avg-signature-criticality": 0,
"bounded-score": 0,
"count-by-signature": {
- "DefenderConfigChanged": 6,
- "NewAutorun": 23,
- "SuspiciousService": 3,
- "UnknownServices": 5,
- "UntrustedDriverLoaded": 13
+ "DefenderConfigChanged": 9,
+ "NewAutorun": 16,
+ "SuspiciousService": 7,
+ "UnknownServices": 8,
+ "UntrustedDriverLoaded": 10
},
"count-uniq-signatures": 5,
"identifier": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d",
- "median-time": "2022-07-13T15:47:51.039398197+02:00",
+ "median-time": "2022-07-25T10:23:57.921247536+02:00",
"score": 0,
"signature-count": 50,
"signature-criticality-metric": 0,
"signature-diversity": 100,
"signatures": [
"SuspiciousService",
- "DefenderConfigChanged",
"UnknownServices",
- "NewAutorun",
- "UntrustedDriverLoaded"
+ "UntrustedDriverLoaded",
+ "DefenderConfigChanged",
+ "NewAutorun"
],
- "start-time": "2022-07-13T15:47:51.03797421+02:00",
+ "start-time": "2022-07-25T10:23:57.918944198+02:00",
"std-dev-alert-criticality": 0,
"std-dev-signature-criticality": -92233720368547760,
- "stop-time": "2022-07-13T15:47:51.040822185+02:00",
+ "stop-time": "2022-07-25T10:23:57.923550875+02:00",
"sum-alert-criticality": 0,
"sum-rule-criticality": 0,
"tactics": null,
@@ -332,7 +332,7 @@ var OpenAPIDefinition = `
},
"name": "osqueryi",
"os": "windows",
- "uuid": "a1110aa5-34d4-3b15-0b45-654d0f800238"
+ "uuid": "557737cb-6152-0c82-2732-a22079c45388"
},
"error": "",
"message": "OK"
@@ -399,7 +399,7 @@ var OpenAPIDefinition = `
},
"name": "osqueryi",
"os": "windows",
- "uuid": "a1110aa5-34d4-3b15-0b45-654d0f800238"
+ "uuid": "557737cb-6152-0c82-2732-a22079c45388"
},
"error": "",
"message": "OK"
@@ -453,7 +453,7 @@ var OpenAPIDefinition = `
},
"name": "osqueryi",
"os": "windows",
- "uuid": "a1110aa5-34d4-3b15-0b45-654d0f800238"
+ "uuid": "557737cb-6152-0c82-2732-a22079c45388"
},
"error": "",
"message": "OK"
@@ -509,7 +509,7 @@ var OpenAPIDefinition = `
},
"name": "sysmon",
"os": "windows",
- "uuid": "b499f510-e5cb-0704-7f98-8bd1664421e8"
+ "uuid": "f0d9d8ce-f10e-d377-3048-ad2e496f6f44"
},
"error": "",
"message": "OK"
@@ -576,7 +576,7 @@ var OpenAPIDefinition = `
},
"name": "sysmon",
"os": "windows",
- "uuid": "b499f510-e5cb-0704-7f98-8bd1664421e8"
+ "uuid": "f0d9d8ce-f10e-d377-3048-ad2e496f6f44"
},
"error": "",
"message": "OK"
@@ -630,7 +630,7 @@ var OpenAPIDefinition = `
},
"name": "sysmon",
"os": "windows",
- "uuid": "b499f510-e5cb-0704-7f98-8bd1664421e8"
+ "uuid": "f0d9d8ce-f10e-d377-3048-ad2e496f6f44"
},
"error": "",
"message": "OK"
@@ -1896,15 +1896,15 @@ var OpenAPIDefinition = `
"command": {
"args": [],
"background": false,
- "completed": true,
+ "completed": false,
"drop": [],
"error": "",
"expect-json": false,
"fetch": {},
"json": null,
"name": "",
- "sent": true,
- "sent-time": "2022-07-13T15:47:48.844626333+02:00",
+ "sent": false,
+ "sent-time": "0001-01-01T00:00:00Z",
"stderr": "",
"stdout": "",
"timeout": 0,
@@ -1914,9 +1914,9 @@ var OpenAPIDefinition = `
"group": "",
"hostname": "OpenHappy",
"ip": "127.0.0.1",
- "last-connection": "2022-07-13T13:47:48.845453448Z",
- "last-detection": "2022-07-13T15:47:47.776403298+02:00",
- "last-event": "2022-07-13T15:47:47.776403298+02:00",
+ "last-connection": "2022-07-25T08:23:56.706034558Z",
+ "last-detection": "2022-07-25T10:23:55.619902205+02:00",
+ "last-event": "2022-07-25T10:23:55.619902205+02:00",
"score": 0,
"status": "",
"system-info": {
@@ -2315,15 +2315,15 @@ var OpenAPIDefinition = `
"command": {
"args": [],
"background": false,
- "completed": true,
+ "completed": false,
"drop": [],
"error": "",
"expect-json": false,
"fetch": {},
"json": null,
"name": "",
- "sent": true,
- "sent-time": "2022-07-13T15:47:48.844626333+02:00",
+ "sent": false,
+ "sent-time": "0001-01-01T00:00:00Z",
"stderr": "",
"stdout": "",
"timeout": 0,
@@ -2333,9 +2333,9 @@ var OpenAPIDefinition = `
"group": "New Group",
"hostname": "OpenHappy",
"ip": "127.0.0.1",
- "last-connection": "2022-07-13T13:47:48.845453448Z",
- "last-detection": "2022-07-13T15:47:47.776403298+02:00",
- "last-event": "2022-07-13T15:47:47.776403298+02:00",
+ "last-connection": "2022-07-25T08:23:56.706034558Z",
+ "last-detection": "2022-07-25T10:23:55.619902205+02:00",
+ "last-event": "2022-07-25T10:23:55.619902205+02:00",
"score": 0,
"status": "New Status",
"system-info": {
@@ -2422,15 +2422,15 @@ var OpenAPIDefinition = `
"command": {
"args": [],
"background": false,
- "completed": true,
+ "completed": false,
"drop": [],
"error": "",
"expect-json": false,
"fetch": {},
"json": null,
"name": "",
- "sent": true,
- "sent-time": "2022-07-13T15:47:48.844626333+02:00",
+ "sent": false,
+ "sent-time": "0001-01-01T00:00:00Z",
"stderr": "",
"stdout": "",
"timeout": 0,
@@ -2440,9 +2440,9 @@ var OpenAPIDefinition = `
"group": "New Group",
"hostname": "OpenHappy",
"ip": "127.0.0.1",
- "last-connection": "2022-07-13T13:47:48.845453448Z",
- "last-detection": "2022-07-13T15:47:47.776403298+02:00",
- "last-event": "2022-07-13T15:47:47.776403298+02:00",
+ "last-connection": "2022-07-25T08:23:56.706034558Z",
+ "last-detection": "2022-07-25T10:23:55.619902205+02:00",
+ "last-event": "2022-07-25T10:23:55.619902205+02:00",
"score": 0,
"status": "New Status",
"system-info": {
@@ -2541,21 +2541,21 @@ var OpenAPIDefinition = `
"data": [
{
"base-url": "/endpoints/5a92baeb-9384-47d3-92b4-a0db6f9b8c6d/artifacts/5a92baeb-9384-47d3-92b4-a0db6f9b8c6d/3d8441643c204ba9b9dcb5c414b25a3129f66f6c/",
- "creation": "2022-07-13T13:47:53.215455767Z",
+ "creation": "2022-07-25T08:24:00.233207512Z",
"event-hash": "3d8441643c204ba9b9dcb5c414b25a3129f66f6c",
"files": [
{
"name": "bar.txt",
"size": 4,
- "timestamp": "2022-07-13T13:47:53.215455767Z"
+ "timestamp": "2022-07-25T08:24:00.253207775Z"
},
{
"name": "foo.txt",
"size": 4,
- "timestamp": "2022-07-13T13:47:53.215455767Z"
+ "timestamp": "2022-07-25T08:24:00.233207512Z"
}
],
- "modification": "2022-07-13T13:47:53.215455767Z",
+ "modification": "2022-07-25T08:24:00.253207775Z",
"process-guid": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d"
}
],
@@ -2700,11 +2700,11 @@ var OpenAPIDefinition = `
"json": null,
"name": "/usr/bin/printf",
"sent": true,
- "sent-time": "2022-07-13T15:47:50.955176373+02:00",
+ "sent-time": "2022-07-25T10:23:57.851082404+02:00",
"stderr": "",
"stdout": "SGVsbG8gV29ybGQ=",
"timeout": 0,
- "uuid": "87843bef-a92e-9f2f-0629-9cca3bd08588"
+ "uuid": "4a90ec0f-8f85-6741-4c25-ada5bfe5a116"
},
"error": "",
"message": "OK"
@@ -2792,16 +2792,16 @@ var OpenAPIDefinition = `
"stderr": null,
"stdout": null,
"timeout": 0,
- "uuid": "87843bef-a92e-9f2f-0629-9cca3bd08588"
+ "uuid": "4a90ec0f-8f85-6741-4c25-ada5bfe5a116"
},
"criticality": 0,
"group": "",
"hostname": "OpenHappy",
"ip": "127.0.0.1",
- "key": "hl8Oo1yEsmu334SqqRG2lrsURLW2CoO1ovq9ruivUGFfNEeRzoQBnab5FkFOxsiE",
- "last-connection": "2022-07-13T13:47:49.952426638Z",
- "last-detection": "2022-07-13T15:47:48.896927383+02:00",
- "last-event": "2022-07-13T15:47:48.896927383+02:00",
+ "key": "dWzvXXxdRhxlcNBDQI31VpvSwBvVgwTd55IiLoV7FOSL7tDwUotkkkVwOTpzwRkJ",
+ "last-connection": "2022-07-25T08:23:57.833479358Z",
+ "last-detection": "2022-07-25T10:23:56.76685432+02:00",
+ "last-event": "2022-07-25T10:23:56.76685432+02:00",
"score": 0,
"status": "",
"system-info": {
@@ -3022,7 +3022,7 @@ var OpenAPIDefinition = `
"Actions": [],
"Criticality": 8,
"Signature": [
- "NewAutorun"
+ "DefenderConfigChanged"
]
},
"EdrData": {
@@ -3034,41 +3034,27 @@ var OpenAPIDefinition = `
},
"Event": {
"Detection": true,
- "Hash": "bec6df9986005778219f4dd1ba2074d281e287a4",
- "ReceiptTime": "2022-07-13T07:46:13.999323625Z"
+ "Hash": "562aa60885616010abe91223f6d4e10c623d6f8f",
+ "ReceiptTime": "2022-07-25T08:23:55.54365977Z"
}
},
"EventData": {
- "CommandLine": "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2106.6-0\\MsMpEng.exe\"",
- "CurrentDirectory": "C:\\Windows\\system32\\",
- "Details": "Both",
- "EventType": "SetValue",
- "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2106.6-0\\MsMpEng.exe",
- "ImageHashes": "SHA1=FBF03B5D6DC1A7EDAB0BA8D4DD27291C739E5813,MD5=B1C15F9DB942B373B2FC468B7048E63F,SHA256=1DC05B6DD6281840CEB822604B0E403E499180D636D02EC08AD77B4EB56F1B9C,IMPHASH=8AA2B8727E6858A3557A4C09970B9A5D",
- "ImageSignature": "?",
- "ImageSignatureStatus": "?",
- "ImageSigned": "false",
- "IntegrityLevel": "System",
- "ProcessGuid": "{515cd0d1-7669-6123-4e00-000000007300}",
- "ProcessId": "3276",
- "ProcessThreatScore": "16",
- "RuleName": "-",
- "Services": "WinDefend",
- "TargetObject": "HKCR\\CLSID\\{2DCD7FDB-8809-48E4-8E4F-3157C57CF987}\\InprocServer32\\ThreadingModel",
- "User": "NT AUTHORITY\\SYSTEM",
- "UtcTime": "2021-08-23 10:20:25.878"
+ "New Value": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\ServiceStartStates = 0x1",
+ "Old Value": "Default\\ServiceStartStates = 0x0",
+ "Product Name": "Windows Defender Antivirus",
+ "Product Version": "4.18.2106.6"
},
"System": {
- "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Channel": "Microsoft-Windows-Windows Defender/Operational",
"Computer": "DESKTOP-LJRVE06",
"Correlation": {
"ActivityID": "",
"RelatedActivityID": ""
},
- "EventID": 13,
+ "EventID": 5007,
"Execution": {
- "ProcessID": 3220,
- "ThreadID": 3848
+ "ProcessID": 3276,
+ "ThreadID": 3592
},
"Keywords": {
"Name": "",
@@ -3079,19 +3065,19 @@ var OpenAPIDefinition = `
"Value": 4
},
"Opcode": {
- "Name": "Info",
+ "Name": "",
"Value": 0
},
"Provider": {
- "Guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
- "Name": "Microsoft-Windows-Sysmon"
+ "Guid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}",
+ "Name": "Microsoft-Windows-Windows Defender"
},
"Task": {
"Name": "",
"Value": 0
},
"TimeCreated": {
- "SystemTime": "2022-07-13T09:46:12.972699856+02:00"
+ "SystemTime": "2022-07-25T10:23:54.519668919+02:00"
}
}
}
@@ -3100,9 +3086,9 @@ var OpenAPIDefinition = `
"Event": {
"Detection": {
"Actions": [],
- "Criticality": 10,
+ "Criticality": 8,
"Signature": [
- "UntrustedDriverLoaded"
+ "NewAutorun"
]
},
"EdrData": {
@@ -3114,19 +3100,29 @@ var OpenAPIDefinition = `
},
"Event": {
"Detection": true,
- "Hash": "524029a50d6385d3262723673f983059ecb34860",
- "ReceiptTime": "2022-07-13T07:46:14.000237988Z"
+ "Hash": "909b584a8913262c358b8b1f187d424446624717",
+ "ReceiptTime": "2022-07-25T08:23:55.544257013Z"
}
},
"EventData": {
- "Hashes": "SHA1=E9AC7F28883867C91CD940E6F2EC6E98AA2197AF,MD5=1E683E20DDD61ECBDD0D046DB7FB6027,SHA256=374FF85925CBDD75D64180E7D2B20A13F6EF2ABD248E6CB7D4FF2B7A42DBE5C8,IMPHASH=D6B88475B1759078DD0B119777B66A37",
- "ImageLoaded": "C:\\Windows\\System32\\drivers\\VBoxMouse.sys",
- "ImageLoadedSize": "186528",
+ "CommandLine": "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2106.6-0\\MsMpEng.exe\"",
+ "CurrentDirectory": "C:\\Windows\\system32\\",
+ "Details": "PSFactoryBuffer",
+ "EventType": "SetValue",
+ "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2106.6-0\\MsMpEng.exe",
+ "ImageHashes": "SHA1=FBF03B5D6DC1A7EDAB0BA8D4DD27291C739E5813,MD5=B1C15F9DB942B373B2FC468B7048E63F,SHA256=1DC05B6DD6281840CEB822604B0E403E499180D636D02EC08AD77B4EB56F1B9C,IMPHASH=8AA2B8727E6858A3557A4C09970B9A5D",
+ "ImageSignature": "?",
+ "ImageSignatureStatus": "?",
+ "ImageSigned": "false",
+ "IntegrityLevel": "System",
+ "ProcessGuid": "{515cd0d1-7669-6123-4e00-000000007300}",
+ "ProcessId": "3276",
+ "ProcessThreatScore": "48",
"RuleName": "-",
- "Signature": "Oracle Corporation",
- "SignatureStatus": "Valid",
- "Signed": "true",
- "UtcTime": "2021-08-23 10:20:18.860"
+ "Services": "WinDefend",
+ "TargetObject": "HKCR\\CLSID\\{4DB116D1-9B24-4DFC-946B-BFE03E852002}\\(Default)",
+ "User": "NT AUTHORITY\\SYSTEM",
+ "UtcTime": "2021-08-23 10:20:25.878"
},
"System": {
"Channel": "Microsoft-Windows-Sysmon/Operational",
@@ -3135,10 +3131,10 @@ var OpenAPIDefinition = `
"ActivityID": "",
"RelatedActivityID": ""
},
- "EventID": 6,
+ "EventID": 13,
"Execution": {
"ProcessID": 3220,
- "ThreadID": 3584
+ "ThreadID": 3848
},
"Keywords": {
"Name": "",
@@ -3161,7 +3157,7 @@ var OpenAPIDefinition = `
"Value": 0
},
"TimeCreated": {
- "SystemTime": "2022-07-13T09:46:12.972867762+02:00"
+ "SystemTime": "2022-07-25T10:23:54.519748584+02:00"
}
}
}
@@ -3287,14 +3283,14 @@ var OpenAPIDefinition = `
},
"Event": {
"Detection": false,
- "Hash": "d0bcb5739dd98b9e3b20db0211ae62d73d86080b",
- "ReceiptTime": "2022-07-13T07:46:13.986733458Z"
+ "Hash": "b7036733987e0fca2fcd7e70a6618535759368b2",
+ "ReceiptTime": "2022-07-25T08:23:55.538493994Z"
}
},
"EventData": {
"CommandLine": "C:\\Windows\\system32\\svchost.exe -k appmodel -p -s StateRepository",
"CurrentDirectory": "C:\\Windows\\system32\\",
- "Details": "DWORD (0x00000001)",
+ "Details": "DWORD (0x00000004)",
"EventType": "SetValue",
"Image": "C:\\Windows\\system32\\svchost.exe",
"ImageHashes": "SHA1=75C5A97F521F760E32A4A9639A653EED862E9C61,MD5=9520A99E77D6196D0D09833146424113,SHA256=DD191A5B23DF92E12A8852291F9FB5ED594B76A28A5A464418442584AFD1E048,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69",
@@ -3307,9 +3303,9 @@ var OpenAPIDefinition = `
"ProcessThreatScore": "0",
"RuleName": "-",
"Services": "StateRepository",
- "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\c\\PackageType",
+ "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\17f\\PackageType",
"User": "NT AUTHORITY\\SYSTEM",
- "UtcTime": "2021-08-23 10:20:29.729"
+ "UtcTime": "2021-08-23 10:20:29.849"
},
"System": {
"Channel": "Microsoft-Windows-Sysmon/Operational",
@@ -3344,7 +3340,7 @@ var OpenAPIDefinition = `
"Value": 0
},
"TimeCreated": {
- "SystemTime": "2022-07-13T09:46:12.97147703+02:00"
+ "SystemTime": "2022-07-25T10:23:54.517373741+02:00"
}
}
}
@@ -3360,29 +3356,29 @@ var OpenAPIDefinition = `
},
"Event": {
"Detection": false,
- "Hash": "46d9fac447e45100270412eda6d800850e1dd923",
- "ReceiptTime": "2022-07-13T07:46:13.99563071Z"
+ "Hash": "12f7448b40da2936fb9f38048829a89681767cae",
+ "ReceiptTime": "2022-07-25T08:23:55.538969946Z"
}
},
"EventData": {
- "CommandLine": "C:\\Windows\\System32\\svchost.exe -k utcsvc -p",
+ "CommandLine": "C:\\Windows\\system32\\svchost.exe -k appmodel -p -s StateRepository",
"CurrentDirectory": "C:\\Windows\\system32\\",
- "Details": "DWORD (0x00000000)",
+ "Details": "DWORD (0x00000001)",
"EventType": "SetValue",
- "Image": "C:\\Windows\\System32\\svchost.exe",
+ "Image": "C:\\Windows\\system32\\svchost.exe",
"ImageHashes": "SHA1=75C5A97F521F760E32A4A9639A653EED862E9C61,MD5=9520A99E77D6196D0D09833146424113,SHA256=DD191A5B23DF92E12A8852291F9FB5ED594B76A28A5A464418442584AFD1E048,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69",
"ImageSignature": "?",
"ImageSignatureStatus": "?",
"ImageSigned": "false",
"IntegrityLevel": "System",
- "ProcessGuid": "{515cd0d1-7669-6123-4500-000000007300}",
- "ProcessId": "2364",
+ "ProcessGuid": "{515cd0d1-7668-6123-3c00-000000007300}",
+ "ProcessId": "2556",
"ProcessThreatScore": "0",
"RuleName": "-",
- "Services": "DiagTrack",
- "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics\\DiagTrack\\HeartBeats\\Aria\\EventStoreReset",
+ "Services": "StateRepository",
+ "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\283\\Volume",
"User": "NT AUTHORITY\\SYSTEM",
- "UtcTime": "2021-08-23 10:20:30.011"
+ "UtcTime": "2021-08-23 10:20:30.116"
},
"System": {
"Channel": "Microsoft-Windows-Sysmon/Operational",
@@ -3417,7 +3413,7 @@ var OpenAPIDefinition = `
"Value": 0
},
"TimeCreated": {
- "SystemTime": "2022-07-13T09:46:12.971477393+02:00"
+ "SystemTime": "2022-07-25T10:23:54.517374685+02:00"
}
}
}
@@ -3463,30 +3459,30 @@ var OpenAPIDefinition = `
"avg-signature-criticality": 0,
"bounded-score": 0,
"count-by-signature": {
- "DefenderConfigChanged": 6,
- "NewAutorun": 23,
- "SuspiciousService": 3,
- "UnknownServices": 5,
- "UntrustedDriverLoaded": 13
+ "DefenderConfigChanged": 9,
+ "NewAutorun": 16,
+ "SuspiciousService": 7,
+ "UnknownServices": 8,
+ "UntrustedDriverLoaded": 10
},
"count-uniq-signatures": 5,
"identifier": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d",
- "median-time": "2022-07-13T15:47:51.039398197+02:00",
+ "median-time": "2022-07-25T10:23:57.921247536+02:00",
"score": 0,
"signature-count": 50,
"signature-criticality-metric": 0,
"signature-diversity": 100,
"signatures": [
- "NewAutorun",
- "UntrustedDriverLoaded",
"SuspiciousService",
+ "UnknownServices",
+ "UntrustedDriverLoaded",
"DefenderConfigChanged",
- "UnknownServices"
+ "NewAutorun"
],
- "start-time": "2022-07-13T15:47:51.03797421+02:00",
+ "start-time": "2022-07-25T10:23:57.918944198+02:00",
"std-dev-alert-criticality": 0,
"std-dev-signature-criticality": -92233720368547760,
- "stop-time": "2022-07-13T15:47:51.040822185+02:00",
+ "stop-time": "2022-07-25T10:23:57.923550875+02:00",
"sum-alert-criticality": 0,
"sum-rule-criticality": 0,
"tactics": null,
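Review bot: The regenerated example still carries `"std-dev-signature-criticality": -92233720368547760`, and a standard deviation cannot be negative; the magnitude looks like an integer-overflow or uninitialised-accumulator artefact (close to math.MinInt64 after a float round-trip) in the statistics code these examples are produced from, which this commit leaves untouched. The same value appears in the two following hunks for the identical report (identifier 5a92baeb-…), so it is systematic rather than a one-off fixture quirk. It is worth tracing to the computation that fills this field before the example is published, and either fixing the computation or guarding the divisor/variance with a `if variance < 0 { variance = 0 }` style check so the documented payload is plausible.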
@@ -3530,30 +3526,30 @@ var OpenAPIDefinition = `
"avg-signature-criticality": 0,
"bounded-score": 0,
"count-by-signature": {
- "DefenderConfigChanged": 6,
- "NewAutorun": 23,
- "SuspiciousService": 3,
- "UnknownServices": 5,
- "UntrustedDriverLoaded": 13
+ "DefenderConfigChanged": 9,
+ "NewAutorun": 16,
+ "SuspiciousService": 7,
+ "UnknownServices": 8,
+ "UntrustedDriverLoaded": 10
},
"count-uniq-signatures": 5,
"identifier": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d",
- "median-time": "2022-07-13T15:47:51.039398197+02:00",
+ "median-time": "2022-07-25T10:23:57.921247536+02:00",
"score": 0,
"signature-count": 50,
"signature-criticality-metric": 0,
"signature-diversity": 100,
"signatures": [
"UntrustedDriverLoaded",
- "SuspiciousService",
"DefenderConfigChanged",
- "UnknownServices",
- "NewAutorun"
+ "NewAutorun",
+ "SuspiciousService",
+ "UnknownServices"
],
- "start-time": "2022-07-13T15:47:51.03797421+02:00",
+ "start-time": "2022-07-25T10:23:57.918944198+02:00",
"std-dev-alert-criticality": 0,
"std-dev-signature-criticality": -92233720368547760,
- "stop-time": "2022-07-13T15:47:51.040822185+02:00",
+ "stop-time": "2022-07-25T10:23:57.923550875+02:00",
"sum-alert-criticality": 0,
"sum-rule-criticality": 0,
"tactics": null,
@@ -3639,35 +3635,35 @@ var OpenAPIDefinition = `
{
"alert-count": 50,
"alert-criticality-metric": 0,
- "archived-time": "2022-07-13T15:47:52.100370576+02:00",
+ "archived-time": "2022-07-25T10:23:59.007202192+02:00",
"avg-alert-criticality": 0,
"avg-signature-criticality": 0,
"bounded-score": 0,
"count-by-signature": {
- "DefenderConfigChanged": 6,
- "NewAutorun": 23,
- "SuspiciousService": 3,
- "UnknownServices": 5,
- "UntrustedDriverLoaded": 13
+ "DefenderConfigChanged": 9,
+ "NewAutorun": 16,
+ "SuspiciousService": 7,
+ "UnknownServices": 8,
+ "UntrustedDriverLoaded": 10
},
"count-uniq-signatures": 5,
"identifier": "5a92baeb-9384-47d3-92b4-a0db6f9b8c6d",
- "median-time": "2022-07-13T15:47:51.039398197+02:00",
+ "median-time": "2022-07-25T10:23:57.921247536+02:00",
"score": 0,
"signature-count": 50,
"signature-criticality-metric": 0,
"signature-diversity": 100,
"signatures": [
"UntrustedDriverLoaded",
- "SuspiciousService",
"DefenderConfigChanged",
- "UnknownServices",
- "NewAutorun"
+ "NewAutorun",
+ "SuspiciousService",
+ "UnknownServices"
],
- "start-time": "2022-07-13T15:47:51.03797421+02:00",
+ "start-time": "2022-07-25T10:23:57.918944198+02:00",
"std-dev-alert-criticality": 0,
"std-dev-signature-criticality": -92233720368547760,
- "stop-time": "2022-07-13T15:47:51.040822185+02:00",
+ "stop-time": "2022-07-25T10:23:57.923550875+02:00",
"sum-alert-criticality": 0,
"sum-rule-criticality": 0,
"tactics": null,
@@ -3749,10 +3745,10 @@ var OpenAPIDefinition = `
"example": {
"data": [
{
- "guuid": "4731dcb5-6612-2e14-0f33-a7072f660ee7",
+ "guuid": "c62b591f-a807-1510-20e4-95d47a90a2e7",
"source": "XyzTIProvider",
"type": "domain",
- "uuid": "ffffa1b8-d710-5919-b763-2ceacb3d54ab",
+ "uuid": "46a58174-2ab5-9ad6-746b-bfe815030293",
"value": "some.random.domain"
}
],
@@ -3800,8 +3796,8 @@ var OpenAPIDefinition = `
},
"example": [
{
- "uuid": "ffffa1b8-d710-5919-b763-2ceacb3d54ab",
- "guuid": "4731dcb5-6612-2e14-0f33-a7072f660ee7",
+ "uuid": "46a58174-2ab5-9ad6-746b-bfe815030293",
+ "guuid": "c62b591f-a807-1510-20e4-95d47a90a2e7",
"source": "XyzTIProvider",
"value": "some.random.domain",
"type": "domain"
@@ -3819,10 +3815,10 @@ var OpenAPIDefinition = `
"example": {
"data": [
{
- "guuid": "4731dcb5-6612-2e14-0f33-a7072f660ee7",
+ "guuid": "c62b591f-a807-1510-20e4-95d47a90a2e7",
"source": "XyzTIProvider",
"type": "domain",
- "uuid": "ffffa1b8-d710-5919-b763-2ceacb3d54ab",
+ "uuid": "46a58174-2ab5-9ad6-746b-bfe815030293",
"value": "some.random.domain"
}
],
@@ -4319,8 +4315,8 @@ var OpenAPIDefinition = `
"description": "",
"group": "",
"identifier": "TestAdminUser",
- "key": "OcB7kg14f5SwH06lMDsqO6yTBd0tiYqEulOVjyNGoWvpkNPdHfVUN6gtcrJJhYEn",
- "uuid": "aeb16c82-0d8f-d431-1b9e-a0aa9a63222e"
+ "key": "OacvQ1oEihy69VQvHokQJFEm6Twh43bXSNLNc0uc5RwMNRnKhJspXMIUD5heTsPG",
+ "uuid": "30064bc2-4e87-917a-4657-70203f19a188"
},
"error": "",
"message": "OK"
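Review bot: The example response embeds a freshly generated 64-character admin API key (`"key": "OacvQ1oE…"`) in the public OpenAPI document, and it changes on every regeneration, which both churns the diff and trains secret scanners to flag this file. Since the value is only a test fixture, the generator should substitute a clearly fake placeholder such as `"key": "<64-char-api-key>"` (or a fixed constant) before writing the example, and likewise for the uuid/guuid/hash/timestamp fields across the other hunks of this file. That keeps the documentation stable between runs and avoids a documentation example ever being mistaken for a live credential.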
@@ -4363,7 +4359,7 @@ var OpenAPIDefinition = `
}
},
"example": {
- "uuid": "ae57bff8-cff2-046e-7227-0edde35bcc7c",
+ "uuid": "beff914c-9d97-a043-b205-b73cdc00afca",
"identifier": "SecondTestAdmin",
"key": "ChangeMe",
"group": "CSIRT",
@@ -4384,7 +4380,7 @@ var OpenAPIDefinition = `
"group": "CSIRT",
"identifier": "SecondTestAdmin",
"key": "ChangeMe",
- "uuid": "ae57bff8-cff2-046e-7227-0edde35bcc7c"
+ "uuid": "beff914c-9d97-a043-b205-b73cdc00afca"
},
"error": "",
"message": "OK"
@@ -4472,7 +4468,7 @@ var OpenAPIDefinition = `
"group": "SOC",
"identifier": "SecondTestAdmin",
"key": "NewWeakKey",
- "uuid": "ae57bff8-cff2-046e-7227-0edde35bcc7c"
+ "uuid": "beff914c-9d97-a043-b205-b73cdc00afca"
},
"error": "",
"message": "OK"
@@ -4510,7 +4506,7 @@ var OpenAPIDefinition = `
"group": "SOC",
"identifier": "SecondTestAdmin",
"key": "NewWeakKey",
- "uuid": "ae57bff8-cff2-046e-7227-0edde35bcc7c"
+ "uuid": "beff914c-9d97-a043-b205-b73cdc00afca"
},
"error": "",
"message": "OK"
diff --git a/api/openapi_test.go b/api/openapi_test.go
index 3bd7dae..5048960 100644
--- a/api/openapi_test.go
+++ b/api/openapi_test.go
@@ -215,8 +215,11 @@ func prep() (m *Manager, c *ManagerClient) {
}
fconf.Client.Key = key
+ ctx, cancel := context.WithCancel(context.Background())
+ defer cancel()
+
// sending logs to manager
- f, err := NewForwarder(&fconf)
+ f, err := NewForwarder(ctx, &fconf)
if err != nil {
panic(err)
}
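Review bot: `defer cancel()` cancels the new context as soon as prep() returns, yet the forwarder `f` created from it on the next line presumably outlives prep (it is wired into the manager/client that the function hands back); if NewForwarder retains ctx for the forwarder's lifetime, as the matching hids.go change passing the long-lived `h.ctx` suggests, the test forwarder will run under an already-cancelled context and its sends will stop or fail immediately. Either return the cancel func to the caller (`return m, c, cancel`, a signature change) or, if the forwarder must simply live for the whole test, use `ctx := context.Background()` here and drop the defer. prep()'s body begins and ends outside this hunk.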
diff --git a/hids/cron.go b/hids/cron.go
index 3dedbdd..b798c66 100644
--- a/hids/cron.go
+++ b/hids/cron.go
@@ -592,6 +592,7 @@ func (h *HIDS) scheduleTasks() {
}
}).Schedule(time.Now()), crony.PrioHigh)
+ // Action handler scheduling
h.scheduler.Schedule(crony.NewAsyncTask("Action Handler").Func(func() {
h.actionHandler.handleActionsLoop()
}).Schedule(time.Now()), crony.PrioHigh)
@@ -600,5 +601,6 @@ func (h *HIDS) scheduleTasks() {
h.actionHandler.compressionLoop()
}).Schedule(time.Now()), crony.PrioHigh)
+ // start scheduler
h.scheduler.Start()
}
diff --git a/hids/hids.go b/hids/hids.go
index 74103d3..fe4b15a 100644
--- a/hids/hids.go
+++ b/hids/hids.go
@@ -167,7 +167,7 @@ func NewHIDS(c *Config) (h *HIDS, err error) {
}
// loading forwarder config
- if h.forwarder, err = api.NewForwarder(c.FwdConfig); err != nil {
+ if h.forwarder, err = api.NewForwarder(h.ctx, h.config.FwdConfig); err != nil {
return
}
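Review bot: The forwarder is now built from `h.ctx` and `h.config.FwdConfig` instead of the constructor argument `c`, which is only correct if both fields are populated earlier in NewHIDS than this line; the hunk does not show that ordering, and if `h.ctx` is still nil at this point the forwarder receives a nil context, which any later `ctx.Done()`/`ctx.Err()` call will dereference and panic on. If the ordering is intentional, a short comment above the call such as `// h.ctx and h.config are initialised above; the forwarder inherits the HIDS lifetime` would make the dependency explicit; otherwise keep `c.FwdConfig` and create the context before this call. NewHIDS starts outside the hunk.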
@@ -729,9 +729,6 @@ func (h *HIDS) Run() {
// Runs the forwarder
h.forwarder.Run()
- // Running action manager
- //h.actionHandler.handleActionsLoop()
-
// Start scheduler
h.scheduleTasks()