-
Notifications
You must be signed in to change notification settings - Fork 7
/
Copy pathreporter.cfg
executable file
·73 lines (67 loc) · 4.01 KB
/
reporter.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
########################################################################
# This is the configuration file for the Carbon Black Reporter script
# designed to provide customizable output in the form of a customizable
# Excel Spreadsheet. The script allows you to customize the tab names
# and fields that you wish to display for binary, process and alerts.
########################################################################
# Format:
#
# [Tab Name]
# Type = binary|process|alert
# Fields = <query output fields to display per column>
# Query = <the Carbon Black query you want to run>
########################################################################
# Available Fields:
#
# Binary Search:
#
# digsig_result,observed_filename,product_version,legal_copyright,
# alliance_link_virustotal,private_build,is_executable_image,orig_mod_len,
# is_64bit,alliance_score_virustotal,group,file_version,comments,
# company_name,internal_name,product_name,alliance_data_virustotal,
# digsig_result_code,timestamp,alliance_updated_virustotal,copied_mod_len,
# server_added_timestamp,md5,endpoint,watchlists,signed,original_filename,
# cb_version,os_type,file_desc,last_seen
#
# Process Search:
#
# process_md5,sensor_id,modload_count,cmdline,last_update,id,parent_name,
# parent_md5,group,hostname,filemod_count,start,comms_ip,netconn_count,
# interface_ip,process_pid,username,process_name,path,regmod_count,parent_pid,
# crossproc_count,segment_id,host_type,os_type,childproc_count,unique_id
#
# Alert Search:
#
# modload_count,alert_type,sensor_criticality,report_score,watchlist_id,
# sensor_id,feed_name,created_time,report_ignored,ioc_type,crossproc_count,
# ioc_confidence,alert_severity,watchlist_name,group,hostname,filemod_count,
# comms_ip,netconn_count,interface_ip,username,process_path,description,
# process_name,process_id,link,ioc_value,regmod_count,md5,segment_id,
# total_hosts,feed_id,status,os_type,childproc_count,unique_id,feed_rating,
# status,username,hostname,feed_name,assigned_to,watchlist_name
########################################################################
# For a full description of the fields listed above please visit
# our developer website at https://developer.carbonblack.com/reference/enterprise-response/5.1/rest-api/#process-data:ec3e4958451e5256ed16afd222059e6d
# on the Carbon Black homepage. In the future fields may be added and
# available for use on this site.
########################################################################
[VT Score Greater than 3 All]
Type = binary
Fields = digsig_result,observed_filename,product_version,legal_copyright,alliance_link_virustotal,private_build,is_executable_image,orig_mod_len,is_64bit,alliance_score_virustotal,group,file_version,comments,company_name,internal_name,product_name,alliance_data_virustotal,digsig_result_code,timestamp,alliance_updated_virustotal,copied_mod_len,server_added_timestamp,md5,endpoint,watchlists,signed,original_filename,cb_version,os_type,file_desc,last_seen
Query = alliance_score_virustotal:[3 TO *]
[VT Process Score Greater than 3]
Type = process
Fields = hostname,process_md5,path
Query = alliance_score_virustotal:[3 TO *]
[CMD Started by Cscript Process]
Type = process
Fields = modload,filemod,path,regmod,md5,cmdline,hostname,group,process_name,parent_name,process_md5,filewrite_md5,parent_md5,username,host_type
Query = process_name:wscript.exe AND childproc_name:cmd.exe
[CMD]
Type = process
Fields = path,cmdline,hostname,group,process_name,parent_name,process_md5,username,host_type
Query = childproc_name:cmd.exe
[Port 22]
Type = process
Fields = modload_count,alert_type,sensor_criticality,report_score,watchlist_id,sensor_id,feed_name,created_time,report_ignored,ioc_type,crossproc_count,ioc_confidence,alert_severity,watchlist_name,group,hostname,filemod_count,comms_ip,netconn_count,interface_ip,username,process_path,description,process_name,process_id,link,ioc_value,regmod_count,md5,segment_id,total_hosts,feed_id,status,os_type,childproc_count,unique_id,feed_rating,status,username,hostname,feed_name,assigned_to,watchlist_name
Query = ipport:22