Hi Experts,
I need your help to create query to show output when a system is infected with any malware\virus (**Source anti virus**)and same is generating traffic (**strong text**source firewall)
Challenge I am facing is that in Antivirus log infected host is dest_ip and in firewall logs source is src_ip.
Other thing is I am unable to find any common field between two logs (Anti virus and Firewall)
Sample logs for Anti virus :
"2016-12-29 12:43:26" Type="SecurityIncident", RowID="AACDE705-F0A9-46B0-BE27-C0ECF81554A7", Name="MalwareInfection", Description="NotImplemented", Timestamp=1451418206600, SchemaVersion="1.0", ObserverHost="hostname", ObserverUser=0, ObserverProductName="SystemCenterEndpointProtection", ObserverProductversion="4.8.0204.0", ObserverProtectionType="AM", ObserverProtectionVersion=0, ObserverProtectionSignatureVersion=0, ObserverDetection="Realtime", ObserverDetectionTime=1451418206600, ActorHost=0, ActorUser=0, ActorProcess=0, ActorResource=0, ActionType="MalwareInfection", TargetHost="Thost", TargetUser="Tuser", TargetProcess="C:\Windows\explorer.exe", TargetResource="file:_E:\O F F I C E\PDFCreatorWebSetup.exe", ClassificationID=2147697638, ClassificationType="Trojan:Win32/Dorv.B!rfn", ClassificationSeverity="Severe", ClassificationCategory="Trojan", RemediationType="Quarantine", RemediationResult="True", RemediationErrorCode=0, RemediationPendingAction="NoActionRequired", IsActiveMalware="False"
Sample logs of Firewall
Dec 29 15:18:38 FHost 1,2015/12/29 15:18:38,007701001134,TRAFFIC,drop,1,2015/12/29 15:18:32,80.82.79.104,10.X.X.X,0.0.0.0,0.0.0.0,LOG-OUTSIDE,,,not-applicable,vs1,OUTSIDE,INSIDE,ethernet1/1,,Forward to Panorama,2015/12/29 15:18:32,0,1,41237,8080,0,0,0x0,tcp,deny,60,60,0,1,2015/12/29 15:16:06,0,any,0,7857899777,0x8000000000000000,china,UK,0,1,0,policy-deny
↧