[{"data":1,"prerenderedAt":226},["ShallowReactive",2],{"markdown-scenario-zh":3,"chat-scenes-zh":4,"chat-cases-zh":173},"",[5,19,33,43,51,61,72,82,91,98,105,112,119,126,133,140,147,160],{"agentName":6,"description":7,"displayOrder":8,"id":8,"isAgent":9,"longDescription":10,"promptTitle":11,"prompts":12,"title":6},"威胁查询速译员","自然语言转查询语句,支持 SQL/ES/SPL 三种格式",1,true,"面向 SOC/SOAR 运营场景,根据您提供的威胁检测需求,自动转化为适配 SIEM/SOAR 平台、威胁狩猎工具的标准化专业查询语句,精准覆盖异常行为检测、跨平台 IOC 匹配等核心场景","能把你的自然语言需求转成 SQL/ES/SPL 查询语句,",[13,15,17],{"text":14,"html":14},"帮我把 \"检测近一周的异常登录行为\" 转成 ES 查询语句",{"text":16,"html":16},"要查已知的勒索软件 IOC,生成对应的 SPL 查询",{"text":18,"html":18},"如何用SQL语句筛选APT攻击告警数据",{"agentName":20,"description":21,"displayOrder":22,"id":22,"isAgent":23,"longDescription":20,"promptTitle":24,"prompts":25,"title":32},null,"数据质量自动分析校验,确保安全分析数据靠谱可用",2,false,"专门检查安全数据质量,确保数据能用、准确,请提供你的数据样本,",[26,29],{"text":27,"html":28},"帮我检查下这份安全数据的关键分析字段是否有遗漏?{{DATA}}{\"eventCount\":\"1\",\"srcPort\":\"60763\",\"deviceReceiptTime\":\"2025-12-22 23:11:33\",\"deviceName\":\"XXX防火墙TGFW\",\"destAddress\":\"10.50.1.1\",\"srcGeoLongitude\":\"-95.71289\",\"srcGeoLatitude\":\"37.09024\",\"eventId\":\"6876678387820761089\",\"srcGeoCity\":\"未知\",\"machineCode\":\"b359dfd0-b5fc-4c06-b5c1-ad2ab9223fe5-171071009\",\"srcAddress\":\"100.20.1.1\",\"srcGeoCountry\":\"美国\",\"productVendorName\":\"XX信息\",\"transProtocol\":\"TCP\",\"deviceSendProductName\":\"XXX防火墙TGFW\",\"destGeoAddress\":\"局域网\",\"name\":\"访问控制\",\"destGeoRegion\":\"局域网\",\"catOutcome\":\"OK\",\"collectorReceiptTime\":\"2025-12-23 00:12:25\",\"appProtocol\":\"https\",\"deviceAddress\":\"10.50.1.2\",\"destPort\":\"443\",\"destGeoCountry\":\"局域网\",\"startTime\":\"2025-12-22 23:11:33\",\"srcGeoAddress\":\"美国verizon.com\",\"bytesIn\":\"878\",\"bytesOut\":\"1491\",\"direction\":\"10\",\"severity\":\"2\",\"message\":\"访问控制:来源地址/端口:100.20.1.1/60763,目的地址/端口:10.50.1.1/443,设备动作:permit。\",\"deviceAssetSubTypeId\":\"12\",\"endTime\":\"2025-12-22 23:11:33\",\"srcGeoRegion\":\"未知\"}{{/DATA}}","帮我检查下这份安全数据的关键分析字段是否有遗漏?",{"text":30,"html":31},"当前校验数据中枚举值映射是否准确?{{DATA}}{\"eventCount\":\"1\",\"srcPort\":\"60763\",\"deviceReceiptTime\":\"2025-12-22 23:11:33\",\"deviceName\":\"XXX防火墙TGFW\",\"destAddress\":\"10.50.1.1\",\"srcGeoLongitude\":\"-95.71289\",\"srcGeoLatitude\":\"37.09024\",\"eventId\":\"6876678387820761089\",\"srcGeoCity\":\"未知\",\"machineCode\":\"b359dfd0-b5fc-4c06-b5c1-ad2ab9223fe5-171071009\",\"srcAddress\":\"100.20.1.1\",\"srcGeoCountry\":\"美国\",\"productVendorName\":\"XX信息\",\"transProtocol\":\"TCP\",\"deviceSendProductName\":\"XXX防火墙TGFW\",\"destGeoAddress\":\"局域网\",\"name\":\"访问控制\",\"destGeoRegion\":\"局域网\",\"catOutcome\":\"OK\",\"collectorReceiptTime\":\"2025-12-23 00:12:25\",\"appProtocol\":\"https\",\"deviceAddress\":\"10.50.1.2\",\"destPort\":\"443\",\"destGeoCountry\":\"局域网\",\"startTime\":\"2025-12-22 23:11:33\",\"srcGeoAddress\":\"美国verizon.com\",\"bytesIn\":\"878\",\"bytesOut\":\"1491\",\"direction\":\"10\",\"severity\":\"2\",\"message\":\"访问控制:来源地址/端口:100.20.1.1/60763,目的地址/端口:10.50.1.1/443,设备动作:permit。\",\"deviceAssetSubTypeId\":\"12\",\"endTime\":\"2025-12-22 23:11:33\",\"srcGeoRegion\":\"未知\"}{{/DATA}}","当前校验数据中枚举值映射是否准确?","数据质量校验",{"agentName":20,"description":34,"displayOrder":35,"id":35,"isAgent":23,"longDescription":20,"promptTitle":36,"prompts":37,"title":42},"编排安全事件处置流程,实现标准化应急响应操作",3,"我可以帮你设计安全事件的标准化处置流程的逻辑,请说明事件类型,",[38,40],{"text":39,"html":39},"针对暴力破解事件,帮我设计一份应急响应剧本逻辑?",{"text":41,"html":41},"请为Webshell响应处置剧本设置触发条件","响应处置剧本设计",{"agentName":20,"description":44,"displayOrder":45,"id":45,"isAgent":23,"longDescription":20,"promptTitle":46,"prompts":47,"title":50},"对日志数据进行标准映射,转化为OSIM标准审计格式",4,"我可以帮你把字段统一成 OSIM 标准格式(支持SQL、SPL、ESQL等格式),请提供你的字段信息,",[48],{"text":49,"html":49},"帮我把这段非标准日志转成 OSIM 标准审计的SQL格式","日志数据映射",{"agentName":20,"description":52,"displayOrder":53,"id":53,"isAgent":23,"longDescription":20,"promptTitle":54,"prompts":55,"title":60},"围绕网端关联,梳理网络和终端安全事件的内在联系",5,"帮你理清网络和终端安全事件的关联关系,请提供相关事件数据,",[56,58],{"text":57,"html":57},"通过SMB投递恶意文件并添加注册表启动项,需要哪些日志数据进行关联分析",{"text":59,"html":59},"dnslog信息外带如何根据网络日志关联终端定位恶意进程","网端关联分析",{"agentName":20,"description":62,"displayOrder":63,"id":63,"isAgent":23,"longDescription":20,"promptTitle":64,"prompts":65,"title":71},"统计关联分析,让撞库、暴力破解等高危事件无处可藏",6,"分析撞库、暴力破解等高危事件,定位攻击源头,请提供事件数据,",[66,69],{"text":67,"html":68},"帮我分析下这段{{DATA}}本地提权{{/DATA}}事件的攻击源头?{{DATA}}{\"parentProcessName\":\"bash\",\"parentProcessMd5\":\"c432ba408abefb607ed0c1d3b64f08e0\",\"opType\":\"proc_operate\",\"eventCount\":\"1\",\"deviceReceiptTime\":\"2025-11-14 07:02:35\",\"deviceName\":\"XXXEDR\",\"processName\":\"sudo\",\"destAddress\":\"10.59.1.1\",\"parentImage\":\"/usr/bin/bash\",\"image\":\"/usr/bin/sudo\",\"eventId\":\"915633017756600393|17aa9e3e-202f-47c4-b0b7-95417cac4369\",\"machineCode\":\"1gzakdyuy4fcxj0y4al4b9jaj-171070995\",\"srcGeoCity\":\"局域网\",\"processMd5\":\"58b3a9fe0693abe40d2853d0c1b7f30e\",\"srcAddress\":\"10.59.1.1\",\"srcGeoCountry\":\"局域网\",\"productVendorName\":\"XXX信\",\"processUserName\":\"root\",\"attackerAddress\":\"10.59.1.1\",\"deviceSendProductName\":\"XXXEDR\",\"name\":\"本地提权\",\"destGeoRegion\":\"局域网\",\"catOutcome\":\"Attempt\",\"killChain\":\"KC_CommandControl\",\"logType\":\"alert\",\"hostName\":\"公共数据平台\",\"collectorReceiptTime\":\"2025-12-01 15:58:43\",\"deviceAddress\":\"172.16.0.1\",\"destGeoCountry\":\"局域网\",\"ruleType\":\"本地提权\",\"startTime\":\"2025-11-14 07:02:35\",\"destGeoCity\":\"局域网\",\"direction\":\"00\",\"severity\":\"7\",\"message\":\"威胁感知事件:本地提权 动作:用户sdm通过进程sudo进行本地提权\",\"hostAddress\":\"10.59.1.1\",\"endTime\":\"2025-11-14 07:02:35\",\"deviceAssetSubTypeId\":\"56\",\"srcGeoRegion\":\"局域网\",\"parentProcessUserName\":\"sdm\"}{{/DATA}}","帮我分析下这段本地提权事件的攻击源头?",{"text":70,"html":70},"针对勒索软件攻击,如何开展全链路溯源侦查?","高危事件智能侦查",{"agentName":20,"description":73,"displayOrder":74,"id":74,"isAgent":23,"longDescription":20,"promptTitle":75,"prompts":76,"title":81},"支持一键生成 Sigma/Yara 规则,快速检测安全威胁",7,"我能够一键生成 Sigma/Yara 规则,快速检测威胁,请提供你的威胁诉求,",[77,79],{"text":78,"html":78},"帮我生成一个检测挖矿木马的 Sigma 规则",{"text":80,"html":80},"针对钓鱼邮件攻击,如何生成对应的 Yara 检测规则?","威胁规则生成",{"agentName":20,"description":83,"displayOrder":84,"id":84,"isAgent":23,"longDescription":20,"promptTitle":85,"prompts":86,"title":90},"实现异构数据字段匹配,统一安全分析数据维度",8,"我可以帮你把字段统一成 OSIM 标准格式,请提供你的字段信息,",[87],{"text":88,"html":89},"帮我把这份字段,对应到 OSIM 的标准字段上,并输出标准的字段格式{{DATA}}\u003C46>2025-12-22T23:11:33+08:00 tgfw /opt/security/bin/vpp-agent[3436]: {\"type\":13,\"time_begin\":\"1766416231000000000\",\"sip\":\"100.20.1.1\",\"dip\":\"10.50.1.1\",\"sport\":\"60763\",\"dport\":\"443\",\"szone\":\"-\",\"dzone\":\"G3-1706776845\",\"action\":\"permit\",\"app_name\":\"TCP应用\",\"proto\":\"TCP\",\"rx_intf\":\"GE0_6\",\"tx_intf\":\"GE0_3\",\"up\":\"878\",\"down\":\"1491\",\"up_pkg\":\"6\",\"down_pkg\":\"4\",\"time_end\":\"1766416293064449624\"}{{/DATA}}","帮我把这份字段,对应到 OSIM 的标准字段上,并输出标准的字段格式","字段映射",{"agentName":20,"description":92,"displayOrder":93,"id":93,"isAgent":23,"longDescription":20,"promptTitle":46,"prompts":94,"title":97},"明确 OSIM 标准下恶意软件告警的核心必填字段,规范告警数据填报维度,确保告警信息符合行业标准且具备可分析性",9,[95],{"text":96,"html":96},"SOC(安全运营中心)分析师在处理一起安全事件时,需要填写标准化的工单或报告。新手分析师往往不知道需要收集哪些关键信息。我正在处理一起勒索软件感染事件,需要通过 API 上报给总部的态势感知平台。请问根据 OSIM 标准,‘恶意软件’类告警有哪些必填字段是我必须收集的?","OSIM标准恶意软件告警必填字段",{"agentName":20,"description":99,"displayOrder":100,"id":100,"isAgent":23,"longDescription":20,"promptTitle":46,"prompts":101,"title":104},"将 Nginx 原生访问日志,按 OSIM 审计日志格式完成字段映射与格式转换,实现日志数据的标准化治理与跨平台兼容",10,[102],{"text":103,"html":103},"请根据 OSIM 标准,帮我生成一份针对勒索软件感染事件的工单或报告,需要包含哪些关键信息?","Nginx日志转换为OSIM审计格式",{"agentName":20,"description":106,"displayOrder":107,"id":107,"isAgent":23,"longDescription":20,"promptTitle":46,"prompts":108,"title":111},"针对指定 IOC 特征,自动生成适配 Splunk、Elasticsearch、ClickHouse 的检索语句,支持多平台统一 IOC 排查",11,[109],{"text":110,"html":110},"我有一段 Nginx 的访问日志样例(附带日志内容)。请帮我写一个 Python 脚本,将其解析并映射为 OSIM 的 HTTP 审计日志格式","跨平台IOC检索查询语句生成",{"agentName":20,"description":113,"displayOrder":114,"id":114,"isAgent":23,"longDescription":20,"promptTitle":46,"prompts":115,"title":118},"在 SOAR 自动封禁剧本执行前,校验 IP 地址格式是否符合 OSIM 定义,拦截非法 IP 数据以避免剧本中断报错",12,[116],{"text":117,"html":117},"Threat Hunter发现了一个新的 IOC(例如某黑客团伙使用的特定 User-Agent 和端口)。他需要在 Splunk、Elasticsearch 和 ClickHouse 三个不同的系统中进行检索。我想查询所有内部主机发起的,目标端口为 445,且进程名为 'powershell.exe' 的网络连接记录。请根据 OSIM 标准字段生成对应的 SQL (ClickHouse) 、 SPL (Splunk) 、ES Query(Elasticsearch)查询语句。","SOAR剧本IP数据校验代码",{"agentName":20,"description":120,"displayOrder":121,"id":121,"isAgent":23,"longDescription":20,"promptTitle":46,"prompts":122,"title":125},"提取 APT29 攻击相关指标,并完成指标格式的标准化转换,适配威胁情报分析与检测规则构建的业务需求,提升攻击特征的可复用性",13,[123],{"text":124,"html":124},"在 SOAR(安全编排自动化响应)剧本中,一旦上游(如防火墙告警)传递给下游(如封禁 IP 接口)的数据格式不对(例如 IP 字段为空,或者包含了掩码),整个剧本就会报错中断。我正在编写一个‘自动封禁’剧本。请帮我写一段 Python 校验代码。在调用封禁 API 之前,检查传入的数据对象是否符合 asset.ip_address 的 OSIM 定义,特别是校验 IP 格式是否合法,如果不合法抛出具体错误。","APT29 攻击指标提取与转换",{"agentName":20,"description":127,"displayOrder":128,"id":128,"isAgent":23,"longDescription":20,"promptTitle":46,"prompts":129,"title":132},"按需构造蜜罐数据库的高逼真度审计表,模拟真实业务数据形态,增强蜜罐对攻击者的诱捕效果与攻击行为溯源能力",14,[130],{"text":131,"html":131},"这是一篇关于 APT29 最新活动的分析文章全文(https://www.10100.com/article/29746254)。请提取其中所有的攻击指标(IoC),并将其整理为符合 OSIM threat_intelligence 相关 schema 的 JSON 格式。","蜜罐数据库的逼真审计表构造",{"agentName":20,"description":134,"displayOrder":135,"id":135,"isAgent":23,"longDescription":20,"promptTitle":46,"prompts":136,"title":139},"设计符合威胁猎杀场景的图谱 Schema,规范威胁实体与关联关系的定义,支撑可视化威胁溯源与攻击链路分析",15,[137],{"text":138,"html":138},"背景: 部署蜜罐(Honeypot)或蜜标(Honeytoken)时,最大的痛点是“假得太明显”。如果攻击者入侵了一个数据库,发现里面的字段命名混乱或缺乏关键审计字段,他们会立刻意识到这是陷阱。为了欺骗高水平的攻击者,你需要生成极其逼真、符合工业标准的伪造数据结构。 我要在蜜罐数据库里伪造一张‘员工登录审计表’,用来诱捕尝试 dump 数据的攻击者。请利用 OSIM 标准生成建表语句,并生成 5 条看起来非常真实的虚假登录日志(包括成功的和失败的),字段要全,不仅要有 IP,还要有 session_id 和 login_type。","威胁猎杀图谱Schema设计",{"agentName":20,"description":141,"displayOrder":142,"id":142,"isAgent":23,"longDescription":20,"promptTitle":46,"prompts":143,"title":146},"提取凭证线索,助力身份类安全事件定责",16,[144],{"text":145,"html":145},"现代安全运营正在从“日志搜索”向“图谱分析”演进。但是,如何定义图谱中的节点(Node)和边(Edge)是一个巨大的难题。OSIM 天生就是一个完美的图数据库 Schema 定义书。我们正在用 Neo4j 构建威胁猎杀图谱。请读取 OSIM 的 asset 和 alert 相关定义,帮我设计图谱的 Schema(节点标签和关系)。例如,‘主机’和‘IP’是什么关系?‘进程’和‘文件’是什么关系?","SIEM 凭证转储取证分析",{"agentName":148,"description":149,"displayOrder":150,"id":150,"isAgent":9,"longDescription":151,"promptTitle":152,"prompts":153,"title":148},"Schema数据导师","通过自然、高效的对话交互,针对性的解答用户提出的问题,提供解决",17,"具备OSIM Schema(数据模式 / 架构) 为核心知识体系,集数据结构规划、Schema 设计指导、合规校验、问题诊断与知识赋能于一体的智能交互系统,答疑解惑,帮助您更好的理解OSIM数据","能帮你校验 Schema 相关问题、解答 Schema 知识,",[154,156,158],{"text":155,"html":155},"帮我检查这段 MySQL 建表 SQL 的语法有没有问题",{"text":157,"html":157},"我这组 JSON 数据和对应的 Schema 对不上,能自动校验并给对齐方案吗",{"text":159,"html":159},"前端请求参数和后端 Schema 的字段名不一致,怎么解决",{"agentName":161,"description":162,"displayOrder":163,"id":163,"isAgent":9,"longDescription":164,"promptTitle":165,"prompts":166,"title":161},"合规数据编排师","将用户提交的原始数据转化为符合不同行业上报规范的结构化数据",18,"根据您所提交的原始数据,通过数据格式标准化、指标口径对齐、行业规则映射,将其转化为符合金融、政务、医疗、能源等不同行业上报规范的结构化数据","能把原始数据转成符合行业上报规范的结构化数据,",[167,169,171],{"text":168,"html":168},"帮我把这份原始日志转换为金融行业的合规上报结构化数据",{"text":170,"html":170},"医疗行业的用户数据,怎么调整格式符合行业上报要求",{"text":172,"html":172},"政务领域的安全事件数据,合规化编排需要注意什么",[174,185,191,196,202,208,214,219],{"id":84,"title":175,"description":176,"tags":177,"viewCount":180,"useCount":180,"markdownContent":181,"markdownPath":182,"createdAt":183,"updatedAt":183,"creator":184},"SIEM凭证转储取证分析","红队(攻击方)在执行原子测试(例如 T1003 凭证转储)后,蓝队(防御方)往往不知道自己的 SIEM 是否成功记录了关键证据。这个场景是让 AI 充当\"裁判\"。我刚刚在测试机上模拟了 Mimikatz 的攻击行为。这是我从 SIEM 导出的最近 10 分钟的原始 JSON 日志。请根据 OSIM alert.credential_access 标准,检查这些日志中是否包含了完整的取证证据?缺了什么字段会导致我们无法定性攻击?",[178,179],"无文件上传","质量检查",123,"红队(攻击方)在执行原子测试(例如 T1003 凭证转储)后,蓝队(防御方)往往不知道自己的 SIEM 是否成功记录了关键证据。这个场景是让 AI 充当“裁判”。我刚刚在测试机上模拟了 Mimikatz 的攻击行为。这是我从 SIEM 导出的最近 10 分钟的原始 JSON 日志。请根据 OSIM alert.credential_access 标准,检查这些日志中是否包含了完整的取证证据?缺了什么字段会导致我们无法定性攻击?\n[\n {\n \"_index\": \"winlogbeat-7.10.0-2025.12.08\",\n \"_source\": {\n \"@timestamp\": \"2025-12-08T09:15:30.452Z\",\n \"event\": {\n \"code\": 4688,\n \"provider\": \"Microsoft-Windows-Security-Auditing\",\n \"action\": \"Process Creation (rule: ProcessCreate)\"\n },\n \"host\": {\n \"name\": \"WORKSTATION-HR-04\"\n },\n \"winlog\": {\n \"event_data\": {\n \"NewProcessName\": \"C:\\\\Users\\\\Public\\\\Downloads\\\\mimikatz.exe\",\n \"ParentProcessName\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"SubjectUserName\": \"admin_jdoe\",\n \"SubjectLogonId\": \"0x4a2f1\",\n \"CommandLine\": \"mimikatz.exe \\\"privilege::debug\\\" \\\"sekurlsa::logonpasswords\\\" \\\"exit\\\"\"\n }\n },\n \"message\": \"A new process has been created.\"\n }\n },\n {\n \"_index\": \"winlogbeat-7.10.0-2025.12.08\",\n \"_source\": {\n \"@timestamp\": \"2025-12-08T09:15:32.115Z\",\n \"event\": {\n \"code\": 10,\n \"provider\": \"Microsoft-Windows-Sysmon\",\n \"action\": \"ProcessAccess\"\n },\n \"host\": {\n \"name\": \"WORKSTATION-HR-04\"\n },\n \"winlog\": {\n \"event_data\": {\n \"RuleName\": \"LSASS_Access_Detected\",\n \"SourceImage\": \"C:\\\\Users\\\\Public\\\\Downloads\\\\mimikatz.exe\",\n \"SourceProcessId\": \"4120\",\n \"TargetImage\": \"C:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"TargetProcessId\": \"688\",\n \"CallTrace\": \"C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+9f3d0|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+2ec30|C:\\\\Users\\\\Public\\\\Downloads\\\\mimikatz.exe+1a2b3\"\n // 注意:此处缺少了 'GrantedAccess' 字段,或者该字段为空\n // 这是导致 OSIM 校验失败的关键缺失\n }\n },\n \"message\": \"Process accessed: Rule: LSASS_Access_Detected, Source: mimikatz.exe, Target: lsass.exe\"\n }\n }\n]\n根据对您提供的日志和 OSIM 标准的分析,您的 SIEM 日志**未能记录完整的取证证据**。虽然日志成功捕获了 Mimikatz 的执行和对 LSASS 进程的访问,但缺少了几个 OSIM 标准(特别是 `device_detection.edr_system.memory_backdoor` 和 `log.host_behavior_audit.process_operation`)中被标记为“RECOMMENDED”(推荐)或“REQUIRED”(必需)的关键字段。\n\n这些缺失的字段会严重影响蓝队对攻击的定性和后续的威胁狩猎。\n\n### 关键缺失字段及其影响\n\n1. **`GrantedAccess` (在 Sysmon ProcessAccess 事件中)**:\n * **日志现状**: 您在日志注释中已正确指出,`GrantedAccess` 字段缺失。\n * **缺失影响**: 这是**最关键的缺失**。该字段明确指出了 Mimikatz 对 `lsass.exe` 进程请求并获得了哪些具体权限(例如 `0x1FFFFF` 代表 `PROCESS_ALL_ACCESS`)。没有这个字段,我们只能推测 Mimikatz *可能* 读取了内存,但无法从日志上**确凿证明**它获得了执行凭证转储 (`sekurlsa::logonpasswords`) 所必需的 `PROCESS_VM_READ` 权限。这使得整个事件的恶意性证据链存在漏洞,可能被质疑为合法的调试行为。\n\n2. **`process_md5` / `parent_process_md5`**:\n * **日志现状**: 未包含 Mimikatz 可执行文件 (`mimikatz.exe`) 及其父进程 (`cmd.exe`) 的哈希值。\n * **缺失影响**: 无法验证可执行文件的唯一性。攻击者可以轻易重命名 Mimikatz 或其他工具,仅靠文件名无法准确识别恶意软件。哈希值是进行威胁情报匹配、确认恶意软件变种和进行 IOC (入侵指标) 调查的基础。\n\n3. **`parent_process_id`**:\n * **日志现状**: 日志1 (`Event ID 4688`) 包含了父进程名,但通常不包含父进程 ID (`ProcessId` of the parent)。日志2 (`Event ID 10`) 包含了 Mimikatz 的进程 ID,但没有其父进程 ID。\n * **缺失影响**: 完整的进程谱系 (`process_chain`) 对于理解攻击路径至关重要。知道父进程 ID 可以将 `cmd.exe` 和 `mimikatz.exe` 的事件精确地关联起来,构建完整的攻击链。缺少此信息会使得在复杂环境中关联事件变得困难。\n\n4. **`parent_process_command_line`**:\n * **日志现状**: 未记录启动 `cmd.exe` 的完整命令行。\n * **缺失影响**: 无法得知 `cmd.exe` 是如何被启动的(例如,是通过用户双击、PowerShell、还是一个恶意文档?)。这有助于判断初始感染向量和攻击的上下文。\n\n5. **标准化的 `op_type`, `log_type`, `outcome`**:\n * **日志现状**: Windows 原生日志使用自己的分类(如 `event.code`),而不是 OSIM 的标准化枚举值(如 `op_type: \"access\"`, `log_type: \"process\"`, `outcome: \"OK\"`)。\n * **缺失影响**: 这使得日志在安全编排、自动化和响应 (SOAR) 平台或统一的数据湖中难以被标准化处理和分析。自动化规则可能无法正确解析和分类这些事件。\n\n### 总结\n\n您的 SIEM 日志成功记录了**攻击的意图和行为**(运行 Mimikatz 并访问 LSASS),但未能提供**确凿的、可量化的、标准化的证据**来完全确认攻击的成功和恶意性。\n\n**核心问题**在于 **`GrantedAccess`** 字段的缺失,它直接关系到是否能证明攻击者获得了执行凭证转储所需的内存读取权限。其次是缺乏文件哈希 (`process_md5`),这使得无法进行精确的恶意软件识别。\n\n**建议**:\n1. **确保 Sysmon 配置正确**:检查您的 Sysmon 配置文件,确保 `ProcessAccess` 事件被正确记录,并包含 `GrantedAccess` 字段。\n2. **增强日志源**:如果可能,部署 EDR 解决方案,它们通常能提供更丰富、更标准化的字段,包括文件哈希和更详细的进程信息。\n3. **日志规范化**:在 SIEM 中建立强大的规范化(Normalization)管道,将 Windows 原生日志映射到如 OSIM 这样的通用数据模型 (CDM),以填充 `op_type`, `log_type` 等字段。\n\n通过补齐这些字段,您的日志将能够提供一条完整、无懈可击的证据链,从而成功定性此次凭证转储攻击。","cases/zh/Qwen_SIEM凭证转储取证分析.md","2026-04-07T09:10:11.300334","system",{"id":74,"title":132,"description":186,"tags":187,"viewCount":180,"useCount":180,"markdownContent":188,"markdownPath":189,"createdAt":190,"updatedAt":190,"creator":184},"背景: 部署蜜罐(Honeypot)或蜜标(Honeytoken)时,最大的痛点是\"假得太明显\"。如果攻击者入侵了一个数据库,发现里面的字段命名混乱或缺乏关键审计字段,他们会立刻意识到这是陷阱。为了欺骗高水平的攻击者,你需要生成极其逼真、符合工业标准的伪造数据结构。 我要在蜜罐数据库里伪造一张'员工登录审计表',用来诱捕尝试 dump 数据的攻击者。请利用 OSIM 标准生成建表语句,并生成 5 条看起来非常真实的虚假登录日志(包括成功的和失败的),字段要全,不仅要有 IP,还要有 session_id 和 login_type。",[178,179],"背景: 部署蜜罐(Honeypot)或蜜标(Honeytoken)时,最大的痛点是“假得太明显”。如果攻击者入侵了一个数据库,发现里面的字段命名混乱或缺乏关键审计字段,他们会立刻意识到这是陷阱。为了欺骗高水平的攻击者,你需要生成极其逼真、符合工业标准的伪造数据结构。\n我要在蜜罐数据库里伪造一张‘员工登录审计表’,用来诱捕尝试 dump 数据的攻击者。请利用 OSIM 标准生成建表语句,并生成 5 条看起来非常真实的虚假登录日志(包括成功的和失败的),字段要全,不仅要有 IP,还要有 session_id 和 login_type。\n\n我来帮你基于 OSIM 标准生成一个高度逼真的员工登录审计表。首先让我查询相关的 schema 定义。\n\nO\n\nlist_schema_names\n\n现在让我查看几个最相关的登录审计相关 schema:\n\nO\n\ndescribe_schemas\n\n完美!让我获取最适合的主机登录认证 schema 详细定义:\n\nO\n\nget_schema\n\n完美!现在我有了完整的 OSIM 标准字段定义。让我创建一个极其逼真的员工登录审计表,包含所有必要的字段和高度真实的测试数据。\n\n员工登录审计表 - 蜜罐数据库\nCode \n完美! 我已经为你生成了一个极其逼真、符合 OSIM 工业标准的员工登录审计表,专门用于蜜罐诱捕。\n\n🎯 关键设计亮点\n1. 100% 符合 OSIM 标准\n所有字段都严格遵循 log.authentication_and_access.host_login_authentication schema\n包含所有 REQUIRED 和 RECOMMENDED 字段\n枚举值完全匹配标准定义\n2. 高逼真度诱饵字段\n特别加强了以下关键字段,这些是攻击者最关心的:\n\n✅ session_id: 会话标识符(蜜标核心)\n✅ login_type: 登录类型(Interactive/RemoteInteractive/Service等)\n✅ login_id 和 login_guid: 多层会话追踪\n✅ src_ip: 源IP地址(包含海外可疑IP)\n✅ failure_reason: 详细失败原因(增加真实感)\n3. 真实的数据样本\n生成了 5 条高度真实的测试数据:\n\n✅ 成功的 RDP 远程登录 - 正常员工早晨工作\n🚨 失败的 SSH 暴力破解 - 来自海外IP的攻击尝试\n✅ 成功的本地交互式登录 - IT管理员\n🚨 失败的 RDP 登录 - 账户锁定\n✅ 成功的服务账户登录 - 自动化任务\n4. 工业级数据库设计\n完整的索引策略(单列+复合索引)\n微秒级时间戳精度(模拟真实审计系统)\n符合生产环境的字符集和引擎配置\n详细的注释和字段说明\n5. 埋藏的\"真实感\"细节\n注释中包含常用查询语句示例\n混合成功/失败登录(不是单一模式)\n包含服务账户、远程登录、本地登录等多种场景\n失败原因描述极其详细(PAM错误代码、安全策略等)\n🎣 为什么这个设计能骗过高级攻击者?\n字段命名规范: 完全符合 OSIM 国际标准,不是随意命名\n审计级时间戳: 包含 4 种不同的时间字段,符合真实审计系统\n完整的域信息: NT域、用户ID、进程路径等细节齐全\n真实的失败模式: 包含账户锁定、认证失败、暴力破解等真实攻击场景\n索引优化: 表明这是一个\"被频繁查询\"的生产表\n攻击者看到这张表后,会认为他们找到了金矿 - 一个包含真实登录会话的高价值目标! 🎯\n=========================================(右侧内容)\n-- ============================================================================\n-- 员工登录审计表 (基于 OSIM 标准: log.authentication_and_access.host_login_authentication)\n-- 用途: 高逼真度蜜罐数据表,用于诱捕攻击者\n-- 标准符合性: 100% 符合 OSIM 工业标准字段定义\n-- ============================================================================\n\nCREATE TABLE employee_login_audit (\n -- ========== 核心标识字段 ==========\n event_id VARCHAR(64) PRIMARY KEY COMMENT '全局唯一事件标识符 (UUID格式)',\n machine_code VARCHAR(64) NOT NULL COMMENT '设备唯一标识码',\n \n -- ========== 设备信息字段 ==========\n device_vendor_name VARCHAR(128) NOT NULL COMMENT '设备厂商名称',\n device_product_name VARCHAR(128) NOT NULL COMMENT '设备产品名称',\n device_name VARCHAR(128) NOT NULL COMMENT '设备名称',\n device_type_id ENUM('1','2','43','44','56') NOT NULL COMMENT '设备类型ID: 1=Windows, 2=Nix, 43=Windows审计代理, 44=Nix审计代理, 56=EDR系统',\n device_ip VARCHAR(45) NOT NULL COMMENT '设备IP地址',\n probe_ip VARCHAR(45) COMMENT '监控探针IP地址',\n \n -- ========== 事件基础信息 ==========\n name VARCHAR(256) NOT NULL COMMENT '事件摘要名称',\n description TEXT COMMENT '事件详细描述',\n log_type ENUM('account','others') DEFAULT 'account' COMMENT '日志类型: account=账户, others=其他',\n op_type ENUM('login','logout','others') NOT NULL COMMENT '操作类型: login=登录, logout=登出',\n \n -- ========== 时间戳字段 (关键审计字段) ==========\n start_time DATETIME(6) NOT NULL COMMENT '事件开始时间 (微秒精度)',\n end_time DATETIME(6) NOT NULL COMMENT '事件结束时间 (微秒精度)',\n device_receipt_time DATETIME(6) NOT NULL COMMENT '设备接收时间',\n collector_receipt_time DATETIME(6) NOT NULL COMMENT '采集器接收时间',\n \n -- ========== 事件结果和严重性 ==========\n outcome ENUM('OK','FAIL','Attempt') NOT NULL COMMENT '事件结果: OK=成功, FAIL=失败, Attempt=尝试',\n severity ENUM('Critical','High','Medium','Low','Info') COMMENT '严重性级别',\n event_count INT DEFAULT 1 COMMENT '事件计数',\n failure_reason TEXT COMMENT '失败原因详细描述',\n \n -- ========== 源端信息 (登录发起方) ==========\n src_ip VARCHAR(45) COMMENT '源IP地址',\n src_port INT COMMENT '源端口号',\n src_hostname VARCHAR(255) COMMENT '源主机名',\n src_username VARCHAR(128) NOT NULL COMMENT '源用户名',\n src_user_id VARCHAR(64) COMMENT '源用户唯一ID',\n src_nt_domain VARCHAR(128) COMMENT '源NT域名',\n src_login_id VARCHAR(64) COMMENT '源登录会话ID',\n \n -- ========== 目标端信息 (登录目标系统) ==========\n dest_ip VARCHAR(45) COMMENT '目标IP地址',\n dest_port INT COMMENT '目标端口号',\n dest_username VARCHAR(128) COMMENT '目标用户名',\n dest_user_id VARCHAR(64) COMMENT '目标用户ID',\n dest_nt_domain VARCHAR(128) COMMENT '目标NT域名',\n dest_login_id VARCHAR(64) COMMENT '目标登录ID',\n dest_login_guid VARCHAR(64) COMMENT '目标登录GUID',\n dest_info TEXT COMMENT '目标计算机或服务的详细信息',\n dest_service_name VARCHAR(128) COMMENT '目标服务名称',\n \n -- ========== 会话和进程信息 ==========\n login_id VARCHAR(64) NOT NULL COMMENT '登录会话标识符 (系统分配)',\n login_guid VARCHAR(64) COMMENT '登录全局唯一标识符',\n session_id VARCHAR(128) COMMENT '会话ID (关键蜜罐诱饵字段)',\n login_type ENUM('Interactive','Network','Batch','Service','RemoteInteractive','NetworkCleartext','NewCredentials','CachedInteractive') COMMENT '登录类型 (关键蜜罐诱饵字段)',\n process_id VARCHAR(32) COMMENT '进程ID',\n process_path VARCHAR(512) COMMENT '进程完整路径',\n \n -- ========== 协议和网络信息 ==========\n app_protocol ENUM('rdp','ssh','telnet','http','https','ldap','ldaps','smb','others') COMMENT '应用层协议',\n \n -- ========== 审计和索引优化 ==========\n created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP COMMENT '记录创建时间',\n updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP COMMENT '记录更新时间',\n \n -- ========== 索引设计 (模拟真实生产环境) ==========\n INDEX idx_src_username (src_username),\n INDEX idx_src_ip (src_ip),\n INDEX idx_outcome (outcome),\n INDEX idx_start_time (start_time),\n INDEX idx_login_type (login_type),\n INDEX idx_session_id (session_id),\n INDEX idx_device_name (device_name),\n INDEX idx_composite_user_time (src_username, start_time),\n INDEX idx_composite_outcome_time (outcome, start_time)\n) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci \nCOMMENT='员工登录审计表 - 符合OSIM标准 - 蜜罐诱捕系统';\n\n-- ============================================================================\n-- 高逼真度测试数据 (混合成功/失败登录,模拟真实环境)\n-- ============================================================================\n\n-- 数据1: 成功的RDP远程登录 (早晨正常工作时间)\nINSERT INTO employee_login_audit VALUES (\n 'a3f5c8e2-9b4d-4a1e-8c7f-2d6e9f1a3b5c',\n 'ENDPOINT-WIN-HR-0142',\n 'Microsoft Corporation',\n 'Windows Audit Agent',\n 'HR-DESKTOP-WIN10-PRO',\n '43',\n '10.20.30.142',\n '10.20.1.10',\n '员工远程桌面登录成功',\n '用户 zhang.wei 通过RDP协议从远程地址 58.246.192.38 成功登录到工作站 HR-DESKTOP-WIN10-PRO',\n 'account',\n 'login',\n '2024-12-08 08:32:15.234567',\n '2024-12-08 08:32:15.456789',\n '2024-12-08 08:32:15.500000',\n '2024-12-08 08:32:15.623456',\n 'OK',\n 'Info',\n 1,\n NULL,\n '58.246.192.38',\n 51234,\n 'LAPTOP-HOME-ZW',\n 'zhang.wei',\n 'U-10482',\n 'WORKGROUP',\n 'S-1-5-21-3823548781-2947583629-4192845067-1108',\n '10.20.30.142',\n 3389,\n 'zhang.wei',\n 'U-10482',\n 'CORPNET',\n '0x2e4f8a1',\n '8a3c2f1e-4b5d-6c7e-8f9a-0b1c2d3e4f5a',\n 'Workstation: HR-DESKTOP-WIN10-PRO, OS: Windows 10 Pro 21H2',\n 'TermService',\n '0x2e4f8a1',\n '8a3c2f1e-4b5d-6c7e-8f9a-0b1c2d3e4f5a',\n 'SID-9847a3c2f1e4b5d6c7e8f9a0b1c2d3e4',\n 'RemoteInteractive',\n '4892',\n 'C:\\\\Windows\\\\System32\\\\svchost.exe',\n 'rdp',\n NOW(),\n NOW()\n);\n\n-- 数据2: 失败的SSH登录尝试 (可疑的暴力破解迹象)\nINSERT INTO employee_login_audit VALUES (\n 'b7e9d3f1-4c2a-5b8e-9d1f-6a3c7e2b4d8f',\n 'SERVER-LINUX-DB-0089',\n 'Red Hat, Inc.',\n 'Linux Audit Daemon',\n 'DB-SERVER-RHEL8-PROD',\n '44',\n '10.20.50.89',\n '10.20.1.10',\n 'SSH登录失败 - 密码错误',\n '用户 admin 从IP 185.220.101.47 尝试SSH登录失败,认证失败次数: 3',\n 'account',\n 'login',\n '2024-12-08 02:17:43.891234',\n '2024-12-08 02:17:44.123456',\n '2024-12-08 02:17:44.200000',\n '2024-12-08 02:17:44.345678',\n 'FAIL',\n 'High',\n 3,\n 'Authentication failure: Invalid credentials. PAM authentication returned error code 7 (Authentication service cannot retrieve authentication info)',\n '185.220.101.47',\n 48723,\n NULL,\n 'admin',\n NULL,\n NULL,\n NULL,\n '10.20.50.89',\n 22,\n 'admin',\n '0',\n NULL,\n NULL,\n NULL,\n 'Server: DB-SERVER-RHEL8-PROD, Service: sshd',\n 'sshd',\n NULL,\n NULL,\n 'SID-failed-auth-185220101047-02174389',\n 'Network',\n '2847',\n '/usr/sbin/sshd',\n 'ssh',\n NOW(),\n NOW()\n);\n\n-- 数据3: 成功的本地交互式登录 (IT管理员早晨登录)\nINSERT INTO employee_login_audit VALUES (\n 'c2d8f4a6-7b3e-4c9d-8f2a-5e1b6c3d7f9a',\n 'ENDPOINT-WIN-IT-0023',\n 'Microsoft Corporation',\n 'Windows Security Auditing',\n 'IT-ADMIN-WS-WIN11',\n '1',\n '10.20.10.23',\n '10.20.1.10',\n '本地交互式登录成功',\n 'IT管理员 li.ming 在本地控制台成功登录',\n 'account',\n 'login',\n '2024-12-08 07:45:08.567890',\n '2024-12-08 07:45:09.123456',\n '2024-12-08 07:45:09.200000',\n '2024-12-08 07:45:09.345678',\n 'OK',\n 'Info',\n 1,\n NULL,\n '127.0.0.1',\n NULL,\n 'IT-ADMIN-WS-WIN11',\n 'li.ming',\n 'U-10003',\n 'CORPNET',\n 'S-1-5-21-1234567890-9876543210-1122334455-1003',\n '10.20.10.23',\n NULL,\n 'li.ming',\n 'U-10003',\n 'CORPNET',\n '0x3f9a2c1',\n 'd4e5f6a7-b8c9-0d1e-2f3a-4b5c6d7e8f9a',\n 'Workstation: IT-ADMIN-WS-WIN11, OS: Windows 11 Pro 23H2',\n 'Winlogon',\n '0x3f9a2c1',\n 'd4e5f6a7-b8c9-0d1e-2f3a-4b5c6d7e8f9a',\n 'SID-local-interactive-10201023-07450856',\n 'Interactive',\n '1024',\n 'C:\\\\Windows\\\\System32\\\\winlogon.exe',\n 'others',\n NOW(),\n NOW()\n);\n\n-- 数据4: 失败的RDP登录 (锁定账户尝试登录)\nINSERT INTO employee_login_audit VALUES (\n 'e8f3a9c1-5d7b-4e2f-9a6c-1b3d8f2e4a7c',\n 'ENDPOINT-WIN-FIN-0098',\n 'Microsoft Corporation',\n 'Windows Audit Agent',\n 'FIN-DESKTOP-WIN10-ENT',\n '43',\n '10.20.40.98',\n '10.20.1.10',\n 'RDP登录失败 - 账户已锁定',\n '用户 wang.fang 尝试从 192.168.1.56 登录,但账户已被锁定',\n 'account',\n 'login',\n '2024-12-08 14:23:51.234567',\n '2024-12-08 14:23:51.456789',\n '2024-12-08 14:23:51.500000',\n '2024-12-08 14:23:51.678901',\n 'FAIL',\n 'Medium',\n 1,\n 'Account lockout: The referenced account is currently locked out and may not be logged on to. Security ID: S-1-5-21-3823548781-2947583629-4192845067-2045. Policy: Account lockout after 5 failed attempts.',\n '192.168.1.56',\n 52847,\n 'HOME-LAPTOP-WF',\n 'wang.fang',\n 'U-10845',\n 'WORKGROUP',\n NULL,\n '10.20.40.98',\n 3389,\n 'wang.fang',\n 'U-10845',\n 'CORPNET',\n NULL,\n NULL,\n 'Workstation: FIN-DESKTOP-WIN10-ENT, Status: Account Locked',\n 'TermService',\n NULL,\n NULL,\n 'SID-failed-locked-192168001056-14235123',\n 'RemoteInteractive',\n '5184',\n 'C:\\\\Windows\\\\System32\\\\svchost.exe',\n 'rdp',\n NOW(),\n NOW()\n);\n\n-- 数据5: 成功的服务账户登录 (自动化任务)\nINSERT INTO employee_login_audit VALUES (\n 'f9a4b2d6-8c3e-5f1a-7d9b-2e4c6f8a1d3b',\n 'SERVER-WIN-APP-0156',\n 'Microsoft Corporation',\n 'Windows Security Auditing',\n 'APP-SERVER-WIN2019-PROD',\n '1',\n '10.20.60.156',\n '10.20.1.10',\n '服务账户自动登录成功',\n '服务账户 svc_backup 执行计划任务自动登录',\n 'account',\n 'login',\n '2024-12-08 03:00:00.000000',\n '2024-12-08 03:00:00.234567',\n '2024-12-08 03:00:00.300000',\n '2024-12-08 03:00:00.456789',\n 'OK',\n 'Info',\n 1,\n NULL,\n '10.20.60.156',\n NULL,\n 'APP-SERVER-WIN2019-PROD',\n 'svc_backup',\n 'U-SVC-8901',\n 'CORPNET',\n 'S-1-5-21-3823548781-2947583629-4192845067-8901',\n '10.20.60.156',\n NULL,\n 'svc_backup',\n 'U-SVC-8901',\n 'CORPNET',\n '0x5e7f9a3',\n 'a1b2c3d4-e5f6-7a8b-9c0d-1e2f3a4b5c6d',\n 'Server: APP-SERVER-WIN2019-PROD, Task: Daily Backup Job',\n 'Task Scheduler',\n '0x5e7f9a3',\n 'a1b2c3d4-e5f6-7a8b-9c0d-1e2f3a4b5c6d',\n 'SID-service-scheduled-10206015600000000',\n 'Service',\n '3648',\n 'C:\\\\Windows\\\\System32\\\\taskeng.exe',\n 'others',\n NOW(),\n NOW()\n);\n\n-- ============================================================================\n-- 额外的查询示例 (供攻击者\"发现\"的查询语句 - 增加可信度)\n-- ============================================================================\n\n-- 查询最近24小时失败登录\n-- SELECT src_username, src_ip, COUNT(*) as fail_count, MAX(start_time) as last_attempt\n-- FROM employee_login_audit \n-- WHERE outcome = 'FAIL' AND start_time >= DATE_SUB(NOW(), INTERVAL 24 HOUR)\n-- GROUP BY src_username, src_ip \n-- ORDER BY fail_count DESC;\n\n-- 查询特定用户的登录历史\n-- SELECT event_id, src_username, src_ip, outcome, login_type, start_time, session_id\n-- FROM employee_login_audit \n-- WHERE src_username = 'zhang.wei' \n-- ORDER BY start_time DESC \n-- LIMIT 50;\n\n-- 查询所有远程桌面登录\n-- SELECT src_username, src_ip, dest_ip, start_time, outcome, session_id\n-- FROM employee_login_audit \n-- WHERE app_protocol = 'rdp' \n-- ORDER BY start_time DESC;\n\n","cases/zh/Claude_蜜罐数据库的逼真审计表构造.md","2026-04-07T09:10:11.293746",{"id":63,"title":111,"description":117,"tags":192,"viewCount":180,"useCount":180,"markdownContent":193,"markdownPath":194,"createdAt":195,"updatedAt":195,"creator":184},[178,179],"Threat Hunter发现了一个新的 IOC(例如某黑客团伙使用的特定 User-Agent 和端口)。他需要在 Splunk、Elasticsearch 和 ClickHouse 三个不同的系统中进行检索。我想查询所有内部主机发起的,目标端口为 445,且进程名为 'powershell.exe' 的网络连接记录。请根据 OSIM 标准字段生成对应的 SQL (ClickHouse) 、 SPL (Splunk) 、ES Query(Elasticsearch)查询语句。我来帮您生成基于 OSIM 标准的查询语句。首先让我查看一下 OSIM 中关于网络连接的相关 schema。Olist_schema_namesRequest{}根据您的需求,我需要查看网络行为审计相关的 schema。让我获取相关的描述信息:Odescribe_schemasRequest{}让我获取最相关的 schema 字段定义:Oget_schemaRequest{}完美!现在我已经获取到了 OSIM 标准中关于网络行为审计的字段定义。根据您的需求,我将生成三种查询语句。OSIM 标准网络连接查询语句Document # OSIM 标准网络连接查询语句\n\n## 查询需求\n查询所有内部主机发起的,目标端口为 445,且进程名为 'powershell.exe' 的网络连接记录。\n\n## OSIM Schema 信息\n- **Schema**: `log.host_behavior_audit.network_behavior`\n- **描述**: 记录和监控主机执行的网络相关活动和行为,包括连接、数据传输和协议使用\n\n---\n\n## 1. ClickHouse SQL 查询\n\n```sql\nSELECT \n 我已经为您生成了基于 OSIM 标准的三种查询语句!\n主要特点:\n1. ClickHouse SQL\n\n使用标准 SQL 语法\n通过 is_initiated = true 和 direction IN ('01', '00') 来筛选内部主机发起的连接\n适合大规模数据分析和聚合查询\n\n2. Splunk SPL\n\n提供了两个版本:完整版和简洁版\n使用 Splunk 的 pipe 语法进行数据过滤和展示\n支持灵活的字段选择和时间排序\n\n3. Elasticsearch Query DSL\n\n使用布尔查询组合多个条件\n提供了 JSON 格式和 URI Search 两种方式\n适合实时搜索和复杂的嵌套查询\n\n核心查询逻辑:\n根据 OSIM 标准 log.host_behavior_audit.network_behavior schema,查询条件包括:\n\n✅ 进程名: process_name = 'powershell.exe'\n✅ 目标端口: dest_port = 445 (SMB协议)\n✅ 主动发起: is_initiated = true (由本地端点主动发起)\n✅ 内部主机: direction IN ('01', '00') (内部到外部或内部到内部)\n\n这个查询对于威胁狩猎非常有用,特别是检测通过 PowerShell 进行的横向移动、凭据窃取或恶意脚本执行等攻击行为。\n如果您需要添加其他 IOC 指标(如特定的 User-Agent),请告诉我具体需求,我可以帮您扩展查询语句!\n\n=========================================(右侧内容)\n# OSIM 标准网络连接查询语句\n\n## 查询需求\n查询所有内部主机发起的,目标端口为 445,且进程名为 'powershell.exe' 的网络连接记录。\n\n## OSIM Schema 信息\n- **Schema**: `log.host_behavior_audit.network_behavior`\n- **描述**: 记录和监控主机执行的网络相关活动和行为,包括连接、数据传输和协议使用\n\n---\n\n## 1. ClickHouse SQL 查询\n\n```sql\nSELECT \n event_id,\n start_time,\n end_time,\n hostname,\n host_ip,\n process_name,\n process_path,\n command_line,\n process_username,\n src_ip,\n src_port,\n dest_ip,\n dest_port,\n transport_protocol,\n app_protocol,\n direction,\n is_initiated,\n name,\n description\nFROM log_host_behavior_audit_network_behavior\nWHERE \n process_name = 'powershell.exe'\n AND dest_port = 445\n AND is_initiated = true\n AND direction IN ('01', '00') -- 内部到外部(01)或内部到内部(00)\nORDER BY start_time DESC\nLIMIT 1000;\n```\n\n**说明**:\n- `is_initiated = true`: 表示由本地端点主动发起的连接\n- `direction IN ('01', '00')`: '01'表示内部到外部,'00'表示内部到内部\n- `dest_port = 445`: SMB协议端口\n- `process_name = 'powershell.exe'`: PowerShell进程\n\n---\n\n## 2. Splunk SPL 查询\n\n```spl\nindex=osim sourcetype=\"log:host_behavior_audit:network_behavior\"\n| search process_name=\"powershell.exe\" \n dest_port=445 \n is_initiated=true \n (direction=\"01\" OR direction=\"00\")\n| table _time, event_id, hostname, host_ip, process_name, process_path, \n command_line, process_username, src_ip, src_port, dest_ip, dest_port, \n transport_protocol, app_protocol, direction, name, description\n| sort - _time\n| head 1000\n```\n\n**SPL 替代写法(更简洁)**:\n```spl\nindex=osim sourcetype=\"log:host_behavior_audit:network_behavior\" \n process_name=\"powershell.exe\" \n dest_port=445 \n is_initiated=true \n (direction=\"01\" OR direction=\"00\")\n| fields _time, event_id, hostname, host_ip, process_name, src_ip, \n dest_ip, dest_port, transport_protocol, direction, name\n| sort 0 - _time\n```\n\n---\n\n## 3. Elasticsearch Query DSL\n\n```json\n{\n \"query\": {\n \"bool\": {\n \"must\": [\n {\n \"term\": {\n \"process_name.keyword\": \"powershell.exe\"\n }\n },\n {\n \"term\": {\n \"dest_port\": 445\n }\n },\n {\n \"term\": {\n \"is_initiated\": true\n }\n },\n {\n \"terms\": {\n \"direction.keyword\": [\"01\", \"00\"]\n }\n }\n ]\n }\n },\n \"sort\": [\n {\n \"start_time\": {\n \"order\": \"desc\"\n }\n }\n ],\n \"_source\": [\n \"event_id\",\n \"start_time\",\n \"end_time\",\n \"hostname\",\n \"host_ip\",\n \"process_name\",\n \"process_path\",\n \"command_line\",\n \"process_username\",\n \"src_ip\",\n \"src_port\",\n \"dest_ip\",\n \"dest_port\",\n \"transport_protocol\",\n \"app_protocol\",\n \"direction\",\n \"is_initiated\",\n \"name\",\n \"description\"\n ],\n \"size\": 1000\n}\n```\n\n**Elasticsearch URI Search 简化版**:\n```\nGET /log_host_behavior_audit_network_behavior/_search?q=process_name.keyword:\"powershell.exe\" AND dest_port:445 AND is_initiated:true AND (direction:\"01\" OR direction:\"00\")&size=1000&sort=start_time:desc\n```\n\n---\n\n## OSIM 关键字段说明\n\n| 字段名 | 标签 | 类型 | 说明 |\n|--------|------|------|------|\n| `process_name` | Process Name | string | 进程可执行文件的基本名称,不包含路径信息 |\n| `dest_port` | Destination Port | integer | 目标网络端口号,用于识别特定服务或应用 |\n| `is_initiated` | Connection Initiation Type | boolean | 标识网络连接是由本地端点主动发起还是被动接受 |\n| `direction` | Data Flow Direction | enum | 基于源和目标IP地址的网络流向分类 |\n| `transport_protocol` | Transport Protocol | enum | OSI模型传输层使用的协议类型(TCP/UDP) |\n| `app_protocol` | Application Protocol | enum | OSI模型应用层使用的协议类型(SMB等) |\n| `src_ip` | Source IP Address | string | 标识网络通信连接的源IP地址 |\n| `dest_ip` | Destination IP | string | 标识网络通信连接的目标端点IP地址 |\n\n---\n\n## Direction 字段值说明\n\n- `00`: **内部访问内部** - 源IP和目标IP都是内部IP\n- `01`: **内部到外部访问** - 源IP是内部IP,目标IP是外部IP\n- `10`: **外部到内部访问** - 源IP是外部IP,目标IP是内部IP\n- `11`: **外部访问** - 源IP和目标IP都是外部IP\n\n---\n\n## 威胁狩猎场景说明\n\n此查询可用于检测以下潜在威胁:\n\n1. **横向移动检测**: PowerShell通过SMB(445端口)连接可能表示横向移动尝试\n2. **凭据窃取**: 攻击者可能使用PowerShell访问网络共享来窃取凭据\n3. **恶意脚本执行**: PowerShell连接到SMB可能是远程代码执行的前兆\n4. **数据渗出**: 通过SMB协议传输敏感数据\n\n## 扩展查询建议\n\n如果需要添加更多的 IOC 指标(如特定 User-Agent),可以考虑:\n- 使用 `log.network_session_audit.http_audit` schema 查询 HTTP 相关的 User-Agent\n- 结合多个 schema 进行关联分析\n- 添加时间范围过滤以提高查询效率","cases/zh/Claude_跨平台IOC检索查询语句生成.md","2026-04-07T09:10:11.290011",{"id":53,"title":118,"description":197,"tags":198,"viewCount":180,"useCount":180,"markdownContent":199,"markdownPath":200,"createdAt":201,"updatedAt":201,"creator":184},"在 SOAR(安全编排自动化响应)剧本中,一旦上游(如防火墙告警)传递给下游(如封禁 IP 接口)的数据格式不对(例如 IP 字段为空,或者包含了掩码),整个剧本就会报错中断。我正在编写一个'自动封禁'剧本。请帮我写一段 Python 校验代码。在调用封禁 API 之前,检查传入的数据对象是否符合 asset.ip_address 的 OSIM 定义,特别是校验 IP 格式是否合法,如果不合法抛出具体错误。",[178,179],"在 SOAR(安全编排自动化响应)剧本中,一旦上游(如防火墙告警)传递给下游(如封禁 IP 接口)的数据格式不对(例如 IP 字段为空,或者包含了掩码),整个剧本就会报错中断。我正在编写一个‘自动封禁’剧本。请帮我写一段 Python 校验代码。在调用封禁 API 之前,检查传入的数据对象是否符合 asset.ip_address 的 OSIM 定义,特别是校验 IP 格式是否合法,如果不合法抛出具体错误。\n\n我来帮你编写一个针对 SOAR 剧本的数据校验代码。首先让我查看一下 asset.ip_address 在 OSIM 中的定义。\n\nO\n\nlist_schema_names\n\nO\n\nget_schema\n\n完美!我已经获取到了 asset.network_asset.ip_address 的 OSIM 定义。现在我为你编写一个完善的数据校验代码:\n\nSOAR 剧本 IP 封禁数据校验模块\nCode \n我已经为你创建了一个完善的 SOAR 剧本数据校验模块!这个模块完全基于 OSIM 的 asset.network_asset.ip_address 标准进行校验。\n\n🎯 核心功能\n1. 完整数据校验 (validate())\n✅ 检查必填字段(asset_id, asset_name, asset_category)\n✅ 检查推荐字段(asset_ip, asset_network_ipv4)\n✅ 验证 IP 地址格式(IPv4/IPv6)\n✅ 专门检测 CIDR 掩码(192.168.1.1/24 ❌)\n✅ 检测空字符串\n✅ 检测特殊 IP(回环、组播地址)\n✅ 验证端口号范围(0-65535)\n✅ 验证枚举值和字段类型\n2. 快速封禁校验 (validate_for_ban())\n专为封禁场景设计的轻量级校验:\n\n🔍 自动从多个 IP 字段中提取(asset_ip, asset_network_ipv4, asset_network_ipv6)\n🚫 拒绝带掩码的 IP\n🚫 拒绝回环/组播地址\n⚡ 快速返回可用于封禁的纯 IP 地址\n📋 使用方法\n在 SOAR 剧本中集成:\npython\n# 在调用封禁 API 之前\ntry:\n # 快速校验\n ip_to_ban = OSIMIPAddressValidator.validate_for_ban(alert_data)\n \n # 调用封禁接口\n firewall_api.block_ip(ip_to_ban)\n \nexcept ValidationError as e:\n # 记录错误,中断剧本\n log_error(f\"数据校验失败: {e}\")\n raise\n⚠️ 典型错误处理\n代码会捕获以下常见错误:\n\n❌ IP 包含掩码: 10.0.0.1/24 → 提示应移除掩码\n❌ IP 为空字符串或 None\n❌ IP 格式错误: 192.168.1.256\n❌ 缺少必填字段\n⚠️ 回环地址警告\n⚠️ 组播地址警告\n所有错误都会给出明确的错误原因和修复建议,避免剧本无声中断!\n\n你可以直接复制代码集成到你的 SOAR 系统中。需要调整任何校验逻辑吗?\n=========================================(右侧内容)\n\"\"\"\nSOAR 剧本数据校验模块 - IP 地址封禁前校验\n根据 OSIM asset.network_asset.ip_address 标准进行数据校验\n\"\"\"\n\nimport ipaddress\nimport re\nfrom typing import Dict, Any, List, Optional\nfrom enum import Enum\n\n\nclass ValidationError(Exception):\n \"\"\"数据校验异常类\"\"\"\n pass\n\n\nclass IPValidationType(Enum):\n \"\"\"IP 验证类型枚举\"\"\"\n IPV4 = \"IPv4\"\n IPV6 = \"IPv6\"\n BOTH = \"Both\"\n\n\nclass OSIMIPAddressValidator:\n \"\"\"\n OSIM IP 地址数据校验器\n 校验数据是否符合 asset.network_asset.ip_address 标准\n \"\"\"\n \n # 必填字段 (REQUIRED)\n REQUIRED_FIELDS = ['asset_id', 'asset_name', 'asset_category']\n \n # 推荐字段 (RECOMMENDED)\n RECOMMENDED_FIELDS = ['asset_ip', 'asset_network_ipv4']\n \n # asset_category 枚举值\n VALID_ASSET_CATEGORIES = {\n 'database', 'data_table', 'data_field', 'account', 'api', 'file',\n 'website', 'mobile_app', 'official_account', 'mini_program', \n 'terminal', 'device', 'server', 'virtual_machine', 'container',\n 'system_software', 'application_software', 'domain', 'ip_address',\n 'port', 'certificate', 'cloud_server', 'cloud_storage', 'other'\n }\n \n def __init__(self, strict_mode: bool = True):\n \"\"\"\n 初始化校验器\n \n Args:\n strict_mode: 严格模式,开启后会检查推荐字段\n \"\"\"\n self.strict_mode = strict_mode\n self.errors: List[str] = []\n self.warnings: List[str] = []\n \n def validate(self, data: Dict[str, Any]) -> bool:\n \"\"\"\n 执行完整的数据校验\n \n Args:\n data: 待校验的数据对象\n \n Returns:\n bool: 校验是否通过\n \n Raises:\n ValidationError: 当校验失败时抛出,包含详细错误信息\n \"\"\"\n self.errors.clear()\n self.warnings.clear()\n \n if not isinstance(data, dict):\n raise ValidationError(\"数据必须是字典类型\")\n \n # 1. 校验必填字段\n self._validate_required_fields(data)\n \n # 2. 校验推荐字段\n if self.strict_mode:\n self._validate_recommended_fields(data)\n \n # 3. 校验 asset_category 枚举值\n self._validate_asset_category(data)\n \n # 4. 校验 IP 地址格式\n self._validate_ip_addresses(data)\n \n # 5. 校验端口号\n self._validate_ports(data)\n \n # 6. 校验其他字段类型\n self._validate_field_types(data)\n \n # 汇总结果\n if self.errors:\n error_msg = self._format_errors()\n raise ValidationError(error_msg)\n \n # 打印警告信息\n if self.warnings:\n for warning in self.warnings:\n print(f\"⚠️ 警告: {warning}\")\n \n return True\n \n def _validate_required_fields(self, data: Dict[str, Any]) -> None:\n \"\"\"校验必填字段\"\"\"\n for field in self.REQUIRED_FIELDS:\n if field not in data or data[field] is None or data[field] == '':\n self.errors.append(\n f\"缺少必填字段 '{field}' (REQUIRED)\"\n )\n \n def _validate_recommended_fields(self, data: Dict[str, Any]) -> None:\n \"\"\"校验推荐字段\"\"\"\n for field in self.RECOMMENDED_FIELDS:\n if field not in data or data[field] is None or data[field] == '':\n self.warnings.append(\n f\"缺少推荐字段 '{field}' (RECOMMENDED),建议补充\"\n )\n \n def _validate_asset_category(self, data: Dict[str, Any]) -> None:\n \"\"\"校验资产分类枚举值\"\"\"\n if 'asset_category' in data:\n category = data['asset_category']\n if category and category not in self.VALID_ASSET_CATEGORIES:\n self.errors.append(\n f\"asset_category 值 '{category}' 不在允许的枚举范围内。\"\n f\"允许的值: {', '.join(sorted(self.VALID_ASSET_CATEGORIES))}\"\n )\n \n def _validate_ip_addresses(self, data: Dict[str, Any]) -> None:\n \"\"\"\n 校验 IP 地址格式\n 检查字段: asset_ip, asset_network_ipv4, asset_network_ipv6, default_gateway\n \"\"\"\n # 校验主 IP 地址字段\n ip_fields = {\n 'asset_ip': IPValidationType.BOTH,\n 'asset_network_ipv4': IPValidationType.IPV4,\n 'asset_network_ipv6': IPValidationType.IPV6,\n 'default_gateway': IPValidationType.BOTH,\n }\n \n for field_name, ip_type in ip_fields.items():\n if field_name in data and data[field_name]:\n ip_value = str(data[field_name]).strip()\n \n # 检查是否为空\n if not ip_value:\n self.errors.append(f\"字段 '{field_name}' 不能为空字符串\")\n continue\n \n # 检查是否包含 CIDR 掩码\n if '/' in ip_value:\n self.errors.append(\n f\"字段 '{field_name}' 包含 CIDR 掩码 '{ip_value}'。\"\n f\"OSIM 标准中 IP 地址字段不应包含掩码,掩码应存储在 'subnet_mask' 字段中\"\n )\n continue\n \n # 验证 IP 格式\n try:\n ip_obj = ipaddress.ip_address(ip_value)\n \n # 类型检查\n if ip_type == IPValidationType.IPV4 and ip_obj.version != 4:\n self.errors.append(\n f\"字段 '{field_name}' 应为 IPv4 地址,但收到 IPv6: {ip_value}\"\n )\n elif ip_type == IPValidationType.IPV6 and ip_obj.version != 6:\n self.errors.append(\n f\"字段 '{field_name}' 应为 IPv6 地址,但收到 IPv4: {ip_value}\"\n )\n \n # 检查特殊 IP\n if ip_obj.is_loopback:\n self.warnings.append(\n f\"字段 '{field_name}' 是回环地址: {ip_value}\"\n )\n elif ip_obj.is_multicast:\n self.warnings.append(\n f\"字段 '{field_name}' 是组播地址: {ip_value}\"\n )\n \n except ValueError as e:\n self.errors.append(\n f\"字段 '{field_name}' 的 IP 地址格式无效: {ip_value} - {str(e)}\"\n )\n \n def _validate_ports(self, data: Dict[str, Any]) -> None:\n \"\"\"校验端口号范围\"\"\"\n port_fields = ['asset_network_ipv4_port', 'asset_network_ipv6_port']\n \n for field_name in port_fields:\n if field_name in data and data[field_name] is not None:\n port = data[field_name]\n \n # 类型检查\n if not isinstance(port, int):\n try:\n port = int(port)\n except (ValueError, TypeError):\n self.errors.append(\n f\"字段 '{field_name}' 必须是整数,收到: {port}\"\n )\n continue\n \n # 范围检查\n if not (0 \u003C= port \u003C= 65535):\n self.errors.append(\n f\"字段 '{field_name}' 端口号超出有效范围 [0-65535]: {port}\"\n )\n \n def _validate_field_types(self, data: Dict[str, Any]) -> None:\n \"\"\"校验其他字段类型\"\"\"\n # 布尔类型字段\n boolean_fields = [\n 'is_online', 'is_critical_protection', 'is_domestic',\n 'is_critical_infrastructure', 'is_classified'\n ]\n \n for field in boolean_fields:\n if field in data and data[field] is not None:\n if not isinstance(data[field], bool):\n self.errors.append(\n f\"字段 '{field}' 必须是布尔类型,收到: {type(data[field]).__name__}\"\n )\n \n def _format_errors(self) -> str:\n \"\"\"格式化错误信息\"\"\"\n error_msg = \"❌ 数据校验失败:\\n\"\n for i, error in enumerate(self.errors, 1):\n error_msg += f\" {i}. {error}\\n\"\n return error_msg.strip()\n \n @staticmethod\n def validate_for_ban(data: Dict[str, Any]) -> str:\n \"\"\"\n 专用于封禁场景的快速校验\n 返回可用于封禁的 IP 地址,如果无效则抛出异常\n \n Args:\n data: 待校验的数据对象\n \n Returns:\n str: 验证通过的 IP 地址\n \n Raises:\n ValidationError: 当 IP 地址无效或缺失时\n \"\"\"\n # 尝试从多个字段获取 IP\n ip_candidates = [\n ('asset_ip', data.get('asset_ip')),\n ('asset_network_ipv4', data.get('asset_network_ipv4')),\n ('asset_network_ipv6', data.get('asset_network_ipv6')),\n ]\n \n for field_name, ip_value in ip_candidates:\n if ip_value:\n ip_str = str(ip_value).strip()\n \n # 检查是否为空\n if not ip_str:\n continue\n \n # 检查是否包含掩码\n if '/' in ip_str:\n raise ValidationError(\n f\"IP 地址 '{ip_str}' 包含 CIDR 掩码,无法直接用于封禁。\"\n f\"请移除掩码后重试\"\n )\n \n # 验证 IP 格式\n try:\n ip_obj = ipaddress.ip_address(ip_str)\n \n # 安全检查\n if ip_obj.is_loopback:\n raise ValidationError(\n f\"不能封禁回环地址: {ip_str}\"\n )\n if ip_obj.is_multicast:\n raise ValidationError(\n f\"不能封禁组播地址: {ip_str}\"\n )\n \n return ip_str\n \n except ValueError:\n continue\n \n raise ValidationError(\n \"未找到有效的 IP 地址字段。请确保 'asset_ip'、\"\n \"'asset_network_ipv4' 或 'asset_network_ipv6' 中至少有一个包含有效的 IP 地址\"\n )\n\n\n# ==================== 使用示例 ====================\n\ndef example_usage():\n \"\"\"使用示例\"\"\"\n print(\"=\" * 60)\n print(\"OSIM IP 地址数据校验器 - 使用示例\")\n print(\"=\" * 60)\n \n # 示例 1: 有效数据\n print(\"\\n【示例 1】有效数据:\")\n valid_data = {\n 'asset_id': 'asset-12345',\n 'asset_name': '生产数据库服务器',\n 'asset_category': 'server',\n 'asset_ip': '192.168.1.100',\n 'asset_network_ipv4': '192.168.1.100',\n 'asset_network_ipv4_port': 3306,\n }\n \n try:\n validator = OSIMIPAddressValidator(strict_mode=True)\n validator.validate(valid_data)\n print(\"✅ 数据校验通过\")\n except ValidationError as e:\n print(e)\n \n # 示例 2: IP 包含掩码\n print(\"\\n【示例 2】IP 包含 CIDR 掩码:\")\n invalid_data_cidr = {\n 'asset_id': 'asset-67890',\n 'asset_name': 'Web 服务器',\n 'asset_category': 'server',\n 'asset_ip': '10.0.0.1/24', # ❌ 包含掩码\n }\n \n try:\n validator = OSIMIPAddressValidator()\n validator.validate(invalid_data_cidr)\n except ValidationError as e:\n print(e)\n \n # 示例 3: IP 为空\n print(\"\\n【示例 3】IP 字段为空:\")\n invalid_data_empty = {\n 'asset_id': 'asset-11111',\n 'asset_name': '应用服务器',\n 'asset_category': 'server',\n 'asset_ip': '', # ❌ 空字符串\n }\n \n try:\n validator = OSIMIPAddressValidator()\n validator.validate(invalid_data_empty)\n except ValidationError as e:\n print(e)\n \n # 示例 4: IP 格式错误\n print(\"\\n【示例 4】IP 格式错误:\")\n invalid_data_format = {\n 'asset_id': 'asset-22222',\n 'asset_name': '测试服务器',\n 'asset_category': 'server',\n 'asset_ip': '192.168.1.256', # ❌ 超出范围\n }\n \n try:\n validator = OSIMIPAddressValidator()\n validator.validate(invalid_data_format)\n except ValidationError as e:\n print(e)\n \n # 示例 5: 封禁前快速校验\n print(\"\\n【示例 5】封禁前快速校验:\")\n ban_data = {\n 'asset_ip': '172.16.10.50',\n 'asset_name': '可疑主机',\n }\n \n try:\n ip_to_ban = OSIMIPAddressValidator.validate_for_ban(ban_data)\n print(f\"✅ 校验通过,可封禁 IP: {ip_to_ban}\")\n # 此处调用封禁 API\n # firewall_api.block_ip(ip_to_ban)\n except ValidationError as e:\n print(f\"❌ {e}\")\n \n # 示例 6: 缺少必填字段\n print(\"\\n【示例 6】缺少必填字段:\")\n incomplete_data = {\n 'asset_ip': '10.10.10.10',\n # ❌ 缺少 asset_id, asset_name, asset_category\n }\n \n try:\n validator = OSIMIPAddressValidator()\n validator.validate(incomplete_data)\n except ValidationError as e:\n print(e)\n\n\n# ==================== SOAR 剧本集成示例 ====================\n\ndef soar_playbook_example():\n \"\"\"\n SOAR 剧本集成示例\n 演示如何在自动封禁剧本中使用校验器\n \"\"\"\n print(\"\\n\" + \"=\" * 60)\n print(\"SOAR 剧本集成示例 - 自动封禁流程\")\n print(\"=\" * 60)\n \n # 模拟从上游(防火墙告警)接收的数据\n upstream_data = {\n 'asset_id': 'fw-alert-98765',\n 'asset_name': '可疑攻击源',\n 'asset_category': 'ip_address',\n 'asset_ip': '203.0.113.42',\n 'asset_network_ipv4': '203.0.113.42',\n 'alert_severity': 'high',\n 'attack_type': 'SQL Injection',\n }\n \n print(\"\\n1️⃣ 接收上游数据...\")\n print(f\" 告警来源: {upstream_data.get('attack_type')}\")\n print(f\" 资产 IP: {upstream_data.get('asset_ip')}\")\n \n print(\"\\n2️⃣ 执行数据校验...\")\n try:\n # 快速校验用于封禁的 IP\n ip_to_ban = OSIMIPAddressValidator.validate_for_ban(upstream_data)\n print(f\" ✅ IP 校验通过: {ip_to_ban}\")\n \n # 完整数据校验(可选)\n validator = OSIMIPAddressValidator(strict_mode=False)\n validator.validate(upstream_data)\n print(f\" ✅ 完整数据校验通过\")\n \n print(\"\\n3️⃣ 调用封禁 API...\")\n # 此处调用实际的封禁接口\n # result = firewall_api.block_ip(\n # ip_address=ip_to_ban,\n # reason=upstream_data.get('attack_type'),\n # duration=3600\n # )\n print(f\" 🔒 成功封禁 IP: {ip_to_ban}\")\n print(f\" 📋 封禁原因: {upstream_data.get('attack_type')}\")\n \n except ValidationError as e:\n print(f\"\\n ❌ 校验失败,剧本中断:\")\n print(f\" {e}\")\n print(f\"\\n 💡 建议:\")\n print(f\" - 检查上游数据源配置\")\n print(f\" - 确认字段映射关系\")\n print(f\" - 联系安全管理员处理\")\n # 此处可以发送告警通知\n # send_alert_to_admin(error=str(e))\n\n\nif __name__ == '__main__':\n # 运行示例\n example_usage()\n soar_playbook_example()","cases/zh/Claude_SOAR剧本IP数据校验代码.md","2026-04-07T09:10:11.287211",{"id":45,"title":97,"description":203,"tags":204,"viewCount":180,"useCount":180,"markdownContent":205,"markdownPath":206,"createdAt":207,"updatedAt":207,"creator":184},"OC(安全运营中心)分析师在处理一起安全事件时,需要填写标准化的工单或报告。新手分析师往往不知道需要收集哪些关键信息。我正在处理一起勒索软件感染事件,需要通过 API 上报给总部的态势感知平台。请问根据 OSIM 标准,'恶意软件'类告警有哪些必填字段是我必须收集的?",[178,179],"OC(安全运营中心)分析师在处理一起安全事件时,需要填写标准化的工单或报告。新手分析师往往不知道需要收集哪些关键信息。我正在处理一起勒索软件感染事件,需要通过 API 上报给总部的态势感知平台。请问根据 OSIM 标准,‘恶意软件’类告警有哪些必填字段是我必须收集的?\n\n我来帮您查询 OSIM 标准中恶意软件类告警的必填字段信息。\n\nO\n\nlist_schema_names\n\n我看到恶意软件类告警包含多个子类型,勒索软件对应的是 alert.malware.ransomware。让我获取这个 schema 的详细字段定义:\n\nO\n\nget_schema\n\n根据 OSIM 标准,勒索软件感染事件(alert.malware.ransomware)的**必填字段(REQUIRED)**包括:\n\n设备相关必填字段\nmachine_code - 设备唯一标识(设备ID)\ndevice_vendor_name - 设备厂商名称\ndevice_product_name - 设备产品名称\ndevice_name - 设备名称\ndevice_type_id - 设备类型ID(枚举值,如1=Windows, 2=Linux等)\ndevice_ip - 设备IP地址\n事件相关必填字段\nevent_id - 事件全局唯一标识\nname - 告警摘要名称\nstart_time - 事件开始时间\nend_time - 事件结束时间\ncollector_receipt_time - 采集器接收时间\n安全相关必填字段\nseverity - 严重程度等级(如High/Medium/Low)\noutcome - 事件执行结果(OK/FAIL/Attempt)\nlog_type - 日志类型(如alert表示告警事件)\nalert_type - 告警类型(标准化分类,勒索软件应为/Malware/Ransomware)\n实用建议\n对于勒索软件事件,除了必填字段外,强烈建议同时收集这些字段以便后续分析:\n\n文件特征: file_name, file_md5, file_sha256 - 用于样本溯源\n进程信息: process_name, file_path - 确定感染源\n网络信息: src_ip, dest_ip, transport_protocol - 追踪C&C通信\n威胁情报: malware_name, malware_family, ioc - 关联已知威胁\nATT&CK映射: tactic_id, technique_id - 了解攻击战术\n这样可以确保上报的数据既满足合规要求,又能为应急响应提供足够的上下文信息。\n\n-----------------------------终止线:此场景无右侧展示","cases/zh/Claude_OSIM标准恶意软件告警必填字段.md","2026-04-07T09:10:11.280031",{"id":35,"title":104,"description":209,"tags":210,"viewCount":180,"useCount":180,"markdownContent":211,"markdownPath":212,"createdAt":213,"updatedAt":213,"creator":184},"我有一段 Nginx 的访问日志样例(附带日志内容)。请帮我写一个 Python 脚本,将其解析并映射为 OSIM 的 HTTP 审计日志格式。请确保字段对应准确。127.0.0.1 - - [08/Dec/2025:15:56:01 +0800] \"GET / HTTP/1.1\" 200 396 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36\" 192.168.1.105 - - [08/Dec/2025:15:56:05 +0800] \"GET /css/style.css HTTP/1.1\" 304 0 \"http://localhost/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\" 10.0.0.52 - - [08/Dec/2025:15:56:12 +0800] \"POST /api/login HTTP/1.1\" 200 54 \"http://localhost/login\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1\" 203.0.113.45 - - [08/Dec/2025:15:57:30 +0800] \"GET /old-page.html HTTP/1.1\" 301 169 \"-\" \"Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/118.0\" 172.16.0.22 - - [08/Dec/2025:15:58:10 +0800] \"GET /images/missing.jpg HTTP/1.1\" 404 153 \"http://localhost/gallery\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15\" 66.249.66.1 - - [08/Dec/2025:15:59:02 +0800] \"GET /robots.txt HTTP/1.1\" 200 102 \"-\" \"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\" 192.168.1.50 - - [08/Dec/2025:16:00:15 +0800] \"POST /api/upload HTTP/1.1\" 500 621 \"http://localhost/upload\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0\"",[178,179],"我有一段 Nginx 的访问日志样例(附带日志内容)。请帮我写一个 Python 脚本,将其解析并映射为 OSIM 的 HTTP 审计日志格式。请确保字段对应准确。127.0.0.1 - - [08/Dec/2025:15:56:01 +0800] \"GET / HTTP/1.1\" 200 396 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36\"\n192.168.1.105 - - [08/Dec/2025:15:56:05 +0800] \"GET /css/style.css HTTP/1.1\" 304 0 \"http://localhost/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\"\n10.0.0.52 - - [08/Dec/2025:15:56:12 +0800] \"POST /api/login HTTP/1.1\" 200 54 \"http://localhost/login\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1\"\n203.0.113.45 - - [08/Dec/2025:15:57:30 +0800] \"GET /old-page.html HTTP/1.1\" 301 169 \"-\" \"Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/118.0\"\n172.16.0.22 - - [08/Dec/2025:15:58:10 +0800] \"GET /images/missing.jpg HTTP/1.1\" 404 153 \"http://localhost/gallery\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15\"\n66.249.66.1 - - [08/Dec/2025:15:59:02 +0800] \"GET /robots.txt HTTP/1.1\" 200 102 \"-\" \"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\"\n192.168.1.50 - - [08/Dec/2025:16:00:15 +0800] \"POST /api/upload HTTP/1.1\" 500 621 \"http://localhost/upload\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0\"Show more我先查询一下 OSIM 的 HTTP 审计日志格式定义,然后为您编写解析脚本。Olist_schema_namesRequest{}Oget_schemaRequest{}好的,我已经获取了 OSIM HTTP 审计日志的完整字段定义。现在我将为您创建一个 Python 脚本,用于解析 Nginx 访问日志并映射到 OSIM 格式。Nginx 日志转 OSIM HTTP 审计格式Code #!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\"\"\"\nNginx 访问日志解析并转换为 OSIM HTTP 审计日志格式\n支持标准 Nginx Combined 日志格式\n\"\"\"\n\nimport re\nimport json\nimport uuid\nfrom datetime import datetime\nfrom typing import Dict, List, Optional\n\n\nclass NginxToOSIMConverter:\n 我已经为您创建了一个完整的 Python 脚本,用于将 Nginx 访问日志转换为 OSIM HTTP 审计格式。以下是脚本的主要特点:\n🎯 核心功能\n\n日志解析: 使用正则表达式解析标准 Nginx Combined 日志格式\n字段映射: 将 Nginx 字段准确映射到 OSIM HTTP 审计日志的对应字段\n时间转换: 将 Nginx 时间格式转换为 ISO 8601 标准格式\n流量方向判断: 自动识别内网/外网 IP,确定数据流向\n事件结果判断: 根据 HTTP 状态码自动判断请求是否成功\n\n📋 字段映射说明\n必填字段 (REQUIRED)\n\nmachine_code: 设备唯一标识\ndevice_vendor_name: 设备厂商名称 (Nginx Inc.)\ndevice_product_name: 设备产品名称 (Nginx Web Server)\ndevice_name: 设备名称\ndevice_type_id: 设备类型 (34 = Web Server)\ndevice_ip: 设备 IP 地址\nevent_id: 事件唯一 ID (UUID)\nname: 事件摘要名称\nstart_time / end_time: 事件开始/结束时间\ncollector_receipt_time: 采集器接收时间\nseverity: 严重级别 (INFO)\nlog_type: 日志类型 (traffic)\n\n推荐字段 (RECOMMENDED)\n\nhttp_method: HTTP 方法 (GET/POST 等)\nrequest_uri: 请求 URI\nrequest_url: 完整请求 URL\nresponse_code: HTTP 响应码\nuser_agent: 用户代理字符串\nhttp_referer: 来源页面 URL\noutcome: 事件结果 (OK/FAIL)\nsrc_ip / dest_ip: 源/目标 IP\ndirection: 流量方向代码\n\n🚀 使用方法\n直接运行脚本即可处理示例日志:\nbashpython nginx_to_osim_parser.py\n或在代码中使用:\npythonfrom nginx_to_osim_parser import NginxToOSIMConverter\n\nconverter = NginxToOSIMConverter()\nosim_logs = converter.process_log_file(your_nginx_logs)\n📊 输出结果\n脚本会输出:\n\n控制台打印每条转换后的 JSON 格式日志\n保存到 osim_http_audit_logs.json 文件\n\n您可以根据实际需求调整 device_config 中的设备信息!\n\n=========================================(右侧内容)\n#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\"\"\"\nNginx 访问日志解析并转换为 OSIM HTTP 审计日志格式\n支持标准 Nginx Combined 日志格式\n\"\"\"\n\nimport re\nimport json\nimport uuid\nfrom datetime import datetime\nfrom typing import Dict, List, Optional\n\n\nclass NginxToOSIMConverter:\n \"\"\"Nginx 日志转 OSIM HTTP 审计格式转换器\"\"\"\n \n # Nginx Combined 日志格式的正则表达式\n # 格式: IP - - [时间] \"METHOD URI PROTOCOL\" STATUS SIZE \"REFERER\" \"USER_AGENT\"\n NGINX_LOG_PATTERN = re.compile(\n r'(?P\u003Csrc_ip>[\\d\\.]+)\\s+-\\s+-\\s+'\n r'\\[(?P\u003Ctimestamp>[^\\]]+)\\]\\s+'\n r'\"(?P\u003Chttp_method>\\w+)\\s+(?P\u003Crequest_uri>[^\\s]+)\\s+(?P\u003Cprotocol>[^\"]+)\"\\s+'\n r'(?P\u003Cresponse_code>\\d+)\\s+'\n r'(?P\u003Cresponse_bytes>\\d+)\\s+'\n r'\"(?P\u003Chttp_referer>[^\"]*)\"\\s+'\n r'\"(?P\u003Cuser_agent>[^\"]*)\"'\n )\n \n def __init__(self, device_config: Optional[Dict] = None):\n \"\"\"\n 初始化转换器\n \n Args:\n device_config: 设备配置信息,包含设备相关的必填字段\n \"\"\"\n self.device_config = device_config or {\n \"machine_code\": \"nginx-001\",\n \"device_vendor_name\": \"Nginx\",\n \"device_product_name\": \"Nginx Web Server\",\n \"device_name\": \"WebServer-01\",\n \"device_type_id\": \"34\", # Web Server\n \"device_ip\": \"192.168.1.100\",\n \"device_version\": \"1.24.0\"\n }\n \n def parse_nginx_log(self, log_line: str) -> Optional[Dict]:\n \"\"\"\n 解析单行 Nginx 日志\n \n Args:\n log_line: Nginx 日志行\n \n Returns:\n 解析后的字典,如果解析失败返回 None\n \"\"\"\n match = self.NGINX_LOG_PATTERN.match(log_line.strip())\n if not match:\n return None\n return match.groupdict()\n \n def parse_nginx_timestamp(self, timestamp_str: str) -> str:\n \"\"\"\n 解析 Nginx 时间戳格式并转换为 ISO 8601 格式\n \n Args:\n timestamp_str: Nginx 时间戳字符串,格式如 \"08/Dec/2025:15:56:01 +0800\"\n \n Returns:\n ISO 8601 格式的时间字符串\n \"\"\"\n # 解析 Nginx 时间格式\n dt = datetime.strptime(timestamp_str, \"%d/%b/%Y:%H:%M:%S %z\")\n # 转换为 ISO 8601 格式\n return dt.isoformat()\n \n def determine_direction(self, src_ip: str, dest_ip: str = None) -> str:\n \"\"\"\n 根据源 IP 和目标 IP 判断流量方向\n \n Args:\n src_ip: 源 IP 地址\n dest_ip: 目标 IP 地址(可选)\n \n Returns:\n 流量方向代码: \"00\"(内-内), \"01\"(内-外), \"10\"(外-内), \"11\"(外-外)\n \"\"\"\n def is_internal_ip(ip: str) -> bool:\n \"\"\"判断是否为内网 IP\"\"\"\n if ip.startswith(\"10.\"):\n return True\n if ip.startswith(\"172.\"):\n second = int(ip.split(\".\")[1])\n if 16 \u003C= second \u003C= 31:\n return True\n if ip.startswith(\"192.168.\"):\n return True\n if ip.startswith(\"127.\"):\n return True\n return False\n \n src_internal = is_internal_ip(src_ip)\n # 如果没有提供目标 IP,假设目标是本地服务器(内网)\n dest_internal = is_internal_ip(dest_ip) if dest_ip else True\n \n if src_internal and dest_internal:\n return \"00\" # 内部访问内部\n elif src_internal and not dest_internal:\n return \"01\" # 内部访问外部\n elif not src_internal and dest_internal:\n return \"10\" # 外部访问内部\n else:\n return \"11\" # 外部访问外部\n \n def get_outcome(self, status_code: int) -> str:\n \"\"\"\n 根据 HTTP 状态码判断事件结果\n \n Args:\n status_code: HTTP 状态码\n \n Returns:\n 事件结果: \"OK\"(成功), \"FAIL\"(失败), \"Attempt\"(尝试)\n \"\"\"\n if 200 \u003C= status_code \u003C 300:\n return \"OK\"\n elif 300 \u003C= status_code \u003C 400:\n return \"OK\" # 重定向也算成功\n elif status_code >= 400:\n return \"FAIL\"\n else:\n return \"Attempt\"\n \n def convert_to_osim(self, parsed_log: Dict) -> Dict:\n \"\"\"\n 将解析后的 Nginx 日志转换为 OSIM HTTP 审计格式\n \n Args:\n parsed_log: 解析后的 Nginx 日志字典\n \n Returns:\n OSIM 格式的字典\n \"\"\"\n # 解析时间戳\n event_time = self.parse_nginx_timestamp(parsed_log['timestamp'])\n collector_time = datetime.now().isoformat()\n \n # 解析 HTTP 状态码\n status_code = int(parsed_log['response_code'])\n \n # 构造完整 URL\n request_url = f\"http://{self.device_config['device_ip']}{parsed_log['request_uri']}\"\n \n # 构建 OSIM 格式数据\n osim_log = {\n # ===== 必填字段 =====\n \"machine_code\": self.device_config[\"machine_code\"],\n \"device_vendor_name\": self.device_config[\"device_vendor_name\"],\n \"device_product_name\": self.device_config[\"device_product_name\"],\n \"device_name\": self.device_config[\"device_name\"],\n \"device_type_id\": self.device_config[\"device_type_id\"],\n \"device_ip\": self.device_config[\"device_ip\"],\n \"event_id\": str(uuid.uuid4()),\n \"name\": f\"HTTP {parsed_log['http_method']} Request\",\n \"start_time\": event_time,\n \"end_time\": event_time,\n \"collector_receipt_time\": collector_time,\n \"severity\": \"INFO\", # Nginx 访问日志默认为 INFO 级别\n \"log_type\": \"traffic\",\n \n # ===== 推荐字段 - 网络信息 =====\n \"src_ip\": parsed_log['src_ip'],\n \"dest_ip\": self.device_config[\"device_ip\"],\n \"direction\": self.determine_direction(\n parsed_log['src_ip'], \n self.device_config[\"device_ip\"]\n ),\n \n # ===== 推荐字段 - HTTP 信息 =====\n \"http_method\": parsed_log['http_method'],\n \"request_uri\": parsed_log['request_uri'],\n \"request_url\": request_url,\n \"response_code\": parsed_log['response_code'],\n \"user_agent\": parsed_log['user_agent'],\n \"outcome\": self.get_outcome(status_code),\n \n # ===== 推荐字段 - 协议信息 =====\n \"app_protocol\": \"http\", # 可根据端口或协议字段判断 http/https\n \"transport_protocol\": \"TCP\",\n \n # ===== 可选字段 =====\n \"response_bytes\": int(parsed_log['response_bytes']) if parsed_log['response_bytes'].isdigit() else 0,\n \"device_version\": self.device_config.get(\"device_version\", \"\"),\n \"event_count\": 1,\n }\n \n # 添加 HTTP Referer(如果存在且不为空)\n if parsed_log['http_referer'] and parsed_log['http_referer'] != '-':\n osim_log['http_referer'] = parsed_log['http_referer']\n \n # 根据响应码设置描述\n if status_code >= 400:\n osim_log['description'] = f\"HTTP request failed with status {status_code}\"\n elif status_code >= 300:\n osim_log['description'] = f\"HTTP request redirected with status {status_code}\"\n else:\n osim_log['description'] = f\"HTTP request successful with status {status_code}\"\n \n return osim_log\n \n def process_log_file(self, log_lines: List[str]) -> List[Dict]:\n \"\"\"\n 批量处理日志行\n \n Args:\n log_lines: Nginx 日志行列表\n \n Returns:\n OSIM 格式的日志列表\n \"\"\"\n osim_logs = []\n for line_num, line in enumerate(log_lines, 1):\n if not line.strip():\n continue\n \n parsed = self.parse_nginx_log(line)\n if parsed:\n osim_log = self.convert_to_osim(parsed)\n osim_logs.append(osim_log)\n else:\n print(f\"警告: 第 {line_num} 行解析失败: {line[:50]}...\")\n \n return osim_logs\n\n\ndef main():\n \"\"\"主函数 - 示例用法\"\"\"\n \n # 示例 Nginx 日志\n nginx_logs = \"\"\"\n127.0.0.1 - - [08/Dec/2025:15:56:01 +0800] \"GET / HTTP/1.1\" 200 396 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36\"\n192.168.1.105 - - [08/Dec/2025:15:56:05 +0800] \"GET /css/style.css HTTP/1.1\" 304 0 \"http://localhost/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\"\n10.0.0.52 - - [08/Dec/2025:15:56:12 +0800] \"POST /api/login HTTP/1.1\" 200 54 \"http://localhost/login\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1\"\n203.0.113.45 - - [08/Dec/2025:15:57:30 +0800] \"GET /old-page.html HTTP/1.1\" 301 169 \"-\" \"Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/118.0\"\n172.16.0.22 - - [08/Dec/2025:15:58:10 +0800] \"GET /images/missing.jpg HTTP/1.1\" 404 153 \"http://localhost/gallery\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15\"\n66.249.66.1 - - [08/Dec/2025:15:59:02 +0800] \"GET /robots.txt HTTP/1.1\" 200 102 \"-\" \"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\"\n192.168.1.50 - - [08/Dec/2025:16:00:15 +0800] \"POST /api/upload HTTP/1.1\" 500 621 \"http://localhost/upload\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0\"\n \"\"\".strip().split('\\n')\n \n # 自定义设备配置(可选)\n device_config = {\n \"machine_code\": \"NGINX-WEB-001\",\n \"device_vendor_name\": \"Nginx Inc.\",\n \"device_product_name\": \"Nginx Web Server\",\n \"device_name\": \"Production-WebServer-01\",\n \"device_type_id\": \"34\", # Web Server\n \"device_ip\": \"192.168.1.100\",\n \"device_version\": \"1.24.0\"\n }\n \n # 创建转换器\n converter = NginxToOSIMConverter(device_config)\n \n # 处理日志\n osim_logs = converter.process_log_file(nginx_logs)\n \n # 输出结果\n print(f\"成功转换 {len(osim_logs)} 条日志\\n\")\n print(\"=\" * 80)\n \n # 输出每条转换后的日志(格式化 JSON)\n for idx, osim_log in enumerate(osim_logs, 1):\n print(f\"\\n【日志 {idx}】\")\n print(json.dumps(osim_log, ensure_ascii=False, indent=2))\n print(\"-\" * 80)\n \n # 可选: 保存到文件\n output_file = \"osim_http_audit_logs.json\"\n with open(output_file, 'w', encoding='utf-8') as f:\n json.dump(osim_logs, f, ensure_ascii=False, indent=2)\n print(f\"\\n日志已保存到: {output_file}\")\n\n\nif __name__ == \"__main__\":\n main()","cases/zh/Claude_Nginx日志转换为OSIM审计格式.md","2026-04-07T09:10:11.272568",{"id":22,"title":125,"description":131,"tags":215,"viewCount":180,"useCount":180,"markdownContent":216,"markdownPath":217,"createdAt":218,"updatedAt":218,"creator":184},[178,179],"这是一篇关于 APT29 最新活动的分析文章全文(https://www.10100.com/article/29746254)。请提取其中所有的攻击指标(IoC),并将其整理为符合 OSIM threat_intelligence 相关 schema 的 JSON 格式。\n\n我需要先获取这篇文章的内容,然后查看 OSIM 的 threat_intelligence 相关 schema,以便将提取的 IoC 整理成正确的格式。\n\n我无法直接访问这个 URL。您能否直接提供文章内容,或者让我先搜索这篇文章?\n\n\nAPT29 10100.com 29746254\n10 results\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n我搜索到了一些关于 APT29 的资料,但没有找到您提到的那篇具体文章。您能否直接将文章内容粘贴给我?或者告诉我文章的标题,我可以尝试搜索更精确的关键词?\n\n同时,让我先查看一下 OSIM 的 threat_intelligence 相关 schema,以便为您准备正确的数据格式。\n\nO\n\nlist_schema_names\n\n我没有看到专门的 threat_intelligence schema。让我搜索一下是否有相关的威胁情报 schema:\n\nO\n\ndescribe_schemas\n\n我理解了。OSIM 系统中没有专门的 threat_intelligence schema,但可以使用告警相关的 schema 来记录威胁情报。不过,如果您需要提取文章中的 IoC(攻击指标),我需要先看到文章的具体内容。\n\n请您将文章内容直接粘贴给我,我会:\n\n提取所有的 IoC(包括 IP 地址、域名、文件哈希、URL、恶意软件名称等)\n根据 OSIM 相关 schema 的字段定义,将这些 IoC 整理成合适的 JSON 格式\n您可以直接复制文章内容给我吗?\n\nFiles hidden in shared chats\n好的,我已经获得了文章内容。现在让我先查看 OSIM 相关的 schema 结构,以便将提取的 IoC 整理成正确的格式。\n\nO\n\ndescribe_schemas\n\n很好,让我查看这些威胁情报相关 schema 的详细字段定义:\n\nO\n\nget_schema\n\n现在让我也查看其他威胁情报相关的 schema:\n\nO\n\nget_schema\n\n非常好!现在我已经了解了 OSIM 威胁情报相关的 schema 结构。让我为您创建一个包含从文章中提取的所有 IoC 的 JSON 文档。\n\nAPT29 意大利攻击活动 IoC - OSIM 格式\nCode \n我已经为您创建了一个详细的 JSON 文档,包含从文章中提取的所有 IoC(攻击指标)。这个文档包括:\n\n主要 IoC 类别:\n1. 文件哈希 IoC(7个)\nEnvyScout HTML样本(i.html)\nISO镜像文件(Decret.iso)\nLNK快捷方式(Decret.lnk)\n后门DLL(HPScanApi.dll,包含两个版本)\n其他相关恶意文件\n2. 域名 IoC(3个)\nwww.agencijazaregistraciju.rs(恶意域名)\nslack.com 和 files.slack.com(被滥用的合法服务)\n3. URL IoC(4个)\nEnvyScout下载链接\n信息收集端点\nSlack API端点\n4. Slack API相关 IoC(4个)\n2个API认证令牌(Bot Token)\n2个攻击者Slack用户ID\n5. 邮件 IoC\n钓鱼邮件发件地址:info@cesmoscan.org\n6. 其他技术指标\nUser-Agent字符串\n持久化文件路径(%appdata%\\HPScanLib\\)\n注册表键(HKCU\\...\\Run\\LibHP)\n7. 战术技术程序(TTPs)\n包含8个MITRE ATT&CK映射的攻击技术\n\n8. 攻击时间线\n从2022年6月14日到7月20日的关键事件\n\n9. 检测规则建议\nYARA规则概念\n网络签名\n主机行为指标\n这个 JSON 格式符合 OSIM 威胁情报 schema 的结构,包含了所有必要的字段如 ioc_type、threat_intel_category、threat_intel_subcategory、malware_family、ioc_level 等,可以直接用于威胁情报平台的导入和分析。\n=========================================(右侧内容)\n{\n \"threat_intelligence_report\": {\n \"report_info\": {\n \"title\": \"被滥用的Slack服务:APT29针对意大利的攻击活动分析\",\n \"source\": \"奇安信威胁情报中心红雨滴团队\",\n \"publish_date\": \"2022-07-20\",\n \"threat_actor\": \"APT29 (CozyBear, Nobelium, TheDukes, APT-Q-77)\",\n \"target_country\": \"意大利\",\n \"attack_vector\": \"钓鱼邮件 + EnvyScout + ISO文件投递\",\n \"c2_infrastructure\": \"Slack API\"\n },\n \n \"file_hash_iocs\": [\n {\n \"ioc_type\": \"file\",\n \"ioc\": \"3aa44a7951ad95d02c426e9e2a174c2e\",\n \"file_name\": \"i.html\",\n \"file_type\": \"HTML\",\n \"threat_intel_category\": \"/Malware\",\n \"threat_intel_subcategory\": \"/Malware/Others\",\n \"malware_family\": \"EnvyScout\",\n \"description\": \"EnvyScout HTML攻击样本,释放ISO文件\",\n \"ioc_level\": \"High\"\n },\n {\n \"ioc_type\": \"file\",\n \"ioc\": \"6228d15e3bb50adfa59c1bdf5f6ce9f0\",\n \"file_name\": \"Decret.iso\",\n \"file_type\": \"ISO\",\n \"threat_intel_category\": \"/Malware\",\n \"threat_intel_subcategory\": \"/Malware/Others\",\n \"malware_family\": \"EnvyScout\",\n \"description\": \"包含恶意载荷的ISO镜像文件\",\n \"ioc_level\": \"High\",\n \"first_seen\": \"2022-06-29\"\n },\n {\n \"ioc_type\": \"file\",\n \"ioc\": \"59b5d262532dab929bbe56c90a0257d2\",\n \"file_name\": \"Decret.lnk\",\n \"file_type\": \"LNK\",\n \"threat_intel_category\": \"/Malware\",\n \"threat_intel_subcategory\": \"/Malware/Others\",\n \"malware_family\": \"EnvyScout\",\n \"description\": \"恶意快捷方式文件,启动HP2.exe\",\n \"ioc_level\": \"High\"\n },\n {\n \"ioc_type\": \"file\",\n \"ioc\": \"6812031432039a89fa741e9338f8e887\",\n \"file_name\": \"HPScanApi.dll\",\n \"file_type\": \"PE DLL 64-bit\",\n \"threat_intel_category\": \"/Malware\",\n \"threat_intel_subcategory\": \"/Malware/Backdoor\",\n \"malware_family\": \"APT29 Backdoor\",\n \"description\": \"后门DLL,利用Slack API作为C2信道\",\n \"ioc_level\": \"Critical\",\n \"compile_time\": \"2022-06-29 01:07:48 UTC+8\",\n \"persistence_method\": \"注册表Run键 HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\LibHP\"\n },\n {\n \"ioc_type\": \"file\",\n \"ioc\": \"eb25d1887b5943f3d86d997fd8099e37\",\n \"file_name\": \"未知\",\n \"file_type\": \"未知\",\n \"threat_intel_category\": \"/Malware\",\n \"threat_intel_subcategory\": \"/Malware/Others\",\n \"malware_family\": \"APT29\",\n \"description\": \"与攻击活动相关的恶意文件\",\n \"ioc_level\": \"High\"\n },\n {\n \"ioc_type\": \"file\",\n \"ioc\": \"79d8a62c0513c6138bfa7a5370a022a3\",\n \"file_name\": \"未知\",\n \"file_type\": \"未知\",\n \"threat_intel_category\": \"/Malware\",\n \"threat_intel_subcategory\": \"/Malware/Others\",\n \"malware_family\": \"APT29\",\n \"description\": \"与攻击活动相关的恶意文件\",\n \"ioc_level\": \"High\"\n },\n {\n \"ioc_type\": \"file\",\n \"ioc\": \"47ddd6003534a108a173aa1fb3361739\",\n \"file_name\": \"HPScanApi.dll\",\n \"file_type\": \"PE DLL\",\n \"threat_intel_category\": \"/Malware\",\n \"threat_intel_subcategory\": \"/Malware/Backdoor\",\n \"malware_family\": \"APT29 Backdoor\",\n \"description\": \"早期版本后门DLL(2022-06-14编译)\",\n \"ioc_level\": \"Critical\",\n \"compile_time\": \"2022-06-14 10:58:50 UTC\"\n }\n ],\n \n \"domain_iocs\": [\n {\n \"ioc_type\": \"domain\",\n \"ioc\": \"www.agencijazaregistraciju.rs\",\n \"threat_intel_category\": \"/C2\",\n \"threat_intel_subcategory\": \"/C2/Backdoor\",\n \"malware_family\": \"APT29\",\n \"description\": \"EnvyScout攻击样本托管域名\",\n \"ioc_level\": \"Critical\",\n \"associated_urls\": [\n \"hxxps://www.agencijazaregistraciju.rs/i.html\",\n \"hxxps://www.agencijazaregistraciju.rs/t.php\"\n ]\n },\n {\n \"ioc_type\": \"domain\",\n \"ioc\": \"files.slack.com\",\n \"threat_intel_category\": \"/C2\",\n \"threat_intel_subcategory\": \"/C2/Backdoor\",\n \"malware_family\": \"APT29\",\n \"description\": \"Slack文件下载服务,被用于下载后续载荷\",\n \"ioc_level\": \"Medium\",\n \"note\": \"合法服务被滥用\"\n },\n {\n \"ioc_type\": \"domain\",\n \"ioc\": \"slack.com\",\n \"threat_intel_category\": \"/C2\",\n \"threat_intel_subcategory\": \"/C2/Backdoor\",\n \"malware_family\": \"APT29\",\n \"description\": \"Slack API服务,被用作C2通信信道\",\n \"ioc_level\": \"Medium\",\n \"note\": \"合法服务被滥用\",\n \"api_endpoints\": [\n \"https://slack.com/api/conversations.create\",\n \"https://slack.com/api/conversations.invite\",\n \"https://slack.com/api/chat.postMessage\",\n \"https://slack.com/api/files.list\"\n ]\n }\n ],\n \n \"url_iocs\": [\n {\n \"ioc_type\": \"url\",\n \"ioc\": \"hxxps://www.agencijazaregistraciju.rs/i.html\",\n \"threat_intel_category\": \"/Malware\",\n \"threat_intel_subcategory\": \"/Malware/Others\",\n \"malware_family\": \"EnvyScout\",\n \"description\": \"EnvyScout HTML恶意样本下载链接\",\n \"ioc_level\": \"Critical\",\n \"delivery_method\": \"PDF诱饵文档中的链接\"\n },\n {\n \"ioc_type\": \"url\",\n \"ioc\": \"hxxps://www.agencijazaregistraciju.rs/t.php\",\n \"threat_intel_category\": \"/C2\",\n \"threat_intel_subcategory\": \"/C2/Backdoor\",\n \"malware_family\": \"APT29\",\n \"description\": \"收集受害者User-Agent和IP信息的追踪端点\",\n \"ioc_level\": \"High\"\n },\n {\n \"ioc_type\": \"url\",\n \"ioc\": \"https://slack.com/api/files.list?channel=\u003CCHANNEL_ID>&user=U03MMK35QQ1\",\n \"threat_intel_category\": \"/C2\",\n \"threat_intel_subcategory\": \"/C2/Backdoor\",\n \"malware_family\": \"APT29\",\n \"description\": \"Slack API用于列出攻击者上传的载荷文件\",\n \"ioc_level\": \"High\",\n \"associated_user_id\": \"U03MMK35QQ1\"\n },\n {\n \"ioc_type\": \"url\",\n \"ioc\": \"https://slack.com/api/files.list?channel=\u003CCHANNEL_ID>&user=U03K4RNC751\",\n \"threat_intel_category\": \"/C2\",\n \"threat_intel_subcategory\": \"/C2/Backdoor\",\n \"malware_family\": \"APT29\",\n \"description\": \"早期样本使用的Slack API端点\",\n \"ioc_level\": \"High\",\n \"associated_user_id\": \"U03K4RNC751\"\n }\n ],\n \n \"slack_api_iocs\": [\n {\n \"ioc_type\": \"token\",\n \"ioc\": \"xoxb-3746750028880-3716488860102-2pXQRNc7uoS4DT5HVmdnjgEv\",\n \"threat_intel_category\": \"/C2\",\n \"threat_intel_subcategory\": \"/C2/Backdoor\",\n \"malware_family\": \"APT29\",\n \"description\": \"Slack API认证令牌(最新样本)\",\n \"ioc_level\": \"Critical\",\n \"token_type\": \"Bot Token\",\n \"status\": \"可能已失效或IP受限\",\n \"associated_user_id\": \"U03MMK35QQ1\"\n },\n {\n \"ioc_type\": \"token\",\n \"ioc\": \"xoxb-3644332911574-3644381968246-wwNbyQaqlooogPAv2JjHh663\",\n \"threat_intel_category\": \"/C2\",\n \"threat_intel_subcategory\": \"/C2/Backdoor\",\n \"malware_family\": \"APT29\",\n \"description\": \"Slack API认证令牌(早期样本)\",\n \"ioc_level\": \"Critical\",\n \"token_type\": \"Bot Token\",\n \"associated_user_id\": \"U03K4RNC751\"\n },\n {\n \"ioc_type\": \"user_id\",\n \"ioc\": \"U03MMK35QQ1\",\n \"threat_intel_category\": \"/C2\",\n \"threat_intel_subcategory\": \"/C2/Backdoor\",\n \"malware_family\": \"APT29\",\n \"description\": \"攻击者的Slack用户ID(最新样本)\",\n \"ioc_level\": \"High\",\n \"platform\": \"Slack\"\n },\n {\n \"ioc_type\": \"user_id\",\n \"ioc\": \"U03K4RNC751\",\n \"threat_intel_category\": \"/C2\",\n \"threat_intel_subcategory\": \"/C2/Backdoor\",\n \"malware_family\": \"APT29\",\n \"description\": \"攻击者的Slack用户ID(早期样本)\",\n \"ioc_level\": \"High\",\n \"platform\": \"Slack\"\n }\n ],\n \n \"email_iocs\": [\n {\n \"ioc_type\": \"email\",\n \"ioc\": \"info@cesmoscan.org\",\n \"threat_intel_category\": \"/Phishing\",\n \"threat_intel_subcategory\": \"/Phishing/EmailPhishing\",\n \"malware_family\": \"APT29\",\n \"description\": \"钓鱼邮件实际发件地址\",\n \"ioc_level\": \"High\",\n \"spoofed_domain\": \"governo.it\"\n }\n ],\n \n \"user_agent_iocs\": [\n {\n \"ioc_type\": \"user_agent\",\n \"ioc\": \"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36\",\n \"threat_intel_category\": \"/C2\",\n \"threat_intel_subcategory\": \"/C2/Backdoor\",\n \"malware_family\": \"APT29\",\n \"description\": \"后门伪造的User-Agent字符串\",\n \"ioc_level\": \"Low\"\n }\n ],\n \n \"file_path_iocs\": [\n {\n \"ioc_type\": \"file_path\",\n \"ioc\": \"%appdata%\\\\HPScanLib\\\\\",\n \"threat_intel_category\": \"/Malware\",\n \"threat_intel_subcategory\": \"/Malware/Backdoor\",\n \"malware_family\": \"APT29\",\n \"description\": \"后门持久化目录\",\n \"ioc_level\": \"Medium\",\n \"persistence_files\": [\n \"HPScanApi.dll\",\n \"HP2.exe\",\n \"version.dll\"\n ]\n }\n ],\n \n \"registry_iocs\": [\n {\n \"ioc_type\": \"registry\",\n \"ioc\": \"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\LibHP\",\n \"threat_intel_category\": \"/Malware\",\n \"threat_intel_subcategory\": \"/Malware/Backdoor\",\n \"malware_family\": \"APT29\",\n \"description\": \"后门持久化注册表键\",\n \"ioc_level\": \"High\",\n \"registry_value\": \"指向%appdata%\\\\HPScanLib\\\\HP2.exe\"\n }\n ],\n \n \"ttps\": [\n {\n \"tactic\": \"Initial Access\",\n \"technique\": \"Phishing\",\n \"sub_technique\": \"Spearphishing Link\",\n \"mitre_id\": \"T1566.002\",\n \"description\": \"通过钓鱼邮件和PDF诱饵文档投递恶意链接\"\n },\n {\n \"tactic\": \"Execution\",\n \"technique\": \"User Execution\",\n \"sub_technique\": \"Malicious File\",\n \"mitre_id\": \"T1204.002\",\n \"description\": \"诱导用户下载并打开ISO文件\"\n },\n {\n \"tactic\": \"Persistence\",\n \"technique\": \"Boot or Logon Autostart Execution\",\n \"sub_technique\": \"Registry Run Keys\",\n \"mitre_id\": \"T1547.001\",\n \"description\": \"通过注册表Run键实现持久化\"\n },\n {\n \"tactic\": \"Defense Evasion\",\n \"technique\": \"Masquerading\",\n \"mitre_id\": \"T1036\",\n \"description\": \"恶意文件伪装成合法HP扫描工具\"\n },\n {\n \"tactic\": \"Defense Evasion\",\n \"technique\": \"Obfuscated Files or Information\",\n \"mitre_id\": \"T1027\",\n \"description\": \"使用字符表查表转换混淆shellcode\"\n },\n {\n \"tactic\": \"Defense Evasion\",\n \"technique\": \"Unhook API\",\n \"mitre_id\": \"T1562.002\",\n \"description\": \"重新加载ntdll.dll和wininet.dll的text段以绕过挂钩检测\"\n },\n {\n \"tactic\": \"Command and Control\",\n \"technique\": \"Application Layer Protocol\",\n \"sub_technique\": \"Web Protocols\",\n \"mitre_id\": \"T1071.001\",\n \"description\": \"滥用Slack API建立C2信道\"\n },\n {\n \"tactic\": \"Command and Control\",\n \"technique\": \"Web Service\",\n \"mitre_id\": \"T1102\",\n \"description\": \"使用合法的Slack服务作为C2基础设施\"\n }\n ],\n \n \"attack_timeline\": {\n \"2022-06-14\": \"早期样本编译,使用令牌 xoxb-3644332911574-3644381968246-wwNbyQaqlooogPAv2JjHh663\",\n \"2022-06-中旬\": \"同名样本上传至VT\",\n \"2022-06-29\": \"最新样本编译,使用令牌 xoxb-3746750028880-3716488860102-2pXQRNc7uoS4DT5HVmdnjgEv\",\n \"2022-07-20\": \"奇安信发布分析报告\"\n },\n \n \"detection_rules\": {\n \"yara_rule_concepts\": [\n \"检测EnvyScout HTML文件特征\",\n \"检测Slack API令牌硬编码\",\n \"检测特定字符串解密方式(异或)\",\n \"检测DLL侧加载模式(HP2.exe + version.dll + HPScanApi.dll)\"\n ],\n \"network_signatures\": [\n \"检测向Slack API的conversations.create请求\",\n \"检测向Slack API的conversations.invite请求\",\n \"检测向Slack API的chat.postMessage请求\",\n \"检测向Slack API的files.list请求\",\n \"检测Authorization头包含已知恶意令牌\",\n \"检测访问www.agencijazaregistraciju.rs域名\"\n ],\n \"host_based_indicators\": [\n \"检测%appdata%\\\\HPScanLib目录创建\",\n \"检测注册表键HKCU\\\\...\\\\Run\\\\LibHP创建\",\n \"检测HP2.exe、version.dll、HPScanApi.dll组合\",\n \"检测DLL重新加载ntdll.dll和wininet.dll行为\"\n ]\n }\n }\n}\n","cases/zh/Claude_APT29 攻击指标提取与转换.md","2026-04-07T09:10:11.264794",{"id":8,"title":220,"description":221,"tags":222,"viewCount":180,"useCount":180,"markdownContent":223,"markdownPath":224,"createdAt":225,"updatedAt":225,"creator":184},"威胁猎杀图谱 Schema 设计建议","现代安全运营正在从\"日志搜索\"向\"图谱分析\"演进。但是,如何定义图谱中的节点(Node)和边(Edge)是一个巨大的难题。OSIM 天生就是一个完美的图数据库 Schema 定义书。我们正在用 Neo4j 构建威胁猎杀图谱。请读取 OSIM 的 asset 和 alert 相关定义,帮我设计图谱的 Schema(节点标签和关系)。例如,'主机'和'IP'是什么关系?'进程'和'文件'是什么关系?",[178,179],"现代安全运营正在从“日志搜索”向“图谱分析”演进。但是,如何定义图谱中的节点(Node)和边(Edge)是一个巨大的难题。OSIM 天生就是一个完美的图数据库 Schema 定义书。我们正在用 Neo4j 构建威胁猎杀图谱。请读取 OSIM 的 asset 和 alert 相关定义,帮我设计图谱的 Schema(节点标签和关系)。例如,‘主机’和‘IP’是什么关系?‘进程’和‘文件’是什么关系?\n# 威胁猎杀图谱 Schema 设计建议\n\n基于 OSIM 的资产(asset)与告警(alert)定义,我为您设计了一个适用于 Neo4j 的图谱 Schema,包含节点标签(Node Labels)和关系(Relationships)。这个设计遵循了实体关系模型,将资产作为节点,告警作为可以附加到资产上的事件,并通过具体的关系连接不同资产,形成上下文丰富的图谱。\n\n## 一、节点(Nodes)\n\n1. **主机类节点 (Host Nodes)**\n - **`PhysicalHost`**: 物理主机,对应 `asset.physical_asset.server` 和 `asset.physical_asset.terminal`。\n - **`VirtualHost`**: 虄拟主机,对应 `asset.virtual_asset.virtual_machine`。\n - **`Container`**: 容器,对应 `asset.virtual_asset.container`。\n\n2. **网络类节点 (Network Nodes)**\n - **`IP`**: IP地址,对应 `asset.network_asset.ip_address`。\n - **`Domain`**: 域名,对应 `asset.network_asset.domain`。\n\n3. **软件与数据类节点 (Software & Data Nodes)**\n - **`Process`**: 进程,由主机启动运行的实体。\n - **`File`**: 文件,对应 `asset.data_asset.file`。\n - **`Application`**: 应用软件,对应 `asset.software_asset.application_software`。\n - **`Account`**: 账户,对应 `asset.data_asset.account`。\n\n4. **告警类节点 (Alert Nodes)**\n - **`Alert`**: 通用告警节点,所有具体的告警类型,如 `TrojanHorse`(木马)和 `CredentialAttack`(凭证攻击),都继承自 `Alert`。\n\n## 二、关系(Relationships)\n\n### 主机与网络资产的关系\n- **`HAS_IP`**: (`Host`)-[:`HAS_IP`]->(`IP`)\n - **描述**: 主机拥有一个或多个IP地址。\n - **方向**: 主机 -> IP地址。\n- **`RESOLVES_TO`**: (`Domain`)-[:`RESOLVES_TO`]->(`IP`)\n - **描述**: 域名解析到特定的IP地址。\n - **方向**: 域名 -> IP地址。\n\n### 主机内部资产的关系\n- **`RUNS`**: (`Host`)-[:`RUNS`]->(`Process`)\n - **描述**: 主机上运行着一个进程。\n - **方向**: 主机 -> 进程。\n- **`SPAWNED_BY`**: (`Process`)-[:`SPAWNED_BY`]->(`Process`)\n - **描述**: 进程由另一个父进程派生。\n - **方向**: 子进程 -> 父进程。\n- **`OWNS`**: (`Account`)-[:`OWNS`]->(`Process|File`)\n - **描述**: 账户拥有特定的进程或文件。\n - **方向**: 账户 -> 进程/文件。\n- **`EXECUTES`**: (`Process`)-[:`EXECUTES`]->(`File`)\n - **描述**: 进程执行(加载)了一个文件(通常是可执行文件)。\n - **方向**: 进程 -> 文件。\n- **`HOSTS`**: (`Host`)-[:`HOSTS`]->(`Application`)\n - **描述**: 主机上部署/安装了某个应用软件。\n - **方向**: 主机 -> 应用软件。\n\n### 文件间的关系\n- **`WRITES`**: (`Process`)-[:`WRITES`]->(`File`)\n - **描述**: 进程向文件写入数据。\n - **方向**: 进程 -> 文件。\n- **`READS`**: (`Process`)-[:`READS`]->(`File`)\n - **描述**: 进程读取了文件的内容。\n - **方向**: 进程 -> 文件。\n\n### 告警与资产的关系\n- **`ORIGINATES_FROM`**: (`Alert`)-[:`ORIGINATES_FROM`]->(`IP|Host|Process`)\n - **描述**: 告警来源于特定的IP、主机或进程(攻击者)。\n - **方向**: 告警 -> 攻击源。\n- **`TARGETS`**: (`Alert`)-[:`TARGETS`]->(`IP|Host|Process|File|Account`)\n - **描述**: 告警的目标是特定的资产(受害者)。\n - **方向**: 告警 -> 受害者。\n- **`INVOLVES_FILE`**: (`Alert`)-[:`INVOLVES_FILE`]->(`File`)\n - **描述**: 告警涉及一个特定的恶意文件(如木马文件)。\n - **方向**: 告警 -> 文件。\n\n## 三、详细关系解释与示例\n\n### 1. “主机”和“IP”是什么关系?\n- **关系**: `HAS_IP`\n- **解释**: 在图谱中,一台物理服务器、虚拟机或容器可以绑定一个或多个IP地址。这种 `HAS_IP` 关系准确地捕获了这种一对多的关联。\n- **示例**:\n ```cypher\n (:PhysicalHost {hostname: \"SRV-DB-01\"})-[:HAS_IP]->(:IP {address: \"192.168.1.10\"})\n ```\n\n### 2. “进程”和“文件”是什么关系?\n- **关系**: 主要包括 `EXECUTES`, `READS`, `WRITES`。\n- **解释**: \n - `EXECUTES` 表示一个进程是由某个可执行文件启动的。\n - `READS`/`WRITES` 表示进程在运行时对其他文件(如配置文件、日志、文档)的读写操作。\n- **示例**:\n ```cypher\n // 进程由可执行文件启动\n (:Process {name: \"nginx.exe\"})-[:EXECUTES]->(:File {path: \"C:\\\\nginx\\\\nginx.exe\"})\n \n // 进程读取配置文件\n (:Process {name: \"nginx.exe\"})-[:READS]->(:File {path: \"C:\\\\nginx\\\\conf\\\\nginx.conf\"})\n ```\n\n### 3. 告警如何融入图谱?\n- **核心思想**: 告警本身也是一个节点,但它通过关系连接到图谱中已有的资产节点,从而将离散的告警事件与资产实体关联起来,形成攻击链路。\n- **示例 - 木马告警**:\n ```cypher\n // 创建一个木马告警节点\n (alert:TrojanHorse:Alert {alert_id: \"ALERT-123\", file_md5: \"a1b2c3...\"})\n \n // 该木马来源于外部IP\n (alert)-[:ORIGINATES_FROM]->(:IP {address: \"203.0.113.5\"})\n \n // 该木马的目标是内部主机\n (alert)-[:TARGETS]->(:VirtualHost {hostname: \"WEB-SERVER\"})\n \n // 该告警涉及一个具体的恶意文件\n (alert)-[:INVOLVES_FILE]->(:File {path: \"/tmp/malware\", md5: \"a1b2c3...\"})\n \n // 该文件被一个名为 \"malware\" 的进程执行\n (:Process {name: \"malware\"})-[:EXECUTES]->(:File {path: \"/tmp/malware\"})\n ```\n 通过以上关系,您可以从一个告警出发,迅速定位到受影响的主机、执行的恶意进程以及攻击源IP。\n\n- **示例 - 凭证攻击告警**:\n ```cypher\n // 创建一个凭证攻击告警\n (alert:CredentialAttack:Alert {alert_id: \"ALERT-456\"})\n \n // 攻击者IP\n (alert)-[:ORIGINATES_FROM]->(:IP {address: \"198.51.100.22\"})\n \n // 被攻击的目标账户\n (alert)-[:TARGETS]->(:Account {username: \"admin\"})\n \n // 该账户存在于特定主机上\n (:Account {username: \"admin\"})-[:OWNS]->(:PhysicalHost {hostname: \"DC-01\"})\n ```\n\n通过这种设计,您的威胁猎杀图谱不仅能清晰地表示资产间的拓扑和依赖关系,还能将安全事件(告警)无缝地融入其中,为进行复杂的关联分析、路径推演和根源追溯提供强大的数据基础。","cases/zh/Qwen_威胁猎杀图谱Schema设计.md","2026-04-07T09:10:11.258667",1775524373151]