getIncident
You can use this method to retrieve information regarding a specific incident by referencing its ID.
API url: CONTROL_CENTER_APIs_ACCESS_URL/v1.2/jsonrpc/incidents
Parameters
| Parameter | Description | Included in request | Type | Values |
|---|---|---|---|---|
| id | The ID of the incident you want to retrieve information for. | Mandatory | String | No additional requirements. |
Return value
| Attribute | Type | Description |
|---|---|---|
| incidentId | String | The ID of the incident. |
| incidentNumber | String | The number of the incident, as shown in the GravityZone console, under the Incidents page. |
| company | Object | The ID of the company where the incident was generated. For more information, refer to the company object below. |
| status | String | The status of the incident. Possible values: |
| mainAction | String | The main action that was taken automatically by the protection technologies when the incident was detected. Possible values: |
| created | String | The time and date of when the incident was detected in the network, in ISO-8601 format. |
| lastUpdated | String | The time and date of when the incident was last updated by GravityZone, in ISO-8601 format. |
| lastProcessed | String | The time and date of when the incident was last processed by GravityZone, in ISO-8601 format. |
| severityScore | Integer | The severity score assigned to the incident, as reported by the detection technologies. Possible values: |
| incidentLink | String | A URL linking to a web page where the incident details can be viewed in a browser. |
| assignee | Object | The ID of the GravityZone user that is assigned to this incident. If no user is assigned, this object is not included in the return. For more information, refer to the assignee object below. |
| priority | String | The priority assigned to the incident. Possible values: |
| attackTypes | Array of strings | A list of attack types detected in the incident. |
| details | Object | This object contains additional information regarding the incident. The information provided depends on the value of the incidentType attribute; see the details tables for EDR and XDR incidents below. |
| notes | Object | A list of notes that were attached to the incident. For more information, refer to the notes object below. |
objects
company
| Attribute | Type | Description |
|---|---|---|
| id | String | The ID of the company where the incident was generated. |
| name | String | The name of the company where the incident was generated. |
assignee
| Attribute | Type | Description |
|---|---|---|
| | String | The ID of the user that the case is assigned to. |
| | String | The name of the user that the case is assigned to. |
| | String | The ID of the company the assigned user belongs to. |
| | String | The name of the company the assigned user belongs to. |
notes
| Attribute | Type | Description |
|---|---|---|
| | String | The ID of the note. |
| | String | The ID of the user that created the note. |
| | String | The text added to the note. |
| | String | The date and time when the note was created, in ISO-8601 format. |
details - for EDR incidents
| Attribute | Type | Description |
|---|---|---|
| detectionName | String | The name of the detection. |
| partOf | Object | A list of objects that indicates in which extended incidents this incident was used for correlating data. For more information, refer to the partOf object below. |
| computerId | String | The ID of the endpoint that generated the incident. |
| computerName | String | The name of the endpoint that generated the incident. |
| computerFqdn | String | The FQDN of the endpoint that generated the incident. |
| computerIp | String | The IP of the endpoint that generated the incident. If the endpoint has multiple IPs, the one used to communicate with GravityZone is reported here, not the one used in the attack. |
| computerMacAddresses | Array of strings | A list of the endpoint's MAC addresses. |
| counters | Object | A list of counters that reflect how many resources of a certain type were present in the incident. For more information, refer to the counters object below. |
| triggerNodeId | String | The ID of the node that triggered the incident. This is the root node of the incident graph. The node belongs to the list of nodes listed in the nodes attribute. |
| nodes | Array of objects | The list of nodes from the incident graph. For more information, refer to the nodes object below. |
| alerts | Array of objects | The list of alerts from the incident events. For more information, refer to the alerts object below. |
| transitions | Array of objects | A list of transitions between nodes. It maps the event flow between nodes in the EDR behavior graph. For more information, refer to the transitions object below. |
| mitreTags | Array of objects | MITRE techniques detected in the attack. For more information, refer to the mitreTags object below. |
partOf
| Attribute | Type | Description |
|---|---|---|
| | String | The ID of the incident. |
| | String | A URL that can be used to open the incident in GravityZone. Note: users will need to log in to GravityZone to access the incident. |
counters
| Attribute | Type | Description |
|---|---|---|
| endpoints | Integer | The number of endpoints involved in the incident. |
| files | Integer | The number of files involved in the incident. |
| processes | Integer | The number of processes involved in the incident. |
| domains | Integer | The number of domains involved in the incident. |
| registries | Integer | The number of registry keys involved in the incident. This applies only to endpoints that use Windows. |
| events | Integer | The number of system events involved in the incident. |
| storages | Integer | The number of storage devices involved in the incident. |
mitreTags
| Attribute | Type | Description |
|---|---|---|
| category | String | The category the MITRE technique belongs to. |
| techniques | Array of objects | The MITRE techniques detected for this category. |
techniques
| Attribute | Type | Description |
|---|---|---|
| id | String | The ID of the MITRE technique (for example, T1548). |
| name | String | The name of the MITRE technique (for example, Abuse Elevation Control Mechanism). |
| subtechniques | Array of objects | The MITRE sub-techniques detected for this technique. |
subtechniques
| Attribute | Type | Description |
|---|---|---|
| id | String | The ID of the MITRE sub-technique (for example, T1548.001). |
| name | String | The name of the MITRE sub-technique (for example, Setuid and Setgid). |
nodes
| Attribute | Type | Description |
|---|---|---|
| id | String | The ID of the node. |
| name | String | The name of the node. |
| type | String | The type of the node. Possible values: |
| alertIds | Array of strings | A list of alert IDs. These correlate with the objects from the alerts array. |
| details | Array of objects | The details available for the node. The data contained by the object varies based on the value of the type attribute. For any other types, the attribute will not be included in the response. |
details
| Value of type | Attribute | Type |
|---|---|---|
|
| String |
| String | |
| String | |
| String | |
| Boolean | |
| Boolean | |
|
| String |
| String | |
| String | |
| String | |
| Integer | |
| Boolean | |
| Object Contains the following attributes:
| |
| Object Contains the following attributes:
| |
| Object Contains the following attributes:
| |
|
| Object Contains the following attributes:
|
| Object Contains the following attributes:
| |
| Object Contains the following attributes:
| |
| Object Contains the following attributes:
| |
| Object Contains the following attributes:
| |
|
| Object Contains the following attributes:
|
| Object Contains the following attributes:
| |
|
| Object Contains the following attributes:
|
| Object Contains the following attributes:
| |
| Object Contains the following attributes:
|
alerts
| Attribute | Type | Description |
|---|---|---|
| id | String | The ID of the alert. |
| name | String | The name of the alert. |
| date | String | The time and date when the alert was detected in the network, in ISO-8601 format. |
| detectedBy | Object | The object contains information about who detected the alert. |
| resources | Object | The object contains information regarding the resources involved in the alert. |
| extra | Array of objects | Extra information for the alert. |
detectedBy
| Attribute | Type | Description |
|---|---|---|
| name | String | The name of the technology that detected the threat. |
| class | String | The type of the technology that detected the threat. |
resources
| Attribute | Type | Description |
|---|---|---|
| type | String | The type of the resource. Possible values: |
| details | Array of objects | The details available for the resource. The data contained by the object varies based on the value of the type attribute. For any other types, the attribute will not be included in the response. |
details
| Value of type | Attribute | Type |
|---|---|---|
|
| String |
| Integer | |
| String | |
| String | |
| String | |
| String | |
| String | |
| String | |
| String | |
| String | |
| String | |
| String | |
| String | |
| String | |
| String | |
| String | |
| String | |
|
| String |
| String | |
| Integer | |
| String | |
| Integer | |
| String | |
| String | |
| String | |
| String | |
| String | |
| Integer | |
| Integer | |
| Integer | |
| Integer | |
| String | |
| String | |
| Integer | |
| Integer | |
| String | |
| Integer | |
| String | |
| String | |
| String | |
| String | |
| String | |
| String | |
| String | |
| String | |
| String | |
| Integer | |
| String | |
| String | |
| String | |
| String | |
| String | |
| String | |
| String | |
| String | |
| String | |
| Integer | |
| String | |
| String | |
| String | |
| String | |
| String | |
| String | |
| String | |
| String | |
| String | |
| String | |
| String | |
| String | |
|
| Integer |
| String | |
| Integer | |
| String | |
| Integer | |
| String | |
| String | |
| String | |
| String | |
| String | |
| Integer | |
| String | |
| Integer | |
| String | |
| Integer | |
| Integer | |
| String | |
| String | |
| String | |
| String | |
| String | |
|
| String |
| String | |
| String | |
| String | |
| String |
extra
| Attribute | Type |
|---|---|
| | String |
| | Number, Boolean or String |
transitions
These items should be used to build the incident graph. They indicate how nodes connect.
| Attribute | Type | Description |
|---|---|---|
| from | String | The ID of the origin node. |
| to | String | The ID of the destination node. |
| date | String | The date and time of the transition, in ISO-8601 format. |
details - for XDR incidents
| Attribute | Type | Description |
|---|---|---|
| partOf | Object | A list of objects that indicates in which extended incident this incident was used for correlating data. For more information, refer to the partOf and contains object below. |
| contains | Object | A list of objects that indicates what other incidents were used for correlating data in this incident. For more information, refer to the partOf and contains object below. |
| counters | Object | A map of counters that reflect how many resources of a certain type were present in the incident. For more information, refer to the counters object below. |
| mitreTags | Object | MITRE techniques detected in the attack. For more information, refer to the mitreTags object below. |
| killChainPhases | Array of strings | An array listing the stages of the cyberattack lifecycle, based on the MITRE ATT&CK framework. Each value represents a specific phase the threat actor may have reached during the incident. Possible values: |
| lastKillChainPhase | String | Indicates the most recent stage reached in the cyberattack lifecycle during the incident, based on the MITRE ATT&CK framework. It reflects the furthest progression observed by the system. Possible values: |
| cves | Object | A list of CVEs identified in the attack. For more information, refer to the cves object below. |
| suspectedActors | Object | A list of suspected actors that might have carried out the attack. For more information, refer to the suspectedActors object below. |
| nodes | Object | The list of nodes from the incident graph. For more information, refer to the nodes object below. |
| alerts | Object | The list of alerts from the incident events. For more information, refer to the alerts object below. |
partOf and contains
| Attribute | Type | Description |
|---|---|---|
| | String | The ID of the incident. |
| | String | A URL that can be used to open the incident in GravityZone. Note: users will need to log in to GravityZone to access the incident. |
counters
| Attribute | Type | Description |
|---|---|---|
| endpoints | Integer | The number of endpoints involved in the incident. |
| servers | Integer | The number of servers involved in the incident. |
| mobileDevices | Integer | The number of mobile devices involved in the incident. |
| printers | Integer | The number of printers involved in the incident. |
| routers | Integer | The number of routers involved in the incident. |
| IoTs | Integer | The number of Internet-of-Things (IoT) devices involved in the incident. |
| identities | Integer | The number of identities involved in the incident. |
| emails | Integer | The number of emails involved in the incident. |
| IPs | Integer | The number of IPs involved in the incident. |
| domains | Integer | The number of domains involved in the incident. |
| DNSs | Integer | The number of domain name servers involved in the incident. |
| DGAs | Integer | The number of domain generation algorithms (DGAs) involved in the incident. |
| cloudStorages | Integer | The number of cloud storages involved in the incident. |
| torNodes | Integer | The number of Tor nodes involved in the incident. |
| externalDrives | Integer | The number of external drives involved in the incident. |
| externalSources | Integer | The number of external sources involved in the incident. |
| exfiltratedFiles | Integer | The number of exfiltrated files involved in the incident. |
| internalIPs | Integer | The number of internal IPs involved in the incident. |
| internalEmails | Integer | The number of internal emails involved in the incident. |
| users | Integer | The number of users involved in the incident. |
| virtualDesktops | Integer | The number of virtual desktops involved in the incident. |
| containers | Integer | The number of containers (docker, k8s, etc.) involved in the incident. |
| databases | Integer | The number of databases involved in the incident. |
| storages | Integer | The number of storages involved in the incident. |
| office365Instances | Integer | The number of Office 365 instances involved in the incident. |
| ADInstances | Integer | The number of Active Directory instances involved in the incident. |
| azureADInstances | Integer | The number of Azure Active Directory instances involved in the incident. |
| GCPInstances | Integer | The number of Google Cloud Platform instances involved in the incident. |
| googleWorkspaceInstances | Integer | The number of Google Workspace instances involved in the incident. |
| atlassianInstances | Integer | The number of Atlassian instances involved in the incident. |
| atlassianBitbucketProducts | Integer | The number of Atlassian Bitbucket products involved in the incident. |
| atlassianJiraProducts | Integer | The number of Atlassian Jira products involved in the incident. |
| atlassianConfluenceProducts | Integer | The number of Atlassian Confluence products involved in the incident. |
| bitbucketProjects | Integer | The number of Bitbucket projects involved in the incident. |
| confluenceSpaces | Integer | The number of Confluence spaces involved in the incident. |
mitreTags
| Attribute | Type | Description |
|---|---|---|
| category | String | The category the MITRE technique belongs to. |
| techniques | Array of objects | The MITRE techniques detected for this category. |
techniques
| Attribute | Type | Description |
|---|---|---|
| id | String | The ID of the MITRE technique (for example, T1568). |
| name | String | The name of the MITRE technique (for example, Dynamic Resolution). |
| subtechniques | Array of objects | The MITRE sub-techniques detected for this technique. |
subtechniques
| Attribute | Type | Description |
|---|---|---|
| id | String | The ID of the MITRE sub-technique (for example, T1568.002). |
| name | String | The name of the MITRE sub-technique (for example, Domain Generation Algorithms). |
cves
| Attribute | Type | Description |
|---|---|---|
| id | String | The ID of a CVE (for example, CVE-2018-4878). |
suspectedActors
| Attribute | Type | Description |
|---|---|---|
| name | String | The name of the suspected actor. |
| confidenceScore | Integer | Confidence score for correlating the attack with this actor. |
| reasons | Array of objects | A list of reasons why this attack was correlated with this actor. |
reasons
| Attribute | Type | Description |
|---|---|---|
| type | String | The type of the reason. Possible values: |
| value | String | The value for the reason. The string format depends on the type field. |
nodes
| Attribute | Type | Description |
|---|---|---|
| id | String | The ID of the node. |
| name | String | The name of the node. |
| isExternal | Boolean | Indicates whether the node is a resource from the client's network or not. |
| type | String | The type of the node. Possible values: |
| details | Object | The details available for this node. The data contained by the object varies based on the value of the type attribute. For any other types, the attribute will not be included in the response. |
details
| Value of type | Attribute | Type |
|---|---|---|
|
| String |
| Array of strings | |
| Array of strings | |
| String | |
|
| String |
| Array of strings | |
| Array of strings | |
| String | |
| Array of strings | |
|
| String |
| String | |
| String | |
| String | |
| String | |
|
| String |
| String | |
|
| String |
|
| String |
| Array of strings | |
| String | |
| Array of strings | |
|
| String |
| Array of strings | |
| String | |
|
| String |
| Array of strings | |
|
| String |
|
| String |
| String | |
|
| String |
| String | |
|
| String |
| String | |
|
| Array of strings |
| Array of strings | |
| String | |
|
| Array of strings |
| Array of strings | |
| String | |
|
| Array of strings |
| Array of strings | |
| String | |
|
| Array of strings |
| Array of strings | |
| String | |
| String | |
| String | |
|
| Array of strings |
| Array of strings | |
| String | |
| String | |
| String | |
| String | |
|
| String |
| String | |
| String | |
| String | |
|
| String |
|
| String |
| Array of strings | |
| Array of strings | |
|
| String |
|
| String |
| String | |
|
| String |
| String | |
| String |
alerts
| Attribute | Type | Description |
|---|---|---|
| id | String | The ID of the alert. |
| name | String | The name of the alert. |
| date | String | The time and date when the alert was detected in the network, in ISO-8601 format. |
| sensors | Array of strings | A list of sensors that detected the alert. Possible values: |
| tactic | String | The MITRE tactic detected for this alert. Possible values: |
| transitions | Array of objects | This array contains data used to build the incident graph. It indicates how nodes connect. |
transitions
| Attribute | Type | Description |
|---|---|---|
| from | String | The ID of the node the transition starts from. |
| to | String | The ID of the node the transition leads to. |
| resources | Array of objects | Resources associated with this transition. |
resources
| Attribute | Type | Description |
|---|---|---|
| name | String | The name of the resource. |
| type | String | The type of the resource. Possible values: |
| details | Object | Details for the resource. The data contained by the object varies based on the value of the type field. For any other types, the value of the details object will be null. |
details
| Value of type | Attribute | Type |
|---|---|---|
|
| String |
|
| String |
| String | |
|
| String |
|
| String |
| String | |
| Integer | |
| String | |
| String | |
|
| String |
| String | |
| String | |
| String | |
| String | |
| String (ISO-8601) | |
| Object Contains the following attributes:
| |
| Object Contains the following attributes:
| |
| Object Contains the following attributes:
| |
| Object Contains the following attributes:
| |
| String | |
| Object Contains the following attributes:
| |
|
| String |
|
| String |
| String | |
| String | |
|
| String |
| String | |
|
| String |
|
| String |
| String | |
|
| String |
| String |
Example
Request:
{
"id": "1231",
"method": "getIncident",
"jsonrpc": "2.0",
"params": {
"id": "67dd30dd4a842ebbbb0b6af3"
}
}
Response:
For an EDR incident
{
"id": "1231",
"jsonrpc": "2.0",
"result": {
"incidentId": "67dd30dd4a842ebbbb0b6af3",
"incidentNumber": 5,
"status": "open",
"mainAction": "reported",
"created": "2025-03-21T11:26:53+02:00",
"lastUpdated": "2025-03-21T11:26:53+02:00",
"lastProcessed": "2025-03-21T11:26:53+02:00",
"severityScore": 94,
"incidentLink": "https://10.192.168.35:443/#!/incidents/view/67dd30dd4a842ebbbb0b6af3",
"assignee": null,
"priority": "unknown",
"attackTypes": [
"Malware",
"Ransomware",
"Password Stealer"
],
"company": {
"id": "67b8a808bc8acb8a10084244",
"name": "Bitdefender"
},
"incidentType": "incident",
"details": {
"detectionName": "Detection name",
"counters": {
"endpoints": 1,
"files": 15,
"processes": 14,
"domains": 0,
"registries": 0,
"events": 39,
"storages": 0
},
"computerId": "67dd30b41f27f76f5b0785c4",
"computerName": "Computer 2-j6dz3W",
"computerFqdn": "computer2.local",
"computerIp": "204.51.35.166",
"computerMacAddresses": [
"909434863998"
],
"partOf": [],
"alerts": [
{
"id": "67dd30dd4a842ebbbb0b6af8",
"name": "Trojan.GenericKD.43872040",
"date": "2025-03-19T17:49:46+02:00",
"detectedBy": {
"name": "Trojan.GenericKD.43872040",
"class": "Anti-Malware detection"
},
"resources": [
{
"type": "process",
"details": {
"pid": 6368,
"processPath": "c:\\users\\bdvm\\desktop\\edr win samples\\ctc sample\\runme.exe",
"processPathSize": null,
"commandLine": "",
"parentPid": 7036,
"parentProcessPath": null,
"parentProcessCmdline": null,
"parentProcessUser": null,
"user": "LEV-EDR5\\BDVM",
"loadedModule": null,
"loadedModulePid": null,
"processInjectionWriter": null,
"processInjectionWriterPid": null,
"processInjectionTarget": null,
"processInjectionTargetPid": null,
"processInjectionSizeofWrite": null,
"processAccessPrivileges": null,
"parentProcessAccessPrivileges": null,
"processIntegrityLevel": null,
"parentProcessIntegrityLevel": null,
"processPackerName": null
}
},
{
"type": "file",
"details": {
"filePath": "c:\\users\\bdvm\\desktop\\9b74ecceff733dd080c75355b7852076.1.exe",
"fileSize": null,
"accessType": null,
"attributeChangeType": null,
"rawDiskAccessType": null,
"internalName": null,
"originalFileName": null,
"companyName": null,
"fileDescription": null,
"productName": null,
"md5": null,
"sha256": null,
"certificateIssuer": null,
"certificateSigner": null,
"fileType": null,
"filePackerName": null,
"newFilePath": null
}
}
],
"extra": []
},
{
"id": "67dd30dd4a842ebbbb0b6afc",
"name": "ATC.Malicious",
"date": "2025-03-20T18:45:42+02:00",
"detectedBy": {
"name": "ATC.Malicious",
"class": "ATD detection"
},
"resources": [
{
"type": "process",
"details": {
"pid": 7228,
"processPath": "c:\\users\\bdvm\\desktop\\edr win samples\\poc_cb_x32\\syringe.exe",
"processPathSize": null,
"commandLine": "-i AmCreateRemoteThread -p notepad -t notepad",
"parentPid": 3772,
"parentProcessPath": null,
"parentProcessCmdline": null,
"parentProcessUser": null,
"user": "LEV-EDR5\\BDVM",
"loadedModule": null,
"loadedModulePid": null,
"processInjectionWriter": null,
"processInjectionWriterPid": null,
"processInjectionTarget": null,
"processInjectionTargetPid": null,
"processInjectionSizeofWrite": null,
"processAccessPrivileges": null,
"parentProcessAccessPrivileges": null,
"processIntegrityLevel": null,
"parentProcessIntegrityLevel": null,
"processPackerName": null
}
},
{
"type": "file",
"details": {
"filePath": "c:\\users\\bdvm\\desktop\\edr win samples\\poc_cb_x32\\syringe.exe",
"fileSize": 344576,
"accessType": null,
"attributeChangeType": null,
"rawDiskAccessType": null,
"internalName": null,
"originalFileName": null,
"companyName": null,
"fileDescription": null,
"productName": null,
"md5": null,
"sha256": null,
"certificateIssuer": null,
"certificateSigner": null,
"fileType": null,
"filePackerName": null,
"newFilePath": null
}
}
],
"extra": []
},
...
],
"nodes": [
{
"id": "67dd30dd4a842ebbbb0b6b1b",
"name": "runme.exe",
"type": "process_execution",
"details": {
"file": {
"name": null,
"path": "c:\\users\\bdvm\\desktop\\edr win samples\\ctc sample\\runme.exe",
"md5": "b5f9240a49fcc6be5de168c5cbbff59a",
"sha256": "8407fe2c7da0141f111806ec5d3453d92099b75070b0ff829f2efcc38100794d",
"size": 523958,
"isExecutable": true
},
"process": {
"pid": 6368,
"parent": {
"pid": 7036,
"name": "explorer.exe",
"path": null
},
"commandLine": "",
"userId": 0,
"userName": "LEV-EDR5\\BDVM",
"date": "2020-11-26T11:07:47+02:00",
"name": null
},
"sandbox": null,
"quarantine": null,
"killProcess": null
},
"alertIds": []
},
{
"id": "67dd30dd4a842ebbbb0b6b1e",
"name": "9b74ecceff733dd080c75355b7852076.1.exe",
"type": "file",
"details": {
"name": null,
"path": "c:\\users\\bdvm\\desktop\\9b74ecceff733dd080c75355b7852076.1.exe",
"md5": "ccbb2d648319c4387ef492b6fedbc2df",
"sha256": "8826f87868946ad6482c18a51a6bee59380690863fdb2a78f662ec90384f2fea",
"size": 362482,
"isExecutable": true,
"fileProcess": null,
"sandbox": null,
"quarantine": null
},
"alertIds": [
"67dd30dd4a842ebbbb0b6af8"
]
},
...
],
"triggerNodeId": "67dd30dd4a842ebbbb0b6b1e",
"transitions": [
{
"from": "67dd30dd4a842ebbbb0b6b1b",
"to": "67dd30dd4a842ebbbb0b6b1e",
"date": "2025-03-19T23:16:39+02:00"
},
{
"from": "67dd30dd4a842ebbbb0b6b1f",
"to": "67dd30dd4a842ebbbb0b6b1b",
"date": "2025-03-19T15:42:57+02:00"
},
...
],
"mitreTags": [
{
"category": "Privilege Escalation",
"techniques": [
{
"name": "Abuse Elevation Control Mechanism",
"id": "T1548",
"subtechniques": [
{
"name": "Setuid and Setgid",
"id": "T1548.001"
}
]
}
]
},
{
"category": "Execution",
"techniques": [
{
"name": "User Execution",
"id": "T1204",
"subtechniques": [
{
"name": "Malicious File",
"id": "T1204.002"
}
]
}
]
},
{
"category": "Initial Access",
"techniques": [
{
"name": "Phishing",
"id": "T1566",
"subtechniques": [
{
"name": "Spearphishing Attachment",
"id": "T1566.001"
}
]
},
{
"name": "Exploit Public-Facing Application",
"id": "T1190",
"subtechniques": []
}
]
}
]
},
"notes": []
}
}
For an XDR incident
{
"id": 1,
"jsonrpc": "2.0",
"result": {
"incidentId": "67e2ccfe50ce0cbdb004ad14",
"incidentNumber": 59,
"status": "open",
"mainAction": "reported",
"created": "2025-03-25T17:34:22+02:00",
"lastUpdated": "2025-03-25T17:34:22+02:00",
"lastProcessed": "2025-03-25T17:34:22+02:00",
"severityScore": 45,
"incidentLink": "https://10.26.70.11:443/#!/incidents/view/67e2ccfe50ce0cbdb004ad14",
"assignee": null,
"priority": "unknown",
"attackTypes": [
"Malware",
"Ransomware",
"Password Stealer"
],
"company": {
"id": "67d98d3cd13abc2515011634",
"name": "Bitdefender"
},
"incidentType": "extendedIncident",
"details": {
"counters": {
"endpoints": 13,
"servers": 0,
"mobileDevices": 20,
"printers": 6,
"routers": 6,
"IoTs": 8,
"identities": 0,
"emails": 1,
"IPs": 9,
"domains": 12,
"DNSs": 3,
"DGAs": 2,
"cloudStorages": 20,
"torNodes": 8,
"externalDrives": 12,
"externalSources": 10,
"exfiltratedFiles": 0,
"internalIPs": 0,
"internalEmails": 0,
"users": 0,
"virtualDesktops": 0,
"containers": 0,
"databases": 0,
"storages": 0,
"office365Instances": 0,
"ADInstances": 0,
"azureADInstances": 0,
"AWSInstances": 0,
"GCPInstances": 0,
"googleWorkspaceInstances": 0,
"atlassianInstances": 0,
"atlassianBitbucketProducts": 0,
"atlassianJiraProducts": 0,
"atlassianConfluenceProducts": 0,
"bitbucketProjects": 0,
"confluenceSpaces": 0
},
"contains": [],
"partOf": [],
"cves": [
{
"id": "CVE-2018-4878"
},
{
"id": "CVE-2015-8651"
},
...
],
"suspectedActors": [
{
"name": "Lazarus Group",
"confidenceScore": 90,
"reasons": [
{
"type": "sample",
"value": "fake-ioc-md5"
},
{
"type": "file_name",
"value": "fake-ioc-file-name"
}
]
},
{
"name": "Red Apollo",
"confidenceScore": 85,
"reasons": []
},
{
"name": "Comment Crew",
"confidenceScore": 80,
"reasons": []
},
{
"name": "Turla",
"confidenceScore": 75,
"reasons": []
}
],
"killChainPhases": [
"initial_access",
"persistence",
"privilege_escalation",
"lateral_movement",
"collection",
"command_and_control",
"exfiltration",
"impact"
],
"lastKillChainPhase": "impact",
"alerts": [
{
"id": "67e2ccfe50ce0cbdb004ad16",
"name": "Email with infected attachment is sent to all company workers",
"date": "2020-02-28T17:02:00+02:00",
"sensors": [
"NTSA"
],
"tactic": "lateral_movement",
"transitions": [
{
"from": "67e2ccfe50ce0cbdb004ad19",
"to": "67e2ccfe50ce0cbdb004ad15",
"resources": [
{
"name": "ROLE_e95071481b54554343285e3f.pdf",
"type": "role",
"details": {
"id": "226c1168-a59e-4acb-af0c-d038d63898c9"
}
},
{
"name": "SHARING_LINK_cba147f3e25117638d1f8351.pdf",
"type": "sharing_link",
"details": {
"url": "https://phishing-domain.com/file/8zp0jce0f1wkv8si7.pdf"
}
},
{
"name": "Email_7d5f1c2e2927129d075ebfc2",
"type": "email",
"details": {
"id": "N2ZiOWMwODU4Mjg3MzM3OTllZGI1YTI3N2NiMTkwYTI=",
"subject": "Important Update",
"userId": "sample1926@bitdefender.com",
"userTenantId": "0920ef2c-2850-4171-867a-70817f48af07",
"sensorIdentifier": null,
"receivedOn": "2025-03-25T17:33:22+02:00",
"sender": {
"name": "Attacker",
"address": "attacker458@email-provider.com"
},
"toRecipients": [
{
"name": "Sample name",
"address": "sample1926@bitdefender.com"
}
],
"ccRecipients": [],
"bccRecipients": [],
"urls": [],
"attachments": [
{
"name": "notice.zip",
"fileMd5": "74dce2360c9dc6f5530eebe30655641c",
"fileSha256": "535080ec267d4d1c0ba52c95b9a824870899a081bdcb561fb653ff8883782226",
"size": 33874
}
]
}
},
{
"name": "Generic_f00634125526b1342cf3328d",
"type": "generic",
"details": {
"data": "Generic data"
}
},
...
]
},
{
"from": "67e2ccfe50ce0cbdb004ad1f",
"to": "67e2ccfe50ce0cbdb004ad1b",
"resources": [
{
"name": "App_4d0ab867315d951b5e7f63d7",
"type": "application",
"details": {
"appAddress": "C:\\tmp\\app.exe",
"ip": null
}
}
]
},
{
"from": "67e2ccfe50ce0cbdb004ad1b",
"to": "67e2ccfe50ce0cbdb004ad1a",
"resources": []
},
...
]
},
{
"id": "67e2ccfe50ce0cbdb004ad17",
"name": "Users open the email attachment",
"date": "2020-02-28T17:02:00+02:00",
"sensors": [
"NTSA",
"EDR",
"XDR"
],
"tactic": "collection",
"transitions": [
{
"from": "67e2ccfe50ce0cbdb004ad1a",
"to": "67e2ccfe50ce0cbdb004ad19",
"resources": [
{
"name": "KEY_VAULT_01a8bb19dde124c4",
"type": "key_vault",
"details": null
},
{
"name": "Generic_25ecebefdf7fee86ef20bea2",
"type": "flow",
"details": null
},
{
"name": "Generic_19f9842a9e5010e5ced2486c",
"type": "policy",
"details": null
},
{
"name": "URL_http://e2711a182a1c020c5f2191e1.com",
"type": "url",
"details": {
"url": "https://bitdefender-testing.com/malware/?alabala=34ab2d12-dd23-11ee-a344-0050568edb17"
}
},
{
"name": "Generic_9df528e539438b8ab6463689",
"type": "policy",
"details": null
},
{
"name": "SSH_KEY_3539bea49dcb49abdaa03c91",
"type": "ssh_key",
"details": {
"sshPublicKey": "ssh-rsa czFleGx4enYycWNqcjB4Z3U5d2ZkNWc0aHZkcW10MXRzbzU4OTR2dGJqOG11OHcxNDhxNzNzcWpqa3FjOWVpMGd2bG1mODN2NDFycHJleHYzNTc2cHN4bDd0OHZxaHF4NW5xcXpiNDB1bHF0aGpwMWl3d3Zvemg5eGF6a3dnNmJoM3g1cXEwZXYycGxvdGw5Z2x1djk3bGdzamMza3Nqa2I4NzVuejBjczlyMTEyMnRieDlrNzIxdTBvNjdpNzM1NmVzcXFtem1vMHFvdTg0NmMxZDVvbmY0ZHpsbXpzcmU0d21xNWtpaGwyNmhpcGJiNG4ycHB0OW5sNjE2eHZjMw=="
}
},
{
"name": "Email_b7493f43a032bacdaf64c8de",
"type": "email",
"details": {
"id": "MDBjYWZhOGE2NjNjZGE2NjdlYmU3MGZjNGVmZTBjZTA=",
"subject": "Important Update",
"userId": "sample7929@bitdefender.com",
"userTenantId": "66b474e1-9e17-4184-899d-c6d444d460e4",
"sensorIdentifier": null,
"receivedOn": "2025-03-25T17:33:22+02:00",
"sender": {
"name": "Attacker",
"address": "attacker2713@email-provider.com"
},
"toRecipients": [
{
"name": "Sample name",
"address": "sample7929@bitdefender.com"
}
],
"ccRecipients": [],
"bccRecipients": [],
"urls": [],
"attachments": [
{
"name": "notice.zip",
"fileMd5": "74dce2360c9dc6f5530eebe30655641c",
"fileSha256": "535080ec267d4d1c0ba52c95b9a824870899a081bdcb561fb653ff8883782226",
"size": 33874
}
]
}
},
{
"name": "KEY_VAULT_4b2b8932ba760620",
"type": "key_vault",
"details": null
},
{
"name": "ROLE_188b6c1fe2f09fe1afed5029.pdf",
"type": "role",
"details": {
"id": "a0572580-0962-48b5-bf83-9a22bd9bef2e"
}
},
{
"name": "ROLE_68387384e1149f2b964314b2.pdf",
"type": "role",
"details": {
"id": "d657efff-1685-42b0-9baa-6030610b82b7"
}
}
]
},
...
]
},
...
],
"nodes": [
{
"id": "67e2ccfe50ce0cbdb004ad15",
"name": "Attacker",
"isExternal": false,
"type": "attacker",
"details": {
"threatGroup": "APT29"
}
},
{
"id": "67e2ccfe50ce0cbdb004ad19",
"name": "promotions@rand.com",
"isExternal": false,
"type": "email",
"details": {
"sender": "b86e72bcf11de38a67b5",
"recipients": [
"c97e858ab76dd945706f",
"db71824e54e7f5b5a06f",
"354d1fd7b8d1d29a2bd0",
"6b3101f2cfc427527eab"
],
"subject": "734ed2ca46bb2eb684cc",
"attachments": [
"ec8540e4b77221367ff5",
"6000058a1f8aef7a55f0",
"4075cdb160de26f9256c",
"f11214a106ce0bb02513"
]
}
},
{
"id": "67e2ccfe50ce0cbdb004ad1a",
"name": "Endpoint 1",
"isExternal": false,
"type": "endpoint",
"details": {
"hardwareId": "24935257-89404259-1260-1115-7183-151640137522",
"ips": [],
"macs": [],
"endpointId": null
}
},
...
],
"mitreTags": [
{
"category": "Command And Control",
"techniques": [
{
"name": "Dynamic Resolution",
"id": "T1568",
"subtechniques": [
{
"name": "Domain Generation Algorithms",
"id": "T1568.002"
}
]
}
]
},
{
"category": "Execution",
"techniques": [
{
"name": "User Execution",
"id": "T1204",
"subtechniques": [
{
"name": "Malicious File",
"id": "T1204.002"
}
]
}
]
}
]
},
"notes": []
}
}
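As an added example (not Bitdefender's code and not part of this page), the following Python turns a getIncident EDR response into a triage summary: it flattens mitreTags into technique IDs, walks transitions backwards from triggerNodeId to recover the root-to-trigger chain, and joins nodes[].alertIds with alerts[]. The embedded response is a constructed, trimmed copy of the EDR example above; no live API call is made, and XDR responses (incidentType extendedIncident) are rejected because their details schema differs.

```python
import json

# Constructed sample: a trimmed copy of the EDR response documented above (not a live API result).
SAMPLE_RESPONSE = json.loads(r'''{
  "id": "1231", "jsonrpc": "2.0",
  "result": {
    "incidentId": "67dd30dd4a842ebbbb0b6af3", "incidentNumber": 5, "status": "open",
    "mainAction": "reported", "severityScore": 94, "incidentType": "incident",
    "details": {
      "detectionName": "Detection name",
      "triggerNodeId": "67dd30dd4a842ebbbb0b6b1e",
      "nodes": [
        {"id": "67dd30dd4a842ebbbb0b6b1f", "name": "explorer.exe", "type": "process_execution", "alertIds": []},
        {"id": "67dd30dd4a842ebbbb0b6b1b", "name": "runme.exe", "type": "process_execution", "alertIds": []},
        {"id": "67dd30dd4a842ebbbb0b6b1e", "name": "9b74ecceff733dd080c75355b7852076.1.exe",
         "type": "file", "alertIds": ["67dd30dd4a842ebbbb0b6af8"]}
      ],
      "transitions": [
        {"from": "67dd30dd4a842ebbbb0b6b1f", "to": "67dd30dd4a842ebbbb0b6b1b", "date": "2025-03-19T15:42:57+02:00"},
        {"from": "67dd30dd4a842ebbbb0b6b1b", "to": "67dd30dd4a842ebbbb0b6b1e", "date": "2025-03-19T23:16:39+02:00"}
      ],
      "alerts": [
        {"id": "67dd30dd4a842ebbbb0b6af8", "name": "Trojan.GenericKD.43872040",
         "detectedBy": {"name": "Trojan.GenericKD.43872040", "class": "Anti-Malware detection"}}
      ],
      "mitreTags": [
        {"category": "Privilege Escalation", "techniques": [
          {"name": "Abuse Elevation Control Mechanism", "id": "T1548",
           "subtechniques": [{"name": "Setuid and Setgid", "id": "T1548.001"}]}]},
        {"category": "Initial Access", "techniques": [
          {"name": "Exploit Public-Facing Application", "id": "T1190", "subtechniques": []}]}
      ]
    }
  }
}''')


def edr_details(response):
    """Return result.details, refusing XDR responses, whose details schema differs."""
    result = response["result"]
    if result.get("incidentType") != "incident":
        raise ValueError("expected an EDR incident, got incidentType=%r" % result.get("incidentType"))
    return result["details"]


def mitre_technique_ids(details):
    """Flatten mitreTags into technique and sub-technique IDs, each parent before its children."""
    ids = []
    for tag in details.get("mitreTags", []):
        for tech in tag["techniques"]:
            ids.append(tech["id"])
            ids.extend(sub["id"] for sub in tech.get("subtechniques", []))
    return ids


def path_to_trigger(details):
    """Walk transitions backwards from triggerNodeId and return node names root-first."""
    names = {n["id"]: n["name"] for n in details["nodes"]}
    parents = {t["to"]: t["from"] for t in details.get("transitions", [])}
    path, node, seen = [], details["triggerNodeId"], set()
    while node is not None and node not in seen:  # 'seen' stops a malformed cyclic graph from looping
        seen.add(node)
        path.append(names.get(node, node))
        node = parents.get(node)
    path.reverse()
    return path


def alerts_by_node(details):
    """Join nodes[].alertIds with alerts[] so each alert name lists the node names it fired on."""
    alert_names = {a["id"]: a["name"] for a in details.get("alerts", [])}
    out = {}
    for node in details["nodes"]:
        for alert_id in node.get("alertIds", []):
            out.setdefault(alert_names.get(alert_id, alert_id), []).append(node["name"])
    return out


def summarize(response):
    """Build a compact triage record from a getIncident response."""
    details = edr_details(response)
    result = response["result"]
    return {
        "incidentId": result["incidentId"],
        "severityScore": result["severityScore"],
        "path": path_to_trigger(details),
        "techniques": mitre_technique_ids(details),
        "alerts": alerts_by_node(details),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_RESPONSE), indent=2))
```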