From 9c33a2a6b151c2038f54bcc426887c5816df12d9 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Tue, 12 Mar 2024 14:13:56 -0700
Subject: [PATCH] updating dataset
---
 .../attack_techniques/T1566/zscalar_web_proxy.txt | 2 +-
 .../attack_techniques/T1566/zscalar_web_proxy.yml | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/datasets/attack_techniques/T1566/zscalar_web_proxy.txt b/datasets/attack_techniques/T1566/zscalar_web_proxy.txt
index fb8f4792..0e252487 100644
--- a/datasets/attack_techniques/T1566/zscalar_web_proxy.txt
+++ b/datasets/attack_techniques/T1566/zscalar_web_proxy.txt
@@ -1,4 +1,4 @@
-{ "datetime": "2023-11-06 16:49:46 GMT", "reason": "Not allowed to browse this category", "event_id": "0000000000000000000", "protocol": "HTTPS", "action": "Blocked", "zstenantid": "zs0-0000000", "zstenantdomain": "example.com", "transactionsize": "15319", "responsesize": "14662", "requestsize": "657", "urlcategory": "Other Information Technology", "serverip": "00.000.00.000", "clienttranstime": "0", "requestmethod": "POST", "refererURL": "dummy-referer.example.com", "useragent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/00.0.0000.00 Safari/537.36", "product": "NSS", "location": "Road Warrior", "ClientIP": "00.000.0.000", "status": "403", "user": "dummyuser@example.com", "url": "dummy-url.example.com", "vendor": "Zscaler", "hostname": "dummy-hostname.example.com", "clientpublicIP": "000.00.00.000", "threatcategory": "None", "threatname": "r-adware-r", "filetype": "None", "appname": "General Browsing", "pagerisk": "0", "department": "0000DepartmentCode", "urlsupercategory": "Information Technology", "appclass": "General Browsing", "dlpengine": "None", "dlp_allow": "NA", "urlclass": "Business Use", "threatclass": "Behavior Analysis", "dlpdictionaries": "None", "dlphitcount": "None", "fileclass": "None", "servertranstime": "0", "contenttype": "Other", "unscannabletype": "None", "deviceowner": "dummyowner", "devicehostname": "DUMMY-HOSTNAME", "clientsslcipher": "TLS1_3_CK_AES_256_GCM_SHA384", "clientsslsessreuse": "NO", "clienttlsversion": "TLS1_3", "deviceappversion": "0.0.0.0", "devicename": "dummy-device-name", "deviceostype": "Dummy OS", "deviceosversion": "Dummy OS Version", "filename": "None", "filesubtype": "None", "md5": "d41d8cd98f00b204e9800998ecf8427e", "mobappcat": "None", "mobappname": "None", "mobdevtype": "None", "respcode": "403", "respversion": "1.1", "rulelabel": "Dummy Rule Label", "ruletype": "UrlCat", "serversslsessreuse": "UNKNOWN", "srvcertchainvalpass": "PASS", "srvcertvalidationtype": "DV", "srvcertvalidityperiod": "MEDIUM", "srvocspresult": "None", "srvsslcipher": "None", "srvtlsversion": "None", "srvwildcardcert": "NO", "ssldecrypted": "Yes", "externalspr": "INSPECTED", "trafficredirectmethod": "DummyRedirectMethod", "datacenter": "DC1", "datacentercity": "City", "datacentercountry": "CT", "df_hostname": "None", "df_hosthead": "None" }
+{ "datetime": "2023-11-06 16:49:47 GMT", "reason": "Not allowed to browse this category", "event_id": "0000000000000000000", "protocol": "HTTPS", "action": "Blocked", "zstenantid": "zs0-0000000", "zstenantdomain": "example.com", "transactionsize": "15319", "responsesize": "14662", "requestsize": "657", "urlcategory": "Other Information Technology", "serverip": "00.000.00.000", "clienttranstime": "0", "requestmethod": "POST", "refererURL": "dummy-referer.example.com", "useragent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/00.0.0000.00 Safari/537.36", "product": "NSS", "location": "Road Warrior", "ClientIP": "00.000.0.000", "status": "403", "user": "dummyuser@example.com", "url": "dummy-url.example.com", "vendor": "Zscaler", "hostname": "dummy-hostname.example.com", "clientpublicIP": "000.00.00.000", "threatcategory": "None", "threatname": "r-adware-r", "filetype": "None", "appname": "General Browsing", "pagerisk": "0", "department": "0000DepartmentCode", "urlsupercategory": "Information Technology", "appclass": "General Browsing", "dlpengine": "None", "dlp_allow": "NA", "urlclass": "Business Use", "threatclass": "Behavior Analysis", "dlpdictionaries": "None", "dlphitcount": "None", "fileclass": "None", "servertranstime": "0", "contenttype": "Other", "unscannabletype": "None", "deviceowner": "dummyowner", "devicehostname": "DUMMY-HOSTNAME", "clientsslcipher": "TLS1_3_CK_AES_256_GCM_SHA384", "clientsslsessreuse": "NO", "clienttlsversion": "TLS1_3", "deviceappversion": "0.0.0.0", "devicename": "dummy-device-name", "deviceostype": "Dummy OS", "deviceosversion": "Dummy OS Version", "filename": "None", "filesubtype": "None", "md5": "d41d8cd98f00b204e9800998ecf8427e", "mobappcat": "None", "mobappname": "None", "mobdevtype": "None", "respcode": "403", "respversion": "1.1", "rulelabel": "Dummy Rule Label", "ruletype": "UrlCat", "serversslsessreuse": "UNKNOWN", "srvcertchainvalpass": "PASS", "srvcertvalidationtype": "DV", "srvcertvalidityperiod": "MEDIUM", "srvocspresult": "None", "srvsslcipher": "None", "srvtlsversion": "None", "srvwildcardcert": "NO", "ssldecrypted": "Yes", "externalspr": "INSPECTED", "trafficredirectmethod": "DummyRedirectMethod", "datacenter": "DC1", "datacentercity": "City", "datacentercountry": "CT", "df_hostname": "None", "df_hosthead": "None" }
 { "datetime": "2023-11-06 16:49:47 GMT", "reason": "Not allowed to browse this category", "event_id": "0000000000000000001", "protocol": "HTTPS", "action": "Blocked", "zstenantid": "zs0-0000000", "zstenantdomain": "example.com", "transactionsize": "15319", "responsesize": "14662", "requestsize": "657", "urlcategory": "Other Information Technology", "serverip": "00.000.00.000", "clienttranstime": "0", "requestmethod": "POST", "refererURL": "dummy-referer.example.com", "useragent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/00.0.0000.00 Safari/537.36", "product": "NSS", "location": "Road Warrior", "ClientIP": "00.000.0.000", "status": "403", "user": "dummyuser@example.com", "url": "dummy-url.example.com", "vendor": "Zscaler", "hostname": "dummy-hostname.example.com", "clientpublicIP": "000.00.00.000", "threatcategory": "None", "threatname": "r-miner-r", "filetype": "None", "appname": "General Browsing", "pagerisk": "0", "department": "0000DepartmentCode", "urlsupercategory": "Information Technology", "appclass": "General Browsing", "dlpengine": "None", "dlp_allow": "NA", "urlclass": "Business Use", "threatclass": "None", "dlpdictionaries": "None", "dlphitcount": "None", "fileclass": "None", "servertranstime": "0", "contenttype": "Other", "unscannabletype": "None", "deviceowner": "dummyowner", "devicehostname": "DUMMY-HOSTNAME", "clientsslcipher": "TLS1_3_CK_AES_256_GCM_SHA384", "clientsslsessreuse": "NO", "clienttlsversion": "TLS1_3", "deviceappversion": "0.0.0.0", "devicename": "dummy-device-name", "deviceostype": "Dummy OS", "deviceosversion": "Dummy OS Version", "filename": "None", "filesubtype": "None", "md5": "d41d8cd98f00b204e9800998ecf8427e", "mobappcat": "None", "mobappname": "None", "mobdevtype": "None", "respcode": "403", "respversion": "1.1", "rulelabel": "Dummy Rule Label", "ruletype": "UrlCat", "serversslsessreuse": "UNKNOWN", "srvcertchainvalpass": "PASS", "srvcertvalidationtype": "DV", "srvcertvalidityperiod": "MEDIUM", "srvocspresult": "None", "srvsslcipher": "None", "srvtlsversion": "None", "srvwildcardcert": "NO", "ssldecrypted": "Yes", "externalspr": "INSPECTED", "trafficredirectmethod": "DummyRedirectMethod", "datacenter": "DC1", "datacentercity": "City", "datacentercountry": "CT", "df_hostname": "None", "df_hosthead": "None" }
 { "datetime": "2023-11-06 16:49:48 GMT", "reason": "Not allowed to browse this category", "event_id": "0000000000000000002", "protocol": "HTTPS", "action": "Blocked", "zstenantid": "zs0-0000000", "zstenantdomain": "example.com", "transactionsize": "15319", "responsesize": "14662", "requestsize": "657", "urlcategory": "Other Information Technology", "serverip": "00.000.00.000", "clienttranstime": "0", "requestmethod": "POST", "refererURL": "dummy-referer.example.com", "useragent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/00.0.0000.00 Safari/537.36", "product": "NSS", "location": "Road Warrior", "ClientIP": "00.000.0.000", "status": "403", "user": "dummyuser@example.com", "url": "dummy-url.example.com", "vendor": "Zscaler", "hostname": "dummy-hostname.example.com", "clientpublicIP": "000.00.00.000", "threatcategory": "None", "threatname": "HTML.Phish.Genjp", "filetype": "None", "appname": "General Browsing", "pagerisk": "0", "department": "0000DepartmentCode", "urlsupercategory": "Information Technology", "appclass": "General Browsing", "dlpengine": "None", "dlp_allow": "NA", "urlclass": "Business Use", "threatclass": "None", "dlpdictionaries": "None", "dlphitcount": "None", "fileclass": "None", "servertranstime": "0", "contenttype": "Other", "unscannabletype": "None", "deviceowner": "dummyowner", "devicehostname": "DUMMY-HOSTNAME", "clientsslcipher": "TLS1_3_CK_AES_256_GCM_SHA384", "clientsslsessreuse": "NO", "clienttlsversion": "TLS1_3", "deviceappversion": "0.0.0.0", "devicename": "dummy-device-name", "deviceostype": "Dummy OS", "deviceosversion": "Dummy OS Version", "filename": "None", "filesubtype": "None", "md5": "d41d8cd98f00b204e9800998ecf8427e", "mobappcat": "None", "mobappname": "None", "mobdevtype": "None", "respcode": "403", "respversion": "1.1", "rulelabel": "Dummy Rule Label", "ruletype": "UrlCat", "serversslsessreuse": "UNKNOWN", "srvcertchainvalpass": "PASS", "srvcertvalidationtype": "DV", "srvcertvalidityperiod": "MEDIUM", "srvocspresult": "None", "srvsslcipher": "None", "srvtlsversion": "None", "srvwildcardcert": "NO", "ssldecrypted": "Yes", "externalspr": "INSPECTED", "trafficredirectmethod": "DummyRedirectMethod", "datacenter": "DC1", "datacentercity": "City", "datacentercountry": "CT", "df_hostname": "None", "df_hosthead": "None" }
 { "datetime": "2023-11-06 16:49:49 GMT", "reason": "Not allowed to browse this category", "event_id": "0000000000000000003", "protocol": "HTTPS", "action": "Blocked", "zstenantid": "zs0-0000000", "zstenantdomain": "example.com", "transactionsize": "15319", "responsesize": "14662", "requestsize": "657", "urlcategory": "Other Information Technology", "serverip": "00.000.00.000", "clienttranstime": "0", "requestmethod": "POST", "refererURL": "dummy-referer.example.com", "useragent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/00.0.0000.00 Safari/537.36", "product": "NSS", "location": "Road Warrior", "ClientIP": "00.000.0.000", "status": "403", "user": "dummyuser@example.com", "url": "dummy-url.example.com", "vendor": "Zscaler", "hostname": "dummy-hostname.example.com", "clientpublicIP": "000.00.00.000", "threatcategory": "None", "threatname": "r-scam-r", "filetype": "None", "appname": "General Browsing", "pagerisk": "0", "department": "0000DepartmentCode", "urlsupercategory": "Information Technology", "appclass": "General Browsing", "dlpengine": "None", "dlp_allow": "NA", "urlclass": "Business Use", "threatclass": "None", "dlpdictionaries": "None", "dlphitcount": "None", "fileclass": "None", "servertranstime": "0", "contenttype": "Other", "unscannabletype": "None", "deviceowner": "dummyowner", "devicehostname": "DUMMY-HOSTNAME", "clientsslcipher": "TLS1_3_CK_AES_256_GCM_SHA384", "clientsslsessreuse": "NO", "clienttlsversion": "TLS1_3", "deviceappversion": "0.0.0.0", "devicename": "dummy-device-name", "deviceostype": "Dummy OS", "deviceosversion": "Dummy OS Version", "filename": "None", "filesubtype": "None", "md5": "d41d8cd98f00b204e9800998ecf8427e", "mobappcat": "None", "mobappname": "None", "mobdevtype": "None", "respcode": "403", "respversion": "1.1", "rulelabel": "Dummy Rule Label", "ruletype": "UrlCat", "serversslsessreuse": "UNKNOWN", "srvcertchainvalpass": "PASS", "srvcertvalidationtype": "DV", "srvcertvalidityperiod": "MEDIUM", "srvocspresult": "None", "srvsslcipher": "None", "srvtlsversion": "None", "srvwildcardcert": "NO", "ssldecrypted": "Yes", "externalspr": "INSPECTED", "trafficredirectmethod": "DummyRedirectMethod", "datacenter": "DC1", "datacentercity": "City", "datacentercountry": "CT", "df_hostname": "None", "df_hosthead": "None" }
diff --git a/datasets/attack_techniques/T1566/zscalar_web_proxy.yml b/datasets/attack_techniques/T1566/zscalar_web_proxy.yml
index e69de29b..6b3975fd 100644
--- a/datasets/attack_techniques/T1566/zscalar_web_proxy.yml
+++ b/datasets/attack_techniques/T1566/zscalar_web_proxy.yml
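Review bot: The rewritten first record changes only its `datetime`, from 16:49:46 to 16:49:47, which is the same timestamp as the untouched second record (`"event_id": "0000000000000000001"`), so the four sample events no longer sit one second apart. If the intent is a strictly sequential synthetic timeline, keep `"datetime": "2023-11-06 16:49:46 GMT"`; if two events in the same second are deliberate (for example to exercise ordering in a detection), that is worth a sentence in the commit message, since the commit title "updating dataset" does not say why the value moved. Everything else in the record is identical to the removed line, so the diff is effectively a one-field edit.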
@@ -0,0 +1,11 @@
+author: Bhavin patel, Gowtham
+id: e18714c0-ab84-44f6-9117-5531e3eb3a0c
+date: '2024-03-12'
+description: 'Synthentic Dataset generated for Zscaler detections for Blocked activities'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.004/ads_abuse/ads_abuse_sysmon.log
+sourcetypes:
+- zscalernss-web
+references:
+- https://help.zscaler.com/zia/nss-feed-output-format-web-logs
\ No newline at end of file
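Review bot: The `dataset:` entry points at `.../attack_techniques/T1564.004/ads_abuse/ads_abuse_sysmon.log`, a Sysmon log for an unrelated technique, while the data file this commit touches is `datasets/attack_techniques/T1566/zscalar_web_proxy.txt` in the same directory and the declared sourcetype is `zscalernss-web`; this reads like a copy-paste leftover from another metadata file. It should presumably be `- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy.txt`, otherwise any tooling that replays the dataset by this URL will ingest Sysmon events instead of the Zscaler web-proxy sample and the T1566 detections it is meant to test will see no matching data. Two minor points in the same hunk: `description` has a typo (`Synthentic` should be `Synthetic`), and the file is committed without a trailing newline.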