Good evening, I am the OSIM assistant. I can help you normalize your fields into the OSIM standard format (SQL, SPL, ESQL and other formats are supported). Please provide your field information, and try asking something like this:
Here is the full text of an analysis article on APT29's latest activity (https://www.10100.com/article/29746254). Please extract all attack indicators (IoCs) from it and organize them as JSON conforming to the relevant OSIM threat_intelligence schema.
Or click one of the recommended cases below to generate a conversation for the same scenario.
Recommended cases
Network-endpoint log correlation: detecting successful Webshell uploads
How can network-side and endpoint-side security device logs be correlated to detect a successful Webshell upload?
Network-endpoint correlation analysis: confirming DNSLog data exfiltration
How can network-endpoint correlation confirm that an attacker successfully used dnslog to exfiltrate information?
Sigma rule generation: RDP brute-force detection on Windows Security logs (high severity + MITRE ATT&CK)
Generate a Sigma rule for me that detects RDP brute-force attacks, adapted to Windows Security logs, with the alert level set to high and MITRE ATT&CK tags included.
Sigma rule generation: rundll32 loading a suspicious DLL in Sysmon logs (with comments on the detection logic)
Generate a Sigma rule that detects rundll32 loading a suspicious DLL, adapted to Sysmon logs, with comments in the rule explaining the detection logic.
Sigma rule generation: detecting CMD enumeration of all domain user SIDs
Generate a Sigma rule for me that detects the use of CMD commands to retrieve the SIDs of all users in the domain.
OSIM field mapping: standardized parsing of network session traffic audit log fields
Parse this log for me into an OSIM-compliant log: <46>2026-04-17T16:59:26+08:00 tgfw /opt/dbappsecurity/bin/vpp-agent [3429]: {"type":18,"time":1776416366,"sip":"192.168.12.34","sport":"51234","dip":"10.11.12.13","dport":"443","id":"12345","proto":"6","action":"permit","szone":"-","dzone":"-","app_name":"未知应用","policy_name":""}
OSIM field mapping: Web attack detection alert log (with DNS proxy tool attack signature)
Map the key fields in this log to OSIM standard fields for me: <158>Mar 17 10:10:25 skyeye SyslogClient [1]: 2026-03-17 10:10:25|!10.50.2.26|!webids-ids_dolog|!{"attack_type": "代理工具", "attack_type_all": "攻击利用:16000000 | 代理工具:16220000", "dip": "10.17.20.166.150", "packet_data": "Vk5zVmMwWUJRUDZWWmh1U0NBQkZBQUJTb0N4QUFISVIzY0RmQlFVRkNoU2NqdzExaGp3QVBnQUFHVXVCZ0FBQUFBRUFBQUFCQk9oYTNTRWJMdmVRQUFBUVFCd0F3QUFRQUJBQUFOUUFBRXNvRFNyQUFBS1FUU0FBQUFBQQAA", "victim": "181.115.199.80", "sport": 5795, "affected_system": "","sip":"181.115.199.80","severity": 6,"detail_info":" 流量中发现特定域名带外 DNS 请求行为,说明发起者存在漏洞,并且利用成功。","attacker":"", "packet_size": 96, "info_id": "","description":"1","sig_id": 2678,"rule_name":" 发现利用特定域名带外 DNS 请求 ","write_date": 1773713372,"protocol_id": 17,"attack_method":" 远程 ","attack_flag":"true","rule_id": 23164,"serial_num":"FakeSerialNum001","appid": 130,"dport": 34364,"vuln_type":" 代理工具 ","victim_type":"client_victim","bulletin":" 排查发起服务器是否存在被攻击行为,对攻击者进行封禁, 并修补相关漏洞。","confidence": 50,"webrules_tag":"0","ids_rule_version":"3.0.0912.14053","cnnvd_id":"", "kill_chain": "0x02020000", "kill_chain_all": "入侵:0x02000000 | 漏洞利用:0x02020000", "intranet_rule_all": null, "attack_result": "1", "xff": "","proto":"dns","att_ck_all":" 初始访问:TA0001 | 利用面向公众的应用程序:T1190"}
OSIM specification validation: compliance check of a network Web attack alert log
Check for me whether this log conforms to the OSIM specification: { "fileName": "swagger-ui.html", "sendHostAddress": "10.12.34.56", "baas_sink_process_time": 1776667153843, "eventCount": "1", "srcPort": "12345", "deviceReceiptTime": "2026-04-20 14:39:13", "deviceId": "9876", "deviceName": "10.12.34.56", "responseCode": "0", "destAddress": "198.51.100.23", "destHostName": "198.51.100.23:8100", "ruleId": "123456789", "deviceAssetTypeId": "48", "eventId": "1234567890123456789", "machineCode": "a1b2c3d4-e5f6-4a0b-8c7d-9e0f1a2b3c4d-123456789", "destGeoLongitude": "12.345678", "netId": "a1b2c3d4-e5f6-4a0b-8c7d-9e0f1a2b3c4d", "rawKillChain": "0x01020000", "dataType": "原始告警", "srcAddress": "10.56.78.90", "eventType": "1", "deviceAssetType": "安全类", "srcGeoCountry": "局域网", "srcOrgId": "a1b2c3d4-e5f6-4a0b-8c7d-9e0f1a2b3c4d", "productVendorName": "奇安信", "deviceSendProductName": "天眼", "attackerAddress": "10.56.78.90", "destGeoAddress": "其他国家", "name": "Swagger 存在敏感信息泄露", "destGeoRegion": "未知", "catOutcome": "FAIL", "logType": "alert", "deviceProtocol": "syslog", "collectorReceiptTime": "2026-04-20 14:39:13", "rawEvent": "<158>Apr 20 14:39:13 skyeye SyslogClient[1]: 2026-04-20 14:39:13|!10.12.34.56|!webids-webattack_dolog|!{"attack_type": "信息泄露", "attack_type_all": "攻击利用:16000000|信息泄露:16160000", "referer": "", "file_name": "swagger-ui.html", "agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.64", "victim": "198.51.100.23", "sport": 12345, "rsp_status": 0, "sip": "10.56.78.90", "severity": 4, "rsp_body_len": 0, "serial_num": "FakeSerial-0001", "rsp_content_type": "", "parameter": "", "method": "GET", "req_body": "", "req_header": "GET /api/swagger-ui.html HTTP/1.1 Host: 198.51.100.23:8100 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.64 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Charset: utf-8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip Connection: close ", "rule_name": "Swagger 存在敏感信息泄露", "host": "198.51.100.23:8100", "cookie": "", "write_date": 1776667018, "attacker": "10.56.78.90", "victim_type": "server", "attack_flag": "true", "uri": "/api/swagger-ui.html", "rsp_content_length": 0, "rule_version": 0, "rsp_body": "", "rsp_header": "", "dport": 8100, "dolog_count": 1, "dip": "198.51.100.23", "rule_id": 123456789, "confidence": 80, "detail_info": "Swagger是一个规范且完整的框架,提供描述、生产、消费和可视化RESTful Web Service,Swagger可以根据代码自动生成API文档。如果生产环境中开启了Swagger功能且Swagger未开启认证功能,会导致API接口信息泄露,部分接口可能执行文件上传、查询用户信息等敏感操作,从而导致服务器被未授权访问或越权访问。", "solution": "1、在生产环境中关闭Swagger的功能。 2、开启Swagger的认证和授权功能。", "vuln_desc": "Swagger是一个规范且完整的框架,提供描述、生产、消费和可视化RESTful Web Service,Swagger可以根据代码自动生成API文档。如果生产环境中开启了Swagger功能且Swagger未开启认证功能,会导致API接口信息泄露,部分接口可能执行文件上传、查询用户信息等敏感操作,从而导致服务器被未授权访问或越权访问。", "vuln_harm": "如果生产环境中开启了Swagger功能且Swagger未开启认证功能,会导致API接口信息泄露,部分接口可能执行文件上传、查询用户信息等敏感操作,从而导致服务器被未授权访问或越权访问。", "vuln_name": "Swagger 存在敏感信息泄露", "vuln_type": "信息泄露", "webrules_tag": "1", "public_date": "2021-06-09 10:59:56", "code_language": "", "site_app": "", "kill_chain": "0x01020000", "kill_chain_all": "侦察:0x01000000|信息泄露:0x01020000", "intranet_rule_all": null, "attack_result": "3", "xff": "", "proto": null, "att_ck_all": "初始访问:TA0001|利用面向公众的应用程序:T1190"} ", "appProtocol": "null", "dataSubType": "webids-webattack_dolog", "requestMethod": "GET", "deviceHostAssetId": "asset_f1b2c3d4-e5f6-4a0b-8c7d-9e0f1a2b3c4d_1234567890123", "destSecurityZone": "outer", "accessAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.64", "deviceAddress": "10.12.34.56", "destPort": "8100", "destGeoCountry": "其他国家", "requestUrl": "/api/swagger-ui.html", "ruleType": "信息泄露", "customerId": "2", "startTime": "2026-04-20 14:39:13", "srcGeoAddress": "局域网", "destGeoCity": "未知", "direction": "01", "severity": "5", "destOrgId": "outer", "confidence": "80", "deviceAssetSubType": "统一威胁管理", "srcSecurityZone": "inner_a1b2c3d4-e5f6-4a0b-8c7d-9e0f1a2b3c4d_1234567890123", "victimAddress": "198.51.100.23", "requestUrlQuery": "/api/swagger-ui.html", "destGeoLatitude": "98.765432", "baas_srcDestAddress": "10.56.78.90#a1b2c3d4-e5f6-4a0b-8c7d-9e0f1a2b3c4d#198.51.100.23#outer", "@timestamp": "2026-04-20T06:39:13.000Z", "baas_engineInfo": "info:172.24.0.10,flink-ailpha-etl-taskmanager-1-1", "requestHeader": "GET /api/swagger-ui.html HTTP/1.1 Host: 198.51.100.23:8100 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.64 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Charset: utf-8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip Connection: close ", "deviceAssetSubTypeId": "9", "endTime": "2026-04-20 14:39:13", "srcGeoRegion": "局域网" }
ES|QL query: API request volume and error rate over the last 2 hours
Write an ES|QL query that, for the last 2 hours, counts the request volume and error rate of each API endpoint, sorts the results by error rate in descending order, and shows the top 50 rows.
ES|QL query: anomalous fluctuations in endpoint access volume over 36 hours
Write an ES|QL query for me that, based on 36 hours of access logs for the /osim-backend/api/ai/chat/stream/multi endpoint of the www.ocim.tech site, uses a sliding window to compute the mean and standard deviation of hourly access volume; when an hour's access volume exceeds "mean + 3 × standard deviation", classify it as an anomalous fluctuation and output one record, with the output records sorted by access volume in descending order.
EQL query: detecting anomalous same-day cross-city logins by a single user (Top 10)
Using an EQL query, filter the "user authentication succeeded" records from the security logs, look for the anomalous behaviour of a single user logging in from multiple cities (more than 3) on a single day, sort by the number of source cities in descending order, and output the Top 10 records.
C2 alert correlation: locating compromised intranet hosts and the corresponding processes
How can network-side C2 communication alerts be correlated to locate the responsible process on the compromised intranet host?