Description
Motivation
I want to parse the alerts of fibratus to ingest them into my own project.
For that I need information like alert/detection ID, category, severity, threat name etc.
I parse the Windows event logs, as in https://www.fibratus.io/#/alerts/senders/eventlog.
The relevant information is separated by newlines, whitespace, and colons.
Like this:
<EventData>
<Data>Suspicious access to the hosts file
Suspicious process C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.106\msedgewebview2.exe accessed the hosts file for potential tampering
Severity: medium
System events involved in this alert:
Event #1:
Seq: 1748233
Pid: 4324
Tid: 10840
Additionally, some information is stored with UTF8 arrows like "directory_table_base➜ 530c7000, domain➜ DESKTOP-C0HF6MF, exe➜ C:\Program Files (x86)".
This makes it hard to write a parser to extract the information.
Feature
Either change, or make an option which changes the output to JSON:
Like this:
<EventData>
<Data>
{
"title": "Suspicious access to the hosts file",
"threat": "Suspicious process C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\122.0.2365.106\\msedgewebview2.exe accessed the hosts file for potential tampering",
"severity": "medium",
"events": [
{
"Seq": 1748233,
"Pid": 4324,
"Tid": 10840,
...
Make sure that additional data like callstacks are nicely integrated.
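To make the parsing problem and the proposed layout concrete, here is an added Go example (not fibratus code and not the parser linked below): it reads one alert in the current eventlog text form (title line, description line, `Severity:`, then `Event #N:` blocks of `Key: value` lines) into a struct whose `json` tags match the proposed shape, and marshals it back out. The sample alert is constructed from the excerpt above; the `Params:` line carrying the arrow-separated `key➜ value` pairs is an assumed label, since the issue does not show which line those pairs appear on.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Alert follows the JSON layout proposed in this issue; field names are assumed.
type Alert struct {
	Title    string           `json:"title"`
	Threat   string           `json:"threat"`
	Severity string           `json:"severity"`
	Events   []map[string]any `json:"events"`
}

// sampleAlert is a constructed alert in the current text format. The "Params:"
// line is an assumption used to show how the arrow-separated fields parse.
const sampleAlert = `Suspicious access to the hosts file
Suspicious process C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.106\msedgewebview2.exe accessed the hosts file for potential tampering
Severity: medium
System events involved in this alert:
Event #1:
Seq: 1748233
Pid: 4324
Tid: 10840
Params: directory_table_base➜ 530c7000, domain➜ DESKTOP-C0HF6MF, exe➜ C:\Program Files (x86)
`

// parseValue keeps decimal integers as numbers (so "Pid": 4324 is a JSON number)
// and leaves anything else, such as the hex "530c7000", as a string.
func parseValue(s string) any {
	if n, err := strconv.ParseInt(s, 10, 64); err == nil {
		return n
	}
	return s
}

// parseArrowList splits "k➜ v, k2➜ v2" into a map. Splitting on ", " is
// ambiguous as soon as a value itself contains a comma, which is exactly why
// a structured output format is preferable to this text form.
func parseArrowList(s string) map[string]any {
	out := map[string]any{}
	for _, field := range strings.Split(s, ", ") {
		k, v, ok := strings.Cut(field, "➜ ")
		if !ok {
			continue
		}
		out[strings.TrimSpace(k)] = parseValue(v)
	}
	return out
}

// ParseAlert converts one alert in the current text format into an Alert.
func ParseAlert(text string) (Alert, error) {
	var a Alert
	lines := strings.Split(strings.TrimRight(text, "\n"), "\n")
	if len(lines) < 3 {
		return a, fmt.Errorf("alert too short: %d lines", len(lines))
	}
	a.Title = lines[0]
	a.Threat = lines[1]
	var cur map[string]any // the event block currently being filled
	for _, line := range lines[2:] {
		switch {
		case strings.HasPrefix(line, "Severity: "):
			a.Severity = strings.TrimPrefix(line, "Severity: ")
		case strings.HasPrefix(line, "Event #"):
			cur = map[string]any{}
			a.Events = append(a.Events, cur)
		case cur != nil:
			key, val, ok := strings.Cut(line, ": ")
			if !ok {
				continue // e.g. the "System events involved in this alert:" header
			}
			if strings.Contains(val, "➜") {
				cur[key] = parseArrowList(val)
			} else {
				cur[key] = parseValue(val)
			}
		}
	}
	return a, nil
}

// JSON renders the alert in the proposed machine-readable form.
func (a Alert) JSON() (string, error) {
	b, err := json.MarshalIndent(a, "", "  ")
	return string(b), err
}

func main() {
	a, err := ParseAlert(sampleAlert)
	if err != nil {
		panic(err)
	}
	s, _ := a.JSON()
	fmt.Println(s)
}
```

Running it prints the sample alert as JSON with `"Seq": 1748233` as a number and the arrow-separated pairs as a nested object; the same `Alert` struct could carry a callstack as a further field rather than as more free text.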
Alternatives
XML or whatever.
Additional context
While the event logs in the current state are nicely human readable, they should be machine readable first.
My ugly LLM-generated fibratus log parser: https://github.com/dobin/DetonatorAgent/blob/main/EdrPlugins/FibratusEdrPlugin.cs#L208
I need output like the following example: https://detonator.r00ted.ch/submissions/9