Appendix B - Harmony Mobile Syslogs

This appendix describes the structure of the Syslog event sent by Harmony Mobile.

Sample Harmony Mobile event:

May 15 11:24:26 dashboard-eu2-alerts HarmonyMobile: URL: dashboard-url.locsec.net, Product: Harmony Mobile, AttackVector: Application, DeviceAlert Event: Application, Product: Harmony Mobile, Threat Factors: Backup Tool, EventType: Installed, Signature: app_hash\: 781938e38fea1ee520b8ebe2da5d5cdd28bfee5c51bcd8d4a36e4b063a676ddf, RiskLevel: CRITICAL, DeviceID: 339, Client: Harmony Mobile Protect, Device Client Version: 4.3.0.9307, DeviceOwner: testUser, DeviceEmail: email@example.com, DeviceNumber: , DevicePolicy: Global, DeviceGroups: ALL|hm-integrations-g, DeviceSerialNumber: None, DeviceType: Android_work, DeviceOSLevel: 14, DeviceModel: samsung / SM-S911B, DeviceRiskLevel: 1.0, Event ID: 78, Event Timestamp: 1747297460000, Event Client Timestamp: 1747297457000, Device Tracking ID: 5292f8dffd6b92f87a24fa32337fefbf200fe65e5c09fb2d48583c4cb89f2f99, Host Type: Mobile, APP name: Smart Switch, APP package: com.sec.android.easyMover, APP Threat summary: None, APP SHA256: 781938e38fea1ee520b8ebe2da5d5cdd28bfee5c51bcd8d4a36e4b063a676ddf, App version: 3.7.62.1/376201130, App repackaged: False, APP Developer: None, APP Developer Certificate: None, System APP: None, APP Link: None, Network bssid: None, Device Location: None, Network Certificate: None, NetworkArpPoisoning: None, sms_urls: None, Sender: None, Location: None, ssid: None, Devicerootedjailbroken: False, Network Resource: None#015

Syslog event format for IBM QRadar SIEM:

May 15 11:24:26 HarmonyMobile dashboard-eu2-alerts: URL: dashboard-url.locsec.net, Product: Harmony Mobile, AttackVector: Application, DeviceAlert Event: Application, Product: Harmony Mobile, Threat Factors: Backup Tool, EventType: Installed, Signature: app_hash\: 781938e38fea1ee520b8ebe2da5d5cdd28bfee5c51bcd8d4a36e4b063a676ddf, RiskLevel: CRITICAL, DeviceID: 339, Client: Harmony Mobile Protect, Device Client Version: 4.3.0.9307, DeviceOwner: testUser, DeviceEmail: email@example.com, DeviceNumber: , DevicePolicy: Global, DeviceGroups: ALL|hm-integrations-g, DeviceSerialNumber: None, DeviceType: Android_work, DeviceOSLevel: 14, DeviceModel: samsung / SM-S911B, DeviceRiskLevel: 1.0, Event ID: 78, Event Timestamp: 1747297460000, Event Client Timestamp: 1747297457000, Device Tracking ID: 5292f8dffd6b92f87a24fa32337fefbf200fe65e5c09fb2d48583c4cb89f2f99, Host Type: Mobile, APP name: Smart Switch, APP package: com.sec.android.easyMover, APP Threat summary: None, APP SHA256: 781938e38fea1ee520b8ebe2da5d5cdd28bfee5c51bcd8d4a36e4b063a676ddf, App version: 3.7.62.1/376201130, App repackaged: False, APP Developer: None, APP Developer Certificate: None, System APP: None, APP Link: None, Network bssid: None, Device Location: None, Network Certificate: None, NetworkArpPoisoning: None, sms_urls: None, Sender: None, Location: None, ssid: None, Devicerootedjailbroken: False, Network Resource: None#015

Event Structure

Field	Description	Values	Sample Value
URL	Source tenant URL	HM tenant URL	dashboardurl.locsec.net
AttackVector	Attack vector	Application Cellular network WIFI network Device OS Exploits iOS profiles Network Security	Application
Product	Name of reporting product.	Harmony Mobile	Harmony Mobile
Threat Factors	Type of the threat.	See Threat Factor List.	Backup Tool
EventType	Type of the event.	Non-compliant Compliant Policy changed Active Inactive Disconnected Detected Ended Installed Removed Blocked Prevented Enabled Disabled	Removed
RiskLevel	Risk level of the event.	None Low Medium High Info	Info
DeviceID	Internal Harmony Mobile device ID.		1111
Client	Client application.	Harmony Mobile Protect	Harmony Mobile Protect
Device Client Version	Version of the client application.	M.m.mm.b	3.2.0.3986
DeviceOwner	Name of the device owner.		testUser
DeviceEmail	Email of the device owner.		email@example.com
DeviceNumber	Phone number of the device.		9720000000
DeviceType	Device type.	Android_4_x, iPhone	Android_4_x
DeviceOSLevel	Device OS version.		6.0.1
DeviceModel	Model of the device.	Multiple	samsung / SM-G930F,
DeviceRiskLevel	Current device risk level.	Unknown - cs6 = 0 None - cs6 = 0 Low - 0 < cs6 <= 0.3 Medium - 0.3 < cs6 <= 0.6 High - 0.6 < cs6 <= 1 cs6 is the custom string label for current device risk level.	0.0
Event ID	Internal ID of the event.		13
Event Timestamp	Event received timestamp.		1586078275000
Event Client Timestamp	Event occurred timestamp.		1586078274000
Device Tracking ID			3c55d882-f2c8-48ac-ba3a-91a1afab3f5e
Host Type	Type of the endpoint.	Mobile	Mobile
APP name	Name of the application, if the Attack Vector is Application .		Photos
APP package	Application package name.		com.google.android.apps.photos
APP Threat summary	Description of the app threats.		The application accesses the device data. It can backup sensitive information from the device
APP SHA256	SHA256 identifier of the binary.		382c9be98a2e63539dc8….
App version	Application version.		1.1/24
App repackaged	App was repackaged or not.	False True	False
APP Developer	Developer of the app.		None
APP Developer Certificate	Certificate of the app.		None
System APP	If system app or not.		None
APP Link	Link to the official app store.		None
Network bssid	BSSID of the attacking network.		None
Network Certificate	Certificate of the attacking network.		None
sms_urls	DEPRECATED, URLs found in SMS.		None
Sender	DEPRECATED, SMS sender number.		None
Location	Geo location of attacking network.		None
ssid	SSID Service Set Identifier. The technical term for a wireless network name that you see when you connect your device to your wireless home network. (name) of the attacking Wi-Fi network.		None
Devicerootedjailbroken	If the device is rooted or jailbroken.	False True	False
Network Resource	Malicious URL blocked by Harmony Mobile.		None