Appendix B - Harmony Mobile Syslogs
This appendix describes the structure of the Syslog event sent by Harmony Mobile.
Sample Harmony Mobile event:
Apr 5 09:17:55 172.18.0.1 URL: dashboard-url.locsec.net AttackVector: Application, Product: Harmony Mobile, Threat Factors: Backup Tool, EventType: Removed, RiskLevel: INFO, DeviceID: 1111, Client: Harmony Mobile Protect, Device Client Version: 3.2.0.3986, DeviceOwner: testUser, DeviceEmail: email@example.com, DeviceNumber: 9720000000, DeviceType: Android_4_x, DeviceOSLevel: 6.0.1, DeviceModel: samsung / SM-G930F, DeviceRiskLevel: 0.0, Event ID: 13, Event Timestamp: 1586078275000, Event Client Timestamp: 1586078274000, Device Tracking ID: 3c55d882-f2c8-48ac-ba3a-91a1afab3f5e, Host Type: Mobile, APP name: Photos, APP package: com.google.android.apps.photos, APP Threat summary: The application accesses the device data. It can backup sensitive information from the device, APP SHA256: 382c9be98a2e63539dc803d2565288d3be9aff5e379e24414f631e3517941077, App version: 1.1/24, App repackaged: False, APP Developer: None, APP Developer Certificate: None, System APP: None, APP Link: None, Network bssid: None, Network Certificate: None, sms_urls: None, Sender: None, Location: None, ssid: None, Devicerootedjailbroken: False, Network Resource: None
Event Structure
| Field | Description | Values | Sample Value |
|---|---|---|---|
| URL | Source tenant URL | HM tenant URL | dashboardurl.locsec.net |
| AttackVector | Attack vector. | | Application |
| Product | Name of reporting product. | Harmony Mobile | Harmony Mobile |
| Threat Factors | Type of the threat. | See Threat Factor List. | Backup Tool |
| EventType | Type of the event. | | Removed |
| RiskLevel | Risk level of the event. | | Info |
| DeviceID | Internal Harmony Mobile device ID. | 1111 | |
| Client | Client application. | Harmony Mobile Protect | Harmony Mobile Protect |
| Device Client Version | Version of the client application. | M.m.mm.b | 3.2.0.3986 |
| DeviceOwner | Name of the device owner. | testUser | |
| DeviceEmail | Email of the device owner. | email@example.com | |
| DeviceNumber | Phone number of the device. | 9720000000 | |
| DeviceType | Device type. | Android_4_x, iPhone | Android_4_x |
| DeviceOSLevel | Device OS version. | 6.0.1 | |
| DeviceModel | Model of the device. | Multiple | samsung / SM-G930F, |
| DeviceRiskLevel | Current device risk level. | cs6 is the custom string label for current device risk level. | 0.0 |
| Event ID | Internal ID of the event. | 13 | |
| Event Timestamp | Event received timestamp. | 1586078275000 | |
| Event Client Timestamp | Event occurred timestamp. | 1586078274000 | |
| Device Tracking ID | 3c55d882-f2c8-48ac-ba3a-91a1afab3f5e | | |
| Host Type | Type of the endpoint. | Mobile | Mobile |
| APP name | Name of the application, if the Attack Vector is Application. | | Photos |
| APP package | Application package name. | com.google.android.apps.photos | |
| APP Threat summary | Description of the app threats. | The application accesses the device data. It can backup sensitive information from the device | |
| APP SHA256 | SHA256 identifier of the binary. | 382c9be98a2e63539dc8…. | |
| App version | Application version. | 1.1/24 | |
| App repackaged | App was repackaged or not. | | False |
| APP Developer | Developer of the app. | None | |
| APP Developer Certificate | Certificate of the app. | None | |
| System APP | If system app or not. | None | |
| APP Link | Link to the official app store. | None | |
| Network bssid | BSSID of the attacking network. | None | |
| Network Certificate | Certificate of the attacking network. | None | |
| sms_urls | DEPRECATED, URLs found in SMS. | None | |
| Sender | DEPRECATED, SMS sender number. | None | |
| Location | Geo location of attacking network. | None | |
| ssid | Attacking Wi-Fi network. | | None |
| Devicerootedjailbroken | If the device is rooted or jailbroken. | | False |
| Network Resource | Malicious URL blocked by Harmony Mobile. | None | |
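
The following parser is an added example, not part of the Harmony Mobile documentation. It splits an event on the field names from the table above rather than on commas, because the sample has no comma between URL and AttackVector and a free-text value such as APP Threat summary could itself contain one. The function names, the mapping of the literal None to a null value, and the reading of the 13-digit timestamps as Unix epoch milliseconds (which matches the header time in the sample) are assumptions.

```python
import re
from datetime import datetime, timezone

# Field names exactly as listed in the Event Structure table.
FIELDS = [
    "URL", "AttackVector", "Product", "Threat Factors", "EventType", "RiskLevel",
    "DeviceID", "Client", "Device Client Version", "DeviceOwner", "DeviceEmail",
    "DeviceNumber", "DeviceType", "DeviceOSLevel", "DeviceModel", "DeviceRiskLevel",
    "Event ID", "Event Timestamp", "Event Client Timestamp", "Device Tracking ID",
    "Host Type", "APP name", "APP package", "APP Threat summary", "APP SHA256",
    "App version", "App repackaged", "APP Developer", "APP Developer Certificate",
    "System APP", "APP Link", "Network bssid", "Network Certificate", "sms_urls",
    "Sender", "Location", "ssid", "Devicerootedjailbroken", "Network Resource",
]
# (?<!\w) stops "ssid" matching inside "bssid" and "RiskLevel" inside "DeviceRiskLevel".
_KEY = re.compile(r"(?<!\w)(" + "|".join(
    re.escape(f) for f in sorted(FIELDS, key=len, reverse=True)) + r"): ")

def parse_event(line):
    """Split one event into {field: value}; text before the first key is the syslog header."""
    hits, seen = [], set()
    for m in _KEY.finditer(line):
        if m.group(1) not in seen:      # a repeated key is left as value text
            seen.add(m.group(1))
            hits.append(m)
    event = {"syslog_header": line[:hits[0].start()].strip()} if hits else {}
    for cur, nxt in zip(hits, hits[1:] + [None]):
        raw = line[cur.end():nxt.start() if nxt else len(line)]
        value = raw.strip().rstrip(",").strip()  # drop the separator; inner commas survive
        event[cur.group(1)] = None if value == "None" else value  # assumed: "None" means absent
    return event

def normalise(event):
    """Assumed typing: 13-digit timestamps are epoch milliseconds, flags are True/False."""
    out = dict(event)
    for key in ("Event Timestamp", "Event Client Timestamp"):
        if out.get(key):
            out[key] = datetime.fromtimestamp(int(out[key]) / 1000, tz=timezone.utc)
    for key in ("App repackaged", "Devicerootedjailbroken"):
        if out.get(key) is not None:
            out[key] = out[key] == "True"
    return out

# Constructed input: the sample event from this page with most fields omitted for brevity.
SAMPLE = ("Apr 5 09:17:55 172.18.0.1 URL: dashboard-url.locsec.net AttackVector: Application, "
          "Threat Factors: Backup Tool, RiskLevel: INFO, DeviceModel: samsung / SM-G930F, "
          "DeviceRiskLevel: 0.0, Event Timestamp: 1586078275000, App repackaged: False, "
          "Network bssid: None, ssid: None, Devicerootedjailbroken: False, Network Resource: None")
```

Values such as DeviceOwner, APP name and ssid are free text; keep them as plain strings when forwarding parsed events to a SIEM.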