Appendix C - Harmony Mobile ArcSight

This appendix describes the structure of the ArcSight event sent by Harmony Mobile.

Sample Harmony Mobile event:

<CEF:0|Check Point|SMB|4.0.2.9119|BACKUP_TOOL|Application|3|act=Installed alert_details=app_hash: 9061187fbd6aa0cf978bfe9928158cf41c53c70a884f9d8b279a52e232fa3a9a app_name=Google Photos app_package=com.google.photos bssid=None cat=Alert cnt=1234 cs1=IPhone cs1Label=DeviceType cs2=+44 7469 376815 cs2Label=Phone cs3=15.6.1 cs3Label=OSLevel cs4=iPhone / iPhone 11 cs4Label=DeviceDetails cs5=None cs5Label=NetworkCertificate cs6=0.6 cs6Label=Current Device Risk deviceDirection=None deviceExternalId=971225 deviceInboundInterface=False device_client_version=4.0.2.9119 duid=AAA23C40-6577-4321-8B74-25454123457D duser= user@example.com dvchost=example-tenant.locsec.net externalId= F112343S-4123-4b69-90ff-0234DFHGHFY9 fileHash=9061187fbd6aa0cf978bfe9928158cf41c53c70a884f9d8b279a52e232fa3a9a fileId=6.4.469058872 filePermission=False fileType=The application accesses the device data. It can backup sensitive information from the device. App Category - Photography This app might access and share your device unique identifier. This might be used to track location, gather user behaviour and present targeted advertisement msg=app_hash: 9061187fbd6aa0cf978bfe9928158cf41c53c70a884f9d8b279a52e232fa3a9a resource=None rt=1662318312000 sender=None sms_urls=None ssid=None start=1662318312000 suid=None suser=Jhon's iPhone uuid=None

CEF Header

| CEF Header | Description |
|---|---|
| CEF:0 | Common Event Format (CEF) version. |
| Check Point | Vendor name. |
| SMB | Product name. |
| 4.0.2.9119 | Client version. |
| BACKUP_TOOL | Type of the threat, called the threat factor. For the complete list of threat factors, see Threat Factor List. |
| Application | Attack vector. |
| 10 | Severity of the event (discrete values): Low = 3, Medium = 7, High = 10. |

CEF Extension

| CEF Extension | Description | Values | Sample Value |
|---|---|---|---|
| act | Type of the event. | Non-compliant, Compliant, Policy changed, Active, Inactive, Disconnected, Detected, Ended, Installed, Removed, Blocked, Prevented, Enabled, Disabled | Installed |
| alert_details | Event details. | | app_hash: 9061187fbd6aa0cf978bfe9928158cf41c53c70a884f9d8b279a52e232fa3a9a |
| app_name | Related application name, if relevant. | | Google Photos |
| app_package | Application package name, if relevant. | | com.google.photos |
| bssid | BSSID of the attacking network. | | None |
| cat | Harmony Mobile event category. | | Alert |
| cnt | Harmony Mobile event ID. | | 1232 |
| cs1 | Device type. | Android_4_x, iPhone | iPhone |
| cs1Label | Custom string label Device Type. | DeviceType | DeviceType |
| cs2 | Phone number of the device. | | +44 7469 376815 |
| cs2Label | Custom string label Phone. | Phone | Phone |
| cs3 | Device OS version. | | 15.6.1 |
| cs3Label | Custom string label OS level. | OSLevel | OSLevel |
| cs4 | Model of the device. | Multiple | iPhone / iPhone 11 |
| cs4Label | Custom string label DeviceDetails. | DeviceDetails | DeviceDetails |
| cs5 | Certificate of the attacking network. | | |
| cs5Label | Custom string label NetworkCertificate. | NetworkCertificate | NetworkCertificate |
| cs6 | Current device risk level. | Unknown: cs6 = 0; None: cs6 = 0; Low: 0 < cs6 <= 0.3; Medium: 0.3 < cs6 <= 0.6; High: 0.6 < cs6 <= 1 | 0.6 |
| cs6Label | Custom string label Current Device Risk. | Current Device Risk | Current Device Risk |
| deviceDirection | Whether the network is performing ARP (Address Resolution Protocol) poisoning. | None, True, False | None |
| deviceExternalId | Device UUID. | Multiple | 971225 |
| deviceInboundInterface | Whether the device is rooted or jailbroken. | True, False | False |
| device_client_version | Version of the client app. | M.m.mm.b | 4.0.2.9119 |
| duid | Device tracking ID. | | AAA23C40-6577-4321-8B74-25454123457D |
| duser | User email. | | user@example.com |
| dvchost | Host. | | example-tenant.locsec.net |
| externalId | Device UUID. | | F112343S-4123-4b69-90ff-0234DFHGHFY9 |
| fileHash | SHA256 identifier of the binary. | | 9061187fbd6aa0cf978bfe9928158cf41c53c70a884f9d8b279a52e232fa3a9a |
| fileId | Application version. | | 6.4.469058872 |
| filePermission | Whether the application was repackaged. | False, True | False |
| fileType | Description of the app threats. | | The application accesses the device data. It can backup sensitive information from the device. |
| msg | Event details. | | app_hash: 9061187fbd6aa0cf978bfe9928158cf41c53c70a884f9d8b279a52e232fa3a9a |
| resource | Malicious URL blocked by Harmony Mobile. | | None |
| rt | Event client timestamp. | | 1662318312000 |
| sender | Deprecated. SMS sender number. | | None |
| sms_urls | Deprecated. URLs found in SMS. | | None |
| ssid | SSID (name) of the attacking Wi-Fi network. | | None |
| start | Event received timestamp. | | 1662318312000 |
| suid | Network location. | Latitude, Longitude, None | None |
| suser | Phone name. | | Jhon's iPhone |
| uuid | Device UUID for AirWatch UEM (Unified Endpoint Management). | | None |
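The following Python parser is an added example, not code from the Check Point documentation or product: it splits the seven pipe-delimited header fields, reads extension values that contain spaces or a stray space after "=" (as in duser= in the sample event), resolves each csN value through its csNLabel, and buckets cs6 with the thresholds from the table. The SAMPLE line is constructed by shortening the event at the top of this appendix.

```python
"""Parse the Harmony Mobile CEF event layout described above: split the 7 header
fields, read extension key=value pairs whose values may contain spaces, resolve
the csN/csNLabel pairs and bucket cs6 with the thresholds from the table."""
import re

# Constructed sample, shortened from the event at the top of this appendix.
SAMPLE = ("CEF:0|Check Point|SMB|4.0.2.9119|BACKUP_TOOL|Application|3|"
          "act=Installed app_name=Google Photos app_package=com.google.photos "
          "cat=Alert cnt=1234 cs1=IPhone cs1Label=DeviceType cs4=iPhone / iPhone 11 "
          "cs4Label=DeviceDetails cs6=0.6 cs6Label=Current Device Risk "
          "deviceInboundInterface=False duser= user@example.com "
          "fileType=The application accesses the device data. App Category - Photography "
          "rt=1662318312000 suser=Jhon's iPhone")

HEADER_FIELDS = ("version", "vendor", "product", "client_version",
                 "threat_factor", "attack_vector", "severity")
SEVERITY = {"3": "Low", "7": "Medium", "10": "High"}  # header severity values
# An extension key is a run of word characters followed by '=' at the start of
# the extension or after whitespace, so an escaped '\=' inside a value never
# starts a new key.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")

def parse_cef(line: str) -> dict:
    # Split the header on unescaped '|' only; the 8th part is the extension,
    # which may itself contain unescaped pipes.
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    event["version"] = event["version"][len("CEF:"):]
    ext, matches = {}, list(KEY_RE.finditer(parts[7]))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(parts[7])
        value = parts[7][m.end():end].strip()  # tolerates 'duser= x'
        ext[m.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    # ArcSight custom strings: cs1Label=DeviceType means DeviceType holds cs1.
    for key, label in ext.items():
        if key.endswith("Label") and key[:-5] in ext:
            event[label] = ext[key[:-5]]
    event["extension"] = ext
    return event

def risk_bucket(cs6: str) -> str:
    """Map cs6 to its risk level using the ranges in the cs6 table row."""
    value = float(cs6)
    for upper, level in ((0, "None/Unknown"), (0.3, "Low"), (0.6, "Medium"), (1, "High")):
        if value <= upper:
            return level
    raise ValueError("cs6 out of range")
```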

Threat Factor List

Note - This list is dynamic; threat factors may be added or removed. The list below is current as of March 2022.

Threat Factors

  • Accessibility permission
  • Account Info Access
  • Achilles vulnerability
  • Action
  • Admin Rights
  • Adventure
  • Alcohol & Tobacco
  • Anonymizer
  • App Not Available in Market
  • Application Download
  • Arcade
  • ARP Poisoning
  • Art & Design
  • Art / Culture
  • Auto & Vehicles
  • Background refresh permission
  • Backup Tool
  • Beauty
  • Blogs / Personal Pages
  • Bluetooth Access
  • Board
  • Books & Reference
  • Botnets
  • Business
  • Business / Economy
  • Calendar Access
  • Call Log Access
  • Camera Access
  • Captive
  • Card
  • Casino
  • Casual
  • Cell Location Access
  • Child Abuse
  • Client version
  • Comics
  • Communication
  • Computers / Internet
  • Configuration Profile
  • Connectivity
  • Contacts Access
  • Dangerous App
  • Dating
  • Debug Certificate
  • Developer options
  • Dropper
  • Education
  • Educational
  • Email
  • Entertainment
  • Fake App
  • Fake Corporate Wi-Fi
  • Fake Public Wi-Fi
  • Fashion
  • File Download
  • File Storage and Sharing
  • Finance
  • Financial Information Stealing App
  • Financial Services
  • Food & Drink
  • Gambling
  • Games
  • General
  • Government / Military
  • Greeting Cards
  • Hacking
  • Hacking Tool
  • Harmony Mobile not installed on personal profile
  • Hate / Racism
  • Health
  • Health & Fitness
  • Hidden Clicker
  • History Bookmarks Access
  • House & Home
  • Illegal / Questionable
  • Illegal Drugs
  • Inactive Sites
  • Info Stealer
  • Instant Chat
  • Instant Messaging
  • Job Search / Careers
  • Keyboard Access
  • Knox permission not granted
  • Legitimate App
  • Libraries & Demo
  • Lifestyle
  • Lingerie and Swimsuit / Suggestive
  • Local Network Permission
  • Location Access
  • Location permission
  • Location Tracking
  • Malicious File
  • Malware
  • Man-In-The-Middle Attack App
  • Maps & Navigation
  • Marijuana
  • Media Sharing
  • Media Streams
  • Mediatek vulnerability
  • Medical
  • Microphone Access
  • MITM Attack Prevention
  • Mobile Remote Access Tool
  • Music & Audio
  • Nature / Conservation
  • Network Protection
  • Network Protection (TLS)
  • Network Protection (VPN)
  • Network Redirection Tool
  • News & Magazines
  • News / Media
  • Newsgroups / Forums
  • Non Official App Store App
  • Non-profits & NGOs
  • Notification permission
  • Nudity
  • Open Wi-Fi
  • Optimizer Tool
  • OS patch level
  • OS Version
  • P2P File Sharing
  • Parenting
  • Personal profile compromised
  • Personal profile inactive
  • Personalization
  • Personals / Dating
  • Phishing
  • Phishing App
  • Photography
  • Policy verification
  • Political / Legal
  • Pornography
  • Port Scanning Detected
  • Premium Dialer
  • Productivity
  • Protected DNS
  • Puzzle
  • Racing
  • Ransomware
  • Real Estate
  • Recreation
  • Religion
  • Remote Access Tool
  • Rogue Access Point Connected
  • Role Playing
  • Rooting Management Tool
  • Rootkit
  • Rough Ad-Network
  • Safari is not installed
  • Samsung knox block application until scan ends
  • Samsung knox block risky application
  • Screen lock protection
  • SD card encryption
  • Search Engines / Portals
  • SELinux enforced
  • Sex
  • Sex Education
  • Shopping
  • Simulation
  • SMS Bot
  • Social
  • Social Networking
  • Software Downloads
  • Spam
  • Sports
  • Sports Game
  • Spyware / Malicious Sites
  • SSL Interception (Advanced)
  • SSL Interception (Basic)
  • SSL Stripping
  • Storage encrypted
  • Storage permission not granted
  • Strategy
  • Suspecious app
  • Suspected Malware
  • Suspicious Content
  • Tasteless
  • This application was blacklisted
  • TLS/SSL Downgrade
  • Tools
  • Translation
  • Trivia
  • Uncategorized
  • USB debugging
  • Vehicles
  • Video Players & Editors
  • Violence
  • VPN lock down
  • Vulnerable app
  • Weapons
  • Weather
  • Web Advertisements
  • Word
  • Zero-Phishing