cURL Event Injector
1. Who to tell?
Instance URL:
2. Who carries the message?
Note: this account needs the evt_mgmt_integration role to connect; sn_si.integration_user also contains this role.
Username:
Password:
3. What to say?
Initial test
{"source":"cURL Test","description":"Testing...", "additional_info":"Test send from the PHP script", "severity":"Clear" }
UATU: Info
{"classification": "Security", "source": "UATU", "severity" : "Info", "node" : "OWA-SD-01", "description" : "Test Informational Event (from curl script)", "additional_info" : "Arooga, Arooga - warning!" }
UATU: Critical
{"classification": "Security", "source": "UATU", "severity" : "Critical", "node" : "OWA-SD-01", "description" : "Test Critical Event (from curl script)", "additional_info" : "Danger, danger - high voltage!" }
UATU: Warning
{"classification": "Security", "source": "UATU", "severity" : "Warning", "node" : "IP-Switch-1", "description" : "Detected abnormal network spike on this switch", "additional_info" : "Testing - this should create a security incident" }
Splunk: malicious
{ "source":"Splunk", "description": "Malicious code was detected at runtime while attempting to communicate with external host", "event_class" : "splunk01.s-mart.com", "node" : "wepos01.s043.s-mart.com", "resource" : "Endpoint Protection", "severity" : "Critical", "type" : "SIEM", "message_key" : "Endpoint Protection -- splunk01.s-mart.com -- @WanaDecryptor@.exe -- ", "dest_ip": "12.23.34.45" }
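The form above only shows the event bodies; it does not show how the injector actually wraps and posts them. The script below is an added example, not the page's own PHP injector, showing one way to do the same thing from a shell with curl. It assumes the instance exposes the ServiceNow Event Management endpoint /api/global/em/jsonv2, which takes a {"records":[ ... ]} envelope, and it reads the instance URL and the integration account from environment variables SN_INSTANCE, SN_USER and SN_PASS (names chosen here, not from the page). The accepted severity strings are the ones this page uses; the account credentials are handed to curl through a config file on stdin (-K -) rather than -u user:pass, so the password never shows up in the process list.

```shell
#!/bin/sh
# Added example (not the original injector script): post one Event Management
# event to a ServiceNow instance with curl.
# Assumptions not stated on the page: the endpoint is /api/global/em/jsonv2 and
# it expects {"records":[ <event>, ... ]}; connection settings come from the
# environment variables SN_INSTANCE, SN_USER and SN_PASS (names chosen here).

set -eu

# Wrap a single event object in the "records" envelope the endpoint expects.
build_payload() {
    printf '{"records":[%s]}' "$1"
}

# Accept only the severity strings used in the sample bodies on this page
# (plus Major/Minor, which sit between Critical and Warning); anything else
# is rejected before it reaches the instance.
check_severity() {
    case "$1" in
        Clear|Critical|Major|Minor|Warning|Info) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the severity string out of an event body without needing jq.
event_severity() {
    printf '%s' "$1" | sed -n 's/.*"severity"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# POST the wrapped event. The user:pass pair is passed as a curl config line on
# stdin (-K -) so it is not visible to other users via the process list.
post_event() {
    event="$1"
    sev=$(event_severity "$event")
    check_severity "$sev" || { echo "unknown severity: '$sev'" >&2; return 1; }
    printf 'user = "%s:%s"\n' "$SN_USER" "$SN_PASS" |
    curl --silent --show-error --fail -K - \
         -H 'Content-Type: application/json' -H 'Accept: application/json' \
         -X POST "${SN_INSTANCE%/}/api/global/em/jsonv2" \
         --data "$(build_payload "$event")"
}

# Constructed sample: the "UATU: Warning" body from the form above.
SAMPLE_EVENT='{"classification": "Security", "source": "UATU", "severity" : "Warning", "node" : "IP-Switch-1", "description" : "Detected abnormal network spike on this switch", "additional_info" : "Testing - this should create a security incident" }'

# Only send when run directly with all three connection settings present.
if [ "${SN_INSTANCE:-}" ] && [ "${SN_USER:-}" ] && [ "${SN_PASS:-}" ]; then
    post_event "$SAMPLE_EVENT"
fi
```

Run it as SN_INSTANCE=https://<instance>.service-now.com SN_USER=<integration user> SN_PASS=<password> sh inject.sh. Because --fail is set, an account that lacks the evt_mgmt_integration role surfaces as a non-zero exit on the 401/403 response instead of a silently accepted HTML error page.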