"@type","Source","Detection Date","Name","Destination IP","Destination Port","Remaining Ack SLA on Pause","Assigned Date","MITRE ATT&CK ID","Priority Weight","Description","File Hash","Source IP","Source Port","Status","Severity","Type","UUID","Id","Tags","Queues"
"Alert","FortiSIEM","2023-01-19T06:48:00+00:00","Malformed Network packet","255.255.255.255","","0","2023-01-19T06:48:02+00:00","","0","The UDP header in the packet contains a wrong data length. 1404 bytes are advertised, but 1380 bytes are found in the payload.","","10.80.68.60","","Open","Low","Malware","555b57d5-4f0f-4b2a-8bf2-45621b5c27c7","1","['IT OT', 'Sample']","Default"
"Alert","FortiSIEM","2022-09-19T06:14:54+00:00","Man in the middle attack on 101.11.85.23","101.11.85.23","1212","0","2023-02-04T06:30:30+00:00","","0","During MiTM attacks, cybercriminals insert themselves in the middle of data transactions or online communication. Through the distribution of malware, the attacker gains easy access to the user's web browser and the data it sends and receives during transactions. A person with IP 198.32.64.12 has attacked one of the systems at Level 5 with IP 101.11.85.23","","198.32.64.12","4124","Open","Low","Malware","8ffd2217-134a-4eaf-a75e-bef636d1cd8f","2","['IT OT', 'Sample']","Default"
"Alert","FortiSIEM","2023-01-19T07:21:24+00:00","Malware detection [Dragonfly2]","10.132.255.118","443","0","2023-01-19T07:21:26+00:00","","0","Suspicious transferring of malware named 'TemplateAttack_DragonFly_2_0' (MD5: 722154a36f32ba10e98020a8ad758a7a) was detected involving resource '\\10.132.255.118 \ADMIN\CVcontrolEngineer.docx' after a 'read' operation","722154a36f32ba10e98020a8ad758a7a","10.121.221.12","1148","Open","Low","Malware","f350287b-b7c9-4aca-a65e-19f582bf057e","3","['IT OT', 'Sample']","Default"
"Alert","FortiSIEM","2023-01-19T07:10:26+00:00","A suspicious packet was sent","10.132.255.118","443","0","2023-01-19T07:14:42+00:00","","0","A suspicious packet was sent. SMB Server Traffic contains NTLM-Authenticated SMBv1 Session. Activity was detected related to NTLM-Authenticated SMBv1 Session, that indicates attempts to abuse the exploits in SMBv1.","","10.121.221.12","1148","Open","Low","Other / Unknown","a86c6a3e-8308-4c29-aed0-9c4046350353","4","['IT OT', 'Sample']","Default"
"Alert","FortiSIEM","2023-01-05T06:12:17+00:00","TCP Port Scan","10.12.31.56","","0","2023-02-04T06:30:35+00:00","T0885","0"," Asset 10.21.34.12 sent probe packets to 10.12.31.56 IP address on different ports.","","10.21.34.12","","Open","Low","Command and Control","b7541a1a-c624-472b-9cae-fffa38fd7d6e","5","['IT OT', 'Sample']","Default"
"Alert","FortiSIEM","2023-01-05T06:12:17+00:00","TCP Port Scan","192.168.1.205","","0","2023-02-04T06:30:56+00:00","T0885","0"," Asset 192.155.11.12 sent probe packets to 192.168.1.205 IP address on different ports.","","192.155.11.12","","Open","Low","Command and Control","ffa55f65-65e5-4901-a57c-6e2a2cb96433","6","['IT OT', 'Sample']","Default"
"Alert","FortiSIEM","2023-01-19T10:26:27+00:00","Configuration change from ""PROGRAM"" to ""REMOTE""","172.10.11.122","44121","0","2023-01-19T10:28:57+00:00","T0886","0","The position of the key for the device 172.10.11.122 changed from ""PROGRAM"" to ""REMOTE""","","192.168.11.131","10312","Open","Low","Brute Force Attempts","6e4dbe90-53ab-433c-9e85-254749c0f454","7","['IT OT', 'Sample']","Default"
"Alert","FortiSIEM","2022-09-19T06:14:54+00:00","Unsupported function code 126 (PLC Programming) requested on producer 172.100.1.13","172.100.1.13","524","0","2023-02-04T06:30:51+00:00","T0845","0","An unsupported function was used on the OT device. This could be due to faulty software failing to perform an operation or a malicious attacker attempting to understand the device's capabilities.","","192.168.55.162","41321","Open","Low","Other / Unknown","e4c2a68e-b99f-40b6-aa6c-7991ba99ca74","8","['IT OT', 'Sample']","Default"
"Alert","FortiSIEM","2022-12-30T06:31:50+00:00","Modbus TCP - Unauthorized Read Request to PLC","","","0","2023-02-04T06:30:41+00:00","","0","This event is generated when an unauthorized system attempts to write information to a PLC or other field device.
Modbus TCP is a protocol commonly used in SCADA and DCS networks for process control. The protocol does not provide authentication of the source of a command. Most SCADA/DCS networks have a limited number of control servers that should write information to a PLC. An adversary may attempt to corrupt a PLC or set it in a state that negatively affects the process being controlled.
An attacker with IP connectivity to the PLC issues MODBUS write requests. This could change the configuration of the PLC, make the PLC interoperable, or send requests to actuators to change the state of the process being controlled.","","192.12.141.11","","Open","Low","Improper Disposal","70a5157e-7096-42a1-ac02-8511fb88f14b","9","['IT OT', 'Sample']","Default"
"Alert","FortiSIEM","2022-09-19T06:14:54+00:00","Unsupported function code 126 (PLC Programming) requested on producer 172.100.1.11","172.100.1.11","445","0","2023-02-04T06:30:46+00:00","T0845","0","An unsupported function was used on the OT device. This could be due to faulty software failing to perform an operation or a malicious attacker attempting to understand the device's capabilities.","","192.168.25.62","52312","Open","Low","Other / Unknown","595912ed-589f-4de5-b306-4deef4da168f","10","['IT OT', 'Sample']","Default"
"Alert","FortiSIEM","2023-01-19T10:26:27+00:00","Configuration change from ""REMOTE"" to ""PROGRAM""","172.10.11.122","44121","0","2023-01-19T10:26:28+00:00","T0886","0","The position of the key for the device 172.10.11.122 changed from ""REMOTE"" to ""PROGRAM""","","192.168.11.131","10312","Open","Low","Brute Force Attempts","1d131b8e-1df6-4b85-a745-1fc5da03c26f","11","['IT OT', 'Sample']","Default"
"Alert","FortiSIEM","2023-01-19T06:59:41+00:00","Suspicious activity between 10.121.221.12 and 10.132.255.118 has been detected.","10.132.255.118","","0","2023-01-19T06:59:43+00:00","","0","","","10.121.221.12","","Open","Low","Other / Unknown","7daffb9e-e32d-4254-a774-2cb87a26c649","12","['IT OT', 'Sample']","Default"