Spacebar Campaigns

HFL-003 Hanguel IR Agent Enriched Event

Source Alias:
HL-003
Origin host:
App server hanguel-ir-agent
Raw source locations:
Docker log + /var/log + /var/log/audit/audit.log
Collection method:
A Python agent reads the raw logs, enriches them into ECS-like JSON, and ships them to Logstash on port 8088
ELK index:
langflow-agent-*
Classification:
normal, suspicious, attack
Covered techniques:
Most of the campaign techniques in Operation Hanguel Flow

Key fields

Field                     Meaning
event.action              normalized action name
hanguel.classification    normal/suspicious/attack classification
hanguel.risk_score        risk score
hanguel.detection_stage   detection stage
hanguel.evidence          rule evidence (why the rule fired)
threat.technique          linked ATT&CK technique
vulnerability.id          vulnerability ID

Representative classification policy

normal: Langflow UI build request, host process telemetry
suspicious: direct validate API call, container shell without strong exploit context
attack: container shell following a suspicious validate API call, sensitive file access, tool transfer, Docker socket access
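The policy above is stateful: the same container shell event is only "suspicious" on its own but becomes "attack" when it follows a direct validate API call on the same host. The following is an added example (not the hanguel-ir-agent's own code) of one way such an enrichment step can apply that policy and emit ECS-like documents with the hanguel.* fields listed above. The normalized event.action values, the risk scores, the detection_stage labels, the 300-second correlation window and the sample events are all constructed for the example; threat.technique and vulnerability.id are left out because their mapping is not described on this page.

```python
"""Toy stateful enrichment step modelled on the normal/suspicious/attack policy.

Everything below that is not in the policy text is an assumption: the
event.action vocabulary, the scores, the stage names and the window size.
"""
import json

# Constructed action -> (risk score, detection stage, evidence) for actions
# that are "attack" on their own, regardless of what preceded them.
ATTACK_ACTIONS = {
    "file.sensitive_read": (90, "collection", "sensitive file access"),
    "tool.transfer": (85, "tool_transfer", "tool transfer into container"),
    "docker.socket.access": (95, "privilege_escalation", "Docker socket access"),
}

# Constructed action -> evidence for the "normal" baseline.
NORMAL_ACTIONS = {
    "langflow.ui.build": "Langflow UI build request",
    "host.process": "host process telemetry",
}

CORRELATION_WINDOW = 300  # seconds between validate API call and shell; constructed


def enrich(events):
    """Turn ordered raw events ({ts, host, action}) into ECS-like dicts.

    last_validate remembers, per host, when a direct validate API call was
    last seen so a later container shell can be escalated to "attack".
    """
    last_validate = {}
    out = []
    for ev in events:
        host, action, ts = ev["host"], ev["action"], ev["ts"]
        if action in NORMAL_ACTIONS:
            cls, score, stage, evidence = "normal", 0, "baseline", NORMAL_ACTIONS[action]
        elif action == "langflow.validate.api":
            last_validate[host] = ts
            cls, score, stage, evidence = "suspicious", 40, "initial_access", "direct validate API call"
        elif action == "container.shell":
            t0 = last_validate.get(host)
            if t0 is not None and 0 <= ts - t0 <= CORRELATION_WINDOW:
                cls, score, stage = "attack", 80, "execution"
                evidence = f"container shell {ts - t0}s after suspicious validate API call"
            else:
                cls, score, stage = "suspicious", 50, "execution"
                evidence = "container shell without strong exploit context"
        elif action in ATTACK_ACTIONS:
            score, stage, evidence = ATTACK_ACTIONS[action]
            cls = "attack"
        else:
            # Unknown actions are surfaced rather than silently dropped.
            cls, score, stage, evidence = "suspicious", 30, "unmapped", f"unmapped action {action}"
        out.append({
            "@timestamp": ts,
            "host": {"name": host},
            "event": {"action": action},
            "campaign": {"id": "HGC-2025-001"},
            "hanguel": {
                "classification": cls,
                "risk_score": score,
                "detection_stage": stage,
                "evidence": evidence,
            },
        })
    return out


# Constructed sample sequence: app-01 is the intrusion path, app-02 a lone shell.
SAMPLE_EVENTS = [
    {"ts": 1000, "host": "app-01", "action": "langflow.ui.build"},
    {"ts": 1010, "host": "app-01", "action": "langflow.validate.api"},
    {"ts": 1070, "host": "app-01", "action": "container.shell"},
    {"ts": 1080, "host": "app-01", "action": "docker.socket.access"},
    {"ts": 1090, "host": "app-02", "action": "container.shell"},
]


def sample_classifications():
    """Classification per sample event, in order."""
    return [doc["hanguel"]["classification"] for doc in enrich(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for doc in enrich(SAMPLE_EVENTS):
        print(json.dumps(doc))  # one ECS-like JSON line per event, as shipped to Logstash
```

Note that the escalation key is per host and time-bounded: a shell on app-02 stays "suspicious" because no validate API call was seen there, and the same shell on app-01 would also stay "suspicious" once the window has expired. A real agent would additionally need to persist last_validate across restarts and bound its size.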

KQL

campaign.id : "HGC-2025-001" and hanguel.classification : *
hanguel.classification : ("normal" or "suspicious" or "attack")