Secret Net Studio
Secret Net Studio endpoint protection events by Security Code — authentication, mandatory and discretionary access control, integrity monitoring, device control, closed software environment, network protection, data protection with secure erasure, and audit events in ECS-compatible JSON format with Russian-locale descriptions matching real Secret Net Studio output.
Quick Start

```bash
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/endpoint-secret-net/generator.yml \
  --id endpoint-secret-net \
  --live-mode true
```

Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| authentication | Authentication (SN_AUTH_*) | 25% | authentication |
| discretionary-access | Discretionary Access Control (SN_DAC_*) | 18% | file |
| integrity-control | Integrity Control (SN_INTEGRITY_*) | 15% | host |
| device-control | Device Control (SN_DEVICE_*) | 12% | host |
| mandatory-access | Mandatory Access Control (SN_MAC_*) | 8% | file |
| closed-environment | Closed Software Environment (SN_CSE_*) | 7% | process |
| network-protection | Network Protection (SN_NET_*) | 7% | network |
| data-protection | Data Protection (SN_DATA_*) | 4% | file |
| audit | Audit (SN_AUDIT_*) | 4% | configuration |
Realism Features
- Shared monotonic event ID counter across all event types for consistent ordering
- CSV-sampled host pool with hostname, IP, MAC, OS, and domain fields for correlated device identity
- CSV-sampled user pool with Russian full names, departments, and clearance levels
- Three-tier confidentiality levels (Несекретно, Конфиденциально, Строго конфиденциально) matching the Russian classification scheme
- Russian-language event descriptions and subsystem names matching real Secret Net Studio output
- Device inventory with vendor, model, serial, and VID/PID for USB device control events
- Integrity object database with file paths, registry keys, and expected checksums
Sample Output

```json
{
  "@timestamp": "2026-03-07T10:15:23.456Z",
  "event": {
    "kind": "event",
    "module": "secret_net",
    "dataset": "secret_net.endpoint",
    "category": ["authentication"],
    "type": ["start"],
    "severity": 1,
    "outcome": "success"
  },
  "observer": {
    "vendor": "Security Code",
    "product": "Secret Net Studio",
    "version": "8.10.0.1573",
    "hostname": "SN-SRV01",
    "ip": ["10.1.0.15"]
  },
  "host": {
    "hostname": "DESKTOP-FIN02",
    "ip": ["10.1.10.35"],
    "mac": ["00:50:56:8a:23:45"],
    "os": { "name": "Windows 10", "version": "10.0.19045" },
    "domain": "CORP.ACME.COM"
  },
  "secret_net": {
    "event_id": 1000001,
    "event_class": "SN_AUTH_LOGIN_OK",
    "subsystem": "Идентификация и аутентификация",
    "action": "login_success",
    "description": "Успешный вход в систему",
    "auth_method": "password+token",
    "logon_type": 2,
    "computer_level": "Строго конфиденциально"
  },
  "user": {
    "name": "sidorova.en",
    "full_name": "Сидорова Елена Николаевна",
    "domain": "CORP"
  },
  "related": {
    "hosts": ["DESKTOP-FIN02"],
    "ip": ["10.1.10.35"],
    "user": ["sidorova.en"]
  }
}
```

Parameters
| Parameter | Default | Description |
|---|---|---|
| sn_version | 8.10.0.1573 | Secret Net Studio version |
| sn_server | SN-SRV01 | Secret Net management server hostname |
| sn_server_ip | 10.1.0.15 | Secret Net management server IP |
| domain | CORP.ACME.COM | Active Directory domain |
| organization | ACME Corp | Organization name |
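As an added example (not code from the content pack or from Eventum), a small Python checker for the generator's NDJSON output: it verifies the event_class prefix to event.category mapping given in the Event Types table, the host/user to related.* consistency visible in the sample output, and the shared monotonic event_id counter listed under Realism Features. The sample lines are constructed, and the class names SN_DEVICE_CONNECT and SN_CSE_BLOCK are hypothetical; only their prefixes come from this page.

```python
import json

# secret_net.event_class prefix -> expected event.category, from the Event Types table.
PREFIX_TO_CATEGORY = {
    "SN_AUTH_": "authentication", "SN_DAC_": "file", "SN_INTEGRITY_": "host",
    "SN_DEVICE_": "host", "SN_MAC_": "file", "SN_CSE_": "process",
    "SN_NET_": "network", "SN_DATA_": "file", "SN_AUDIT_": "configuration",
}

def check_event(ev):
    """Return the list of consistency problems in one parsed event (empty if clean)."""
    problems = []
    cls = ev.get("secret_net", {}).get("event_class", "")
    expected = next((c for p, c in PREFIX_TO_CATEGORY.items() if cls.startswith(p)), None)
    if expected is None:
        problems.append(f"unknown event_class {cls!r}")
    elif expected not in ev.get("event", {}).get("category", []):
        problems.append(f"{cls}: expected event.category {expected!r}")
    related = ev.get("related", {})
    if ev.get("host", {}).get("hostname") not in related.get("hosts", []):
        problems.append("host.hostname missing from related.hosts")
    if ev.get("user", {}).get("name") not in related.get("user", []):
        problems.append("user.name missing from related.user")
    return problems

def check_stream(lines):
    """Check every NDJSON line and enforce the shared monotonic event_id counter."""
    report, last_id = {}, None
    for n, line in enumerate(lines, 1):
        ev = json.loads(line)
        problems = check_event(ev)
        eid = ev["secret_net"]["event_id"]
        if last_id is not None and eid <= last_id:
            problems.append(f"event_id {eid} does not advance past {last_id}")
        last_id = eid
        if problems:
            report[n] = problems
    return report

# Constructed sample lines, trimmed to the fields checked. SN_DEVICE_CONNECT and
# SN_CSE_BLOCK are hypothetical class names; only their SN_* prefixes are documented.
SAMPLE = [
    '{"event":{"category":["authentication"]},"host":{"hostname":"DESKTOP-FIN02"},"user":{"name":"sidorova.en"},'
    '"secret_net":{"event_id":1000001,"event_class":"SN_AUTH_LOGIN_OK"},"related":{"hosts":["DESKTOP-FIN02"],"user":["sidorova.en"]}}',
    '{"event":{"category":["host"]},"host":{"hostname":"DESKTOP-FIN02"},"user":{"name":"sidorova.en"},'
    '"secret_net":{"event_id":1000002,"event_class":"SN_DEVICE_CONNECT"},"related":{"hosts":["DESKTOP-FIN02"],"user":["sidorova.en"]}}',
    '{"event":{"category":["file"]},"host":{"hostname":"DESKTOP-FIN02"},"user":{"name":"sidorova.en"},'
    '"secret_net":{"event_id":1000002,"event_class":"SN_CSE_BLOCK"},"related":{"hosts":["DESKTOP-FIN02"],"user":["ivanov.ii"]}}',
]
```

Running `check_stream(SAMPLE)` flags only the third line: wrong category for an SN_CSE_* class, a user missing from related.user, and a repeated event_id.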
Related Generators
Windows Security Event Log
The Security channel of Windows Event Log — logon/logoff sessions, process creation, privilege escalation, account management, and audit policy changes from a 120-host Active Directory fleet.
Windows PowerShell
PowerShell classic and operational channels — engine lifecycle, script block logging, module invocations, pipeline execution, and provider starts. Includes obfuscated command detection and suspicious script patterns.
Windows Sysmon
Sysmon (System Monitor) operational channel — process creation with full command lines, network connections, file creates, registry modifications, DNS queries, and WMI events. SwiftOnSecurity-style tuning.