Merge pull request #2135 from SEKOIA-IO/update-intake-documentation
Refresh intakes documentation
squioc authored Dec 19, 2024
2 parents 10d9db2 + 3a7d319 commit 0034ed2
Showing 11 changed files with 284 additions and 21 deletions.
Expand Up @@ -160,6 +160,125 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
```


=== "test_process_with_multiple_attachments.json"

```json

{
"message": "{\"aggregateId\": \"aggId1\", \"processingId\": \"AAA_123\", \"accountId\": \"ACCOUNT1\", \"action\": \"Acc\", \"timestamp\": 1733997069148, \"senderEnvelope\": \"[email protected]\", \"messageId\": \"[email protected]>\", \"subject\": \"TEST SEKOIA\", \"holdReason\": null, \"totalSizeAttachments\": \"183525\", \"numberAttachments\": \"0\", \"attachments\": \"\\\"~WRD0601.jpg\\\", \\\"image001.png\\\", \\\"image002.jpg\\\", \\\"image003.png\\\", \\\"image004.jpg\\\", \\\"image005.jpg\\\", \\\"image006.png\\\", \\\"image007.jpg\\\", \\\"image008.png\\\", \\\"image009.png\\\", \\\"image010.png\\\", \\\"image011.jpg\\\", \\\"image012.png\\\", \\\"image013.jpg\\\", \\\"image014.jpg\\\"\", \"emailSize\": \"204490\", \"type\": \"process\", \"subtype\": \"Acc\", \"_offset\": 292955, \"_partition\": 137}",
"event": {
"action": "Acc",
"category": [
"email"
],
"dataset": "process",
"provider": "Mimecast",
"type": [
"info"
]
},
"@timestamp": "2024-12-12T09:51:09.148000Z",
"email": {
"attachments": [
{
"file": {
"name": "~WRD0601.jpg"
}
},
{
"file": {
"name": "image001.png"
}
},
{
"file": {
"name": "image002.jpg"
}
},
{
"file": {
"name": "image003.png"
}
},
{
"file": {
"name": "image004.jpg"
}
},
{
"file": {
"name": "image005.jpg"
}
},
{
"file": {
"name": "image006.png"
}
},
{
"file": {
"name": "image007.jpg"
}
},
{
"file": {
"name": "image008.png"
}
},
{
"file": {
"name": "image009.png"
}
},
{
"file": {
"name": "image010.png"
}
},
{
"file": {
"name": "image011.jpg"
}
},
{
"file": {
"name": "image012.png"
}
},
{
"file": {
"name": "image013.jpg"
}
},
{
"file": {
"name": "image014.jpg"
}
}
],
"from": {
"address": [
"[email protected]"
]
},
"message_id": "[email protected]",
"to": {
"address": [
"null"
]
}
},
"mimecast": {
"siem": {
"aggregate_id": "aggId1",
"processing_id": "AAA_123"
}
}
}
```


=== "test_receipt.json"

```json
Expand Up @@ -77,6 +77,33 @@ In this section, you will find examples of raw logs as generated natively by the



=== "test_process_with_multiple_attachments"


```json
{
"aggregateId": "aggId1",
"processingId": "AAA_123",
"accountId": "ACCOUNT1",
"action": "Acc",
"timestamp": 1733997069148,
"senderEnvelope": "[email protected]",
"messageId": "[email protected]>",
"subject": "TEST SEKOIA",
"holdReason": null,
"totalSizeAttachments": "183525",
"numberAttachments": "0",
"attachments": "\"~WRD0601.jpg\", \"image001.png\", \"image002.jpg\", \"image003.png\", \"image004.jpg\", \"image005.jpg\", \"image006.png\", \"image007.jpg\", \"image008.png\", \"image009.png\", \"image010.png\", \"image011.jpg\", \"image012.png\", \"image013.jpg\", \"image014.jpg\"",
"emailSize": "204490",
"type": "process",
"subtype": "Acc",
"_offset": 292955,
"_partition": 137
}
```



=== "test_receipt"


Expand Up @@ -105,10 +105,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
]
},
"cloudflare": {
"WAFMatchedVar": "",
"WAFProfile": "unknown",
"WAFRuleID": "",
"WAFRuleMessage": "",
"WorkerCPUTime": 0,
"WorkerStatus": "unknown",
"WorkerSubrequest": false,
Expand Up @@ -109,10 +109,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"@timestamp": "2022-12-01T01:28:31.716000Z",
"cloudflare": {
"ClientIPClass": "noRecord",
"ClientRefererHost": "",
"ClientRefererPath": "",
"ClientRefererQuery": "",
"ClientRefererScheme": "",
"EdgeColoCode": "EWR",
"EdgeResponseStatus": 403,
"Kind": "firewall",
Expand Up @@ -1067,7 +1067,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
},
"@timestamp": "2021-03-01T21:20:13Z",
"cef": {
"Name": "",
"c6a1": "xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx",
"c6a1Label": "Device IPv6 Address",
"cat": "match_name1",
Expand Down Expand Up @@ -1190,7 +1189,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
},
"@timestamp": "2021-03-01T21:22:02Z",
"cef": {
"Name": "",
"cnt": 1,
"cs1": "allow-business-apps",
"cs1Label": "Rule",
Expand Up @@ -38,9 +38,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"destination": {
"port": 443
},
"host": {
"name": "tyR4LrYORLPlEIBp"
},
"http": {
"request": {
"method": "GET",
Expand Down Expand Up @@ -124,9 +121,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"ip": "172.26.8.20",
"port": 80
},
"host": {
"name": "tyR4LrYORLPlEIBp"
},
"http": {
"request": {
"bytes": 549,
Expand Down Expand Up @@ -219,9 +213,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"log_id": "11005607"
}
},
"host": {
"name": "vnx1hO5mF0pK4IR1"
},
"log": {
"hostname": "vnx1hO5mF0pK4IR1",
"level": "notice"
Expand Up @@ -502,6 +502,15 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"name": "Malicious File"
}
},
"url": {
"domain": "github.com",
"original": "https://github.com/redcanaryco/atomic-red-team.git",
"path": "/redcanaryco/atomic-red-team.git",
"port": 443,
"registered_domain": "github.com",
"scheme": "https",
"top_level_domain": "com"
},
"user": {
"name": "azureuser"
}
Expand Up @@ -780,6 +780,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
},
"process": {
"command_line": "/usr/lib/vmware/healthd/plugins/bin/ssdStorage.py ++group=healthd-plugins,mem=40 -u http://localhost:9996"
},
"url": {
"domain": "localhost",
"original": "http://localhost:9996",
"port": 9996,
"scheme": "http"
}
}
Expand Up @@ -201,6 +201,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"alert_time": "2024-01-15T08:13:47.621+00:00",
"alert_unique_id": "44c633d9-b38d-4acb-87a5-7db9bd8ab38a",
"execution": 0,
"grandparent": {
"process": {
"command_line": "winlogon.exe",
"executable": "C:\\Windows\\System32\\winlogon.exe"
}
},
"groups": [],
"level": "medium",
"status": "new",
Expand Down Expand Up @@ -297,6 +303,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"alert_time": "2024-01-17T08:19:06.071+00:00",
"alert_unique_id": "00000000-0000-0000-0000-000000000000",
"execution": 0,
"grandparent": {
"process": {
"command_line": "C:\\Windows\\system32\\userinit.exe",
"executable": "C:\\Windows\\System32\\userinit.exe"
}
},
"groups": [
"{\"id\": \"00000000-0000-0000-0000-000000000000\", \"name\": \"EXAMPLE\"}"
],
Expand Down Expand Up @@ -403,6 +415,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"alert_time": "2024-03-15T16:36:41.300+00:00",
"alert_unique_id": "7202cdc8-0db4-49b6-809b-f5ebca7e55c7",
"execution": 0,
"grandparent": {
"process": {
"command_line": "C:\\Windows\\system32\\svchost.exe-kDcomLaunch",
"executable": "C:\\Windows\\System32\\svchost.exe"
}
},
"groups": [
"{\"id\": \"19d20ee5-e12a-4f61-9321-edee5887ae1f\", \"name\": \"Servers\"}"
],
Expand Down Expand Up @@ -509,6 +527,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"alert_time": "2024-11-18T09:18:31.852+00:00",
"alert_unique_id": "11111111-2222-3333-4444-555555555555",
"execution": 0,
"grandparent": {
"process": {
"command_line": "C:\\WINDOWS\\system32\\services.exe",
"executable": "C:\\Windows\\System32\\services.exe"
}
},
"groups": [
"{\"id\": \"12345678-abcd-ef90-1234-123456abcdef\", \"name\": \"DOMAIN_Postes_de_travail_Windows\"}"
],
Expand Down Expand Up @@ -707,6 +731,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"alert_time": "2022-03-15T07:26:01.276+00:00",
"alert_unique_id": "00000000-0000-0000-0000-000000000000",
"execution": 0,
"grandparent": {
"process": {
"command_line": "C:\\Program Files (x86)\\EPOS\\EPOS Connect\\EPOSConnect.exe 1",
"executable": "C:\\Program Files (x86)\\EPOS\\EPOS Connect\\EPOSConnect.exe"
}
},
"level": "low",
"status": "false_positive"
},
Expand Down Expand Up @@ -1549,6 +1579,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"harfanglab": {
"grandparent": {
"process": {
"command_line": "C:\\Program Files (x86)\\CentraStage\\CagServi.exe",
"executable": "C:\\Program Files (x86)\\Centra\\CagServ.exe"
}
},
Expand Down Expand Up @@ -1729,6 +1760,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"alert_time": "2022-03-15T07:26:01.276+00:00",
"alert_unique_id": "00000000-0000-0000-0000-000000000000",
"execution": 0,
"grandparent": {
"process": {
"command_line": "C:\\Program Files (x86)\\EPOS\\EPOS Connect\\EPOSConnect.exe 1",
"executable": "C:\\Program Files (x86)\\EPOS\\EPOS Connect\\EPOSConnect.exe"
}
},
"level": "low",
"status": "false_positive"
},
Expand Down Expand Up @@ -1908,6 +1945,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"C:\\Windows\\test2.exe",
"C:\\Windows\\test3.exe"
],
"command_line": "C:\\Windows\\grandparent_commandline.exe -sLTService",
"executable": "C:\\Windows\\grandparent_image.exe"
}
},
Expand Down Expand Up @@ -3082,6 +3120,7 @@ The following table lists the fields that are extracted, normalized under the EC
|`harfanglab.count.users_impacted` | `number` | Total count of impacted users |
|`harfanglab.execution` | `long` | Execution time |
|`harfanglab.grandparent.process.ancestors` | `keyword` | All process parents |
|`harfanglab.grandparent.process.command_line` | `keyword` | |
|`harfanglab.grandparent.process.executable` | `keyword` | Absolute path to the grandparent process executable |
|`harfanglab.groups` | `keyword` | harfanglab groups |
|`harfanglab.level` | `keyword` | The risk level associated to the event |
