diff --git a/_shared_content/operations_center/integrations/generated/041e915e-2fb6-4604-9b24-902c9daa2d3c.md b/_shared_content/operations_center/integrations/generated/041e915e-2fb6-4604-9b24-902c9daa2d3c.md
index 98aba189b..3f6f71eb4 100644
--- a/_shared_content/operations_center/integrations/generated/041e915e-2fb6-4604-9b24-902c9daa2d3c.md
+++ b/_shared_content/operations_center/integrations/generated/041e915e-2fb6-4604-9b24-902c9daa2d3c.md
@@ -160,6 +160,125 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_process_with_multiple_attachments.json" + + ```json + + { + "message": "{\"aggregateId\": \"aggId1\", \"processingId\": \"AAA_123\", \"accountId\": \"ACCOUNT1\", \"action\": \"Acc\", \"timestamp\": 1733997069148, \"senderEnvelope\": \"johndoe@gmail.com\", \"messageId\": \"1@mail.gmail.com>\", \"subject\": \"TEST SEKOIA\", \"holdReason\": null, \"totalSizeAttachments\": \"183525\", \"numberAttachments\": \"0\", \"attachments\": \"\\\"~WRD0601.jpg\\\", \\\"image001.png\\\", \\\"image002.jpg\\\", \\\"image003.png\\\", \\\"image004.jpg\\\", \\\"image005.jpg\\\", \\\"image006.png\\\", \\\"image007.jpg\\\", \\\"image008.png\\\", \\\"image009.png\\\", \\\"image010.png\\\", \\\"image011.jpg\\\", \\\"image012.png\\\", \\\"image013.jpg\\\", \\\"image014.jpg\\\"\", \"emailSize\": \"204490\", \"type\": \"process\", \"subtype\": \"Acc\", \"_offset\": 292955, \"_partition\": 137}", + "event": { + "action": "Acc", + "category": [ + "email" + ], + "dataset": "process", + "provider": "Mimecast", + "type": [ + "info" + ] + }, + "@timestamp": "2024-12-12T09:51:09.148000Z", + "email": { + "attachments": [ + { + "file": { + "name": "~WRD0601.jpg" + } + }, + { + "file": { + "name": "image001.png" + } + }, + { + "file": { + "name": "image002.jpg" + } + }, + { + "file": { + "name": "image003.png" + } + }, + { + "file": { + "name": "image004.jpg" + } + }, + { + "file": { + "name": "image005.jpg" + } + }, + { + "file": { + "name": "image006.png" + } + }, + { + "file": { + "name": "image007.jpg" + } + }, + { + "file": { + "name": "image008.png" + } + }, + { + "file": { + "name": "image009.png" + } + }, + { + "file": { + "name": "image010.png" + } + }, + { + "file": { + "name": "image011.jpg" + } + }, + { + "file": { + "name": "image012.png" + } + }, + { + "file": { + "name": "image013.jpg" + } + }, + { + "file": { + "name": "image014.jpg" + } + } + ], + "from": { + "address": 
[ + "johndoe@gmail.com" + ] + }, + "message_id": "1@mail.gmail.com", + "to": { + "address": [ + "null" + ] + } + }, + "mimecast": { + "siem": { + "aggregate_id": "aggId1", + "processing_id": "AAA_123" + } + } + } + + ``` + + === "test_receipt.json" ```json
diff --git a/_shared_content/operations_center/integrations/generated/041e915e-2fb6-4604-9b24-902c9daa2d3c_sample.md b/_shared_content/operations_center/integrations/generated/041e915e-2fb6-4604-9b24-902c9daa2d3c_sample.md
index 904e4b937..65db03979 100644
--- a/_shared_content/operations_center/integrations/generated/041e915e-2fb6-4604-9b24-902c9daa2d3c_sample.md
+++ b/_shared_content/operations_center/integrations/generated/041e915e-2fb6-4604-9b24-902c9daa2d3c_sample.md
@@ -77,6 +77,33 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_process_with_multiple_attachments" + + + ```json + { + "aggregateId": "aggId1", + "processingId": "AAA_123", + "accountId": "ACCOUNT1", + "action": "Acc", + "timestamp": 1733997069148, + "senderEnvelope": "johndoe@gmail.com", + "messageId": "1@mail.gmail.com>", + "subject": "TEST SEKOIA", + "holdReason": null, + "totalSizeAttachments": "183525", + "numberAttachments": "0", + "attachments": "\"~WRD0601.jpg\", \"image001.png\", \"image002.jpg\", \"image003.png\", \"image004.jpg\", \"image005.jpg\", \"image006.png\", \"image007.jpg\", \"image008.png\", \"image009.png\", \"image010.png\", \"image011.jpg\", \"image012.png\", \"image013.jpg\", \"image014.jpg\"", + "emailSize": "204490", + "type": "process", + "subtype": "Acc", + "_offset": 292955, + "_partition": 137 + } + ``` + + + === "test_receipt"
diff --git a/_shared_content/operations_center/integrations/generated/0ba58f32-7dba-4084-ab17-90c0be6b1f10.md b/_shared_content/operations_center/integrations/generated/0ba58f32-7dba-4084-ab17-90c0be6b1f10.md
index 9e39cd40a..c356f25c6 100644
--- a/_shared_content/operations_center/integrations/generated/0ba58f32-7dba-4084-ab17-90c0be6b1f10.md
+++ b/_shared_content/operations_center/integrations/generated/0ba58f32-7dba-4084-ab17-90c0be6b1f10.md
@@ -105,10 +105,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 ]
 },
 "cloudflare": {
- "WAFMatchedVar": "",
 "WAFProfile": "unknown",
- "WAFRuleID": "",
- "WAFRuleMessage": "",
 "WorkerCPUTime": 0,
 "WorkerStatus": "unknown",
 "WorkerSubrequest": false,
diff --git a/_shared_content/operations_center/integrations/generated/16676d72-463e-4b8a-b13a-f8dd48cddc8c.md b/_shared_content/operations_center/integrations/generated/16676d72-463e-4b8a-b13a-f8dd48cddc8c.md
index 779ee9073..073dc4dd7 100644
--- a/_shared_content/operations_center/integrations/generated/16676d72-463e-4b8a-b13a-f8dd48cddc8c.md
+++ b/_shared_content/operations_center/integrations/generated/16676d72-463e-4b8a-b13a-f8dd48cddc8c.md
@@ -109,10 +109,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "@timestamp": "2022-12-01T01:28:31.716000Z",
 "cloudflare": {
 "ClientIPClass": "noRecord",
- "ClientRefererHost": "",
- "ClientRefererPath": "",
- "ClientRefererQuery": "",
- "ClientRefererScheme": "",
 "EdgeColoCode": "EWR",
 "EdgeResponseStatus": 403,
 "Kind": "firewall",
diff --git a/_shared_content/operations_center/integrations/generated/1d172ee6-cdc0-4713-9cfd-43f7d9595777.md b/_shared_content/operations_center/integrations/generated/1d172ee6-cdc0-4713-9cfd-43f7d9595777.md
index 2219d98cf..3adfdb804 100644
--- a/_shared_content/operations_center/integrations/generated/1d172ee6-cdc0-4713-9cfd-43f7d9595777.md
+++ b/_shared_content/operations_center/integrations/generated/1d172ee6-cdc0-4713-9cfd-43f7d9595777.md
@@ -1067,7 +1067,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 },
 "@timestamp": "2021-03-01T21:20:13Z",
 "cef": {
- "Name": "",
 "c6a1": "xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx",
 "c6a1Label": "Device IPv6 Address",
 "cat": "match_name1",
@@ -1190,7 +1189,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 },
 "@timestamp": "2021-03-01T21:22:02Z",
 "cef": {
- "Name": "",
 "cnt": 1,
 "cs1": "allow-business-apps",
 "cs1Label": "Rule",
diff --git a/_shared_content/operations_center/integrations/generated/2259adc3-9d93-4150-9c1c-46804e636084.md b/_shared_content/operations_center/integrations/generated/2259adc3-9d93-4150-9c1c-46804e636084.md
index b164ab589..0e2105846 100644
--- a/_shared_content/operations_center/integrations/generated/2259adc3-9d93-4150-9c1c-46804e636084.md
+++ b/_shared_content/operations_center/integrations/generated/2259adc3-9d93-4150-9c1c-46804e636084.md
@@ -38,9 +38,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "destination": {
 "port": 443
 },
- "host": {
- "name": "tyR4LrYORLPlEIBp"
- },
 "http": {
 "request": {
 "method": "GET",
@@ -124,9 +121,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "ip": "172.26.8.20",
 "port": 80
 },
- "host": {
- "name": "tyR4LrYORLPlEIBp"
- },
 "http": {
 "request": {
 "bytes": 549,
@@ -219,9 +213,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "log_id": "11005607"
 }
 },
- "host": {
- "name": "vnx1hO5mF0pK4IR1"
- },
 "log": {
 "hostname": "vnx1hO5mF0pK4IR1",
 "level": "notice"
diff --git a/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md b/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md
index 4f810ff57..8b5457758 100644
--- a/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md
+++ b/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md
@@ -502,6 +502,15 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "name": "Malicious File"
 }
 },
+ "url": {
+ "domain": "github.com",
+ "original": "https://github.com/redcanaryco/atomic-red-team.git",
+ "path": "/redcanaryco/atomic-red-team.git",
+ "port": 443,
+ "registered_domain": "github.com",
+ "scheme": "https",
+ "top_level_domain": "com"
+ },
 "user": {
 "name": "azureuser"
 }
diff --git a/_shared_content/operations_center/integrations/generated/2b13307b-7439-4973-900a-2b58303cac90.md b/_shared_content/operations_center/integrations/generated/2b13307b-7439-4973-900a-2b58303cac90.md
index 806b333ea..7679191d5 100644
--- a/_shared_content/operations_center/integrations/generated/2b13307b-7439-4973-900a-2b58303cac90.md
+++ b/_shared_content/operations_center/integrations/generated/2b13307b-7439-4973-900a-2b58303cac90.md
@@ -780,6 +780,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 },
 "process": {
 "command_line": "/usr/lib/vmware/healthd/plugins/bin/ssdStorage.py ++group=healthd-plugins,mem=40 -u http://localhost:9996"
+ },
+ "url": {
+ "domain": "localhost",
+ "original": "http://localhost:9996",
+ "port": 9996,
+ "scheme": "http"
 }
 }
 
diff --git a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md
index 8fc4a5839..5bd7f9443 100644
--- a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md
+++ b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md
@@ -201,6 +201,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "alert_time": "2024-01-15T08:13:47.621+00:00",
 "alert_unique_id": "44c633d9-b38d-4acb-87a5-7db9bd8ab38a",
 "execution": 0,
+ "grandparent": {
+ "process": {
+ "command_line": "winlogon.exe",
+ "executable": "C:\\Windows\\System32\\winlogon.exe"
+ }
+ },
 "groups": [],
 "level": "medium",
 "status": "new",
@@ -297,6 +303,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "alert_time": "2024-01-17T08:19:06.071+00:00",
 "alert_unique_id": "00000000-0000-0000-0000-000000000000",
 "execution": 0,
+ "grandparent": {
+ "process": {
+ "command_line": "C:\\Windows\\system32\\userinit.exe",
+ "executable": "C:\\Windows\\System32\\userinit.exe"
+ }
+ },
 "groups": [
 "{\"id\": \"00000000-0000-0000-0000-000000000000\", \"name\": \"EXAMPLE\"}"
 ],
@@ -403,6 +415,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "alert_time": "2024-03-15T16:36:41.300+00:00",
 "alert_unique_id": "7202cdc8-0db4-49b6-809b-f5ebca7e55c7",
 "execution": 0,
+ "grandparent": {
+ "process": {
+ "command_line": "C:\\Windows\\system32\\svchost.exe-kDcomLaunch",
+ "executable": "C:\\Windows\\System32\\svchost.exe"
+ }
+ },
 "groups": [
 "{\"id\": \"19d20ee5-e12a-4f61-9321-edee5887ae1f\", \"name\": \"Servers\"}"
 ],
@@ -509,6 +527,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "alert_time": "2024-11-18T09:18:31.852+00:00",
 "alert_unique_id": "11111111-2222-3333-4444-555555555555",
 "execution": 0,
+ "grandparent": {
+ "process": {
+ "command_line": "C:\\WINDOWS\\system32\\services.exe",
+ "executable": "C:\\Windows\\System32\\services.exe"
+ }
+ },
 "groups": [
 "{\"id\": \"12345678-abcd-ef90-1234-123456abcdef\", \"name\": \"DOMAIN_Postes_de_travail_Windows\"}"
 ],
@@ -707,6 +731,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "alert_time": "2022-03-15T07:26:01.276+00:00",
 "alert_unique_id": "00000000-0000-0000-0000-000000000000",
 "execution": 0,
+ "grandparent": {
+ "process": {
+ "command_line": "C:\\Program Files (x86)\\EPOS\\EPOS Connect\\EPOSConnect.exe 1",
+ "executable": "C:\\Program Files (x86)\\EPOS\\EPOS Connect\\EPOSConnect.exe"
+ }
+ },
 "level": "low",
 "status": "false_positive"
 },
@@ -1549,6 +1579,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "harfanglab": {
 "grandparent": {
 "process": {
+ "command_line": "C:\\Program Files (x86)\\CentraStage\\CagServi.exe",
 "executable": "C:\\Program Files (x86)\\Centra\\CagServ.exe"
 }
 },
@@ -1729,6 +1760,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "alert_time": "2022-03-15T07:26:01.276+00:00",
 "alert_unique_id": "00000000-0000-0000-0000-000000000000",
 "execution": 0,
+ "grandparent": {
+ "process": {
+ "command_line": "C:\\Program Files (x86)\\EPOS\\EPOS Connect\\EPOSConnect.exe 1",
+ "executable": "C:\\Program Files (x86)\\EPOS\\EPOS Connect\\EPOSConnect.exe"
+ }
+ },
 "level": "low",
 "status": "false_positive"
 },
@@ -1908,6 +1945,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "C:\\Windows\\test2.exe",
 "C:\\Windows\\test3.exe"
 ],
+ "command_line": "C:\\Windows\\grandparent_commandline.exe -sLTService",
 "executable": "C:\\Windows\\grandparent_image.exe"
 }
 },
@@ -3082,6 +3120,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`harfanglab.count.users_impacted` | `number` | Total count of impacted users |
 |`harfanglab.execution` | `long` | Execution time |
 |`harfanglab.grandparent.process.ancestors` | `keyword` | All process parents |
+|`harfanglab.grandparent.process.command_line` | `keyword` | |
 |`harfanglab.grandparent.process.executable` | `keyword` | Absolute path to the grandparent process executable |
 |`harfanglab.groups` | `keyword` | harfanglab groups |
 |`harfanglab.level` | `keyword` | The risk level associated to the event |
diff --git a/_shared_content/operations_center/integrations/generated/8510051d-c7cf-4b0c-a398-031afe91faa0.md b/_shared_content/operations_center/integrations/generated/8510051d-c7cf-4b0c-a398-031afe91faa0.md
index fd2f84807..45a011b7b 100644
--- a/_shared_content/operations_center/integrations/generated/8510051d-c7cf-4b0c-a398-031afe91faa0.md
+++ b/_shared_content/operations_center/integrations/generated/8510051d-c7cf-4b0c-a398-031afe91faa0.md
@@ -65,7 +65,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "carp": {
 "advbase": "1",
 "advskew": "0",
- "type": 3,
+ "type": "3",
 "version": "2",
 "vhid": "13"
 },
@@ -100,6 +100,79 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_ingest_ipv4_carp_logs_1.json" + + ```json + + { + "message": "53,,,1000000202,em1,match,pass,in,4,0xe0,,255,0,0,DF,112,carp,56,1.2.3.4,5.6.7.8,advertise,255,1,2,0,1", + "event": { + "action": "pass", + "category": [ + "network" + ], + "reason": "match", + "type": [ + "allowed" + ] + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "network": { + "bytes": 56, + "direction": "inbound", + "iana_number": "112", + "transport": "carp" + }, + "observer": { + "ingress": { + "interface": { + "name": "em1" + } + } + }, + "openbsd": { + "pf": { + "carp": { + "advbase": "1", + "advskew": "0", + "type": "advertise", + "version": "2", + "vhid": "1" + }, + "event": { + "tracker": { + "id": "1000000202" + } + }, + "routing": { + "class": "0xe0", + "flags": "DF", + "hoplimit": 255, + "offset": 0 + } + } + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "id": "53" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } + + ``` + + === "test_ingest_ipv4_icmp_logs.json" ```json
@@ -352,7 +352,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 "carp": {
 "advbase": "4",
 "advskew": "3",
- "type": 3,
+ "type": "3",
 "version": "2",
 "vhid": "1"
 },
@@ -634,7 +707,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`observer.ingress.interface.name` | `keyword` | Interface name |
 |`openbsd.pf.carp.advbase` | `keyword` | |
 |`openbsd.pf.carp.advskew` | `keyword` | |
-|`openbsd.pf.carp.type` | `number` | |
+|`openbsd.pf.carp.type` | `keyword` | |
 |`openbsd.pf.carp.version` | `keyword` | |
 |`openbsd.pf.carp.vhid` | `keyword` | The identifier of the virtual host that the appliance belong to in the CARP virtual group |
 |`openbsd.pf.event.tracker.id` | `tracker` | tracker ID |
diff --git a/_shared_content/operations_center/integrations/generated/8510051d-c7cf-4b0c-a398-031afe91faa0_sample.md b/_shared_content/operations_center/integrations/generated/8510051d-c7cf-4b0c-a398-031afe91faa0_sample.md
index dbad6b11a..b17abc920 100644
--- a/_shared_content/operations_center/integrations/generated/8510051d-c7cf-4b0c-a398-031afe91faa0_sample.md
+++ b/_shared_content/operations_center/integrations/generated/8510051d-c7cf-4b0c-a398-031afe91faa0_sample.md
@@ -12,6 +12,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_ingest_ipv4_carp_logs_1" + + ``` + 53,,,1000000202,em1,match,pass,in,4,0xe0,,255,0,0,DF,112,carp,56,1.2.3.4,5.6.7.8,advertise,255,1,2,0,1 + ``` + + + === "test_ingest_ipv4_icmp_logs" ```