Refresh intakes documentation

SEKOIA-IO · Oct 3, 2023 · 02105f5 · 02105f5
1 parent 22f6426
commit 02105f5
Showing 1 changed file with 173 additions and 1 deletion.
diff --git a/...perations_center/integrations/generated/20876735-c423-4bbc-9d19-67edc91fb063.md b/...perations_center/integrations/generated/20876735-c423-4bbc-9d19-67edc91fb063.md
@@ -61,6 +61,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
                     "firstname": "Admin",
                     "lastname": "Admin"
                 },
+                "event": {
+                    "outcome": "SUCCESS"
+                },
                 "class": " audit.admin.com.rsa.ims.admin.impl.PrincipalAdministrationImpl",
                 "action": {
                     "name": "UPDATE_PRINCIPAL"
@@ -144,6 +147,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
                     "firstname": "Admin",
                     "lastname": "Admin"
                 },
+                "event": {
+                    "outcome": "SUCCESS"
+                },
                 "class": " audit.admin.com.rsa.authmgr.internal.admin.tokenmgt.impl.TokenAdministrationImpl",
                 "action": {
                     "name": "AM_UNLINK_TOKEN_PRINCIPAL"
@@ -184,6 +190,160 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 	```
 
 
+=== "test_audit_admin_event3.json"
+
+    ```json
+
+    {
+        "message": "11:26:43,377, example.intranet, audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl, ERROR, 6b746adf1d0646f7bcc518cd6ae4a16d,0e34d92f7c6549b19ed28471c02a049b,5.6.7.8,1.2.3.4,AUTHN_LOGIN_EVENT,23008,FAIL,AUTHN_METHOD_FAILED_SYNTAX_ERROR,,,,,admin,,,09f1f5fc30e947ce9e564d5a91745091,000000000000000000001000e0011000,1.2.3.4,source.hostname,1,,,,,,,1,,,,,,,,\n",
+        "event": {
+            "code": "23008",
+            "reason": "AUTHN_METHOD_FAILED_SYNTAX_ERROR",
+            "category": [
+                "authentication"
+            ],
+            "type": [
+                "start"
+            ]
+        },
+        "observer": {
+            "hostname": " example.intranet",
+            "serial_number": "0e34d92f7c6549b19ed28471c02a049b"
+        },
+        "source": {
+            "ip": "5.6.7.8",
+            "address": "5.6.7.8"
+        },
+        "log": {
+            "level": "ERROR"
+        },
+        "destination": {
+            "ip": "1.2.3.4",
+            "address": "1.2.3.4"
+        },
+        "agent": {
+            "id": "09f1f5fc30e947ce9e564d5a91745091",
+            "name": "source.hostname"
+        },
+        "rsa": {
+            "securid": {
+                "event": {
+                    "outcome": "FAIL"
+                },
+                "class": " audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl",
+                "action": {
+                    "name": "AUTHN_LOGIN_EVENT"
+                },
+                "agent": {
+                    "ip": "1.2.3.4",
+                    "domain": {
+                        "id": "000000000000000000001000e0011000"
+                    }
+                },
+                "policy": {
+                    "method": {
+                        "id": "1"
+                    }
+                }
+            }
+        },
+        "user": {
+            "name": "admin"
+        },
+        "related": {
+            "hosts": [
+                " example.intranet"
+            ],
+            "ip": [
+                "1.2.3.4",
+                "5.6.7.8"
+            ],
+            "user": [
+                "admin"
+            ]
+        }
+    }
+    	
+	```
+
+
+=== "test_audit_admin_event4.json"
+
+    ```json
+
+    {
+        "message": "11:26:43,377, example.intranet, audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl, ERROR, 6b746adf1d0646f7bcc518cd6ae4a16d,0e34d92f7c6549b19ed28471c02a049b,5.6.7.8,1.2.3.4,AUTHN_LOGIN_EVENT,23008,FAIL,AUTHN_PRINCIPAL_LOCKED,,,,,admin,,,09f1f5fc30e947ce9e564d5a91745091,000000000000000000001000e0011000,1.2.3.4,source.hostname,1,,,,,,,1,,,,,,,,\n",
+        "event": {
+            "code": "23008",
+            "reason": "AUTHN_PRINCIPAL_LOCKED",
+            "category": [
+                "authentication"
+            ],
+            "type": [
+                "start"
+            ]
+        },
+        "observer": {
+            "hostname": " example.intranet",
+            "serial_number": "0e34d92f7c6549b19ed28471c02a049b"
+        },
+        "source": {
+            "ip": "5.6.7.8",
+            "address": "5.6.7.8"
+        },
+        "log": {
+            "level": "ERROR"
+        },
+        "destination": {
+            "ip": "1.2.3.4",
+            "address": "1.2.3.4"
+        },
+        "agent": {
+            "id": "09f1f5fc30e947ce9e564d5a91745091",
+            "name": "source.hostname"
+        },
+        "rsa": {
+            "securid": {
+                "event": {
+                    "outcome": "FAIL"
+                },
+                "class": " audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl",
+                "action": {
+                    "name": "AUTHN_LOGIN_EVENT"
+                },
+                "agent": {
+                    "ip": "1.2.3.4",
+                    "domain": {
+                        "id": "000000000000000000001000e0011000"
+                    }
+                },
+                "policy": {
+                    "method": {
+                        "id": "1"
+                    }
+                }
+            }
+        },
+        "user": {
+            "name": "admin"
+        },
+        "related": {
+            "hosts": [
+                " example.intranet"
+            ],
+            "ip": [
+                "1.2.3.4",
+                "5.6.7.8"
+            ],
+            "user": [
+                "admin"
+            ]
+        }
+    }
+    	
+	```
+
+
 === "test_audit_runtime_event.json"
 
     ```json
@@ -221,6 +381,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
         },
         "rsa": {
             "securid": {
+                "event": {
+                    "outcome": "FAIL"
+                },
                 "class": " audit.runtime.com.rsa.authmgr.internal.protocol.ace.AuthV4RequestHandler",
                 "action": {
                     "name": "AUTH_PRINCIPAL_RESOLUTION"
@@ -298,6 +461,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
                 "user": {
                     "firstname": "HDTCO04"
                 },
+                "event": {
+                    "outcome": "SUCCESS"
+                },
                 "class": " audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl",
                 "action": {
                     "name": "AUTHN_LOGIN_EVENT"
@@ -382,6 +548,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
                     "firstname": "Admin",
                     "lastname": "Admin"
                 },
+                "event": {
+                    "outcome": "SUCCESS"
+                },
                 "class": " audit.runtime.com.rsa.ims.session.impl.SessionManagerImpl",
                 "action": {
                     "name": "AUTHN_LOGOUT_EVENT"
@@ -519,6 +688,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
         },
         "rsa": {
             "securid": {
+                "event": {
+                    "outcome": "SUCCESS"
+                },
                 "class": " system.com.rsa.ims.configuration.impl.ConfigurationServiceImpl",
                 "action": {
                     "name": "CONF_VALUE_UPDATED"
@@ -551,7 +723,6 @@ The following table lists the fields that are extracted, normalized under the EC
 |`agent.name` | `keyword` | Custom name of the agent. |
 |`destination.ip` | `ip` | IP address of the destination. |
 |`event.code` | `keyword` | Identification code for this event. |
-|`event.outcome` | `keyword` | The outcome of the event. The lowest level categorization field in the hierarchy. |
 |`event.reason` | `keyword` | Reason why this event happened, according to the source |
 |`log.level` | `keyword` | Log level of the log event. |
 |`observer.hostname` | `keyword` | Hostname of the observer. |
@@ -563,6 +734,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`rsa.securid.agent.ip` | `keywords` | This field represents the IP address of the agent (server or application) that generated the SecureID event. |
 |`rsa.securid.class` | `keywords` | represents the class or category of an RSA SecureID event. It is a keyword field, which means it can be used to group and filter events based on the SecureID class they belong to. |
 |`rsa.securid.domain.id` | `keywords` | represents the unique ID of the domain or realm associated with a SecureID event. |
+|`rsa.securid.event.outcome` | `keywords` | The outcome of the event |
 |`rsa.securid.objects.id` | `keywords` | represents the unique ID of the object associated with a SecureID event. |
 |`rsa.securid.objects.name` | `keywords` | represents the name of the object associated with a SecureID event. |
 |`rsa.securid.objects.security.id` | `keywords` | represents the unique ID of the security context associated with the object in a SecureID event. |