From f84a7760c1ac4e28ffb52ee5e2fc05dcd9036104 Mon Sep 17 00:00:00 2001
From: "sekoia-io-cross-repo-comm-app[bot]"
Date: Wed, 13 Dec 2023 09:49:46 +0000
Subject: [PATCH] Refresh intakes documentation

---
.../05e6f36d-cee0-4f06-b575-9e43af779f9f.md | 214 ++++++++++++++++-
.../fc99c983-3e6c-448c-97e6-7e0948e12415.md | 217 ++++++++++++++++++
2 files changed, 430 insertions(+), 1 deletion(-)
create mode 100644 _shared_content/operations_center/integrations/generated/fc99c983-3e6c-448c-97e6-7e0948e12415.md

diff --git a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md
index 0e87eb74a5..95469f90f8 100644
--- a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md
+++ b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md
@@ -35,7 +35,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | | Kind | `alert`, `enrichment`, `event` | -| Category | `authentication`, `connection`, `email`, `file`, `host`, `iam`, `network`, `process`, `threat` | +| Category | `authentication`, `connection`, `email`, `file`, `host`, `iam`, `intrusion_detection`, `network`, `process`, `threat` | | Type | `indicator`, `info` |
@@ -46,6 +46,212 @@ In details, the following table denotes the type of events produced by this inte Find below few samples of events and how they are normalized by Sekoia.io. +=== "test_alert_evidence.json" + + ```json + + { + "message": "{\"time\": \"2023-09-28T16:17:08.7649196Z\", \"tenantId\": \"4b05a653-e372-418d-9bd0-ba2383d1673e\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-AlertEvidence\", \"properties\": {\"Timestamp\": \"2023-09-28T16:15:29.9227997Z\", \"AlertId\": \"dadca6b5e5-5ab9-4a96-9dbb-ba2f8e7756e3_1\", \"EntityType\": \"Process\", \"EvidenceRole\": \"Related\", \"SHA1\": \"f1d50e0d3e0ba197baf152614e0cd94487a1142e\", \"SHA256\": \"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\", \"RemoteIP\": null, \"LocalIP\": null, \"RemoteUrl\": null, \"AccountName\": null, \"AccountDomain\": null, \"AccountSid\": null, \"AccountObjectId\": null, \"DeviceId\": null, \"ThreatFamily\": null, \"EvidenceDirection\": null, \"AdditionalFields\": \"{\\\"$id\\\":\\\"1\\\",\\\"ProcessId\\\":\\\"19060\\\",\\\"CommandLine\\\":\\\"splwow64.exe 
8192\\\",\\\"ElevationToken\\\":\\\"Default\\\",\\\"CreationTimeUtc\\\":\\\"2023-09-28T16:15:28.7714877Z\\\",\\\"ImageFile\\\":{\\\"$id\\\":\\\"2\\\",\\\"Directory\\\":\\\"C:\\\\\\\\Windows\\\",\\\"Name\\\":\\\"splwow64.exe\\\",\\\"Host\\\":{\\\"$id\\\":\\\"3\\\",\\\"DnsDomain\\\":\\\"example.org\\\",\\\"HostName\\\":\\\"vm0242\\\",\\\"NetBiosName\\\":\\\"vm0242.example.org\\\",\\\"OSFamily\\\":\\\"Windows\\\",\\\"OSVersion\\\":\\\"10.0\\\",\\\"IsDomainJoined\\\":true,\\\"IpInterfaces\\\":[{\\\"$id\\\":\\\"4\\\",\\\"Address\\\":\\\"10.11.22.33\\\",\\\"Type\\\":\\\"ip\\\"},{\\\"$id\\\":\\\"5\\\",\\\"Address\\\":\\\"22b0:8f31:eff3:7b6e:3277:2f79:ca62:7ec0\\\",\\\"Type\\\":\\\"ip\\\"},{\\\"$id\\\":\\\"6\\\",\\\"Address\\\":\\\"127.0.0.1\\\",\\\"Type\\\":\\\"ip\\\"},{\\\"$id\\\":\\\"7\\\",\\\"Address\\\":\\\"::1\\\",\\\"Type\\\":\\\"ip\\\"}],\\\"RemediationProviders\\\":[{\\\"RemediationState\\\":\\\"Active\\\",\\\"RemediationDate\\\":\\\"2023-09-28T16:16:56.6015218Z\\\",\\\"Type\\\":\\\"remediation-provider\\\"}],\\\"LastRemediationState\\\":\\\"Active\\\",\\\"ThreatAnalysisSummary\\\":[{\\\"AnalyzersResult\\\":[],\\\"Verdict\\\":\\\"Suspicious\\\",\\\"AnalysisDate\\\":\\\"2023-09-28T16:16:56.6015218Z\\\"}],\\\"LastVerdict\\\":\\\"Suspicious\\\",\\\"Metadata\\\":{\\\"MachineEnrichmentInfo\\\":\\\"{\\\\\\\"MachineId\\\\\\\":\\\\\\\"7e7a44995a4d4f09be53dce4fe9eb1db\\\\\\\",\\\\\\\"HostName\\\\\\\":\\\\\\\"vm0242\\\\\\\",\\\\\\\"DnsDomain\\\\\\\":\\\\\\\"example.org\\\\\\\",\\\\\\\"IpAddress\\\\\\\":null,\\\\\\\"FoundBy\\\\\\\":[3],\\\\\\\"LastSeen\\\\\\\":\\\\\\\"2023-09-28T06:59:18.6059012Z\\\\\\\",\\\\\\\"RbacGroupId\\\\\\\":0,\\\\\\\"MachineTagsJson\\\\\\\":null,\\\\\\\"MachineGroup\\\\\\\":null,\\\\\\\"OsPlatform\\\\\\\":\\\\\\\"Windows10\\\\\\\",\\\\\\\"SenseClientVersion\\\\\\\":\\\\\\\"10.8570.19045.3448\\\\\\\"}\\\"},\\\"Asset\\\":true,\\\"DetailedRoles\\\":[\\\"PrimaryDevice\\\"],\\\"RbacScopes\\\":{\\\"ScopesPerType\\\":{\\\"MachineGroupIds\\\":{\\\"Mode\\\":\\
\"Any\\\",\\\"Scopes\\\":[\\\"0\\\"]},\\\"Workloads\\\":{\\\"Mode\\\":\\\"All\\\",\\\"Scopes\\\":[\\\"Mdatp\\\"]}}},\\\"Type\\\":\\\"host\\\",\\\"LeadingHost\\\":true,\\\"Role\\\":0,\\\"MachineId\\\":\\\"7e7a44995a4d4f09be53dce4fe9eb1db\\\",\\\"MachineIdType\\\":3,\\\"HostMachineId\\\":null,\\\"DetectionStatus\\\":\\\"Detected\\\",\\\"SuspicionLevel\\\":\\\"Suspicious\\\",\\\"EnrichmentType\\\":\\\"MachineIpInterfacesEnrichment\\\",\\\"IsIoc\\\":false,\\\"MergeByKey\\\":\\\"6JC4Lo9GK4MkdUKN6MFPCSfA/no=\\\",\\\"MergeByKeyHex\\\":\\\"E890B82E8F462B832475428DE8C14F0927C0FE7A\\\"},\\\"SizeInBytes\\\":163840,\\\"FileHashes\\\":[{\\\"$id\\\":\\\"8\\\",\\\"Algorithm\\\":\\\"SHA1\\\",\\\"Value\\\":\\\"f1d50e0d3e0ba197baf152614e0cd94487a1142e\\\",\\\"Type\\\":\\\"filehash\\\"},{\\\"$id\\\":\\\"9\\\",\\\"Algorithm\\\":\\\"MD5\\\",\\\"Value\\\":\\\"9b77f02583b95c7c5fe59ab2884f2817\\\",\\\"Type\\\":\\\"filehash\\\"},{\\\"$id\\\":\\\"10\\\",\\\"Algorithm\\\":\\\"SHA256\\\",\\\"Value\\\":\\\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\\\",\\\"Type\\\":\\\"filehash\\\"}],\\\"CreatedTimeUtc\\\":\\\"2023-09-22T07:12:05.262923Z\\\",\\\"Type\\\":\\\"file\\\",\\\"LsHash\\\":\\\"6fe9d57dbf6d9a5a77d9a667ebddf556df977bda6ef576dd7e67b5ae5e95665db77e9bd9fefbdeaae6ba9f55a56eae99b5ef9fa6bdaebfa7b95a5bd9f9df7bfa\\\",\\\"IsPe\\\":true,\\\"LastAccessTimeUtc\\\":\\\"2023-09-28T16:15:28.8773106Z\\\",\\\"LastWriteTimeUtc\\\":\\\"2023-09-22T07:12:05.2726183Z\\\",\\\"Publisher\\\":\\\"Microsoft 
Corporation\\\",\\\"KnownPrevalence\\\":151790,\\\"FirstSeen\\\":\\\"2023-08-22T17:20:03.9270115\\\"},\\\"Account\\\":{\\\"$id\\\":\\\"11\\\",\\\"Name\\\":\\\"mgarcia\\\",\\\"NTDomain\\\":\\\"EXAMPLE\\\",\\\"UPNSuffix\\\":\\\"example.org\\\",\\\"Host\\\":{\\\"$ref\\\":\\\"3\\\"},\\\"Sid\\\":\\\"S-1-5-21-111111111-222222222-333333333-44444\\\",\\\"AadUserId\\\":\\\"cccf9f83-f960-467d-ab75-69cbee32c59e\\\",\\\"IsDomainJoined\\\":true,\\\"RemediationProviders\\\":[{\\\"RemediationState\\\":\\\"Active\\\",\\\"RemediationDate\\\":\\\"2023-09-28T16:16:56.6015218Z\\\",\\\"Type\\\":\\\"remediation-provider\\\"}],\\\"LastRemediationState\\\":\\\"Active\\\",\\\"ThreatAnalysisSummary\\\":[{\\\"AnalyzersResult\\\":[],\\\"Verdict\\\":\\\"Suspicious\\\",\\\"AnalysisDate\\\":\\\"2023-09-28T16:16:56.6015218Z\\\"}],\\\"LastVerdict\\\":\\\"Suspicious\\\",\\\"Asset\\\":true,\\\"RbacScopes\\\":{\\\"ScopesPerType\\\":{\\\"MachineGroupIds\\\":{\\\"Mode\\\":\\\"Any\\\",\\\"Scopes\\\":[\\\"0\\\"]},\\\"Workloads\\\":{\\\"Mode\\\":\\\"All\\\",\\\"Scopes\\\":[\\\"Mdatp\\\"]}}},\\\"Type\\\":\\\"account\\\",\\\"UserPrincipalName\\\":\\\"jane.doe@example.org\\\",\\\"Role\\\":0,\\\"ReferenceId\\\":\\\"b64e0541-4393-41d6-8d18-8be31b30daee:ae2bc63238bc\\\",\\\"DetectionStatus\\\":\\\"Detected\\\",\\\"SuspicionLevel\\\":\\\"Suspicious\\\",\\\"IsIoc\\\":true,\\\"MergeByKey\\\":\\\"rRAMCzzVjzarq8zZIW8y9uZLSWg=\\\",\\\"MergeByKeyHex\\\":\\\"AD100C0B3CD58F36ABABCCD9216F32F6E64B4968\\\"},\\\"ParentProcess\\\":{\\\"$id\\\":\\\"12\\\",\\\"ProcessId\\\":\\\"12636\\\",\\\"CreationTimeUtc\\\":\\\"2023-09-28T16:15:23.5645558Z\\\",\\\"ImageFile\\\":{\\\"$id\\\":\\\"13\\\",\\\"Directory\\\":\\\"\\\\\\\\Device\\\\\\\\HarddiskVolume3\\\\\\\\Program Files (x86)\\\\\\\\Adobe\\\\\\\\Acrobat Reader 
DC\\\\\\\\Reader\\\",\\\"Name\\\":\\\"AcroRd32.exe\\\",\\\"Host\\\":{\\\"$ref\\\":\\\"3\\\"},\\\"Type\\\":\\\"file\\\"},\\\"Host\\\":{\\\"$ref\\\":\\\"3\\\"},\\\"CreatedTimeUtc\\\":\\\"2023-09-28T16:15:23.5645558Z\\\",\\\"Type\\\":\\\"process\\\"},\\\"Host\\\":{\\\"$ref\\\":\\\"3\\\"},\\\"CreatedTimeUtc\\\":\\\"2023-09-28T16:15:28.7714877Z\\\",\\\"RemediationProviders\\\":[{\\\"RemediationState\\\":\\\"Active\\\",\\\"RemediationDate\\\":\\\"2023-09-28T16:16:56.6015218Z\\\",\\\"Type\\\":\\\"remediation-provider\\\"}],\\\"LastRemediationState\\\":\\\"Active\\\",\\\"ThreatAnalysisSummary\\\":[{\\\"AnalyzersResult\\\":[],\\\"Verdict\\\":\\\"Suspicious\\\",\\\"AnalysisDate\\\":\\\"2023-09-28T16:16:56.6015218Z\\\"}],\\\"LastVerdict\\\":\\\"Suspicious\\\",\\\"RbacScopes\\\":{\\\"ScopesPerType\\\":{\\\"MachineGroupIds\\\":{\\\"Mode\\\":\\\"Any\\\",\\\"Scopes\\\":[\\\"0\\\"]},\\\"Workloads\\\":{\\\"Mode\\\":\\\"All\\\",\\\"Scopes\\\":[\\\"Mdatp\\\"]}}},\\\"Type\\\":\\\"process\\\",\\\"ReferenceId\\\":\\\"b64e0541-4393-41d6-8d18-8be31b30daee:12b768c23b3c\\\",\\\"DetectionStatus\\\":\\\"Detected\\\",\\\"SuspicionLevel\\\":\\\"Suspicious\\\",\\\"IsIoc\\\":true,\\\"Role\\\":1,\\\"MergeByKey\\\":\\\"Hzs5K5cl+LUGa+UuGO44Y6a9Z9I=\\\",\\\"MergeByKeyHex\\\":\\\"1F3B392B9725F8B5066BE52E18EE3863A6BD67D2\\\"}\", \"MachineGroup\": null, \"NetworkMessageId\": null, \"ServiceSource\": \"Microsoft Defender for Endpoint\", \"FileName\": \"splwow64.exe\", \"FolderPath\": \"C:\\\\Windows\", \"ProcessCommandLine\": \"splwow64.exe 8192\", \"EmailSubject\": null, \"ApplicationId\": null, \"Application\": null, \"DeviceName\": null, \"FileSize\": 163840, \"RegistryKey\": null, \"RegistryValueName\": null, \"RegistryValueData\": null, \"AccountUpn\": null, \"OAuthApplicationId\": null, \"Categories\": \"[\\\"InitialAccess\\\"]\", \"Title\": \"Executable content from email blocked\", \"AttackTechniques\": \"[\\\"Masquerading (T1036)\\\",\\\"Taint Shared Content (T1080)\\\",\\\"User Execution 
(T1204)\\\",\\\"System Binary Proxy Execution (T1218)\\\",\\\"Internal Spearphishing (T1534)\\\",\\\"Spearphishing Attachment (T1566.001)\\\",\\\"Spearphishing via Service (T1566.003)\\\"]\", \"DetectionSource\": \"Antivirus\", \"Severity\": \"Low\"}, \"Tenant\": \"DefaultTenant\"}", + "event": { + "category": [ + "threat" + ], + "dataset": "alert_evidence", + "kind": "enrichment", + "type": [ + "indicator" + ] + }, + "@timestamp": "2023-09-28T16:15:29.922799Z", + "action": { + "properties": { + "ServiceSource": "Microsoft Defender for Endpoint" + } + }, + "file": { + "directory": "C:\\Windows", + "hash": { + "sha1": "f1d50e0d3e0ba197baf152614e0cd94487a1142e", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "splwow64.exe", + "size": 163840 + }, + "microsoft": { + "defender": { + "alert": { + "id": "dadca6b5e5-5ab9-4a96-9dbb-ba2f8e7756e3_1", + "title": "Executable content from email blocked" + }, + "entity": { + "type": "Process" + }, + "evidence": { + "role": "Related" + }, + "threat": { + "severity": "Low" + } + } + }, + "process": { + "args": [ + "8192" + ], + "command_line": "splwow64.exe 8192" + }, + "related": { + "hash": [ + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232", + "f1d50e0d3e0ba197baf152614e0cd94487a1142e" + ] + }, + "service": { + "name": "Microsoft Defender for Endpoint", + "type": "Antivirus" + } + } + + ``` + + +=== "test_alert_evidence_2.json" + + ```json + + { + "message": "{\"time\": \"2023-09-26T13:04:41.9797846Z\", \"tenantId\": \"16ed4fbf-027f-47b3-8d1a-a342781dd2d2\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-AlertEvidence\", \"properties\": {\"Timestamp\": \"2023-09-26T13:03:18Z\", \"AlertId\": \"fa72d6f6a8-39e7-2681-d400-08dbbe90c56e\", \"EntityType\": \"MailMessage\", \"EvidenceRole\": \"Related\", \"SHA1\": null, \"SHA256\": null, \"RemoteIP\": null, \"LocalIP\": null, \"RemoteUrl\": null, \"AccountName\": null, \"AccountDomain\": null, 
\"AccountSid\": null, \"AccountObjectId\": null, \"DeviceId\": null, \"ThreatFamily\": null, \"EvidenceDirection\": null, \"AdditionalFields\": \"{\\\"$id\\\":\\\"1\\\",\\\"Recipient\\\":\\\"john.doe@example.org\\\",\\\"Sender\\\":\\\"no-reply@example.org\\\",\\\"SenderIP\\\":\\\"1.2.3.4\\\",\\\"P2Sender\\\":\\\"no-reply@example.org\\\",\\\"ReceivedDate\\\":\\\"2023-09-26T13:02:18Z\\\",\\\"NetworkMessageId\\\":\\\"4081b089-aecd-48de-af84-12c499929a12\\\",\\\"InternetMessageId\\\":\\\"\\\",\\\"Subject\\\":\\\"My little subject\\\",\\\"StartTimeUtc\\\":\\\"2023-09-26T13:01:18Z\\\",\\\"EndTimeUtc\\\":\\\"2023-09-26T13:03:18Z\\\",\\\"EntitySources\\\":[\\\"Alert\\\"],\\\"Type\\\":\\\"mailMessage\\\",\\\"Urn\\\":null,\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"0001-01-01T00:00:00\\\",\\\"SourceEntityType\\\":\\\"MalwareFamily\\\",\\\"SourceEntityId\\\":\\\"e93240a2-06fe-40fa-8224-16a01d087268-1\\\",\\\"SourceThreatType\\\":\\\"Phish, Malicious\\\",\\\"SourceThreatName\\\":\\\"Phish, Malicious\\\",\\\"Role\\\":1,\\\"AttachmentCount\\\":0,\\\"UrlCount\\\":0,\\\"MergeByKey\\\":\\\"XI3qGjU8yzWpxMk1QhDqq5R13s4=\\\",\\\"MergeByKeyHex\\\":\\\"5C8DEA1A353CCB35A9C4C9354210EAAB9475DECE\\\"}\", \"MachineGroup\": null, \"NetworkMessageId\": \"4081b089-aecd-48de-af84-12c499929a12\", \"ServiceSource\": \"Microsoft Defender for Office 365\", \"FileName\": null, \"FolderPath\": null, \"ProcessCommandLine\": null, \"EmailSubject\": \"My little subject\", \"ApplicationId\": null, \"Application\": null, \"DeviceName\": null, \"FileSize\": null, \"RegistryKey\": null, \"RegistryValueName\": null, \"RegistryValueData\": null, \"AccountUpn\": null, \"OAuthApplicationId\": null, \"Categories\": \"[\\\"InitialAccess\\\"]\", \"Title\": \"Phish delivered due to an IP allow policy\", \"AttackTechniques\": \"[\\\"Phishing (T1566)\\\"]\", \"DetectionSource\": \"Microsoft Defender for Office 365\", \"Severity\": \"Informational\"}, \"Tenant\": \"DefaultTenant\"}", + "event": { + "category": [ 
+ "threat" + ], + "dataset": "alert_evidence", + "kind": "enrichment", + "type": [ + "indicator" + ] + }, + "@timestamp": "2023-09-26T13:03:18Z", + "action": { + "properties": { + "AttachmentCount": 0, + "ServiceSource": "Microsoft Defender for Office 365", + "UrlCount": 0 + } + }, + "email": { + "local_id": "4081b089-aecd-48de-af84-12c499929a12", + "message_id": "e1ea248a-f53f-4f1b-a601-5b2f1fbad48cbc0bb8d-bd55-466f-92ec-46cc66108821b@intranet.domain", + "sender": { + "address": "no-reply@example.org" + }, + "subject": "My little subject", + "to": { + "address": [ + "john.doe@example.org" + ] + } + }, + "microsoft": { + "defender": { + "alert": { + "id": "fa72d6f6a8-39e7-2681-d400-08dbbe90c56e", + "title": "Phish delivered due to an IP allow policy" + }, + "entity": { + "type": "MailMessage" + }, + "evidence": { + "role": "Related" + }, + "threat": { + "severity": "Informational" + } + } + }, + "service": { + "name": "Microsoft Defender for Office 365", + "type": "Microsoft Defender for Office 365" + } + } + + ``` + + +=== "test_cloud_app.json" + + ```json + + { + "message": "{\"time\": \"2023-09-29T11:45:09.7408937Z\", \"tenantId\": \"4b05a653-e372-418d-9bd0-ba2383d1673e\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-CloudAppEvents\", \"properties\": {\"ActionType\": \"AirInvestigationData\", \"ApplicationId\": 11161, \"AccountDisplayName\": \"airinvestigation\", \"AccountObjectId\": null, \"AccountId\": \"airinvestigation\", \"DeviceType\": null, \"OSPlatform\": null, \"IPAddress\": null, \"IsAnonymousProxy\": null, \"CountryCode\": null, \"City\": null, \"ISP\": null, \"UserAgent\": null, \"IsAdminOperation\": false, \"ActivityObjects\": [{\"Type\": \"Account\", \"Role\": \"Actor\", \"Name\": \"airinvestigation\", \"Id\": \"airinvestigation\", \"ApplicationId\": 11161, \"ApplicationInstance\": 0}], \"AdditionalFields\": {}, \"ActivityType\": \"Basic\", \"ObjectName\": null, \"ObjectType\": null, \"ObjectId\": null, \"AppInstanceId\": 0, 
\"AccountType\": \"Regular\", \"IsExternalUser\": false, \"IsImpersonated\": false, \"IPTags\": null, \"IPCategory\": null, \"UserAgentTags\": null, \"RawEventData\": {\"Actions\": [], \"CreationTime\": \"2023-09-29T11:40:30Z\", \"Data\": \"{\\\"Version\\\":\\\"3.0\\\",\\\"VendorName\\\":\\\"Microsoft\\\",\\\"ProviderName\\\":\\\"OATP\\\",\\\"AlertType\\\":\\\"4b1820ec-39dc-45f3-abf6-5ee80df51fd2\\\",\\\"StartTimeUtc\\\":\\\"2023-09-29T09:07:30.656729Z\\\",\\\"EndTimeUtc\\\":\\\"2023-09-29T09:07:30.656729Z\\\",\\\"TimeGenerated\\\":\\\"2023-09-29T09:29:39.09Z\\\",\\\"ProcessingEndTime\\\":\\\"2023-09-29T11:36:50.0093899Z\\\",\\\"Status\\\":\\\"Resolved\\\",\\\"Severity\\\":\\\"Informational\\\",\\\"ConfidenceLevel\\\":\\\"Unknown\\\",\\\"ConfidenceScore\\\":1.0,\\\"IsIncident\\\":false,\\\"ProviderAlertId\\\":\\\"7310d370-60ed-3bb9-d200-08dbc0cb706a\\\",\\\"SystemAlertId\\\":null,\\\"CorrelationKey\\\":\\\"652fe57f-98e6-47df-b298-808b45a00db2\\\",\\\"Investigations\\\":[{\\\"$id\\\":\\\"1\\\",\\\"Id\\\":\\\"urn:ZappedFileInvestigation:13e4f3241b8e49faa8c8adcdb3d620dd\\\",\\\"InvestigationStatus\\\":\\\"FullyRemediated\\\"}],\\\"InvestigationIds\\\":[\\\"urn:ZappedFileInvestigation:13e4f3241b8e49faa8c8adcdb3d620dd\\\"],\\\"Intent\\\":\\\"Probing\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"2\\\",\\\"AadTenantId\\\":\\\"4b05a653-e372-418d-9bd0-ba2383d1673e\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"AzureResourceId\\\":null,\\\"WorkspaceId\\\":null,\\\"WorkspaceSubscriptionId\\\":null,\\\"WorkspaceResourceGroup\\\":null,\\\"AgentId\\\":null,\\\"AlertDisplayName\\\":\\\"Email messages containing malicious file removed after delivery\\\",\\\"Description\\\":\\\"Emails with malicious file that were delivered and later removed 
-V1.0.0.3\\\",\\\"ExtendedLinks\\\":[{\\\"Href\\\":\\\"https://security.microsoft.com/viewalerts?id=7310d370-60ed-3bb9-d200-08dbc0cb706a\\\",\\\"Category\\\":null,\\\"Label\\\":\\\"alert\\\",\\\"Type\\\":\\\"webLink\\\"}],\\\"Metadata\\\":{\\\"CustomApps\\\":null,\\\"GenericInfo\\\":null},\\\"Entities\\\":[{\\\"$id\\\":\\\"3\\\",\\\"Files\\\":[{\\\"$id\\\":\\\"4\\\",\\\"Name\\\":\\\"pix.png\\\",\\\"FileHashes\\\":[{\\\"$id\\\":\\\"5\\\",\\\"Algorithm\\\":\\\"SHA256\\\",\\\"Value\\\":\\\"EC7D1FD05AE26420DE1E51F2F315E07F9A4AF5A4A81AD43BDDE7C70EF45ADE68\\\",\\\"Type\\\":\\\"filehash\\\"}],\\\"Type\\\":\\\"file\\\",\\\"MalwareFamily\\\":\\\"Malicious Payload\\\"}],\\\"Recipient\\\":\\\"john.doe@example.com\\\",\\\"Threats\\\":[\\\"ZapPhish\\\",\\\"HighConfPhish\\\"],\\\"Sender\\\":\\\"malicous@organization.com\\\",\\\"P1Sender\\\":\\\"malicious@organization.com\\\",\\\"P1SenderDomain\\\":\\\"organization.com\\\",\\\"SenderIP\\\":\\\"1.2.3.4\\\",\\\"P2Sender\\\":\\\"malicious@organization.com\\\",\\\"P2SenderDisplayName\\\":\\\"Payroll\\\",\\\"P2SenderDomain\\\":\\\"organization.com\\\",\\\"ReceivedDate\\\":\\\"2023-09-28T22:07:30\\\",\\\"NetworkMessageId\\\":\\\"1f775e39-ff91-4872-a3e1-dd761e41a2ee\\\",\\\"InternetMessageId\\\":\\\"\\\",\\\"Subject\\\":\\\"Doom shared a file \\\\\\\"Payroll entry\\\\\\\" with you.\\\",\\\"AntispamDirection\\\":\\\"Inbound\\\",\\\"DeliveryAction\\\":\\\"Blocked\\\",\\\"ThreatDetectionMethods\\\":[\\\"FileReputation\\\"],\\\"Language\\\":\\\"en\\\",\\\"DeliveryLocation\\\":\\\"Quarantine\\\",\\\"OriginalDeliveryLocation\\\":\\\"Inbox\\\",\\\"PhishConfidenceLevel\\\":\\\"High\\\",\\\"AdditionalActionsAndResults\\\":[\\\"OriginalDelivery: [N/A]\\\",\\\"Zap: [Success: Message moved to quarantine]\\\"],\\\"AuthDetails\\\":[{\\\"Name\\\":\\\"SPF\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"DKIM\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"DMARC\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"Comp 
Auth\\\",\\\"Value\\\":\\\"pass\\\"}],\\\"SystemOverrides\\\":[],\\\"Type\\\":\\\"mailMessage\\\",\\\"Urn\\\":\\\"urn:MailEntity:11111111111111111111111111111111\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2023-09-29T09:44:12\\\"},{\\\"$id\\\":\\\"6\\\",\\\"MailboxPrimaryAddress\\\":\\\"john.doe@example.com\\\",\\\"Upn\\\":\\\"john.doe@example.com\\\",\\\"AadId\\\":\\\"170d8411-e4c0-4b27-8ac4-59dbe8db8ccf\\\",\\\"RiskLevel\\\":\\\"None\\\",\\\"Type\\\":\\\"mailbox\\\",\\\"Urn\\\":\\\"urn:UserEntity:11111111111111111111111111111111\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2023-09-29T09:44:12\\\"},{\\\"$id\\\":\\\"7\\\",\\\"Name\\\":\\\"pix.png\\\",\\\"FileHashes\\\":[{\\\"$id\\\":\\\"8\\\",\\\"Algorithm\\\":\\\"SHA256\\\",\\\"Value\\\":\\\"EC7D1FD05AE26420DE1E51F2F315E07F9A4AF5A4A81AD43BDDE7C70EF45ADE68\\\",\\\"Type\\\":\\\"filehash\\\"}],\\\"Type\\\":\\\"file\\\",\\\"MalwareFamily\\\":\\\"\\\",\\\"Urn\\\":\\\"urn:FileEntity:11111111111111111111111111111111\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2023-09-29T09:44:12\\\"},{\\\"$id\\\":\\\"9\\\",\\\"NetworkMessageIds\\\":[\\\"fbeee67e-838a-4aae-9653-385094b83fb8\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":1,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0},\\\"CountByProtectionStatus\\\":{\\\"Blocked\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Quarantine\\\":1},\\\"Query\\\":\\\"( (( (BodyFingerprintBin1:\\\\\\\"4011247127\\\\\\\") ) AND ( (SenderIp:\\\\\\\"1.2.3.4\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND 
NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2023-09-29T10:14:35.7365899Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterGroup\\\":\\\"BodyFingerprintBin1,SenderIp\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"BodyFingerprintBin1;SenderIp;ContentType\\\",\\\"ClusterByValue\\\":\\\"4011247127;1.2.3.4;1\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:11111111111111111111111111111111\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2023-09-29T10:15:27\\\"},{\\\"$id\\\":\\\"10\\\",\\\"NetworkMessageIds\\\":[\\\"4c8bc40b-45ac-49d4-9ef3-b2c30a59d754\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":1,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0},\\\"CountByProtectionStatus\\\":{\\\"Blocked\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Quarantine\\\":1},\\\"Query\\\":\\\"( ((AttachmentFileHash:\\\\\\\"7H0f0FriZCDeHlHy8xXgf5pK9aSoGtQ73efHDvRa3mg=\\\\\\\") AND (ContentType: 1)) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2023-09-29T10:14:35.7365899Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterGroup\\\":\\\"FileHashThreatIndicator\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"AttachmentFileHash;ContentType\\\",\\\"ClusterByValue\\\":\\\"22222222222222222222222222222222222222222222;1\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:44444444444444444444444444444444\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2023-09-29T10:15:27\\\"},{\\\"$id\\\":\\\"11\\\",\\\"NetworkMessageIds\\\":[\\\"4c8bc40b-45ac-49d4-9ef3-b2c30a59d754\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":1,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0},\\\"CountByProtectionStatus\\\":{\\\"Blocked\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Quarantine\\\":1},\\\"Query\\\":\\\"( (( (Subject:\\\\\\\"Doom shared a file \\\\\\\"\\\\\\\"Payroll entry\\\\\\\"\\\\\\\" with you.\\\\\\\") ) AND ( 
(P2SenderDomain:\\\\\\\"organization.com\\\\\\\") ) AND ( (AntispamDirection:\\\\\\\"1\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2023-09-29T10:14:35.7365899Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterGroup\\\":\\\"Subject,P2SenderDomain,AntispamDirection\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"Subject;P2SenderDomain;AntispamDirection;ContentType\\\",\\\"ClusterByValue\\\":\\\"Doom shared a file \\\\\\\"Payroll entry\\\\\\\" with you.;organization.com;1;1\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:11111111111111111111111111111111\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2023-09-29T10:15:27\\\"},{\\\"$id\\\":\\\"12\\\",\\\"NetworkMessageIds\\\":[\\\"36d28877-7954-43fb-9f8f-fe26f23bcf34\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":1,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0},\\\"CountByProtectionStatus\\\":{\\\"Blocked\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Quarantine\\\":1},\\\"Query\\\":\\\"( (( (BodyFingerprintBin1:\\\\\\\"4011247127\\\\\\\") ) AND ( (P2SenderDomain:\\\\\\\"organization.com\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND 
NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2023-09-29T10:14:35.7365899Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterGroup\\\":\\\"BodyFingerprintBin1,P2SenderDomain\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"BodyFingerprintBin1;P2SenderDomain;ContentType\\\",\\\"ClusterByValue\\\":\\\"4011247127;organization.com;1\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:4d298ccfc6e344df8a199c74a5466290\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2023-09-29T10:15:28\\\"},{\\\"$id\\\":\\\"13\\\",\\\"NetworkMessageIds\\\":[\\\"5a65b4e6-c8f3-468b-8ee6-4c7f817e6bfa\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":1,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0},\\\"CountByProtectionStatus\\\":{\\\"Blocked\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Quarantine\\\":1},\\\"Query\\\":\\\"( (( (Subject:\\\\\\\"Doom shared a file \\\\\\\"\\\\\\\"Payroll entry\\\\\\\"\\\\\\\" with you.\\\\\\\") ) AND ( (SenderIp:\\\\\\\"1.2.3.4\\\\\\\") ) AND ( (AntispamDirection:\\\\\\\"1\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2023-09-29T10:14:35.7365899Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterGroup\\\":\\\"Subject,SenderIp,AntispamDirection\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"Subject;SenderIp;AntispamDirection;ContentType\\\",\\\"ClusterByValue\\\":\\\"Doom shared a file \\\\\\\"Payroll entry\\\\\\\" with you.;1.2.3.4;1;1\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:cb4c1a4b96883fbdb1dad10b231cfa00\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2023-09-29T10:15:28\\\"}],\\\"LogCreationTime\\\":\\\"2023-09-29T11:36:50.0093899Z\\\",\\\"MachineName\\\":\\\"DBAEUR03BG403\\\",\\\"SourceTemplateType\\\":\\\"Threat_Single\\\",\\\"Category\\\":\\\"ThreatManagement\\\",\\\"SourceAlertType\\\":\\\"System\\\"}\", \"DeepLinkUrl\": 
\"https://security.microsoft.com/mtp-investigation/urn:ZappedFileInvestigation:13e4f3241b8e49faa8c8adcdb3d620dd\", \"EndTimeUtc\": \"2023-09-29T11:34:37Z\", \"Id\": \"8a7cc032-8634-4117-bae4-371071ce0ce5\", \"InvestigationId\": \"urn:ZappedFileInvestigation:13e4f3241b8e49faa8c8adcdb3d620dd\", \"InvestigationName\": \"Mail with malicious file is zapped - urn:ZappedFileInvestigation:13e4f3241b8e49faa8c8adcdb3d620dd\", \"InvestigationType\": \"ZappedFileInvestigation\", \"LastUpdateTimeUtc\": \"2023-09-29T10:54:43Z\", \"ObjectId\": \"8a7cc032-8634-4117-bae4-371071ce0ce5\", \"Operation\": \"AirInvestigationData\", \"OrganizationId\": \"4b05a653-e372-418d-9bd0-ba2383d1673e\", \"RecordType\": 64, \"RunningTime\": 6762, \"StartTimeUtc\": \"2023-09-29T09:44:07Z\", \"Status\": \"Remediated\", \"UserId\": \"AirInvestigation\", \"UserKey\": \"AirInvestigation\", \"UserType\": 4, \"Version\": 1, \"Workload\": \"AirInvestigation\"}, \"ReportId\": \"60913494_11161_8a7cc032-8634-4117-bae4-371071ce0ce5\", \"Timestamp\": \"2023-09-29T11:40:30Z\", \"Application\": \"Microsoft 365\"}, \"Tenant\": \"DefaultTenant\"}", + "event": { + "category": [ + "intrusion_detection" + ], + "dataset": "cloud_app_events", + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2023-09-29T11:40:30Z", + "action": { + "properties": { + "Application": "Microsoft 365", + "ApplicationId": "11161", + "IsAdminOperation": "false", + "IsExternalUser": false, + "IsImpersonated": false, + "RawEventData": "{\"Actions\": [], \"CreationTime\": \"2023-09-29T11:40:30Z\", \"Data\": 
\"{\\\"Version\\\":\\\"3.0\\\",\\\"VendorName\\\":\\\"Microsoft\\\",\\\"ProviderName\\\":\\\"OATP\\\",\\\"AlertType\\\":\\\"4b1820ec-39dc-45f3-abf6-5ee80df51fd2\\\",\\\"StartTimeUtc\\\":\\\"2023-09-29T09:07:30.656729Z\\\",\\\"EndTimeUtc\\\":\\\"2023-09-29T09:07:30.656729Z\\\",\\\"TimeGenerated\\\":\\\"2023-09-29T09:29:39.09Z\\\",\\\"ProcessingEndTime\\\":\\\"2023-09-29T11:36:50.0093899Z\\\",\\\"Status\\\":\\\"Resolved\\\",\\\"Severity\\\":\\\"Informational\\\",\\\"ConfidenceLevel\\\":\\\"Unknown\\\",\\\"ConfidenceScore\\\":1.0,\\\"IsIncident\\\":false,\\\"ProviderAlertId\\\":\\\"7310d370-60ed-3bb9-d200-08dbc0cb706a\\\",\\\"SystemAlertId\\\":null,\\\"CorrelationKey\\\":\\\"652fe57f-98e6-47df-b298-808b45a00db2\\\",\\\"Investigations\\\":[{\\\"$id\\\":\\\"1\\\",\\\"Id\\\":\\\"urn:ZappedFileInvestigation:13e4f3241b8e49faa8c8adcdb3d620dd\\\",\\\"InvestigationStatus\\\":\\\"FullyRemediated\\\"}],\\\"InvestigationIds\\\":[\\\"urn:ZappedFileInvestigation:13e4f3241b8e49faa8c8adcdb3d620dd\\\"],\\\"Intent\\\":\\\"Probing\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"2\\\",\\\"AadTenantId\\\":\\\"4b05a653-e372-418d-9bd0-ba2383d1673e\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"AzureResourceId\\\":null,\\\"WorkspaceId\\\":null,\\\"WorkspaceSubscriptionId\\\":null,\\\"WorkspaceResourceGroup\\\":null,\\\"AgentId\\\":null,\\\"AlertDisplayName\\\":\\\"Email messages containing malicious file removed after delivery\\\",\\\"Description\\\":\\\"Emails with malicious file that were delivered and later removed 
-V1.0.0.3\\\",\\\"ExtendedLinks\\\":[{\\\"Href\\\":\\\"https://security.microsoft.com/viewalerts?id=7310d370-60ed-3bb9-d200-08dbc0cb706a\\\",\\\"Category\\\":null,\\\"Label\\\":\\\"alert\\\",\\\"Type\\\":\\\"webLink\\\"}],\\\"Metadata\\\":{\\\"CustomApps\\\":null,\\\"GenericInfo\\\":null},\\\"Entities\\\":[{\\\"$id\\\":\\\"3\\\",\\\"Files\\\":[{\\\"$id\\\":\\\"4\\\",\\\"Name\\\":\\\"pix.png\\\",\\\"FileHashes\\\":[{\\\"$id\\\":\\\"5\\\",\\\"Algorithm\\\":\\\"SHA256\\\",\\\"Value\\\":\\\"EC7D1FD05AE26420DE1E51F2F315E07F9A4AF5A4A81AD43BDDE7C70EF45ADE68\\\",\\\"Type\\\":\\\"filehash\\\"}],\\\"Type\\\":\\\"file\\\",\\\"MalwareFamily\\\":\\\"Malicious Payload\\\"}],\\\"Recipient\\\":\\\"john.doe@example.com\\\",\\\"Threats\\\":[\\\"ZapPhish\\\",\\\"HighConfPhish\\\"],\\\"Sender\\\":\\\"malicous@organization.com\\\",\\\"P1Sender\\\":\\\"malicious@organization.com\\\",\\\"P1SenderDomain\\\":\\\"organization.com\\\",\\\"SenderIP\\\":\\\"1.2.3.4\\\",\\\"P2Sender\\\":\\\"malicious@organization.com\\\",\\\"P2SenderDisplayName\\\":\\\"Payroll\\\",\\\"P2SenderDomain\\\":\\\"organization.com\\\",\\\"ReceivedDate\\\":\\\"2023-09-28T22:07:30\\\",\\\"NetworkMessageId\\\":\\\"1f775e39-ff91-4872-a3e1-dd761e41a2ee\\\",\\\"InternetMessageId\\\":\\\"\\\",\\\"Subject\\\":\\\"Doom shared a file \\\\\\\"Payroll entry\\\\\\\" with you.\\\",\\\"AntispamDirection\\\":\\\"Inbound\\\",\\\"DeliveryAction\\\":\\\"Blocked\\\",\\\"ThreatDetectionMethods\\\":[\\\"FileReputation\\\"],\\\"Language\\\":\\\"en\\\",\\\"DeliveryLocation\\\":\\\"Quarantine\\\",\\\"OriginalDeliveryLocation\\\":\\\"Inbox\\\",\\\"PhishConfidenceLevel\\\":\\\"High\\\",\\\"AdditionalActionsAndResults\\\":[\\\"OriginalDelivery: [N/A]\\\",\\\"Zap: [Success: Message moved to quarantine]\\\"],\\\"AuthDetails\\\":[{\\\"Name\\\":\\\"SPF\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"DKIM\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"DMARC\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"Comp 
Auth\\\",\\\"Value\\\":\\\"pass\\\"}],\\\"SystemOverrides\\\":[],\\\"Type\\\":\\\"mailMessage\\\",\\\"Urn\\\":\\\"urn:MailEntity:11111111111111111111111111111111\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2023-09-29T09:44:12\\\"},{\\\"$id\\\":\\\"6\\\",\\\"MailboxPrimaryAddress\\\":\\\"john.doe@example.com\\\",\\\"Upn\\\":\\\"john.doe@example.com\\\",\\\"AadId\\\":\\\"170d8411-e4c0-4b27-8ac4-59dbe8db8ccf\\\",\\\"RiskLevel\\\":\\\"None\\\",\\\"Type\\\":\\\"mailbox\\\",\\\"Urn\\\":\\\"urn:UserEntity:11111111111111111111111111111111\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2023-09-29T09:44:12\\\"},{\\\"$id\\\":\\\"7\\\",\\\"Name\\\":\\\"pix.png\\\",\\\"FileHashes\\\":[{\\\"$id\\\":\\\"8\\\",\\\"Algorithm\\\":\\\"SHA256\\\",\\\"Value\\\":\\\"EC7D1FD05AE26420DE1E51F2F315E07F9A4AF5A4A81AD43BDDE7C70EF45ADE68\\\",\\\"Type\\\":\\\"filehash\\\"}],\\\"Type\\\":\\\"file\\\",\\\"MalwareFamily\\\":\\\"\\\",\\\"Urn\\\":\\\"urn:FileEntity:11111111111111111111111111111111\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2023-09-29T09:44:12\\\"},{\\\"$id\\\":\\\"9\\\",\\\"NetworkMessageIds\\\":[\\\"fbeee67e-838a-4aae-9653-385094b83fb8\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":1,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0},\\\"CountByProtectionStatus\\\":{\\\"Blocked\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Quarantine\\\":1},\\\"Query\\\":\\\"( (( (BodyFingerprintBin1:\\\\\\\"4011247127\\\\\\\") ) AND ( (SenderIp:\\\\\\\"1.2.3.4\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND 
NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2023-09-29T10:14:35.7365899Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterGroup\\\":\\\"BodyFingerprintBin1,SenderIp\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"BodyFingerprintBin1;SenderIp;ContentType\\\",\\\"ClusterByValue\\\":\\\"4011247127;1.2.3.4;1\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:11111111111111111111111111111111\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2023-09-29T10:15:27\\\"},{\\\"$id\\\":\\\"10\\\",\\\"NetworkMessageIds\\\":[\\\"4c8bc40b-45ac-49d4-9ef3-b2c30a59d754\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":1,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0},\\\"CountByProtectionStatus\\\":{\\\"Blocked\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Quarantine\\\":1},\\\"Query\\\":\\\"( ((AttachmentFileHash:\\\\\\\"7H0f0FriZCDeHlHy8xXgf5pK9aSoGtQ73efHDvRa3mg=\\\\\\\") AND (ContentType: 1)) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2023-09-29T10:14:35.7365899Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterGroup\\\":\\\"FileHashThreatIndicator\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"AttachmentFileHash;ContentType\\\",\\\"ClusterByValue\\\":\\\"22222222222222222222222222222222222222222222;1\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:44444444444444444444444444444444\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2023-09-29T10:15:27\\\"},{\\\"$id\\\":\\\"11\\\",\\\"NetworkMessageIds\\\":[\\\"4c8bc40b-45ac-49d4-9ef3-b2c30a59d754\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":1,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0},\\\"CountByProtectionStatus\\\":{\\\"Blocked\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Quarantine\\\":1},\\\"Query\\\":\\\"( (( (Subject:\\\\\\\"Doom shared a file \\\\\\\"\\\\\\\"Payroll entry\\\\\\\"\\\\\\\" with you.\\\\\\\") ) AND ( 
(P2SenderDomain:\\\\\\\"organization.com\\\\\\\") ) AND ( (AntispamDirection:\\\\\\\"1\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2023-09-29T10:14:35.7365899Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterGroup\\\":\\\"Subject,P2SenderDomain,AntispamDirection\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"Subject;P2SenderDomain;AntispamDirection;ContentType\\\",\\\"ClusterByValue\\\":\\\"Doom shared a file \\\\\\\"Payroll entry\\\\\\\" with you.;organization.com;1;1\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:11111111111111111111111111111111\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2023-09-29T10:15:27\\\"},{\\\"$id\\\":\\\"12\\\",\\\"NetworkMessageIds\\\":[\\\"36d28877-7954-43fb-9f8f-fe26f23bcf34\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":1,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0},\\\"CountByProtectionStatus\\\":{\\\"Blocked\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Quarantine\\\":1},\\\"Query\\\":\\\"( (( (BodyFingerprintBin1:\\\\\\\"4011247127\\\\\\\") ) AND ( (P2SenderDomain:\\\\\\\"organization.com\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND 
NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2023-09-29T10:14:35.7365899Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterGroup\\\":\\\"BodyFingerprintBin1,P2SenderDomain\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"BodyFingerprintBin1;P2SenderDomain;ContentType\\\",\\\"ClusterByValue\\\":\\\"4011247127;organization.com;1\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:4d298ccfc6e344df8a199c74a5466290\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2023-09-29T10:15:28\\\"},{\\\"$id\\\":\\\"13\\\",\\\"NetworkMessageIds\\\":[\\\"5a65b4e6-c8f3-468b-8ee6-4c7f817e6bfa\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":1,\\\"Phish\\\":0,\\\"Malware\\\":0,\\\"Spam\\\":0},\\\"CountByProtectionStatus\\\":{\\\"Blocked\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"Quarantine\\\":1},\\\"Query\\\":\\\"( (( (Subject:\\\\\\\"Doom shared a file \\\\\\\"\\\\\\\"Payroll entry\\\\\\\"\\\\\\\" with you.\\\\\\\") ) AND ( (SenderIp:\\\\\\\"1.2.3.4\\\\\\\") ) AND ( (AntispamDirection:\\\\\\\"1\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2023-09-29T10:14:35.7365899Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterGroup\\\":\\\"Subject,SenderIp,AntispamDirection\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"Subject;SenderIp;AntispamDirection;ContentType\\\",\\\"ClusterByValue\\\":\\\"Doom shared a file \\\\\\\"Payroll entry\\\\\\\" with you.;1.2.3.4;1;1\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:cb4c1a4b96883fbdb1dad10b231cfa00\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2023-09-29T10:15:28\\\"}],\\\"LogCreationTime\\\":\\\"2023-09-29T11:36:50.0093899Z\\\",\\\"MachineName\\\":\\\"DBAEUR03BG403\\\",\\\"SourceTemplateType\\\":\\\"Threat_Single\\\",\\\"Category\\\":\\\"ThreatManagement\\\",\\\"SourceAlertType\\\":\\\"System\\\"}\", \"DeepLinkUrl\": 
\"https://security.microsoft.com/mtp-investigation/urn:ZappedFileInvestigation:13e4f3241b8e49faa8c8adcdb3d620dd\", \"EndTimeUtc\": \"2023-09-29T11:34:37Z\", \"Id\": \"8a7cc032-8634-4117-bae4-371071ce0ce5\", \"InvestigationId\": \"urn:ZappedFileInvestigation:13e4f3241b8e49faa8c8adcdb3d620dd\", \"InvestigationName\": \"Mail with malicious file is zapped - urn:ZappedFileInvestigation:13e4f3241b8e49faa8c8adcdb3d620dd\", \"InvestigationType\": \"ZappedFileInvestigation\", \"LastUpdateTimeUtc\": \"2023-09-29T10:54:43Z\", \"ObjectId\": \"8a7cc032-8634-4117-bae4-371071ce0ce5\", \"Operation\": \"AirInvestigationData\", \"OrganizationId\": \"4b05a653-e372-418d-9bd0-ba2383d1673e\", \"RecordType\": 64, \"RunningTime\": 6762, \"StartTimeUtc\": \"2023-09-29T09:44:07Z\", \"Status\": \"Remediated\", \"UserId\": \"AirInvestigation\", \"UserKey\": \"AirInvestigation\", \"UserType\": 4, \"Version\": 1, \"Workload\": \"AirInvestigation\"}" + }, + "type": "AirInvestigationData" + }, + "email": { + "attachments": [ + { + "file": { + "hash": { + "sha256": "EC7D1FD05AE26420DE1E51F2F315E07F9A4AF5A4A81AD43BDDE7C70EF45ADE68" + }, + "name": "pix.png" + } + } + ] + }, + "microsoft": { + "defender": { + "activity": { + "objects": [ + { + "ApplicationId": 11161, + "ApplicationInstance": 0, + "Id": "airinvestigation", + "Name": "airinvestigation", + "Role": "Actor", + "Type": "Account" + } + ], + "type": "Basic" + }, + "investigation": { + "id": "urn:ZappedFileInvestigation:13e4f3241b8e49faa8c8adcdb3d620dd", + "name": "Mail with malicious file is zapped - urn:ZappedFileInvestigation:13e4f3241b8e49faa8c8adcdb3d620dd", + "status": "Remediated", + "type": "ZappedFileInvestigation" + }, + "report": { + "id": "60913494_11161_8a7cc032-8634-4117-bae4-371071ce0ce5" + } + } + }, + "user": { + "full_name": "airinvestigation" + } + } + + ``` + + === "test_detection_source.json" ```json 
@@ -1203,9 +1409,11 @@ The following table lists the fields that are extracted, normalized under the EC |`container.runtime` | `keyword` | Runtime managing this container. | |`destination.ip` | `ip` | IP address of the destination. | |`destination.port` | `long` | Port of the destination. | +|`email.attachments` | `nested` | List of objects describing the attachments. | |`email.from.address` | `keyword` | The email address of the sender, typically from the RFC 5322 From: header field | |`email.local_id` | `keyword` | Unique identifier given to the email by the source that created the event | |`email.message_id` | `keyword` | Identifier from the RFC 5322 Message-ID: email header that refers to a particular email message | +|`email.sender.address` | `keyword` | Address of the message sender. | |`email.subject` | `keyword` | A brief summary of the topic of the message | |`email.to.address` | `keyword` | The email address of recipient | |`event.action` | `keyword` | The action captured by the event. | 
@@ -1253,6 +1461,10 @@ The following table lists the fields that are extracted, normalized under the EC |`microsoft.defender.host.os.version` | `keyword` | Additional information about the OS version, such as the popular name, code name, or version number | |`microsoft.defender.host.subtype` | `keyword` | Additional modifier for certain types of devices, for example, a mobile device can be a tablet or a smartphone; only available if device discovery finds enough information about this attribute | |`microsoft.defender.host.vendor` | `keyword` | Name of the product vendor or manufacturer, only available if device discovery finds enough information about this attribute | +|`microsoft.defender.investigation.id` | `keyword` | Investigation id | +|`microsoft.defender.investigation.name` | `keyword` | Investigation name | +|`microsoft.defender.investigation.status` | `keyword` | Investigation status | +|`microsoft.defender.investigation.type` | `keyword` | Investigation type | |`microsoft.defender.network.tunnel.protocol` | `keyword` | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH | |`microsoft.defender.observer.interface.dhcp.ipv4` | `keyword` | IPv4 address of DHCP server | |`microsoft.defender.observer.interface.dhcp.ipv6` | `keyword` | IPv6 address of DHCP server | diff --git a/_shared_content/operations_center/integrations/generated/fc99c983-3e6c-448c-97e6-7e0948e12415.md b/_shared_content/operations_center/integrations/generated/fc99c983-3e6c-448c-97e6-7e0948e12415.md new file mode 100644 index 0000000000..db62c2a542 --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/fc99c983-3e6c-448c-97e6-7e0948e12415.md 
@@ -0,0 +1,217 @@ + +## Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Web logs` | Web visitor logs coming from CloudFront | + + + + + +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `event` | +| Category | `web` | +| Type | `access` | + + + + +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "miss_record.json" + + ```json + + { + "message": "{\"date\":\"2023-12-05\",\"time\":\"16:15:33\",\"x-edge-location\":\"test-P1\",\"sc-bytes\":\"484\",\"c-ip\":\"0000:111:222:3333:4444:5555:6666:7777\",\"cs-method\":\"GET\",\"cs(Host)\":\"dtest.cloudfront.net\",\"cs-uri-stem\":\"/\",\"sc-status\":\"302\",\"cs(Referer)\":\"-\",\"cs(User-Agent)\":\"Mozilla/5.0%20(Macintosh;%20Intel%20Mac%20OS%20X%2010_15_7)%20AppleWebKit/605.1.15%20(KHTML,%20like%20Gecko)%20Version/17.1%20Safari/605.1.15\",\"cs-uri-query\":\"-\",\"cs(Cookie)\":\"-\",\"x-edge-result-type\":\"Miss\",\"x-edge-request-id\":\"Dw16HXgISOWLclFzkdTDjdlWWwg==\",\"x-host-header\":\"test.cloudfront.net\",\"cs-protocol\":\"https\",\"cs-bytes\":\"258\",\"time-taken\":\"0.358\",\"x-forwarded-for\":\"-\",\"ssl-protocol\":\"TLSv1.3\",\"ssl-cipher\":\"TLS_SHA256\",\"x-edge-response-result-type\":\"Miss\",\"cs-protocol-version\":\"HTTP/2.0\",\"fle-status\":\"-\",\"fle-encrypted-fields\":\"-\",\"c-port\":\"58622\",\"time-to-first-byte\":\"0.358\",\"x-edge-detailed-result-type\":\"Miss\",\"sc-content-type\":\"text/html;%20charset=UTF-8\",\"sc-content-len\":\"0\",\"sc-range-start\":\"-\",\"sc-range-end\":\"-\",\"count\":\"3\"}", + "event": { + "action": "Miss", + "category": [ + "web" + ], + "kind": "event", + "type": [ + "access" + ] + }, + "@timestamp": "2023-12-05T16:15:33Z", + "cloud": { + "provider": "aws", + "service": { + "name": "cloudfront" + 
} + }, + "destination": { + "address": "dtest.cloudfront.net", + "domain": "dtest.cloudfront.net", + "registered_domain": "cloudfront.net", + "subdomain": "dtest", + "top_level_domain": "net" + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 302 + } + }, + "network": { + "protocol": "https" + }, + "related": { + "hosts": [ + "dtest.cloudfront.net" + ], + "ip": [ + "0:111:222:3333:4444:5555:6666:7777" + ] + }, + "sekoiaio": { + "repeat": { + "count": "3" + } + }, + "server": { + "geo": { + "name": "test-P1" + } + }, + "source": { + "address": "0:111:222:3333:4444:5555:6666:7777", + "ip": "0:111:222:3333:4444:5555:6666:7777", + "port": 58622 + }, + "url": { + "path": "/" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Safari", + "original": "Mozilla/5.0%20(Macintosh;%20Intel%20Mac%20OS%20X%2010_15_7)%20AppleWebKit/605.1.15%20(KHTML,%20like%20Gecko)%20Version/17.1%20Safari/605.1.15", + "os": { + "name": "Other" + }, + "version": "17.1" + } + } + + ``` + + +=== "refresh_record.json" + + ```json + + { + "message": 
"{\"date\":\"2023-12-05\",\"time\":\"16:15:33\",\"x-edge-location\":\"test-P1\",\"sc-bytes\":\"484\",\"c-ip\":\"0000:111:222:3333:4444:5555:6666:7777\",\"cs-method\":\"GET\",\"cs(Host)\":\"dtest.cloudfront.net\",\"cs-uri-stem\":\"/\",\"sc-status\":\"302\",\"cs(Referer)\":\"-\",\"cs(User-Agent)\":\"Mozilla/5.0%20(Macintosh;%20Intel%20Mac%20OS%20X%2010_15_7)%20AppleWebKit/605.1.15%20(KHTML,%20like%20Gecko)%20Version/17.1%20Safari/605.1.15\",\"cs-uri-query\":\"-\",\"cs(Cookie)\":\"-\",\"x-edge-result-type\":\"Miss\",\"x-edge-request-id\":\"Dw16HXgISOWLclFzkdTDjdlWWwg==\",\"x-host-header\":\"test.cloudfront.net\",\"cs-protocol\":\"https\",\"cs-bytes\":\"258\",\"time-taken\":\"0.358\",\"x-forwarded-for\":\"-\",\"ssl-protocol\":\"TLSv1.3\",\"ssl-cipher\":\"TLS_SHA256\",\"x-edge-response-result-type\":\"RefreshHit\",\"cs-protocol-version\":\"HTTP/2.0\",\"fle-status\":\"-\",\"fle-encrypted-fields\":\"-\",\"c-port\":\"58622\",\"time-to-first-byte\":\"0.358\",\"x-edge-detailed-result-type\":\"Miss\",\"sc-content-type\":\"text/html;%20charset=UTF-8\",\"sc-content-len\":\"0\",\"sc-range-start\":\"-\",\"sc-range-end\":\"-\"}", + "event": { + "action": "RefreshHit", + "category": [ + "web" + ], + "kind": "event", + "type": [ + "access" + ] + }, + "@timestamp": "2023-12-05T16:15:33Z", + "cloud": { + "provider": "aws", + "service": { + "name": "cloudfront" + } + }, + "destination": { + "address": "dtest.cloudfront.net", + "domain": "dtest.cloudfront.net", + "registered_domain": "cloudfront.net", + "subdomain": "dtest", + "top_level_domain": "net" + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 302 + } + }, + "network": { + "protocol": "https" + }, + "related": { + "hosts": [ + "dtest.cloudfront.net" + ], + "ip": [ + "0:111:222:3333:4444:5555:6666:7777" + ] + }, + "server": { + "geo": { + "name": "test-P1" + } + }, + "source": { + "address": "0:111:222:3333:4444:5555:6666:7777", + "ip": "0:111:222:3333:4444:5555:6666:7777", + "port": 58622 + 
}, + "url": { + "path": "/" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Safari", + "original": "Mozilla/5.0%20(Macintosh;%20Intel%20Mac%20OS%20X%2010_15_7)%20AppleWebKit/605.1.15%20(KHTML,%20like%20Gecko)%20Version/17.1%20Safari/605.1.15", + "os": { + "name": "Other" + }, + "version": "17.1" + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | +|`cloud.provider` | `keyword` | Name of the cloud provider. | +|`cloud.service.name` | `keyword` | The cloud service name. | +|`destination.domain` | `keyword` | The domain name of the destination. | +|`event.action` | `keyword` | The action captured by the event. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`http.request.method` | `keyword` | HTTP request method. | +|`http.response.status_code` | `long` | HTTP response status code. | +|`network.protocol` | `keyword` | Application protocol name. | +|`server.geo.name` | `keyword` | User-defined description of a location. | +|`source.ip` | `ip` | IP address of the source. | +|`source.port` | `long` | Port of the source. | +|`url.path` | `wildcard` | Path of the request, such as "/search". | +|`user_agent.original` | `keyword` | Unparsed user_agent string. | +