Merge pull request #1699 from SEKOIA-IO/update-intake-documentation

Refresh intakes documentation

_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md

@@ -941,9 +941,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
             "ip": "192.168.120.41",
             "port": 2525
         },
-        "network": {
-            "direction": "outbound"
-        },
         "host": {
             "domain": "EXAMPLE",
             "hostname": "EXCHANGE",
@@ -956,6 +953,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
         "log": {
             "hostname": "EXCHANGE"
         },
+        "network": {
+            "direction": "outbound"
+        },
         "process": {
             "executable": "E:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\MSExchangeHMWorker.exe",
             "pid": 14228
@@ -1010,9 +1010,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
             "ip": "172.31.9.222",
             "port": 3389
         },
-        "network": {
-            "direction": "inbound"
-        },
         "host": {
             "domain": "WORKGROUP",
             "hostname": "REDACTED",
@@ -1025,6 +1022,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
         "log": {
             "hostname": "REDACTED"
         },
+        "network": {
+            "direction": "inbound"
+        },
         "process": {
             "executable": "C:\\Windows\\System32\\svchost.exe",
             "pid": 1004
@@ -1594,6 +1594,40 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 	```
 
 
+=== "threat_log.json"
+
+    ```json
+
+    {
+        "message": "{\"impacted_user_count\":3,\"destination\":\"syslog\",\"level\":\"high\",\"id\":829,\"status\":\"new\",\"@version\":\"1\",\"last_seen\":\"2024-03-13T06:25:00-05:00\",\"log_type\":\"threat\",\"rule_count\":4,\"@timestamp\":\"2024-03-13T11:26:29.606617060Z\",\"groups\":[{\"name\":\"MyGroup!\",\"id\":\"c4274875-9fb2-4b25-a4e0-a61bb3c0a3a8\"}],\"agents\":[{\"agent_hostname\":\"DESKTOP_0001\",\"agent_ostype\":\"macos\",\"security_event_count\":17662,\"agent_id\":\"215fe295-905f-4a8d-8347-e9d438d4e415\"},{\"agent_hostname\":\"DESKTOP_0020\",\"agent_ostype\":\"macos\",\"security_event_count\":9903,\"agent_id\":\"999ba0c7-96b8-4c57-bf0e-63b24813c873\"}],\"agent_count\":2,\"rules\":[{\"security_event_count\":44,\"rule_id\":\"3daba65e-a7e6-4211-8294-01816f11d659\",\"rule_level\":\"medium\",\"rule_name\":\"NewLaunchDaemonaddedviacommandline\"},{\"security_event_count\":38236,\"rule_id\":\"c502ee75-e425-4100-a8c8-927bc0c1080c\",\"rule_level\":\"low\",\"rule_name\":\"Discovery:Users(macOS)\"},{\"security_event_count\":13,\"rule_id\":\"6915ff50-36b9-43fb-8368-b07f5a702767\",\"rule_level\":\"medium\",\"rule_name\":\"Discovery:Who(macOS)\"},{\"security_event_count\":1525,\"rule_id\":\"7da2cbac-fd59-4ea1-a95b-5f717822ebaa\",\"rule_level\":\"medium\",\"rule_name\":\"Timestompingfilewithtouch(macOS)\"}],\"impacted_users\":[{\"user_sid\":\"root\",\"security_event_count\":39432,\"user_name\":\"root\"},{\"user_sid\":\"john-doe\",\"security_event_count\":8,\"user_name\":\"john-doe\"},{\"user_sid\":\"janedoe\",\"security_event_count\":1,\"user_name\":\"janedoe\"}],\"creation_date\":\"2024-02-07T09:18:21.799384-06:00\",\"last_update\":\"2024-03-13T06:26:29.162934-05:00\",\"total_security_event_count\":40061,\"first_seen\":\"2024-02-07T09:18:00-06:00\",\"tenant\":\"111111111111111\"}",
+        "event": {
+            "dataset": "threat",
+            "end": "2024-03-13T11:25:00Z",
+            "start": "2024-02-07T15:18:00Z"
+        },
+        "agent": {
+            "name": "harfanglab"
+        },
+        "harfanglab": {
+            "count": {
+                "rules": 4,
+                "users_impacted": 3
+            },
+            "groups": [
+                "{\"id\": \"c4274875-9fb2-4b25-a4e0-a61bb3c0a3a8\", \"name\": \"MyGroup!\"}"
+            ],
+            "level": "high",
+            "status": "new",
+            "threat_id": "829"
+        },
+        "user": {
+            "roles": "MyGroup!"
+        }
+    }
+    	
+	```
+
+
 === "wineeventlog-event.json"
 
     ```json
@@ -2047,9 +2081,11 @@ The following table lists the fields that are extracted, normalized under the EC
 |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
 |`event.code` | `keyword` | Identification code for this event. |
 |`event.dataset` | `keyword` | Name of the dataset. |
+|`event.end` | `date` | event.end contains the date when the event ended or when the activity was last observed. |
 |`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
 |`event.provider` | `keyword` | Source of the event. |
 |`event.reason` | `keyword` | Reason why this event happened, according to the source |
+|`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. |
 |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
 |`file.hash.md5` | `keyword` | MD5 hash. |
 |`file.hash.sha1` | `keyword` | SHA1 hash. |
@@ -2067,14 +2103,17 @@ The following table lists the fields that are extracted, normalized under the EC
 |`harfanglab.alert_subtype` | `keyword` | The subtype of the alert |
 |`harfanglab.alert_time` | `keyword` | The timestamp of the alert |
 |`harfanglab.alert_unique_id` | `keyword` | The identifier of the alert |
+|`harfanglab.count.rules` | `number` | Total count of rules |
+|`harfanglab.count.users_impacted` | `number` | Total count of impacted users |
 |`harfanglab.execution` | `long` | Execution time  |
 |`harfanglab.grandparent.process.ancestors` | `keyword` | All process parents |
 |`harfanglab.grandparent.process.command_line` | `keyword` | Command line that started the grandparent process |
 |`harfanglab.grandparent.process.executable` | `keyword` | Absolute path to the grandparent process executable |
 |`harfanglab.groups` | `keyword` | harfanglab groups |
-|`harfanglab.level` | `keyword` | The risk level associated to the alert |
+|`harfanglab.level` | `keyword` | The risk level associated to the event |
 |`harfanglab.process.powershell.command` | `keyword` | The powershell command executed |
-|`harfanglab.status` | `keyword` | The status of the alert |
+|`harfanglab.status` | `keyword` | The status of the event |
+|`harfanglab.threat_id` | `keyword` | Id of the threat |
 |`host.domain` | `keyword` | Name of the directory the group is a member of. |
 |`host.hostname` | `keyword` | Hostname of the host. |
 |`host.name` | `keyword` | Name of the host. |

_shared_content/operations_center/integrations/generated/3f330d19-fdea-48ac-96bd-91a447bb26bd.md

@@ -653,6 +653,83 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 	```
 
 
+=== "event_pua_detected_2.json"
+
+    ```json
+
+    {
+        "message": "{\"appSha256\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\", \"source_info\": {\"ip\": \"1.2.3.4\"}, \"customer_id\": \"d9b11461-9678-4448-ab88-4b5211d2bf5e\", \"endpoint_id\": \"61092e0b-b6f5-46c5-b0a7-68ee3b2dc822\", \"endpoint_type\": \"computer\", \"threat\": \"Generic Reputation PUA\", \"origin\": \"ML\", \"type\": \"Event::Endpoint::CorePuaDetection\", \"id\": \"c39307f6-0c51-4a55-af23-f2ac7905416d\", \"group\": \"PUA\", \"rt\": \"2023-08-07T21:55:28.843Z\", \"severity\": \"medium\", \"duid\": \"63ed3118d043e176065be9ba\", \"end\": \"2023-08-07T21:55:27.508Z\", \"name\": \"PUA detected: 'Generic Reputation PUA' at 'C:\\\\Users\\\\John Doe\\\\Documents\\\\suspicious.zip'\", \"dhost\": \"LAPTOP-01\", \"suser\": \"LAPTOP-01\\\\John Doe\"}",
+        "event": {
+            "action": "detected",
+            "category": [
+                "file"
+            ],
+            "code": "Event::Endpoint::CorePuaDetection",
+            "end": "2023-08-07T21:55:27.508000Z",
+            "kind": "event",
+            "reason": "PUA detected: 'Generic Reputation PUA' at 'C:\\Users\\John Doe\\Documents\\suspicious.zip'",
+            "type": [
+                "info"
+            ]
+        },
+        "@timestamp": "2023-08-07T21:55:28.843000Z",
+        "file": {
+            "directory": "C:\\Users\\John Doe\\Documents",
+            "hash": {
+                "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b"
+            },
+            "name": "suspicious.zip",
+            "path": "C:\\Users\\John Doe\\Documents\\suspicious.zip"
+        },
+        "host": {
+            "hostname": "LAPTOP-01",
+            "name": "LAPTOP-01"
+        },
+        "log": {
+            "level": "medium"
+        },
+        "observer": {
+            "ip": "1.2.3.4"
+        },
+        "related": {
+            "hash": [
+                "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b"
+            ],
+            "hosts": [
+                "LAPTOP-01"
+            ],
+            "ip": [
+                "1.2.3.4"
+            ],
+            "user": [
+                "John Doe"
+            ]
+        },
+        "rule": {
+            "name": "Generic Reputation PUA"
+        },
+        "sophos": {
+            "customer": {
+                "id": "d9b11461-9678-4448-ab88-4b5211d2bf5e"
+            },
+            "endpoint": {
+                "id": "61092e0b-b6f5-46c5-b0a7-68ee3b2dc822",
+                "type": "computer"
+            },
+            "event": {
+                "group": "PUA"
+            }
+        },
+        "user": {
+            "domain": "LAPTOP-01",
+            "id": "63ed3118d043e176065be9ba",
+            "name": "John Doe"
+        }
+    }
+    	
+	```
+
+
 === "event_registered.json"
 
     ```json
@@ -1087,6 +1164,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
 |`event.reason` | `keyword` | Reason why this event happened, according to the source |
 |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
+|`file.hash.sha256` | `keyword` | SHA256 hash. |
 |`file.path` | `keyword` | Full path to the file, including the file name. |
 |`file.size` | `long` | File size in bytes. |
 |`host.hostname` | `keyword` | Hostname of the host. |