diff --git a/_shared_content/operations_center/integrations/generated/0642b03a-9d4a-4c88-a5e2-4597e366b8c4.md b/_shared_content/operations_center/integrations/generated/0642b03a-9d4a-4c88-a5e2-4597e366b8c4.md
index 80f1d6d5ab..c774012bdd 100644
--- a/_shared_content/operations_center/integrations/generated/0642b03a-9d4a-4c88-a5e2-4597e366b8c4.md
+++ b/_shared_content/operations_center/integrations/generated/0642b03a-9d4a-4c88-a5e2-4597e366b8c4.md
@@ -373,7 +373,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```json
{
- "message": "2023-05-11T10:22:26.181+0000: 23134193.224: [GC (Allocation Failure)",
+ "message": "2023-05-11T10:22:26.181+0000: 23134193.224: [GC (Allocation Failure)]",
"event": {
"category": [
"network"
@@ -393,30 +393,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```
-=== "others_events_type4.json"
-
- ```json
-
- {
- "message": "Desired survivor size 1572864 bytes, new threshold 1 (max 15)",
- "event": {
- "category": [
- "network"
- ],
- "reason": "Desired survivor size 1572864 bytes, new threshold 1 (max 15)",
- "type": [
- "connection"
- ]
- },
- "observer": {
- "product": "VCenter",
- "vendor": "VMWare"
- }
- }
-
- ```
-
-
=== "others_events_type5.json"
```json
@@ -545,7 +521,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"category": [
"network"
],
- "reason": "WeakReference, 0 refs, 0.0000061 secs]",
+ "reason": "WeakReference, 0 refs, 0.0000061 secs",
"type": [
"connection"
]
@@ -570,7 +546,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"category": [
"network"
],
- "reason": "FinalReference, 150 refs, 0.0004388 secs]",
+ "reason": "FinalReference, 150 refs, 0.0004388 secs",
"type": [
"connection"
]
@@ -595,7 +571,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"category": [
"network"
],
- "reason": "PhantomReference, 0 refs, 0 refs, 0.0000065 secs]",
+ "reason": "PhantomReference, 0 refs, 0 refs, 0.0000065 secs",
"type": [
"connection"
]
@@ -620,7 +596,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"category": [
"network"
],
- "reason": "JNI Weak Reference, 0.0000149 secs]",
+ "reason": "JNI Weak Reference, 0.0000149 secs",
"type": [
"connection"
]
@@ -645,7 +621,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"category": [
"network"
],
- "reason": "SoftReference, 0 refs, 0.0000457 secs]",
+ "reason": "SoftReference, 0 refs, 0.0000457 secs",
"type": [
"connection"
]
diff --git a/_shared_content/operations_center/integrations/generated/2ffff1fd-fed7-4a24-927a-d619f2bb584a.md b/_shared_content/operations_center/integrations/generated/2ffff1fd-fed7-4a24-927a-d619f2bb584a.md
new file mode 100644
index 0000000000..88954c8f17
--- /dev/null
+++ b/_shared_content/operations_center/integrations/generated/2ffff1fd-fed7-4a24-927a-d619f2bb584a.md
@@ -0,0 +1,1056 @@
+
+## Event Categories
+
+
+The following table lists the data source offered by this integration.
+
+| Data Source | Description |
+| ----------- | ------------------------------------ |
+| `Network device logs` | Logs from devices connected to the ESET Protect platform |
+| `Authentication logs` | Log in/Log out logs |
+| `Host network interface` | Some interface logs |
+| `Web application firewall logs` | Logs from the web application firewall |
+
+
+
+
+
+In details, the following table denotes the type of events produced by this integration.
+
+| Name | Values |
+| ---- | ------ |
+| Kind | `alert` |
+| Category | `intrusion_detection`, `malware`, `network` |
+| Type | `info` |
+
+
+
+
+## Event Samples
+
+Find below few samples of events and how they are normalized by Sekoia.io.
+
+
+=== "test_alert_1.json"
+
+ ```json
+
+ {
+ "message": "{\n \"event_type\": \"ESET Inspect Alert\",\n \"ipv4\": \"3.4.5.6\",\n \"hostname\": \"desktop01.example.com\",\n \"os_name\": \"Microsoft Windows Server 2012 R2 Standard\",\n \"group_name\": \"Example/Domain Controllers\",\n \"source_uuid\": \"7c94f9e1-5a7f-4f69-8f33-8e8316798b0b\",\n \"occured\": \"20-May-2024 09:08:10\",\n \"severity\": \"Warning\",\n \"processname\": \"%SYSTEM%\\\\nslookup.exe\",\n \"username\": \"nt authority\\\\system\",\n \"rulename\": \"Nslookup wrote a file [F0500]\",\n \"count\": 1,\n \"hash\": \"ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC\",\n \"eialarmid\": \"1234\",\n \"eiconsolelink\": \"https://dark.example.org:443/console/detection/1234\",\n \"computer_severity_score\": \"60\",\n \"severity_score\": \"46\"\n}",
+ "event": {
+ "category": [
+ "intrusion_detection"
+ ],
+ "dataset": "ESET Inspect Alert",
+ "kind": "alert",
+ "reference": "https://dark.example.org:443/console/detection/1234",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-05-20T09:08:10Z",
+ "eset": {
+ "protect": {
+ "eialarmid": "1234"
+ }
+ },
+ "host": {
+ "domain": "Example/Domain Controllers",
+ "id": "7c94f9e1-5a7f-4f69-8f33-8e8316798b0b",
+ "ip": [
+ "3.4.5.6"
+ ],
+ "name": "desktop01.example.com",
+ "os": {
+ "full": "Microsoft Windows Server 2012 R2 Standard"
+ }
+ },
+ "observer": {
+ "product": "ESET Protect",
+ "type": "sensor",
+ "vendor": "ESET"
+ },
+ "process": {
+ "executable": "%SYSTEM%\\nslookup.exe",
+ "name": "nslookup.exe"
+ },
+ "related": {
+ "ip": [
+ "3.4.5.6"
+ ]
+ },
+ "rule": {
+ "name": "Nslookup wrote a file [F0500]"
+ }
+ }
+
+ ```
+
+
+=== "test_alert_2.json"
+
+ ```json
+
+ {
+ "message": "{\n \"event_type\": \"ESET Inspect Alert\",\n \"ipv4\": \"3.4.5.6\",\n \"hostname\": \"desktop01.example.com\",\n \"os_name\": \"Microsoft Windows Server 2012 R2 Standard\",\n \"group_name\": \"Example/Domain Controllers\",\n \"source_uuid\": \"7c94f9e1-5a7f-4f69-8f33-8e8316798b0b\",\n \"occured\": \"20-May-2024 09:08:10\",\n \"severity\": \"Warning\",\n \"processname\": \"%SYSTEM%\\\\nslookup.exe\",\n \"username\": \"nt authority\\\\system\",\n \"rule_name\": \"Nslookup wrote a file [F0500]\",\n \"count\": 1,\n \"hash\": \"ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC\",\n \"eialarmid\": \"1234\",\n \"eiconsolelink\": \"https://dark.example.org:443/console/detection/1234\",\n \"computer_severity_score\": \"60\",\n \"severity_score\": \"46\"\n}",
+ "event": {
+ "category": [
+ "intrusion_detection"
+ ],
+ "dataset": "ESET Inspect Alert",
+ "kind": "alert",
+ "reference": "https://dark.example.org:443/console/detection/1234",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-05-20T09:08:10Z",
+ "eset": {
+ "protect": {
+ "eialarmid": "1234"
+ }
+ },
+ "host": {
+ "domain": "Example/Domain Controllers",
+ "id": "7c94f9e1-5a7f-4f69-8f33-8e8316798b0b",
+ "ip": [
+ "3.4.5.6"
+ ],
+ "name": "desktop01.example.com",
+ "os": {
+ "full": "Microsoft Windows Server 2012 R2 Standard"
+ }
+ },
+ "observer": {
+ "product": "ESET Protect",
+ "type": "sensor",
+ "vendor": "ESET"
+ },
+ "process": {
+ "executable": "%SYSTEM%\\nslookup.exe",
+ "name": "nslookup.exe"
+ },
+ "related": {
+ "ip": [
+ "3.4.5.6"
+ ]
+ },
+ "rule": {
+ "name": "Nslookup wrote a file [F0500]"
+ }
+ }
+
+ ```
+
+
+=== "test_audit_event_1.json"
+
+ ```json
+
+ {
+ "message": "{\n \"event_type\": \"Audit_Event\",\n \"ipv4\": \"3.4.5.6\",\n \"hostname\": \"auvergnat\",\n \"source_uuid\": \"7c94f9e1-5a7f-4f69-8f33-8e8316798b0b\",\n \"occured\": \"20-May-2024 09:05:05\",\n \"severity\": \"Information\",\n \"domain\": \"Update modules\",\n \"action\": \"Update\",\n \"detail\": \"Modules successfully updated.\",\n \"user\": \"jdoe\",\n \"result\": \"Success\"\n}",
+ "event": {
+ "action": "Update",
+ "category": [
+ "package"
+ ],
+ "dataset": "Audit_Event",
+ "outcome": "success",
+ "reason": "Modules successfully updated.",
+ "type": [
+ "change"
+ ]
+ },
+ "@timestamp": "2024-05-20T09:05:05Z",
+ "eset": {
+ "protect": {
+ "domain": "Update modules"
+ }
+ },
+ "host": {
+ "id": "7c94f9e1-5a7f-4f69-8f33-8e8316798b0b",
+ "ip": [
+ "3.4.5.6"
+ ],
+ "name": "auvergnat"
+ },
+ "observer": {
+ "product": "ESET Protect",
+ "type": "sensor",
+ "vendor": "ESET"
+ },
+ "related": {
+ "ip": [
+ "3.4.5.6"
+ ],
+ "user": [
+ "jdoe"
+ ]
+ },
+ "user": {
+ "name": "jdoe"
+ }
+ }
+
+ ```
+
+
+=== "test_audit_event_2.json"
+
+ ```json
+
+ {
+ "message": "{\n \"event_type\": \"Audit_Event\",\n \"ipv4\": \"3.4.5.6\",\n \"hostname\": \"auvergnat\",\n \"source_uuid\": \"7c94f9e1-5a7f-4f69-8f33-8e8316798b0b\",\n \"occured\": \"20-May-2024 09:14:03\",\n \"severity\": \"Information\",\n \"domain\": \"Native user\",\n \"action\": \"Logout\",\n \"target\": \"Administrator\",\n \"detail\": \"Logging out native user 'Administrator'.\",\n \"user\": \"Administrator\",\n \"result\": \"Success\"\n}",
+ "event": {
+ "action": "Logout",
+ "category": [
+ "authentication"
+ ],
+ "dataset": "Audit_Event",
+ "outcome": "success",
+ "reason": "Logging out native user 'Administrator'.",
+ "type": [
+ "end"
+ ]
+ },
+ "@timestamp": "2024-05-20T09:14:03Z",
+ "eset": {
+ "protect": {
+ "domain": "Native user"
+ }
+ },
+ "host": {
+ "id": "7c94f9e1-5a7f-4f69-8f33-8e8316798b0b",
+ "ip": [
+ "3.4.5.6"
+ ],
+ "name": "auvergnat"
+ },
+ "observer": {
+ "product": "ESET Protect",
+ "type": "sensor",
+ "vendor": "ESET"
+ },
+ "related": {
+ "ip": [
+ "3.4.5.6"
+ ],
+ "user": [
+ "Administrator"
+ ]
+ },
+ "user": {
+ "name": "Administrator"
+ }
+ }
+
+ ```
+
+
+=== "test_audit_event_3.json"
+
+ ```json
+
+ {
+ "message": "{\n \"event_type\": \"Audit_Event\",\n \"ipv4\": \"3.4.5.6\",\n \"hostname\": \"auvergnat\",\n \"source_uuid\": \"7c94f9e1-5a7f-4f69-8f33-8e8316798b0b\",\n \"occured\": \"10-May-2024 10:59:26\",\n \"severity\": \"Information\",\n \"domain\": \"ESET INSPECT\",\n \"action\": \"Marked as Resolved\",\n \"target\": \"7c94f9e1-5a7f-4f69-8f33-8e8316798b0b\",\n \"detail\": \"Resolved via ESET INSPECT\",\n \"user\": \"Administrator\",\n \"result\": \"Success\"\n}",
+ "event": {
+ "action": "Marked as Resolved",
+ "category": [
+ "host"
+ ],
+ "dataset": "Audit_Event",
+ "outcome": "success",
+ "reason": "Resolved via ESET INSPECT",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-05-10T10:59:26Z",
+ "eset": {
+ "protect": {
+ "domain": "ESET INSPECT"
+ }
+ },
+ "host": {
+ "id": "7c94f9e1-5a7f-4f69-8f33-8e8316798b0b",
+ "ip": [
+ "3.4.5.6"
+ ],
+ "name": "auvergnat"
+ },
+ "observer": {
+ "product": "ESET Protect",
+ "type": "sensor",
+ "vendor": "ESET"
+ },
+ "related": {
+ "ip": [
+ "3.4.5.6"
+ ],
+ "user": [
+ "Administrator"
+ ]
+ },
+ "user": {
+ "name": "Administrator"
+ }
+ }
+
+ ```
+
+
+=== "test_audit_event_4.json"
+
+ ```json
+
+ {
+ "message": "{\n \"event_type\": \"Audit_Event\",\n \"ipv4\": \"3.4.5.6\",\n \"hostname\": \"auvergnat\",\n \"os_name\": \"Microsoft Windows Server 2019 Datacenter Evaluation\",\n \"group_name\": \"EXAMPLE/Outer\",\n \"source_uuid\": \"7c94f9e1-5a7f-4f69-8f33-8e8316798b0b\",\n \"occured\": \"10-May-2024 10:58:28\",\n \"severity\": \"Information\",\n \"domain\": \"ESET INSPECT\",\n \"action\": \"Detections\",\n \"target\": \"00000000-0000-0000-7002-000000000002\",\n \"detail\": \"Detection \\\"Rule; Suspicious Service Executed [B0902]\\\" resolved\",\n \"user\": \"Administrator\",\n \"result\": \"Success\"\n}",
+ "event": {
+ "action": "Detections",
+ "category": [
+ "host"
+ ],
+ "dataset": "Audit_Event",
+ "outcome": "success",
+ "reason": "Detection \"Rule; Suspicious Service Executed [B0902]\" resolved",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-05-10T10:58:28Z",
+ "eset": {
+ "protect": {
+ "domain": "ESET INSPECT"
+ }
+ },
+ "host": {
+ "domain": "EXAMPLE/Outer",
+ "id": "7c94f9e1-5a7f-4f69-8f33-8e8316798b0b",
+ "ip": [
+ "3.4.5.6"
+ ],
+ "name": "auvergnat",
+ "os": {
+ "full": "Microsoft Windows Server 2019 Datacenter Evaluation"
+ }
+ },
+ "observer": {
+ "product": "ESET Protect",
+ "type": "sensor",
+ "vendor": "ESET"
+ },
+ "related": {
+ "ip": [
+ "3.4.5.6"
+ ],
+ "user": [
+ "Administrator"
+ ]
+ },
+ "user": {
+ "name": "Administrator"
+ }
+ }
+
+ ```
+
+
+=== "test_audit_event_5.json"
+
+ ```json
+
+ {
+ "message": "{\n \"event_type\": \"Audit_Event\",\n \"ipv4\": \"3.4.5.6\",\n \"hostname\": \"auvergnat\",\n \"source_uuid\": \"7c94f9e1-5a7f-4f69-8f33-8e8316798b0b\",\n \"occured\": \"10-May-2024 10:55:05\",\n \"severity\": \"Information\",\n \"domain\": \"Single-sign-on token\",\n \"action\": \"Single sign on token issue\",\n \"detail\": \"Single Sign On Session Token '********' issued for native user 'Administrator'.\",\n \"user\": \"\",\n \"result\": \"Success\"\n}",
+ "event": {
+ "action": "Single sign on token issue",
+ "category": [
+ "authentication"
+ ],
+ "dataset": "Audit_Event",
+ "outcome": "success",
+ "reason": "Single Sign On Session Token '********' issued for native user 'Administrator'.",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-05-10T10:55:05Z",
+ "eset": {
+ "protect": {
+ "domain": "Single-sign-on token"
+ }
+ },
+ "host": {
+ "id": "7c94f9e1-5a7f-4f69-8f33-8e8316798b0b",
+ "ip": [
+ "3.4.5.6"
+ ],
+ "name": "auvergnat"
+ },
+ "observer": {
+ "product": "ESET Protect",
+ "type": "sensor",
+ "vendor": "ESET"
+ },
+ "related": {
+ "ip": [
+ "3.4.5.6"
+ ]
+ }
+ }
+
+ ```
+
+
+=== "test_audit_event_6.json"
+
+ ```json
+
+ {
+ "message": "{\n \"event_type\": \"Audit_Event\",\n \"ipv4\": \"3.4.5.6\",\n \"hostname\": \"auvergnat\",\n \"source_uuid\": \"7c94f9e1-5a7f-4f69-8f33-8e8316798b0b\",\n \"occured\": \"10-May-2024 10:55:05\",\n \"severity\": \"Information\",\n \"domain\": \"Single-sign-on token\",\n \"action\": \"Single sign on token issue\",\n \"cause\": \"Single Sign On Session Token '********' issued for native user 'Administrator'.\",\n \"user\": \"\",\n \"result\": \"Success\"\n}",
+ "event": {
+ "action": "Single sign on token issue",
+ "category": [
+ "authentication"
+ ],
+ "dataset": "Audit_Event",
+ "outcome": "success",
+ "reason": "Single Sign On Session Token '********' issued for native user 'Administrator'.",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-05-10T10:55:05Z",
+ "eset": {
+ "protect": {
+ "domain": "Single-sign-on token"
+ }
+ },
+ "host": {
+ "id": "7c94f9e1-5a7f-4f69-8f33-8e8316798b0b",
+ "ip": [
+ "3.4.5.6"
+ ],
+ "name": "auvergnat"
+ },
+ "observer": {
+ "product": "ESET Protect",
+ "type": "sensor",
+ "vendor": "ESET"
+ },
+ "related": {
+ "ip": [
+ "3.4.5.6"
+ ]
+ }
+ }
+
+ ```
+
+
+=== "test_audit_event_7.json"
+
+ ```json
+
+ {
+ "message": "{\n \"event_type\": \"Audit_Event\",\n \"ipv4\": \"3.4.5.6\",\n \"hostname\": \"auvergnat\",\n \"source_uuid\": \"7c94f9e1-5a7f-4f69-8f33-8e8316798b0b\",\n \"occured\": \"10-May-2024 10:55:05\",\n \"severity\": \"Information\",\n \"domain\": \"Single-sign-on token\",\n \"action\": \"Single sign on token issue\",\n \"cause\": \"Single Sign On Session Token '********' issued for native user 'Administrator'.\",\n \"user\": \"\",\n \"result\": \"Failure\"\n}",
+ "event": {
+ "action": "Single sign on token issue",
+ "category": [
+ "authentication"
+ ],
+ "dataset": "Audit_Event",
+ "outcome": "failure",
+ "reason": "Single Sign On Session Token '********' issued for native user 'Administrator'.",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-05-10T10:55:05Z",
+ "eset": {
+ "protect": {
+ "domain": "Single-sign-on token"
+ }
+ },
+ "host": {
+ "id": "7c94f9e1-5a7f-4f69-8f33-8e8316798b0b",
+ "ip": [
+ "3.4.5.6"
+ ],
+ "name": "auvergnat"
+ },
+ "observer": {
+ "product": "ESET Protect",
+ "type": "sensor",
+ "vendor": "ESET"
+ },
+ "related": {
+ "ip": [
+ "3.4.5.6"
+ ]
+ }
+ }
+
+ ```
+
+
+=== "test_audit_event_8.json"
+
+ ```json
+
+ {
+ "message": "{\n \"event_type\": \"Audit_Event\",\n \"ipv4\": \"3.4.5.6\",\n \"hostname\": \"auvergnat\",\n \"source_uuid\": \"7c94f9e1-5a7f-4f69-8f33-8e8316798b0b\",\n \"occured\": \"10-May-2024 10:55:05\",\n \"severity\": \"Information\",\n \"domain\": \"Single-sign-on token\",\n \"action\": \"Single sign on token issue\",\n \"cause\": \"Single Sign On Session Token '********' issued for native user 'Administrator'.\",\n \"user\": \"john.doe@example.com\",\n \"result\": \"Failure\"\n}",
+ "event": {
+ "action": "Single sign on token issue",
+ "category": [
+ "authentication"
+ ],
+ "dataset": "Audit_Event",
+ "outcome": "failure",
+ "reason": "Single Sign On Session Token '********' issued for native user 'Administrator'.",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-05-10T10:55:05Z",
+ "eset": {
+ "protect": {
+ "domain": "Single-sign-on token"
+ }
+ },
+ "host": {
+ "id": "7c94f9e1-5a7f-4f69-8f33-8e8316798b0b",
+ "ip": [
+ "3.4.5.6"
+ ],
+ "name": "auvergnat"
+ },
+ "observer": {
+ "product": "ESET Protect",
+ "type": "sensor",
+ "vendor": "ESET"
+ },
+ "related": {
+ "ip": [
+ "3.4.5.6"
+ ],
+ "user": [
+ "john.doe"
+ ]
+ },
+ "user": {
+ "domain": "example.com",
+ "name": "john.doe"
+ }
+ }
+
+ ```
+
+
+=== "test_firewall_1.json"
+
+ ```json
+
+ {
+ "message": "{\n \"event_type\": \"FirewallAggregated_Event\",\n \"ipv4\": \"3.4.5.6\",\n \"hostname\": \"server01.example.org\",\n \"os_name\": \"Microsoft Windows 10 Pro\",\n \"group_name\": \"EXAMPLE/Outer\",\n \"source_uuid\": \"7c94f9e1-5a7f-4f69-8f33-8e8316798b0b\",\n \"occured\": \"07-May-2024 07:42:01\",\n \"severity\": \"Fatal\",\n \"event\": \"Suspected botnet detected\",\n \"source_address\": \"1.2.3.4\",\n \"source_address_type\": \"IPv4\",\n \"source_port\": 22089,\n \"target_address\": \"5.6.7.8\",\n \"target_address_type\": \"IPv4\",\n \"target_port\": 57178,\n \"protocol\": \"TCP\",\n \"action\": \"Blocked\",\n \"handled\": true,\n \"process_name\": \"C:\\\\Windows\\\\Temp\\\\tmpseajke.exe\",\n \"inbound\": true,\n \"threat_name\": \"Win32/RiskWare.Meterpreter.A\",\n \"aggregate_count\": 1\n}",
+ "event": {
+ "action": "Blocked",
+ "category": [
+ "network"
+ ],
+ "dataset": "FirewallAggregated_Event",
+ "reason": "Suspected botnet detected",
+ "type": [
+ "denied"
+ ]
+ },
+ "@timestamp": "2024-05-07T07:42:01Z",
+ "eset": {
+ "protect": {
+ "threat_name": "Win32/RiskWare.Meterpreter.A"
+ }
+ },
+ "host": {
+ "domain": "EXAMPLE/Outer",
+ "id": "7c94f9e1-5a7f-4f69-8f33-8e8316798b0b",
+ "ip": [
+ "3.4.5.6"
+ ],
+ "name": "server01.example.org",
+ "os": {
+ "full": "Microsoft Windows 10 Pro"
+ }
+ },
+ "network": {
+ "protocol": "TCP"
+ },
+ "observer": {
+ "product": "ESET Protect",
+ "type": "sensor",
+ "vendor": "ESET"
+ },
+ "process": {
+ "executable": "C:\\Windows\\Temp\\tmpseajke.exe",
+ "name": "tmpseajke.exe"
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4",
+ "3.4.5.6"
+ ]
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4",
+ "port": 22089
+ }
+ }
+
+ ```
+
+
+=== "test_firewall_2.json"
+
+ ```json
+
+ {
+ "message": "{\n \"event_type\": \"FirewallAggregated_Event\",\n \"ipv4\": \"3.4.5.6\",\n \"hostname\": \"server01.example.org\",\n \"os_name\": \"Microsoft Windows 10 Pro\",\n \"group_name\": \"EXAMPLE/Outer\",\n \"source_uuid\": \"7c94f9e1-5a7f-4f69-8f33-8e8316798b0b\",\n \"occured\": \"07-May-2024 07:42:01\",\n \"severity\": \"Fatal\",\n \"event\": \"Suspected botnet detected\",\n \"source_address\": \"1.2.3.4\",\n \"source_address_type\": \"IPv4\",\n \"source_port\": 22089,\n \"target_address\": \"5.6.7.8\",\n \"target_address_type\": \"IPv4\",\n \"target_port\": 57178,\n \"protocol\": \"TCP\",\n \"action\": \"Blocked\",\n \"handled\": true,\n \"processname\": \"C:\\\\Windows\\\\Temp\\\\tmpseajke.exe\",\n \"inbound\": true,\n \"threat_name\": \"Win32/RiskWare.Meterpreter.A\",\n \"aggregate_count\": 1\n}",
+ "event": {
+ "action": "Blocked",
+ "category": [
+ "network"
+ ],
+ "dataset": "FirewallAggregated_Event",
+ "reason": "Suspected botnet detected",
+ "type": [
+ "denied"
+ ]
+ },
+ "@timestamp": "2024-05-07T07:42:01Z",
+ "eset": {
+ "protect": {
+ "threat_name": "Win32/RiskWare.Meterpreter.A"
+ }
+ },
+ "host": {
+ "domain": "EXAMPLE/Outer",
+ "id": "7c94f9e1-5a7f-4f69-8f33-8e8316798b0b",
+ "ip": [
+ "3.4.5.6"
+ ],
+ "name": "server01.example.org",
+ "os": {
+ "full": "Microsoft Windows 10 Pro"
+ }
+ },
+ "network": {
+ "protocol": "TCP"
+ },
+ "observer": {
+ "product": "ESET Protect",
+ "type": "sensor",
+ "vendor": "ESET"
+ },
+ "process": {
+ "executable": "C:\\Windows\\Temp\\tmpseajke.exe",
+ "name": "tmpseajke.exe"
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4",
+ "3.4.5.6"
+ ]
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4",
+ "port": 22089
+ }
+ }
+
+ ```
+
+
+=== "test_firewall_3.json"
+
+ ```json
+
+ {
+ "message": "{\n \"event_type\": \"FirewallAggregated_Event\",\n \"ipv4\": \"3.4.5.6\",\n \"hostname\": \"server01.example.org\",\n \"os_name\": \"Microsoft Windows 10 Pro\",\n \"group_name\": \"EXAMPLE/Outer\",\n \"source_uuid\": \"7c94f9e1-5a7f-4f69-8f33-8e8316798b0b\",\n \"occured\": \"07-May-2024 07:42:01\",\n \"severity\": \"Fatal\",\n \"event\": \"Suspected botnet detected\",\n \"source_address\": \"1.2.3.4\",\n \"source_address_type\": \"IPv4\",\n \"source_port\": 22089,\n \"target_address\": \"5.6.7.8\",\n \"target_address_type\": \"IPv4\",\n \"target_port\": 57178,\n \"protocol\": \"TCP\",\n \"action\": \"Blocked\",\n \"handled\": true,\n \"processname\": \"C:\\\\Windows\\\\Temp\\\\tmpseajke.exe\",\n \"inbound\": true,\n \"threat_name\": \"Win32/RiskWare.Meterpreter.A\",\n \"aggregate_count\": 1\n}",
+ "event": {
+ "action": "Blocked",
+ "category": [
+ "network"
+ ],
+ "dataset": "FirewallAggregated_Event",
+ "reason": "Suspected botnet detected",
+ "type": [
+ "denied"
+ ]
+ },
+ "@timestamp": "2024-05-07T07:42:01Z",
+ "eset": {
+ "protect": {
+ "threat_name": "Win32/RiskWare.Meterpreter.A"
+ }
+ },
+ "host": {
+ "domain": "EXAMPLE/Outer",
+ "id": "7c94f9e1-5a7f-4f69-8f33-8e8316798b0b",
+ "ip": [
+ "3.4.5.6"
+ ],
+ "name": "server01.example.org",
+ "os": {
+ "full": "Microsoft Windows 10 Pro"
+ }
+ },
+ "network": {
+ "protocol": "TCP"
+ },
+ "observer": {
+ "product": "ESET Protect",
+ "type": "sensor",
+ "vendor": "ESET"
+ },
+ "process": {
+ "executable": "C:\\Windows\\Temp\\tmpseajke.exe",
+ "name": "tmpseajke.exe"
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4",
+ "3.4.5.6"
+ ]
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4",
+ "port": 22089
+ }
+ }
+
+ ```
+
+
+=== "test_firewall_4.json"
+
+ ```json
+
+ {
+ "message": "{\n \"event_type\": \"FirewallAggregated_Event\",\n \"ipv4\": \"3.4.5.6\",\n \"hostname\": \"server01.example.org\",\n \"os_name\": \"Microsoft Windows 10 Pro\",\n \"group_name\": \"EXAMPLE/Outer\",\n \"source_uuid\": \"7c94f9e1-5a7f-4f69-8f33-8e8316798b0b\",\n \"occured\": \"07-May-2024 07:42:01\",\n \"severity\": \"Fatal\",\n \"event\": \"Suspected botnet detected\",\n \"destination_address\": \"1.2.3.4\",\n \"source_address_type\": \"IPv4\",\n \"destination_port\": 22089,\n \"target_address\": \"5.6.7.8\",\n \"target_address_type\": \"IPv4\",\n \"target_port\": 57178,\n \"protocol\": \"TCP\",\n \"action\": \"Blocked\",\n \"handled\": true,\n \"process_name\": \"C:\\\\Windows\\\\Temp\\\\tmpseajke.exe\",\n \"inbound\": true,\n \"threat_name\": \"Win32/RiskWare.Meterpreter.A\",\n \"aggregate_count\": 1\n}",
+ "event": {
+ "action": "Blocked",
+ "category": [
+ "network"
+ ],
+ "dataset": "FirewallAggregated_Event",
+ "reason": "Suspected botnet detected",
+ "type": [
+ "denied"
+ ]
+ },
+ "@timestamp": "2024-05-07T07:42:01Z",
+ "destination": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4",
+ "port": 22089
+ },
+ "eset": {
+ "protect": {
+ "threat_name": "Win32/RiskWare.Meterpreter.A"
+ }
+ },
+ "host": {
+ "domain": "EXAMPLE/Outer",
+ "id": "7c94f9e1-5a7f-4f69-8f33-8e8316798b0b",
+ "ip": [
+ "3.4.5.6"
+ ],
+ "name": "server01.example.org",
+ "os": {
+ "full": "Microsoft Windows 10 Pro"
+ }
+ },
+ "network": {
+ "protocol": "TCP"
+ },
+ "observer": {
+ "product": "ESET Protect",
+ "type": "sensor",
+ "vendor": "ESET"
+ },
+ "process": {
+ "executable": "C:\\Windows\\Temp\\tmpseajke.exe",
+ "name": "tmpseajke.exe"
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4",
+ "3.4.5.6"
+ ]
+ }
+ }
+
+ ```
+
+
+=== "test_hips_1.json"
+
+ ```json
+
+ {
+ "message": "{\n \"event_type\": \"HipsAggregated_Event\",\n \"ipv4\": \"192.168.30.181\",\n \"hostname\": \"test-w10-uefi\",\n \"group_name\": \"Lost & found\",\n \"source_uuid\": \"5dbe31ae-4ca7-4e8c-972f-15c197d12474\",\n \"occured\": \"21-Jun-2021 11:53:21\",\n \"severity\": \"Critical\",\n \"application\": \"C:\\\\Users\\\\Administrator\\\\Desktop\\\\es_pack_to_test\\\\test\\\\java.exe\",\n \"operation\": \"Attempt to run a suspicious object\",\n \"target\": \"C:\\\\Users\\\\Administrator\\\\Desktop\\\\es_pack_to_test\\\\test\\\\trojan.exe\",\n \"action\": \"blocked\",\n \"handled\": true,\n \"rule_id\": \"Suspicious attempt to launch an application\",\n \"aggregate_count\": 2\n}",
+ "event": {
+ "action": "blocked",
+ "category": [
+ "intrusion_detection"
+ ],
+ "dataset": "HipsAggregated_Event",
+ "reason": "Attempt to run a suspicious object",
+ "type": [
+ "denied"
+ ]
+ },
+ "@timestamp": "2021-06-21T11:53:21Z",
+ "host": {
+ "domain": "Lost & found",
+ "id": "5dbe31ae-4ca7-4e8c-972f-15c197d12474",
+ "ip": [
+ "192.168.30.181"
+ ],
+ "name": "test-w10-uefi"
+ },
+ "observer": {
+ "product": "ESET Protect",
+ "type": "sensor",
+ "vendor": "ESET"
+ },
+ "process": {
+ "executable": "C:\\Users\\Administrator\\Desktop\\es_pack_to_test\\test\\trojan.exe",
+ "name": "trojan.exe",
+ "parent": {
+ "executable": "C:\\Users\\Administrator\\Desktop\\es_pack_to_test\\test\\java.exe",
+ "name": "java.exe"
+ }
+ },
+ "related": {
+ "ip": [
+ "192.168.30.181"
+ ]
+ },
+ "rule": {
+ "id": "Suspicious attempt to launch an application"
+ }
+ }
+
+ ```
+
+
+=== "test_hips_2.json"
+
+ ```json
+
+ {
+ "message": "{\n \"event_type\": \"HipsAggregated_Event\",\n \"ipv4\": \"192.168.30.181\",\n \"hostname\": \"test-w10-uefi\",\n \"group_name\": \"Lost & found\",\n \"source_uuid\": \"5dbe31ae-4ca7-4e8c-972f-15c197d12474\",\n \"occured\": \"21-Jun-2021 11:53:21\",\n \"severity\": \"Critical\",\n \"application\": \"C:\\\\Users\\\\Administrator\\\\Desktop\\\\es_pack_to_test\\\\test\\\\java.exe\",\n \"operation\": \"Attempt to run a suspicious object\",\n \"target\": \"C:\\\\Users\\\\Administrator\\\\Desktop\\\\es_pack_to_test\\\\test\\\\trojan.exe\",\n \"action\": \"blocked\",\n \"handled\": true,\n \"rule_id\": \"Suspicious attempt to launch an application\",\n \"aggregate_count\": 2\n}",
+ "event": {
+ "action": "blocked",
+ "category": [
+ "intrusion_detection"
+ ],
+ "dataset": "HipsAggregated_Event",
+ "reason": "Attempt to run a suspicious object",
+ "type": [
+ "denied"
+ ]
+ },
+ "@timestamp": "2021-06-21T11:53:21Z",
+ "host": {
+ "domain": "Lost & found",
+ "id": "5dbe31ae-4ca7-4e8c-972f-15c197d12474",
+ "ip": [
+ "192.168.30.181"
+ ],
+ "name": "test-w10-uefi"
+ },
+ "observer": {
+ "product": "ESET Protect",
+ "type": "sensor",
+ "vendor": "ESET"
+ },
+ "process": {
+ "executable": "C:\\Users\\Administrator\\Desktop\\es_pack_to_test\\test\\trojan.exe",
+ "name": "trojan.exe",
+ "parent": {
+ "executable": "C:\\Users\\Administrator\\Desktop\\es_pack_to_test\\test\\java.exe",
+ "name": "java.exe"
+ }
+ },
+ "related": {
+ "ip": [
+ "192.168.30.181"
+ ]
+ },
+ "rule": {
+ "id": "Suspicious attempt to launch an application"
+ }
+ }
+
+ ```
+
+
+=== "test_threat_1.json"
+
+ ```json
+
+ {
+ "message": "{\n \"event_type\": \"Threat_Event\",\n \"ipv4\": \"3.4.5.6\",\n \"hostname\": \"server01.example.org\",\n \"os_name\": \"Microsoft Windows 10 Pro\",\n \"group_name\": \"Example/Outer\",\n \"source_uuid\": \"7c94f9e1-5a7f-4f69-8f33-8e8316798b0b\",\n \"occured\": \"07-May-2024 08:21:10\",\n \"severity\": \"Warning\",\n \"threat_type\": \"Trojan\",\n \"threat_name\": \"Win32/ShellcodeRunner.B\",\n \"threat_flags\": \"Variant\",\n \"scanner_id\": \"Idle scanner\",\n \"scan_id\": \"ndl3714149360.dat\",\n \"engine_version\": \"29184 (20240507)\",\n \"object_type\": \"File\",\n \"object_uri\": \"file:///C:/Windows/Temp/tmpsesusx.exe\",\n \"action_taken\": \"Cleaned by deleting\",\n \"threat_handled\": true,\n \"need_restart\": false,\n \"username\": \"EXAMPLE NT\\\\SYSTEM\",\n \"firstseen\": \"07-May-2024 07:44:39\",\n \"hash\": \"ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC\"\n}",
+ "event": {
+ "action": "Cleaned by deleting",
+ "category": [
+ "malware"
+ ],
+ "dataset": "Threat_Event",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-05-07T08:21:10Z",
+ "eset": {
+ "protect": {
+ "scan_id": "ndl3714149360.dat",
+ "scanner_id": "Idle scanner",
+ "threat_flags": "Variant",
+ "threat_name": "Win32/ShellcodeRunner.B",
+ "threat_type": "Trojan"
+ }
+ },
+ "file": {
+ "directory": "file:///C:/Windows/Temp",
+ "name": "tmpsesusx.exe",
+ "path": "file:///C:/Windows/Temp/tmpsesusx.exe"
+ },
+ "host": {
+ "domain": "Example/Outer",
+ "id": "7c94f9e1-5a7f-4f69-8f33-8e8316798b0b",
+ "ip": [
+ "3.4.5.6"
+ ],
+ "name": "server01.example.org",
+ "os": {
+ "full": "Microsoft Windows 10 Pro"
+ }
+ },
+ "observer": {
+ "product": "ESET Protect",
+ "type": "sensor",
+ "vendor": "ESET"
+ },
+ "related": {
+ "ip": [
+ "3.4.5.6"
+ ]
+ }
+ }
+
+ ```
+
+
+=== "test_threat_2.json"
+
+ ```json
+
+ {
+ "message": "{\n \"event_type\": \"Threat_Event\",\n \"ipv4\": \"3.4.5.6\",\n \"hostname\": \"server01.example.org\",\n \"os_name\": \"Microsoft Windows 10 Pro\",\n \"group_name\": \"Example/Outer\",\n \"source_uuid\": \"7c94f9e1-5a7f-4f69-8f33-8e8316798b0b\",\n \"occured\": \"06-May-2024 14:39:17\",\n \"severity\": \"Warning\",\n \"threat_type\": \"Trojan\",\n \"threat_name\": \"Win32/ShellcodeRunner.B\",\n \"threat_flags\": \"Variant\",\n \"scanner_id\": \"On-demand scanner\",\n \"scan_id\": \"ndl1556677733.dat\",\n \"engine_version\": \"29180 (20240506)\",\n \"object_type\": \"Operating memory\",\n \"object_uri\": \"file:///\",\n \"action_taken\": \"Contained infected files\",\n \"threat_handled\": true,\n \"need_restart\": false,\n \"username\": \"Example\\\\jdoe\"\n}",
+ "event": {
+ "action": "Contained infected files",
+ "category": [
+ "malware"
+ ],
+ "dataset": "Threat_Event",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-05-06T14:39:17Z",
+ "eset": {
+ "protect": {
+ "scan_id": "ndl1556677733.dat",
+ "scanner_id": "On-demand scanner",
+ "threat_flags": "Variant",
+ "threat_name": "Win32/ShellcodeRunner.B",
+ "threat_type": "Trojan"
+ }
+ },
+ "host": {
+ "domain": "Example/Outer",
+ "id": "7c94f9e1-5a7f-4f69-8f33-8e8316798b0b",
+ "ip": [
+ "3.4.5.6"
+ ],
+ "name": "server01.example.org",
+ "os": {
+ "full": "Microsoft Windows 10 Pro"
+ }
+ },
+ "observer": {
+ "product": "ESET Protect",
+ "type": "sensor",
+ "vendor": "ESET"
+ },
+ "related": {
+ "ip": [
+ "3.4.5.6"
+ ]
+ }
+ }
+
+ ```
+
+
+
+
+
+## Extracted Fields
+
+The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
+
+| Name | Type | Description |
+| ---- | ---- | ---------------------------|
+|`@timestamp` | `date` | Date/time when the event originated. |
+|`destination.ip` | `ip` | IP address of the destination. |
+|`destination.port` | `long` | Port of the destination. |
+|`eset.protect.domain` | `keyword` | ESET Protect event category |
+|`eset.protect.eialarmid` | `keyword` | ESET Protect event id |
+|`eset.protect.scan_id` | `keyword` | ESET Protect scan id |
+|`eset.protect.scanner_id` | `keyword` | ESET Protect scanner id |
+|`eset.protect.threat_flags` | `keyword` | ESET Protect threat flags |
+|`eset.protect.threat_name` | `keyword` | ESET Protect threat name |
+|`eset.protect.threat_type` | `keyword` | ESET Protect threat type |
+|`event.action` | `keyword` | The action captured by the event. |
+|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
+|`event.dataset` | `keyword` | Name of the dataset. |
+|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
+|`event.reason` | `keyword` | Reason why this event happened, according to the source |
+|`event.reference` | `keyword` | Event reference URL |
+|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
+|`file.path` | `keyword` | Full path to the file, including the file name. |
+|`host.domain` | `keyword` | Name of the directory the group is a member of. |
+|`host.id` | `keyword` | Unique host id. |
+|`host.ip` | `ip` | Host ip addresses. |
+|`host.name` | `keyword` | Name of the host. |
+|`host.os.full` | `keyword` | Operating system name, including the version or code name. |
+|`network.protocol` | `keyword` | Application protocol name. |
+|`observer.product` | `keyword` | The product name of the observer. |
+|`observer.type` | `keyword` | The type of the observer the data is coming from. |
+|`observer.vendor` | `keyword` | Vendor name of the observer. |
+|`process.executable` | `keyword` | Absolute path to the process executable. |
+|`process.name` | `keyword` | Process name. |
+|`process.parent.executable` | `keyword` | Absolute path to the process executable. |
+|`process.parent.name` | `keyword` | Process name. |
+|`rule.id` | `keyword` | Rule ID |
+|`rule.name` | `keyword` | Rule name |
+|`source.ip` | `ip` | IP address of the source. |
+|`source.port` | `long` | Port of the source. |
+|`user.domain` | `keyword` | Name of the directory the user is a member of. |
+|`user.name` | `keyword` | Short name or login of the user. |
+
diff --git a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md
index 9edd4dbc2d..3cffd17068 100644
--- a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md
+++ b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md
@@ -1198,6 +1198,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"log": {
"hostname": "SFRTAOA"
},
+ "organization": {
+ "id": "0198bff0ef04d4a8"
+ },
"process": {
"command_line": "C:\\windows\\system32\\cmd.exe /c wmic /namespace:\\\\root\\Microsoft\\Windows\\Defender path MSFT_MpComputerStatus get /format:list",
"executable": "C:\\Windows\\System32\\cmd.exe",
@@ -1565,6 +1568,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"log": {
"hostname": "jdoe"
},
+ "organization": {
+ "id": "6685e1111111"
+ },
"process": {
"command_line": "test1 query type= service",
"executable": "C:\\Windows\\test.exe",
@@ -1670,6 +1676,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"log": {
"hostname": "SARTE03"
},
+ "organization": {
+ "id": "8029547657723b01"
+ },
"related": {
"hosts": [
"SARTE03"
@@ -1707,6 +1716,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"rule_level": "critical",
"status": "new",
"threat_id": "55"
+ },
+ "organization": {
+ "id": "11111111111111111111"
}
}
@@ -1740,6 +1752,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"status": "new",
"threat_id": "829"
},
+ "organization": {
+ "id": "111111111111111"
+ },
"user": {
"roles": "MyGroup!"
}
@@ -1826,6 +1841,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"log": {
"hostname": "sfreort"
},
+ "organization": {
+ "id": "2222222222222222"
+ },
"related": {
"hosts": [
"sfreort"
@@ -2228,6 +2246,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"log": {
"hostname": "DS01"
},
+ "organization": {
+ "id": "1111111111111111"
+ },
"related": {
"hosts": [
"DS01"
diff --git a/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md b/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md
index c053317081..a870810865 100644
--- a/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md
+++ b/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md
@@ -64,12 +64,19 @@ Find below few samples of events and how they are normalized by Sekoia.io.
}
},
"process": {
+ "ossrc": {
+ "parent": {
+ "storyline_id": "0F91E6E7AB538ED5"
+ }
+ },
"parent": {
"command_line": "taskhostw.exe",
"executable": {
"name": "C:\\Windows\\System32\\taskhostw.exe"
- }
- }
+ },
+ "storyline_id": "3ED9E6E7AB538ED5"
+ },
+ "storyline_id": "3ED9E6E7AB538ED5"
},
"script": {
"app_name": "PowerShell_C:\\Windows\\System32\\sdiagnhost.exe_10.0.19041.1",
@@ -216,12 +223,20 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"sha256": "20330d3ca71d58f4aeb432676cb6a3d5b97005954e45132fb083e90782efdd50"
},
"name": "backgroundTaskHost.exe",
+ "ossrc": {
+ "parent": {
+ "storyline_id": "5696E5E7AB538ED5"
+ },
+ "storyline_id": "AC96E5E7AB538ED5"
+ },
"parent": {
"command_line": "sihost.exe",
"executable": {
"name": "C:\\Windows\\System32\\sihost.exe"
- }
- }
+ },
+ "storyline_id": "BE98E5E7AB538ED5"
+ },
+ "storyline_id": "6EB4E5E7AB538ED5"
}
},
"dns": {
@@ -364,6 +379,12 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"os": {
"revision": "19044"
}
+ },
+ "process": {
+ "parent": {
+ "storyline_id": "4735E7E7AB538ED5"
+ },
+ "storyline_id": "4735E7E7AB538ED5"
}
},
"file": {
@@ -482,6 +503,12 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"os": {
"revision": "19044"
}
+ },
+ "process": {
+ "parent": {
+ "storyline_id": "0447E5E7AB538ED5"
+ },
+ "storyline_id": "DA84E5E7AB538ED5"
}
},
"file": {
@@ -613,7 +640,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"hash": {
"sha256": "db780e2e5d8608f9a0bc77822ccbee64c8deece0120244b31af3fc4a8336d1aa"
},
- "name": "msedge.exe"
+ "name": "msedge.exe",
+ "ossrc": {
+ "storyline_id": "14C2E6E7AB538ED5"
+ },
+ "parent": {
+ "storyline_id": "96BFE6E7AB538ED5"
+ },
+ "storyline_id": "14C2E6E7AB538ED5"
}
},
"file": {
@@ -736,6 +770,12 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"os": {
"revision": "19044"
}
+ },
+ "process": {
+ "parent": {
+ "storyline_id": "D7D0E5E7AB538ED5"
+ },
+ "storyline_id": "85D1E5E7AB538ED5"
}
},
"file": {
@@ -859,7 +899,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"sha1": "8b3d7f4397dd79d66b753745a676da89439ed38e"
},
"path": "C:\\Users\\john.doe\\Desktop\\test.reg"
- }
+ },
+ "parent": {
+ "storyline_id": "96BFE6E7AB538ED5"
+ },
+ "storyline_id": "8EE6E6E7AB538ED5"
}
},
"host": {
@@ -971,6 +1015,12 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"description": "Code injection to other process memory space during the target process' initialization MITRE: Defense Evasion {T1055.012}, Privilege Escalation {T1055.012}",
"metadata": "To Process[ Name: \"msedge.exe\", Pid: \"8064\", UID: \"F328E6E7AB538ED5\", TrueContextID: \"2D1EE6E7AB538ED5\", IntegrityLevel: \"Low\", RelationToSource: \"Child\" ], File Path: \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\"",
"name": "PreloadInjection"
+ },
+ "process": {
+ "parent": {
+ "storyline_id": "2D1EE6E7AB538ED5"
+ },
+ "storyline_id": "2D1EE6E7AB538ED5"
}
},
"host": {
@@ -1079,6 +1129,12 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"os": {
"revision": "19044"
}
+ },
+ "process": {
+ "parent": {
+ "storyline_id": "EE96E5E7AB538ED5"
+ },
+ "storyline_id": "EE96E5E7AB538ED5"
}
},
"destination": {
@@ -1208,6 +1264,12 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"os": {
"revision": "19044"
}
+ },
+ "process": {
+ "parent": {
+ "storyline_id": "0591E6E7AB538ED5"
+ },
+ "storyline_id": "1B91E6E7AB538ED5"
}
},
"destination": {
@@ -1337,6 +1399,12 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"os": {
"revision": "19044"
}
+ },
+ "process": {
+ "parent": {
+ "storyline_id": "B491E6E7AB538ED5"
+ },
+ "storyline_id": "B491E6E7AB538ED5"
}
},
"destination": {
@@ -1474,6 +1542,12 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"os": {
"revision": "Debian GNU/11 (bullseye) 5.10.0-21-cloud-amd64"
}
+ },
+ "process": {
+ "parent": {
+ "storyline_id": "55a4cfe4-1718-2ae2-dc40-bc3f342f0eca"
+ },
+ "storyline_id": "55a4d014-9141-dea7-0774-371da18a6469"
}
},
"host": {
@@ -1597,6 +1671,12 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"os": {
"revision": "Debian GNU/11 (bullseye) 5.10.0-21-cloud-amd64"
}
+ },
+ "process": {
+ "parent": {
+ "storyline_id": "55d21a32-95e8-7a56-ad57-a9e6aac5a7bd"
+ },
+ "storyline_id": "55d21a33-24e0-2280-8049-e395c2fe0885"
}
},
"host": {
@@ -1708,6 +1788,10 @@ Find below few samples of events and how they are normalized by Sekoia.io.
}
},
"process": {
+ "parent": {
+ "storyline_id": "55d21a32-c658-5f3f-5d8f-57420736161e"
+ },
+ "storyline_id": "55d21a32-c658-5f3f-5d8f-57420736161e",
"target": {
"command_line": " ip -6 -a -o address",
"executable": "/usr/bin/ip",
@@ -1715,6 +1799,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"sha1": "3c954614f2c9af7181e4d00e00ab4485e4a9c33f"
},
"name": "ip",
+ "storyline_id": "55d21a32-c658-5f3f-5d8f-57420736161e",
"title": "ip",
"working_directory": "/usr/bin"
}
@@ -1849,7 +1934,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"hash": {
"sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88"
},
- "name": "svchost.exe"
+ "name": "svchost.exe",
+ "ossrc": {
+ "storyline_id": "4A96E5E7AB538ED5"
+ },
+ "parent": {
+ "storyline_id": "4896E5E7AB538ED5"
+ },
+ "storyline_id": "6196E5E7AB538ED5"
}
},
"host": {
@@ -1993,7 +2085,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"hash": {
"sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88"
},
- "name": "svchost.exe"
+ "name": "svchost.exe",
+ "ossrc": {
+ "storyline_id": "AD36E7E7AB538ED5"
+ },
+ "parent": {
+ "storyline_id": "AB36E7E7AB538ED5"
+ },
+ "storyline_id": "C136E7E7AB538ED5"
}
},
"host": {
@@ -2130,12 +2229,20 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"sha256": "20330d3ca71d58f4aeb432676cb6a3d5b97005954e45132fb083e90782efdd50"
},
"name": "backgroundTaskHost.exe",
+ "ossrc": {
+ "parent": {
+ "storyline_id": "5696E5E7AB538ED5"
+ },
+ "storyline_id": "5696E5E7AB538ED5"
+ },
"parent": {
"command_line": "sihost.exe",
"executable": {
"name": "C:\\Windows\\System32\\sihost.exe"
- }
+ },
+ "storyline_id": "BE98E5E7AB538ED5"
},
+ "storyline_id": "86B6E5E7AB538ED5",
"target": {
"command_line": "C:\\Windows\\System32\\RuntimeBroker.exe -Embedding",
"executable": "C:\\Windows\\System32\\RuntimeBroker.exe",
@@ -2145,6 +2252,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"sha256": "e86870769ee6c797e09457bd99c58d9bf2303cf0193a24ef9b1222c2c3daf628"
},
"name": "RuntimeBroker.exe",
+ "storyline_id": "86B6E5E7AB538ED5",
"title": "Runtime Broker",
"working_directory": "C:\\Windows\\System32"
}
@@ -2262,6 +2370,12 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"os": {
"revision": "19044"
}
+ },
+ "process": {
+ "parent": {
+ "storyline_id": "14C2E6E7AB538ED5"
+ },
+ "storyline_id": "14C2E6E7AB538ED5"
}
},
"host": {
@@ -2380,6 +2494,12 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"os": {
"revision": "19044"
}
+ },
+ "process": {
+ "parent": {
+ "storyline_id": "B91AE6E7AB538ED5"
+ },
+ "storyline_id": "B91AE6E7AB538ED5"
}
},
"host": {
@@ -2506,7 +2626,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"hash": {
"sha256": "a8b9b1d63b8340cb1292d8edcd2c70702d17e9a254ec4b215c844d5eefb949c9"
},
- "name": "WaAppAgent.exe"
+ "name": "WaAppAgent.exe",
+ "ossrc": {
+ "storyline_id": "F31AE6E7AB538ED5"
+ },
+ "parent": {
+ "storyline_id": "381AE6E7AB538ED5"
+ },
+ "storyline_id": "B91AE6E7AB538ED5"
}
},
"host": {
@@ -2624,6 +2751,21 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"os": {
"revision": "19044"
}
+ },
+ "process": {
+ "parent": {
+ "storyline_id": "381AE6E7AB538ED5"
+ },
+ "storyline_id": "C21AE6E7AB538ED5"
+ },
+ "registry": {
+ "old": {
+ "data": {
+ "strings": [
+ "0x01D95E36B1CF068C"
+ ]
+ }
+ }
}
},
"host": {
@@ -2750,7 +2892,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"hash": {
"sha256": "3519db09c7d58615c5a5a8ef508e163e63ecb428f113021e0e3cd47fb7f39c9e"
},
- "name": "mmc.exe"
+ "name": "mmc.exe",
+ "ossrc": {
+ "storyline_id": "4E1AE6E7AB538ED5"
+ },
+ "parent": {
+ "storyline_id": "FA1CE6E7AB538ED5"
+ },
+ "storyline_id": "5084E6E7AB538ED5"
},
"scheduled_task": {
"name": "\\Task John"
@@ -2874,7 +3023,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"hash": {
"sha256": "b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa"
},
- "name": "rundll32.exe"
+ "name": "rundll32.exe",
+ "ossrc": {
+ "storyline_id": "1F91E6E7AB538ED5"
+ },
+ "parent": {
+ "storyline_id": "4E1AE6E7AB538ED5"
+ },
+ "storyline_id": "7322E6E7AB538ED5"
},
"scheduled_task": {
"name": "\\Microsoft\\Windows\\Application Experience\\PcaPatchDbTask"
@@ -3006,6 +3162,12 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"os": {
"revision": "19044"
}
+ },
+ "process": {
+ "parent": {
+ "storyline_id": "F81CE6E7AB538ED5"
+ },
+ "storyline_id": "FA1CE6E7AB538ED5"
}
},
"host": {
@@ -3132,17 +3294,23 @@ The following table lists the fields that are extracted, normalized under the EC
|`deepvisibility.process.executable.name` | `keyword` | |
|`deepvisibility.process.hash.sha256` | `keyword` | |
|`deepvisibility.process.name` | `keyword` | |
+|`deepvisibility.process.ossrc.parent.storyline_id` | `keyword` | |
+|`deepvisibility.process.ossrc.storyline_id` | `keyword` | |
|`deepvisibility.process.parent.activecontent.path` | `keyword` | |
|`deepvisibility.process.parent.command_line` | `keyword` | |
|`deepvisibility.process.parent.executable.name` | `keyword` | |
+|`deepvisibility.process.parent.storyline_id` | `keyword` | |
+|`deepvisibility.process.storyline_id` | `keyword` | |
|`deepvisibility.process.target.command_line` | `keyword` | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. |
|`deepvisibility.process.target.executable` | `keyword` | Absolute path to the process executable. |
|`deepvisibility.process.target.hash.md5` | `keyword` | MD5 hash. |
|`deepvisibility.process.target.hash.sha1` | `keyword` | SHA1 hash. |
|`deepvisibility.process.target.hash.sha256` | `keyword` | SHA256 hash. |
|`deepvisibility.process.target.name` | `keyword` | Process name. |
+|`deepvisibility.process.target.storyline_id` | `keyword` | |
|`deepvisibility.process.target.title` | `keyword` | |
|`deepvisibility.process.target.working_directory` | `keyword` | The working directory of the process. |
+|`deepvisibility.registry.old.data.strings` | `keyword` | |
|`deepvisibility.scheduled_task.name` | `keyword` | Scheduled task name |
|`deepvisibility.script.app_name` | `keyword` | |
|`deepvisibility.script.content` | `keyword` | |
diff --git a/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md b/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md
index 9ac0238313..2806ab91d0 100644
--- a/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md
+++ b/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md
@@ -2557,7 +2557,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
},
"destination": {
"address": "2.2.2.2",
- "bytes": 202,
+ "bytes": 52,
"ip": "2.2.2.2",
"port": 1522
},
@@ -2590,7 +2590,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
},
"source": {
"address": "1.1.1.1",
- "bytes": 52,
+ "bytes": 202,
"ip": "1.1.1.1",
"port": 55390
}
@@ -2621,7 +2621,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
},
"destination": {
"address": "3.3.3.3",
- "bytes": 48,
+ "bytes": 144,
"ip": "3.3.3.3",
"nat": {
"ip": "2.2.2.2",
@@ -2663,7 +2663,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
},
"source": {
"address": "1.1.1.1",
- "bytes": 144,
+ "bytes": 48,
"ip": "1.1.1.1",
"packets": 1,
"port": 49260
@@ -2695,7 +2695,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
},
"destination": {
"address": "52.53.140.235",
- "bytes": 3652,
+ "bytes": 146668,
"ip": "52.53.140.235",
"port": 443
},
@@ -2732,7 +2732,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
},
"source": {
"address": "10.1.100.11",
- "bytes": 146668,
+ "bytes": 3652,
"ip": "10.1.100.11",
"nat": {
"ip": "172.16.200.1",
@@ -2767,7 +2767,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
},
"destination": {
"address": "3.3.3.3",
- "bytes": 398,
+ "bytes": 1605,
"domain": "3.3.3.3",
"ip": "3.3.3.3",
"packets": 5,
@@ -2810,7 +2810,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
},
"source": {
"address": "2.2.2.2",
- "bytes": 1605,
+ "bytes": 398,
"domain": "2.2.2.2",
"ip": "2.2.2.2",
"nat": {
@@ -3713,7 +3713,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
},
"destination": {
"address": "185.230.61.185",
- "bytes": 96,
+ "bytes": 0,
"domain": "ambrishsriv.wixsite.com",
"ip": "185.230.61.185",
"port": 80,
@@ -3764,7 +3764,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
},
"source": {
"address": "10.1.100.11",
- "bytes": 0,
+ "bytes": 96,
"ip": "10.1.100.11",
"port": 59194
},
diff --git a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md
index 36464b5c58..2c4460d82b 100644
--- a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md
+++ b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md
@@ -176,9 +176,13 @@ Find below few samples of events and how they are normalized by Sekoia.io.
]
},
"@timestamp": "2021-02-28T18:20:54Z",
+ "action": {
+ "type": "radius"
+ },
"destination": {
"user": {
- "name": "paloaltonetwork\\\\xxxxx"
+ "domain": "paloaltonetwork",
+ "name": "xxxxx"
}
},
"host": {
@@ -224,7 +228,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"xxxxx"
],
"user": [
- "paloaltonetwork\\\\xxxxx"
+ "xxxxx"
]
}
}
@@ -252,6 +256,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
]
},
"@timestamp": "2021-03-01T20:35:54Z",
+ "action": {
+ "type": "end"
+ },
"destination": {
"address": "1.1.1.1",
"ip": "1.1.1.1",
@@ -261,7 +268,8 @@ Find below few samples of events and how they are normalized by Sekoia.io.
},
"port": 20122,
"user": {
- "name": "paloaltonetwork\\\\\\\\xxxxx"
+ "domain": "paloaltonetwork",
+ "name": "xxxxx"
}
},
"log": {
@@ -299,7 +307,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"1.1.1.1"
],
"user": [
- "paloaltonetwork\\\\\\\\xxxxx"
+ "xxxxx"
]
},
"rule": {
@@ -315,11 +323,13 @@ Find below few samples of events and how they are normalized by Sekoia.io.
},
"port": 16524,
"user": {
- "name": "paloaltonetwork\\\\\\\\xxxxx"
+ "domain": "paloaltonetwork",
+ "name": "xxxxx"
}
},
"user": {
- "name": "paloaltonetwork\\\\\\\\xxxxx"
+ "domain": "paloaltonetwork",
+ "name": "xxxxx"
}
}
@@ -346,6 +356,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
]
},
"@timestamp": "2021-03-01T21:06:06Z",
+ "action": {
+ "type": "file"
+ },
"destination": {
"address": "1.1.1.1",
"ip": "1.1.1.1",
@@ -429,6 +442,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
{
"message": "1,2023/06/16 10:41:44,001701003551,TRAFFIC,end,2305,2023/06/16 10:41:44,1.2.3.4,5.6.7.8,0.0.0.0,0.0.0.0,GEN_WINLOG_Users,domain\\pusername,userdest,windows-remote-management,vsys1,PDT_STD,INFRA_ADM,aaa.111,aaa.111,Syslog_Test,2023/06/16 10:41:44,234981,1,51413,5985,0,0,15,tcp,allow,2346,1974,372,9,90,16,30,0,69678105127,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,6,3,tcp-fin,0,0,0,0,,FWPA01,from-policy,,,0,,0,,N/A,0,0,0,0,5e7eca5b-f585-4633-bbd4-9ed431f7f95b,0,0,,,,,,,",
"event": {
+ "action": "allow",
"category": [
"network"
],
@@ -487,7 +501,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"5.6.7.8"
],
"user": [
- "domain\\pusername",
+ "pusername",
"userdest"
]
},
@@ -506,11 +520,13 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"packets": 6,
"port": 51413,
"user": {
- "name": "domain\\pusername"
+ "domain": "domain",
+ "name": "pusername"
}
},
"user": {
- "name": "domain\\pusername"
+ "domain": "domain",
+ "name": "pusername"
}
}
@@ -524,6 +540,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
{
"message": "1,2023/06/16 10:41:44,001701003551,TRAFFIC,end,2305,2023/06/16 10:41:44,1.2.3.4,5.6.7.8,0.0.0.0,0.0.0.0,GEN_WINLOG_Users,domainusername,destuser,windows-remote-management,vsys1,PDT_STD,INFRA_ADM,aaa.111,aaa.111,Syslog_Test,2023/06/16 10:41:44,234981,1,51413,5985,0,0,0x1c,tcp,allow,2346,1974,372,9,2023/06/16 10:41:26,16,not-resolved,0,69678105127,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,6,3,tcp-fin,0,0,0,0,,FWPA01,from-policy,,,0,,0,,N/A,0,0,0,0,5e7eca5b-f585-4633-bbd4-9ed431f7f95b,0,0,,,,,,,",
"event": {
+ "action": "allow",
"category": [
"network"
],
@@ -632,6 +649,10 @@ Find below few samples of events and how they are normalized by Sekoia.io.
]
},
"@timestamp": "2021-03-01T20:35:54Z",
+ "action": {
+ "name": "satellite-gateway-update-route",
+ "type": "globalprotect"
+ },
"host": {
"hostname": "machine_name2",
"name": "machine_name2",
@@ -666,16 +687,18 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"machine_name2"
],
"user": [
- "xxxxx\\\\\\\\xxxxx"
+ "xxxxx"
]
},
"source": {
"user": {
- "name": "xxxxx\\\\\\\\xxxxx"
+ "domain": "xxxxx",
+ "name": "xxxxx"
}
},
"user": {
- "name": "xxxxx\\\\\\\\xxxxx"
+ "domain": "xxxxx",
+ "name": "xxxxx"
}
}
@@ -805,7 +828,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"88.120.236.74"
],
"user": [
- "example.org\\\\test"
+ "test"
]
},
"source": {
@@ -815,11 +838,13 @@ Find below few samples of events and how they are normalized by Sekoia.io.
},
"ip": "88.120.236.74",
"user": {
- "name": "example.org\\\\test"
+ "domain": "example.org",
+ "name": "test"
}
},
"user": {
- "name": "example.org\\\\test"
+ "domain": "example.org",
+ "name": "test"
},
"user_agent": {
"os": {
@@ -914,6 +939,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
{
"message": "<14>Sep 16 10:00:02 PP 1,9/16/19 10:00,1801017000,TRAFFIC,start,2049,9/16/19 10:00,1.2.3.4,4.3.2.1,1.2.3.4,10.0.1.2,PING,,,ping,vsys,AAAAA,Zone1,ethernet1/1,ae2.11,Secure,9/16/19 10:00,24100,3,0,0,0,0,0x500000,icmp,allow,222,222,0,3,9/16/19 10:00,0,any,0,50660388939,0x0,Spain,France,0,3,0,n/a,0,0,0,0,,PA,from-policy,,,0,,0,,N/A,0,0,0,0",
"event": {
+ "action": "allow",
"category": [
"network"
],
@@ -1007,6 +1033,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
]
},
"@timestamp": "2021-03-01T21:20:13Z",
+ "action": {
+ "type": "iptag"
+ },
"destination": {
"address": "1.1.1.1",
"ip": "1.1.1.1"
@@ -1209,6 +1238,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
{
"message": "<14>Sep 16 10:00:02 PA-1 1,9/16/19 10:00,1801016000,TRAFFIC,start,2049,9/16/19 10:00,1.2.3.4,4.3.2.1,0.0.0.0,0.0.0.0,proxy1,,,web-browsing,vsys1234,v10213,zone1,a.1,b.2,Secure,9/16/19 10:00,60000,1,61000,80,0,0,0x0,tcp,allow,800,700,70,2,9/16/19 10:00,0,any,0,50660381839,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,2,1,n/a,0,0,0,0,,PP,from-policy,,,0,,0,,N/A,0,0,0,0",
"event": {
+ "action": "allow",
"category": [
"network"
],
@@ -1449,6 +1479,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
{
"message": "{\"TimeReceived\": \"2024-02-06T18:17:09.000000Z\", \"DeviceSN\": \"no-serial\", \"LogType\": \"THREAT\", \"Subtype\": \"file\", \"SubType\": \"file\", \"ConfigVersion\": \"10.2\", \"TimeGenerated\": \"2024-02-06T18:17:02.000000Z\", \"SourceAddress\": \"1.2.3.4\", \"DestinationAddress\": \"5.6.7.8\", \"NATSource\": \"9.10.11.12\", \"NATDestination\": \"5.6.7.8\", \"Rule\": \"Global_Outbound_internet_access\", \"SourceUser\": \"john.doe@example.com\", \"DestinationUser\": null, \"Application\": \"web-browsing\", \"VirtualLocation\": \"vsys1\", \"FromZone\": \"trust\", \"ToZone\": \"untrust\", \"InboundInterface\": \"tunnel.1\", \"OutboundInterface\": \"ethernet1/1\", \"LogSetting\": \"default\", \"SessionID\": 1450762, \"RepeatCount\": 1, \"SourcePort\": 53514, \"DestinationPort\": 80, \"NATSourcePort\": 22444, \"NATDestinationPort\": 80, \"Protocol\": \"tcp\", \"Action\": \"alert\", \"FileName\": \"some_file_name\", \"URLCategory\": \"computer-and-internet-info\", \"VendorSeverity\": \"Low\", \"DirectionOfAttack\": \"server to client\", \"SequenceNo\": 7292474944208657622, \"SourceLocation\": \"Prisma-Mobile-Users-EMEA\", \"DestinationLocation\": \"US\", \"PacketID\": 0, \"FileHash\": null, \"ReportID\": 0, \"DGHierarchyLevel1\": 463, \"DGHierarchyLevel2\": 467, \"DGHierarchyLevel3\": 0, \"DGHierarchyLevel4\": 0, \"VirtualSystemName\": \"\", \"DeviceName\": \"GP cloud service\", \"SourceUUID\": null, \"DestinationUUID\": null, \"IMSI\": 0, \"IMEI\": null, \"ParentSessionID\": 0, \"ParentStartTime\": \"1970-01-01T00:00:00.000000Z\", \"Tunnel\": \"N/A\", \"ContentVersion\": \"577053022\", \"SigFlags\": 0, \"RuleUUID\": \"c38e111b-43fc-4de4-a17c-c372af557193\", \"HTTP2Connection\": 0, \"DynamicUserGroup\": null, \"X-Forwarded-ForIP\": null, \"SourceDeviceCategory\": null, \"SourceDeviceProfile\": null, \"SourceDeviceModel\": null, \"SourceDeviceVendor\": null, \"SourceDeviceOSFamily\": null, \"SourceDeviceOSVersion\": null, \"SourceDeviceHost\": null, \"SourceDeviceMac\": null, \"DestinationDeviceCategory\": null, \"DestinationDeviceProfile\": null, \"DestinationDeviceModel\": null, \"DestinationDeviceVendor\": null, \"DestinationDeviceOSFamily\": null, \"DestinationDeviceOSVersion\": null, \"DestinationDeviceHost\": null, \"DestinationDeviceMac\": null, \"ContainerID\": null, \"ContainerNameSpace\": null, \"ContainerName\": null, \"SourceEDL\": null, \"DestinationEDL\": null, \"HostID\": null, \"EndpointSerialNumber\": null, \"DomainEDL\": null, \"SourceDynamicAddressGroup\": null, \"DestinationDynamicAddressGroup\": null, \"PartialHash\": 0, \"TimeGeneratedHighResolution\": \"2024-02-06T18:17:02.077000Z\", \"ReasonForDataFilteringAction\": null, \"Justification\": null, \"NSSAINetworkSliceType\": null}",
"event": {
+ "action": "alert",
"category": [
"file"
],
@@ -1595,7 +1626,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"1.2.3.4"
],
"user": [
- "test.fr\\JDOE"
+ "JDOE"
]
},
"source": {
@@ -1605,11 +1636,13 @@ Find below few samples of events and how they are normalized by Sekoia.io.
},
"ip": "1.2.3.4",
"user": {
- "name": "test.fr\\JDOE"
+ "domain": "test.fr",
+ "name": "JDOE"
}
},
"user": {
- "name": "test.fr\\JDOE"
+ "domain": "test.fr",
+ "name": "JDOE"
},
"user_agent": {
"os": {
@@ -2435,6 +2468,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
{
"message": "1,2024/01/12 11:21:15,016201000000,THREAT,url,2562,2024/01/12 11:21:15,1.2.3.4,5.6.7.8,9.10.11.12,0.0.0.0,SAAS vers log,,,ssl,vsys1,Outside,test-Externe,a11.30,a11.25,Panorama,2024/01/12 11:21:15,200000,1,58444,2222,58444,2222,0x50b444,tcp,alert,\"test.fr:9999/\",(9999),test,informational,client-to-server,55555555555555555555,0x8000000000000000,US,France,,,0,,,0,,,,,,,,0,0,0,0,0,,TEST-01,,,,,0,,0,,N/A,N/A,AppThreat-0-0,0x0,0,4294967295,,\"test,low-risk\",96eeeef8-bd9c-4145,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-01-12T11:21:15.190+01:00,,,,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no,",
"event": {
+ "action": "alert",
"category": [
"network"
],
@@ -2460,10 +2494,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
},
"port": 2222
},
- "file": {
- "name": "test.fr:9999/",
- "path": "test.fr:9999/"
- },
"host": {
"name": "TEST-01"
},
@@ -2489,6 +2519,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"VirtualLocation": "vsys1"
},
"related": {
+ "hosts": [
+ "test.fr"
+ ],
"ip": [
"0.0.0.0",
"1.2.3.4",
@@ -2511,6 +2544,12 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"port": 58444
},
"port": 58444
+ },
+ "url": {
+ "domain": "test.fr",
+ "port": 9999,
+ "registered_domain": "test.fr",
+ "top_level_domain": "fr"
}
}
@@ -2570,6 +2609,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
{
"message": "{\"Action\": \"allow\",\"ActionSource\": \"from-policy\",\"Application\": \"incomplete\",\"Bytes\": 74,\"BytesReceived\": 0,\"BytesSent\": 74,\"ChunksReceived\": 0,\"ChunksSent\": 0,\"ChunksTotal\": 0,\"ConfigVersion\": \"10.1\",\"ContainerID\": null,\"ContainerName\": null,\"ContainerNameSpace\": null,\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DestinationAddress\": \"5.6.7.8\",\"DestinationDeviceCategory\": null,\"DestinationDeviceHost\": null,\"DestinationDeviceMac\": null,\"DestinationDeviceModel\": null,\"DestinationDeviceOSFamily\": null,\"DestinationDeviceOSVersion\": null,\"DestinationDeviceProfile\": null,\"DestinationDeviceVendor\": null,\"DestinationDynamicAddressGroup\": null,\"DestinationEDL\": null,\"DestinationLocation\": \"US\",\"DestinationPort\": 443,\"DestinationUUID\": null,\"DestinationUser\": null,\"DeviceName\": \"PA-VM\",\"DeviceSN\": \"007954000351998\",\"DynamicUserGroupName\": null,\"EndpointAssociationID\": 0,\"EndpointSerialNumber\": null,\"FromZone\": \"untrusted\",\"GPHostID\": null,\"HASessionOwner\": null,\"HTTP2Connection\": 0,\"IMEI\": null,\"IMSI\": 0,\"InboundInterface\": \"ethernet1/1\",\"LinkChangeCount\": 0,\"LinkSwitches\": null,\"LogSetting\": \"default\",\"LogType\": \"TRAFFIC\",\"NATDestination\": \"\",\"NATDestinationPort\": 0,\"NATSource\": \"\",\"NATSourcePort\": 0,\"NSSAINetworkSliceDifferentiator\": null,\"NSSAINetworkSliceType\": null,\"OutboundInterface\": \"ethernet1/1\",\"PacketsReceived\": 0,\"PacketsSent\": 1,\"PacketsTotal\": 1,\"ParentSessionID\": 0,\"ParentStarttime\": \"1970-01-01T00:00:00.000000Z\",\"Protocol\": \"tcp\",\"RepeatCount\": 1,\"Rule\": \"intrazone-default\",\"RuleUUID\": \"f903db52-4b89-4610-b908-67be412704f0\",\"SDWANCluster\": null,\"SDWANClusterType\": null,\"SDWANDeviceType\": null,\"SDWANPolicyName\": null,\"SDWANSite\": null,\"SequenceNo\": 7195838274152187101,\"SessionDuration\": 0,\"SessionEndReason\": \"aged-out\",\"SessionID\": 17635,\"SessionStartTime\": \"2023-02-03T16:46:00.000000Z\",\"SourceAddress\": \"1.2.3.4\",\"SourceDeviceCategory\": null,\"SourceDeviceHost\": null,\"SourceDeviceMac\": null,\"SourceDeviceModel\": null,\"SourceDeviceOSFamily\": null,\"SourceDeviceOSVersion\": null,\"SourceDeviceProfile\": null,\"SourceDeviceVendor\": null,\"SourceDynamicAddressGroup\": null,\"SourceEDL\": null,\"SourceLocation\": \"1.2.0.0-1.2.255.255\",\"SourcePort\": 59087,\"SourceUUID\": null,\"SourceUser\": null,\"Subtype\": \"end\",\"TimeGenerated\": \"2023-02-03T16:46:07.000000Z\",\"TimeGeneratedHighResolution\": \"2023-02-03T16:46:07.584000Z\",\"TimeReceived\": \"2023-02-03T16:46:14.000000Z\",\"ToZone\": \"untrusted\",\"Tunnel\": \"N/A\",\"URLCategory\": \"any\",\"VirtualLocation\": \"vsys1\",\"VirtualSystemName\": \"\",\"X-Forwarded-ForIP\": null}",
"event": {
+ "action": "allow",
"category": [
"network"
],
@@ -2661,6 +2701,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
{
"message": "{\"Action\": \"allow\",\"ActionSource\": \"from-policy\",\"Application\": \"incomplete\",\"Bytes\": 74,\"BytesReceived\": 0,\"BytesSent\": 74,\"ChunksReceived\": 0,\"ChunksSent\": 0,\"ChunksTotal\": 0,\"ConfigVersion\": \"10.1\",\"ContainerID\": null,\"ContainerName\": null,\"ContainerNameSpace\": null,\"DGHierarchyLevel1\": 0,\"DGHierarchyLevel2\": 0,\"DGHierarchyLevel3\": 0,\"DGHierarchyLevel4\": 0,\"DestinationAddress\": \"5.6.7.8\",\"DestinationDeviceCategory\": null,\"DestinationDeviceHost\": null,\"DestinationDeviceMac\": null,\"DestinationDeviceModel\": null,\"DestinationDeviceOSFamily\": null,\"DestinationDeviceOSVersion\": null,\"DestinationDeviceProfile\": null,\"DestinationDeviceVendor\": null,\"DestinationDynamicAddressGroup\": null,\"DestinationEDL\": null,\"DestinationLocation\": \"US\",\"DestinationPort\": 443,\"DestinationUUID\": null,\"DestinationUser\": null,\"DeviceName\": \"PA-VM\",\"DeviceSN\": \"007954000351998\",\"DynamicUserGroupName\": null,\"EndpointAssociationID\": 0,\"EndpointSerialNumber\": null,\"FromZone\": \"untrusted\",\"GPHostID\": null,\"HASessionOwner\": null,\"HTTP2Connection\": 0,\"IMEI\": null,\"IMSI\": 0,\"InboundInterface\": \"ethernet1/1\",\"LinkChangeCount\": 0,\"LinkSwitches\": null,\"LogSetting\": \"default\",\"LogType\": \"TRAFFIC\",\"NATDestination\": \"\",\"NATDestinationPort\": 0,\"NATSource\": \"\",\"NATSourcePort\": 0,\"NSSAINetworkSliceDifferentiator\": null,\"NSSAINetworkSliceType\": null,\"OutboundInterface\": \"ethernet1/1\",\"PacketsReceived\": 0,\"PacketsSent\": 1,\"PacketsTotal\": 1,\"ParentSessionID\": 0,\"ParentStarttime\": \"1970-01-01T00:00:00.000000Z\",\"Protocol\": \"tcp\",\"RepeatCount\": 1,\"Rule\": \"intrazone-default\",\"RuleUUID\": \"f903db52-4b89-4610-b908-67be412704f0\",\"SDWANCluster\": null,\"SDWANClusterType\": null,\"SDWANDeviceType\": null,\"SDWANPolicyName\": null,\"SDWANSite\": null,\"SequenceNo\": 7195838274152187100,\"SessionDuration\": 0,\"SessionEndReason\": \"aged-out\",\"SessionID\": 17634,\"SessionStartTime\": \"2023-02-03T16:45:44.000000Z\",\"SourceAddress\": \"1.2.3.4\",\"SourceDeviceCategory\": null,\"SourceDeviceHost\": null,\"SourceDeviceMac\": null,\"SourceDeviceModel\": null,\"SourceDeviceOSFamily\": null,\"SourceDeviceOSVersion\": null,\"SourceDeviceProfile\": null,\"SourceDeviceVendor\": null,\"SourceDynamicAddressGroup\": null,\"SourceEDL\": null,\"SourceLocation\": \"1.2.0.0-1.2.255.255\",\"SourcePort\": 59087,\"SourceUUID\": null,\"SourceUser\": null,\"Subtype\": \"end\",\"TimeGenerated\": \"2023-02-03T16:45:52.000000Z\",\"TimeGeneratedHighResolution\": \"2023-02-03T16:45:52.582000Z\",\"TimeReceived\": \"2023-02-03T16:45:56.000000Z\",\"ToZone\": \"untrusted\",\"Tunnel\": \"N/A\",\"URLCategory\": \"any\",\"VirtualLocation\": \"vsys1\",\"VirtualSystemName\": \"\",\"X-Forwarded-ForIP\": null}",
"event": {
+ "action": "allow",
"category": [
"network"
],
@@ -2950,7 +2991,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"1.2.3.4"
],
"user": [
- "test.fr\\JDOE"
+ "JDOE"
]
},
"source": {
@@ -2959,7 +3000,8 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"port": 0
},
"user": {
- "name": "test.fr\\JDOE"
+ "domain": "test.fr",
+ "name": "JDOE"
}
}
@@ -3081,6 +3123,110 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```
+=== "threat-url-xff.json"
+
+ ```json
+
+ {
+ "message": "1,2024/03/12 15:02:32,016401004874,THREAT,url,2816,2024/03/12 15:02:32,10.0.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule-internet,x-fwd-for: 11.22.33.44,,web-browsing,vsys,env,zone2,a1.1,aec.2,default,2024/03/12 15:02:32,1384927,1,49802,80,0,0,0x8b000,tcp,alert,\"www.sekoia.io:443/catalog/integrations?query=this\",(9999),any,informational,client-to-server,7324220311048193508,0x0,10.0.0.0-10.255.255.255,192.168.0.0-192.168.255.255,,,0,,,10,Mozilla/4.0 (compatible; ms-office; MSOffice 16),,\"11.22.33.44\",,,,,0,0,0,0,0,VSYS,FW,,,,get,0,,0,,N/A,N/A,AppThreat-0-0,0x0,0,4294967295,,\"Sekoia,cybertech,low-risk\",ea3431a2-6869-4d9f-ad41-1858d80b406c,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-03-12T15:02:32.650+01:00,,,,internet-utility,general-internet,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,web-browsing,no,no,,,NonProxyTraffic",
+ "event": {
+ "action": "alert",
+ "category": [
+ "network"
+ ],
+ "dataset": "threat",
+ "outcome": "success",
+ "reason": "(9999)",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-03-12T14:02:32.650000Z",
+ "action": {
+ "name": "alert",
+ "outcome": "success",
+ "type": "url"
+ },
+ "destination": {
+ "address": "192.168.0.1",
+ "ip": "192.168.0.1",
+ "nat": {
+ "ip": "0.0.0.0",
+ "port": 0
+ },
+ "port": 80
+ },
+ "host": {
+ "name": "FW"
+ },
+ "http": {
+ "request": {
+ "method": "get"
+ }
+ },
+ "log": {
+ "hostname": "FW",
+ "level": "informational",
+ "logger": "threat"
+ },
+ "network": {
+ "application": "web-browsing",
+ "forwarded_ip": "11.22.33.44",
+ "transport": "tcp"
+ },
+ "observer": {
+ "product": "PAN-OS",
+ "serial_number": "016401004874"
+ },
+ "paloalto": {
+ "DGHierarchyLevel1": "0",
+ "DGHierarchyLevel2": "0",
+ "DGHierarchyLevel3": "0",
+ "DGHierarchyLevel4": "0",
+ "Threat_ContentType": "url",
+ "VirtualLocation": "vsys",
+ "VirtualSystemName": "VSYS"
+ },
+ "related": {
+ "hosts": [
+ "www.sekoia.io"
+ ],
+ "ip": [
+ "0.0.0.0",
+ "10.0.0.2",
+ "192.168.0.1"
+ ]
+ },
+ "rule": {
+ "name": "rule-internet",
+ "uuid": "ea3431a2-6869-4d9f-ad41-1858d80b406c"
+ },
+ "source": {
+ "address": "10.0.0.2",
+ "ip": "10.0.0.2",
+ "nat": {
+ "ip": "0.0.0.0",
+ "port": 0
+ },
+ "port": 49802
+ },
+ "url": {
+ "domain": "www.sekoia.io",
+ "path": "catalog/integrations",
+ "port": 443,
+ "query": "query=this",
+ "registered_domain": "sekoia.io",
+ "subdomain": "www",
+ "top_level_domain": "io"
+ },
+ "user_agent": {
+ "name": "Mozilla/4.0 (compatible; ms-office; MSOffice 16)"
+ }
+ }
+
+ ```
+
+
=== "threat_cef.json"
```json
@@ -3101,6 +3247,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
]
},
"@timestamp": "2021-03-01T20:48:21Z",
+ "action": {
+ "type": "spyware"
+ },
"destination": {
"geo": {
"country_iso_code": "BR"
@@ -3219,7 +3368,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
{
"message": "1,2021/08/31 14:00:02,001701000000,THREAT,vulnerability,2049,2021/08/31 14:00:02,10.0.0.2,10.2.0.1,0.0.0.0,0.0.0.0,abcd,,,web-browsing,vsys,env,zone2,a1.1,aec.2,podl,2021/08/31 14:00:02,279429,2,12345,80,0,0,0x2000,tcp,alert,\"EXAMPLE.PDF\",PDF Exploit Evasion Found(34805),any,informational,server-to-client,1320000,0x2000000000000000,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,,0,,,1,,,,,,,,0,0,0,0,0,,FW,,,,,0,,0,,N/A,code-execution,AppThreat-0000-1111,0x0,0,422342342,",
"event": {
- "action": "code-execution",
+ "action": "alert",
"category": [
"vulnerability"
],
@@ -3319,6 +3468,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
]
},
"@timestamp": "2022-07-31T12:46:24Z",
+ "action": {
+ "type": "end"
+ },
"destination": {
"address": "5.6.7.8",
"bytes": 5651,
@@ -3427,6 +3579,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
]
},
"@timestamp": "2022-08-02T06:42:20Z",
+ "action": {
+ "type": "end"
+ },
"destination": {
"address": "1.1.1.1",
"bytes": 2755,
@@ -3539,6 +3694,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
]
},
"@timestamp": "2021-02-27T20:16:21Z",
+ "action": {
+ "type": "end"
+ },
"destination": {
"address": "1.1.1.1",
"bytes": 400448,
@@ -3670,6 +3828,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
{
"message": "1,2024/01/03 13:15:29,026701002040,TRAFFIC,end,2816,2024/01/03 13:15:29,1.2.3.4,5.6.7.8,0.0.0.0,0.0.0.0,MyRule,,,ssl,vsys1,Z_DMZ_PROXY,Z_INTERCO_WAN,ethernet1/22.301,ethernet1/3.104,Log Profile,2024/01/03 13:15:29,219781,1,60975,443,0,0,0x41c,tcp,allow,5773,758,5015,14,2024/01/03 13:15:14,0,not-resolved,,7312415129244589397,0x0,10.0.0.0-10.255.255.255,United States,,7,7,tcp-fin,0,0,0,0,,PA2314-CD,from-policy,,,0,,0,,N/A,0,0,0,0,0bbe5a53-f498-4cc2-a170-ced134f4824c,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2024-01-03T13:15:30.547+01:00,,,encrypted-tunnel,networking,browser-based,4,\\\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\\\",,ssl,no,no,0,NonProxyTraffic,",
"event": {
+ "action": "allow",
"category": [
"network"
],
@@ -3752,6 +3911,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
{
"message": "<14>Sep 16 10:00:00 PA 1,9/16/19 10:00,1801017000,TRAFFIC,deny,2049,9/16/19 10:00,10.0.0.2,1.2.3.4,5.4.4.3,5.4.3.2,DENYALL,,,protection,vsys1,DNS,AAAAA,ae2.503,ethernet1/1,Secure,9/16/19 10:00,11111,1,130000,53,6379,53,0x400000,udp,reset-both,284,284,0,1,9/16/19 10:00,0,any,0,50660381851,0x0,10.0.0.0-10.255.255.255,Spain,0,1,0,policy-deny,0,0,0,0,,PA-1,from-application,,,0,,0,,N/A,0,0,0,0",
"event": {
+ "action": "reset-both",
"category": [
"network"
],
@@ -3847,6 +4007,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
]
},
"@timestamp": "2021-03-01T20:48:21Z",
+ "action": {
+ "type": "url"
+ },
"destination": {
"address": "1.1.1.1",
"geo": {
@@ -3980,6 +4143,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
]
},
"@timestamp": "2021-03-01T21:06:02Z",
+ "action": {
+ "type": "logout"
+ },
"destination": {
"address": "1.1.1.1",
"ip": "1.1.1.1",
@@ -4045,6 +4211,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
{
"message": "{\"TimeReceived\":\"2023-05-30T06:54:42.000000Z\",\"DeviceSN\":\"111111111111\",\"LogType\":\"THREAT\",\"Subtype\":\"wildfire\",\"ConfigVersion\":\"10.1\",\"TimeGenerated\":\"2023-05-30T06:52:13.000000Z\",\"SourceAddress\":\"1.2.3.4\",\"DestinationAddress\":\"5.6.7.8\",\"NATSource\":\"4.3.2.1\",\"NATDestination\":\"8.7.6.5\",\"Rule\":\"Normal Internet Access browser\",\"SourceUser\":\"john.doe@example.org\",\"DestinationUser\":null,\"Application\":\"web-browsing\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"Trust\",\"ToZone\":\"Untrust\",\"InboundInterface\":\"ethernet1/20\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Panorama_CDL\",\"SessionID\":444444,\"RepeatCount\":1,\"SourcePort\":55555,\"DestinationPort\":80,\"NATSourcePort\":40114,\"NATDestinationPort\":80,\"Protocol\":\"tcp\",\"Action\":\"block\",\"FileName\":\"mp3.exe\",\"ThreatID\":\"Windows Executable (EXE)(52020)\",\"VendorSeverity\":\"Informational\",\"DirectionOfAttack\":\"server to client\",\"SequenceNo\":7117268851537282868,\"SourceLocation\":\"10.0.0.0-10.255.255.255\",\"DestinationLocation\":\"CN\",\"PacketID\":0,\"FileHash\":\"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc\",\"ApplianceOrCloud\":\"wildfire.paloaltonetworks.com\\u0000\",\"URLCounter\":1,\"FileType\":\"pe\",\"SenderEmail\":null,\"EmailSubject\":null,\"RecipientEmail\":null,\"ReportID\":33333333333,\"DGHierarchyLevel1\":997,\"DGHierarchyLevel2\":738,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"MyDevice\",\"SourceUUID\":null,\"DestinationUUID\":null,\"IMSI\":0,\"IMEI\":null,\"ParentSessionID\":0,\"ParentStarttime\":\"1970-01-01T00:00:00.000000Z\",\"Tunnel\":\"N/A\",\"ThreatCategory\":\"unknown\",\"ContentVersion\":\"0\",\"SigFlags\":\"0x0\",\"RuleUUID\":\"50afdf91-0d37-4729-8052-1382912d9895\",\"HTTP2Connection\":0,\"DynamicUserGroupName\":null,\"X-Forwarded-ForIP\":null,\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"HostID\":null,\"EndpointSerialNumber\":\"xxxxxxxxxxx\",\"DomainEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"PartialHash\":0,\"TimeGeneratedHighResolution\":\"2023-05-30T06:52:14.052000Z\",\"NSSAINetworkSliceType\":null}\n",
"event": {
+ "action": "block",
"category": [
"malware"
],
@@ -4166,6 +4333,7 @@ The following table lists the fields that are extracted, normalized under the EC
|`destination.nat.port` | `long` | Destination NAT Port |
|`destination.packets` | `long` | Packets sent from the destination to the source. |
|`destination.port` | `long` | Port of the destination. |
+|`destination.user.domain` | `keyword` | Name of the directory the user is a member of. |
|`destination.user.name` | `keyword` | Short name or login of the user. |
|`email.from.address` | `keyword` | Email address from |
|`email.subject` | `keyword` | Subject |
@@ -4196,6 +4364,7 @@ The following table lists the fields that are extracted, normalized under the EC
|`log.logger` | `keyword` | Name of the logger. |
|`network.application` | `keyword` | Application level protocol name. |
|`network.bytes` | `long` | Total bytes transferred in both directions. |
+|`network.forwarded_ip` | `ip` | Host IP address when the source IP address is the proxy. |
|`network.packets` | `long` | Total packets transferred in both directions. |
|`network.protocol` | `keyword` | Application protocol name. |
|`network.transport` | `keyword` | Protocol Name corresponding to the field `iana_number`. |
@@ -4227,7 +4396,14 @@ The following table lists the fields that are extracted, normalized under the EC
|`source.nat.port` | `long` | Source NAT port |
|`source.packets` | `long` | Packets sent from the source to the destination. |
|`source.port` | `long` | Port of the source. |
+|`source.user.domain` | `keyword` | Name of the directory the user is a member of. |
|`source.user.name` | `keyword` | Short name or login of the user. |
+|`url.domain` | `keyword` | Domain of the url. |
+|`url.original` | `wildcard` | Unmodified original url as seen in the event source. |
+|`url.path` | `wildcard` | Path of the request, such as "/search". |
+|`url.port` | `long` | Port of the request, such as 443. |
+|`url.query` | `keyword` | Query string of the request. |
+|`user.domain` | `keyword` | Name of the directory the user is a member of. |
|`user.name` | `keyword` | Short name or login of the user. |
|`user_agent.name` | `keyword` | Name of the user agent. |
|`user_agent.os.name` | `keyword` | Operating system name, without the version. |
diff --git a/_shared_content/operations_center/integrations/generated/a2915a14-d1e9-4397-86fc-8f8b2c617466.md b/_shared_content/operations_center/integrations/generated/a2915a14-d1e9-4397-86fc-8f8b2c617466.md
index 8d924458d3..4e3e92a6e5 100644
--- a/_shared_content/operations_center/integrations/generated/a2915a14-d1e9-4397-86fc-8f8b2c617466.md
+++ b/_shared_content/operations_center/integrations/generated/a2915a14-d1e9-4397-86fc-8f8b2c617466.md
@@ -48,7 +48,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"method": "CONNECT"
},
"response": {
- "bytes": 1000,
"status_code": 200
},
"version": "1.1"
@@ -60,7 +59,8 @@ Find below few samples of events and how they are normalized by Sekoia.io.
},
"olfeo": {
"request": {
- "type": "Business Services"
+ "type": "Business Services",
+ "type_id": 1000
}
},
"related": {
@@ -111,7 +111,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"method": "POST"
},
"response": {
- "bytes": 12,
"status_code": 400
},
"version": "1.1"
@@ -123,7 +122,8 @@ Find below few samples of events and how they are normalized by Sekoia.io.
},
"olfeo": {
"request": {
- "type": "Advertising"
+ "type": "Advertising",
+ "type_id": 12
}
},
"related": {
@@ -168,7 +168,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"method": "PUT"
},
"response": {
- "bytes": 512,
"status_code": 300
},
"version": "1.1"
@@ -180,7 +179,8 @@ Find below few samples of events and how they are normalized by Sekoia.io.
},
"olfeo": {
"request": {
- "type": "Shopping"
+ "type": "Shopping",
+ "type_id": 512
}
},
"related": {
@@ -218,13 +218,13 @@ The following table lists the fields that are extracted, normalized under the EC
|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
|`http.request.method` | `keyword` | HTTP request method. |
-|`http.response.bytes` | `long` | Total size in bytes of the response (body and headers). |
|`http.response.status_code` | `long` | HTTP response status code. |
|`http.version` | `keyword` | HTTP version. |
|`observer.product` | `keyword` | The product name of the observer. |
|`observer.type` | `keyword` | The type of the observer the data is coming from. |
|`observer.vendor` | `keyword` | Vendor name of the observer. |
|`olfeo.request.type` | `keyword` | Olfeo request url category |
+|`olfeo.request.type_id` | `long` | Olfeo request url category id |
|`source.ip` | `ip` | IP address of the source. |
|`source.user.name` | `keyword` | Short name or login of the user. |
|`url.original` | `wildcard` | Unmodified original url as seen in the event source. |
diff --git a/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5.md b/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5.md
new file mode 100644
index 0000000000..4022c45d5b
--- /dev/null
+++ b/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5.md
@@ -0,0 +1,1809 @@
+
+## Event Categories
+
+
+The following table lists the data source offered by this integration.
+
+| Data Source | Description |
+| ----------- | ------------------------------------ |
+| `File monitoring` | None |
+| `Network device logs` | None |
+| `Process monitoring` | None |
+
+
+
+
+
+In details, the following table denotes the type of events produced by this integration.
+
+| Name | Values |
+| ---- | ------ |
+| Kind | `alert`, `event` |
+| Category | `` |
+| Type | `` |
+
+
+
+
+## Event Samples
+
+Find below few samples of events and how they are normalized by Sekoia.io.
+
+
+=== "test_account_change_1.json"
+
+ ```json
+
+ {
+ "message": "{\"activity_id\": 1, \"activity_name\": \"Create\", \"actor\": {\"idp\": {\"name\": null}, \"invoked_by\": null, \"session\": {\"created_time\": 1700239437000, \"created_time_dt\": \"2023-11-17T16:43:57Z\", \"is_mfa\": false, \"issuer\": \"arn:aws:iam::112233445566:role/Admin\"}, \"user\": {\"account\": {\"uid\": \"112233445566\"}, \"credential_uid\": null, \"type\": \"AssumedRole\", \"uid\": \"arn:aws:sts::112233445566:assumed-role/Admin/Admin-user\", \"uid_alt\": \"AROA2W7SOKHEXAMPLE:Admin-user\"}}, \"api\": {\"operation\": \"CreateUser\", \"request\": {\"data\": {\"userName\": \"test_user2\"}, \"uid\": \"c99bf9da-e0bd-4bf7-bb32-example\"}, \"response\": {\"data\": {\"user\": {\"arn\": \"arn:aws:iam::112233445566:user/test_user2\", \"createDate\": \"Mar 17, 2023 5:07:59 PM\", \"path\": \"/\", \"userId\": \"AIDA2W7SOKHEXAMPLE\", \"userName\": \"test_user2\"}}, \"error\": null, \"message\": null}, \"service\": {\"name\": \"iam.amazonaws.com\"}, \"version\": null}, \"category_name\": \"Identity & Access Management Category\", \"category_uid\": 3, \"class_name\": \"Account Change\", \"class_uid\": 3001, \"cloud\": {\"provider\": \"AWS\", \"region\": \"us-east-1\"}, \"http_request\": {\"user_agent\": \"AWS Internal\"}, \"metadata\": {\"log_name\": \"AwsApiCall\", \"log_provider\": \"CloudTrail\", \"product\": {\"feature\": {\"name\": \"Management\"}, \"name\": \"CloudTrail\", \"vendor_name\": \"AWS\", \"version\": \"1.08\"}, \"profiles\": [\"cloud\", \"datetime\"], \"uid\": \"7dd15a89-ae0f-4340-8e6c-example\", \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"user.name\", \"type\": \"User\", \"type_id\": 4, \"value\": \"test_user2\"}, {\"name\": \"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"52.95.4.21\"}], \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"52.95.4.21\", \"uid\": null}, \"time\": 1679072879000, \"time_dt\": \"2023-03-17T17:07:59Z\", \"type_name\": \"Account Change: Create\", \"type_uid\": 300101, \"unmapped\": {\"eventType\": \"AwsApiCall\", \"managementEvent\": true, \"readOnly\": false, \"recipientAccountId\": \"112233445566\", \"requestParameters\": {\"userName\": \"test_user2\"}, \"responseElements\": {\"user\": {\"arn\": \"arn:aws:iam::112233445566:user/test_user2\", \"createDate\": \"Mar 17, 2023 5:07:59 PM\", \"path\": \"/\", \"userId\": \"AIDA2W7SOKHEXAMPLE\", \"userName\": \"test_user2\"}}, \"sessionCredentialFromConsole\": \"true\", \"userIdentity\": {\"sessionContext\": {\"attributes\": {\"mfaAuthenticated\": \"false\"}, \"sessionIssuer\": {\"accountId\": \"112233445566\", \"principalId\": \"AROA2W7SOKHEXAMPLE\", \"type\": \"Role\"}, \"webIdFederationData\": {}}}}, \"user\": {\"name\": \"test_user2\", \"uid\": \"AROA2W7SOKHEXAMPLE:Admin-user\"}}",
+ "event": {
+ "action": "create",
+ "category": [
+ "iam"
+ ],
+ "kind": "event",
+ "provider": "CloudTrail",
+ "severity": 1,
+ "type": [
+ "creation",
+ "info",
+ "user"
+ ]
+ },
+ "@timestamp": "2023-03-17T17:07:59Z",
+ "cloud": {
+ "provider": "AWS",
+ "region": "us-east-1"
+ },
+ "ocsf": {
+ "activity_id": 1,
+ "activity_name": "Create",
+ "class_name": "Account Change",
+ "class_uid": 3001
+ },
+ "related": {
+ "ip": [
+ "52.95.4.21"
+ ]
+ },
+ "source": {
+ "address": "52.95.4.21",
+ "ip": "52.95.4.21"
+ },
+ "user": {
+ "group": {
+ "id": [],
+ "name": []
+ },
+ "id": "arn:aws:sts::112233445566:assumed-role/Admin/Admin-user",
+ "target": {
+ "group": {
+ "id": [],
+ "name": []
+ },
+ "id": "AROA2W7SOKHEXAMPLE:Admin-user",
+ "name": "test_user2"
+ }
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "Other",
+ "original": "AWS Internal",
+ "os": {
+ "name": "Other"
+ }
+ }
+ }
+
+ ```
+
+
+=== "test_api_activity_1.json"
+
+ ```json
+
+ {
+ "message": "{\"activity_id\": 2, \"activity_name\": \"Read\", \"actor\": {\"idp\": {\"name\": null}, \"invoked_by\": null, \"session\": {\"created_time\": 0, \"created_time_dt\": null, \"issuer\": null}, \"user\": {\"account\": {\"uid\": \"1111111111111\"}, \"credential_uid\": \"AKIA3Z2XBVEXAMPLE\", \"name\": \"Level6\", \"type\": \"IAMUser\", \"uid\": \"arn:aws:iam::1111111111111:user/Level6\", \"uid_alt\": \"AIDADO2GQEXAMPLE\"}}, \"api\": {\"operation\": \"DescribeDirectConnectGateways\", \"request\": {\"data\": null, \"uid\": \"1c8a6220-4263-4763-b526-example\"}, \"response\": {\"data\": {\"directConnectGateways\": []}, \"error\": null, \"message\": null}, \"service\": {\"name\": \"directconnect.amazonaws.com\"}, \"version\": null}, \"category_name\": \"Application Activity\", \"category_uid\": 6, \"class_name\": \"API Activity\", \"class_uid\": 6003, \"cloud\": {\"provider\": \"AWS\", \"region\": \"us-east-1\"}, \"http_request\": {\"user_agent\": \"Boto3/1.15.2 Python/3.8.2 Linux/5.6.3-arch1-1 Botocore/1.18.2\"}, \"metadata\": {\"log_name\": \"AwsApiCall\", \"log_provider\": \"CloudTrail\", \"product\": {\"feature\": {\"name\": null}, \"name\": \"CloudTrail\", \"vendor_name\": \"AWS\", \"version\": \"1.05\"}, \"profiles\": [\"cloud\", \"datetime\"], \"uid\": \"71c88be9-ea5c-43c7-8c82-example\", \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"actor.user.name\", \"type\": \"User\", \"type_id\": 4, \"value\": \"Level6\"}, {\"name\": \"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"205.8.181.128\"}], \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"205.8.181.128\"}, \"status\": null, \"status_id\": 99, \"time\": 1695334972000, \"time_dt\": \"2023-09-21T22:22:52Z\", \"type_name\": \"API Activity: Read\", \"type_uid\": 600302, \"unmapped\": {\"eventType\": \"AwsApiCall\", \"recipientAccountId\": \"1111111111111\", \"requestParameters\": null, \"responseElements\": {\"directConnectGateways\": []}, \"userIdentity\": {}}}",
+ "event": {
+ "action": "read",
+ "category": [
+ "web"
+ ],
+ "kind": "event",
+ "provider": "CloudTrail",
+ "severity": 1,
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2023-09-21T22:22:52Z",
+ "cloud": {
+ "provider": "AWS",
+ "region": "us-east-1"
+ },
+ "ocsf": {
+ "activity_id": 2,
+ "activity_name": "Read",
+ "class_name": "API Activity",
+ "class_uid": 6003
+ },
+ "package": {
+ "description": [],
+ "name": [],
+ "type": []
+ },
+ "related": {
+ "ip": [
+ "205.8.181.128"
+ ],
+ "user": [
+ "Level6"
+ ]
+ },
+ "source": {
+ "address": "205.8.181.128",
+ "ip": "205.8.181.128"
+ },
+ "user": {
+ "group": {
+ "id": [],
+ "name": []
+ },
+ "id": "arn:aws:iam::1111111111111:user/Level6",
+ "name": "Level6"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Spider"
+ },
+ "name": "Boto3",
+ "original": "Boto3/1.15.2 Python/3.8.2 Linux/5.6.3-arch1-1 Botocore/1.18.2",
+ "os": {
+ "name": "Linux",
+ "version": "5.6.3"
+ },
+ "version": "1.15.2"
+ }
+ }
+
+ ```
+
+
+=== "test_api_activity_2.json"
+
+ ```json
+
+ {
+ "message": "{\"activity_id\": 1, \"activity_name\": \"Create\", \"actor\": {\"session\": {\"credential_uid\": \"EXAMPLEUIDTEST\", \"issuer\": \"arn:aws:iam::123456789012:role/example-test-161366663-NodeInstanceRole-abc12345678912\", \"uid\": \"i-12345678901\"}, \"user\": {\"groups\": [{\"name\": \"system:bootstrappers\"}, {\"name\": \"system:nodes\"}, {\"name\": \"system:authenticated\"}], \"name\": \"system:node:ip-192-001-02-03.ec2.internal\", \"type_id\": 0, \"uid\": \"heptio-authenticator-aws:123456789012:ABCD1234567890EXAMPLE\"}}, \"api\": {\"operation\": \"create\", \"request\": {\"uid\": \"f47c68f2-d3ac-4f96-b2f4-5d497bf79b64\"}, \"response\": {\"code\": 201}, \"version\": \"v1\"}, \"category_name\": \"Application Activity\", \"category_uid\": 6, \"class_name\": \"API Activity\", \"class_uid\": 6003, \"cloud\": {\"account\": {\"uid\": \"arn:aws:sts::123456789012:assumed-role/example-test-161366663-NodeInstanceRole-abc12345678912/i-12345678901\"}, \"provider\": \"AWS\"}, \"http_request\": {\"url\": {\"path\": \"/api/v1/nodes\"}, \"user_agent\": \"kubelet/v1.21.2 (linux/amd64) kubernetes/729bdfc\"}, \"message\": \"ResponseComplete\", \"metadata\": {\"log_level\": \"RequestResponse\", \"product\": {\"feature\": {\"name\": \"Elastic Kubernetes Service\"}, \"name\": \"Amazon EKS\", \"vendor_name\": \"AWS\", \"version\": \"audit.k8s.io/v1\"}, \"profiles\": [\"cloud\", \"datetime\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"actor.user.name\", \"type\": \"User Name\", \"type_id\": 4, \"value\": \"system:node:ip-192-001-02-03.ec2.internal\"}, {\"name\": \"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"12.000.22.33\"}, {\"name\": \"http_request.url.path\", \"type\": \"URL String\", \"type_id\": 6, \"value\": \"/api/v1/nodes\"}], \"resources\": [{\"name\": \"ip-192-001-02-03.ec2.internal\", \"type\": \"nodes\"}], \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"12.000.22.33\"}, \"start_time_dt\": \"2021-09-07 20:37:30.502000\", \"time\": 1631047050642, \"time_dt\": \"2021-09-07 20:37:30.642000\", \"type_name\": \"API Activity: Create\", \"type_uid\": 600301, \"unmapped\": {\"responseObject.status.capacity.cpu\": \"4\", \"annotations.authorization.k8s.io/reason\": \"\", \"requestObject.metadata.annotations.volumes.kubernetes.io/controller-managed-attach-detach\": \"true\", \"responseObject.metadata.labels.kubernetes.io/hostname\": \"ip-192-001-02-03.ec2.internal\", \"requestObject.metadata.labels.eks.amazonaws.com/sourceLaunchTemplateVersion\": \"1\", \"responseObject.metadata.labels.alpha.eksctl.io/cluster-name\": \"ABCD1234567890EXAMPLE\", \"responseObject.metadata.labels.eks.amazonaws.com/nodegroup-image\": \"ami-0193ebf9573ebc9f7\", \"responseObject.metadata.managedFields[].time\": \"2021-09-07T20:37:30Z\", \"responseObject.status.nodeInfo.kubeletVersion\": \"v1.21.2-eks-55daa9d\", \"responseObject.status.nodeInfo.kubeProxyVersion\": \"v1.21.2-eks-55daa9d\", \"requestObject.status.capacity.hugepages-1Gi\": \"0\", \"responseObject.metadata.managedFields[].manager\": \"kubelet\", \"annotations.authorization.k8s.io/decision\": \"allow\", \"requestObject.status.nodeInfo.systemUUID\": \"ec2483c6-33b0-e271-f36c-e14e45a361b8\", \"responseObject.metadata.name\": \"ip-192-001-02-03.ec2.internal\", \"responseObject.metadata.labels.eks.amazonaws.com/sourceLaunchTemplateVersion\": \"1\", \"responseObject.apiVersion\": \"v1\", \"requestObject.metadata.labels.kubernetes.io/arch\": \"amd64\", \"requestObject.status.allocatable.hugepages-2Mi\": \"0\", \"requestObject.metadata.labels.alpha.eksctl.io/cluster-name\": \"ABCD1234567890EXAMPLE\", \"responseObject.status.allocatable.memory\": \"15076868Ki\", \"responseObject.status.conditions[].lastHeartbeatTime\": \"2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z\", \"responseObject.spec.providerID\": \"aws:///us-east-1f/i-12345678901\", \"requestObject.status.nodeInfo.architecture\": \"amd64\", \"responseObject.status.nodeInfo.kernelVersion\": \"5.4.141-67.229.amzn2.x86_64\", \"responseObject.status.allocatable.pods\": \"58\", \"requestObject.status.conditions[].status\": \"False,False,False,False\", \"requestObject.metadata.labels.failure-domain.beta.kubernetes.io/region\": \"us-east-1\", \"responseObject.metadata.labels.beta.kubernetes.io/os\": \"linux\", \"responseObject.metadata.labels.kubernetes.io/os\": \"linux\", \"requestObject.status.addresses[].address\": \"192.000.22.33,12.000.22.33,ip-192-001-02-03.ec2.internal,ip-192-001-02-03.ec2.internal,ec2-12.000.22.33.compute-1.amazonaws.com\", \"responseObject.status.capacity.hugepages-1Gi\": \"0\", \"responseObject.status.conditions[].reason\": \"KubeletHasSufficientMemory,KubeletHasNoDiskPressure,KubeletHasSufficientPID,KubeletNotReady\", \"requestObject.apiVersion\": \"v1\", \"requestObject.status.capacity.cpu\": \"4\", \"requestObject.metadata.labels.node.kubernetes.io/instance-type\": \"m5.xlarge\", \"requestObject.metadata.labels.eks.amazonaws.com/nodegroup-image\": \"ami-0193ebf9573ebc9f7\", \"responseObject.metadata.labels.node.kubernetes.io/instance-type\": \"m5.xlarge\", \"responseObject.status.allocatable.hugepages-2Mi\": \"0\", \"responseObject.status.allocatable.attachable-volumes-aws-ebs\": \"25\", \"requestObject.status.nodeInfo.containerRuntimeVersion\": \"docker://19.3.13\", \"requestObject.status.allocatable.attachable-volumes-aws-ebs\": \"25\", \"responseObject.status.conditions[].lastTransitionTime\": \"2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z\", \"responseObject.metadata.creationTimestamp\": \"2021-09-07T20:37:30Z\", \"requestObject.metadata.labels.kubernetes.io/hostname\": \"ip-192-001-02-03.ec2.internal\", \"requestObject.status.nodeInfo.bootID\": \"0d0dd4f2-8829-4b03-9f29-794f4908281b\", \"requestObject.status.nodeInfo.kubeProxyVersion\": \"v1.21.2-eks-55daa9d\", \"responseObject.kind\": \"Node\", \"requestObject.status.nodeInfo.osImage\": \"Amazon Linux 2\", \"requestObject.status.conditions[].type\": \"MemoryPressure,DiskPressure,PIDPressure,Ready\", \"requestObject.status.daemonEndpoints.kubeletEndpoint.Port\": \"10250\", \"responseObject.metadata.labels.kubernetes.io/arch\": \"amd64\", \"responseObject.metadata.labels.eks.amazonaws.com/sourceLaunchTemplateId\": \"lt-0f20d6f901007611e\", \"requestObject.status.capacity.attachable-volumes-aws-ebs\": \"25\", \"responseObject.status.conditions[].message\": \"kubelet has sufficient memory available,kubelet has no disk pressure,kubelet has sufficient PID available,[container runtime status check may not have completed yet, container runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:docker: network plugin is not ready: cni config uninitialized, CSINode is not yet initialized, missing node capacity for resources: ephemeral-storage]\", \"responseObject.status.nodeInfo.operatingSystem\": \"linux\", \"requestObject.metadata.labels.alpha.eksctl.io/nodegroup-name\": \"ng-5fe434eb\", \"responseObject.status.capacity.memory\": \"16093700Ki\", \"requestObject.metadata.labels.beta.kubernetes.io/arch\": \"amd64\", \"requestObject.metadata.labels.eks.amazonaws.com/capacityType\": \"ON_DEMAND\", \"requestObject.status.allocatable.memory\": \"15076868Ki\", \"requestObject.status.conditions[].lastHeartbeatTime\": \"2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z\", \"responseObject.status.capacity.attachable-volumes-aws-ebs\": \"25\", \"responseObject.status.nodeInfo.osImage\": \"Amazon Linux 2\", \"responseObject.metadata.labels.beta.kubernetes.io/instance-type\": \"m5.xlarge\", \"responseObject.metadata.labels.alpha.eksctl.io/nodegroup-name\": \"ng-5fe434eb\", \"requestObject.metadata.labels.beta.kubernetes.io/instance-type\": \"m5.xlarge\", \"responseObject.status.nodeInfo.architecture\": \"amd64\", \"responseObject.metadata.labels.topology.kubernetes.io/zone\": \"us-east-1f\", \"requestObject.status.capacity.hugepages-2Mi\": \"0\", \"requestObject.status.conditions[].message\": \"kubelet has sufficient memory available,kubelet has no disk pressure,kubelet has sufficient PID available,[container runtime status check may not have completed yet, container runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:docker: network plugin is not ready: cni config uninitialized, CSINode is not yet initialized, missing node capacity for resources: ephemeral-storage]\", \"responseObject.metadata.labels.failure-domain.beta.kubernetes.io/region\": \"us-east-1\", \"requestObject.metadata.labels.eks.amazonaws.com/sourceLaunchTemplateId\": \"lt-0f20d6f901007611e\", \"responseObject.spec.taints[].effect\": \"NoSchedule\", \"requestObject.metadata.labels.topology.kubernetes.io/region\": \"us-east-1\", \"requestObject.metadata.name\": \"ip-192-001-02-03.ec2.internal\", \"responseObject.status.nodeInfo.machineID\": \"ec2483c633b0e271f36ce14e45a361b8\", \"kind\": \"Event\", \"responseObject.metadata.annotations.volumes.kubernetes.io/controller-managed-attach-detach\": \"true\", \"responseObject.status.nodeInfo.bootID\": \"0d0dd4f2-8829-4b03-9f29-794f4908281b\", \"responseObject.status.conditions[].status\": \"False,False,False,False\", \"requestObject.metadata.labels.beta.kubernetes.io/os\": \"linux\", \"requestObject.status.allocatable.hugepages-1Gi\": \"0\", \"requestObject.status.addresses[].type\": \"InternalIP,ExternalIP,Hostname,InternalDNS,ExternalDNS\", \"requestObject.metadata.labels.failure-domain.beta.kubernetes.io/zone\": \"us-east-1f\", \"requestObject.status.allocatable.cpu\": \"3920m\", \"requestObject.metadata.labels.kubernetes.io/os\": \"linux\", \"requestObject.status.nodeInfo.operatingSystem\": \"linux\", \"responseObject.status.daemonEndpoints.kubeletEndpoint.Port\": \"10250\", \"responseObject.status.nodeInfo.systemUUID\": \"ec2483c6-33b0-e271-f36c-e14e45a361b8\", \"responseObject.metadata.labels.failure-domain.beta.kubernetes.io/zone\": \"us-east-1f\", \"requestObject.metadata.labels.topology.kubernetes.io/zone\": \"us-east-1f\", \"responseObject.status.nodeInfo.containerRuntimeVersion\": \"docker://19.3.13\", \"requestObject.status.nodeInfo.kernelVersion\": \"5.4.141-67.229.amzn2.x86_64\", \"requestObject.kind\": \"Node\", \"requestObject.spec.providerID\": \"aws:///us-east-1f/i-12345678901\", \"responseObject.metadata.uid\": \"4ecf628a-1b50-47ed-932c-bb1df89dad10\", \"responseObject.status.capacity.hugepages-2Mi\": \"0\", \"responseObject.metadata.managedFields[].fieldsType\": \"FieldsV1\", \"responseObject.metadata.labels.topology.kubernetes.io/region\": \"us-east-1\", \"responseObject.status.capacity.pods\": \"58\", \"requestObject.status.capacity.memory\": \"16093700Ki\", \"responseObject.metadata.managedFields[].apiVersion\": \"v1\", \"responseObject.status.allocatable.hugepages-1Gi\": \"0\", \"responseObject.metadata.resourceVersion\": \"67933403\", \"responseObject.status.addresses[].address\": \"192.000.22.33,12.000.22.33,ip-192-001-02-03.ec2.internal,ip-192-001-02-03.ec2.internal,ec2-12.000.22.33.compute-1.amazonaws.com\", \"requestObject.status.conditions[].lastTransitionTime\": \"2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z\", \"requestObject.status.nodeInfo.kubeletVersion\": \"v1.21.2-eks-55daa9d\", \"responseObject.metadata.labels.eks.amazonaws.com/nodegroup\": \"ng-5fe434eb\", \"requestObject.metadata.labels.eks.amazonaws.com/nodegroup\": \"ng-5fe434eb\", \"requestObject.status.conditions[].reason\": \"KubeletHasSufficientMemory,KubeletHasNoDiskPressure,KubeletHasSufficientPID,KubeletNotReady\", \"responseObject.metadata.labels.eks.amazonaws.com/capacityType\": \"ON_DEMAND\", \"requestObject.status.nodeInfo.machineID\": \"ec2483c633b0e271f36ce14e45a361b8\", \"responseObject.status.addresses[].type\": \"InternalIP,ExternalIP,Hostname,InternalDNS,ExternalDNS\", \"responseObject.metadata.labels.beta.kubernetes.io/arch\": \"amd64\", \"responseObject.metadata.managedFields[].operation\": \"Update\", \"responseObject.status.allocatable.cpu\": \"3920m\", \"responseObject.status.conditions[].type\": \"MemoryPressure,DiskPressure,PIDPressure,Ready\", \"responseObject.spec.taints[].key\": \"node.kubernetes.io/not-ready\", \"sourceIPs[]\": \"12.000.22.33\", \"requestObject.status.capacity.pods\": \"58\", \"requestObject.status.allocatable.pods\": \"58\"}}",
+ "event": {
+ "action": "create",
+ "category": [
+ "web"
+ ],
+ "kind": "event",
+ "reason": "ResponseComplete",
+ "severity": 1,
+ "start": "2021-09-07T20:37:30.502000Z",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2021-09-07T20:37:30.642000Z",
+ "cloud": {
+ "account": {
+ "id": "arn:aws:sts::123456789012:assumed-role/example-test-161366663-NodeInstanceRole-abc12345678912/i-12345678901"
+ },
+ "provider": "AWS"
+ },
+ "ocsf": {
+ "activity_id": 1,
+ "activity_name": "Create",
+ "class_name": "API Activity",
+ "class_uid": 6003
+ },
+ "package": {
+ "description": [],
+ "name": [],
+ "type": []
+ },
+ "related": {
+ "user": [
+ "system:node:ip-192-001-02-03.ec2.internal"
+ ]
+ },
+ "url": {
+ "path": "/api/v1/nodes"
+ },
+ "user": {
+ "group": {
+ "id": [],
+ "name": [
+ "system:authenticated",
+ "system:bootstrappers",
+ "system:nodes"
+ ]
+ },
+ "id": "heptio-authenticator-aws:123456789012:ABCD1234567890EXAMPLE",
+ "name": "system:node:ip-192-001-02-03.ec2.internal"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "Other",
+ "original": "kubelet/v1.21.2 (linux/amd64) kubernetes/729bdfc",
+ "os": {
+ "name": "Linux"
+ }
+ }
+ }
+
+ ```
+
+
+=== "test_authentication_1.json"
+
+ ```json
+
+ {
+ "message": "{\"activity_id\": 1, \"activity_name\": \"Logon\", \"actor\": {\"idp\": {\"name\": null}, \"invoked_by\": null, \"session\": {\"issuer\": null}, \"user\": {\"account\": {\"uid\": \"111122223333\"}, \"credential_uid\": null, \"name\": \"anaya\", \"type\": \"IAMUser\", \"uid\": \"arn:aws:iam::111122223333:user/anaya\", \"uid_alt\": \"AIDACKCEVSQ6C2EXAMPLE\"}}, \"api\": {\"operation\": \"ConsoleLogin\", \"request\": {\"data\": null, \"uid\": \"\"}, \"response\": {\"data\": {\"ConsoleLogin\": \"Success\"}, \"error\": null, \"message\": null}, \"service\": {\"name\": \"signin.amazonaws.com\"}, \"version\": null}, \"category_name\": \"Identity & Access Management Category\", \"category_uid\": 3, \"class_name\": \"Authentication\", \"class_uid\": 3002, \"cloud\": {\"provider\": \"AWS\", \"region\": \"us-east-1\"}, \"dst_endpoint\": {\"svc_name\": \"https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true\"}, \"http_request\": {\"user_agent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36\"}, \"is_mfa\": true, \"metadata\": {\"event_code\": \"AwsConsoleSignIn\", \"log_provider\": \"CloudTrail\", \"product\": {\"feature\": {\"name\": \"Management\"}, \"name\": \"CloudTrail\", \"vendor_name\": \"AWS\", \"version\": \"1.08\"}, \"profiles\": [\"cloud\", \"datetime\"], \"uid\": \"fed06f42-cb12-4764-8c69-example\", \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"192.0.2.0\"}], \"session\": {\"expiration_time\": null}, \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"192.0.2.0\"}, \"status\": \"Success\", \"status_id\": 1, \"time\": 1699633474000, \"time_dt\": \"2023-11-10T16:24:34Z\", \"type_name\": \"Authentication: Logon\", \"type_uid\": 300201, \"unmapped\": {\"additionalEventData\": {\"LoginTo\": \"https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true\", \"MFAIdentifier\": \"arn:aws:iam::111122223333:u2f/user/anaya/default-AAAAAAAABBBBBBBBCCCCCCCCDD\", \"MobileVersion\": \"No\"}, \"eventType\": \"AwsConsoleSignIn\", \"recipientAccountId\": \"111122223333\", \"requestParameters\": null, \"responseElements\": {}, \"userIdentity\": {}}, \"user\": {\"uid\": \"arn:aws:iam::111122223333:user/anaya\", \"uid_alt\": \"AIDACKCEVSQ6C2EXAMPLE\"}}",
+ "event": {
+ "action": "logon",
+ "category": [
+ "authentication"
+ ],
+ "code": "AwsConsoleSignIn",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "CloudTrail",
+ "severity": 1,
+ "type": [
+ "info",
+ "start"
+ ]
+ },
+ "@timestamp": "2023-11-10T16:24:34Z",
+ "cloud": {
+ "provider": "AWS",
+ "region": "us-east-1"
+ },
+ "network": {
+ "application": "https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true"
+ },
+ "ocsf": {
+ "activity_id": 1,
+ "activity_name": "Logon",
+ "class_name": "Authentication",
+ "class_uid": 3002
+ },
+ "related": {
+ "ip": [
+ "192.0.2.0"
+ ],
+ "user": [
+ "anaya"
+ ]
+ },
+ "source": {
+ "address": "192.0.2.0",
+ "ip": "192.0.2.0"
+ },
+ "user": {
+ "group": {
+ "id": [],
+ "name": []
+ },
+ "id": "arn:aws:iam::111122223333:user/anaya",
+ "name": "anaya",
+ "target": {
+ "group": {
+ "id": [],
+ "name": []
+ },
+ "id": "arn:aws:iam::111122223333:user/anaya"
+ }
+ },
+ "user_agent": {
+ "device": {
+ "name": "Mac"
+ },
+ "name": "Chrome",
+ "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",
+ "os": {
+ "name": "Mac OS X",
+ "version": "10.11.6"
+ },
+ "version": "67.0.3396"
+ }
+ }
+
+ ```
+
+
+=== "test_authentication_2.json"
+
+ ```json
+
+ {
+ "message": "{\"activity_id\": 1, \"activity_name\": \"Logon\", \"actor\": {\"process\": {\"file\": {\"name\": \"services.exe\", \"parent_folder\": \"C:\\\\Windows\\\\System32\", \"path\": \"C:\\\\Windows\\\\System32\\\\services.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 848}, \"session\": {\"uid\": \"0x3E7\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"ATTACKRANGE\", \"name\": \"WIN-DC-725$\", \"uid\": \"NT AUTHORITY\\\\SYSTEM\"}}, \"auth_protocol\": \"Other\", \"auth_protocol_id\": 99, \"category_name\": \"Audit Activity\", \"category_uid\": 3, \"class_name\": \"Authentication\", \"class_uid\": 3002, \"device\": {\"hostname\": \"win-dc-725.attackrange.local\", \"os\": {\"name\": \"Windows\", \"type\": \"Windows\", \"type_id\": 100}, \"type\": \"Unknown\", \"type_id\": 0}, \"dst_endpoint\": {\"hostname\": \"win-dc-725.attackrange.local\"}, \"logon_process\": {\"name\": \"Advapi \", \"pid\": -1}, \"logon_type\": \"OS Service\", \"logon_type_id\": 5, \"message\": \"An account was successfully logged on.\", \"metadata\": {\"original_time\": \"03/12/2021 10:48:14 AM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"ce139867-ced1-4742-9bb0-ad1926b8bbe1\", \"version\": \"1.0.0-rc.2\"}, \"session\": {\"uid\": \"0x3E7\", \"uuid\": \"{00000000-0000-0000-0000-000000000000}\"}, \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"-\", \"name\": \"-\", \"port\": 0}, \"status\": \"Success\", \"status_id\": 1, \"time\": 1615564094000, \"type_name\": \"Authentication: Logon\", \"type_uid\": 300201, \"unmapped\": {\"Detailed Authentication Information\": {\"Key Length\": \"0\", \"Package Name (NTLM only)\": \"-\", \"Transited Services\": \"-\"}, \"EventCode\": \"4624\", \"EventType\": \"0\", \"Impersonation Level\": \"Impersonation\", \"Logon Information\": {\"Elevated Token\": \"Yes\", \"Restricted Admin Mode\": \"-\", \"Virtual Account\": \"No\"}, \"New Logon\": {\"Linked Logon ID\": \"0x0\", \"Network Account Domain\": \"-\", \"Network Account Name\": \"-\"}, \"OpCode\": \"Info\", \"RecordNumber\": \"257879\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Logon\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"NT AUTHORITY\", \"name\": \"SYSTEM\", \"uid\": \"NT AUTHORITY\\\\SYSTEM\"}}",
+ "event": {
+ "action": "logon",
+ "category": [
+ "authentication"
+ ],
+ "kind": "event",
+ "outcome": "success",
+ "reason": "An account was successfully logged on.",
+ "severity": 1,
+ "type": [
+ "info",
+ "start"
+ ]
+ },
+ "@timestamp": "2021-03-12T15:48:14Z",
+ "destination": {
+ "address": "win-dc-725.attackrange.local",
+ "domain": "win-dc-725.attackrange.local",
+ "subdomain": "win-dc-725.attackrange"
+ },
+ "file": {
+ "directory": "C:\\Windows\\System32",
+ "name": "services.exe",
+ "path": "C:\\Windows\\System32\\services.exe",
+ "type": "Regular File"
+ },
+ "host": {
+ "hostname": "win-dc-725.attackrange.local",
+ "name": "win-dc-725.attackrange.local",
+ "os": {
+ "name": "Windows",
+ "type": "Windows"
+ },
+ "type": "Unknown"
+ },
+ "ocsf": {
+ "activity_id": 1,
+ "activity_name": "Logon",
+ "class_name": "Authentication",
+ "class_uid": 3002
+ },
+ "process": {
+ "pid": 848
+ },
+ "related": {
+ "hosts": [
+ "win-dc-725.attackrange.local"
+ ],
+ "user": [
+ "WIN-DC-725$"
+ ]
+ },
+ "source": {
+ "port": 0
+ },
+ "user": {
+ "domain": "ATTACKRANGE",
+ "group": {
+ "id": [],
+ "name": []
+ },
+ "id": "NT AUTHORITY\\SYSTEM",
+ "name": "WIN-DC-725$",
+ "target": {
+ "domain": "NT AUTHORITY",
+ "group": {
+ "id": [],
+ "name": []
+ },
+ "id": "NT AUTHORITY\\SYSTEM",
+ "name": "SYSTEM"
+ }
+ }
+ }
+
+ ```
+
+
+=== "test_authentication_3.json"
+
+ ```json
+
+ {
+ "message": "{\"activity_id\": 1, \"activity_name\": \"Logon\", \"actor\": {\"process\": {\"file\": {\"name\": \"-\", \"path\": \"-\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 0}, \"session\": {\"uid\": \"0x0\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"-\", \"name\": \"-\", \"uid\": \"NULL SID\"}}, \"auth_protocol\": \"NTLM\", \"auth_protocol_id\": 1, \"category_name\": \"Audit Activity\", \"category_uid\": 3, \"class_name\": \"Authentication\", \"class_uid\": 3002, \"device\": {\"hostname\": \"EC2AMAZ-6KJ2BPP\", \"os\": {\"name\": \"Windows\", \"type\": \"Windows\", \"type_id\": 100}, \"type\": \"Unknown\", \"type_id\": 0}, \"dst_endpoint\": {\"hostname\": \"EC2AMAZ-6KJ2BPP\"}, \"logon_process\": {\"name\": \"NtLmSsp \", \"pid\": -1}, \"logon_type\": \"Network\", \"logon_type_id\": 3, \"message\": \"An account failed to log on.\", \"metadata\": {\"original_time\": \"10/08/2020 12:41:47 PM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"a738d6e6-4ebd-49bb-805e-45d0604a1bef\", \"version\": \"1.0.0-rc.2\"}, \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"-\", \"name\": \"EC2AMAZ-6KJ2BPP\", \"port\": 0}, \"status\": \"0xC000006D\", \"status_detail\": \"Unknown user name or bad password.\", \"status_id\": 2, \"time\": 1602175307000, \"type_name\": \"Authentication: Logon\", \"type_uid\": 300201, \"unmapped\": {\"Detailed Authentication Information\": {\"Key Length\": \"0\", \"Package Name (NTLM only)\": \"-\", \"Transited Services\": \"-\"}, \"EventCode\": \"4625\", \"EventType\": \"0\", \"Failure Information\": {\"Sub Status\": \"0xC000006A\"}, \"OpCode\": \"Info\", \"RecordNumber\": \"223742\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Logon\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"EC2AMAZ-6KJ2BPP\", \"name\": \"Administrator\", \"uid\": \"NULL SID\"}}",
+ "event": {
+ "action": "logon",
+ "category": [
+ "authentication"
+ ],
+ "kind": "event",
+ "outcome": "failure",
+ "reason": "An account failed to log on.",
+ "severity": 1,
+ "type": [
+ "info",
+ "start"
+ ]
+ },
+ "@timestamp": "2020-10-08T16:41:47Z",
+ "destination": {
+ "address": "EC2AMAZ-6KJ2BPP",
+ "domain": "EC2AMAZ-6KJ2BPP"
+ },
+ "file": {
+ "type": "Regular File"
+ },
+ "host": {
+ "hostname": "EC2AMAZ-6KJ2BPP",
+ "name": "EC2AMAZ-6KJ2BPP",
+ "os": {
+ "name": "Windows",
+ "type": "Windows"
+ },
+ "type": "Unknown"
+ },
+ "ocsf": {
+ "activity_id": 1,
+ "activity_name": "Logon",
+ "class_name": "Authentication",
+ "class_uid": 3002
+ },
+ "process": {
+ "pid": 0
+ },
+ "related": {
+ "hosts": [
+ "EC2AMAZ-6KJ2BPP"
+ ]
+ },
+ "source": {
+ "port": 0
+ },
+ "user": {
+ "group": {
+ "id": [],
+ "name": []
+ },
+ "id": "NULL SID",
+ "target": {
+ "domain": "EC2AMAZ-6KJ2BPP",
+ "group": {
+ "id": [],
+ "name": []
+ },
+ "id": "NULL SID",
+ "name": "Administrator"
+ }
+ }
+ }
+
+ ```
+
+
+=== "test_compliance_finding_1.json"
+
+ ```json
+
+ {
+ "message": "{\"activity_id\": 2, \"activity_name\": \"Update\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Compliance Finding\", \"class_uid\": 2003, \"cloud\": {\"account\": {\"uid\": \"111111111111\"}, \"provider\": \"AWS\", \"region\": \"us-east-2\"}, \"compliance\": {\"control\": \"Config.1\", \"requirements\": [\"PCI DSS 10.5.2\", \"PCI DSS 11.5\"], \"standards\": [\"standards/pci-dss/v/3.2.1\"], \"status\": \"FAILED\"}, \"finding_info\": {\"created_time_dt\": \"2023-01-13T15:08:44.967-05:00\", \"desc\": \"This AWS control checks whether AWS Config is enabled in current account and region.\", \"first_seen_time_dt\": \"2023-01-13T15:08:44.967-05:00\", \"last_seen_time_dt\": \"2023-07-21T14:12:05.693-04:00\", \"modified_time_dt\": \"2023-07-21T14:11:53.060-04:00\", \"title\": \"PCI.Config.1 AWS Config should be enabled\", \"types\": [\"Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS\"], \"uid\": \"arn:aws:securityhub:us-east-2:111111111111:subscription/pci-dss/v/3.2.1/PCI.Config.1/finding/7d619054-6f0d-456b-aa75-23b20f74fae6\"}, \"metadata\": {\"log_version\": \"2018-10-08\", \"processed_time_dt\": \"2023-07-21T14:12:08.489-04:00\", \"product\": {\"feature\": {\"uid\": \"pci-dss/v/3.2.1/PCI.Config.1\"}, \"name\": \"Security Hub\", \"uid\": \"arn:aws:securityhub:us-east-2::product/aws/securityhub\", \"vendor_name\": \"AWS\"}, \"profiles\": [\"cloud\", \"datetime\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"resource.uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"AWS::::Account:111111111111\"}], \"remediation\": {\"desc\": \"For information on how to correct this issue, consult the AWS Security Hub controls documentation.\", \"references\": [\"https://docs.aws.amazon.com/console/securityhub/Config.1/remediation\"]}, \"resource\": {\"cloud_partition\": \"aws\", \"region\": \"us-east-2\", \"type\": \"AwsAccount\", \"uid\": \"AWS::::Account:111111111111\"}, \"severity\": \"Medium\", \"severity_id\": 3, \"status\": \"New\", \"time\": 1689963113060, \"time_dt\": \"2023-07-21T14:11:53.060-04:00\", \"type_name\": \"Compliance Finding: Update\", \"type_uid\": 200302, \"unmapped\": {\"FindingProviderFields.Severity.Label\": \"MEDIUM\", \"FindingProviderFields.Severity.Original\": \"MEDIUM\", \"FindingProviderFields.Types[]\": \"Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS\", \"ProductFields.ControlId\": \"PCI.Config.1\", \"ProductFields.RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/Config.1/remediation\", \"ProductFields.Resources:0/Id\": \"arn:aws:iam::111111111111:root\", \"ProductFields.StandardsArn\": \"arn:aws:securityhub:::standards/pci-dss/v/3.2.1\", \"ProductFields.StandardsControlArn\": \"arn:aws:securityhub:us-east-2:111111111111:control/pci-dss/v/3.2.1/PCI.Config.1\", \"ProductFields.StandardsSubscriptionArn\": \"arn:aws:securityhub:us-east-2:111111111111:subscription/pci-dss/v/3.2.1\", \"ProductFields.aws/securityhub/CompanyName\": \"AWS\", \"ProductFields.aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-2::product/aws/securityhub/arn:aws:securityhub:us-east-2:111111111111:subscription/pci-dss/v/3.2.1/PCI.Config.1/finding/7d619054-6f0d-456b-aa75-23b20f74fae6\", \"ProductFields.aws/securityhub/ProductName\": \"Security Hub\", \"RecordState\": \"ACTIVE\", \"Severity.Normalized\": \"40\", \"Severity.Original\": \"MEDIUM\", \"Severity.Product\": \"40\", \"WorkflowState\": \"NEW\"}}",
+ "event": {
+ "action": "update",
+ "category": [],
+ "severity": 3,
+ "type": []
+ },
+ "@timestamp": "2023-07-21T18:11:53.060000Z",
+ "cloud": {
+ "account": {
+ "id": "111111111111"
+ },
+ "provider": "AWS",
+ "region": "us-east-2"
+ },
+ "ocsf": {
+ "activity_id": 2,
+ "activity_name": "Update",
+ "class_name": "Compliance Finding",
+ "class_uid": 2003
+ }
+ }
+
+ ```
+
+
+=== "test_detection_finding_1.json"
+
+ ```json
+
+ {
+ "message": "{\"activity_id\": 1, \"activity_name\": \"Create\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Detection Finding\", \"class_uid\": 2004, \"cloud\": {\"account\": {\"uid\": \"111111111111\"}, \"provider\": \"AWS\", \"region\": \"us-east-2\"}, \"evidences\": [{\"api\": {\"operation\": \"DeleteTrail\", \"service\": {\"name\": \"cloudtrail.amazonaws.com\"}}, \"data\": \"\", \"src_endpoint\": {\"ip\": \"52.94.133.131\", \"location\": {\"city\": \"\", \"coordinates\": [-100.821999, 37.751], \"country\": \"United States\"}}}], \"finding_info\": {\"created_time_dt\": \"2023-09-19T11:05:22.487-04:00\", \"desc\": \"AWS CloudTrail trail arn:aws:cloudtrail:us-east-2:111111111111:trail/delete-me was disabled by Admin calling DeleteTrail under unusual circumstances. This can be attackers attempt to cover their tracks by eliminating any trace of activity performed while they accessed your account.\", \"first_seen_time_dt\": \"2023-09-19T10:55:09.000-04:00\", \"last_seen_time_dt\": \"2023-09-19T10:55:09.000-04:00\", \"modified_time_dt\": \"2023-09-19T11:05:22.487-04:00\", \"src_url\": \"https://us-east-2.console.aws.amazon.com/guardduty/home?region=us-east-2#/findings?macros=current&fId=a6c556fcbc9bea427a19f8b787099a0b\", \"title\": \"AWS CloudTrail trail arn:aws:cloudtrail:us-east-2:111111111111:trail/delete-me was disabled.\", \"types\": [\"TTPs/Defense Evasion/Stealth:IAMUser-CloudTrailLoggingDisabled\"], \"uid\": \"arn:aws:guardduty:us-east-2:111111111111:detector/1ac1bfceda6679698215d5d0EXAMPLE/finding/a6c556fcbc9bea427a19f8b787099a0b\"}, \"metadata\": {\"extensions\": [{\"name\": \"linux\", \"uid\": \"1\", \"version\": \"1.1.0\"}], \"log_version\": \"2018-10-08\", \"product\": {\"feature\": {\"uid\": \"arn:aws:guardduty:us-east-2:111111111111:detector/1ac1bfceda6679698215d5d0EXAMPLE\"}, \"name\": \"GuardDuty\", \"uid\": \"arn:aws:securityhub:us-east-2::product/aws/guardduty\", \"vendor_name\": \"Amazon\"}, \"profiles\": [\"cloud\", \"datetime\", \"linux\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"evidences[].src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"52.94.133.131\"}, {\"name\": \"resources[].uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"AWS::IAM::AccessKey:ASIATMJPC7EXAMPLE\"}], \"resources\": [{\"cloud_partition\": \"aws\", \"data\": \"{\\\"AwsIamAccessKey\\\":{\\\"PrincipalId\\\":\\\"AROATMJPC7YEXAMPLE:example\\\",\\\"PrincipalName\\\":\\\"Admin\\\",\\\"PrincipalType\\\":\\\"AssumedRole\\\"}}\", \"region\": \"us-east-2\", \"type\": \"AwsIamAccessKey\", \"uid\": \"AWS::IAM::AccessKey:ASIATMJPC7EXAMPLE\"}], \"severity\": \"Low\", \"severity_id\": 2, \"status\": \"New\", \"time\": 1695135922487, \"time_dt\": \"2023-09-19T11:05:22.487-04:00\", \"type_name\": \"Detection Finding: Create\", \"type_uid\": 200401, \"unmapped\": {\"FindingProviderFields.Severity.Label\": \"LOW\", \"FindingProviderFields.Types[]\": \"TTPs/Defense Evasion/Stealth:IAMUser-CloudTrailLoggingDisabled\", \"ProductFields.aws/guardduty/service/action/actionType\": \"AWS_API_CALL\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/affectedResources/AWS::CloudTrail::Trail\": \"arn:aws:cloudtrail:us-east-2:111111111111:trail/delete-me\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/callerType\": \"Remote IP\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asn\": \"16509\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asnOrg\": \"AMAZON-02\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/isp\": \"Amazon Office\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/org\": \"Amazon Office\", \"ProductFields.aws/guardduty/service/additionalInfo/type\": \"default\", \"ProductFields.aws/guardduty/service/archived\": \"false\", \"ProductFields.aws/guardduty/service/count\": \"1\", \"ProductFields.aws/guardduty/service/detectorId\": \"1ac1bfceda6679698215d5d0EXAMPLE\", \"ProductFields.aws/guardduty/service/eventFirstSeen\": \"2023-09-19T14:55:09.000Z\", \"ProductFields.aws/guardduty/service/eventLastSeen\": \"2023-09-19T14:55:09.000Z\", \"ProductFields.aws/guardduty/service/resourceRole\": \"TARGET\", \"ProductFields.aws/guardduty/service/serviceName\": \"guardduty\", \"ProductFields.aws/securityhub/CompanyName\": \"Amazon\", \"ProductFields.aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-2::product/aws/guardduty/arn:aws:guardduty:us-east-2:111111111111:detector/1ac1bfceda6679698215d5d0EXAMPLE/finding/a6c556fcbc9bea427a19f8b787099a0b\", \"ProductFields.aws/securityhub/ProductName\": \"GuardDuty\", \"RecordState\": \"ACTIVE\", \"Sample\": \"false\", \"Severity.Normalized\": \"40\", \"Severity.Product\": \"2\", \"WorkflowState\": \"NEW\"}}",
+ "event": {
+ "action": "create",
+ "category": [],
+ "severity": 2,
+ "type": []
+ },
+ "@timestamp": "2023-09-19T15:05:22.487000Z",
+ "cloud": {
+ "account": {
+ "id": "111111111111"
+ },
+ "provider": "AWS",
+ "region": "us-east-2"
+ },
+ "ocsf": {
+ "activity_id": 1,
+ "activity_name": "Create",
+ "class_name": "Detection Finding",
+ "class_uid": 2004
+ }
+ }
+
+ ```
+
+
+=== "test_dns_activity_1.json"
+
+ ```json
+
+ {
+ "message": "{\"action\": \"Allowed\", \"action_id\": 1, \"activity_id\": 6, \"activity_name\": \"Traffic\", \"answers\": [{\"class\": \"IN\", \"rdata\": \"127.0.0.62\", \"type\": \"A\"}], \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"DNS Activity\", \"class_uid\": 4003, \"cloud\": {\"account\": {\"uid\": \"123456789012\"}, \"provider\": \"AWS\", \"region\": \"us-east-1\"}, \"connection_info\": {\"direction\": \"Unknown\", \"direction_id\": 0, \"protocol_name\": \"UDP\"}, \"disposition\": \"Alert\", \"dst_endpoint\": {\"instance_uid\": \"rslvr-in-0000000000000000\", \"interface_uid\": \"rni-0000000000000000\"}, \"firewall_rule\": {\"uid\": \"rslvr-frg-000000000000000\"}, \"metadata\": {\"product\": {\"feature\": {\"name\": \"Resolver Query Logs\"}, \"name\": \"Route 53\", \"vendor_name\": \"AWS\", \"version\": \"1.100000\"}, \"profiles\": [\"cloud\", \"security_control\", \"datetime\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"answers[].rdata\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"127.0.0.62\"}, {\"name\": \"dst_endpoint.instance_uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"rslvr-in-0000000000000000\"}, {\"name\": \"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"10.200.21.100\"}, {\"name\": \"query.hostname\", \"type\": \"Hostname\", \"type_id\": 1, \"value\": \"ip-127-0-0-62.alert.firewall.canary.\"}], \"query\": {\"class\": \"IN\", \"hostname\": \"ip-127-0-0-62.alert.firewall.canary.\", \"type\": \"A\"}, \"rcode\": \"NoError\", \"rcode_id\": 0, \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"10.200.21.100\", \"port\": 15083, \"vpc_uid\": \"vpc-00000000000000000\"}, \"time\": 1665694956000, \"time_dt\": \"2022-10-13T17:02:36.000-04:00\", \"type_name\": \"DNS Activity: Traffic\", \"type_uid\": 400306, \"unmapped\": {\"firewall_domain_list_id\": \"rslvr-fdl-0000000000000\"}}",
+ "event": {
+ "action": "traffic",
+ "category": [
+ "network"
+ ],
+ "kind": "event",
+ "severity": 1,
+ "type": [
+ "info",
+ "protocol"
+ ]
+ },
+ "@timestamp": "2022-10-13T21:02:36Z",
+ "cloud": {
+ "account": {
+ "id": "123456789012"
+ },
+ "provider": "AWS",
+ "region": "us-east-1"
+ },
+ "dns": {
+ "answers": {
+ "class": [
+ "IN"
+ ],
+ "ttl": [],
+ "type": [
+ "A"
+ ]
+ },
+ "id": [],
+ "question": {
+ "class": [
+ "IN"
+ ],
+ "name": "ip-127-0-0-62.alert.firewall.canary.",
+ "subdomain": "ip-127-0-0-62.alert.firewall",
+ "type": [
+ "A"
+ ]
+ },
+ "response_code": "NoError"
+ },
+ "network": {
+ "direction": [
+ "unknown"
+ ]
+ },
+ "ocsf": {
+ "activity_id": 6,
+ "activity_name": "Traffic",
+ "class_name": "DNS Activity",
+ "class_uid": 4003
+ },
+ "related": {
+ "hosts": [
+ "ip-127-0-0-62.alert.firewall.canary."
+ ],
+ "ip": [
+ "10.200.21.100"
+ ]
+ },
+ "source": {
+ "address": "10.200.21.100",
+ "ip": "10.200.21.100",
+ "port": 15083
+ }
+ }
+
+ ```
+
+
+=== "test_http_activity_1.json"
+
+ ```json
+
+ {
+ "message": "{\"activity_id\": 3, \"activity_name\": \"Get\", \"category_name\": \"Network Activitys\", \"category_uid\": 4, \"class_name\": \"HTTP Activity\", \"class_uid\": 4002, \"cloud\": {\"provider\": \"AWS\"}, \"dst_endpoint\": {\"domain\": \"/CanaryTest\"}, \"firewall_rule\": {\"type\": \"RATE_BASED\", \"uid\": \"RateBasedRule\"}, \"http_request\": {\"args\": \"\", \"http_method\": \"GET\", \"uid\": \"Ed0AiHF_CGYF-DA=\", \"url\": {\"path\": \"/CanaryTest\"}, \"version\": \"HTTP/1.1\"}, \"http_response\": {\"code\": 403}, \"metadata\": {\"labels\": null, \"product\": {\"feature\": {\"uid\": \"...\"}, \"name\": \"AWS WAF\", \"vendor_name\": \"AWS\", \"version\": \"1\"}, \"version\": \"1.1.0-dev\"}, \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"52.46.82.45\", \"location\": {\"country\": \"FR\"}, \"svc_name\": \"APIGW\", \"uid\": \"EXAMPLE11:rjvegx5guh:CanaryTest\"}, \"time\": 0, \"type_name\": \"HTTP Activity: Get\", \"type_uid\": 400203, \"unmapped\": [[\"rateBasedRuleList[].rateBasedRuleId\", \"...\"], [\"rateBasedRuleList[].customValues[].value\", \"ella\"], [\"rateBasedRuleList[].customValues[].name\", \"dogname\"], [\"rateBasedRuleList[].limitKey\", \"CUSTOMKEYS\"], [\"rateBasedRuleList[].customValues[].key\", \"HEADER\"], [\"httpRequest.headers[].value\", \"52.46.82.45,https,443,rjvegx5guh.execute-api.eu-west-3.amazonaws.com,Root=1-645566cf-7cb058b04d9bb3ee01dc4036,ella,RateBasedRuleTestKoipOneKeyModulePV2,gzip,deflate\"], [\"rateBasedRuleList[].rateBasedRuleName\", \"RateBasedRule\"], [\"rateBasedRuleList[].maxRateAllowed\", \"100\"], [\"httpRequest.headers[].name\", \"X-Forwarded-For,X-Forwarded-Proto,X-Forwarded-Port,Host,X-Amzn-Trace-Id,dogname,User-Agent,Accept-Encoding\"]]}",
+ "event": {
+ "action": "get",
+ "category": [
+ "api"
+ ],
+ "kind": "event",
+ "severity": 1,
+ "type": [
+ "info"
+ ]
+ },
+ "cloud": {
+ "provider": "AWS"
+ },
+ "destination": {
+ "address": "/CanaryTest",
+ "domain": "/CanaryTest"
+ },
+ "http": {
+ "request": {
+ "id": "Ed0AiHF_CGYF-DA=",
+ "method": "GET"
+ },
+ "version": "HTTP/1.1"
+ },
+ "network": {
+ "application": "APIGW"
+ },
+ "ocsf": {
+ "activity_id": 3,
+ "activity_name": "Get",
+ "class_name": "HTTP Activity",
+ "class_uid": 4002
+ },
+ "related": {
+ "hosts": [
+ "/CanaryTest"
+ ],
+ "ip": [
+ "52.46.82.45"
+ ]
+ },
+ "source": {
+ "address": "52.46.82.45",
+ "geo": {
+ "country_iso_code": "FR"
+ },
+ "ip": "52.46.82.45"
+ },
+ "url": {
+ "path": "/CanaryTest"
+ }
+ }
+
+ ```
+
+
+=== "test_network_activity_1.json"
+
+ ```json
+
+ {
+ "message": "{\"cloud\": {\"account_uid\": \"987654321098\", \"region\": \"us-west-2\", \"zone\": \"use2-az2\", \"provider\": \"AWS\"}, \"action\": \"Allowed\", \"action_id\": 1, \"status_code\": \"OK\", \"traffic\": {\"bytes\": 85, \"packets\": 10}, \"src_endpoint\": {\"ip\": \"192.168.1.10\", \"port\": 8080, \"svc_name\": \"amazon-s3\", \"subnet_uid\": \"subnet-33333333333333333\", \"vpc_uid\": \"vpc-44444444444444444\"}, \"dst_endpoint\": {\"ip\": \"192.168.1.20\", \"port\": 443, \"svc_name\": \"amazon-ec2\", \"interface_uid\": \"eni-22222222222222222\", \"instance_uid\": \"i-111111111111111111\"}, \"connection_info\": {\"protocol_num\": 17, \"protocol_ver\": \"IPv6\", \"tcp_flags\": 6, \"direction\": \"egress\", \"direction_id\": 2, \"boundary_id\": 99, \"boundary\": \"vpn\", \"start_time\": 1653200123, \"end_time\": 1653200100}, \"time\": 1653200100, \"type_name\": \"Network Activity: Traffic\", \"type_uid\": 400105, \"activity_id\": 5, \"activity_name\": \"Traffic\", \"class_uid\": 4001, \"class_name\": \"Network Activity\", \"category_uid\": 4, \"category_name\": \"Network Activity\", \"metadata\": {\"product\": {\"name\": \"Amazon VPC\", \"feature\": {\"name\": \"Flowlogs\"}, \"vendor_name\": \"AWS\"}, \"profiles\": [\"cloud\", \"security_control\"], \"version\": \"1.1.0\"}, \"severity_id\": 1, \"severity\": \"Informational\", \"status_id\": 1, \"status\": \"Success\", \"disposition\": \"Allowed\", \"pkt_src_aws_service\": \"amazon-s3\", \"pkt_dst_aws_service\": \"amazon-ec2\", \"sublocation_type\": \"subnet\", \"sublocation_id\": \"subnet-33333333333333333\"}",
+ "event": {
+ "action": "traffic",
+ "category": [
+ "network"
+ ],
+ "kind": "event",
+ "outcome": "success",
+ "severity": 1,
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2022-05-22T06:15:00Z",
+ "cloud": {
+ "availability_zone": "use2-az2",
+ "provider": "AWS",
+ "region": "us-west-2"
+ },
+ "destination": {
+ "address": "192.168.1.20",
+ "ip": "192.168.1.20",
+ "port": 443
+ },
+ "network": {
+ "application": "amazon-ec2",
+ "bytes": 85,
+ "iana_number": "17",
+ "packets": 10
+ },
+ "ocsf": {
+ "activity_id": 5,
+ "activity_name": "Traffic",
+ "class_name": "Network Activity",
+ "class_uid": 4001
+ },
+ "related": {
+ "ip": [
+ "192.168.1.10",
+ "192.168.1.20"
+ ]
+ },
+ "source": {
+ "address": "192.168.1.10",
+ "ip": "192.168.1.10",
+ "port": 8080
+ }
+ }
+
+ ```
+
+
+=== "test_network_activity_2.json"
+
+ ```json
+
+ {
+ "message": "{\"action\": \"Denied\", \"action_id\": 2, \"activity_id\": 5, \"activity_name\": \"Refuse\", \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"Network Activity\", \"class_uid\": 4001, \"cloud\": {\"account\": {\"uid\": \"123456789012\"}, \"provider\": \"AWS\", \"region\": \"us-east-1\", \"zone\": \"use1-az1\"}, \"connection_info\": {\"boundary\": \"-\", \"boundary_id\": 99, \"direction\": \"Inbound\", \"direction_id\": 1, \"protocol_num\": 6, \"protocol_ver\": \"IPv4\", \"tcp_flags\": 2}, \"disposition\": \"Blocked\", \"dst_endpoint\": {\"instance_uid\": \"i-000000000000000000\", \"interface_uid\": \"eni-000000000000000000\", \"ip\": \"172.31.2.52\", \"port\": 39938, \"subnet_uid\": \"subnet-000000000000000000\", \"svc_name\": \"-\", \"vpc_uid\": \"vpc-00000000\"}, \"end_time_dt\": \"2022-04-11T20:03:08.000-04:00\", \"metadata\": {\"product\": {\"feature\": {\"name\": \"Flowlogs\"}, \"name\": \"Amazon VPC\", \"vendor_name\": \"AWS\", \"version\": \"5\"}, \"profiles\": [\"cloud\", \"security_control\", \"datetime\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"dst_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"172.31.2.52\"}, {\"name\": \"dst_endpoint.instance_uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"i-000000000000000000\"}, {\"name\": \"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"1.2.3.4\"}], \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"1.2.3.4\", \"port\": 56858, \"svc_name\": \"-\"}, \"start_time_dt\": \"2022-04-11T20:02:12.000-04:00\", \"status_code\": \"OK\", \"time\": 1649721732000, \"time_dt\": \"2022-04-11T20:02:12.000-04:00\", \"traffic\": {\"bytes\": 40, \"packets\": 1}, \"type_name\": \"Network Activity: Refuse\", \"type_uid\": 400105, \"unmapped\": {\"sublocation_id\": \"-\", \"sublocation_type\": \"-\"}}",
+ "event": {
+ "action": "refuse",
+ "category": [
+ "network"
+ ],
+ "end": "2022-04-12T00:03:08Z",
+ "kind": "event",
+ "severity": 1,
+ "start": "2022-04-12T00:02:12Z",
+ "type": [
+ "denied",
+ "info"
+ ]
+ },
+ "@timestamp": "2022-04-12T00:02:12Z",
+ "cloud": {
+ "account": {
+ "id": "123456789012"
+ },
+ "availability_zone": "use1-az1",
+ "provider": "AWS",
+ "region": "us-east-1"
+ },
+ "destination": {
+ "address": "172.31.2.52",
+ "ip": "172.31.2.52",
+ "port": 39938
+ },
+ "network": {
+ "bytes": 40,
+ "direction": [
+ "inbound"
+ ],
+ "iana_number": "6",
+ "packets": 1
+ },
+ "ocsf": {
+ "activity_id": 5,
+ "activity_name": "Refuse",
+ "class_name": "Network Activity",
+ "class_uid": 4001
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4",
+ "172.31.2.52"
+ ]
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4",
+ "port": 56858
+ }
+ }
+
+ ```
+
+
+=== "test_network_activity_3.json"
+
+ ```json
+
+ {
+ "message": "{\"activity_name\": \"Traffic\", \"activity_id\": 6, \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"Network Activity\", \"class_uid\": 4001, \"type_uid\": 400106, \"type_name\": \"Network Activity: Traffic\", \"severity_id\": 1, \"severity\": \"Informational\", \"start_time\": \"2015/06/17T00:00:00.083\", \"end_time\": \"2015/06/17T00:00:00.089\", \"duration\": 0.006, \"metadata\": {\"product\": {\"version\": \"3.9.0\", \"name\": \"SiLK\", \"feature\": {\"name\": \" Network Flow Data\"}, \"vendor_name\": \"CERT/NetSA at Carnegie Mellon University - Software Engineering Institute\"}, \"version\": \"1.0.0-rc.3\"}, \"src_endpoint\": {\"port\": 63975, \"ip\": \"192.168.40.20\"}, \"dst_endpoint\": {\"port\": 443, \"ip\": \"10.0.40.21\"}, \"connection_info\": {\"protocol_num\": 6, \"tcp_flags\": 19, \"boundary_id\": 99, \"boundary\": \"Other\", \"direction_id\": 2, \"direction\": \"Outbound\"}, \"traffic\": {\"packets\": 8, \"bytes\": 344}, \"unmapped\": {\"sensor\": \"S1\", \"in\": 0, \"out\": 0, \"nhIP\": \"0.0.0.0\", \"initialFlags\": \"\", \"sessionFlags\": \"\", \"attributes\": \"\", \"application\": 0, \"class\": \"all\", \"type\": \"outweb\", \"iType\": \"\", \"iCode\": \"\"}}",
+ "event": {
+ "action": "traffic",
+ "category": [
+ "network"
+ ],
+ "duration": 6000.0,
+ "end": "2015-06-17T00:00:00.089000Z",
+ "kind": "event",
+ "severity": 1,
+ "start": "2015-06-17T00:00:00.083000Z",
+ "type": [
+ "info"
+ ]
+ },
+ "destination": {
+ "address": "10.0.40.21",
+ "ip": "10.0.40.21",
+ "port": 443
+ },
+ "network": {
+ "bytes": 344,
+ "direction": [
+ "outbound"
+ ],
+ "iana_number": "6",
+ "packets": 8
+ },
+ "ocsf": {
+ "activity_id": 6,
+ "activity_name": "Traffic",
+ "class_name": "Network Activity",
+ "class_uid": 4001
+ },
+ "related": {
+ "ip": [
+ "10.0.40.21",
+ "192.168.40.20"
+ ]
+ },
+ "source": {
+ "address": "192.168.40.20",
+ "ip": "192.168.40.20",
+ "port": 63975
+ }
+ }
+
+ ```
+
+
+=== "test_network_activity_4.json"
+
+ ```json
+
+ {
+ "message": "{\"time\": 1591367999.305988, \"uuid\": \"CMdzit1AMNsmfAIiQc\", \"src_endpoint\": {\"ip\": \"192.168.4.76\", \"port\": 36844}, \"dst_endpoint\": {\"ip\": \"192.168.4.1\", \"port\": 53}, \"connection_info\": {\"protocol_name\": \"udp\"}, \"bytes_in\": 62, \"packets_in\": 2, \"orig_bytes\": {\"ip\": 118}, \"bytes_out\": 141, \"packets_out\": 2, \"resp_bytes\": {\"ip\": 197}, \"duration\": 0.06685185432434082, \"unmapped\": {\"conn_state\": \"SF\"}, \"category_uid\": 4, \"category_name\": \"Network Activity\", \"class_uid\": 4001, \"class_name\": \"Network Activity\", \"metadata\": {\"profiles\": [\"security_control\"], \"product\": {\"name\": \"Zeek\", \"feature\": {\"name\": \"conn.log\"}, \"vendor_name\": \"Zeek\"}}, \"severity\": \"Informational\", \"severity_id\": 1, \"proposed_new_attributes\": {\"application_protocol\": \"dns\", \"bytes_missed\": 0, \"connection_history\": \"Dd\"}}",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "duration": 66851.85432434082,
+ "kind": "event",
+ "severity": 1,
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2020-06-05T14:39:59.305988Z",
+ "destination": {
+ "address": "192.168.4.1",
+ "ip": "192.168.4.1",
+ "port": 53
+ },
+ "ocsf": {
+ "class_name": "Network Activity",
+ "class_uid": 4001
+ },
+ "related": {
+ "ip": [
+ "192.168.4.1",
+ "192.168.4.76"
+ ]
+ },
+ "source": {
+ "address": "192.168.4.76",
+ "ip": "192.168.4.76",
+ "port": 36844
+ }
+ }
+
+ ```
+
+
+=== "test_network_activity_5.json"
+
+ ```json
+
+ {
+ "message": "{\"time\": 1591367999.305988, \"uuid\": \"CMdzit1AMNsmfAIiQc\", \"src_endpoint\": {\"ip\": \"192.168.4.76\", \"port\": 36844}, \"dst_endpoint\": {\"ip\": \"192.168.4.1\", \"port\": 53}, \"connection_info\": {\"protocol_name\": \"udp\"}, \"bytes_in\": 62, \"packets_in\": 2, \"orig_bytes\": {\"ip\": 118}, \"bytes_out\": 141, \"packets_out\": 2, \"resp_bytes\": {\"ip\": 197}, \"duration\": 0.06685185432434082, \"unmapped\": {\"conn_state\": \"SF\"}, \"category_uid\": 4, \"category_name\": \"Network Activity\", \"class_uid\": 4001, \"class_name\": \"Network Activity\", \"metadata\": {\"profiles\": [\"security_control\"], \"product\": {\"name\": \"Zeek\", \"feature\": {\"name\": \"conn.log\"}, \"vendor_name\": \"Zeek\"}}, \"severity\": \"Informational\", \"severity_id\": 1, \"proposed_new_attributes\": {\"application_protocol\": \"dns\", \"bytes_missed\": 0, \"connection_history\": \"Dd\"}}",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "duration": 66851.85432434082,
+ "kind": "event",
+ "severity": 1,
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2020-06-05T14:39:59.305988Z",
+ "destination": {
+ "address": "192.168.4.1",
+ "ip": "192.168.4.1",
+ "port": 53
+ },
+ "ocsf": {
+ "class_name": "Network Activity",
+ "class_uid": 4001
+ },
+ "related": {
+ "ip": [
+ "192.168.4.1",
+ "192.168.4.76"
+ ]
+ },
+ "source": {
+ "address": "192.168.4.76",
+ "ip": "192.168.4.76",
+ "port": 36844
+ }
+ }
+
+ ```
+
+
+=== "test_network_activity_6.json"
+
+ ```json
+
+ {
+ "message": "{\"time\": 1598377391.921726, \"uuid\": \"CsukF91Bx9mrqdEaH9\", \"src_endpoint\": {\"ip\": \"192.168.4.49\", \"port\": 56718}, \"dst_endpoint\": {\"ip\": \"13.32.202.10\", \"port\": 443}, \"version\": \"TLSv12\", \"cipher\": \"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\", \"certificate\": \"secp256r1\", \"domain\": \"www.taosecurity.com\", \"certificate_chain\": [\"F2XEvj1CahhdhtfvT4\", \"FZ7ygD3ERPfEVVohG9\", \"F7vklpOKI4yX9wmvh\", \"FAnbnR32nIIr2j9XV\"], \"subject\": \"CN=www.taosecurity.com\", \"issuer\": \"CN=Amazon,OU=Server CA 1B,O=Amazon,C=US\", \"unmapped\": {\"next_protocol\": \"h2\", \"resumed\": false}, \"network_activity\": {\"status_id\": \"1\"}, \"category_uid\": 4, \"category_name\": \"Network Activity\", \"class_uid\": 4001, \"class_name\": \"Network Activity\", \"metadata\": {\"profiles\": [\"security_control\"], \"product\": {\"name\": \"Zeek\", \"feature\": {\"name\": \"ssl.log\"}, \"vendor_name\": \"Zeek\"}}, \"severity\": \"Informational\", \"severity_id\": 1}",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "kind": "event",
+ "severity": 1,
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2020-08-25T17:43:11.921726Z",
+ "destination": {
+ "address": "13.32.202.10",
+ "ip": "13.32.202.10",
+ "port": 443
+ },
+ "ocsf": {
+ "class_name": "Network Activity",
+ "class_uid": 4001
+ },
+ "related": {
+ "ip": [
+ "13.32.202.10",
+ "192.168.4.49"
+ ]
+ },
+ "source": {
+ "address": "192.168.4.49",
+ "ip": "192.168.4.49",
+ "port": 56718
+ },
+ "tls": {
+ "server": {
+ "certificate_chain": [
+ "F2XEvj1CahhdhtfvT4",
+ "F7vklpOKI4yX9wmvh",
+ "FAnbnR32nIIr2j9XV",
+ "FZ7ygD3ERPfEVVohG9"
+ ]
+ }
+ }
+ }
+
+ ```
+
+
+=== "test_process_activity_1.json"
+
+ ```json
+
+ {
+ "message": "{\"activity_id\": 1, \"activity_name\": \"Launch\", \"actor\": {\"process\": {\"file\": {\"name\": \"cmd.exe\", \"parent_folder\": \"C:\\\\Windows\\\\System32\", \"path\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 3948}, \"session\": {\"uid\": \"0x55E621\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"ATTACKRANGE\", \"name\": \"Administrator\", \"uid\": \"ATTACKRANGE\\\\Administrator\"}}, \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Process Activity\", \"class_uid\": 1007, \"device\": {\"hostname\": \"win-dc-725.attackrange.local\", \"os\": {\"name\": \"Windows\", \"type\": \"Windows\", \"type_id\": 100}, \"type\": \"Unknown\", \"type_id\": 0}, \"message\": \"A new process has been created.\", \"metadata\": {\"original_time\": \"03/12/2021 10:48:14 AM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"a47bd2fb-4da1-4378-8961-81f81f90aec2\", \"version\": \"1.0.0-rc.2\"}, \"process\": {\"cmd_line\": \"reg save HKLM\\\\system C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\system \", \"file\": {\"name\": \"reg.exe\", \"parent_folder\": \"C:\\\\Windows\\\\System32\", \"path\": \"C:\\\\Windows\\\\System32\\\\reg.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 4696, \"session\": {\"uid\": \"0x0\"}, \"user\": {\"domain\": \"-\", \"name\": \"-\", \"uid\": \"NULL SID\"}}, \"severity\": \"Informational\", \"severity_id\": 1, \"status\": \"Success\", \"status_id\": 1, \"time\": 1615564094000, \"type_name\": \"Process Activity: Launch\", \"type_uid\": 100701, \"unmapped\": {\"EventCode\": \"4688\", \"EventType\": \"0\", \"OpCode\": \"Info\", \"Process Information\": {\"Mandatory Label\": \"Mandatory Label\\\\High Mandatory Level\", \"Token Elevation Type\": \"%%1936\"}, \"RecordNumber\": \"257874\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Process Creation\"}}",
+ "event": {
+ "action": "launch",
+ "category": [
+ "process"
+ ],
+ "kind": "event",
+ "outcome": "success",
+ "reason": "A new process has been created.",
+ "severity": 1,
+ "type": [
+ "info",
+ "start"
+ ]
+ },
+ "@timestamp": "2021-03-12T15:48:14Z",
+ "file": {
+ "directory": "C:\\Windows\\System32",
+ "name": "reg.exe",
+ "path": "C:\\Windows\\System32\\reg.exe",
+ "type": "Regular File"
+ },
+ "host": {
+ "hostname": "win-dc-725.attackrange.local",
+ "name": "win-dc-725.attackrange.local",
+ "os": {
+ "name": "Windows",
+ "type": "Windows"
+ },
+ "type": "Unknown"
+ },
+ "ocsf": {
+ "activity_id": 1,
+ "activity_name": "Launch",
+ "class_name": "Process Activity",
+ "class_uid": 1007
+ },
+ "process": {
+ "command_line": "reg save HKLM\\system C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\system ",
+ "pid": 4696,
+ "user": {
+ "group": {
+ "id": [],
+ "name": []
+ },
+ "id": [
+ "NULL SID"
+ ]
+ }
+ },
+ "related": {
+ "hosts": [
+ "win-dc-725.attackrange.local"
+ ],
+ "user": [
+ "Administrator"
+ ]
+ },
+ "user": {
+ "domain": "ATTACKRANGE",
+ "group": {
+ "id": [],
+ "name": []
+ },
+ "id": "ATTACKRANGE\\Administrator",
+ "name": "Administrator"
+ }
+ }
+
+ ```
+
+
+=== "test_process_activity_2.json"
+
+ ```json
+
+ {
+ "message": "{\"activity_id\": 2, \"activity_name\": \"Terminate\", \"actor\": {\"process\": {\"file\": {\"name\": \"auditon.exe\", \"parent_folder\": \"C:\\\\Generate_Security_Events1\", \"path\": \"C:\\\\Generate_Security_Events1\\\\auditon.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 1524}, \"session\": {\"uid\": \"0x1806d9\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"LOGISTICS\", \"name\": \"Administrator\", \"uid\": \"S-1-5-21-1135140816-2109348461-2107143693-500\"}}, \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Process Activity\", \"class_uid\": 1007, \"device\": {\"hostname\": \"dcc1.Logistics.local\", \"os\": {\"name\": \"Windows\", \"type\": \"Windows\", \"type_id\": 100}, \"type\": \"Unknown\", \"type_id\": 0}, \"exit_code\": 0, \"message\": \"A process has exited.\", \"metadata\": {\"original_time\": \"09/05/2019 11:22:49 AM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"cc27b41c-94e0-48a9-8cc2-5a1598fb8d1f\", \"version\": \"1.0.0-rc.2\"}, \"process\": {\"file\": {\"name\": \"auditon.exe\", \"parent_folder\": \"C:\\\\Generate_Security_Events1\", \"path\": \"C:\\\\Generate_Security_Events1\\\\auditon.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 1524}, \"severity\": \"Informational\", \"severity_id\": 1, \"status\": \"Success\", \"status_id\": 1, \"time\": 1567696969000, \"type_name\": \"Process Activity: Terminate\", \"type_uid\": 100702, \"unmapped\": {\"EventCode\": \"4689\", \"EventType\": \"0\", \"OpCode\": \"Info\", \"RecordNumber\": \"6828379\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Process Termination\"}}",
+ "event": {
+ "action": "terminate",
+ "category": [
+ "process"
+ ],
+ "kind": "event",
+ "outcome": "success",
+ "reason": "A process has exited.",
+ "severity": 1,
+ "type": [
+ "end",
+ "info"
+ ]
+ },
+ "@timestamp": "2019-09-05T15:22:49Z",
+ "file": {
+ "directory": "C:\\Generate_Security_Events1",
+ "name": "auditon.exe",
+ "path": "C:\\Generate_Security_Events1\\auditon.exe",
+ "type": "Regular File"
+ },
+ "host": {
+ "hostname": "dcc1.Logistics.local",
+ "name": "dcc1.Logistics.local",
+ "os": {
+ "name": "Windows",
+ "type": "Windows"
+ },
+ "type": "Unknown"
+ },
+ "ocsf": {
+ "activity_id": 2,
+ "activity_name": "Terminate",
+ "class_name": "Process Activity",
+ "class_uid": 1007
+ },
+ "process": {
+ "exit_code": 0,
+ "pid": 1524
+ },
+ "related": {
+ "hosts": [
+ "dcc1.Logistics.local"
+ ],
+ "user": [
+ "Administrator"
+ ]
+ },
+ "user": {
+ "domain": "LOGISTICS",
+ "group": {
+ "id": [],
+ "name": []
+ },
+ "id": "S-1-5-21-1135140816-2109348461-2107143693-500",
+ "name": "Administrator"
+ }
+ }
+
+ ```
+
+
+=== "test_security_finding_1.json"
+
+ ```json
+
+ {
+ "message": "{\"activity_id\": 1, \"activity_name\": \"Generate\", \"category_name\": \"Findings\", \"category_uid\": 2, \"classname\": \"Security Finding\", \"class_uid\": 2001, \"finding\": {\"created_time\": 1672758699558, \"desc\": \"Linux Kernel Module injection using insmod detected (user=%user.name user_loginuid=%user.loginuid parent_process=%proc.pname module=%proc.args %container.info image=%container.image.repository:%container.image.tag)\", \"title\": \"Linux Kernel Module Injection Detected\", \"types\": [\"syscalls\"], \"uid\": \"ec834826-90c1-458a-8eec-a014e7266754\"}, \"message\": \"Linux Kernel Module Injection Detected\", \"metadata\": {\"version\": \"0.1.0\", \"product\": {\"vendor_name\": \"Falcosecurity\", \"name\": \"Falco\"}, \"labels\": [\"process\"]}, \"observables\": [{\"name\": \"hostname\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"host0.local\"}, {\"name\": \"proc.pname\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"proc.pname\"}, {\"name\": \"container.info\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"container.info\"}, {\"name\": \"proc.args\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"proc.args\"}, {\"name\": \"user.loginuid\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"user.loginuid\"}, {\"name\": \"user.name\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"user.name\"}, {\"name\": \"container.image.repository\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"container.image.repository\"}, {\"name\": \"container.image.tag\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"container.image.tag\"}], \"raw_data\": \"{\\\"uuid\\\":\\\"ec834826-90c1-458a-8eec-a014e7266754\\\",\\\"output\\\":\\\"Linux Kernel Module injection using insmod detected (user=%user.name user_loginuid=%user.loginuid parent_process=%proc.pname module=%proc.args %container.info image=%container.image.repository:%container.image.tag)\\\",\\\"priority\\\":\\\"Warning\\\",\\\"rule\\\":\\\"Linux Kernel Module Injection Detected\\\",\\\"time\\\":\\\"2023-01-03T15:11:39.558068644Z\\\",\\\"output_fields\\\":{\\\"akey\\\":\\\"AValue\\\",\\\"bkey\\\":\\\"BValue\\\",\\\"ckey\\\":\\\"CValue\\\",\\\"container.image.repository\\\":\\\"container.image.repository\\\",\\\"container.image.tag\\\":\\\"container.image.tag\\\",\\\"container.info\\\":\\\"container.info\\\",\\\"dkey\\\":\\\"bar\\\",\\\"proc.args\\\":\\\"proc.args\\\",\\\"proc.pname\\\":\\\"proc.pname\\\",\\\"user.loginuid\\\":\\\"user.loginuid\\\",\\\"user.name\\\":\\\"user.name\\\"},\\\"source\\\":\\\"syscalls\\\",\\\"tags\\\":[\\\"process\\\"],\\\"hostname\\\":\\\"host0.local\\\"}\", \"severity\": \"Medium\", \"severity_id\": 3, \"state\": \"New\", \"state_id\": 1, \"status\": \"Warning\", \"time\": 1672758699558, \"type_name\": \"Security Finding: Generate\", \"type_uid\": 200101}",
+ "event": {
+ "action": "generate",
+ "category": [],
+ "kind": "alert",
+ "reason": "Linux Kernel Module Injection Detected",
+ "severity": 3,
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2023-01-03T15:11:39.558000Z",
+ "ocsf": {
+ "activity_id": 1,
+ "activity_name": "Generate",
+ "class_uid": 2001
+ }
+ }
+
+ ```
+
+
+=== "test_security_finding_2.json"
+
+ ```json
+
+ {
+ "message": "{\"analytic\": {\"desc\": \"Custom Rule Engine\", \"name\": \"CRE\", \"relatedAnalytics\": [{\"category\": \"CRE_RULE\", \"name\": \"Network DoS Attack Detected\", \"type\": \"Rule\", \"typeId\": 1, \"uid\": \"100079\"}], \"type\": \"Rule\", \"typeId\": 1}, \"finding\": {\"uid\": \"591\", \"title\": \"BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt\\n\", \"created_time\": 1682347463218, \"desc\": \"BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt\\n\", \"first_seen_time\": 1682347463000, \"last_seen_time\": 1682781010000}, \"confidence_score\": 2, \"confidence\": \"Low\", \"confidence_id\": 2, \"data_sources\": [\"Snort @ wolverine\"], \"impact_score\": 0, \"impact\": \"Low\", \"impact_id\": 1, \"malware\": [{\"classification_ids\": [5], \"classifications\": [\"DDOS\"], \"name\": \"ICMP DoS\"}], \"risk_level\": \"High\", \"risk_level_id\": 3, \"risk_score\": 3, \"state\": \"In Progress\", \"state_id\": 2, \"activity_id\": 1, \"category_uid\": 2, \"class_uid\": 2001, \"time\": 1682347463218, \"message\": \"BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt\\n\", \"metadata\": {\"log_name\": \"Offense\", \"log_provider\": \"IBM QRadar\", \"original_time\": 1682347463218, \"product\": {\"lang\": \"en\", \"name\": \"QRadar SIEM\", \"version\": \"7.5.0\", \"vendor_name\": \"IBM\"}, \"version\": \"7.5.0\", \"modified_time\": 1682347469220}, \"activity_name\": \"Create\", \"category_name\": \"Findings\", \"class_name\": \"Security Finding\", \"count\": 2, \"end_time\": 1682781010000, \"enrichments\": [{\"name\": \"Magnitude\", \"provider\": \"Event Processor\", \"type\": \"score\", \"value\": \"3\"}, {\"name\": \"offense_type\", \"provider\": \"Event Processor\", \"type\": \"correlation\", \"value\": \"2\"}, {\"name\": \"offense_source\", \"provider\": \"Event Processor\", \"type\": \"correlation\", \"value\": \"BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt\"}, {\"name\": \"category_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"1\"}, {\"name\": \"device_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"1\"}, {\"name\": \"event_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"2\"}, {\"name\": \"flow_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"0\"}, {\"name\": \"policy_category_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"0\"}, {\"name\": \"remote_destination_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"0\"}, {\"name\": \"local_destination_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"2\"}, {\"name\": \"security_category_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"1\"}, {\"name\": \"source_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"1\"}, {\"name\": \"user_name_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"0\"}, {\"name\": \"domain_id\", \"provider\": \"Event Processor\", \"type\": \"correlation\", \"value\": \"0\"}, {\"name\": \"source_network\", \"provider\": \"Event Processor\", \"type\": \"network\", \"value\": \"Net-99-99-99.Net_99_0_0_0\"}, {\"name\": \"destination_network\", \"provider\": \"Event Processor\", \"type\": \"network\", \"value\": \"Net-88-88-88.Net_88_88_0_0\"}, {\"name\": \"destination_network\", \"provider\": \"Event Processor\", \"type\": \"network\", \"value\": \"Net-77-77-77.Net_77_0_0_0\"}], \"observables\": [{\"name\": \"log_source_id\", \"type\": \"Other\", \"type_id\": 99, \"value\": \"112\"}, {\"name\": \"log_source_name\", \"type\": \"Other\", \"type_id\": 99, \"value\": \"Snort @ wolverine\"}, {\"name\": \"log_source_type_id\", \"type\": \"Other\", \"type_id\": 99, \"value\": \"2\"}, {\"name\": \"log_source_type_name\", \"type\": \"Other\", \"type_id\": 99, \"value\": \"Snort\"}, {\"name\": \"assigned_to\", \"type\": \"User\", \"type_id\": 21, \"value\": \"SomeUser\"}, {\"name\": \"low_level_category\", \"type\": \"Other\", \"type_id\": 99, \"value\": \"ICMP DoS\"}, {\"name\": \"source_address\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"99.99.99.99\"}, {\"name\": \"local_destination_address\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"88.88.88.88\"}, {\"name\": \"local_destination_address\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"77.77.77.77\"}], \"status_code\": \"OPEN\"}",
+ "event": {
+ "action": "create",
+ "category": [
+ "malware"
+ ],
+ "end": "2023-04-29T15:10:10Z",
+ "kind": "alert",
+ "provider": "IBM QRadar",
+ "reason": "BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt\n",
+ "risk_score": 3,
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2023-04-24T14:44:23.218000Z",
+ "ocsf": {
+ "activity_id": 1,
+ "activity_name": "Create",
+ "class_name": "Security Finding",
+ "class_uid": 2001
+ },
+ "vulnerability": {
+ "category": [
+ "DDOS"
+ ]
+ }
+ }
+
+ ```
+
+
+=== "test_security_finding_3.json"
+
+ ```json
+
+ {
+ "message": "{\"activity_id\": 1, \"malware\": [{\"classification_ids\": [-1], \"classifications\": [\"Potentially vulnerable application\"], \"name\": \"pva.torrent.openinternet\", \"provider\": \"SecurityScorecard\", \"uid\": \"pva.torrent.openinternet_9d153be3-a48e-4498-b476-18c2a847d214\"}], \"activity_name\": \"Generate\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Security Finding\", \"class_uid\": 2001, \"confidence\": 100, \"data\": \"{\\\"body_bytes_sent\\\":\\\"-\\\",\\\"enc_host\\\":\\\"open-internet.nl\\\",\\\"enc_raw_header\\\":\\\"-\\\",\\\"enc_request\\\":\\\"SOCKET_UDP%20%2F\\\",\\\"enc_request_body\\\":\\\"AAAEFycQGYAAAAAAiWPgag==\\\",\\\"family\\\":\\\"pva.torrent.openinternet\\\",\\\"field_1\\\":\\\"2022-06-27T01:37:06.385325 version_5\\\",\\\"remote_addr\\\":\\\"1.183.190.110\\\",\\\"remote_port\\\":\\\"2048\\\",\\\"remote_user\\\":\\\"-\\\", \\\"status\\\":\\\"200\\\",\\\"time_local\\\":\\\"2022-06-27T01:36:21.515207\\\"}\", \"message\": \"Potentially vulnerable application infection detected on IP address 1.183.190.110 by Malware DNS sinkhole on communication domain for sinkholed domain open-internet.nl\", \"severity\": \"Informational \", \"severity_id\": 1, \"status\": \"Not applicable, static security finding from global threat intelligence monitoring\", \"status_id\": -1, \"state\": \"New\", \"state_id\": 1, \"time\": 1668535199945, \"timezone_offset\": 0, \"type_name\": \"Security Finding: Generate\", \"type_uid\": 200101, \"metadata\": {\"logged_time\": 1668535199945, \"original_time\": \"2022-11-15T17:59:59.945Z\", \"labels\": [\"infected_device\"], \"product\": {\"lang\": \"en\", \"name\": \"SecurityScorecard Attack Surface Intelligence\", \"uid\": \"ssc_asi\", \"feature\": {\"uid\": \"ssc_malware_dns_sinkhole\", \"name\": \"SecurityScorecard Malware DNS Sinkhole collection system\"}, \"vendor_name\": \"SecurityScorecard\"}, \"version\": \"1.0.0\", \"profiles\": [\"malware\", \"reputation\"]}, \"resources\": [{\"group_name\": \"infected_device\", \"name\": \"IPv4 address 1.183.190.110 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs\", \"owner\": \"chinatelecom.cn\", \"uid\": \"1.183.190.110\"}], \"observables\": [{\"name\": \"infected_device.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"1.183.190.110\"}, {\"name\": \"infection.category\", \"type\": \"Category of infection on infected device\", \"type_id\": -1, \"value\": \"Potentially vulnerable application\"}, {\"name\": \"infected_device.malware_hostname\", \"type\": \"Hostname\", \"type_id\": 1, \"value\": \"open-internet.nl\"}, {\"name\": \"infection.family\", \"type\": \"Malware, adware, or PUA/PVA family name\", \"type_id\": -1, \"value\": \"pva.torrent.openinternet\"}, {\"name\": \"infected_device.source_port\", \"type\": \"Client-side port making connection to the infection communication domain\", \"type_id\": -1, \"value\": \"2048\"}, {\"name\": \"infected_device.geo_location\", \"type\": \"Geo Location\", \"type_id\": 26, \"value\": \"Bieligutai, China\"}], \"finding\": {\"title\": \"Infection found on 1.183.190.110\", \"uid\": \"2b7908d7-4b72-4f65-afa0-09bdaea46ae3\", \"types\": [\"malware_infection\", \"infected_device\", \"pva.torrent.openinternet\"], \"src_url\": \"https://platform.securityscorecard.io/#/asi/details/1.183.190.110\", \"remediation\": {\"desc\": \"If this IP address is tied to your network via any observables attached to this event, take immediate steps to find the related device on your network and remove the infection seen from external threat intelligence\", \"kb_articles\": [\"https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K\", \"https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings\"]}, \"product_uid\": \"ssc_malware_dns_sinkhole\", \"last_seen_time\": 1668535199945, \"desc\": \"Potentially vulnerable application infection detected on IP address 1.183.190.110 communicating with Command-and-Control domain open-internet.nl\"}}",
+ "event": {
+ "action": "generate",
+ "category": [
+ "malware"
+ ],
+ "kind": "alert",
+ "reason": "Infection found on 1.183.190.110",
+ "reference": "https://platform.securityscorecard.io/#/asi/details/1.183.190.110",
+ "severity": 1,
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2022-11-15T17:59:59.945000Z",
+ "ocsf": {
+ "activity_id": 1,
+ "activity_name": "Generate",
+ "class_name": "Security Finding",
+ "class_uid": 2001
+ },
+ "vulnerability": {
+ "category": [
+ "Potentially vulnerable application"
+ ]
+ }
+ }
+
+ ```
+
+
+=== "test_security_finding_4.json"
+
+ ```json
+
+ {
+ "message": "{\"activity_id\": 1, \"malware\": [{\"classification_ids\": [-1], \"classifications\": [\"Potentially vulnerable application\"], \"name\": \"pva.torrent.openinternet\", \"provider\": \"SecurityScorecard\", \"uid\": \"pva.torrent.openinternet_e1472f25-0d2d-4b88-aac9-b7bd439218f5\"}], \"activity_name\": \"Generate\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Security Finding\", \"class_uid\": 2001, \"confidence\": 100, \"data\": \"{\\\"body_bytes_sent\\\":\\\"-\\\",\\\"enc_host\\\":\\\"open-internet.nl\\\",\\\"enc_raw_header\\\":\\\"-\\\",\\\"enc_request\\\":\\\"SOCKET_UDP%20%2F\\\",\\\"enc_request_body\\\":\\\"AAAEFycQGYAAAAAAtdIQjw==\\\",\\\"family\\\":\\\"pva.torrent.openinternet\\\",\\\"field_1\\\":\\\"2022-06-04T10:35:07.143255 version_5\\\",\\\"remote_addr\\\":\\\"59.11.81.231\\\",\\\"remote_port\\\":\\\"6927\\\",\\\"remote_user\\\":\\\"-\\\", \\\"status\\\":\\\"200\\\",\\\"time_local\\\":\\\"2022-06-04T10:34:45.835005\\\"}\", \"message\": \"Potentially vulnerable application infection detected on IP address 59.11.81.231 by Malware DNS sinkhole on communication domain for sinkholed domain \", \"severity\": \"Informational \", \"severity_id\": 1, \"status\": \"Not applicable, static security finding from global threat intelligence monitoring\", \"status_id\": -1, \"state\": \"New\", \"state_id\": 1, \"time\": 1668535199946, \"timezone_offset\": 0, \"type_name\": \"Security Finding: Generate\", \"type_uid\": 200101, \"metadata\": {\"logged_time\": 1668535199946, \"original_time\": \"2022-11-15T17:59:59.946Z\", \"labels\": [\"infected_device\"], \"product\": {\"lang\": \"en\", \"name\": \"SecurityScorecard Attack Surface Intelligence\", \"uid\": \"ssc_asi\", \"feature\": {\"uid\": \"ssc_malware_dns_sinkhole\", \"name\": \"SecurityScorecard Malware DNS Sinkhole collection system\"}, \"vendor_name\": \"SecurityScorecard\"}, \"version\": \"1.0.0\", \"profiles\": [\"malware\", \"reputation\"]}, \"resources\": [{\"group_name\": \"infected_device\", \"name\": \"IPv4 address 59.11.81.231 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs\", \"owner\": \"krnic.or.kr\", \"uid\": \"59.11.81.231\"}], \"observables\": [{\"name\": \"infected_device.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"59.11.81.231\"}, {\"name\": \"infection.category\", \"type\": \"Category of infection on infected device\", \"type_id\": -1, \"value\": \"Potentially vulnerable application\"}, {\"name\": \"infected_device.malware_hostname\", \"type\": \"Hostname\", \"type_id\": 1, \"value\": null}, {\"name\": \"infection.family\", \"type\": \"Malware, adware, or PUA/PVA family name\", \"type_id\": -1, \"value\": \"pva.torrent.openinternet\"}, {\"name\": \"infected_device.source_port\", \"type\": \"Client-side port making connection to the infection communication domain\", \"type_id\": -1, \"value\": \"6927\"}, {\"name\": \"infected_device.geo_location\", \"type\": \"Geo Location\", \"type_id\": 26, \"value\": \"Seongnam-si (Buljeong-ro), Korea, Republic of\"}], \"finding\": {\"title\": \"Infection found on 59.11.81.231\", \"uid\": \"45521c66-6498-442d-ad9b-40da9f0e9236\", \"types\": [\"malware_infection\", \"infected_device\", \"pva.torrent.openinternet\"], \"src_url\": \"https://platform.securityscorecard.io/#/asi/details/59.11.81.231\", \"remediation\": {\"desc\": \"If this IP address is tied to your network via any observables attached to this event, take immediate steps to find the related device on your network and remove the infection seen from external threat intelligence\", \"kb_articles\": [\"https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K\", \"https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings\"]}, \"product_uid\": \"ssc_malware_dns_sinkhole\", \"last_seen_time\": 1668535199947, \"desc\": \"Potentially vulnerable application infection detected on IP address 59.11.81.231 communicating with Command-and-Control domain \"}}",
+ "event": {
+ "action": "generate",
+ "category": [
+ "malware"
+ ],
+ "kind": "alert",
+ "reason": "Infection found on 59.11.81.231",
+ "reference": "https://platform.securityscorecard.io/#/asi/details/59.11.81.231",
+ "severity": 1,
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2022-11-15T17:59:59.946000Z",
+ "ocsf": {
+ "activity_id": 1,
+ "activity_name": "Generate",
+ "class_name": "Security Finding",
+ "class_uid": 2001
+ },
+ "vulnerability": {
+ "category": [
+ "Potentially vulnerable application"
+ ]
+ }
+ }
+
+ ```
+
+
+=== "test_security_finding_5.json"
+
+ ```json
+
+ {
+ "message": "{\"activity_id\": 1, \"malware\": [{\"classification_ids\": [-1], \"classifications\": [\"Potentially vulnerable application\"], \"name\": \"pva.torrent.kickasstracker\", \"provider\": \"SecurityScorecard\", \"uid\": \"pva.torrent.kickasstracker_d605642d-9f8b-46ed-bb19-882ffc34a8f4\"}], \"activity_name\": \"Generate\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Security Finding\", \"class_uid\": 2001, \"confidence\": 100, \"data\": \"{\\\"body_bytes_sent\\\":\\\"152\\\",\\\"enc_host\\\":\\\"open.kickasstracker.com\\\",\\\"enc_raw_header\\\":\\\"R0VUIC9zY3JhcGU/aW5mb19oYXNoPSUwMiUyNSVkYiVmMiVmZlElZWVLJTNmJWMxJTI4MW8lMGMlMDklYWElODN4JWVlJTk5IEhUVFAvMS4xDQpVc2VyLUFnZW50OiBUcmFuc21pc3Npb24vMi44NA0KSG9zdDogb3Blbi5raWNrYXNzdHJhY2tlci5jb20NCkFjY2VwdDogKi8qDQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXA7cT0xLjAsIGRlZmxhdGUsIGlkZW50aXR5DQoNCg==\\\",\\\"enc_request\\\":\\\"GET%20%2Fscrape%3Finfo_hash%3D%2502%2525%25db%25f2%25ffQ%25eeK%253f%25c1%25281o%250c%2509%25aa%2583x%25ee%2599%20HTTP%2F1.1\\\",\\\"enc_request_body\\\":\\\"\\\",\\\"family\\\":\\\"pva.torrent.kickasstracker\\\",\\\"field_1\\\":\\\"2022-09-30T21:26:09.028507 version_5\\\",\\\"remote_addr\\\":\\\"190.109.227.80\\\",\\\"remote_port\\\":\\\"21886\\\",\\\"remote_user\\\":\\\"-\\\", \\\"status\\\":\\\"404\\\",\\\"time_local\\\":\\\"2022-09-30T21:25:21+00:00\\\"}\", \"message\": \"Potentially vulnerable application infection detected on IP address 190.109.227.80 by Malware DNS sinkhole on communication domain for sinkholed domain open.kickasstracker.com\", \"severity\": \"Informational \", \"severity_id\": 1, \"status\": \"Not applicable, static security finding from global threat intelligence monitoring\", \"status_id\": -1, \"state\": \"New\", \"state_id\": 1, \"time\": 1668535199947, \"timezone_offset\": 0, \"type_name\": \"Security Finding: Generate\", \"type_uid\": 200101, \"metadata\": {\"logged_time\": 1668535199947, \"original_time\": \"2022-11-15T17:59:59.947Z\", \"labels\": [\"infected_device\"], \"product\": {\"lang\": \"en\", \"name\": \"SecurityScorecard Attack Surface Intelligence\", \"uid\": \"ssc_asi\", \"feature\": {\"uid\": \"ssc_malware_dns_sinkhole\", \"name\": \"SecurityScorecard Malware DNS Sinkhole collection system\"}, \"vendor_name\": \"SecurityScorecard\"}, \"version\": \"1.0.0\", \"profiles\": [\"malware\", \"reputation\"]}, \"resources\": [{\"group_name\": \"infected_device\", \"name\": \"IPv4 address 190.109.227.80 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs\", \"owner\": \"cotel.bo\", \"uid\": \"190.109.227.80\"}], \"observables\": [{\"name\": \"infected_device.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"190.109.227.80\"}, {\"name\": \"infection.category\", \"type\": \"Category of infection on infected device\", \"type_id\": -1, \"value\": \"Potentially vulnerable application\"}, {\"name\": \"infected_device.malware_hostname\", \"type\": \"Hostname\", \"type_id\": 1, \"value\": \"open.kickasstracker.com\"}, {\"name\": \"infection.family\", \"type\": \"Malware, adware, or PUA/PVA family name\", \"type_id\": -1, \"value\": \"pva.torrent.kickasstracker\"}, {\"name\": \"infected_device.source_port\", \"type\": \"Client-side port making connection to the infection communication domain\", \"type_id\": -1, \"value\": \"21886\"}, {\"name\": \"infected_device.geo_location\", \"type\": \"Geo Location\", \"type_id\": 26, \"value\": \"La Paz (Macrodistrito Centro), Bolivia, Plurinational State of\"}], \"finding\": {\"title\": \"Infection found on 190.109.227.80\", \"uid\": \"8f91e92d-b75c-4d55-a6a2-c9f611cdea28\", \"types\": [\"malware_infection\", \"infected_device\", \"pva.torrent.kickasstracker\"], \"src_url\": \"https://platform.securityscorecard.io/#/asi/details/190.109.227.80\", \"remediation\": {\"desc\": \"If this IP address is tied to your network via any observables attached to this event, take immediate steps to find the related device on your network and remove the infection seen from external threat intelligence\", \"kb_articles\": [\"https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K\", \"https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings\"]}, \"product_uid\": \"ssc_malware_dns_sinkhole\", \"last_seen_time\": 1668535199948, \"desc\": \"Potentially vulnerable application infection detected on IP address 190.109.227.80 communicating with Command-and-Control domain open.kickasstracker.com\"}}",
+ "event": {
+ "action": "generate",
+ "category": [
+ "malware"
+ ],
+ "kind": "alert",
+ "reason": "Infection found on 190.109.227.80",
+ "reference": "https://platform.securityscorecard.io/#/asi/details/190.109.227.80",
+ "severity": 1,
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2022-11-15T17:59:59.947000Z",
+ "ocsf": {
+ "activity_id": 1,
+ "activity_name": "Generate",
+ "class_name": "Security Finding",
+ "class_uid": 2001
+ },
+ "vulnerability": {
+ "category": [
+ "Potentially vulnerable application"
+ ]
+ }
+ }
+
+ ```
+
+
+=== "test_security_finding_6.json"
+
+ ```json
+
+ {
+ "message": "{\"activity_id\": 1, \"malware\": [{\"classification_ids\": [-1], \"classifications\": [\"Adware\"], \"name\": \"adware.android.imp\", \"provider\": \"SecurityScorecard\", \"uid\": \"adware.android.imp_7cd5cf7b-4c99-406c-ad46-621487394fba\"}], \"activity_name\": \"Generate\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Security Finding\", \"class_uid\": 2001, \"confidence\": 100, \"data\": \"{\\\"body_bytes_sent\\\":\\\"152\\\",\\\"enc_host\\\":\\\"x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com\\\",\\\"enc_raw_header\\\":\\\"UE9TVCAvYXVjdGlvbi9pbml0IEhUVFAvMS4xDQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtcHJvdG9idWYNCkFjY2VwdC1FbmNvZGluZzogZ3ppcA0KQ29udGVudC1FbmNvZGluZzogZ3ppcA0KVXNlci1BZ2VudDogRGFsdmlrLzIuMS4wIChMaW51eDsgVTsgQW5kcm9pZCAxMTsgU00tQTIwN0YgQnVpbGQvUlAxQS4yMDA3MjAuMDEyKQ0KSG9zdDogeC1ldS41OGRhYzE2ZTdiMmM4NmMxOWNmZTQ4OTE0YTZlOGZjZGFjOWFlMDZmZTVjZjUzMzY5YmVhYTQ1Yi5jb20NCkNvbm5lY3Rpb246IEtlZXAtQWxpdmUNCkNvbnRlbnQtTGVuZ3RoOiAzMDMNCg0K\\\",\\\"enc_request\\\":\\\"POST%20%2Fauction%2Finit%20HTTP%2F1.1\\\",\\\"enc_request_body\\\":\\\"H4sIAAAAAAAAAK3PzUoDMRQFYEhbSwNSnI1lljKrgYQkzd+47MqNIIg/u3qTTHCUzshMacFHEHwGwbUPaStVQTcu3F3uOXxwcI8X02TsmwWFdUehDm1ThQk6QpznvZs3JPCsCqfgb6u6PB5wWlA9y0oLzjGvCHPGE+kgEif05iq5YVZZkEye9M+Qy6LVLETpiXfOEilAE2sUJ9EIr4WCGKfibqSoVJQRrttMhKijLhjxQhsijSo29NSS4IOSDJRRzDy+IvyC8H5dLtdNe9/Nqzo2yTMSTwhf55c4wcNdlAzTwaKFKuAUj3e/+apsu6qptxnb7LE4w4efGQR4WJbtV2eUDj82U46v8gt88C3vpf0VdMt/gC/y8x9wvYUnv+FB2uOU/Y19BzRbkezaAQAA\\\",\\\"family\\\":\\\"adware.android.imp\\\",\\\"field_1\\\":\\\"2022-09-23T16:20:10.540428 version_5\\\",\\\"remote_addr\\\":\\\"38.7.186.198\\\",\\\"remote_port\\\":\\\"59750\\\",\\\"remote_user\\\":\\\"-\\\",\\\"status\\\":\\\"404\\\",\\\"time_local\\\":\\\"2022-09-23T16:19:38+00:00\\\"}\", \"message\": \"Adware infection detected on IP address 38.7.186.198 by Malware DNS sinkhole on communication domain for sinkholed domain x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com\", \"severity\": \"Informational \", \"severity_id\": 1, \"status\": \"Not applicable, static security finding from global threat intelligence monitoring\", \"status_id\": -1, \"state\": \"New\", \"state_id\": 1, \"time\": 1668535199948, \"timezone_offset\": 0, \"type_name\": \"Security Finding: Generate\", \"type_uid\": 200101, \"metadata\": {\"logged_time\": 1668535199948, \"original_time\": \"2022-11-15T17:59:59.948Z\", \"labels\": [\"infected_device\"], \"product\": {\"lang\": \"en\", \"name\": \"SecurityScorecard Attack Surface Intelligence\", \"uid\": \"ssc_asi\", \"feature\": {\"uid\": \"ssc_malware_dns_sinkhole\", \"name\": \"SecurityScorecard Malware DNS Sinkhole collection system\"}, \"vendor_name\": \"SecurityScorecard\"}, \"version\": \"1.0.0\", \"profiles\": [\"malware\", \"reputation\"]}, \"resources\": [{\"group_name\": \"infected_device\", \"name\": \"IPv4 address 38.7.186.198 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs\", \"owner\": \"emix.net.ae\", \"uid\": \"38.7.186.198\"}], \"observables\": [{\"name\": \"infected_device.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"38.7.186.198\"}, {\"name\": \"infection.category\", \"type\": \"Category of infection on infected device\", \"type_id\": -1, \"value\": \"Adware\"}, {\"name\": \"infected_device.malware_hostname\", \"type\": \"Hostname\", \"type_id\": 1, \"value\": \"x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com\"}, {\"name\": \"infection.family\", \"type\": \"Malware, adware, or PUA/PVA family name\", \"type_id\": -1, \"value\": \"adware.android.imp\"}, {\"name\": \"infected_device.source_port\", \"type\": \"Client-side port making connection to the infection communication domain\", \"type_id\": -1, \"value\": \"59750\"}, {\"name\": \"infected_device.geo_location\", \"type\": \"Geo Location\", \"type_id\": 26, \"value\": \"Karachi (Sector Five F), Pakistan\"}], \"finding\": {\"title\": \"Infection found on 38.7.186.198\", \"uid\": \"26c7c83d-0aad-411b-88ee-52343ff22064\", \"types\": [\"malware_infection\", \"infected_device\", \"adware.android.imp\"], \"src_url\": \"https://platform.securityscorecard.io/#/asi/details/38.7.186.198\", \"remediation\": {\"desc\": \"If this IP address is tied to your network via any observables attached to this event, take immediate steps to find the related device on your network and remove the infection seen from external threat intelligence\", \"kb_articles\": [\"https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K\", \"https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings\"]}, \"product_uid\": \"ssc_malware_dns_sinkhole\", \"last_seen_time\": 1668535199948, \"desc\": \"Adware infection detected on IP address 38.7.186.198 communicating with Command-and-Control domain x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com\"}}",
+ "event": {
+ "action": "generate",
+ "category": [
+ "malware"
+ ],
+ "kind": "alert",
+ "reason": "Infection found on 38.7.186.198",
+ "reference": "https://platform.securityscorecard.io/#/asi/details/38.7.186.198",
+ "severity": 1,
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2022-11-15T17:59:59.948000Z",
+ "ocsf": {
+ "activity_id": 1,
+ "activity_name": "Generate",
+ "class_name": "Security Finding",
+ "class_uid": 2001
+ },
+ "vulnerability": {
+ "category": [
+ "Adware"
+ ]
+ }
+ }
+
+ ```
+
+
+=== "test_system_activity_1.json"
+
+ ```json
+
+ {
+ "message": "{\"activity_id\": 99, \"actor\": {\"process\": {\"file\": {\"name\": \"lsass.exe\", \"parent_folder\": \"C:\\\\Windows\\\\System32\", \"path\": \"C:\\\\Windows\\\\System32\\\\lsass.exe\", \"type_id\": 1}, \"pid\": 492}, \"session\": {\"uid\": \"0x3e7\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"DIR\", \"name\": \"STLDIRDC1$\", \"uid\": \"NT AUTHORITY\\\\SYSTEM\"}}, \"category_uid\": 1, \"class_uid\": 1010, \"device\": {\"hostname\": \"STLDIRDC1.dir.solutia.com\", \"os\": {\"name\": \"Windows\", \"type_id\": 100}, \"type_id\": 0}, \"message\": \"A handle to an object was requested.\", \"metadata\": {\"original_time\": \"01/09/2019 12:46:00 AM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"d9e6a7b1-3177-4542-8de1-bfd582f87727\", \"version\": \"1.0.0-rc.2\"}, \"severity_id\": 1, \"status_id\": 1, \"time\": 1547012760000, \"unmapped\": {\"Access Request Information\": {\"Access Mask\": \"0x2d\", \"Accesses\": [\"DELETE\", \"READ_CONTROL\", \"WRITE_DAC\", \"WRITE_OWNER\", \"ReadPasswordParameters\", \"WritePasswordParameters\", \"ReadOtherParameters\", \"WriteOtherParameters\", \"CreateUser\", \"CreateGlobalGroup\", \"CreateLocalGroup\", \"GetLocalGroupMembership\", \"ListAccounts\"], \"Privileges Used for Access Check\": \"\\u01ff\\\\x0F-\", \"Properties\": [\"---\", \"domain\", \"DELETE\", \"READ_CONTROL\", \"WRITE_DAC\", \"WRITE_OWNER\", \"ReadPasswordParameters\", \"WritePasswordParameters\", \"ReadOtherParameters\", \"WriteOtherParameters\", \"CreateUser\", \"CreateGlobalGroup\", \"CreateLocalGroup\", \"GetLocalGroupMembership\", \"ListAccounts\", \"Domain Password & Lockout Policies\", \"lockOutObservationWindow\", \"lockoutDuration\", \"lockoutThreshold\", \"maxPwdAge\", \"minPwdAge\", \"minPwdLength\", \"pwdHistoryLength\", \"pwdProperties\", \"Other Domain Parameters (for use by SAM)\", \"serverState\", \"serverRole\", \"modifiedCount\", \"uASCompat\", \"forceLogoff\", \"domainReplica\", \"oEMInformation\", \"Domain Administer Server\"], \"Restricted SID Count\": \"0\", \"Transaction ID\": \"{00000000-0000-0000-0000-000000000000}\"}, \"EventCode\": \"4661\", \"EventType\": \"0\", \"Object\": {\"Object Server\": \"Security Account Manager\"}, \"OpCode\": \"Info\", \"RecordNumber\": \"3166250565\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"SAM\"}, \"win_resource\": {\"name\": \"DC=dir,DC=solutia,DC=com\", \"type_id\": 36, \"uid\": \"0x7f79620\"}}",
+ "event": {
+ "category": [],
+ "outcome": "success",
+ "reason": "A handle to an object was requested.",
+ "severity": 1,
+ "type": []
+ },
+ "@timestamp": "2019-01-09T05:46:00Z",
+ "file": {
+ "directory": "C:\\Windows\\System32",
+ "name": "lsass.exe",
+ "path": "C:\\Windows\\System32\\lsass.exe"
+ },
+ "host": {
+ "hostname": "STLDIRDC1.dir.solutia.com",
+ "name": "STLDIRDC1.dir.solutia.com",
+ "os": {
+ "name": "Windows"
+ }
+ },
+ "ocsf": {
+ "activity_id": 99,
+ "class_uid": 1010
+ },
+ "process": {
+ "pid": 492
+ },
+ "related": {
+ "hosts": [
+ "STLDIRDC1.dir.solutia.com"
+ ],
+ "user": [
+ "STLDIRDC1$"
+ ]
+ },
+ "user": {
+ "domain": "DIR",
+ "group": {
+ "id": [],
+ "name": []
+ },
+ "id": "NT AUTHORITY\\SYSTEM",
+ "name": "STLDIRDC1$"
+ }
+ }
+
+ ```
+
+
+=== "test_system_activity_2.json"
+
+ ```json
+
+ {
+ "message": "{\"activity_id\": 1, \"actor\": {\"process\": {\"file\": {\"name\": \"explorer.exe\", \"parent_folder\": \"C:\\\\Windows\", \"path\": \"C:\\\\Windows\\\\explorer.exe\", \"type_id\": 1}, \"pid\": 1704}, \"session\": {\"uid\": \"0xDE9AD8\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"SESTEST\", \"name\": \"splunker\", \"uid\": \"SESTEST\\\\splunker\"}}, \"category_uid\": 1, \"class_uid\": 1010, \"device\": {\"hostname\": \"SesWin2019DC1.SesTest.local\", \"os\": {\"name\": \"Windows\", \"type_id\": 100}, \"type_id\": 0}, \"message\": \"A privileged service was called.\", \"metadata\": {\"original_time\": \"01/28/2022 04:12:19 PM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"995559a6-1921-463f-93e1-9c5ca932dc8c\", \"version\": \"1.0.0-rc.2\"}, \"severity_id\": 1, \"status_id\": 2, \"time\": 1643404339000, \"unmapped\": {\"EventCode\": \"4673\", \"EventType\": \"0\", \"OpCode\": \"Info\", \"RecordNumber\": \"374060\", \"Service Request Information\": {\"Privileges\": \"SeTcbPrivilege\"}, \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Sensitive Privilege Use\"}, \"win_resource\": {\"name\": \"-\", \"type\": \"Security\", \"type_id\": 0}}",
+ "event": {
+ "category": [],
+ "outcome": "failure",
+ "reason": "A privileged service was called.",
+ "severity": 1,
+ "type": []
+ },
+ "@timestamp": "2022-01-28T21:12:19Z",
+ "file": {
+ "directory": "C:\\Windows",
+ "name": "explorer.exe",
+ "path": "C:\\Windows\\explorer.exe"
+ },
+ "host": {
+ "hostname": "SesWin2019DC1.SesTest.local",
+ "name": "SesWin2019DC1.SesTest.local",
+ "os": {
+ "name": "Windows"
+ }
+ },
+ "ocsf": {
+ "activity_id": 1,
+ "class_uid": 1010
+ },
+ "process": {
+ "pid": 1704
+ },
+ "related": {
+ "hosts": [
+ "SesWin2019DC1.SesTest.local"
+ ],
+ "user": [
+ "splunker"
+ ]
+ },
+ "user": {
+ "domain": "SESTEST",
+ "group": {
+ "id": [],
+ "name": []
+ },
+ "id": "SESTEST\\splunker",
+ "name": "splunker"
+ }
+ }
+
+ ```
+
+
+=== "test_vulnerability_finding_1.json"
+
+ ```json
+
+ {
+ "message": "{\"activity_id\": 2, \"activity_name\": \"Update\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Vulnerability Finding\", \"class_uid\": 2002, \"cloud\": {\"account\": {\"uid\": \"111111111111\"}, \"provider\": \"AWS\", \"region\": \"us-east-2\"}, \"finding_info\": {\"created_time_dt\": \"2023-04-21T11:59:04.000-04:00\", \"desc\": \"Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM\\nplatform contains a bug that could cause it to read past the input buffer,\\nleading to a crash.\\n\\nImpact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM\\nplatform can crash in rare circumstances. The AES-XTS algorithm is usually\\nused for disk encryption.\\n\\nThe AES-XTS cipher decryption implementation for 64 bit ARM platform will read\\npast the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16\\nbyte blocks, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext\\nbuffer is unmapped, this will trigger a crash which results in a denial of\\nservice.\\n\\nIf an attacker can control the size and location of the ciphertext buffer\\nbeing decrypted by an application using AES-XTS on 64 bit ARM, the\\napplication is affected. This is fairly unlikely making this issue\\na Low severity one.\", \"first_seen_time_dt\": \"2023-04-21T11:59:04.000-04:00\", \"last_seen_time_dt\": \"2024-01-26T17:19:14.000-05:00\", \"modified_time_dt\": \"2024-01-26T17:19:14.000-05:00\", \"title\": \"CVE-2023-1255 - openssl\", \"types\": [\"Software and Configuration Checks/Vulnerabilities/CVE\"], \"uid\": \"arn:aws:inspector2:us-east-2:111111111111:finding/faa0d54609b94871badcc83ac7c2add5\"}, \"metadata\": {\"log_version\": \"2018-10-08\", \"processed_time_dt\": \"2024-01-26T17:59:56.923-05:00\", \"product\": {\"feature\": {\"uid\": \"AWSInspector\"}, \"name\": \"Inspector\", \"uid\": \"arn:aws:securityhub:us-east-2::product/aws/inspector\", \"vendor_name\": \"Amazon\", \"version\": \"2\"}, \"profiles\": [\"cloud\", \"datetime\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"resource.uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"arn:aws:ecr:us-east-2:111111111111:repository/browserhostingstack-EXAMPLE-btb1o54yh1jr/sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8\"}], \"resource\": {\"cloud_partition\": \"aws\", \"data\": \"{\\\"AwsEcrContainerImage\\\":{\\\"Architecture\\\":\\\"amd64\\\",\\\"ImageDigest\\\":\\\"sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8\\\",\\\"ImagePublishedAt\\\":\\\"2023-04-11T21:07:55Z\\\",\\\"RegistryId\\\":\\\"111111111111\\\",\\\"RepositoryName\\\":\\\"browserhostingstack-EXAMPLE-btb1o54yh1jr\\\"}}\", \"region\": \"us-east-2\", \"type\": \"AwsEcrContainerImage\", \"uid\": \"arn:aws:ecr:us-east-2:111111111111:repository/browserhostingstack-EXAMPLE-btb1o54yh1jr/sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8\"}, \"severity\": \"Medium\", \"severity_id\": 3, \"status\": \"New\", \"time\": 1706307554000, \"time_dt\": \"2024-01-26T17:19:14.000-05:00\", \"type_name\": \"Vulnerability Finding: Update\", \"type_uid\": 200202, \"unmapped\": {\"FindingProviderFields.Severity.Label\": \"MEDIUM\", \"FindingProviderFields.Types[]\": \"Software and Configuration Checks/Vulnerabilities/CVE\", \"ProductFields.aws/inspector/FindingStatus\": \"ACTIVE\", \"ProductFields.aws/inspector/inspectorScore\": \"5.9\", \"ProductFields.aws/inspector/packageVulnerabilityDetails/vulnerablePackages/sourceLayerHashes\": \"sha256:f56be85fc22e46face30e2c3de3f7fe7c15f8fd7c4e5add29d7f64b87abdaa09\", \"ProductFields.aws/inspector/resources/1/resourceDetails/awsEcrContainerImageDetails/platform\": \"ALPINE_LINUX_3_17\", \"ProductFields.aws/securityhub/CompanyName\": \"Amazon\", \"ProductFields.aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-2::product/aws/inspector/arn:aws:inspector2:us-east-2:111111111111:finding/faa0d54609b94871badcc83ac7c2add5\", \"ProductFields.aws/securityhub/ProductName\": \"Inspector\", \"RecordState\": \"ACTIVE\", \"Severity.Normalized\": \"40\", \"Vulnerabilities[].Cvss[].Source\": \"NVD,NVD\", \"Vulnerabilities[].Vendor.VendorSeverity\": \"MEDIUM\", \"Vulnerabilities[].VulnerablePackages[].SourceLayerHash\": \"sha256:f56be85fc22e46face30e2c3de3f7fe7c15f8fd7c4e5add29d7f64b87abdaa09\", \"WorkflowState\": \"NEW\"}, \"vulnerabilities\": [{\"affected_packages\": [{\"architecture\": \"X86_64\", \"epoch\": 0, \"fixed_in_version\": \"0:3.0.8-r4\", \"name\": \"openssl\", \"package_manager\": \"OS\", \"release\": \"r3\", \"remediation\": {\"desc\": \"apk update && apk upgrade openssl\"}, \"version\": \"3.0.8\"}], \"cve\": {\"created_time_dt\": \"2023-04-20T13:15:06.000-04:00\", \"cvss\": [{\"base_score\": 5.9, \"vector_string\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"version\": \"3.1\"}, {\"base_score\": 5.9, \"vector_string\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"version\": \"3.1\"}], \"epss\": {\"score\": \"0.00066\"}, \"modified_time_dt\": \"2023-09-08T13:15:15.000-04:00\", \"references\": [\"https://nvd.nist.gov/vuln/detail/CVE-2023-1255\"], \"uid\": \"CVE-2023-1255\"}, \"is_exploit_available\": true, \"is_fix_available\": true, \"references\": [\"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bc2f61ad70971869b242fc1cb445b98bad50074a\", \"https://www.openssl.org/news/secadv/20230419.txt\", \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=02ac9c9420275868472f33b01def01218742b8bb\"], \"remediation\": {\"desc\": \"Remediation is available. Please refer to the Fixed version in the vulnerability details section above.For detailed remediation guidance for each of the affected packages, refer to the vulnerabilities section of the detailed finding JSON.\"}, \"vendor_name\": \"NVD\"}]}",
+ "event": {
+ "action": "update",
+ "category": [],
+ "severity": 3,
+ "type": []
+ },
+ "@timestamp": "2024-01-26T22:19:14Z",
+ "cloud": {
+ "account": {
+ "id": "111111111111"
+ },
+ "provider": "AWS",
+ "region": "us-east-2"
+ },
+ "ocsf": {
+ "activity_id": 2,
+ "activity_name": "Update",
+ "class_name": "Vulnerability Finding",
+ "class_uid": 2002
+ },
+ "vulnerability": {
+ "description": [
+ ""
+ ],
+ "id": [
+ "CVE-2023-1255"
+ ],
+ "scanner": {
+ "vendor": [
+ "NVD"
+ ]
+ },
+ "score": {
+ "version": [
+ ""
+ ]
+ },
+ "severity": [
+ ""
+ ]
+ }
+ }
+
+ ```
+
+
+=== "test_windows_resource_activity_1.json"
+
+ ```json
+
+ {
+ "message": "{\"activity_id\": 1, \"activity_name\": \"Access\", \"actor\": {\"process\": {\"file\": {\"name\": \"services.exe\", \"parent_folder\": \"C:\\\\Windows\\\\System32\", \"path\": \"C:\\\\Windows\\\\System32\\\\services.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 532}, \"session\": {\"uid\": \"0x3e7\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"SOI\", \"name\": \"SZUSOIDC1$\", \"uid\": \"NT AUTHORITY\\\\SYSTEM\"}}, \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Windows Resource Activity\", \"class_uid\": 201003, \"device\": {\"hostname\": \"szusoidc1.soi.dir.acme080.com\", \"os\": {\"name\": \"Windows\", \"type\": \"Windows\", \"type_id\": 100}, \"type\": \"Unknown\", \"type_id\": 0}, \"message\": \"An attempt was made to access an object.\", \"metadata\": {\"original_time\": \"01/14/2015 08:30:54 PM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"05e90f2c-5be6-484c-aefb-f8e6f591bd2c\", \"version\": \"1.0.0-rc.2\"}, \"severity\": \"Informational\", \"severity_id\": 1, \"status\": \"Success\", \"status_id\": 1, \"time\": 1421285454000, \"type_name\": \"Windows Resource Activity: Access\", \"type_uid\": 101001, \"unmapped\": {\"Access Mask\": \"0x2\", \"Access Request Information\": {\"Accesses\": \"Set key value\"}, \"CaseID\": \"AD_4663\", \"EventCode\": \"4663\", \"EventType\": \"0\", \"Object\": {\"Object Server\": \"Security\"}, \"OpCode\": \"Info\", \"RecordNumber\": \"989202992\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Registry\"}, \"win_resource\": {\"name\": \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Services\\\\EventLog\\\\Security\", \"type\": \"Key\", \"type_id\": 25, \"uid\": \"0x564\"}}",
+ "event": {
+ "action": "access",
+ "category": [],
+ "outcome": "success",
+ "reason": "An attempt was made to access an object.",
+ "severity": 1,
+ "type": []
+ },
+ "@timestamp": "2015-01-15T01:30:54Z",
+ "file": {
+ "directory": "C:\\Windows\\System32",
+ "name": "services.exe",
+ "path": "C:\\Windows\\System32\\services.exe",
+ "type": "Regular File"
+ },
+ "host": {
+ "hostname": "szusoidc1.soi.dir.acme080.com",
+ "name": "szusoidc1.soi.dir.acme080.com",
+ "os": {
+ "name": "Windows",
+ "type": "Windows"
+ },
+ "type": "Unknown"
+ },
+ "ocsf": {
+ "activity_id": 1,
+ "activity_name": "Access",
+ "class_name": "Windows Resource Activity",
+ "class_uid": 201003
+ },
+ "process": {
+ "pid": 532
+ },
+ "related": {
+ "hosts": [
+ "szusoidc1.soi.dir.acme080.com"
+ ],
+ "user": [
+ "SZUSOIDC1$"
+ ]
+ },
+ "user": {
+ "domain": "SOI",
+ "group": {
+ "id": [],
+ "name": []
+ },
+ "id": "NT AUTHORITY\\SYSTEM",
+ "name": "SZUSOIDC1$"
+ }
+ }
+
+ ```
+
+
+
+
+
+## Extracted Fields
+
+The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
+
+| Name | Type | Description |
+| ---- | ---- | ---------------------------|
+|`@timestamp` | `date` | Date/time when the event originated. |
+|`cloud.account.id` | `keyword` | The cloud account or organization id. |
+|`cloud.account.name` | `keyword` | The cloud account name. |
+|`cloud.availability_zone` | `keyword` | Availability zone in which this host, resource, or service is located. |
+|`cloud.project.id` | `keyword` | The cloud project id. |
+|`cloud.provider` | `keyword` | Name of the cloud provider. |
+|`cloud.region` | `keyword` | Region in which this host, resource, or service is located. |
+|`container.id` | `keyword` | Unique container id. |
+|`container.image.name` | `keyword` | Name of the image the container was built on. |
+|`container.image.tag` | `keyword` | Container image tags. |
+|`container.labels` | `object` | Image labels. |
+|`container.name` | `keyword` | Container name. |
+|`container.runtime` | `keyword` | Runtime managing this container. |
+|`destination.bytes` | `long` | Bytes sent from the destination to the source. |
+|`destination.domain` | `keyword` | The domain name of the destination. |
+|`destination.geo.city_name` | `keyword` | City name. |
+|`destination.geo.continent_name` | `keyword` | Name of the continent. |
+|`destination.geo.country_iso_code` | `keyword` | Country ISO code. |
+|`destination.geo.name` | `keyword` | User-defined description of a location. |
+|`destination.geo.postal_code` | `keyword` | Postal code. |
+|`destination.geo.region_iso_code` | `keyword` | Region ISO code. |
+|`destination.ip` | `ip` | IP address of the destination. |
+|`destination.mac` | `keyword` | MAC address of the destination. |
+|`destination.packets` | `long` | Packets sent from the destination to the source. |
+|`destination.port` | `long` | Port of the destination. |
+|`dns.answers.class` | `keyword` | The class of DNS data contained in this resource record. |
+|`dns.answers.ttl` | `long` | The time interval in seconds that this resource record may be cached before it should be discarded. |
+|`dns.answers.type` | `keyword` | The type of data contained in this resource record. |
+|`dns.id` | `keyword` | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. |
+|`dns.question.class` | `keyword` | The class of records being queried. |
+|`dns.question.name` | `keyword` | The name being queried. |
+|`dns.question.type` | `keyword` | The type of record being queried. |
+|`dns.response_code` | `keyword` | The DNS response code. |
+|`email.attachments.file.name` | `keyword` | Name of the attachment file. |
+|`email.attachments.file.size` | `long` | Attachment file size. |
+|`email.cc.address` | `keyword` | Email address of CC recipient |
+|`email.from.address` | `keyword` | The sender's email address. |
+|`email.local_id` | `keyword` | Unique identifier given by the source. |
+|`email.message_id` | `wildcard` | Value from the Message-ID header. |
+|`email.reply_to.address` | `keyword` | Address replies should be delivered to. |
+|`email.subject` | `keyword` | The subject of the email message. |
+|`email.to.address` | `keyword` | Email address of recipient |
+|`event.action` | `keyword` | The action captured by the event. |
+|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
+|`event.code` | `keyword` | Identification code for this event. |
+|`event.duration` | `long` | Duration of the event in nanoseconds. |
+|`event.end` | `date` | event.end contains the date when the event ended or when the activity was last observed. |
+|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
+|`event.provider` | `keyword` | Source of the event. |
+|`event.reason` | `keyword` | Reason why this event happened, according to the source |
+|`event.reference` | `keyword` | Event reference URL |
+|`event.risk_score` | `float` | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. |
+|`event.sequence` | `long` | Sequence number of the event. |
+|`event.severity` | `long` | Numeric severity of the event. |
+|`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. |
+|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
+|`file.accessed` | `date` | Last time the file was accessed. |
+|`file.created` | `date` | File creation time. |
+|`file.directory` | `keyword` | Directory where the file is located. |
+|`file.hash.md5` | `keyword` | MD5 hash. |
+|`file.hash.sha1` | `keyword` | SHA1 hash. |
+|`file.hash.sha256` | `keyword` | SHA256 hash. |
+|`file.hash.sha512` | `keyword` | SHA512 hash. |
+|`file.hash.ssdeep` | `keyword` | SSDEEP hash. |
+|`file.hash.tlsh` | `keyword` | TLSH hash. |
+|`file.inode` | `keyword` | Inode representing the file in the filesystem. |
+|`file.mime_type` | `keyword` | Media type of file, document, or arrangement of bytes. |
+|`file.mtime` | `date` | Last time the file content was modified. |
+|`file.name` | `keyword` | Name of the file including the extension, without the directory. |
+|`file.owner` | `keyword` | File owner's username. |
+|`file.path` | `keyword` | Full path to the file, including the file name. |
+|`file.size` | `long` | File size in bytes. |
+|`file.type` | `keyword` | File type (file, dir, or symlink). |
+|`file.uid` | `keyword` | The user ID (UID) or security identifier (SID) of the file owner. |
+|`file.x509.issuer.distinguished_name` | `keyword` | Distinguished name (DN) of issuing certificate authority. |
+|`file.x509.not_after` | `date` | Time at which the certificate is no longer considered valid. |
+|`file.x509.serial_number` | `keyword` | Unique serial number issued by the certificate authority. |
+|`file.x509.subject.distinguished_name` | `keyword` | Distinguished name (DN) of the certificate subject entity. |
+|`file.x509.version_number` | `keyword` | Version of x509 format. |
+|`group.id` | `keyword` | Unique identifier for the group on the system/platform. |
+|`group.name` | `keyword` | Name of the group. |
+|`host.domain` | `keyword` | Name of the directory the group is a member of. |
+|`host.geo.city_name` | `keyword` | City name. |
+|`host.geo.continent_name` | `keyword` | Name of the continent. |
+|`host.geo.country_iso_code` | `keyword` | Country ISO code. |
+|`host.geo.name` | `keyword` | User-defined description of a location. |
+|`host.geo.postal_code` | `keyword` | Postal code. |
+|`host.geo.region_iso_code` | `keyword` | Region ISO code. |
+|`host.hostname` | `keyword` | Hostname of the host. |
+|`host.id` | `keyword` | Unique host id. |
+|`host.ip` | `ip` | Host ip addresses. |
+|`host.mac` | `keyword` | Host MAC addresses. |
+|`host.os.name` | `keyword` | Operating system name, without the version. |
+|`host.os.type` | `keyword` | Which commercial OS family (one of: linux, macos, unix or windows). |
+|`host.os.version` | `keyword` | Operating system version as a raw string. |
+|`host.type` | `keyword` | Type of host. |
+|`http.request.id` | `keyword` | HTTP request ID. |
+|`http.request.method` | `keyword` | HTTP request method. |
+|`http.request.referrer` | `keyword` | Referrer for this HTTP request. |
+|`http.response.body.bytes` | `long` | Size in bytes of the response body. |
+|`http.response.body.content` | `wildcard` | The full HTTP response body. |
+|`http.response.status_code` | `long` | HTTP response status code. |
+|`http.version` | `keyword` | HTTP version. |
+|`network.application` | `keyword` | Application level protocol name. |
+|`network.bytes` | `long` | Total bytes transferred in both directions. |
+|`network.direction` | `keyword` | Direction of the network traffic. |
+|`network.iana_number` | `keyword` | IANA Protocol Number. |
+|`network.packets` | `long` | Total packets transferred in both directions. |
+|`network.vlan.id` | `keyword` | VLAN ID as reported by the observer. |
+|`observer.hostname` | `keyword` | Hostname of the observer. |
+|`observer.ip` | `ip` | IP addresses of the observer. |
+|`observer.mac` | `keyword` | MAC addresses of the observer. |
+|`observer.name` | `keyword` | Custom name of the observer. |
+|`observer.type` | `keyword` | The type of the observer the data is coming from. |
+|`ocsf.activity_id` | `long` | The normalized identifier of the activity that triggered the event. |
+|`ocsf.activity_name` | `keyword` | The event activity name, as defined by the activity_id. |
+|`ocsf.class_name` | `keyword` | The event class name, as defined by class_uid value: Security Finding. |
+|`ocsf.class_uid` | `long` | The unique identifier of a class. A Class describes the attributes available in an event.2001 Security FindingSecurity Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products. |
+|`orchestrator.type` | `keyword` | Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). |
+|`organization.id` | `keyword` | Unique identifier for the organization. |
+|`organization.name` | `keyword` | Organization name. |
+|`package.description` | `keyword` | Description of the package. |
+|`package.name` | `keyword` | Package name |
+|`package.type` | `keyword` | Package type |
+|`process.command_line` | `wildcard` | Full command line that started the process. |
+|`process.end` | `date` | The time the process ended. |
+|`process.entity_id` | `keyword` | Unique identifier for the process. |
+|`process.exit_code` | `long` | The exit code of the process. |
+|`process.group.id` | `keyword` | |
+|`process.group.name` | `keyword` | |
+|`process.name` | `keyword` | Process name. |
+|`process.parent.command_line` | `wildcard` | Full command line that started the process. |
+|`process.parent.end` | `date` | The time the process ended. |
+|`process.parent.entity_id` | `keyword` | Unique identifier for the process. |
+|`process.parent.name` | `keyword` | Process name. |
+|`process.parent.pid` | `long` | Process id. |
+|`process.parent.start` | `date` | The time the process started. |
+|`process.parent.thread.id` | `long` | Thread ID. |
+|`process.parent.user.domain` | `keyword` | |
+|`process.parent.user.email` | `keyword` | |
+|`process.parent.user.full_name` | `keyword` | |
+|`process.parent.user.group.id` | `keyword` | |
+|`process.parent.user.group.name` | `keyword` | |
+|`process.pid` | `long` | Process id. |
+|`process.start` | `date` | The time the process started. |
+|`process.thread.id` | `long` | Thread ID. |
+|`process.user.domain` | `keyword` | |
+|`process.user.email` | `keyword` | |
+|`process.user.full_name` | `keyword` | |
+|`process.user.group.id` | `keyword` | |
+|`process.user.group.name` | `keyword` | |
+|`rule.category` | `keyword` | Rule category |
+|`rule.description` | `keyword` | Rule description |
+|`rule.name` | `keyword` | Rule name |
+|`rule.uuid` | `keyword` | Rule UUID |
+|`rule.version` | `keyword` | Rule version |
+|`service.id` | `keyword` | Unique identifier of the running service. |
+|`service.name` | `keyword` | Name of the service. |
+|`service.version` | `keyword` | Version of the service. |
+|`source.bytes` | `long` | Bytes sent from the source to the destination. |
+|`source.domain` | `keyword` | The domain name of the source. |
+|`source.geo.city_name` | `keyword` | City name. |
+|`source.geo.continent_name` | `keyword` | Name of the continent. |
+|`source.geo.country_iso_code` | `keyword` | Country ISO code. |
+|`source.geo.location` | `geo_point` | Longitude and latitude. |
+|`source.geo.name` | `keyword` | User-defined description of a location. |
+|`source.geo.postal_code` | `keyword` | Postal code. |
+|`source.geo.region_iso_code` | `keyword` | Region ISO code. |
+|`source.ip` | `ip` | IP address of the source. |
+|`source.mac` | `keyword` | MAC address of the source. |
+|`source.packets` | `long` | Packets sent from the source to the destination. |
+|`source.port` | `long` | Port of the source. |
+|`threat.technique.id` | `keyword` | Threat technique id. |
+|`threat.technique.name` | `keyword` | Threat technique name. |
+|`tls.cipher` | `keyword` | String indicating the cipher used during the current connection. |
+|`tls.client.ja3` | `keyword` | A hash that identifies clients based on how they perform an SSL/TLS handshake. |
+|`tls.client.server_name` | `keyword` | Hostname the client is trying to connect to. Also called the SNI. |
+|`tls.client.supported_ciphers` | `keyword` | Array of ciphers offered by the client during the client hello. |
+|`tls.client.x509.alternative_names` | `keyword` | List of subject alternative names (SAN). |
+|`tls.client.x509.issuer.distinguished_name` | `keyword` | Distinguished name (DN) of issuing certificate authority. |
+|`tls.client.x509.not_after` | `date` | Time at which the certificate is no longer considered valid. |
+|`tls.client.x509.serial_number` | `keyword` | Unique serial number issued by the certificate authority. |
+|`tls.client.x509.subject.distinguished_name` | `keyword` | Distinguished name (DN) of the certificate subject entity. |
+|`tls.client.x509.version_number` | `keyword` | Version of x509 format. |
+|`tls.server.certificate_chain` | `keyword` | Array of PEM-encoded certificates that make up the certificate chain offered by the server. |
+|`tls.server.ja3s` | `keyword` | A hash that identifies servers based on how they perform an SSL/TLS handshake. |
+|`tls.version` | `keyword` | Numeric part of the version parsed from the original string. |
+|`url.domain` | `keyword` | Domain of the url. |
+|`url.original` | `wildcard` | Unmodified original url as seen in the event source. |
+|`url.path` | `wildcard` | Path of the request, such as "/search". |
+|`url.port` | `long` | Port of the request, such as 443. |
+|`url.query` | `keyword` | Query string of the request. |
+|`url.scheme` | `keyword` | Scheme of the url. |
+|`url.subdomain` | `keyword` | The subdomain of the domain. |
+|`user.changes.domain` | `keyword` | Name of the directory the user is a member of. |
+|`user.changes.email` | `keyword` | User email address. |
+|`user.changes.full_name` | `keyword` | User's full name, if available. |
+|`user.changes.group.id` | `keyword` | Unique identifier for the group on the system/platform. |
+|`user.changes.group.name` | `keyword` | Name of the group. |
+|`user.changes.id` | `keyword` | Unique identifier of the user. |
+|`user.changes.name` | `keyword` | Short name or login of the user. |
+|`user.domain` | `keyword` | Name of the directory the user is a member of. |
+|`user.email` | `keyword` | User email address. |
+|`user.full_name` | `keyword` | User's full name, if available. |
+|`user.group.id` | `keyword` | Unique identifier for the group on the system/platform. |
+|`user.group.name` | `keyword` | Name of the group. |
+|`user.id` | `keyword` | Unique identifier of the user. |
+|`user.name` | `keyword` | Short name or login of the user. |
+|`user.target.domain` | `keyword` | Name of the directory the user is a member of. |
+|`user.target.email` | `keyword` | User email address. |
+|`user.target.full_name` | `keyword` | User's full name, if available. |
+|`user.target.group.id` | `keyword` | Unique identifier for the group on the system/platform. |
+|`user.target.group.name` | `keyword` | Name of the group. |
+|`user.target.id` | `keyword` | Unique identifier of the user. |
+|`user.target.name` | `keyword` | Short name or login of the user. |
+|`user_agent.original` | `keyword` | Unparsed user_agent string. |
+|`vulnerability.category` | `keyword` | Category of a vulnerability. |
+|`vulnerability.description` | `keyword` | Description of the vulnerability. |
+|`vulnerability.id` | `keyword` | ID of the vulnerability. |
+|`vulnerability.scanner.vendor` | `keyword` | Name of the scanner vendor. |
+|`vulnerability.score.base` | `float` | Vulnerability Base score. |
+|`vulnerability.score.version` | `keyword` | CVSS version. |
+|`vulnerability.severity` | `keyword` | Severity of the vulnerability. |
+
diff --git a/_shared_content/operations_center/integrations/generated/b28db14b-e3a7-463e-8659-9bf0e577944f.md b/_shared_content/operations_center/integrations/generated/b28db14b-e3a7-463e-8659-9bf0e577944f.md
index 6dafddcef4..3f2a42856a 100644
--- a/_shared_content/operations_center/integrations/generated/b28db14b-e3a7-463e-8659-9bf0e577944f.md
+++ b/_shared_content/operations_center/integrations/generated/b28db14b-e3a7-463e-8659-9bf0e577944f.md
@@ -17,8 +17,8 @@ In details, the following table denotes the type of events produced by this inte
| Name | Values |
| ---- | ------ |
| Kind | `` |
-| Category | `authentication`, `network`, `session` |
-| Type | `end`, `protocol`, `start` |
+| Category | `authentication`, `configuration`, `library`, `network`, `session` |
+| Type | `end`, `info`, `protocol`, `start` |
@@ -338,6 +338,107 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```
+=== "accepted_rsa.json"
+
+ ```json
+
+ {
+ "message": " Accepted key RSA SHA256:3cOMdwjvSk5BnU2zs6397YpKn/SNSVSAMtsQchY8dOo found at /home/star/.ssh/authorized_keys:2",
+ "event": {
+ "category": [
+ "authentication"
+ ],
+ "outcome": "success",
+ "type": [
+ "start"
+ ]
+ },
+ "action": {
+ "name": "session",
+ "outcome": "success",
+ "outcome_reason": "Accepted key RSA SHA256:3cOMdwjvSk5BnU2zs6397YpKn/SNSVSAMtsQchY8dOo found at /home/star/.ssh/authorized_keys:2",
+ "target": "user",
+ "type": "open"
+ },
+ "observer": {
+ "product": "openssh",
+ "type": "server",
+ "vendor": "openbsd project"
+ },
+ "process": {
+ "name": "sshd"
+ }
+ }
+
+ ```
+
+
+=== "accepted_rsa_2.json"
+
+ ```json
+
+ {
+ "message": " Accepted key RSA SHA256:3cOMdwjvSk5BnU2zs6397YpKn/SNSVSAMtsQchY8dOo found at /usr/local/nagios/.ssh/authorized_keys:1",
+ "event": {
+ "category": [
+ "authentication"
+ ],
+ "outcome": "success",
+ "type": [
+ "start"
+ ]
+ },
+ "action": {
+ "name": "session",
+ "outcome": "success",
+ "outcome_reason": "Accepted key RSA SHA256:3cOMdwjvSk5BnU2zs6397YpKn/SNSVSAMtsQchY8dOo found at /usr/local/nagios/.ssh/authorized_keys:1",
+ "target": "user",
+ "type": "open"
+ },
+ "observer": {
+ "product": "openssh",
+ "type": "server",
+ "vendor": "openbsd project"
+ },
+ "process": {
+ "name": "sshd"
+ }
+ }
+
+ ```
+
+
+=== "auth_method_disabled.json"
+
+ ```json
+
+ {
+ "message": "main: sshd: ssh-rsa algorithm is disabled",
+ "event": {
+ "category": [
+ "configuration"
+ ],
+ "outcome": "success",
+ "type": [
+ "info"
+ ]
+ },
+ "action": {
+ "outcome_reason": "main: sshd: ssh-rsa algorithm is disabled"
+ },
+ "observer": {
+ "product": "openssh",
+ "type": "server",
+ "vendor": "openbsd project"
+ },
+ "process": {
+ "name": "sshd"
+ }
+ }
+
+ ```
+
+
=== "authentication_attempts_exceeded.json"
```json
@@ -593,6 +694,50 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```
+=== "connection_closed_2.json"
+
+ ```json
+
+ {
+ "message": " Connection closed by 127.0.0.1",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "outcome": "success",
+ "type": [
+ "end"
+ ]
+ },
+ "action": {
+ "name": "connection",
+ "outcome": "success",
+ "outcome_reason": "Connection closed by 127.0.0.1",
+ "target": "user",
+ "type": "close"
+ },
+ "observer": {
+ "product": "openssh",
+ "type": "server",
+ "vendor": "openbsd project"
+ },
+ "process": {
+ "name": "sshd"
+ },
+ "related": {
+ "ip": [
+ "127.0.0.1"
+ ]
+ },
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ }
+ }
+
+ ```
+
+
=== "connection_closed_authenticating_user.json"
```json
@@ -845,6 +990,56 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```
+=== "connection_from.json"
+
+ ```json
+
+ {
+ "message": " Connection from 127.0.0.1 port 58752 on 127.0.0.1 port 22",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "outcome": "success",
+ "type": [
+ "start"
+ ]
+ },
+ "action": {
+ "name": "connection",
+ "outcome": "success",
+ "outcome_reason": "Connection from 127.0.0.1 port 58752 on 127.0.0.1 port 22",
+ "target": "user",
+ "type": "open"
+ },
+ "destination": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1",
+ "port": 22
+ },
+ "observer": {
+ "product": "openssh",
+ "type": "server",
+ "vendor": "openbsd project"
+ },
+ "process": {
+ "name": "sshd"
+ },
+ "related": {
+ "ip": [
+ "127.0.0.1"
+ ]
+ },
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1",
+ "port": 58752
+ }
+ }
+
+ ```
+
+
=== "connection_reset.json"
```json
@@ -1756,12 +1951,12 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```
-=== "pam_more_auth_failure.json"
+=== "pam_faillock_consecutive_failures.json"
```json
{
- "message": "PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=root",
+ "message": "pam_faillock(sshd:auth): Consecutive login failures for user JDOE account temporarily locked",
"event": {
"category": [
"authentication"
@@ -1774,7 +1969,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"action": {
"name": "sshd:auth",
"outcome": "failure",
- "outcome_reason": "PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=root",
+ "outcome_reason": "Consecutive login failures for user JDOE account temporarily locked",
"target": "user",
"type": "authentication"
},
@@ -1787,51 +1982,44 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"name": "sshd"
},
"related": {
- "ip": [
- "1.2.3.4"
- ],
"user": [
- "root"
+ "JDOE"
]
},
"source": {
- "address": "1.2.3.4",
- "ip": "1.2.3.4",
"user": {
- "name": "root"
+ "name": "JDOE"
}
},
"user": {
- "euid": "0",
- "id": "0",
- "name": "root"
+ "name": "JDOE"
}
}
```
-=== "pam_service_ignoring_max_retries.json"
+=== "pam_faillock_user_unknown.json"
```json
{
- "message": "PAM service(sshd) ignoring max retries; 6 > 3",
+ "message": "pam_faillock(sshd:auth): User unknown",
"event": {
"category": [
- "session"
+ "authentication"
],
"outcome": "failure",
"type": [
- "start"
+ "end"
]
},
"action": {
- "name": "connection",
+ "name": "sshd:auth",
"outcome": "failure",
- "outcome_reason": "ignoring max retries; 6 > 3",
+ "outcome_reason": "User unknown",
"target": "user",
- "type": "open"
+ "type": "authentication"
},
"observer": {
"product": "openssh",
@@ -1846,27 +2034,27 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```
-=== "pam_session_closed.json"
+=== "pam_faulty_module.json"
```json
{
- "message": " pam_unix(sshd:session): session closed for user ubuntu",
+ "message": "PAM adding faulty module: pam_cracklib.so",
"event": {
"category": [
- "session"
+ "library"
],
- "outcome": "success",
+ "outcome": "failure",
"type": [
- "end"
+ "start"
]
},
"action": {
- "name": "sshd:session",
- "outcome": "success",
- "outcome_reason": "pam_unix(sshd:session): session closed for user ubuntu",
- "target": "user",
- "type": "close"
+ "outcome": "failure",
+ "outcome_reason": "PAM adding faulty module: pam_cracklib.so"
+ },
+ "dll": {
+ "name": "pam_cracklib.so"
},
"observer": {
"product": "openssh",
@@ -1875,46 +2063,33 @@ Find below few samples of events and how they are normalized by Sekoia.io.
},
"process": {
"name": "sshd"
- },
- "related": {
- "user": [
- "ubuntu"
- ]
- },
- "source": {
- "user": {
- "name": "ubuntu"
- }
- },
- "user": {
- "name": "ubuntu"
}
}
```
-=== "pam_session_opened.json"
+=== "pam_more_auth_failure.json"
```json
{
- "message": " pam_unix(sshd:session): session opened for user ubuntu by (uid=0)",
+ "message": "PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=root",
"event": {
"category": [
- "session"
+ "authentication"
],
- "outcome": "success",
+ "outcome": "failure",
"type": [
- "start"
+ "end"
]
},
"action": {
- "name": "sshd:session",
- "outcome": "success",
- "outcome_reason": "pam_unix(sshd:session): session opened for user ubuntu by (uid=0)",
+ "name": "sshd:auth",
+ "outcome": "failure",
+ "outcome_reason": "PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=root",
"target": "user",
- "type": "open"
+ "type": "authentication"
},
"observer": {
"product": "openssh",
@@ -1925,40 +2100,213 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"name": "sshd"
},
"related": {
+ "ip": [
+ "1.2.3.4"
+ ],
"user": [
- "ubuntu"
+ "root"
]
},
"source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4",
"user": {
- "name": "ubuntu"
+ "name": "root"
}
},
"user": {
- "name": "ubuntu"
+ "euid": "0",
+ "id": "0",
+ "name": "root"
}
}
```
-=== "pam_session_opened_2.json"
+=== "pam_service_ignoring_max_retries.json"
```json
{
- "message": " pam_unix(sshd:session): session opened for user jdoe(uid=10357) by (uid=0)",
+ "message": "PAM service(sshd) ignoring max retries; 6 > 3",
"event": {
"category": [
"session"
],
- "outcome": "success",
+ "outcome": "failure",
"type": [
"start"
]
},
"action": {
- "name": "sshd:session",
+ "name": "connection",
+ "outcome": "failure",
+ "outcome_reason": "ignoring max retries; 6 > 3",
+ "target": "user",
+ "type": "open"
+ },
+ "observer": {
+ "product": "openssh",
+ "type": "server",
+ "vendor": "openbsd project"
+ },
+ "process": {
+ "name": "sshd"
+ }
+ }
+
+ ```
+
+
+=== "pam_session_closed.json"
+
+ ```json
+
+ {
+ "message": " pam_unix(sshd:session): session closed for user ubuntu",
+ "event": {
+ "category": [
+ "session"
+ ],
+ "outcome": "success",
+ "type": [
+ "end"
+ ]
+ },
+ "action": {
+ "name": "sshd:session",
+ "outcome": "success",
+ "outcome_reason": "pam_unix(sshd:session): session closed for user ubuntu",
+ "target": "user",
+ "type": "close"
+ },
+ "observer": {
+ "product": "openssh",
+ "type": "server",
+ "vendor": "openbsd project"
+ },
+ "process": {
+ "name": "sshd"
+ },
+ "related": {
+ "user": [
+ "ubuntu"
+ ]
+ },
+ "source": {
+ "user": {
+ "name": "ubuntu"
+ }
+ },
+ "user": {
+ "name": "ubuntu"
+ }
+ }
+
+ ```
+
+
+=== "pam_session_failed_to_create.json"
+
+ ```json
+
+ {
+ "message": " pam_systemd(sshd:session): Failed to create session: Maximum number of sessions (8192) reached, refusing further sessions.",
+ "event": {
+ "category": [
+ "session"
+ ],
+ "outcome": "failure",
+ "type": [
+ "end"
+ ]
+ },
+ "action": {
+ "name": "connection",
+ "outcome": "failure",
+ "outcome_reason": "Maximum number of sessions (8192) reached, refusing further sessions.",
+ "target": "user",
+ "type": "open"
+ },
+ "observer": {
+ "product": "openssh",
+ "type": "server",
+ "vendor": "openbsd project"
+ },
+ "process": {
+ "name": "sshd"
+ }
+ }
+
+ ```
+
+
+=== "pam_session_opened.json"
+
+ ```json
+
+ {
+ "message": " pam_unix(sshd:session): session opened for user ubuntu by (uid=0)",
+ "event": {
+ "category": [
+ "session"
+ ],
+ "outcome": "success",
+ "type": [
+ "start"
+ ]
+ },
+ "action": {
+ "name": "sshd:session",
+ "outcome": "success",
+ "outcome_reason": "pam_unix(sshd:session): session opened for user ubuntu by (uid=0)",
+ "target": "user",
+ "type": "open"
+ },
+ "observer": {
+ "product": "openssh",
+ "type": "server",
+ "vendor": "openbsd project"
+ },
+ "process": {
+ "name": "sshd"
+ },
+ "related": {
+ "user": [
+ "ubuntu"
+ ]
+ },
+ "source": {
+ "user": {
+ "name": "ubuntu"
+ }
+ },
+ "user": {
+ "name": "ubuntu"
+ }
+ }
+
+ ```
+
+
+=== "pam_session_opened_2.json"
+
+ ```json
+
+ {
+ "message": " pam_unix(sshd:session): session opened for user jdoe(uid=10357) by (uid=0)",
+ "event": {
+ "category": [
+ "session"
+ ],
+ "outcome": "success",
+ "type": [
+ "start"
+ ]
+ },
+ "action": {
+ "name": "sshd:session",
"outcome": "success",
"outcome_reason": "pam_unix(sshd:session): session opened for user jdoe(uid=10357) by (uid=0)",
"target": "user",
@@ -1992,6 +2340,42 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```
+=== "pam_unable_to_dlopen.json"
+
+ ```json
+
+ {
+ "message": "PAM unable to dlopen(pam_cracklib.so): /lib/security/pam_cracklib.so: cannot open shared object file: No such file or directory",
+ "event": {
+ "category": [
+ "library"
+ ],
+ "outcome": "failure",
+ "type": [
+ "start"
+ ]
+ },
+ "action": {
+ "outcome": "failure",
+ "outcome_reason": "cannot open shared object file: No such file or directory"
+ },
+ "dll": {
+ "name": "pam_cracklib.so",
+ "path": "/lib/security/pam_cracklib.so"
+ },
+ "observer": {
+ "product": "openssh",
+ "type": "server",
+ "vendor": "openbsd project"
+ },
+ "process": {
+ "name": "sshd"
+ }
+ }
+
+ ```
+
+
=== "pam_winbind_granted_access.json"
```json
@@ -2046,6 +2430,65 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```
+=== "postponed_publickey.json"
+
+ ```json
+
+ {
+ "message": " Postponed publickey for star from 127.0.0.1 port 44690 ssh2 [preauth]",
+ "event": {
+ "category": [
+ "authentication"
+ ],
+ "outcome": "success",
+ "type": [
+ "start"
+ ]
+ },
+ "action": {
+ "name": "session",
+ "outcome": "success",
+ "outcome_reason": "Postponed publickey for star from 127.0.0.1 port 44690 ssh2 [preauth]",
+ "target": "user",
+ "type": "open"
+ },
+ "observer": {
+ "product": "openssh",
+ "type": "server",
+ "vendor": "openbsd project"
+ },
+ "openssh": {
+ "auth": {
+ "method": "publickey"
+ }
+ },
+ "process": {
+ "name": "sshd"
+ },
+ "related": {
+ "ip": [
+ "127.0.0.1"
+ ],
+ "user": [
+ "star"
+ ]
+ },
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1",
+ "port": 44690,
+ "user": {
+ "name": "star"
+ }
+ },
+ "user": {
+ "name": "star"
+ }
+ }
+
+ ```
+
+
=== "received_disconnect_bye_bye.json"
```json
@@ -2226,7 +2669,139 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```
-=== "unable_to_negociate.json"
+=== "received_disconnect_user_2.json"
+
+ ```json
+
+ {
+ "message": " Received disconnect from 127.0.0.1: 11: disconnected by user",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "outcome": "success",
+ "type": [
+ "end"
+ ]
+ },
+ "action": {
+ "name": "connection",
+ "outcome": "success",
+ "outcome_reason": "disconnected by user",
+ "target": "user",
+ "type": "close"
+ },
+ "observer": {
+ "product": "openssh",
+ "type": "server",
+ "vendor": "openbsd project"
+ },
+ "process": {
+ "name": "sshd"
+ },
+ "related": {
+ "ip": [
+ "127.0.0.1"
+ ]
+ },
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ }
+ }
+
+ ```
+
+
+=== "starting_session.json"
+
+ ```json
+
+ {
+ "message": " Starting session: command for nagios from 127.0.0.1 port 58752 id 0",
+ "event": {
+ "outcome": "success"
+ },
+ "action": {
+ "outcome_reason": "Starting session: command for nagios from 127.0.0.1 port 58752 id 0"
+ },
+ "observer": {
+ "product": "openssh",
+ "type": "server",
+ "vendor": "openbsd project"
+ },
+ "process": {
+ "name": "sshd"
+ },
+ "related": {
+ "ip": [
+ "127.0.0.1"
+ ],
+ "user": [
+ "nagios"
+ ]
+ },
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1",
+ "port": 58752,
+ "user": {
+ "name": "nagios"
+ }
+ },
+ "user": {
+ "name": "nagios"
+ }
+ }
+
+ ```
+
+
+=== "starting_session_2.json"
+
+ ```json
+
+ {
+ "message": " Starting session: command for star from 127.0.0.1 port 44690 id 0",
+ "event": {
+ "outcome": "success"
+ },
+ "action": {
+ "outcome_reason": "Starting session: command for star from 127.0.0.1 port 44690 id 0"
+ },
+ "observer": {
+ "product": "openssh",
+ "type": "server",
+ "vendor": "openbsd project"
+ },
+ "process": {
+ "name": "sshd"
+ },
+ "related": {
+ "ip": [
+ "127.0.0.1"
+ ],
+ "user": [
+ "star"
+ ]
+ },
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1",
+ "port": 44690,
+ "user": {
+ "name": "star"
+ }
+ },
+ "user": {
+ "name": "star"
+ }
+ }
+
+ ```
+
+
+=== "unable_to_negotiate.json"
```json
@@ -2271,6 +2846,51 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```
+=== "unable_to_negotiate_2.json"
+
+ ```json
+
+ {
+ "message": " Unable to negotiate with 1.2.3.4 port 5228: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 [preauth]",
+ "event": {
+ "category": [
+ "session"
+ ],
+ "outcome": "failure",
+ "type": [
+ "end"
+ ]
+ },
+ "action": {
+ "name": "negotiate",
+ "outcome": "failure",
+ "outcome_reason": "Unable to negotiate with 1.2.3.4 port 5228: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 [preauth]",
+ "target": "user",
+ "type": "open"
+ },
+ "observer": {
+ "product": "openssh",
+ "type": "server",
+ "vendor": "openbsd project"
+ },
+ "process": {
+ "name": "sshd"
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4"
+ ]
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4",
+ "port": 5228
+ }
+ }
+
+ ```
+
+
=== "user_not_allowed.json"
```json
@@ -2324,6 +2944,55 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```
+=== "user_on_pid.json"
+
+ ```json
+
+ {
+ "message": " User child is on pid 60225",
+ "event": {
+ "category": [
+ "session"
+ ],
+ "outcome": "success",
+ "type": [
+ "start"
+ ]
+ },
+ "action": {
+ "name": "connection",
+ "outcome": "success",
+ "outcome_reason": "is on pid 60225",
+ "target": "user",
+ "type": "open"
+ },
+ "observer": {
+ "product": "openssh",
+ "type": "server",
+ "vendor": "openbsd project"
+ },
+ "process": {
+ "name": "sshd",
+ "pid": 60225
+ },
+ "related": {
+ "user": [
+ "child"
+ ]
+ },
+ "source": {
+ "user": {
+ "name": "child"
+ }
+ },
+ "user": {
+ "name": "child"
+ }
+ }
+
+ ```
+
+
@@ -2334,6 +3003,10 @@ The following table lists the fields that are extracted, normalized under the EC
| Name | Type | Description |
| ---- | ---- | ---------------------------|
|`action.target` | `keyword` | |
+|`destination.ip` | `ip` | IP address of the destination. |
+|`destination.port` | `long` | Port of the destination. |
+|`dll.name` | `keyword` | Name of the library. |
+|`dll.path` | `keyword` | Full file path of the library. |
|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
|`event.outcome` | `keyword` | The outcome of the event. The lowest level categorization field in the hierarchy. |
|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
@@ -2343,6 +3016,7 @@ The following table lists the fields that are extracted, normalized under the EC
|`observer.vendor` | `keyword` | Vendor name of the observer. |
|`openssh.auth.method` | `keyword` | |
|`process.name` | `keyword` | Process name. |
+|`process.pid` | `long` | Process id. |
|`source.domain` | `keyword` | The domain name of the source. |
|`source.ip` | `ip` | IP address of the source. |
|`source.port` | `long` | Port of the source. |
diff --git a/_shared_content/operations_center/integrations/generated/d0383e87-e054-4a21-8a2c-6a89635d8615.md b/_shared_content/operations_center/integrations/generated/d0383e87-e054-4a21-8a2c-6a89635d8615.md
index 5fea47a537..248a85ae07 100644
--- a/_shared_content/operations_center/integrations/generated/d0383e87-e054-4a21-8a2c-6a89635d8615.md
+++ b/_shared_content/operations_center/integrations/generated/d0383e87-e054-4a21-8a2c-6a89635d8615.md
@@ -68,7 +68,8 @@ Find below few samples of events and how they are normalized by Sekoia.io.
},
"ubika": {
"cloud_protector": {
- "application_id": "www.some-app.com"
+ "application_id": "www.some-app.com",
+ "attack_family": "Information Disclosure"
}
},
"url": {
@@ -99,6 +100,7 @@ The following table lists the fields that are extracted, normalized under the EC
|`rule.id` | `keyword` | Rule ID |
|`source.ip` | `ip` | IP address of the source. |
|`ubika.cloud_protector.application_id` | `keyword` | Website server name |
+|`ubika.cloud_protector.attack_family` | `keyword` | The nature of the attack |
|`url.path` | `wildcard` | Path of the request, such as "/search". |
|`url.query` | `keyword` | Query string of the request. |