From c2af26fb23d7de510781b4e4b2a599c2c3cbc823 Mon Sep 17 00:00:00 2001
From: "sekoia-io-cross-repo-comm-app[bot]"
Date: Tue, 12 Dec 2023 08:37:42 +0000
Subject: [PATCH] Refresh intakes documentation
---
.../70c5c3db-fae8-4825-8d8b-08d6315e1ef6.md | 295 ++++++++++++++++++
.../caa13404-9243-493b-943e-9848cadb1f99.md | 117 +++++++
2 files changed, 412 insertions(+)
create mode 100644 _shared_content/operations_center/integrations/generated/70c5c3db-fae8-4825-8d8b-08d6315e1ef6.md
diff --git a/_shared_content/operations_center/integrations/generated/70c5c3db-fae8-4825-8d8b-08d6315e1ef6.md b/_shared_content/operations_center/integrations/generated/70c5c3db-fae8-4825-8d8b-08d6315e1ef6.md
new file mode 100644
index 0000000000..d355743091
--- /dev/null
+++ b/_shared_content/operations_center/integrations/generated/70c5c3db-fae8-4825-8d8b-08d6315e1ef6.md
@@ -0,0 +1,295 @@ + +## Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Authentication logs` | audit events from Azure Files | +| `File monitoring` | Azure files monitor logs | + + + + + +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `event` | +| Category | `["network"]` | +| Type | `` | + + + + +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "storage_delete.json" + + ```json + + { + "message": "{\"time\":\"2023-12-01T17:55:31.4699153Z\",\"resourceId\":\"/subscriptions/af8a6d76-d0d2-4f4d-9591-f917957d9675/resourceGroups/myresource/providers/Microsoft.Storage/storageAccounts/example/fileServices/default\",\"category\":\"StorageDelete\",\"operationName\":\"DeleteFile\",\"operationVersion\":\"2022-11-02\",\"schemaVersion\":\"1.0\",\"statusCode\":202,\"statusText\":\"Success\",\"durationMs\":5,\"callerIpAddress\":\"1.2.3.4:39221\",\"correlationId\":\"e3ae0a7a-5817-4fd4-91f2-f8eb1df0aaaf\",\"identity\":{\"type\":\"SAS\",\"tokenHash\":\"key1(1111111111111111111111111111111111111111111111111111111111111111),SasSignature(2222222222222222222222222222222222222222222222222222222222222222)\"},\"location\":\"westeurope\",\"properties\":{\"accountName\":\"example\",\"userAgentHeader\":\"Mozilla/5.0(X11;Linuxx86_64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/119.0.0.0Safari/537.36\",\"serviceType\":\"file\",\"objectKey\":\"/example\",\"metricResponseType\":\"Success\",\"serverLatencyMs\":5,\"requestHeaderSize\":791,\"responseHeaderSize\":246,\"tlsVersion\":\"TLS1.2\"},\"uri\":\"https://example.file.core.windows.net:443/mystorage/docs/myimage.jpg?_=1701453287208&sv=2022-11-02&ss=bqtf&srt=sco&sp=rwdlacuptfxiy&se=2023-12-02T01:54:36Z&sig=XXXXX\",\"protocol\":\"HTTPS\",\"resourceType\":\"Microsoft.Storag
e/storageAccounts/fileServices\"}", + "event": { + "action": "DeleteFile", + "category": [ + "network" + ], + "dataset": "StorageDelete", + "kind": "event", + "provider": "Microsoft.Storage/storageAccounts/fileServices", + "type": [ + "info" + ] + }, + "@timestamp": "2023-12-01T17:55:31.469915Z", + "azure": { + "files": { + "status": "Success" + } + }, + "cloud": { + "account": { + "name": "example" + }, + "provider": "Azure", + "region": "westeurope", + "service": { + "name": "files" + } + }, + "http": { + "response": { + "status_code": 202 + } + }, + "network": { + "protocol": "HTTPS" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 39221 + }, + "url": { + "domain": "example.file.core.windows.net", + "original": "https://example.file.core.windows.net:443/mystorage/docs/myimage.jpg?_=1701453287208&sv=2022-11-02&ss=bqtf&srt=sco&sp=rwdlacuptfxiy&se=2023-12-02T01:54:36Z&sig=XXXXX", + "path": "/mystorage/docs/myimage.jpg", + "port": 443, + "query": "_=1701453287208&sv=2022-11-02&ss=bqtf&srt=sco&sp=rwdlacuptfxiy&se=2023-12-02T01:54:36Z&sig=XXXXX", + "registered_domain": "windows.net", + "scheme": "https", + "subdomain": "example.file.core", + "top_level_domain": "net" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0(X11;Linuxx86_64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/119.0.0.0Safari/537.36", + "os": { + "name": "Linux" + }, + "version": "119.0.0" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + } + } + + ``` + + +=== "storage_read.json" + + ```json + + { + "message": 
"{\"time\":\"2023-12-01T17:55:39.9492668Z\",\"resourceId\":\"/subscriptions/af8a6d76-d0d2-4f4d-9591-f917957d9675/resourceGroups/myresource/providers/Microsoft.Storage/storageAccounts/example/fileServices/default\",\"category\":\"StorageRead\",\"operationName\":\"GetShareProperties\",\"operationVersion\":\"2018-03-28\",\"schemaVersion\":\"1.0\",\"statusCode\":200,\"statusText\":\"Success\",\"durationMs\":45,\"callerIpAddress\":\"10.0.0.10:49539\",\"correlationId\":\"e3ae0a7a-5817-4fd4-91f2-f8eb1df0aaaf\",\"identity\":{\"type\":\"AccountKey\",\"tokenHash\":\"key1(1111111111111111111111111111111111111111111111111111111111111111)\"},\"location\":\"westeurope\",\"properties\":{\"accountName\":\"example\",\"userAgentHeader\":\"Azure-Storage/9.3.2(.NETCLR4.0.30319.42000;Win32NT6.2.9200.0)\",\"clientRequestId\":\"0767b786-2c65-4637-990f-eb43c559b2ce\",\"etag\":\"\\\"0x8DBF2965D8FDE72\\\"\",\"serviceType\":\"file\",\"objectKey\":\"/example\",\"lastModifiedTime\":\"12/1/20235:53:03PM\",\"metricResponseType\":\"Success\",\"serverLatencyMs\":45,\"requestHeaderSize\":452,\"responseHeaderSize\":258,\"tlsVersion\":\"TLS1.2\"},\"uri\":\"https://example.file.core.windows.net:443/mystorage?restype=share\",\"protocol\":\"HTTPS\",\"resourceType\":\"Microsoft.Storage/storageAccounts/fileServices\"}", + "event": { + "action": "GetShareProperties", + "category": [ + "network" + ], + "dataset": "StorageRead", + "kind": "event", + "provider": "Microsoft.Storage/storageAccounts/fileServices", + "type": [ + "info" + ] + }, + "@timestamp": "2023-12-01T17:55:39.949266Z", + "azure": { + "files": { + "status": "Success" + } + }, + "cloud": { + "account": { + "name": "example" + }, + "provider": "Azure", + "region": "westeurope", + "service": { + "name": "files" + } + }, + "http": { + "response": { + "status_code": 200 + } + }, + "network": { + "protocol": "HTTPS" + }, + "source": { + "address": "10.0.0.10", + "ip": "10.0.0.10", + "port": 49539 + }, + "url": { + "domain": 
"example.file.core.windows.net", + "original": "https://example.file.core.windows.net:443/mystorage?restype=share", + "path": "/mystorage", + "port": 443, + "query": "restype=share", + "registered_domain": "windows.net", + "scheme": "https", + "subdomain": "example.file.core", + "top_level_domain": "net" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Azure-Storage/9.3.2(.NETCLR4.0.30319.42000;Win32NT6.2.9200.0)", + "os": { + "name": "Windows", + "version": "95" + } + }, + "related": { + "ip": [ + "10.0.0.10" + ] + } + } + + ``` + + +=== "storage_write.json" + + ```json + + { + "message": "{\"time\":\"2023-12-01T17:54:47.2719270Z\",\"resourceId\":\"/subscriptions/af8a6d76-d0d2-4f4d-9591-f917957d9675/resourceGroups/myresource/providers/Microsoft.Storage/storageAccounts/example/fileServices/default\",\"category\":\"StorageWrite\",\"operationName\":\"CreateFile\",\"operationVersion\":\"2022-11-02\",\"schemaVersion\":\"1.0\",\"statusCode\":201,\"statusText\":\"Success\",\"durationMs\":6,\"callerIpAddress\":\"1.2.3.4:39221\",\"correlationId\":\"e3ae0a7a-5817-4fd4-91f2-f8eb1df0aaaf\",\"identity\":{\"type\":\"SAS\",\"tokenHash\":\"key1(1111111111111111111111111111111111111111111111111111111111111111),SasSignature(2222222222222222222222222222222222222222222222222222222222222222)\"},\"location\":\"westeurope\",\"properties\":{\"accountName\":\"example\",\"userAgentHeader\":\"Mozilla/5.0(X11;Linuxx86_64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/119.0.0.0Safari/537.36\",\"referrerHeader\":\"https://portal.azure.com/\",\"etag\":\"\\\"0x8DBF2969B9AF0B5\\\"\",\"serviceType\":\"file\",\"objectKey\":\"/example\",\"lastModifiedTime\":\"12/1/20235:54:47PM\",\"metricResponseType\":\"Success\",\"serverLatencyMs\":6,\"requestHeaderSize\":994,\"responseHeaderSize\":859,\"tlsVersion\":\"TLS1.2\"},\"uri\":\"https://example.file.core.windows.net:443/mystorage/docs/myimage.jpg?_=1701453287208&sv=2022-11-02&ss=bqtf&srt=sco&sp=rwdlacuptfxiy&se=2023
-12-02T01:54:36Z&sig=XXXXX\",\"protocol\":\"HTTPS\",\"resourceType\":\"Microsoft.Storage/storageAccounts/fileServices\"}", + "event": { + "action": "CreateFile", + "category": [ + "network" + ], + "dataset": "StorageWrite", + "kind": "event", + "provider": "Microsoft.Storage/storageAccounts/fileServices", + "type": [ + "info" + ] + }, + "@timestamp": "2023-12-01T17:54:47.271927Z", + "azure": { + "files": { + "status": "Success" + } + }, + "cloud": { + "account": { + "name": "example" + }, + "provider": "Azure", + "region": "westeurope", + "service": { + "name": "files" + } + }, + "http": { + "response": { + "status_code": 201 + } + }, + "network": { + "protocol": "HTTPS" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 39221 + }, + "url": { + "domain": "example.file.core.windows.net", + "original": "https://example.file.core.windows.net:443/mystorage/docs/myimage.jpg?_=1701453287208&sv=2022-11-02&ss=bqtf&srt=sco&sp=rwdlacuptfxiy&se=2023-12-02T01:54:36Z&sig=XXXXX", + "path": "/mystorage/docs/myimage.jpg", + "port": 443, + "query": "_=1701453287208&sv=2022-11-02&ss=bqtf&srt=sco&sp=rwdlacuptfxiy&se=2023-12-02T01:54:36Z&sig=XXXXX", + "registered_domain": "windows.net", + "scheme": "https", + "subdomain": "example.file.core", + "top_level_domain": "net" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0(X11;Linuxx86_64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/119.0.0.0Safari/537.36", + "os": { + "name": "Linux" + }, + "version": "119.0.0" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. 
| +|`azure.files.status` | `keyword` | Azure files status | +|`cloud.account.name` | `keyword` | The cloud account name. | +|`cloud.provider` | `keyword` | Name of the cloud provider. | +|`cloud.region` | `keyword` | Region in which this host, resource, or service is located. | +|`cloud.service.name` | `keyword` | The cloud service name. | +|`event.action` | `keyword` | The action captured by the event. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.dataset` | `keyword` | Name of the dataset. | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.provider` | `keyword` | Source of the event. | +|`http.response.status_code` | `long` | HTTP response status code. | +|`network.protocol` | `keyword` | Application protocol name. | +|`source.ip` | `ip` | IP address of the source. | +|`source.port` | `long` | Port of the source. | +|`url.original` | `wildcard` | Unmodified original url as seen in the event source. | +|`user_agent.original` | `keyword` | Unparsed user_agent string. | + diff --git a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md index 3c1d55145a..5d0031d7e9 100644 --- a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md +++ b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md @@ -209,6 +209,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "target": "user" }, "email": { + "attachments": [], "from": { "address": [ "test3@test.test", 
@@ -302,6 +303,122 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "automated_investigation_and_response_with_attachment.json" + + ```json + + { + "message": "{\"CreationTime\": \"2023-11-21T12:24:04\", \"Id\": \"d32b02fd-f97e-47a1-9407-f5cb2dcca772\", \"Operation\": \"AirInvestigationData\", \"OrganizationId\": \"62e8c4be-8433-4768-82bb-4c97eaf05a19\", \"RecordType\": 64, \"UserKey\": \"AirInvestigation\", \"UserType\": 4, \"Version\": 1, \"Workload\": \"AirInvestigation\", \"ObjectId\": \"d32b02fd-f97e-47a1-9407-f5cb2dcca772\", \"UserId\": \"AirInvestigation\", \"Data\": \"{\\\"Version\\\":\\\"3.0\\\",\\\"VendorName\\\":\\\"Microsoft\\\",\\\"ProviderName\\\":\\\"OATP\\\",\\\"AlertType\\\":\\\"4b1820ec-39dc-45f3-abf6-5ee80df51fd2\\\",\\\"StartTimeUtc\\\":\\\"2023-11-21T12:13:21.3426718Z\\\",\\\"EndTimeUtc\\\":\\\"2023-11-21T12:13:21.3426718Z\\\",\\\"TimeGenerated\\\":\\\"2023-11-21T12:21:01.367Z\\\",\\\"ProcessingEndTime\\\":\\\"2023-11-21T12:24:02.9479392Z\\\",\\\"Status\\\":\\\"InProgress\\\",\\\"Severity\\\":\\\"Informational\\\",\\\"ConfidenceLevel\\\":\\\"Unknown\\\",\\\"ConfidenceScore\\\":1.0,\\\"IsIncident\\\":false,\\\"ProviderAlertId\\\":\\\"2187a396-5337-1901-6e00-08dbea8b3430\\\",\\\"SystemAlertId\\\":null,\\\"CorrelationKey\\\":\\\"955b1f53-3bcf-45cf-9e1d-b071d0518b01\\\",\\\"Investigations\\\":[{\\\"$id\\\":\\\"1\\\",\\\"Id\\\":\\\"urn:ZappedFileInvestigation:adffaf6ed0f17079cf14e9dc2adf9c1d\\\",\\\"InvestigationStatus\\\":\\\"Running\\\"}],\\\"InvestigationIds\\\":[\\\"urn:ZappedFileInvestigation:adffaf6ed0f17079cf14e9dc2adf9c1d\\\"],\\\"Intent\\\":\\\"Probing\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"2\\\",\\\"AadTenantId\\\":\\\"62e8c4be-8433-4768-82bb-4c97eaf05a19\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"AzureResourceId\\\":null,\\\"WorkspaceId\\\":null,\\\"WorkspaceSubscriptionId\\\":null,\\\"WorkspaceResourceGroup\\\":null,\\\"AgentId\\\":null,\\\"AlertDisplayName\\\":\\\"Email messages containing 
malicious file removed after delivery\\\",\\\"Description\\\":\\\"Emails with malicious file that were delivered and later removed -V1.0.0.3\\\",\\\"ExtendedLinks\\\":[{\\\"Href\\\":\\\"https://security.microsoft.com/viewalerts?id=2187a396-5337-1901-6e00-08dbea8b3430\\\",\\\"Category\\\":null,\\\"Label\\\":\\\"alert\\\",\\\"Type\\\":\\\"webLink\\\"}],\\\"Metadata\\\":{\\\"CustomApps\\\":null,\\\"GenericInfo\\\":null},\\\"Entities\\\":[{\\\"$id\\\":\\\"3\\\",\\\"MailboxPrimaryAddress\\\":\\\"john.doe@example.com\\\",\\\"Upn\\\":\\\"john.doe@example.com\\\",\\\"AadId\\\":\\\"70999cb4-e7db-47c8-a3ba-99381283152d\\\",\\\"RiskLevel\\\":\\\"None\\\",\\\"Type\\\":\\\"mailbox\\\",\\\"Urn\\\":\\\"urn:UserEntity:11111111111111111111111111111111\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"0001-01-01T00:00:00\\\"},{\\\"$id\\\":\\\"4\\\",\\\"Files\\\":[{\\\"$id\\\":\\\"5\\\",\\\"Name\\\":\\\"pix.jpg\\\",\\\"FileHashes\\\":[{\\\"$id\\\":\\\"6\\\",\\\"Algorithm\\\":\\\"SHA256\\\",\\\"Value\\\":\\\"C2225DAC3768ED8E9940CC303B596D20A04FCC8BDC549CBD813464A2CBE6B366\\\",\\\"Type\\\":\\\"filehash\\\"}],\\\"Type\\\":\\\"file\\\",\\\"MalwareFamily\\\":\\\"Malicious Payload\\\"}],\\\"Recipient\\\":\\\"john.doe@example.com\\\",\\\"Urls\\\":[\\\"https://example.org\\\"],\\\"Sender\\\":\\\"jane.doe@example.org\\\",\\\"P1Sender\\\":\\\"jane.doe@example.org\\\",\\\"P1SenderDomain\\\":\\\"example.org\\\",\\\"SenderIP\\\":\\\"1.2.3.4\\\",\\\"P2Sender\\\":\\\"jane.doe@example.org\\\",\\\"P2SenderDisplayName\\\":\\\"jane.doe\\\",\\\"P2SenderDomain\\\":\\\"example.org\\\",\\\"ReceivedDate\\\":\\\"2023-11-21T12:00:46\\\",\\\"NetworkMessageId\\\":\\\"3fe5777d-1fb7-4f34-bb1e-035e4df1f96f\\\",\\\"InternetMessageId\\\":\\\"<88f57442-338a-4e6b-8925-73d62527809b@example.org>\\\",\\\"Subject\\\":\\\"Pending and 
Review\\\",\\\"AntispamDirection\\\":\\\"Inbound\\\",\\\"DeliveryAction\\\":\\\"Blocked\\\",\\\"ThreatDetectionMethods\\\":[\\\"FileHashList\\\"],\\\"Language\\\":\\\"en\\\",\\\"DeliveryLocation\\\":\\\"Quarantine\\\",\\\"OriginalDeliveryLocation\\\":\\\"Inbox\\\",\\\"PhishConfidenceLevel\\\":\\\"High\\\",\\\"AdditionalActionsAndResults\\\":[\\\"OriginalDelivery: [N/A]\\\",\\\"Zap: [Success: Message moved to quarantine]\\\"],\\\"AuthDetails\\\":[{\\\"Name\\\":\\\"SPF\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"DKIM\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"DMARC\\\",\\\"Value\\\":\\\"Best guess pass\\\"},{\\\"Name\\\":\\\"Comp Auth\\\",\\\"Value\\\":\\\"pass\\\"}],\\\"SystemOverrides\\\":[],\\\"Type\\\":\\\"mailMessage\\\",\\\"Urn\\\":\\\"urn:MailEntity:93d7f11156b7dc03c36d7ef108389605\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"0001-01-01T00:00:00\\\"},{\\\"$id\\\":\\\"7\\\",\\\"Name\\\":\\\"pix.jpg\\\",\\\"FileHashes\\\":[{\\\"$id\\\":\\\"8\\\",\\\"Algorithm\\\":\\\"SHA256\\\",\\\"Value\\\":\\\"C2225DAC3768ED8E9940CC303B596D20A04FCC8BDC549CBD813464A2CBE6B366\\\",\\\"Type\\\":\\\"filehash\\\"}],\\\"Type\\\":\\\"file\\\",\\\"MalwareFamily\\\":\\\"\\\",\\\"Urn\\\":\\\"urn:FileEntity:6cfb0a0866370a891ce96e9c83fb4fed\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"0001-01-01T00:00:00\\\"}],\\\"LogCreationTime\\\":\\\"2023-11-21T12:24:02.9479392Z\\\",\\\"MachineName\\\":\\\"DBAEUR03BG405\\\",\\\"SourceTemplateType\\\":\\\"Threat_Single\\\",\\\"Category\\\":\\\"ThreatManagement\\\",\\\"SourceAlertType\\\":\\\"System\\\"}\", \"DeepLinkUrl\": \"https://security.microsoft.com/mtp-investigation/urn:ZappedFileInvestigation:adffaf6ed0f17079cf14e9dc2adf9c1d\", \"EndTimeUtc\": \"0001-01-01T00:00:00\", \"InvestigationId\": \"urn:ZappedFileInvestigation:adffaf6ed0f17079cf14e9dc2adf9c1d\", \"InvestigationName\": \"Mail with malicious file is zapped - urn:ZappedFileInvestigation:adffaf6ed0f17079cf14e9dc2adf9c1d\", \"InvestigationType\": 
\"ZappedFileInvestigation\", \"LastUpdateTimeUtc\": \"2023-11-21T12:21:48\", \"StartTimeUtc\": \"2023-11-21T12:24:03\", \"Status\": \"Investigation Started\"}", + "event": { + "action": "AirInvestigationData", + "code": "64", + "end": "0001-01-01T00:00:00Z", + "kind": "event", + "start": "2023-11-21T12:24:03Z" + }, + "@timestamp": "2023-11-21T12:24:04Z", + "action": { + "id": 64, + "name": "AirInvestigationData", + "outcome": "success", + "target": "user" + }, + "email": { + "attachments": [ + { + "file": { + "hash": { + "sha256": "C2225DAC3768ED8E9940CC303B596D20A04FCC8BDC549CBD813464A2CBE6B366" + }, + "name": "pix.jpg" + } + } + ], + "from": { + "address": [ + "jane.doe@example.org" + ] + }, + "to": { + "address": [ + "john.doe@example.com" + ] + } + }, + "host": { + "name": "DBAEUR03BG405" + }, + "log": { + "level": "Informational" + }, + "office365": { + "audit": { + "object_id": "d32b02fd-f97e-47a1-9407-f5cb2dcca772" + }, + "investigation": { + "alert": { + "category": "ThreatManagement", + "correlation_key": "955b1f53-3bcf-45cf-9e1d-b071d0518b01", + "is_incident": false, + "provider": { + "name": "OATP", + "status": "InProgress" + }, + "severity": "Informational", + "source_type": "System", + "type": "4b1820ec-39dc-45f3-abf6-5ee80df51fd2" + }, + "email": { + "sender": { + "domains": [ + "example.org" + ], + "ip": [ + "1.2.3.4" + ] + }, + "subjects": [ + "Pending and Review" + ], + "urls": [ + "https://example.org" + ] + }, + "id": "urn:ZappedFileInvestigation:adffaf6ed0f17079cf14e9dc2adf9c1d", + "name": "Mail with malicious file is zapped - urn:ZappedFileInvestigation:adffaf6ed0f17079cf14e9dc2adf9c1d", + "status": "Investigation Started", + "threats": [], + "type": "ZappedFileInvestigation" + }, + "record_type": 64, + "user_type": { + "code": 4, + "name": "System" + } + }, + "organization": { + "id": "62e8c4be-8433-4768-82bb-4c97eaf05a19" + }, + "related": { + "user": [ + "AirInvestigation" + ] + }, + "rule": { + "name": "Email messages containing malicious 
file removed after delivery" + }, + "service": { + "name": "AirInvestigation" + }, + "user": { + "id": "AirInvestigation", + "name": "AirInvestigation" + } + } + + ``` + + === "compliancemanager-scorechange.json" ```json