From 985d3ca24fe8b2594b40d7e063a1461f0c3eefe2 Mon Sep 17 00:00:00 2001
From: "sekoia-io-cross-repo-comm-app[bot]"
Date: Mon, 16 Oct 2023 10:26:28 +0000
Subject: [PATCH] Refresh intakes documentation

---
 .../890207d2-4878-440d-9079-3dd25d472e0a.md | 473 ++++++++++++++++++
 .../dc0f339f-5dbe-4e68-9fa0-c63661820941.md | 9 +
 2 files changed, 482 insertions(+)
 create mode 100644 _shared_content/operations_center/integrations/generated/890207d2-4878-440d-9079-3dd25d472e0a.md

diff --git a/_shared_content/operations_center/integrations/generated/890207d2-4878-440d-9079-3dd25d472e0a.md b/_shared_content/operations_center/integrations/generated/890207d2-4878-440d-9079-3dd25d472e0a.md
new file mode 100644
index 0000000000..83c3aaba54
--- /dev/null
+++ b/_shared_content/operations_center/integrations/generated/890207d2-4878-440d-9079-3dd25d472e0a.md
@@ -0,0 +1,473 @@ + +## Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Authentication logs` | None | +| `File monitoring` | None | +| `Network device configuration` | None | + + + + + +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `alert`, `event` | +| Category | `authentication`, `configuration`, `file`, `iam`, `network` | +| Type | `change`, `info`, `start` | + + + + +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "test_alert_failed_auth.json" + + ```json + + { + "message": "0|ManageEngine|ADAuditPlus|1|EventLog|ADAPAlerts|1|cat=ADAPAlerts cn3=7054 cs4=Unusual Activity -Logon Failure Count (Based on Host) cs1=AD Analytics cs5=2 rt=1694682115000 msg=10+ number of Logon Failure Activity occured on SERVER02.example.org within 11AM - 12PM. Usual average is 0, Threshold calculated is 10. Anomaly category:Unusual Activity -Logon Failure Count (Based on Host) cs3=User Behaviour Analytics sntdom=example.org", + "event": { + "kind": "alert", + "module": "EventLog", + "severity": 1, + "dataset": "ADAPAlerts", + "reason": "10+ number of Logon Failure Activity occured on SERVER02.example.org within 11AM - 12PM. Usual average is 0, Threshold calculated is 10. 
Anomaly category:Unusual Activity -Logon Failure Count (Based on Host)" + }, + "@timestamp": "2023-09-14T09:01:55Z", + "observer": { + "vendor": "ManageEngine", + "product": "ADAuditPlus", + "version": "1", + "hostname": "User Behaviour Analytics" + }, + "related": { + "hosts": [ + "User Behaviour Analytics" + ] + } + } + + ``` + + +=== "test_alert_iam_change_group.json" + + ```json + + { + "message": "0|ManageEngine|ADAuditPlus|1|EventLog|ADAPAlerts|1|cat=ADAPAlerts cn3=119667 cs4=Group Membership Changes cs1=Security Group Membership Changes cs5=2 rt=1694682147000 msg=Member 'CN\\=JaneDoe,OU\\=UTILISATEURS,DC\\=example,DC\\=org' was added to Global Security Group 'MyGROUP' by 'EXAMPLE\\J_DOE'. cs3=SERVER02.example.org sntdom=example.org", + "event": { + "kind": "alert", + "module": "EventLog", + "severity": 1, + "dataset": "ADAPAlerts", + "reason": "Member 'CN\\=JaneDoe,OU\\=UTILISATEURS,DC\\=example,DC\\=org' was added to Global Security Group 'MyGROUP' by 'EXAMPLE\\J_DOE'." + }, + "@timestamp": "2023-09-14T09:02:27Z", + "observer": { + "vendor": "ManageEngine", + "product": "ADAuditPlus", + "version": "1", + "hostname": "SERVER02.example.org" + }, + "related": { + "hosts": [ + "SERVER02.example.org" + ] + } + } + + ``` + + +=== "test_audit_conf_change.json" + + ```json + + { + "message": "0|ManageEngine|ADAuditPlus|1|EventLog|ADObjectsAuditReports|1|cat=ADObjectsAuditReports cs1=Configuration Changes cn1=1234 rt=1694681920000 outcome=Success cs3=SERVER02.example.org reason=Write Property : msExchOAB duser=Default Offline Address Book cs4=null suser=JDX2093$ type=msExchOAB msg=msExchOAB 'Default Offline Address Book' was modified by 'EXAMPLE\\JDX2093$'. Modified Properties : ms-Exch-OAB-Last-Number-Of-Records. 
Value : 7970 cn2=1234567890 suid=S-1-5-21-111111111-2222222222-3333333333-44444 sntdom=example.org", + "event": { + "kind": "event", + "category": [ + "configuration" + ], + "type": [ + "change" + ], + "module": "EventLog", + "severity": 1, + "dataset": "ADObjectsAuditReports", + "reason": "msExchOAB 'Default Offline Address Book' was modified by 'EXAMPLE\\JDX2093$'. Modified Properties : ms-Exch-OAB-Last-Number-Of-Records. Value : 7970" + }, + "@timestamp": "2023-09-14T08:58:40Z", + "observer": { + "vendor": "ManageEngine", + "product": "ADAuditPlus", + "version": "1", + "hostname": "SERVER02.example.org" + }, + "user": { + "name": "JDX2093$", + "id": "S-1-5-21-111111111-2222222222-3333333333-44444", + "target": { + "name": "Default Offline Address Book" + } + }, + "action": { + "outcome": "Success" + }, + "related": { + "hosts": [ + "SERVER02.example.org" + ], + "user": [ + "JDX2093$" + ] + } + } + + ``` + + +=== "test_audit_conf_change_2.json" + + ```json + + { + "message": "0|ManageEngine|ADAuditPlus|1|EventLog|DNSAuditReports|1|cat=DNSAuditReports cs1=DNS Permission Changes cn1=1234 rt=1694681538000 outcome=Success cs3=SERVER02.example.org reason=No changes on the Security Descriptor duser=119251-P10 suser=SYSTEM msg=dnsNode (null) '119251-P10'was modified by 'NT AUTHORITY\\SYSTEM'. Modified Properties : NT-Security-Descriptor cn2=1234567890 suid=S-1-5-18 sntdom=example.org", + "event": { + "kind": "event", + "category": [ + "configuration" + ], + "type": [ + "change" + ], + "module": "EventLog", + "severity": 1, + "dataset": "DNSAuditReports", + "reason": "dnsNode (null) '119251-P10'was modified by 'NT AUTHORITY\\SYSTEM'. 
Modified Properties : NT-Security-Descriptor" + }, + "@timestamp": "2023-09-14T08:52:18Z", + "observer": { + "vendor": "ManageEngine", + "product": "ADAuditPlus", + "version": "1", + "hostname": "SERVER02.example.org" + }, + "user": { + "name": "SYSTEM", + "id": "S-1-5-18", + "target": { + "name": "119251-P10" + } + }, + "action": { + "outcome": "Success" + }, + "related": { + "hosts": [ + "SERVER02.example.org" + ], + "user": [ + "SYSTEM" + ] + } + } + + ``` + + +=== "test_iam_change_group.json" + + ```json + + { + "message": "0|ManageEngine|ADAuditPlus|1|EventLog|GroupMgmtReports|1|cat=GroupMgmtReports cs1=Group Attributes Changed cs3=SERVER02.example.org type=member msg=Group 'MyGROUP' was modified by 'EXAMPLE\\J_DOE' Modified Properties : member, Values : CN\\=JANEDOE,OU\\=USERS,DC\\=example,DC\\=org rt=1694682151000 duser=MyGROUP sntdom=example.org duid=%{S-1-5-21-111111111-2222222222-3333333333-55555} suser=J_DOE cn1=1234 reason=Group Attribute Added cn2=1234567890 suid=S-1-5-21-111111111-2222222222-3333333333-44444", + "event": { + "kind": "event", + "category": [ + "iam" + ], + "type": [ + "change" + ], + "module": "EventLog", + "severity": 1, + "dataset": "GroupMgmtReports", + "reason": "Group 'MyGROUP' was modified by 'EXAMPLE\\J_DOE' Modified Properties : member, Values : CN\\=JANEDOE,OU\\=USERS,DC\\=example,DC\\=org" + }, + "@timestamp": "2023-09-14T09:02:31Z", + "observer": { + "vendor": "ManageEngine", + "product": "ADAuditPlus", + "version": "1", + "hostname": "SERVER02.example.org" + }, + "user": { + "name": "J_DOE", + "id": "S-1-5-21-111111111-2222222222-3333333333-44444", + "target": { + "name": "MyGROUP", + "id": "S-1-5-21-111111111-2222222222-3333333333-55555" + } + }, + "related": { + "hosts": [ + "SERVER02.example.org" + ], + "user": [ + "J_DOE" + ] + } + } + + ``` + + +=== "test_iam_change_user.json" + + ```json + + { + "message": "0|ManageEngine|ADAuditPlus|1|EventLog|UserMgmtReports|1|cat=UserMgmtReports cs1=User Attributes Changed 
type=primaryGroupID rt=1694682151000 msg=User 'JaneDoe' was modified by 'EXAMPLE\\J_DOE' Modified Properties : primaryGroupID, Values : 513 duser=JaneDoe sntdom=example.org duid=%{S-1-5-21-111111111-2222222222-3333333333-55555} suser=J_DOE cs3=SERVER02.example.org cn1=1234 reason=User Modified outcome=Success cn2=1234567890 suid=S-1-5-21-111111111-2222222222-3333333333-44444", + "event": { + "kind": "event", + "category": [ + "iam" + ], + "type": [ + "change" + ], + "module": "EventLog", + "severity": 1, + "dataset": "UserMgmtReports", + "reason": "User 'JaneDoe' was modified by 'EXAMPLE\\J_DOE' Modified Properties : primaryGroupID, Values : 513" + }, + "@timestamp": "2023-09-14T09:02:31Z", + "observer": { + "vendor": "ManageEngine", + "product": "ADAuditPlus", + "version": "1", + "hostname": "SERVER02.example.org" + }, + "user": { + "name": "J_DOE", + "id": "S-1-5-21-111111111-2222222222-3333333333-44444", + "target": { + "name": "JaneDoe", + "id": "S-1-5-21-111111111-2222222222-3333333333-55555" + } + }, + "action": { + "outcome": "Success" + }, + "related": { + "hosts": [ + "SERVER02.example.org" + ], + "user": [ + "J_DOE" + ] + } + } + + ``` + + +=== "test_iam_change_user_password.json" + + ```json + + { + "message": "0|ManageEngine|ADAuditPlus|1|EventLog|UserMgmtReports|1|cat=UserMgmtReports cs1=Password Changed Users type=Change Password Attempt rt=1694681589000 msg=Change Password Attempt by user 'J_DOE'. Status:Failure' duser=J_DOE sntdom=EXAMPLE duid=%{S-1-5-21-111111111-2222222222-3333333333-55555} suser=J_DOE cs3=SERVER02.example.org cn1=1234 reason=Change Password Attempt outcome=Failure cn2=1234567890 suid=S-1-5-21-111111111-2222222222-3333333333-44444", + "event": { + "kind": "event", + "category": [ + "iam" + ], + "type": [ + "change" + ], + "module": "EventLog", + "severity": 1, + "dataset": "UserMgmtReports", + "reason": "Change Password Attempt by user 'J_DOE'. 
Status:Failure'" + }, + "@timestamp": "2023-09-14T08:53:09Z", + "observer": { + "vendor": "ManageEngine", + "product": "ADAuditPlus", + "version": "1", + "hostname": "SERVER02.example.org" + }, + "user": { + "name": "J_DOE", + "id": "S-1-5-21-111111111-2222222222-3333333333-44444", + "target": { + "name": "J_DOE", + "id": "S-1-5-21-111111111-2222222222-3333333333-55555" + } + }, + "action": { + "outcome": "Failure" + }, + "related": { + "hosts": [ + "SERVER02.example.org" + ], + "user": [ + "J_DOE" + ] + } + } + + ``` + + +=== "test_logon_failure.json" + + ```json + + { + "message": "0|ManageEngine|ADAuditPlus|1|EventLog|LogonReports|1|cat=LogonReports cs1=All Users Logon suser=johndoe cs2=1.2.3.4 shost=1.2.3.4 rt=1694681391000 cn2=1234567890 outcome=Failure sntdom=example.org cs3=SERVER02.example.org suid=S-1-5-21-111111111-2222222222-3333333333-44444 reason=Bad password cn1=1234 msg=Kerberos pre-authentication failed.", + "event": { + "kind": "event", + "category": [ + "authentication" + ], + "type": [ + "start" + ], + "module": "EventLog", + "severity": 1, + "dataset": "LogonReports", + "reason": "Kerberos pre-authentication failed." 
+ }, + "@timestamp": "2023-09-14T08:49:51Z", + "observer": { + "vendor": "ManageEngine", + "product": "ADAuditPlus", + "version": "1", + "hostname": "SERVER02.example.org" + }, + "source": { + "ip": "1.2.3.4", + "address": "1.2.3.4" + }, + "user": { + "name": "johndoe", + "id": "S-1-5-21-111111111-2222222222-3333333333-44444" + }, + "action": { + "outcome": "Failure" + }, + "related": { + "hosts": [ + "SERVER02.example.org" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "johndoe" + ] + } + } + + ``` + + +=== "test_logon_success.json" + + ```json + + { + "message": "0|ManageEngine|ADAuditPlus|1|EventLog|LogonReports|1|cat=LogonReports cs1=All Users Logon suser=johndoe cs2=1.2.3.4 shost=LAPTOP234.example.org rt=1694682196000 cn2=1234567890 outcome=Success sntdom=example.org cs3=SERVER02.example.org suid=S-1-5-21-111111111-2222222222-3333333333-44444 reason=- cn1=1234 msg=A Kerberos authentication ticket (TGT) was requested.", + "event": { + "kind": "event", + "category": [ + "authentication" + ], + "type": [ + "start" + ], + "module": "EventLog", + "severity": 1, + "dataset": "LogonReports", + "reason": "A Kerberos authentication ticket (TGT) was requested." + }, + "@timestamp": "2023-09-14T09:03:16Z", + "observer": { + "vendor": "ManageEngine", + "product": "ADAuditPlus", + "version": "1", + "hostname": "SERVER02.example.org" + }, + "source": { + "ip": "1.2.3.4", + "address": "LAPTOP234.example.org" + }, + "user": { + "name": "johndoe", + "id": "S-1-5-21-111111111-2222222222-3333333333-44444" + }, + "action": { + "outcome": "Success" + }, + "related": { + "hosts": [ + "SERVER02.example.org" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "johndoe" + ] + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. 
+ +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.dataset` | `keyword` | Name of the dataset. | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.module` | `keyword` | Name of the module this data is coming from. | +|`event.reason` | `keyword` | Reason why this event happened, according to the source | +|`event.severity` | `long` | Numeric severity of the event. | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`file.name` | `keyword` | Name of the file including the extension, without the directory. | +|`file.path` | `keyword` | Full path to the file, including the file name. | +|`observer.hostname` | `keyword` | Hostname of the observer. | +|`observer.product` | `keyword` | The product name of the observer. | +|`observer.vendor` | `keyword` | Vendor name of the observer. | +|`observer.version` | `keyword` | Observer version. | +|`source.address` | `keyword` | Source network address. | +|`source.ip` | `ip` | IP address of the source. | +|`user.id` | `keyword` | Unique identifier of the user. | +|`user.name` | `keyword` | Short name or login of the user. | +|`user.target.id` | `keyword` | Unique identifier of the user. | +|`user.target.name` | `keyword` | Short name or login of the user. | + diff --git a/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md b/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md index 4b45387a7a..c9077d651b 100644 --- a/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md +++ b/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md 
@@ -430,6 +430,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "md5": "01565bf41f1cb993d69334f409835293" } }, + "url": { + "original": "https://example.org/sites/", + "domain": "example.org", + "top_level_domain": "org", + "registered_domain": "example.org", + "path": "/sites/", + "scheme": "https", + "port": 443 + }, "user": { "email": "john.doe@example.onmicrosoft.com" },