diff --git a/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002.md b/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002.md index c7e88d567d..fbb532cebf 100644 --- a/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002.md +++ b/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002.md 
@@ -274,6 +274,76 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "network_traffic.json" + + ```json + + { + "message": "{\"version\":5,\"account_id\":\"012345678901\",\"interface_id\":\"eni-1235b8ca123456789\",\"srcaddr\":\"1.2.3.4\",\"dstaddr\":\"5.6.7.8\",\"srcport\":25238.0,\"dstport\":8080.0,\"protocol\":6.0,\"packets\":5.0,\"bytes\":412.0,\"start\":1726491185,\"end\":1726491211,\"action\":\"ACCEPT\",\"log_status\":\"OK\",\"vpc_id\":\"vpc-0123456789abcdefg\",\"subnet_id\":\"subnet-0123456789abcdefg\",\"instance_id\":\"-\",\"tcp_flags\":3.0,\"type\":\"IPv4\",\"pkt_srcaddr\":\"1.2.3.4\",\"pkt_dstaddr\":\"5.6.7.8\",\"region\":\"eu-west-1\",\"az_id\":\"euw1-az3\",\"sublocation_type\":\"-\",\"sublocation_id\":\"-\",\"pkt_src_aws_service\":\"-\",\"pkt_dst_aws_service\":\"-\",\"flow_direction\":\"ingress\",\"traffic_path\":null}", + "event": { + "category": [ + "network" + ], + "end": "2024-09-16T12:53:31Z", + "outcome": "ok", + "start": "2024-09-16T12:53:05Z" + }, + "@timestamp": "2024-09-16T12:53:05Z", + "action": { + "name": "accept", + "outcome": "ok", + "target": "network-traffic", + "type": "forward" + }, + "aws": { + "flowlogs": { + "subnet": { + "id": "subnet-0123456789abcdefg" + }, + "vpc": { + "id": "vpc-0123456789abcdefg" + } + } + }, + "cloud": { + "account": { + "id": "012345678901" + }, + "provider": "aws" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 8080.0 + }, + "network": { + "iana_number": "6.0" + }, + "observer": { + "ingress": { + "interface": { + "name": "eni-1235b8ca123456789" + } + } + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "bytes": 412.0, + "ip": "1.2.3.4", + "packets": 5.0, + "port": 25238.0 + } + } + + ``` + + === "nodata.json" ```json 
@@ -447,7 +517,10 @@ The following table lists the fields that are extracted, normalized under the EC |`action.outcome` | `keyword` | The outcome of the action | |`action.target` | `keyword` | The target of the action | |`action.type` | `keyword` | The type of the action | +|`aws.flowlogs.subnet.id` | `keyword` | The ID of the subnet | +|`aws.flowlogs.vpc.id` | `keyword` | The ID of the VPC | |`cloud.account.id` | `keyword` | The cloud account or organization id. | +|`cloud.instance.id` | `keyword` | Instance ID of the host machine. | |`cloud.provider` | `keyword` | Name of the cloud provider. | |`destination.ip` | `ip` | IP address of the destination. | |`destination.port` | `long` | Port of the destination. | diff --git a/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002_sample.md b/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002_sample.md index 62a7312427..d59a3a9cc6 100644 --- a/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002_sample.md +++ b/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002_sample.md 
@@ -55,6 +55,45 @@ In this section, you will find examples of raw logs as generated natively by the +=== "network_traffic" + + + ```json + { + "version": 5, + "account_id": "012345678901", + "interface_id": "eni-1235b8ca123456789", + "srcaddr": "1.2.3.4", + "dstaddr": "5.6.7.8", + "srcport": 25238.0, + "dstport": 8080.0, + "protocol": 6.0, + "packets": 5.0, + "bytes": 412.0, + "start": 1726491185, + "end": 1726491211, + "action": "ACCEPT", + "log_status": "OK", + "vpc_id": "vpc-0123456789abcdefg", + "subnet_id": "subnet-0123456789abcdefg", + "instance_id": "-", + "tcp_flags": 3.0, + "type": "IPv4", + "pkt_srcaddr": "1.2.3.4", + "pkt_dstaddr": "5.6.7.8", + "region": "eu-west-1", + "az_id": "euw1-az3", + "sublocation_type": "-", + "sublocation_id": "-", + "pkt_src_aws_service": "-", + "pkt_dst_aws_service": "-", + "flow_direction": "ingress", + "traffic_path": null + } + ``` + + + === "nodata" diff --git a/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md b/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md index 31ff406f71..1a4e8638b4 100644 --- a/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md +++ b/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md @@ -753,6 +753,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "organization": { "id": "123456789831564686" }, + "related": { + "user": [ + "user.name" + ] + }, "rule": { "id": "-1" }, @@ -788,6 +793,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "eventid": 1387019684138751044, "siteId": 1083054176741832911, "updatedAt": "2022-03-29T17:20:30.998054Z" + }, + "user": { + "name": "user.name" } } 
@@ -1310,7 +1318,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "2001:db8:85a3::8a2e:370:7334" ], "user": [ - "VM-SENTINELONE\\User" + "User" ] }, "sentinelone": { @@ -1459,7 +1467,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I } }, "user": { - "name": "VM-SENTINELONE\\User" + "domain": "VM-SENTINELONE", + "name": "User" } } @@ -1531,7 +1540,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "fe80::9ddd:fd78:1f21:f709" ], "user": [ - "tdr-vm-template\\tdr" + "tdr" ] }, "sentinelone": { @@ -1688,7 +1697,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I } }, "user": { - "name": "tdr-vm-template\\tdr" + "domain": "tdr-vm-template", + "name": "tdr" } } @@ -1758,7 +1768,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "fe80::e4a1:7fce:33f3:d50e" ], "user": [ - "DOMAIN\\USERNAME" + "USERNAME" ] }, "sentinelone": { @@ -2067,7 +2077,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I } }, "user": { - "name": "DOMAIN\\USERNAME" + "domain": "DOMAIN", + "name": "USERNAME" } } @@ -2133,7 +2144,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "66.66.66.66" ], "user": [ - "DOMAIN\\USERNAME" + "USERNAME" ] }, "sentinelone": { @@ -2441,7 +2452,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I } }, "user": { - "name": "DOMAIN\\USERNAME" + "domain": "DOMAIN", + "name": "USERNAME" } } 
@@ -2887,6 +2899,7 @@ The following table lists the fields that are extracted, normalized under the EC |`threat.indicator.file.size` | `long` | File size in bytes. | |`threat.software.type` | `keyword` | Software type. | |`url.original` | `wildcard` | Unmodified original url as seen in the event source. | +|`user.domain` | `keyword` | Name of the directory the user is a member of. | |`user.id` | `long` | | |`user.name` | `keyword` | Short name or login of the user. | diff --git a/_shared_content/operations_center/integrations/generated/0825709a-5f76-441e-9dfb-2b5ea6ce551c.md b/_shared_content/operations_center/integrations/generated/0825709a-5f76-441e-9dfb-2b5ea6ce551c.md new file mode 100644 index 0000000000..b6193b2dc5 --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/0825709a-5f76-441e-9dfb-2b5ea6ce551c.md 
@@ -0,0 +1,753 @@ + +### Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Network intrusion detection system` | AIONIQ identify suspicious behaviors | +| `Network protocol analysis` | AIONIQ analyze traffic protocol | + + + + + +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `` | +| Category | `malware`, `network` | +| Type | `info` | + + + + +### Transformed Events Samples after Ingestion + +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. 
+ +=== "codebreaker.json" + + ```json + + { + "message": "{\"event_type\":\"powershell\",\"scores\":{\"analysis\":1890,\"analysis_detailed\":{\"CharInt\":0,\"InvokeWebRequest\":0,\"FmtStr\":0,\"WebClientInvokation\":0,\"StrReplace\":0,\"StrJoin\":0,\"SetContent\":0,\"StreamWriter\":0,\"SystemIOFile\":0,\"StreamReader\":0,\"InvokeRestMethod\":0,\"AddContent\":0,\"StartBitsTransfer\":0,\"InvokeExpression\":0,\"GetContent\":0,\"StrCat\":370,\"Base64\":1520},\"proba_obfuscated\":1.0},\"timestamp_detected\":\"2023-03-22T10:30:37.145Z\",\"uuid\":\"8906e477-02b5-4ada-abaa-67b2d41f204a\",\"severity\":1,\"type\":\"codebreaker\",\"src_ip\":\"1.1.1.1\",\"state\":\"Exploit\",\"dest_port\":\"35444\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":\"2157601933358692\",\"gcap\":\"gcap-xxxxxxxxxx.domain.local\",\"@timestamp\":\"2023-03-22T10:32:50.269Z\",\"timestamp_analyzed\":\"2023-03-22T10:32:50.269Z\",\"src_port\":\"4242\",\"file_id\":\"03-22-2023T10:32:45_772669089795425e9ad63823ea1e7ac3_gcap-xxxxxxxx.domain.local\",\"sub_type\":\"powershell\",\"SHA256\":\"efc9380fee13f9accf1cbc2f2bb02ae430cf39d4fbfe1d766f65b500b571ca29\",\"MD5\":\"60b656e17bec0a97f5638790c78a3124\",\"@version\":\"1\",\"gcenter\":\"gcenter-xxxxxxxxxx.domain.local\"}", + "event": { + "category": [ + "network" + ], + "module": "powershell", + "severity": 1 + }, + "@timestamp": "2023-03-22T10:32:50.269000Z", + "destination": { + "address": "2.2.2.2", + "ip": "2.2.2.2", + "port": 35444 + }, + "gatewatcher": { + "event_type": "powershell", + "flow_id": "2157601933358692", + "gcap": "gcap-xxxxxxxxxx.domain.local", + "gcenter": "gcenter-xxxxxxxxxx.domain.local", + "sample_id": "03-22-2023T10:32:45_772669089795425e9ad63823ea1e7ac3_gcap-xxxxxxxx.domain.local", + "scores": { + "analysis": 1890, + "analysis_detailed": "{\"AddContent\": 0, \"Base64\": 1520, \"CharInt\": 0, \"FmtStr\": 0, \"GetContent\": 0, \"InvokeExpression\": 0, \"InvokeRestMethod\": 0, \"InvokeWebRequest\": 0, \"SetContent\": 0, \"StartBitsTransfer\": 0, 
\"StrCat\": 370, \"StrJoin\": 0, \"StrReplace\": 0, \"StreamReader\": 0, \"StreamWriter\": 0, \"SystemIOFile\": 0, \"WebClientInvokation\": 0}", + "proba_obfuscated": 1.0 + }, + "state": "Exploit", + "sub_type": "powershell", + "timestamp_analyzed": "2023-03-22T10:32:50.269Z", + "timestamp_detected": "2023-03-22T10:30:37.145Z", + "type": "codebreaker" + }, + "observer": { + "name": "gcap-xxxxxxxxxx.domain.local", + "type": "ids", + "version": "0.2" + }, + "related": { + "ip": [ + "1.1.1.1", + "2.2.2.2" + ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "port": 4242 + } + } + + ``` + + +=== "dga.json" + + ```json + + { + "message": "{\"event_type\":\"dga\",\"domain_name\":\"pgoadcmgqfacj.com\",\"timestamp_detected\":\"2023-03-22T10:25:54.903Z\",\"uuid\":\"4e4b3104-06ba-4277-899e-149a74a0671c\",\"severity\":1,\"type\":\"machine_learning\",\"probability\":0.9999731546766107,\"dest_port\":53,\"gcap\":\"gcap-xxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":729468278572,\"src_ip\":\"1.1.1.1\",\"@timestamp\":\"2023-03-22T10:46:08.487Z\",\"@version\":\"1\",\"matched_event\":\"041b2ed4-a5e0-4814-8bdc-7522b6d5464f\",\"timestamp_analyzed\":\"2023-03-22T10:46:08.487Z\",\"gcenter\":\"gcenter-xxxxxx.domain.local\",\"src_port\":1294}", + "event": { + "category": [ + "network" + ], + "module": "dga", + "severity": 1 + }, + "@timestamp": "2023-03-22T10:46:08.487000Z", + "destination": { + "address": "2.2.2.2", + "ip": "2.2.2.2", + "port": 53 + }, + "gatewatcher": { + "domain_name": "pgoadcmgqfacj.com", + "event_type": "dga", + "flow_id": "729468278572", + "gcap": "gcap-xxxxxxxx.domain.local", + "gcenter": "gcenter-xxxxxx.domain.local", + "matched_event": "041b2ed4-a5e0-4814-8bdc-7522b6d5464f", + "probability": 0.9999731546766107, + "timestamp_analyzed": "2023-03-22T10:46:08.487Z", + "timestamp_detected": "2023-03-22T10:25:54.903Z", + "type": "machine_learning" + }, + "observer": { + "name": "gcap-xxxxxxxx.domain.local", + "type": "ids", + "version": 
"0.2" + }, + "related": { + "ip": [ + "1.1.1.1", + "2.2.2.2" + ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "port": 1294 + } + } + + ``` + + +=== "malcore.json" + + ```json + + { + "message": "{\"timestamp\":\"2023-03-22T10:35:22.615360+0000\",\"analyzed_infected\":10,\"detail_threat_found\":\"Infected : Script.SWF.CVE-2014-0515+.C107 (B), Exp.SWF.Angler.D, Script.SWF.CVE-2014-0515+.C107, SWF/Exploit.ExKit.J trojan, Exploit.SWF.Agent.ja, Exploit.Agent.Script.371, Exploit.Swf.Agent.dvtnkm, Script.SWF.CVE-2014-0515++.C118, EXP/FLASH.Pubenush.E.Gen, Exploit.SWF\",\"timestamp_detected\":\"2023-03-22T10:35:22.615Z\",\"uuid\":\"2103a99c-549e-49b7-bbef-68459e6cc44e\",\"severity\":1,\"dest_port\":19609,\"detail_wait_time\":320265,\"host\":\"gcap-xxxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"timestamp_analyzed\":\"2023-03-22T10:53:13.408Z\",\"@timestamp\":\"2023-03-22T10:53:13.408Z\",\"file_type_description\":\"Macromedia Flash Player\",\"fileinfo\":{\"sha256\":\"350836364013549b6a76aab79d57d109df6acc143759e24a952d3ff5d6a76ec4\",\"file_id\":379,\"magic\":\"Macromedia Flash data (compressed), version 
14\",\"tx_id\":1,\"state\":\"CLOSED\",\"filename\":\"/6SuCHKKkf8Sf1aFXJPqD0R6r3oEDCrbwHFm23EU-Af2zwWdHgpn6mEGu5XlxFust\",\"sid\":[1100020],\"stored\":true,\"md5\":\"67ca9a31f220bc7b68f203c07ad668b9\",\"gaps\":false,\"size\":77068},\"analyzed_suspicious\":0,\"analyzers_up\":16,\"app_proto\":\"http\",\"engines_last_update_date\":\"2023-03-08T19:03:00Z\",\"total_found\":\"10/16\",\"file_type\":\"application/x-shockwave-flash\",\"detail_scan_time\":13425,\"processing_time\":333690,\"SHA256\":\"350836364013549b6a76aab79d57d109df6acc143759e24a952d3ff5d6a76ec4\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"analyzed_clean\":5,\"event_type\":\"malware\",\"http\":{\"http_method\":\"GET\",\"http_port\":8080,\"protocol\":\"HTTP/1.1\",\"status\":200,\"hostname\":\"tsevid-synonymi.justdanceatsea.com\",\"url\":\"/6SuCHKKkf8Sf1aFXJPqD0R6r3oEDCrbwHFm23EU-Af2zwWdHgpn6mEGu5XlxFust\",\"length\":77068,\"http_content_type\":\"application/x-shockwave-flash\",\"http_user_agent\":\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)\",\"http_refer\":\"http://tsevid-synonymi.justdanceatsea.com:8080/ndf4xx22ci.php\"},\"type\":\"malcore\",\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"state\":\"Infected\",\"gcap\":\"gcap-xxxxxxxx.domain.local\",\"flow_id\":1910314914537014,\"reporting_token\":\"No GBOX\",\"src_port\":8080,\"analyzed_other\":1,\"engine_id\":{\"4\":{\"id\":\"32f2f45e6d9faf46e6954356a710208d412fac5181f6c641e34cb9956a133684\",\"threat_details\":\"SWF/Exploit.ExKit.J 
trojan\",\"scan_result\":\"INFECTED\"},\"1\":{\"id\":\"054a20c51cbe9d2cc7d6a237d6cd4e08ab1a67e170b371e632995766d3ba81af\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"9\":{\"id\":\"95603b80d80fa3e98b6faf07418a55ed0b035d19209e3ad4f1858f6b46fa070a\",\"threat_details\":\"Script.SWF.CVE-2014-0515++.C118\",\"scan_result\":\"INFECTED\"},\"14\":{\"id\":\"ecc47e2309be9838d6dc2c5157be1a840950e943f5aaca6637afca11516c3eaf\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"8\":{\"id\":\"714eca0a6475fe7d2bf9a24bcae343f657b230ff68acd544b019574f1392de77\",\"threat_details\":\"Exploit.Swf.Agent.dvtnkm\",\"scan_result\":\"INFECTED\"},\"7\":{\"id\":\"527db072abcf877d4bdcd0e9e4ce12c5d769621aa65dd2f7697a3d67de6cc737\",\"threat_details\":\"Exploit.Agent.Script.371\",\"scan_result\":\"INFECTED\"},\"2\":{\"id\":\"0ff95ddb1117d8f36124f6eac406dbbf9f17e3dd89f9bb1bd600f6ad834c25db\",\"threat_details\":\"Exp.SWF.Angler.D\",\"scan_result\":\"INFECTED\"},\"11\":{\"id\":\"ad05e0dc742bcd6251af91bd07ef470c699d5aebbb2055520b07021b14d7380c\",\"threat_details\":\"\",\"scan_result\":\"NOT_SCANNED\"},\"12\":{\"id\":\"af6868a2b87b3388a816e09d2b282629ccf883b763b3691368a27fbd6f6cd51a\",\"threat_details\":\"EXP/FLASH.Pubenush.E.Gen\",\"scan_result\":\"INFECTED\"},\"10\":{\"id\":\"a9b912e461cec506780d8ad8e785cca6b233ad7c72335c262b0a4ab189afa713\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"3\":{\"id\":\"312a189607571ec2c7544636be405f10889e73d061e0ed77ca0eca97a470838d\",\"threat_details\":\"Script.SWF.CVE-2014-0515+.C107\",\"scan_result\":\"INFECTED\"},\"6\":{\"id\":\"4ca73ae4b92fd7ddcda418e6b70ced0481ac2d878c48e61b686d0c9573c331dc\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"13\":{\"id\":\"b14014e40c0e672e050ad9c210a68a5303ce7facabae9eb2ee07ddf97dc0da0e\",\"threat_details\":\"\",\"scan_result\":\"CLEAN\"},\"0\":{\"id\":\"038e407ba285f0e01dd30c6e4f77ec19bad5ed3dc866a2904ae6bf46baa14b74\",\"threat_details\":\"Script.SWF.CVE-2014-0515+.C107 
(B)\",\"scan_result\":\"INFECTED\"},\"5\":{\"id\":\"3bfeb615a695c5ebaac5ade948ffae0c3cfec3787d4625e3abb27fa3c2867f53\",\"threat_details\":\"Exploit.SWF.Agent.ja\",\"scan_result\":\"INFECTED\"},\"15\":{\"id\":\"fe665976a02d03734c321007328109ab66823b260a8eea117d2ab49ee9dfd3f1\",\"threat_details\":\"Exploit.SWF\",\"scan_result\":\"INFECTED\"}},\"proto\":\"TCP\",\"code\":1,\"analyzed_error\":0,\"@version\":\"1\",\"magic_details\":\"Macromedia Flash data (compressed), version 14\"}", + "event": { + "category": [ + "malware" + ], + "module": "malware", + "severity": 1, + "type": [ + "info" + ] + }, + "@timestamp": "2023-03-22T10:53:13.408000Z", + "destination": { + "address": "2.2.2.2", + "ip": "2.2.2.2", + "port": 19609 + }, + "file": { + "hash": { + "md5": "67ca9a31f220bc7b68f203c07ad668b9", + "sha256": "350836364013549b6a76aab79d57d109df6acc143759e24a952d3ff5d6a76ec4" + }, + "name": "/6SuCHKKkf8Sf1aFXJPqD0R6r3oEDCrbwHFm23EU-Af2zwWdHgpn6mEGu5XlxFust", + "size": 77068 + }, + "gatewatcher": { + "event_type": "malware", + "fileinfo": "{\"file_id\": 379, \"filename\": \"/6SuCHKKkf8Sf1aFXJPqD0R6r3oEDCrbwHFm23EU-Af2zwWdHgpn6mEGu5XlxFust\", \"gaps\": false, \"magic\": \"Macromedia Flash data (compressed), version 14\", \"md5\": \"67ca9a31f220bc7b68f203c07ad668b9\", \"sha256\": \"350836364013549b6a76aab79d57d109df6acc143759e24a952d3ff5d6a76ec4\", \"sid\": [1100020], \"size\": 77068, \"state\": \"CLOSED\", \"stored\": true, \"tx_id\": 1}", + "filemagic": "Macromedia Flash data (compressed), version 14", + "flow_id": "1910314914537014", + "gcap": "gcap-xxxxxxxx.domain.local", + "gcenter": "gcenter-xxxxxxxx.domain.local", + "malcore": { + "code": "1", + "detail_threat_found": "Infected : Script.SWF.CVE-2014-0515+.C107 (B), Exp.SWF.Angler.D, Script.SWF.CVE-2014-0515+.C107, SWF/Exploit.ExKit.J trojan, Exploit.SWF.Agent.ja, Exploit.Agent.Script.371, Exploit.Swf.Agent.dvtnkm, Script.SWF.CVE-2014-0515++.C118, EXP/FLASH.Pubenush.E.Gen, Exploit.SWF" + }, + "reporting_token": "No GBOX", 
+ "state": "Infected", + "timestamp_analyzed": "2023-03-22T10:53:13.408Z", + "timestamp_detected": "2023-03-22T10:35:22.615Z", + "type": "malcore" + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 200 + } + }, + "network": { + "protocol": "http", + "transport": "TCP" + }, + "observer": { + "hostname": "gcap-xxxxxxxxx.domain.local", + "name": "gcap-xxxxxxxx.domain.local", + "type": "ids", + "version": "0.2" + }, + "related": { + "hash": [ + "350836364013549b6a76aab79d57d109df6acc143759e24a952d3ff5d6a76ec4", + "67ca9a31f220bc7b68f203c07ad668b9" + ], + "hosts": [ + "gcap-xxxxxxxxx.domain.local", + "tsevid-synonymi.justdanceatsea.com" + ], + "ip": [ + "1.1.1.1", + "2.2.2.2" + ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "port": 8080 + }, + "url": { + "domain": "tsevid-synonymi.justdanceatsea.com", + "path": "/6SuCHKKkf8Sf1aFXJPqD0R6r3oEDCrbwHFm23EU-Af2zwWdHgpn6mEGu5XlxFust", + "registered_domain": "justdanceatsea.com", + "subdomain": "tsevid-synonymi", + "top_level_domain": "com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "IE", + "original": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)", + "os": { + "name": "Windows", + "version": "7" + }, + "version": "8.0" + } + } + + ``` + + +=== "retrohunt.json" + + ```json + + { + "message": "{\"external_links\":[{\"url\":\"https://urlhaus.abuse.ch/url/2269068/\",\"source_name\":\"URLHaus Abuse.ch\"}],\"relations\":[\"0e3cc27b-7999-48ce-8484-dc12b325a355\"],\"description\":\"IOC matching first 
tests\",\"event_type\":\"retrohunt\",\"kill_chain_phases\":[],\"timestamp_detected\":\"2023-06-09T14:08:46.845Z\",\"ioc_type\":\"Host\",\"severity\":1,\"community_id\":\"1:x0uuTl0mYnN1nwngep7+A4VH38I=\",\"ioc_creation_date\":\"2023-06-12T10:00:35+00:00\",\"targeted_countries\":[],\"ioc_value\":\"im.a.very.bad.doma.in\",\"dest_ip\":\"2.2.2.2\",\"vulnerabilities\":[],\"matched_event\":\"bd7686c8-20db-427e-941d-844a5ecfe559\",\"risk\":\"Suspicious\",\"uuid\":\"416f35ad-b954-4b6a-a886-987b826bb7f4\",\"meta_data\":{\"ssdeep\":\"1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL\",\"cwe\":[],\"descriptions\":[],\"tslh\":\"T16D7312E017B517CC1371A8353BED205E9128223972AE35302E97528DF957703BAB2DBE\",\"filetype\":\"ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux)\",\"size\":78.3984375,\"usageMode\":\"hunting\"},\"flow_id\":841376349480333,\"matched_event_type\":\"alert\",\"ioc_updated_date\":\"2023-06-12T10:00:35+00:00\",\"targeted_platforms\":[\"linux\"],\"signature\":\"RetroHunt - Host - malware/Unknown - Hajime - GW Lab Test - 00100035-1206-2023-cbf5-08330f0d5bc0\",\"ioc_tags\":[\"trojan.generickd.34055387 (b)\",\"linux/hajime.a 
trojan\",\"e32/agent.cd\",\"linux.hajime.bc\",\"backdoor.hajime.linux.129\",\"linux/hajime.75930\",\"unix.malware.agent-6626471-0\",\"linux/hajime.nsnlw\",\"hajime\",\"elf.mirai.43048.gc\",\"trojan.elfarm32.hajime.fbhtfi\",\"trojan.linux.hajime\",\"trojan.generickd.34055387\"],\"@version\":\"1\",\"type\":\"cti\",\"targeted_organizations\":[],\"campaigns\":[],\"categories\":[\"malware\"],\"src_port\":55614,\"gcenter\":\"gcenter-xxxxxxxxxxxxxxxxx.domain.local\",\"case_id\":\"00100035-1206-2023-edb6-b38911f8ba0c\",\"dest_port\":80,\"usage_mode\":\"hunting\",\"timestamp_package\":\"2023-06-12T10:00:35.012874+0000\",\"src_ip\":\"1.1.1.1\",\"ttp\":[],\"tlp\":\"green\",\"probability\":0.5,\"gcap\":\"gcap-xxxxxxxxxxxxxxxx.domain.local\",\"@timestamp\":\"2023-06-12T10:12:39.001Z\",\"timestamp_analyzed\":\"2023-06-12T10:12:39.001Z\",\"families\":[\"Hajime\"],\"ioc_id\":\"00100035-1206-2023-cbf5-08330f0d5bc0\",\"targeted_sectors\":[],\"threat_actor\":[\"GW Lab Test\"],\"matched_app_proto\":\"http\"}", + "event": { + "category": [ + "network" + ], + "module": "retrohunt", + "severity": 1 + }, + "@timestamp": "2023-06-12T10:12:39.001000Z", + "destination": { + "address": "2.2.2.2", + "ip": "2.2.2.2", + "port": 80 + }, + "gatewatcher": { + "campaigns": [], + "case_id": "00100035-1206-2023-edb6-b38911f8ba0c", + "categories": [ + "malware" + ], + "description": "IOC matching first tests", + "event_type": "retrohunt", + "external_links": [ + "{\"source_name\": \"URLHaus Abuse.ch\", \"url\": \"https://urlhaus.abuse.ch/url/2269068/\"}" + ], + "families": [ + "Hajime" + ], + "flow_id": "841376349480333", + "gcap": "gcap-xxxxxxxxxxxxxxxx.domain.local", + "gcenter": "gcenter-xxxxxxxxxxxxxxxxx.domain.local", + "ioc_creation_date": "2023-06-12T10:00:35+00:00", + "ioc_id": "00100035-1206-2023-cbf5-08330f0d5bc0", + "ioc_tags": [ + "backdoor.hajime.linux.129", + "e32/agent.cd", + "elf.mirai.43048.gc", + "hajime", + "linux.hajime.bc", + "linux/hajime.75930", + "linux/hajime.a trojan", + 
"linux/hajime.nsnlw", + "trojan.elfarm32.hajime.fbhtfi", + "trojan.generickd.34055387", + "trojan.generickd.34055387 (b)", + "trojan.linux.hajime", + "unix.malware.agent-6626471-0" + ], + "ioc_type": "Host", + "ioc_updated_date": "2023-06-12T10:00:35+00:00", + "ioc_value": "im.a.very.bad.doma.in", + "kill_chain_phases": [], + "matched_event": "bd7686c8-20db-427e-941d-844a5ecfe559", + "matched_event_type": "alert", + "meta_data": "{\"cwe\": [], \"descriptions\": [], \"filetype\": \"ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux)\", \"size\": 78.3984375, \"ssdeep\": \"1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL\", \"tslh\": \"T16D7312E017B517CC1371A8353BED205E9128223972AE35302E97528DF957703BAB2DBE\", \"usageMode\": \"hunting\"}", + "probability": 0.5, + "relations": [ + "0e3cc27b-7999-48ce-8484-dc12b325a355" + ], + "risk": "Suspicious", + "signature": "RetroHunt - Host - malware/Unknown - Hajime - GW Lab Test - 00100035-1206-2023-cbf5-08330f0d5bc0", + "targeted_countries": [], + "targeted_organizations": [], + "targeted_platforms": [ + "linux" + ], + "targeted_sectors": [], + "threat_actor": [ + "GW Lab Test" + ], + "timestamp_analyzed": "2023-06-12T10:12:39.001Z", + "timestamp_detected": "2023-06-09T14:08:46.845Z", + "timestamp_package": "2023-06-12T10:00:35.012874+0000", + "tlp": "green", + "ttp": [], + "type": "cti", + "usage_mode": "hunting", + "vulnerabilities": [] + }, + "observer": { + "name": "gcap-xxxxxxxxxxxxxxxx.domain.local", + "type": "ids", + "version": "0.2" + }, + "related": { + "ip": [ + "1.1.1.1", + "2.2.2.2" + ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "port": 55614 + } + } + + ``` + + +=== "sigflow-alert.json" + + ```json + + { + "message": 
"{\"event_type\":\"alert\",\"http\":{\"url\":\"/bsb/debugnosso/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Iniciou%20o%20executar%20%20http://65.181.125.193/a35new/w7.zip%7Chttp://65.181.125.193/a35new/w7.zip%7C32%7Chttp://65.181.125.193/a35new/dll.dll\",\"protocol\":\"HTTP/1.1\",\"hostname\":\"www.devyatinskiy.ru\",\"length\":0,\"http_method\":\"GET\"},\"timestamp_detected\":\"2023-03-22T10:25:55.690Z\",\"uuid\":\"fd5ba8ea-e263-426d-b4b2-a16521ae09b1\",\"packet_info\":{\"linktype\":1},\"severity\":1,\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"host\":\"gcap-xxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":1408237495862400,\"dest_port\":16122,\"@timestamp\":\"2023-03-22T10:44:08.001Z\",\"timestamp_analyzed\":\"2023-03-22T10:44:08.001Z\",\"gcap\":\"gcap-xxxxxxx.domain.local\",\"type\":\"suricata\",\"src_port\":8550,\"metadata\":{\"flowbits\":[\"min.gethttp\",\"ETPROtxtminhead\",\"http.dottedquadhost.dll\"]},\"community_id\":\"1:hEBuGl9msx7YJtg3Tb/+Gf+a1VI=\",\"app_proto\":\"http\",\"packet\":\"kOK6pqSQkOK6pqSRCABFAAC7Uz1AAEAGPT4py4AkHxzgtiFmPvokcIbSnp074oAYAGsSTgAAAQEICmgi0xNoItMTR0VUIC9ic2IvZGVidWdub3Nzby9pbmRleC5waHA/Tj1HTy1HTy1HQURHRVQtUEMtaW5zcGVjdG9yLWdhZGdldCUyMD0lMjAlMjAlMjAlMjBJbmljaWFyJTdCNjklN0QgSFRUUC8xLjENCkhvc3Q6IHd3dy5kZXZ5YXRpbnNraXkucnUNCg0K\",\"proto\":\"TCP\",\"stream\":1,\"flow\":{\"bytes_toclient\":90364,\"bytes_toserver\":3084,\"pkts_toserver\":19,\"pkts_toclient\":66,\"start\":\"2023-03-22T10:25:55.345216+0000\"},\"tx_id\":5,\"ether\":{\"dest_mac\":\"90:e2:ba:a6:a4:90\",\"src_mac\":\"90:e2:ba:a6:a4:91\"},\"payload\":\"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\",\"@version\":\"1\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"payload_printable\":\"GET /download/QjtGDltmce/16082016vecO7OkL3yLPICleozibKE.vbs?dsid=gv5nq3.400b86c7196f9e8ccde35370eb0a54b9&sbsr=2f5b2df0ae0a8c7551c7df0bc46a9d79980&lgfp=3000 HTTP/1.1\\r\\nAccept: text/html, application/xhtml+xml, */*\\r\\nAccept-Language: 
en-US\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\\r\\nAccept-Encoding: gzip, deflate\\r\\nHost: dc524.4shared.com\\r\\nConnection: Keep-Alive\\r\\nCookie: day1host=h\\r\\n\\r\\nGET /web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F HTTP/1.1\\r\\nAccept: text/html, application/xhtml+xml, */*\\r\\nAccept-Language: en-US\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\\r\\nAccept-Encoding: gzip, deflate\\r\\nCookie: day1host=h\\r\\nConnection: Keep-Alive\\r\\nHost: cdnfiles.4shared.com\\r\\n\\r\\nGET /a35new/w7.txt HTTP/1.1\\r\\nHost: 65.181.125.193\\r\\nConnection: Keep-Alive\\r\\n\\r\\nGET /a35new/aw7.tiff HTTP/1.1\\r\\nHost: 65.181.125.193\\r\\n\\r\\nGET /bsb/infects/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Windows%207%20Home%20Premium%20%20%20%20=%20%20%20%20%20%20%20N/A HTTP/1.1\\r\\nHost: www.devyatinskiy.ru\\r\\nConnection: Keep-Alive\\r\\n\\r\\nGET /bsb/debugnosso/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Iniciou%20o%20executar%20%20http://65.181.125.193/a35new/w7.zip%7Chttp://65.181.125.193/a35new/w7.zip%7C32%7Chttp://65.181.125.193/a35new/dll.dll HTTP/1.1\\r\\nHost: www.devyatinskiy.ru\\r\\n\\r\\n\",\"alert\":{\"signature\":\"ETPRO TROJAN MSIL/Bazidow.A HTTP C2\",\"category\":\"A Network Trojan was 
detected\",\"gid\":1,\"signature_id\":2828821,\"rev\":3,\"severity\":1,\"metadata\":{\"affected_product\":[\"Windows_XP_Vista_7_8_10_Server_32_64_Bit\"],\"performance_impact\":[\"Moderate\"],\"deployment\":[\"Perimeter\"],\"created_at\":[\"2017_12_07\"],\"updated_at\":[\"2022_05_03\"],\"former_category\":[\"MALWARE\"],\"attack_target\":[\"Client_Endpoint\"],\"signature_severity\":[\"Major\"]},\"action\":\"allowed\"}}",
+ "event": {
+ "action": "allowed",
+ "category": [
+ "network"
+ ],
+ "module": "alert",
+ "severity": 1
+ },
+ "@timestamp": "2023-03-22T10:44:08.001000Z",
+ "destination": {
+ "address": "2.2.2.2",
+ "bytes": 90364,
+ "ip": "2.2.2.2",
+ "packets": 66,
+ "port": 16122
+ },
+ "gatewatcher": {
+ "event_type": "alert",
+ "flow_id": "1408237495862400",
+ "gcap": "gcap-xxxxxxx.domain.local",
+ "gcenter": "gcenter-xxxxxxxx.domain.local",
+ "payload": "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",
+ "payload_printable": "GET /download/QjtGDltmce/16082016vecO7OkL3yLPICleozibKE.vbs?dsid=gv5nq3.400b86c7196f9e8ccde35370eb0a54b9&sbsr=2f5b2df0ae0a8c7551c7df0bc46a9d79980&lgfp=3000 HTTP/1.1\r\nAccept: text/html, application/xhtml+xml, */*\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\nAccept-Encoding: gzip, deflate\r\nHost: dc524.4shared.com\r\nConnection: Keep-Alive\r\nCookie: day1host=h\r\n\r\nGET /web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F HTTP/1.1\r\nAccept: text/html, application/xhtml+xml, */*\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\nAccept-Encoding: gzip, 
deflate\r\nCookie: day1host=h\r\nConnection: Keep-Alive\r\nHost: cdnfiles.4shared.com\r\n\r\nGET /a35new/w7.txt HTTP/1.1\r\nHost: 65.181.125.193\r\nConnection: Keep-Alive\r\n\r\nGET /a35new/aw7.tiff HTTP/1.1\r\nHost: 65.181.125.193\r\n\r\nGET /bsb/infects/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Windows%207%20Home%20Premium%20%20%20%20=%20%20%20%20%20%20%20N/A HTTP/1.1\r\nHost: www.devyatinskiy.ru\r\nConnection: Keep-Alive\r\n\r\nGET /bsb/debugnosso/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Iniciou%20o%20executar%20%20http://65.181.125.193/a35new/w7.zip%7Chttp://65.181.125.193/a35new/w7.zip%7C32%7Chttp://65.181.125.193/a35new/dll.dll HTTP/1.1\r\nHost: www.devyatinskiy.ru\r\n\r\n",
+ "timestamp_analyzed": "2023-03-22T10:44:08.001Z",
+ "timestamp_detected": "2023-03-22T10:25:55.690Z",
+ "type": "suricata"
+ },
+ "http": {
+ "request": {
+ "method": "GET"
+ }
+ },
+ "network": {
+ "protocol": "http",
+ "transport": "TCP"
+ },
+ "observer": {
+ "hostname": "gcap-xxxxxxxx.domain.local",
+ "mac": [
+ "90:e2:ba:a6:a4:90",
+ "90:e2:ba:a6:a4:91"
+ ],
+ "name": "gcap-xxxxxxx.domain.local",
+ "type": "ids",
+ "version": "0.2"
+ },
+ "related": {
+ "hosts": [
+ "gcap-xxxxxxxx.domain.local",
+ "www.devyatinskiy.ru"
+ ],
+ "ip": [
+ "1.1.1.1",
+ "2.2.2.2"
+ ]
+ },
+ "rule": {
+ "category": "A Network Trojan was detected",
+ "id": "2828821",
+ "name": "ETPRO TROJAN MSIL/Bazidow.A HTTP C2"
+ },
+ "source": {
+ "address": "1.1.1.1",
+ "bytes": 3084,
+ "ip": "1.1.1.1",
+ "packets": 19,
+ "port": 8550
+ },
+ "url": {
+ "domain": "www.devyatinskiy.ru",
+ "path": "/bsb/debugnosso/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Iniciou%20o%20executar%20%20http://65.181.125.193/a35new/w7.zip%7Chttp://65.181.125.193/a35new/w7.zip%7C32%7Chttp://65.181.125.193/a35new/dll.dll",
+ "registered_domain": "devyatinskiy.ru",
+ "subdomain": "www",
+ "top_level_domain": "ru"
+ }
+ }
+
+ ```
+
+
+=== "sigflow-file.json"
+
+ ```json
+
+ {
+ "message": 
"{\"event_type\":\"fileinfo\",\"proto\":\"TCP\",\"http\":{\"protocol\":\"HTTP/1.1\",\"url\":\"/web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F\",\"hostname\":\"cdnfiles.4shared.com\",\"status\":200,\"length\":1088,\"http_content_type\":\"APPLICATION/OCTET-STREAM\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\",\"http_method\":\"GET\"},\"timestamp_detected\":\"2023-03-22T10:25:55.469Z\",\"uuid\":\"24231245-276c-4509-9437-016b82f88c7c\",\"type\":\"suricata\",\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"host\":\"gcap-xxxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":1408237495862400,\"@timestamp\":\"2023-03-22T10:44:07.998Z\",\"timestamp_analyzed\":\"2023-03-22T10:44:07.998Z\",\"@version\":\"1\",\"gcap\":\"gcap-xxxxxxxxxx.domain.local\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"fileinfo\":{\"size\":1088,\"filename\":\"16082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs\",\"state\":\"CLOSED\",\"sha256\":\"f31faae778ecfee8e27041309444468a37ad7681d42d7972faa92fe2056721df\",\"magic\":\"Little-endian UTF-16 Unicode text, with CRLF line terminators\",\"sid\":[],\"stored\":false,\"tx_id\":1,\"gaps\":false,\"md5\":\"d526c8e4ad7ab6d80baeb839976b7c80\"},\"dest_port\":8550,\"src_port\":16122,\"app_proto\":\"http\"}",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "module": "fileinfo"
+ },
+ "@timestamp": "2023-03-22T10:44:07.998000Z",
+ "destination": {
+ "address": "2.2.2.2",
+ "ip": "2.2.2.2",
+ "port": 8550
+ },
+ "file": {
+ "hash": {
+ "md5": "d526c8e4ad7ab6d80baeb839976b7c80",
+ "sha256": "f31faae778ecfee8e27041309444468a37ad7681d42d7972faa92fe2056721df"
+ },
+ "name": 
"16082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs",
+ "size": 1088
+ },
+ "gatewatcher": {
+ "event_type": "fileinfo",
+ "filemagic": "Little-endian UTF-16 Unicode text, with CRLF line terminators",
+ "flow_id": "1408237495862400",
+ "gcap": "gcap-xxxxxxxxxx.domain.local",
+ "gcenter": "gcenter-xxxxxxxx.domain.local",
+ "timestamp_analyzed": "2023-03-22T10:44:07.998Z",
+ "timestamp_detected": "2023-03-22T10:25:55.469Z",
+ "type": "suricata"
+ },
+ "http": {
+ "request": {
+ "method": "GET"
+ },
+ "response": {
+ "status_code": 200
+ }
+ },
+ "network": {
+ "protocol": "http",
+ "transport": "TCP"
+ },
+ "observer": {
+ "hostname": "gcap-xxxxxxxxx.domain.local",
+ "name": "gcap-xxxxxxxxxx.domain.local",
+ "type": "ids",
+ "version": "0.2"
+ },
+ "related": {
+ "hash": [
+ "d526c8e4ad7ab6d80baeb839976b7c80",
+ "f31faae778ecfee8e27041309444468a37ad7681d42d7972faa92fe2056721df"
+ ],
+ "hosts": [
+ "cdnfiles.4shared.com",
+ "gcap-xxxxxxxxx.domain.local"
+ ],
+ "ip": [
+ "1.1.1.1",
+ "2.2.2.2"
+ ]
+ },
+ "source": {
+ "address": "1.1.1.1",
+ "ip": "1.1.1.1",
+ "port": 16122
+ },
+ "url": {
+ "domain": "cdnfiles.4shared.com",
+ "path": "/web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F",
+ "registered_domain": "4shared.com",
+ "subdomain": "cdnfiles",
+ "top_level_domain": "com"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "IE",
+ "original": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
+ "os": {
+ "name": "Windows",
+ "version": "7"
+ },
+ "version": "11.0"
+ }
+ }
+
+ ```
+
+
+=== "sigflow-meta.json"
+
+ ```json
+
+ {
+ "message": 
"{\"event_type\":\"http\",\"http\":{\"accept_encoding\":\"gzip, deflate\",\"server\":\"524\",\"accept\":\"text/html, application/xhtml+xml, */*\",\"url\":\"/download/QjtGDltmce/16082016vecO7OkL3yLPICleozibKE.vbs?dsid=gv5nq3.400b86c7196f9e8ccde35370eb0a54b9&sbsr=2f5b2df0ae0a8c7551c7df0bc46a9d79980&lgfp=3000\",\"protocol\":\"HTTP/1.1\",\"hostname\":\"dc524.4shared.com\",\"accept_language\":\"en-US\",\"location\":\"http://cdnfiles.4shared.com/web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F\",\"length\":0,\"status\":302,\"http_user_agent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\",\"date\":\"Wed, 17 Aug 2016 01:34:43 GMT\",\"redirect\":\"http://cdnfiles.4shared.com/web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F\",\"content_length\":\"0\",\"cookie\":\"day1host=h\",\"http_method\":\"GET\"},\"timestamp_detected\":\"2023-03-22T10:25:55.377Z\",\"uuid\":\"f8ee6e33-91ef-404f-bad3-a69185416a0d\",\"type\":\"suricata\",\"in_iface\":\"monvirt\",\"src_ip\":\"1.1.1.1\",\"host\":\"gcap-xxxxxxxxx.domain.local\",\"dest_ip\":\"2.2.2.2\",\"flow_id\":1408237495862400,\"@timestamp\":\"2023-03-22T10:44:07.997Z\",\"timestamp_analyzed\":\"2023-03-22T10:44:07.997Z\",\"gcap\":\"gcap-xxxxxxxxx.domain.local\",\"dest_port\":16122,\"src_port\":8550,\"community_id\":\"1:hEBuGl9msx7YJtg3Tb/+Gf+a1VI=\",
\"proto\":\"TCP\",\"tx_id\":0,\"ether\":{\"dest_mac\":\"90:e2:ba:a6:a4:90\",\"src_mac\":\"90:e2:ba:a6:a4:91\"},\"@version\":\"1\",\"gcenter\":\"gcenter-xxxxxxxxxx.domain.local\"}",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "module": "http"
+ },
+ "@timestamp": "2023-03-22T10:44:07.997000Z",
+ "destination": {
+ "address": "2.2.2.2",
+ "ip": "2.2.2.2",
+ "port": 16122
+ },
+ "gatewatcher": {
+ "event_type": "http",
+ "flow_id": "1408237495862400",
+ "gcap": "gcap-xxxxxxxxx.domain.local",
+ "gcenter": "gcenter-xxxxxxxxxx.domain.local",
+ "timestamp_analyzed": "2023-03-22T10:44:07.997Z",
+ "timestamp_detected": "2023-03-22T10:25:55.377Z",
+ "type": "suricata"
+ },
+ "http": {
+ "request": {
+ "method": "GET"
+ },
+ "response": {
+ "status_code": 302
+ }
+ },
+ "network": {
+ "transport": "TCP"
+ },
+ "observer": {
+ "hostname": "gcap-xxxxxxxxx.domain.local",
+ "mac": [
+ "90:e2:ba:a6:a4:90",
+ "90:e2:ba:a6:a4:91"
+ ],
+ "name": "gcap-xxxxxxxxx.domain.local",
+ "type": "ids",
+ "version": "0.2"
+ },
+ "related": {
+ "hosts": [
+ "dc524.4shared.com",
+ "gcap-xxxxxxxxx.domain.local"
+ ],
+ "ip": [
+ "1.1.1.1",
+ "2.2.2.2"
+ ]
+ },
+ "source": {
+ "address": "1.1.1.1",
+ "ip": "1.1.1.1",
+ "port": 8550
+ },
+ "url": {
+ "domain": "dc524.4shared.com",
+ "path": "/download/QjtGDltmce/16082016vecO7OkL3yLPICleozibKE.vbs?dsid=gv5nq3.400b86c7196f9e8ccde35370eb0a54b9&sbsr=2f5b2df0ae0a8c7551c7df0bc46a9d79980&lgfp=3000",
+ "registered_domain": "4shared.com",
+ "subdomain": "dc524",
+ "top_level_domain": "com"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "IE",
+ "original": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
+ "os": {
+ "name": "Windows",
+ "version": "7"
+ },
+ "version": "11.0"
+ }
+ }
+
+ ```
+
+
+
+
+
+### Extracted Fields
+
+The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. 
+
+| Name | Type | Description |
+| ---- | ---- | ---------------------------|
+|`@timestamp` | `date` | Date/time when the event originated. |
+|`destination.bytes` | `long` | Bytes sent from the destination to the source. |
+|`destination.ip` | `ip` | IP address of the destination. |
+|`destination.packets` | `long` | Packets sent from the destination to the source. |
+|`destination.port` | `long` | Port of the destination. |
+|`dns.id` | `keyword` | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. |
+|`dns.question.name` | `keyword` | The name being queried. |
+|`dns.question.type` | `keyword` | The type of record being queried. |
+|`dns.type` | `keyword` | The type of DNS event captured, query or answer. |
+|`event.action` | `keyword` | The action captured by the event. |
+|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
+|`event.module` | `keyword` | Name of the module this data is coming from. |
+|`event.severity` | `long` | Numeric severity of the event. |
+|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
+|`file.hash.md5` | `keyword` | MD5 hash. |
+|`file.hash.sha256` | `keyword` | SHA256 hash. |
+|`file.name` | `keyword` | Name of the file including the extension, without the directory. |
+|`file.size` | `long` | File size in bytes. 
|
+|`gatewatcher.calls` | `text` | This field represents the list of calls detected in a shellcode |
+|`gatewatcher.campaigns` | `text` | This field is used for retrohunt alerts |
+|`gatewatcher.case_id` | `text` | This field is used for retrohunt alerts |
+|`gatewatcher.categories` | `text` | This field is used for retrohunt alerts |
+|`gatewatcher.description` | `text` | This field is used for retrohunt alerts |
+|`gatewatcher.dhcp` | `text` | This field represents the dhcp field in a network metadata (used in legacy format log) |
+|`gatewatcher.dnp3` | `text` | This field represents the dnp3 field in a suricata alert (used in legacy format log) |
+|`gatewatcher.domain_name` | `text` | This field represents the domain name found in a dga alert |
+|`gatewatcher.email` | `text` | This field represents the email field |
+|`gatewatcher.encodings` | `text` | This field represents the encodings used in the shellcode |
+|`gatewatcher.event_type` | `keyword` | Type of event |
+|`gatewatcher.external_links` | `text` | This field is used for retrohunt alerts |
+|`gatewatcher.families` | `text` | This field is used for retrohunt alerts |
+|`gatewatcher.fileinfo` | `text` | This field represents the fileinfo field in a malcore alert (used in legacy format log) |
+|`gatewatcher.filemagic` | `text` | This field represents the magic of a file info |
+|`gatewatcher.flow_id` | `keyword` | Identifier of the flow |
+|`gatewatcher.ftp` | `text` | This field represents the ftp field in a network metadata (used in legacy format log) |
+|`gatewatcher.ftp_data` | `text` | This field represents the ftp-data field in a network metadata (used in legacy format log) |
+|`gatewatcher.gcap` | `keyword` | Name of the gcap |
+|`gatewatcher.gcenter` | `keyword` | Name of the associated gcenter |
+|`gatewatcher.http2` | `text` | This field represents the http2 field in a network metadata (used in legacy format log) |
+|`gatewatcher.ikev2` | `text` | This field represents the ikev2 field in a 
network metadata (used in legacy format log) |
+|`gatewatcher.ioc_creation_date` | `text` | This field is used for retrohunt alerts |
+|`gatewatcher.ioc_id` | `text` | This field is used for retrohunt alerts |
+|`gatewatcher.ioc_tags` | `text` | This field is used for retrohunt alerts |
+|`gatewatcher.ioc_type` | `text` | This field is used for retrohunt alerts |
+|`gatewatcher.ioc_updated_date` | `text` | This field is used for retrohunt alerts |
+|`gatewatcher.ioc_value` | `text` | This field is used for retrohunt alerts |
+|`gatewatcher.kill_chain_phases` | `text` | This field is used for retrohunt alerts |
+|`gatewatcher.krb5` | `text` | This field represents the krb5 field in a network metadata (used in legacy format log) |
+|`gatewatcher.malcore.code` | `keyword` | Return code of the malcore analysis |
+|`gatewatcher.malcore.detail_threat_found` | `keyword` | Type of the detected threat |
+|`gatewatcher.malcore.file` | `keyword` | Identifier of the file |
+|`gatewatcher.malcore.magic` | `keyword` | The magic number of the executable of the malware |
+|`gatewatcher.malcore.replica` | `keyword` | Analysis is a replica of another previous one |
+|`gatewatcher.matched_event` | `text` | This field represents the matched event found in a dga and retrohunt alert |
+|`gatewatcher.matched_event_type` | `text` | This field is used for retrohunt alerts |
+|`gatewatcher.meta_data` | `text` | This field is used for retrohunt alerts |
+|`gatewatcher.mqtt` | `text` | This field represents the mqtt field in a network metadata (used in legacy format log) |
+|`gatewatcher.nb_rescans` | `long` | Number of retroact analysis |
+|`gatewatcher.nfs` | `text` | This field represents the nfs field in a network metadata (used in legacy format log) |
+|`gatewatcher.payload` | `text` | This field represents the payload in a suricata alert |
+|`gatewatcher.payload_printable` | `text` | This field represents the human readable payload in a suricata alert |
+|`gatewatcher.probability` | 
`float` | This field represents the probability found in a dga and retrohunt alert |
+|`gatewatcher.rdp` | `text` | This field represents the rdp field in a network metadata (used in legacy format log) |
+|`gatewatcher.relations` | `text` | This field is used for retrohunt alerts |
+|`gatewatcher.reporting_token` | `keyword` | Token used by Gbox |
+|`gatewatcher.retroact` | `keyword` | Analysis result per retroact |
+|`gatewatcher.rfb` | `text` | This field represents the rfb field in a network metadata (used in legacy format log) |
+|`gatewatcher.risk` | `text` | This field is used for retrohunt alerts |
+|`gatewatcher.rpc` | `text` | This field represents the rpc field in a network metadata (used in legacy format log) |
+|`gatewatcher.sample_id` | `text` | Matching legacy file_id with ECS sample_id |
+|`gatewatcher.scores.analysis` | `number` | test-scores |
+|`gatewatcher.scores.analysis_detailed` | `text` | test-scores |
+|`gatewatcher.scores.proba_obfuscated` | `float` | test-scores |
+|`gatewatcher.signature` | `text` | This field is used for retrohunt alerts |
+|`gatewatcher.sip` | `text` | This field represents the sip field in a network metadata (used in legacy format log) |
+|`gatewatcher.smb` | `text` | This field represents the smb field in a network metadata (used in legacy format log) |
+|`gatewatcher.smtp` | `text` | This field represents the smtp field in a network metadata (used in legacy format log) |
+|`gatewatcher.snmp` | `text` | This field represents the snmp field in a network metadata (used in legacy format log) |
+|`gatewatcher.ssh` | `text` | This field represents the ssh field in a network metadata (used in legacy format log) |
+|`gatewatcher.state` | `keyword` | Analysis result |
+|`gatewatcher.stats` | `text` | This field represents the metrics stats |
+|`gatewatcher.sub_type` | `text` | Sub type of codebreaker exploit |
+|`gatewatcher.targeted_countries` | `text` | This field is used for retrohunt alerts | 
+|`gatewatcher.targeted_organizations` | `text` | This field is used for retrohunt alerts |
+|`gatewatcher.targeted_platforms` | `text` | This field is used for retrohunt alerts |
+|`gatewatcher.targeted_sectors` | `text` | This field is used for retrohunt alerts |
+|`gatewatcher.tftp` | `text` | This field represents the tftp field in a network metadata (used in legacy format log) |
+|`gatewatcher.threat_actor` | `text` | This field is used for retrohunt alerts |
+|`gatewatcher.timestamp_analyzed` | `keyword` | Timestamp of the alert processing by gcenter |
+|`gatewatcher.timestamp_detected` | `keyword` | Timestamp of the file collection by gcap |
+|`gatewatcher.timestamp_package` | `text` | This field is used for retrohunt alerts |
+|`gatewatcher.tlp` | `text` | This field is used for retrohunt alerts |
+|`gatewatcher.tls` | `text` | This field represents the tls field in a network metadata (used in legacy format log) |
+|`gatewatcher.ttp` | `text` | This field is used for retrohunt alerts |
+|`gatewatcher.type` | `keyword` | Type of analysis |
+|`gatewatcher.usage_mode` | `text` | This field is used for retrohunt alerts |
+|`gatewatcher.vulnerabilities` | `text` | This field is used for retrohunt alerts |
+|`http.request.method` | `keyword` | HTTP request method. |
+|`http.response.status_code` | `long` | HTTP response status code. |
+|`http.version` | `keyword` | HTTP version. |
+|`network.protocol` | `keyword` | Application protocol name. |
+|`network.transport` | `keyword` | Protocol Name corresponding to the field `iana_number`. |
+|`observer.hostname` | `keyword` | Hostname of the observer. |
+|`observer.mac` | `keyword` | MAC addresses of the observer. |
+|`observer.name` | `keyword` | Custom name of the observer. |
+|`observer.type` | `keyword` | The type of the observer the data is coming from. |
+|`observer.version` | `keyword` | Observer version. 
|
+|`rule.category` | `keyword` | Rule category |
+|`rule.id` | `keyword` | Rule ID |
+|`rule.name` | `keyword` | Rule name |
+|`rule.version` | `keyword` | Rule version |
+|`source.bytes` | `long` | Bytes sent from the source to the destination. |
+|`source.ip` | `ip` | IP address of the source. |
+|`source.packets` | `long` | Packets sent from the source to the destination. |
+|`source.port` | `long` | Port of the source. |
+|`url.domain` | `keyword` | Domain of the url. |
+|`url.path` | `wildcard` | Path of the request, such as "/search". |
+|`user_agent.original` | `keyword` | Unparsed user_agent string. |
+
+
+
+For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events [here](https://github.com/SEKOIA-IO/intake-formats/tree/main/GateWatcher/aioniq).
\ No newline at end of file
diff --git a/_shared_content/operations_center/integrations/generated/0825709a-5f76-441e-9dfb-2b5ea6ce551c_sample.md b/_shared_content/operations_center/integrations/generated/0825709a-5f76-441e-9dfb-2b5ea6ce551c_sample.md
new file mode 100644
index 0000000000..d5d4689942
--- /dev/null
+++ b/_shared_content/operations_center/integrations/generated/0825709a-5f76-441e-9dfb-2b5ea6ce551c_sample.md
@@ -0,0 +1,538 @@
+
+### Raw Events Samples
+
+In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.
+
+
+=== "codebreaker"
+
+
+ ```json
+ {
+ "event_type": "powershell",
+ "scores": {
+ "analysis": 1890,
+ "analysis_detailed": {
+ "CharInt": 0,
+ "InvokeWebRequest": 0,
+ "FmtStr": 0,
+ "WebClientInvokation": 0,
+ "StrReplace": 0,
+ "StrJoin": 0,
+ "SetContent": 0,
+ "StreamWriter": 0,
+ "SystemIOFile": 0,
+ "StreamReader": 0,
+ "InvokeRestMethod": 0,
+ "AddContent": 0,
+ "StartBitsTransfer": 0,
+ "InvokeExpression": 0,
+ "GetContent": 0,
+ "StrCat": 370,
+ "Base64": 1520
+ },
+ "proba_obfuscated": 1.0
+ },
+ "timestamp_detected": "2023-03-22T10:30:37.145Z",
+ "uuid": "8906e477-02b5-4ada-abaa-67b2d41f204a",
+ "severity": 1,
+ "type": "codebreaker",
+ "src_ip": "1.1.1.1",
+ "state": "Exploit",
+ "dest_port": "35444",
+ "dest_ip": "2.2.2.2",
+ "flow_id": "2157601933358692",
+ "gcap": "gcap-xxxxxxxxxx.domain.local",
+ "@timestamp": "2023-03-22T10:32:50.269Z",
+ "timestamp_analyzed": "2023-03-22T10:32:50.269Z",
+ "src_port": "4242",
+ "file_id": "03-22-2023T10:32:45_772669089795425e9ad63823ea1e7ac3_gcap-xxxxxxxx.domain.local",
+ "sub_type": "powershell",
+ "SHA256": "efc9380fee13f9accf1cbc2f2bb02ae430cf39d4fbfe1d766f65b500b571ca29",
+ "MD5": "60b656e17bec0a97f5638790c78a3124",
+ "@version": "1",
+ "gcenter": "gcenter-xxxxxxxxxx.domain.local"
+ }
+ ```
+
+
+
+=== "dga"
+
+
+ ```json
+ {
+ "event_type": "dga",
+ "domain_name": "pgoadcmgqfacj.com",
+ "timestamp_detected": "2023-03-22T10:25:54.903Z",
+ "uuid": "4e4b3104-06ba-4277-899e-149a74a0671c",
+ "severity": 1,
+ "type": "machine_learning",
+ "probability": 0.9999731546766107,
+ "dest_port": 53,
+ "gcap": "gcap-xxxxxxxx.domain.local",
+ "dest_ip": "2.2.2.2",
+ 
"flow_id": 729468278572,
+ "src_ip": "1.1.1.1",
+ "@timestamp": "2023-03-22T10:46:08.487Z",
+ "@version": "1",
+ "matched_event": "041b2ed4-a5e0-4814-8bdc-7522b6d5464f",
+ "timestamp_analyzed": "2023-03-22T10:46:08.487Z",
+ "gcenter": "gcenter-xxxxxx.domain.local",
+ "src_port": 1294
+ }
+ ```
+
+
+
+=== "malcore"
+
+
+ ```json
+ {
+ "timestamp": "2023-03-22T10:35:22.615360+0000",
+ "analyzed_infected": 10,
+ "detail_threat_found": "Infected : Script.SWF.CVE-2014-0515+.C107 (B), Exp.SWF.Angler.D, Script.SWF.CVE-2014-0515+.C107, SWF/Exploit.ExKit.J trojan, Exploit.SWF.Agent.ja, Exploit.Agent.Script.371, Exploit.Swf.Agent.dvtnkm, Script.SWF.CVE-2014-0515++.C118, EXP/FLASH.Pubenush.E.Gen, Exploit.SWF",
+ "timestamp_detected": "2023-03-22T10:35:22.615Z",
+ "uuid": "2103a99c-549e-49b7-bbef-68459e6cc44e",
+ "severity": 1,
+ "dest_port": 19609,
+ "detail_wait_time": 320265,
+ "host": "gcap-xxxxxxxxx.domain.local",
+ "dest_ip": "2.2.2.2",
+ "timestamp_analyzed": "2023-03-22T10:53:13.408Z",
+ "@timestamp": "2023-03-22T10:53:13.408Z",
+ "file_type_description": "Macromedia Flash Player",
+ "fileinfo": {
+ "sha256": "350836364013549b6a76aab79d57d109df6acc143759e24a952d3ff5d6a76ec4",
+ "file_id": 379,
+ "magic": "Macromedia Flash data (compressed), version 14",
+ "tx_id": 1,
+ "state": "CLOSED",
+ "filename": "/6SuCHKKkf8Sf1aFXJPqD0R6r3oEDCrbwHFm23EU-Af2zwWdHgpn6mEGu5XlxFust",
+ "sid": [
+ 1100020
+ ],
+ "stored": true,
+ "md5": "67ca9a31f220bc7b68f203c07ad668b9",
+ "gaps": false,
+ "size": 77068
+ },
+ "analyzed_suspicious": 0,
+ "analyzers_up": 16,
+ "app_proto": "http",
+ "engines_last_update_date": "2023-03-08T19:03:00Z",
+ "total_found": "10/16",
+ "file_type": "application/x-shockwave-flash",
+ "detail_scan_time": 13425,
+ "processing_time": 333690,
+ "SHA256": "350836364013549b6a76aab79d57d109df6acc143759e24a952d3ff5d6a76ec4",
+ "gcenter": "gcenter-xxxxxxxx.domain.local",
+ "analyzed_clean": 5,
+ "event_type": "malware",
+ "http": {
+ "http_method": "GET",
+ 
"http_port": 8080,
+ "protocol": "HTTP/1.1",
+ "status": 200,
+ "hostname": "tsevid-synonymi.justdanceatsea.com",
+ "url": "/6SuCHKKkf8Sf1aFXJPqD0R6r3oEDCrbwHFm23EU-Af2zwWdHgpn6mEGu5XlxFust",
+ "length": 77068,
+ "http_content_type": "application/x-shockwave-flash",
+ "http_user_agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)",
+ "http_refer": "http://tsevid-synonymi.justdanceatsea.com:8080/ndf4xx22ci.php"
+ },
+ "type": "malcore",
+ "in_iface": "monvirt",
+ "src_ip": "1.1.1.1",
+ "state": "Infected",
+ "gcap": "gcap-xxxxxxxx.domain.local",
+ "flow_id": 1910314914537014,
+ "reporting_token": "No GBOX",
+ "src_port": 8080,
+ "analyzed_other": 1,
+ "engine_id": {
+ "4": {
+ "id": "32f2f45e6d9faf46e6954356a710208d412fac5181f6c641e34cb9956a133684",
+ "threat_details": "SWF/Exploit.ExKit.J trojan",
+ "scan_result": "INFECTED"
+ },
+ "1": {
+ "id": "054a20c51cbe9d2cc7d6a237d6cd4e08ab1a67e170b371e632995766d3ba81af",
+ "threat_details": "",
+ "scan_result": "CLEAN"
+ },
+ "9": {
+ "id": "95603b80d80fa3e98b6faf07418a55ed0b035d19209e3ad4f1858f6b46fa070a",
+ "threat_details": "Script.SWF.CVE-2014-0515++.C118",
+ "scan_result": "INFECTED"
+ },
+ "14": {
+ "id": "ecc47e2309be9838d6dc2c5157be1a840950e943f5aaca6637afca11516c3eaf",
+ "threat_details": "",
+ "scan_result": "CLEAN"
+ },
+ "8": {
+ "id": "714eca0a6475fe7d2bf9a24bcae343f657b230ff68acd544b019574f1392de77",
+ "threat_details": "Exploit.Swf.Agent.dvtnkm",
+ "scan_result": "INFECTED"
+ },
+ "7": {
+ "id": "527db072abcf877d4bdcd0e9e4ce12c5d769621aa65dd2f7697a3d67de6cc737",
+ "threat_details": "Exploit.Agent.Script.371",
+ "scan_result": "INFECTED"
+ },
+ "2": {
+ "id": "0ff95ddb1117d8f36124f6eac406dbbf9f17e3dd89f9bb1bd600f6ad834c25db",
+ "threat_details": "Exp.SWF.Angler.D",
+ "scan_result": "INFECTED"
+ },
+ "11": {
+ "id": "ad05e0dc742bcd6251af91bd07ef470c699d5aebbb2055520b07021b14d7380c",
+ "threat_details": "",
+ "scan_result": 
"NOT_SCANNED"
+ },
+ "12": {
+ "id": "af6868a2b87b3388a816e09d2b282629ccf883b763b3691368a27fbd6f6cd51a",
+ "threat_details": "EXP/FLASH.Pubenush.E.Gen",
+ "scan_result": "INFECTED"
+ },
+ "10": {
+ "id": "a9b912e461cec506780d8ad8e785cca6b233ad7c72335c262b0a4ab189afa713",
+ "threat_details": "",
+ "scan_result": "CLEAN"
+ },
+ "3": {
+ "id": "312a189607571ec2c7544636be405f10889e73d061e0ed77ca0eca97a470838d",
+ "threat_details": "Script.SWF.CVE-2014-0515+.C107",
+ "scan_result": "INFECTED"
+ },
+ "6": {
+ "id": "4ca73ae4b92fd7ddcda418e6b70ced0481ac2d878c48e61b686d0c9573c331dc",
+ "threat_details": "",
+ "scan_result": "CLEAN"
+ },
+ "13": {
+ "id": "b14014e40c0e672e050ad9c210a68a5303ce7facabae9eb2ee07ddf97dc0da0e",
+ "threat_details": "",
+ "scan_result": "CLEAN"
+ },
+ "0": {
+ "id": "038e407ba285f0e01dd30c6e4f77ec19bad5ed3dc866a2904ae6bf46baa14b74",
+ "threat_details": "Script.SWF.CVE-2014-0515+.C107 (B)",
+ "scan_result": "INFECTED"
+ },
+ "5": {
+ "id": "3bfeb615a695c5ebaac5ade948ffae0c3cfec3787d4625e3abb27fa3c2867f53",
+ "threat_details": "Exploit.SWF.Agent.ja",
+ "scan_result": "INFECTED"
+ },
+ "15": {
+ "id": "fe665976a02d03734c321007328109ab66823b260a8eea117d2ab49ee9dfd3f1",
+ "threat_details": "Exploit.SWF",
+ "scan_result": "INFECTED"
+ }
+ },
+ "proto": "TCP",
+ "code": 1,
+ "analyzed_error": 0,
+ "@version": "1",
+ "magic_details": "Macromedia Flash data (compressed), version 14"
+ }
+ ```
+
+
+
+=== "retrohunt"
+
+
+ ```json
+ {
+ "external_links": [
+ {
+ "url": "https://urlhaus.abuse.ch/url/2269068/",
+ "source_name": "URLHaus Abuse.ch"
+ }
+ ],
+ "relations": [
+ "0e3cc27b-7999-48ce-8484-dc12b325a355"
+ ],
+ "description": "IOC matching first tests",
+ "event_type": "retrohunt",
+ "kill_chain_phases": [],
+ "timestamp_detected": "2023-06-09T14:08:46.845Z",
+ "ioc_type": "Host",
+ "severity": 1,
+ "community_id": "1:x0uuTl0mYnN1nwngep7+A4VH38I=",
+ "ioc_creation_date": "2023-06-12T10:00:35+00:00",
+ "targeted_countries": [],
+ "ioc_value": 
"im.a.very.bad.doma.in",
+ "dest_ip": "2.2.2.2",
+ "vulnerabilities": [],
+ "matched_event": "bd7686c8-20db-427e-941d-844a5ecfe559",
+ "risk": "Suspicious",
+ "uuid": "416f35ad-b954-4b6a-a886-987b826bb7f4",
+ "meta_data": {
+ "ssdeep": "1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL",
+ "cwe": [],
+ "descriptions": [],
+ "tslh": "T16D7312E017B517CC1371A8353BED205E9128223972AE35302E97528DF957703BAB2DBE",
+ "filetype": "ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux)",
+ "size": 78.3984375,
+ "usageMode": "hunting"
+ },
+ "flow_id": 841376349480333,
+ "matched_event_type": "alert",
+ "ioc_updated_date": "2023-06-12T10:00:35+00:00",
+ "targeted_platforms": [
+ "linux"
+ ],
+ "signature": "RetroHunt - Host - malware/Unknown - Hajime - GW Lab Test - 00100035-1206-2023-cbf5-08330f0d5bc0",
+ "ioc_tags": [
+ "trojan.generickd.34055387 (b)",
+ "linux/hajime.a trojan",
+ "e32/agent.cd",
+ "linux.hajime.bc",
+ "backdoor.hajime.linux.129",
+ "linux/hajime.75930",
+ "unix.malware.agent-6626471-0",
+ "linux/hajime.nsnlw",
+ "hajime",
+ "elf.mirai.43048.gc",
+ "trojan.elfarm32.hajime.fbhtfi",
+ "trojan.linux.hajime",
+ "trojan.generickd.34055387"
+ ],
+ "@version": "1",
+ "type": "cti",
+ "targeted_organizations": [],
+ "campaigns": [],
+ "categories": [
+ "malware"
+ ],
+ "src_port": 55614,
+ "gcenter": "gcenter-xxxxxxxxxxxxxxxxx.domain.local",
+ "case_id": "00100035-1206-2023-edb6-b38911f8ba0c",
+ "dest_port": 80,
+ "usage_mode": "hunting",
+ "timestamp_package": "2023-06-12T10:00:35.012874+0000",
+ "src_ip": "1.1.1.1",
+ "ttp": [],
+ "tlp": "green",
+ "probability": 0.5,
+ "gcap": "gcap-xxxxxxxxxxxxxxxx.domain.local",
+ "@timestamp": "2023-06-12T10:12:39.001Z",
+ "timestamp_analyzed": "2023-06-12T10:12:39.001Z",
+ "families": [
+ "Hajime"
+ ],
+ "ioc_id": "00100035-1206-2023-cbf5-08330f0d5bc0",
+ "targeted_sectors": [],
+ "threat_actor": [
+ "GW Lab Test"
+ ],
+ "matched_app_proto": "http"
+ }
+ ```
+
+
+
+=== "sigflow-alert"
+
+
+ 
```json
+ {
+ "event_type": "alert",
+ "http": {
+ "url": "/bsb/debugnosso/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Iniciou%20o%20executar%20%20http://65.181.125.193/a35new/w7.zip%7Chttp://65.181.125.193/a35new/w7.zip%7C32%7Chttp://65.181.125.193/a35new/dll.dll",
+ "protocol": "HTTP/1.1",
+ "hostname": "www.devyatinskiy.ru",
+ "length": 0,
+ "http_method": "GET"
+ },
+ "timestamp_detected": "2023-03-22T10:25:55.690Z",
+ "uuid": "fd5ba8ea-e263-426d-b4b2-a16521ae09b1",
+ "packet_info": {
+ "linktype": 1
+ },
+ "severity": 1,
+ "in_iface": "monvirt",
+ "src_ip": "1.1.1.1",
+ "host": "gcap-xxxxxxxx.domain.local",
+ "dest_ip": "2.2.2.2",
+ "flow_id": 1408237495862400,
+ "dest_port": 16122,
+ "@timestamp": "2023-03-22T10:44:08.001Z",
+ "timestamp_analyzed": "2023-03-22T10:44:08.001Z",
+ "gcap": "gcap-xxxxxxx.domain.local",
+ "type": "suricata",
+ "src_port": 8550,
+ "metadata": {
+ "flowbits": [
+ "min.gethttp",
+ "ETPROtxtminhead",
+ "http.dottedquadhost.dll"
+ ]
+ },
+ "community_id": "1:hEBuGl9msx7YJtg3Tb/+Gf+a1VI=",
+ "app_proto": "http",
+ "packet": "kOK6pqSQkOK6pqSRCABFAAC7Uz1AAEAGPT4py4AkHxzgtiFmPvokcIbSnp074oAYAGsSTgAAAQEICmgi0xNoItMTR0VUIC9ic2IvZGVidWdub3Nzby9pbmRleC5waHA/Tj1HTy1HTy1HQURHRVQtUEMtaW5zcGVjdG9yLWdhZGdldCUyMD0lMjAlMjAlMjAlMjBJbmljaWFyJTdCNjklN0QgSFRUUC8xLjENCkhvc3Q6IHd3dy5kZXZ5YXRpbnNraXkucnUNCg0K",
+ "proto": "TCP",
+ "stream": 1,
+ "flow": {
+ "bytes_toclient": 90364,
+ "bytes_toserver": 3084,
+ "pkts_toserver": 19,
+ "pkts_toclient": 66,
+ "start": "2023-03-22T10:25:55.345216+0000"
+ },
+ "tx_id": 5,
+ "ether": {
+ "dest_mac": "90:e2:ba:a6:a4:90",
+ "src_mac": "90:e2:ba:a6:a4:91"
+ },
+ "payload": "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",
+ "@version": "1",
+ "gcenter": "gcenter-xxxxxxxx.domain.local",
+ "payload_printable": "GET /download/QjtGDltmce/16082016vecO7OkL3yLPICleozibKE.vbs?dsid=gv5nq3.400b86c7196f9e8ccde35370eb0a54b9&sbsr=2f5b2df0ae0a8c7551c7df0bc46a9d79980&lgfp=3000 HTTP/1.1\r\nAccept: text/html, 
application/xhtml+xml, */*\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\nAccept-Encoding: gzip, deflate\r\nHost: dc524.4shared.com\r\nConnection: Keep-Alive\r\nCookie: day1host=h\r\n\r\nGET /web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F HTTP/1.1\r\nAccept: text/html, application/xhtml+xml, */*\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\nAccept-Encoding: gzip, deflate\r\nCookie: day1host=h\r\nConnection: Keep-Alive\r\nHost: cdnfiles.4shared.com\r\n\r\nGET /a35new/w7.txt HTTP/1.1\r\nHost: 65.181.125.193\r\nConnection: Keep-Alive\r\n\r\nGET /a35new/aw7.tiff HTTP/1.1\r\nHost: 65.181.125.193\r\n\r\nGET /bsb/infects/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Windows%207%20Home%20Premium%20%20%20%20=%20%20%20%20%20%20%20N/A HTTP/1.1\r\nHost: www.devyatinskiy.ru\r\nConnection: Keep-Alive\r\n\r\nGET /bsb/debugnosso/index.php?N=GO-GO-GADGET-PC-inspector-gadget%20=%20%20%20%20Iniciou%20o%20executar%20%20http://65.181.125.193/a35new/w7.zip%7Chttp://65.181.125.193/a35new/w7.zip%7C32%7Chttp://65.181.125.193/a35new/dll.dll HTTP/1.1\r\nHost: www.devyatinskiy.ru\r\n\r\n",
+ "alert": {
+ "signature": "ETPRO TROJAN MSIL/Bazidow.A HTTP C2",
+ "category": "A Network Trojan was detected",
+ "gid": 1,
+ "signature_id": 2828821,
+ "rev": 3,
+ "severity": 1,
+ "metadata": {
+ "affected_product": [
+ "Windows_XP_Vista_7_8_10_Server_32_64_Bit"
+ ],
+ "performance_impact": [
+ "Moderate"
+ ],
+ "deployment": [
+ "Perimeter"
+ ],
+ "created_at": [
+ "2017_12_07"
+ ],
+ "updated_at": [
+ "2022_05_03"
+ ],
+ 
"former_category": [
+ "MALWARE"
+ ],
+ "attack_target": [
+ "Client_Endpoint"
+ ],
+ "signature_severity": [
+ "Major"
+ ]
+ },
+ "action": "allowed"
+ }
+ }
+ ```
+
+
+
+=== "sigflow-file"
+
+
+ ```json
+ {
+ "event_type": "fileinfo",
+ "proto": "TCP",
+ "http": {
+ "protocol": "HTTP/1.1",
+ "url": "/web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F",
+ "hostname": "cdnfiles.4shared.com",
+ "status": 200,
+ "length": 1088,
+ "http_content_type": "APPLICATION/OCTET-STREAM",
+ "http_user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
+ "http_method": "GET"
+ },
+ "timestamp_detected": "2023-03-22T10:25:55.469Z",
+ "uuid": "24231245-276c-4509-9437-016b82f88c7c",
+ "type": "suricata",
+ "in_iface": "monvirt",
+ "src_ip": "1.1.1.1",
+ "host": "gcap-xxxxxxxxx.domain.local",
+ "dest_ip": "2.2.2.2",
+ "flow_id": 1408237495862400,
+ "@timestamp": "2023-03-22T10:44:07.998Z",
+ "timestamp_analyzed": "2023-03-22T10:44:07.998Z",
+ "@version": "1",
+ "gcap": "gcap-xxxxxxxxxx.domain.local",
+ "gcenter": "gcenter-xxxxxxxx.domain.local",
+ "fileinfo": {
+ "size": 1088,
+ "filename": "16082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs",
+ "state": "CLOSED",
+ "sha256": "f31faae778ecfee8e27041309444468a37ad7681d42d7972faa92fe2056721df",
+ "magic": "Little-endian UTF-16 Unicode text, with CRLF line terminators",
+ "sid": [],
+ "stored": false,
+ "tx_id": 1,
+ "gaps": false,
+ "md5": "d526c8e4ad7ab6d80baeb839976b7c80"
+ },
+ "dest_port": 8550,
+ "src_port": 16122,
+ "app_proto": "http"
+ }
+ ```
+
+
+
+=== "sigflow-meta"
+
+
+ ```json
+ {
+ "event_type": "http",
+ "http": {
+ "accept_encoding": "gzip, deflate",
+ "server": 
"524",
+ "accept": "text/html, application/xhtml+xml, */*",
+ "url": "/download/QjtGDltmce/16082016vecO7OkL3yLPICleozibKE.vbs?dsid=gv5nq3.400b86c7196f9e8ccde35370eb0a54b9&sbsr=2f5b2df0ae0a8c7551c7df0bc46a9d79980&lgfp=3000",
+ "protocol": "HTTP/1.1",
+ "hostname": "dc524.4shared.com",
+ "accept_language": "en-US",
+ "location": "http://cdnfiles.4shared.com/web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F",
+ "length": 0,
+ "status": 302,
+ "http_user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
+ "date": "Wed, 17 Aug 2016 01:34:43 GMT",
+ "redirect": "http://cdnfiles.4shared.com/web/cdn/popular/download/QjtGDltmce?contDisp=attachment%3B+filename%3D%2216082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs%22%3B+filename*%3Dutf-8%27%2716082016vecO7OkL3yLPICleozibKEHa861Hzh9GF.vbs&contType=APPLICATION%2FOCTET-STREAM&cdnh=7a74553a057ea55fc568b80e60cd7fa2&d3c=fdsQjtGDltmce%3DINITIALIZED%3B+domain%3D.4shared.com%3B+expires%3DWed%2C+17-Aug-2016+01%3A36%3A44+GMT%3B+path%3D%2F",
+ "content_length": "0",
+ "cookie": "day1host=h",
+ "http_method": "GET"
+ },
+ "timestamp_detected": "2023-03-22T10:25:55.377Z",
+ "uuid": "f8ee6e33-91ef-404f-bad3-a69185416a0d",
+ "type": "suricata",
+ "in_iface": "monvirt",
+ "src_ip": "1.1.1.1",
+ "host": "gcap-xxxxxxxxx.domain.local",
+ "dest_ip": "2.2.2.2",
+ "flow_id": 1408237495862400,
+ "@timestamp": "2023-03-22T10:44:07.997Z",
+ "timestamp_analyzed": "2023-03-22T10:44:07.997Z",
+ "gcap": "gcap-xxxxxxxxx.domain.local",
+ "dest_port": 16122,
+ "src_port": 8550,
+ "community_id": "1:hEBuGl9msx7YJtg3Tb/+Gf+a1VI=",
+ "proto": "TCP",
+ "tx_id": 0,
+ "ether": {
+ "dest_mac": 
"90:e2:ba:a6:a4:90", + "src_mac": "90:e2:ba:a6:a4:91" + }, + "@version": "1", + "gcenter": "gcenter-xxxxxxxxxx.domain.local" + } + ``` + + + diff --git a/_shared_content/operations_center/integrations/generated/09754cc4-e247-4712-9a76-25529ba11b8b.md b/_shared_content/operations_center/integrations/generated/09754cc4-e247-4712-9a76-25529ba11b8b.md new file mode 100644 index 0000000000..e495a9142c --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/09754cc4-e247-4712-9a76-25529ba11b8b.md 
@@ -0,0 +1,265 @@ + +### Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Authentication logs` | None | + + + + + +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `` | +| Category | `authentication`, `configuration`, `session` | +| Type | `change`, `info`, `start` | + + + + +### Transformed Events Samples after Ingestion + +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. 
+ +=== "test_audit_events.json" + + ```json + + { + "message": "{\"sekoia_event_type\": \"auditevents\", \"uuid\": \"56YE2TYN2VFYRLNSHKPW5NVT5E\", \"timestamp\": \"2023-03-15T16:33:50-03:00\", \"actor_uuid\": \"4HCGRGYCTRQFBMGVEGTABYDU2V\", \"actor_details\": {\"uuid\": \"4HCGRGYCTRQFBMGVEGTABYDU2V\", \"name\": \"Jane Doe\", \"email\": \"jane.doe@example.com\"}, \"action\": \"join\", \"object_type\": \"gm\", \"object_uuid\": \"pf8soyakgngrphytsyjed4ae3u\", \"aux_id\": 9277034, \"aux_uuid\": \"K6VFYDCJKHGGDI7QFAXX65LCDY\", \"aux_details\": {\"uuid\": \"K6VFYDCJKHGGDI7QFAXX65LCDY\", \"name\": \"John Doe\", \"email\": \"john.doe@example.com\"}, \"aux_info\": \"R\", \"session\": {\"uuid\": \"A5K6COGVRVEJXJW3XQZGS7VAMM\", \"login_time\": \"2023-03-15T16:33:50-03:00\", \"device_uuid\": \"lc5fqgbrcm4plajd8mwncv2b3u\", \"ip\": \"1.2.3.4\"}, \"location\": {\"country\": \"Canada\", \"region\": \"Ontario\", \"city\": \"Toronto\", \"latitude\": 43.5991, \"longitude\": -79.4988}}", + "event": { + "action": "join", + "category": [ + "configuration" + ], + "dataset": "auditevents", + "outcome": "failure", + "type": [ + "change" + ] + }, + "1password": { + "object": { + "type": "gm", + "uuid": "pf8soyakgngrphytsyjed4ae3u" + }, + "session_uuid": "A5K6COGVRVEJXJW3XQZGS7VAMM" + }, + "@timestamp": "2023-03-15T19:33:50Z", + "client": { + "address": "1.2.3.4", + "geo": { + "city_name": "Toronto", + "country_name": "Canada", + "location": { + "lat": 43.5991, + "lon": -79.4988 + }, + "region_name": "Ontario" + }, + "ip": "1.2.3.4" + }, + "host": { + "id": "lc5fqgbrcm4plajd8mwncv2b3u" + }, + "observer": { + "product": "1Password EPM", + "vendor": "Agilebits" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "Jane Doe" + ] + }, + "user": { + "email": "jane.doe@example.com", + "id": "4HCGRGYCTRQFBMGVEGTABYDU2V", + "name": "Jane Doe", + "target": { + "email": "john.doe@example.com", + "id": "K6VFYDCJKHGGDI7QFAXX65LCDY", + "name": "John Doe" + } + } + } + + ``` + + +=== 
"test_item_usage_events.json" + + ```json + + { + "message": "{\"sekoia_event_type\": \"itemusages\", \"uuid\": \"56YE2TYN2VFYRLNSHKPW5NVT5E\", \"timestamp\": \"2023-03-15T16:33:50-03:00\", \"used_version\": 0, \"vault_uuid\": \"VZSYVT2LGHTBWBQGUJAIZVRABM\", \"item_uuid\": \"SDGD3I4AJYO6RMHRK8DYVNFIDZ\", \"user\": {\"uuid\": \"4HCGRGYCTRQFBMGVEGTABYDU2V\", \"name\": \"John Doe\", \"email\": \"john.doe@example.com\"}, \"client\": {\"app_name\": \"1Password Browser\", \"app_version\": \"20240\", \"platform_name\": \"Chrome\", \"platform_version\": \"string\", \"os_name\": \"MacOSX\", \"os_version\": \"13.2\", \"ip_address\": \"1.2.3.4\"}, \"location\": {\"country\": \"Canada\", \"region\": \"Ontario\", \"city\": \"Toronto\", \"latitude\": 43.5991, \"longitude\": -79.4988}, \"action\": \"secure-copy\"}", + "event": { + "action": "secure-copy", + "category": [ + "session" + ], + "dataset": "itemusages", + "outcome": "failure", + "type": [ + "info" + ] + }, + "1password": { + "item_uuid": "SDGD3I4AJYO6RMHRK8DYVNFIDZ", + "vault_uuid": "VZSYVT2LGHTBWBQGUJAIZVRABM" + }, + "@timestamp": "2023-03-15T19:33:50Z", + "client": { + "address": "1.2.3.4", + "geo": { + "city_name": "Toronto", + "country_name": "Canada", + "location": { + "lat": 43.5991, + "lon": -79.4988 + }, + "region_name": "Ontario" + }, + "ip": "1.2.3.4" + }, + "host": { + "os": { + "name": "MacOSX", + "version": "13.2" + } + }, + "observer": { + "product": "1Password EPM", + "vendor": "Agilebits" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "John Doe" + ] + }, + "user": { + "email": "john.doe@example.com", + "id": "4HCGRGYCTRQFBMGVEGTABYDU2V", + "name": "John Doe" + } + } + + ``` + + +=== "test_sign_in_attempts.json" + + ```json + + { + "message": "{\"sekoia_event_type\": \"signinattempts\", \"uuid\": \"56YE2TYN2VFYRLNSHKPW5NVT5E\", \"session_uuid\": \"A5K6COGVRVEJXJW3XQZGS7VAMM\", \"timestamp\": \"2023-03-15T16:32:50-03:00\", \"category\": \"firewall_failed\", \"type\": \"continent_blocked\", 
\"country\": \"France\", \"details\": {\"value\": \"Europe\"}, \"target_user\": {\"uuid\": \"IR7VJHJ36JHINBFAD7V2T5MP3E\", \"name\": \"John Doe\", \"email\": \"john.doe@example.com\"}, \"client\": {\"app_name\": \"1Password Browser\", \"app_version\": \"20240\", \"platform_name\": \"Chrome\", \"platform_version\": \"string\", \"os_name\": \"MacOSX\", \"os_version\": \"13.2\", \"ip_address\": \"1.2.3.4\"}, \"location\": {\"country\": \"Canada\", \"region\": \"Ontario\", \"city\": \"Toronto\", \"latitude\": 43.5991, \"longitude\": -79.4988}}", + "event": { + "category": [ + "authentication" + ], + "dataset": "signinattempts", + "outcome": "failure", + "type": [ + "start" + ] + }, + "1password": { + "category": "firewall_failed", + "session_uuid": "A5K6COGVRVEJXJW3XQZGS7VAMM", + "type": "continent_blocked" + }, + "@timestamp": "2023-03-15T19:32:50Z", + "client": { + "address": "1.2.3.4", + "geo": { + "city_name": "Toronto", + "country_name": "Canada", + "location": { + "lat": 43.5991, + "lon": -79.4988 + }, + "region_name": "Ontario" + }, + "ip": "1.2.3.4" + }, + "host": { + "os": { + "name": "MacOSX", + "version": "13.2" + } + }, + "observer": { + "product": "1Password EPM", + "vendor": "Agilebits" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "user": { + "target": { + "email": "john.doe@example.com", + "id": "IR7VJHJ36JHINBFAD7V2T5MP3E", + "name": "John Doe" + } + } + } + + ``` + + + + + +### Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. 
+ +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`1password.category` | `keyword` | | +|`1password.item_uuid` | `keyword` | | +|`1password.object.email` | `keyword` | | +|`1password.object.name` | `keyword` | | +|`1password.object.type` | `keyword` | | +|`1password.object.uuid` | `keyword` | | +|`1password.session_uuid` | `keyword` | | +|`1password.type` | `keyword` | | +|`1password.vault_uuid` | `keyword` | | +|`@timestamp` | `date` | Date/time when the event originated. | +|`client.geo.city_name` | `keyword` | City name. | +|`client.geo.country_name` | `keyword` | Country name. | +|`client.geo.region_name` | `keyword` | Region name. | +|`client.ip` | `ip` | IP address of the client. | +|`event.action` | `keyword` | The action captured by the event. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.dataset` | `keyword` | Name of the dataset. | +|`event.outcome` | `keyword` | The outcome of the event. The lowest level categorization field in the hierarchy. | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`host.id` | `keyword` | Unique host id. | +|`host.os.name` | `keyword` | Operating system name, without the version. | +|`host.os.version` | `keyword` | Operating system version as a raw string. | +|`observer.product` | `keyword` | The product name of the observer. | +|`observer.vendor` | `keyword` | Vendor name of the observer. | +|`user.email` | `keyword` | User email address. | +|`user.id` | `keyword` | Unique identifier of the user. | +|`user.name` | `keyword` | Short name or login of the user. | +|`user.target.email` | `keyword` | User email address. | +|`user.target.id` | `keyword` | Unique identifier of the user. | +|`user.target.name` | `keyword` | Short name or login of the user. 
| + + + +For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events [here](https://github.com/SEKOIA-IO/intake-formats/tree/main/1Password/1password-epm). \ No newline at end of file diff --git a/_shared_content/operations_center/integrations/generated/09754cc4-e247-4712-9a76-25529ba11b8b_sample.md b/_shared_content/operations_center/integrations/generated/09754cc4-e247-4712-9a76-25529ba11b8b_sample.md new file mode 100644 index 0000000000..f23bffc6b8 --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/09754cc4-e247-4712-9a76-25529ba11b8b_sample.md 
@@ -0,0 +1,128 @@ + +### Raw Events Samples + +In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured. + + +=== "test_audit_events" + + + ```json + { + "sekoia_event_type": "auditevents", + "uuid": "56YE2TYN2VFYRLNSHKPW5NVT5E", + "timestamp": "2023-03-15T16:33:50-03:00", + "actor_uuid": "4HCGRGYCTRQFBMGVEGTABYDU2V", + "actor_details": { + "uuid": "4HCGRGYCTRQFBMGVEGTABYDU2V", + "name": "Jane Doe", + "email": "jane.doe@example.com" + }, + "action": "join", + "object_type": "gm", + "object_uuid": "pf8soyakgngrphytsyjed4ae3u", + "aux_id": 9277034, + "aux_uuid": "K6VFYDCJKHGGDI7QFAXX65LCDY", + "aux_details": { + "uuid": "K6VFYDCJKHGGDI7QFAXX65LCDY", + "name": "John Doe", + "email": "john.doe@example.com" + }, + "aux_info": "R", + "session": { + "uuid": "A5K6COGVRVEJXJW3XQZGS7VAMM", + "login_time": "2023-03-15T16:33:50-03:00", + "device_uuid": "lc5fqgbrcm4plajd8mwncv2b3u", + "ip": "1.2.3.4" + }, + "location": { + "country": "Canada", + "region": "Ontario", + "city": "Toronto", + "latitude": 43.5991, + "longitude": -79.4988 + } + } + ``` + + + +=== "test_item_usage_events" + + + ```json + { + "sekoia_event_type": "itemusages", + "uuid": "56YE2TYN2VFYRLNSHKPW5NVT5E", + "timestamp": "2023-03-15T16:33:50-03:00", + "used_version": 0, + "vault_uuid": "VZSYVT2LGHTBWBQGUJAIZVRABM", + "item_uuid": "SDGD3I4AJYO6RMHRK8DYVNFIDZ", + "user": { + "uuid": "4HCGRGYCTRQFBMGVEGTABYDU2V", + "name": "John Doe", + "email": "john.doe@example.com" + }, + "client": { + "app_name": "1Password Browser", + "app_version": "20240", + "platform_name": "Chrome", + "platform_version": "string", + "os_name": "MacOSX", + "os_version": "13.2", + "ip_address": "1.2.3.4" + }, + "location": { + "country": "Canada", + "region": "Ontario", + "city": "Toronto", + 
"latitude": 43.5991, + "longitude": -79.4988 + }, + "action": "secure-copy" + } + ``` + + + +=== "test_sign_in_attempts" + + + ```json + { + "sekoia_event_type": "signinattempts", + "uuid": "56YE2TYN2VFYRLNSHKPW5NVT5E", + "session_uuid": "A5K6COGVRVEJXJW3XQZGS7VAMM", + "timestamp": "2023-03-15T16:32:50-03:00", + "category": "firewall_failed", + "type": "continent_blocked", + "country": "France", + "details": { + "value": "Europe" + }, + "target_user": { + "uuid": "IR7VJHJ36JHINBFAD7V2T5MP3E", + "name": "John Doe", + "email": "john.doe@example.com" + }, + "client": { + "app_name": "1Password Browser", + "app_version": "20240", + "platform_name": "Chrome", + "platform_version": "string", + "os_name": "MacOSX", + "os_version": "13.2", + "ip_address": "1.2.3.4" + }, + "location": { + "country": "Canada", + "region": "Ontario", + "city": "Toronto", + "latitude": 43.5991, + "longitude": -79.4988 + } + } + ``` + + + diff --git a/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md b/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md index da08d70cb0..4e80f00d88 100644 --- a/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md +++ b/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md 
@@ -684,6 +684,89 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "mobile_detection_network_connections.json" + + ```json + + { + "message": "{\"metadata\":{\"customerIDString\":\"0123456789ABCDEFGHIJKLMNOPQRSTUV\",\"offset\":13896542,\"eventType\":\"MobileDetectionSummaryEvent\",\"eventCreationTime\":1722754343000,\"version\":\"1.0\"},\"event\":{\"SensorId\":\"85ae98xxxxxxd9a8f2\",\"MobileDetectionId\":2,\"ComputerName\":\"host\",\"UserName\":\"user.name@test.com\",\"ContextTimeStamp\":1722754273,\"DetectId\":\"0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|2\",\"DetectName\":\"CkbSensorDetectDomainHighUI\",\"DetectDescription\":\"A domain lookup matched a CrowdStrike Intelligence indicator that has previously been used in targeted attacks.\",\"Tactic\":\"Falcon Intel\",\"TacticId\":\"CSTA0008\",\"Technique\":\"Intelligence Indicator - Domain\",\"TechniqueId\":\"CST0023\",\"Objective\":\"Falcon Detection Method\",\"Severity\":70,\"FalconHostLink\":\"https://falcon.eu-1.crowdstrike.com/mobile/detections/0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|2?_cid=0123456789ABCDEFGHIJKLMNOPQRSTUV\",\"MobileNetworkConnections\":[{\"AccessTimestamp\":1722754273,\"Protocol\":\"6\",\"ConnectionFlags\":0,\"LocalAddress\":\"\",\"RemoteAddress\":\"1.2.3.4\",\"RemotePort\":1,\"ConnectionDirection\":0,\"Url\":\"https://crowdstrike.test.com/integration\",\"IsIPV6\":false,\"ContextProcessId\":17793441978049446000}],\"ApplicationName\":\".com.google.chrome.ios\",\"NetworkDetectionType\":\"prevented\",\"SourceVendors\":\"CrowdStrike\",\"SourceProducts\":\"Falcon for Mobile\",\"DataDomains\":\"Endpoint\",\"PatternId\":41124,\"CompositeId\":\"7da61e27e34f4b8394081896af72e2c7:ind:2250689c5d8e43ccad2f5a7b56bced5b:41124|2\",\"Name\":\"CkbSensorDetectDomainHighUI\",\"Description\":\"A domain lookup matched a CrowdStrike Intelligence indicator that has previously been used in targeted attacks.\"}}", + "event": { + 
"action": "prevented", + "category": [ + "intrusion_detection" + ], + "dataset": [ + "MobileDetection" + ], + "kind": "alert", + "severity": 70, + "type": "info", + "url": "https://falcon.eu-1.crowdstrike.com/mobile/detections/0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|2?_cid=0123456789ABCDEFGHIJKLMNOPQRSTUV" + }, + "@timestamp": "2024-08-04T06:52:23Z", + "agent": { + "id": "85ae98xxxxxxd9a8f2" + }, + "crowdstrike": { + "customer_id": "0123456789ABCDEFGHIJKLMNOPQRSTUV", + "detect_description": "A domain lookup matched a CrowdStrike Intelligence indicator that has previously been used in targeted attacks.", + "detect_id": "0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|2", + "detect_name": "CkbSensorDetectDomainHighUI", + "event_objective": "Falcon Detection Method", + "event_type": "MobileDetectionSummaryEvent", + "mobile": { + "network_connections": [ + { + "context": { + "pid": "17793441978049446000" + }, + "destination": { + "address": "1.2.3.4", + "port": 1 + }, + "direction": 0, + "flags": 0, + "is_ipv6": false, + "protocol": 6, + "timestamp": "2024-08-04T06:51:13.000000Z", + "url": "https://crowdstrike.test.com/integration" + } + ] + } + }, + "host": { + "name": "host" + }, + "network": { + "application": ".com.google.chrome.ios" + }, + "observer": { + "product": "Falcon for Mobile", + "vendor": "CrowdStrike" + }, + "related": { + "user": [ + "user.name@test.com" + ] + }, + "threat": { + "tactic": { + "id": "CSTA0008", + "name": "Falcon Intel" + }, + "technique": { + "id": "CST0023", + "name": "Intelligence Indicator - Domain" + } + }, + "user": { + "name": "user.name@test.com" + } + } + + ``` + + === "mobile_detection_summary_1.json" ```json 
@@ -1236,6 +1319,7 @@ The following table lists the fields that are extracted, normalized under the EC |`crowdstrike.incident_id` | `keyword` | The incident ID of the incident | |`crowdstrike.incident_start` | `date` | Time of the first activity in the incident | |`crowdstrike.incident_type` | `keyword` | Identity-based incident or detection name | +|`crowdstrike.mobile.network_connections` | `array` | Mobile network connections | |`crowdstrike.object_id` | `keyword` | The identifier of a vertex | |`crowdstrike.operation_name` | `keyword` | Operation name | |`crowdstrike.pattern_id` | `keyword` | Identifies the pattern used for the detection | diff --git a/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29_sample.md b/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29_sample.md index 8c4b913011..45009a062d 100644 --- a/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29_sample.md +++ b/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29_sample.md 
@@ -1033,6 +1033,63 @@ In this section, you will find examples of raw logs as generated natively by the +=== "mobile_detection_network_connections" + + + ```json + { + "metadata": { + "customerIDString": "0123456789ABCDEFGHIJKLMNOPQRSTUV", + "offset": 13896542, + "eventType": "MobileDetectionSummaryEvent", + "eventCreationTime": 1722754343000, + "version": "1.0" + }, + "event": { + "SensorId": "85ae98xxxxxxd9a8f2", + "MobileDetectionId": 2, + "ComputerName": "host", + "UserName": "user.name@test.com", + "ContextTimeStamp": 1722754273, + "DetectId": "0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|2", + "DetectName": "CkbSensorDetectDomainHighUI", + "DetectDescription": "A domain lookup matched a CrowdStrike Intelligence indicator that has previously been used in targeted attacks.", + "Tactic": "Falcon Intel", + "TacticId": "CSTA0008", + "Technique": "Intelligence Indicator - Domain", + "TechniqueId": "CST0023", + "Objective": "Falcon Detection Method", + "Severity": 70, + "FalconHostLink": "https://falcon.eu-1.crowdstrike.com/mobile/detections/0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|2?_cid=0123456789ABCDEFGHIJKLMNOPQRSTUV", + "MobileNetworkConnections": [ + { + "AccessTimestamp": 1722754273, + "Protocol": "6", + "ConnectionFlags": 0, + "LocalAddress": "", + "RemoteAddress": "1.2.3.4", + "RemotePort": 1, + "ConnectionDirection": 0, + "Url": "https://crowdstrike.test.com/integration", + "IsIPV6": false, + "ContextProcessId": 17793441978049446000 + } + ], + "ApplicationName": ".com.google.chrome.ios", + "NetworkDetectionType": "prevented", + "SourceVendors": "CrowdStrike", + "SourceProducts": "Falcon for Mobile", + "DataDomains": "Endpoint", + "PatternId": 41124, + "CompositeId": "7da61e27e34f4b8394081896af72e2c7:ind:2250689c5d8e43ccad2f5a7b56bced5b:41124|2", + "Name": "CkbSensorDetectDomainHighUI", + "Description": "A domain lookup matched a CrowdStrike Intelligence indicator that has previously been used in targeted attacks." 
+ } + } + ``` + + + === "mobile_detection_summary_1" diff --git a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md index 7bf09eb7b5..5d9aa0cb0c 100644 --- a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md +++ b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md @@ -1685,7 +1685,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "action": { "id": 1001, "properties": { - "param0": "", "param1": "0", "param10": "0", "param11": "8024500b", @@ -1693,13 +1692,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "param13": "{581473F3-A4DC-4D00-8245-D203EAA9B5A9}", "param14": "0", "param15": "C:\\Windows\\WindowsUpdate.log\r\nC:\\Windows\\SoftwareDistribution\\ReportingEvents.log", - "param16": "", - "param17": "", "param18": "0", "param19": "3e7b694e-4cf1-45cc-93ff-f30da6e8f683", "param2": "WindowsUpdateFailure3", "param20": "262144", - "param21": "", "param3": "Non disponible", "param4": "0", "param5": "7.9.9600.19915", 
@@ -1847,27 +1843,18 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "IpAddress": "1.2.3.4", "IpPort": "17780", "KeyLength": "0", - "LmPackageName": "-", "LogonGuid": "{7B5ACC17-5CED-4A2D-ABCB-BECAE6799395}", "LogonProcessName": "Kerbe", "LogonType": "3", "ProcessId": "0x0", - "ProcessName": "-", - "RestrictedAdminMode": "-", - "SubjectDomainName": "-", "SubjectLogonId": "0x0", - "SubjectUserName": "-", "SubjectUserSid": "S-1-0-0", "TargetDomainName": "example.org", "TargetLinkedLogonId": "0x0", "TargetLogonId": "0x6accabcc3", - "TargetOutboundDomainName": "-", - "TargetOutboundUserName": "-", "TargetUserName": "john.doe$", "TargetUserSid": "S-1-5-21-11111111111-111111111111-11111111-111", - "TransmittedServices": "-", - "VirtualAccount": "%%1843", - "WorkstationName": "-" + "VirtualAccount": "%%1843" } }, "agent": { @@ -2023,22 +2010,15 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "IpAddress": "166.88.151.58", "IpPort": "0", "KeyLength": "0", - "LmPackageName": "-", "LogonProcessName": "NtLmSsp ", "LogonType": "3", "ProcessId": "0x0", - "ProcessName": "-", "Status": "0xc000006d", "SubStatus": "0xc000006a", - "SubjectDomainName": "-", "SubjectLogonId": "0x0", - "SubjectUserName": "-", "SubjectUserSid": "S-1-0-0", - "TargetDomainName": null, "TargetUserName": "ADMINISTRATOR", - "TargetUserSid": "S-1-0-0", - "TransmittedServices": "-", - "WorkstationName": "-" + "TargetUserSid": "S-1-0-0" } }, "agent": { 
@@ -2124,48 +2104,40 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "action": { "id": 1116, "properties": { - "Action ID": "9", - "Action Name": "Non applicable", - "Additional Actions ID": "0", - "Additional Actions String": "No additional actions required", - "Category ID": "30", - "Category Name": "Attaque", - "Detection ID": "{2E51DC7F-A01D-4E9E-94C8-782C63D85C6E}", - "Detection Time": "2022-01-03T05:44:57.284Z", - "Detection User": "AUTORITE NT\\Syst\u00e8me", - "Engine Version": "AM: 1.1.18800.4, NIS: 1.1.18800.4", - "Error Code": "0x00000000", - "Error Description": "L\u2019op\u00e9ration a r\u00e9ussi. ", - "Execution ID": "1", - "Execution Name": "Suspendu", + "ActionID": "9", + "ActionName": "Non applicable", + "AdditionalActionsID": "0", + "AdditionalActionsString": "No additional actions required", + "CategoryID": "30", + "CategoryName": "Attaque", + "DetectionID": "{2E51DC7F-A01D-4E9E-94C8-782C63D85C6E}", + "DetectionTime": "2022-01-03T05:44:57.284Z", + "DetectionUser": "AUTORITE NT\\Syst\u00e8me", + "EngineVersion": "AM: 1.1.18800.4, NIS: 1.1.18800.4", + "ErrorCode": "0x00000000", + "ErrorDescription": "L\u2019op\u00e9ration a r\u00e9ussi. 
", + "ExecutionID": "1", + "ExecutionName": "Suspendu", "FWLink": "https://go.microsoft.com/fwlink/?linkid=37020&name=Exploit:O97M/CVE-2017-11882.SMK!MTB&threatid=2147772194&enterprise=0", - "Origin ID": "1", - "Origin Name": "Ordinateur local", + "OriginID": "1", + "OriginName": "Ordinateur local", "Path": "file:_C:\\Program Files\\Avast\\Amex\\temp\\TMMSG_45AD4A29-D7BD-AE8F-FFBC-4115652291C2", - "Post Clean Status": "0", - "Pre Execution Status": "0", - "Process Name": "C:\\Program Files\\Avast\\Amex\\AMEX_secondary.exe", - "Product Name": "Antivirus Microsoft Defender", - "Product Version": "4.18.2111.5", - "Remediation User": null, - "Security intelligence Version": "AV: 1.355.1292.0, AS: 1.355.1292.0, NIS: 1.355.1292.0", - "Severity ID": "5", - "Severity Name": "Grave", - "Source ID": "3", - "Source Name": "Protection en temps r\u00e9el", + "PostCleanStatus": "0", + "PreExecutionStatus": "0", + "ProcessName": "C:\\Program Files\\Avast\\Amex\\AMEX_secondary.exe", + "ProductName": "Antivirus Microsoft Defender", + "ProductVersion": "4.18.2111.5", + "SecurityintelligenceVersion": "AV: 1.355.1292.0, AS: 1.355.1292.0, NIS: 1.355.1292.0", + "SeverityID": "5", + "SeverityName": "Grave", + "SourceID": "3", + "SourceName": "Protection en temps r\u00e9el", "State": "1", - "Status Code": "1", - "Status Description": null, - "Threat ID": "2147772194", - "Threat Name": "Exploit:O97M/CVE-2017-11882.SMK", - "Type ID": "0", - "Type Name": "Concret", - "Unused": null, - "Unused2": null, - "Unused3": null, - "Unused4": null, - "Unused5": null, - "Unused6": null + "StatusCode": "1", + "ThreatID": "2147772194", + "ThreatName": "Exploit:O97M/CVE-2017-11882.SMK", + "TypeID": "0", + "TypeName": "Concret" } }, "agent": { 
@@ -2214,12 +2186,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "properties": { "AccessList": "%%1538\n\t\t\t\t%%1541\n\t\t\t\t%%4416\n\t\t\t\t%%4417\n\t\t\t\t%%4418\n\t\t\t\t%%4419\n\t\t\t\t%%4420\n\t\t\t\t%%4423\n\t\t\t\t%%4424\n\t\t\t\t", "AccessMask": "0x12019f", - "AccessReason": "-", "IpAddress": "10.84.128.186", "IpPort": "50846", "ObjectType": "File", "RelativeTargetName": "NETLOGON", - "ShareLocalPath": null, "ShareName": "\\\\*\\IPC$", "SubjectDomainName": "AUTORITE NT", "SubjectLogonId": "0x3ad88f7f3", 
@@ -2352,11 +2322,182 @@ The following table lists the fields that are extracted, normalized under the EC | Name | Type | Description | | ---- | ---- | ---------------------------| |`@timestamp` | `date` | Date/time when the event originated. | -|`action.properties` | `object` | A detailed set of attributes associated with a specific action, typically involving user authentication or a network event. It contains the following keys: | +|`action.properties.ASsecurityintelligencecreationtime` | `keyword` | | +|`action.properties.ASsecurityintelligenceversion` | `keyword` | | +|`action.properties.AVsecurityintelligencecreationtime` | `keyword` | | +|`action.properties.AVsecurityintelligenceversion` | `keyword` | | +|`action.properties.AccessList` | `keyword` | | +|`action.properties.AccessMask` | `keyword` | | +|`action.properties.AccessReason` | `keyword` | | +|`action.properties.ActionID` | `keyword` | | +|`action.properties.ActionName` | `keyword` | | +|`action.properties.AdditionalActionsID` | `keyword` | | +|`action.properties.AdditionalActionsString` | `keyword` | | +|`action.properties.AuthenticationPackageName` | `keyword` | | +|`action.properties.BMstate` | `keyword` | | +|`action.properties.CacheState` | `keyword` | | +|`action.properties.CallerProcessId` | `keyword` | | +|`action.properties.CallerProcessName` | `keyword` | | +|`action.properties.CategoryID` | `keyword` | | +|`action.properties.CategoryName` | `keyword` | | +|`action.properties.ClientProcessId` | `keyword` | | +|`action.properties.ClientProcessStartKey` | `keyword` | | +|`action.properties.DetectionID` | `keyword` | | +|`action.properties.DetectionTime` | `keyword` | | +|`action.properties.DetectionUser` | `keyword` | | +|`action.properties.ElevatedToken` | `keyword` | | +|`action.properties.EngineVersion` | `keyword` | | +|`action.properties.Engineup-to-date` | `keyword` | | +|`action.properties.Engineversion` | `keyword` | | +|`action.properties.ErrorCode` | `keyword` | | 
+|`action.properties.ErrorDescription` | `keyword` | | +|`action.properties.ExecutionID` | `keyword` | | +|`action.properties.ExecutionName` | `keyword` | | +|`action.properties.FQDN` | `keyword` | | +|`action.properties.FWLink` | `keyword` | | +|`action.properties.FailureReason` | `keyword` | | +|`action.properties.FileNameBuffer` | `keyword` | | +|`action.properties.FileNameLength` | `keyword` | | +|`action.properties.Flags` | `keyword` | | +|`action.properties.Hash` | `keyword` | | +|`action.properties.HashSize` | `keyword` | | +|`action.properties.IOAVstate` | `keyword` | | +|`action.properties.ImpersonationLevel` | `keyword` | | +|`action.properties.IpAddress` | `keyword` | | +|`action.properties.IpPort` | `keyword` | | +|`action.properties.IssuerName` | `keyword` | | +|`action.properties.IssuerNameLength` | `keyword` | | +|`action.properties.IssuerTBSHash` | `keyword` | | +|`action.properties.IssuerTBSHashSize` | `keyword` | | +|`action.properties.KeyLength` | `keyword` | | +|`action.properties.LastASsecurityintelligenceage` | `keyword` | | +|`action.properties.LastAVsecurityintelligenceage` | `keyword` | | +|`action.properties.Lastfullscanage` | `keyword` | | +|`action.properties.Lastfullscanendtime` | `keyword` | | +|`action.properties.Lastfullscansource` | `keyword` | | +|`action.properties.Lastfullscanstarttime` | `keyword` | | +|`action.properties.Lastquickscanage` | `keyword` | | +|`action.properties.Lastquickscanendtime` | `keyword` | | +|`action.properties.Lastquickscansource` | `keyword` | | +|`action.properties.Lastquickscanstarttime` | `keyword` | | +|`action.properties.Latestengineversion` | `keyword` | | +|`action.properties.Latestplatformversion` | `keyword` | | +|`action.properties.LmPackageName` | `keyword` | | +|`action.properties.LogonGuid` | `keyword` | | +|`action.properties.LogonProcessName` | `keyword` | | +|`action.properties.LogonType` | `keyword` | | +|`action.properties.NRIengineversion` | `keyword` | | 
+|`action.properties.NRIsecurityintelligenceversion` | `keyword` | | +|`action.properties.NotValidAfter` | `keyword` | | +|`action.properties.NotValidBefore` | `keyword` | | +|`action.properties.OAstate` | `keyword` | | +|`action.properties.ObjectType` | `keyword` | | +|`action.properties.OriginID` | `keyword` | | +|`action.properties.OriginName` | `keyword` | | +|`action.properties.PageHash` | `keyword` | | +|`action.properties.ParentProcessId` | `keyword` | | |`action.properties.Path` | `keyword` | | +|`action.properties.Platformup-to-date` | `keyword` | | +|`action.properties.Platformversion` | `keyword` | | +|`action.properties.PolicyBits` | `keyword` | | +|`action.properties.PostCleanStatus` | `keyword` | | +|`action.properties.PreExecutionStatus` | `keyword` | | +|`action.properties.ProcessId` | `keyword` | | +|`action.properties.ProcessName` | `keyword` | | +|`action.properties.ProcessNameBuffer` | `keyword` | | +|`action.properties.ProcessNameLength` | `keyword` | | +|`action.properties.ProductName` | `keyword` | | +|`action.properties.ProductVersion` | `keyword` | | +|`action.properties.Productstatus` | `keyword` | | +|`action.properties.ProfileChanged` | `keyword` | | +|`action.properties.PublisherName` | `keyword` | | +|`action.properties.PublisherNameLength` | `keyword` | | +|`action.properties.PublisherTBSHash` | `keyword` | | +|`action.properties.PublisherTBSHashSize` | `keyword` | | +|`action.properties.RTPstate` | `keyword` | | +|`action.properties.RelativeTargetName` | `keyword` | | +|`action.properties.RemediationUser` | `keyword` | | +|`action.properties.RequestedPolicy` | `keyword` | | +|`action.properties.RequestedSigningLevel` | `keyword` | | +|`action.properties.RestrictedAdminMode` | `keyword` | | +|`action.properties.RpcCallClientLocality` | `keyword` | | +|`action.properties.RuleId` | `keyword` | | +|`action.properties.RuleName` | `keyword` | | |`action.properties.ScriptBlockText` | `keyword` | | +|`action.properties.SecureRequired` | 
`keyword` | | +|`action.properties.SecurityintelligenceVersion` | `keyword` | | +|`action.properties.SeverityID` | `keyword` | | +|`action.properties.SeverityName` | `keyword` | | +|`action.properties.ShareLocalPath` | `keyword` | | +|`action.properties.ShareName` | `keyword` | | +|`action.properties.Signature` | `keyword` | | +|`action.properties.SignatureType` | `keyword` | | +|`action.properties.SourceID` | `keyword` | | +|`action.properties.SourceName` | `keyword` | | +|`action.properties.State` | `keyword` | | +|`action.properties.Status` | `keyword` | | +|`action.properties.StatusCode` | `keyword` | | +|`action.properties.StatusDescription` | `keyword` | | +|`action.properties.SubStatus` | `keyword` | | +|`action.properties.SubjectDomainName` | `keyword` | | +|`action.properties.SubjectLogonId` | `keyword` | | +|`action.properties.SubjectUserName` | `keyword` | | +|`action.properties.SubjectUserSid` | `keyword` | | +|`action.properties.TargetDomainName` | `keyword` | | +|`action.properties.TargetInfo` | `keyword` | | +|`action.properties.TargetLinkedLogonId` | `keyword` | | +|`action.properties.TargetLogonGuid` | `keyword` | | +|`action.properties.TargetLogonId` | `keyword` | | +|`action.properties.TargetOutboundDomainName` | `keyword` | | +|`action.properties.TargetOutboundUserName` | `keyword` | | +|`action.properties.TargetServerName` | `keyword` | | +|`action.properties.TargetSid` | `keyword` | | +|`action.properties.TargetUserName` | `keyword` | | +|`action.properties.TargetUserSid` | `keyword` | | +|`action.properties.TaskContent` | `keyword` | | |`action.properties.TaskContentNew_Args` | `keyword` | | |`action.properties.TaskContentNew_Command` | `keyword` | | +|`action.properties.TaskName` | `keyword` | | +|`action.properties.ThreatID` | `keyword` | | +|`action.properties.ThreatName` | `keyword` | | +|`action.properties.TotalSignatureCount` | `keyword` | | +|`action.properties.TransmittedServices` | `keyword` | | +|`action.properties.TypeID` | 
`keyword` | | +|`action.properties.TypeName` | `keyword` | | +|`action.properties.Unused` | `keyword` | | +|`action.properties.Unused2` | `keyword` | | +|`action.properties.Unused3` | `keyword` | | +|`action.properties.Unused4` | `keyword` | | +|`action.properties.Unused5` | `keyword` | | +|`action.properties.Unused6` | `keyword` | | +|`action.properties.ValidatedPolicy` | `keyword` | | +|`action.properties.ValidatedSigningLevel` | `keyword` | | +|`action.properties.VerificationError` | `keyword` | | +|`action.properties.VirtualAccount` | `keyword` | | +|`action.properties.WorkstationName` | `keyword` | | +|`action.properties.param0` | `keyword` | | +|`action.properties.param1` | `keyword` | | +|`action.properties.param10` | `keyword` | | +|`action.properties.param11` | `keyword` | | +|`action.properties.param12` | `keyword` | | +|`action.properties.param13` | `keyword` | | +|`action.properties.param14` | `keyword` | | +|`action.properties.param15` | `keyword` | | +|`action.properties.param16` | `keyword` | | +|`action.properties.param17` | `keyword` | | +|`action.properties.param18` | `keyword` | | +|`action.properties.param19` | `keyword` | | +|`action.properties.param2` | `keyword` | | +|`action.properties.param20` | `keyword` | | +|`action.properties.param21` | `keyword` | | +|`action.properties.param22` | `keyword` | | +|`action.properties.param3` | `keyword` | | +|`action.properties.param4` | `keyword` | | +|`action.properties.param5` | `keyword` | | +|`action.properties.param6` | `keyword` | | +|`action.properties.param7` | `keyword` | | +|`action.properties.param8` | `keyword` | | +|`action.properties.param9` | `keyword` | | |`agent.id` | `keyword` | Unique identifier of this agent. | |`agent.name` | `keyword` | Custom name of the agent. | |`agent.version` | `keyword` | Version of the agent. | 
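Review bot: Every row added to the field table has an empty description, and the key set shows the collision that stripping spaces from the Windows field names produces: `action.properties.EngineVersion` sits next to `action.properties.Engineversion`, `Engineup-to-date` and `Platformup-to-date` keep a hyphen, and `SecurityintelligenceVersion` is the collapsed form of a three-word field, so the same logical value can land under two keys depending on which event ID emitted it. A rule author reading this table cannot tell which key a given event populates, nor that `Unused`..`Unused6` and `param0`..`param22` are positional placeholders rather than named fields — and the sample hunk earlier in this diff drops the `Unused*` nulls while the table still declares them. I'd at least fill the description column for the security-relevant keys, e.g. `ThreatName`: `Defender threat identifier (e.g. Exploit:O97M/...)` and `Engineversion`/`EngineVersion`: `same value; key depends on the emitting event ID`, and consider normalizing case and hyphens at parse time so a single key remains.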
diff --git a/_shared_content/operations_center/integrations/generated/46ca6fc8-3d30-434c-92ff-0e1cde564161.md b/_shared_content/operations_center/integrations/generated/46ca6fc8-3d30-434c-92ff-0e1cde564161.md index 9ac14dbb56..3dad5fda80 100644 --- a/_shared_content/operations_center/integrations/generated/46ca6fc8-3d30-434c-92ff-0e1cde564161.md +++ b/_shared_content/operations_center/integrations/generated/46ca6fc8-3d30-434c-92ff-0e1cde564161.md @@ -257,11 +257,16 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "reference": "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/3ba97fc852c66a7ba761450edfdfb9f4ffab74715b591294f78b5e37a76481aa", "type": "domain-name", "url": { - "domain": "badsite.zz" + "domain": "badsite.zz", + "original": "badsite.zz" } } } ] + }, + "url": { + "original": "badsite.zz", + "path": "badsite.zz" } } diff --git a/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md b/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md index 073d8b0976..63d95a0342 100644 --- a/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md +++ b/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md @@ -263,9 +263,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "virtual_domain": "root" } }, - "host": { - "name": "my-device" - }, "log": { "hostname": "my-device", "level": "information" @@ -350,9 +347,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "virtual_domain": "root" } }, - "host": { - "name": "dev-name" - }, "log": { "hostname": "dev-name", "level": "information" 
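Review bot: For a `type: domain-name` indicator, the new top-level `url.path: "badsite.zz"` puts a hostname into the ECS path component, and both `url.original` fields now hold a bare domain rather than a URL, so a rule that matches `url.path` or joins `url.original` against URL indicator lists will fire on every domain-type threat. For domain indicators only `url.domain` / `threat.indicator.url.domain` should be populated; `url.original` and `url.path` belong to `type: url` entries whose raw value is actually a URL. If the path is filled by copying the whole value when no scheme is present, that branch is the one to guard, e.g. `if type == "domain-name": set url.domain only`. The hunk shows only the sample output, so the parser change itself is inferred.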
@@ -533,9 +527,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "virtual_domain": "root" } }, - "host": { - "name": "abc" - }, "log": { "description": "Progress IPsec phase 2", "hostname": "abc", @@ -599,9 +590,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "virtual_domain": "root" } }, - "host": { - "name": "abc" - }, "http": { "request": { "method": "jsconsole" @@ -672,9 +660,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "virtual_domain": "PRX1-AA" } }, - "host": { - "name": "abc" - }, "log": { "description": "Disk log rolled", "hostname": "abc", @@ -882,9 +867,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "virtual_domain": "PRX1-AA" } }, - "host": { - "name": "abc" - }, "log": { "description": "SSL fatal alert sent", "hostname": "abc", @@ -1696,9 +1678,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "virtual_domain": "AAAA-AA" } }, - "host": { - "name": "PC-01-OS1" - }, "log": { "description": "Object attribute configured", "hostname": "PC-01-OS1", 
@@ -1924,6 +1903,66 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "event_logdev.json" + + ```json + + { + "message": "devname=\".self\" devid=\"1111111111111111\" vd=\"root\" itime=1725479662 date=\"2024-09-04\" time=\"19:54:22\" tz=\"+0000\" type=\"appevent\" user=\"system\" user_from=\"system\" logid=\"222222\" subtype=\"logdev\" eventtype=\"logging-status\" level=\"warning\" desc=\"Device offline\" logdev_id=\"ABCDEFGHIJKLMNOP\" logdev_name=\"LOGDEV-NAME\" logdev_offline_duration=69138 logdev_last_logging=1721331330 msg=\"Did not receive any log from device LOGDEV-NAME[ABCDEFGHIJKLMNOP] in past 48d18m52s (69138 minutes).\"", + "event": { + "category": "appevent", + "code": "222222", + "reason": "Did not receive any log from device LOGDEV-NAME[ABCDEFGHIJKLMNOP] in past 48d18m52s (69138 minutes).", + "timezone": "+0000", + "type": "Device offline" + }, + "action": { + "outcome_reason": "Did not receive any log from device LOGDEV-NAME[ABCDEFGHIJKLMNOP] in past 48d18m52s (69138 minutes).", + "type": "logdev" + }, + "fortinet": { + "fortigate": { + "event": { + "desc": "Device offline", + "type": "appevent" + }, + "logdev": { + "id": "ABCDEFGHIJKLMNOP", + "last_logging": "2024-07-18T19:35:30.000000Z", + "name": "LOGDEV-NAME" + }, + "virtual_domain": "root" + } + }, + "log": { + "hostname": ".self", + "level": "warning" + }, + "observer": { + "hostname": ".self", + "serial_number": "1111111111111111" + }, + "related": { + "hosts": [ + ".self" + ], + "user": [ + "system" + ] + }, + "source": { + "user": { + "name": "system" + } + }, + "user": { + "name": "system" + } + } + + ``` + + === "forwadedfor.json" ```json @@ -1964,9 +2003,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "virtual_domain": "root" } }, - "host": { - "name": "FW-001" - }, "http": { "request": { "method": "domain" 
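Review bot: The `logdev_offline_duration=69138` field in the raw event is not extracted, even though it is the one numeric value a detection would threshold on; the minutes are only recoverable by regex over `event.reason`. A log source going silent is precisely the signal for tampering with logging (defense evasion), so I'd map it to a numeric field such as `fortinet.fortigate.logdev.offline_duration` (minutes) next to the `logdev.last_logging` date this hunk already adds. Separately, `event.type` is set to the free-text `desc` value (`Device offline`) whereas ECS `event.type` is a fixed vocabulary; the other integrations in this diff use `["info"]` and keep the description in a vendor field, which this sample already has as `fortinet.fortigate.event.desc`. Whether FortiGate samples elsewhere in this file set `event.type` the same way is outside the hunk.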
@@ -2069,9 +2105,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "virtual_domain": "root" } }, - "host": { - "name": "abc" - }, "log": { "hostname": "abc", "level": "information" @@ -2159,9 +2192,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "virtual_domain": "root" } }, - "host": { - "name": "abc" - }, "log": { "hostname": "abc", "level": "warning" @@ -2242,9 +2272,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "virtual_domain": "root" } }, - "host": { - "name": "abc" - }, "log": { "hostname": "abc", "level": "notice" @@ -2397,9 +2424,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "virtual_domain": "ROUTER" } }, - "host": { - "name": "abc" - }, "log": { "hostname": "abc", "level": "notice" @@ -2567,9 +2591,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "virtual_domain": "root" } }, - "host": { - "name": "abc" - }, "log": { "hostname": "abc", "level": "alert" @@ -3300,9 +3321,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "virtual_domain": "PRX1-AA" } }, - "host": { - "name": "abc" - }, "log": { "hostname": "abc", "level": "notice" @@ -3456,9 +3474,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "virtual_domain": "root" } }, - "host": { - "name": "abc" - }, "log": { "hostname": "abc", "level": "notice" @@ -3647,9 +3662,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "virtual_domain": "IPSEC" } }, - "host": { - "name": "abc" - }, "log": { "description": "SSL VPN statistics", "hostname": "abc", @@ -3734,9 +3746,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "virtual_domain": "root" } }, - "host": { - "name": "abc" - }, "log": { "description": "IPsec tunnel statistics", "hostname": "abc", 
@@ -3799,9 +3808,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "virtual_domain": "root" } }, - "host": { - "name": "abc" - }, "http": { "request": { "method": "HTTP" @@ -3860,9 +3866,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "virtual_domain": "root" } }, - "host": { - "name": "FW-FOOBAR" - }, "log": { "description": "SSL VPN login fail", "hostname": "FW-FOOBAR", @@ -3932,9 +3935,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "virtual_domain": "root" } }, - "host": { - "name": "FW-FOOBAR" - }, "log": { "description": "SSL VPN login fail", "hostname": "FW-FOOBAR", @@ -4100,6 +4100,9 @@ The following table lists the fields that are extracted, normalized under the EC |`fortinet.fortigate.event.type` | `keyword` | Type of the event. | |`fortinet.fortigate.icmp.request.code` | `keyword` | The request code. | |`fortinet.fortigate.icmp.request.type` | `keyword` | The request type. | +|`fortinet.fortigate.logdev.id` | `keyword` | ID of the device that generated the log. | +|`fortinet.fortigate.logdev.last_logging` | `date` | Last logging time of the device. | +|`fortinet.fortigate.logdev.name` | `keyword` | Name of the device that generated the log. | |`fortinet.fortigate.policyid` | `keyword` | ID of the policy | |`fortinet.fortigate.poluuid` | `keyword` | UUID of pol | |`fortinet.fortigate.tunnel.id` | `keyword` | The id of the tunnel | diff --git a/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981_sample.md b/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981_sample.md index fee16049c2..667d53b70a 100644 --- a/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981_sample.md +++ b/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981_sample.md 
@@ -204,6 +204,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "event_logdev" + + ``` + devname=".self" devid="1111111111111111" vd="root" itime=1725479662 date="2024-09-04" time="19:54:22" tz="+0000" type="appevent" user="system" user_from="system" logid="222222" subtype="logdev" eventtype="logging-status" level="warning" desc="Device offline" logdev_id="ABCDEFGHIJKLMNOP" logdev_name="LOGDEV-NAME" logdev_offline_duration=69138 logdev_last_logging=1721331330 msg="Did not receive any log from device LOGDEV-NAME[ABCDEFGHIJKLMNOP] in past 48d18m52s (69138 minutes)." + ``` + + + === "forwadedfor" ``` diff --git a/_shared_content/operations_center/integrations/generated/60af2bd6-7ef0-48a7-a6db-90fcdd7236f1.md b/_shared_content/operations_center/integrations/generated/60af2bd6-7ef0-48a7-a6db-90fcdd7236f1.md index c96f0b006f..0cbeca7da1 100644 --- a/_shared_content/operations_center/integrations/generated/60af2bd6-7ef0-48a7-a6db-90fcdd7236f1.md +++ b/_shared_content/operations_center/integrations/generated/60af2bd6-7ef0-48a7-a6db-90fcdd7236f1.md @@ -37,9 +37,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "session_id": "ziuhiohzf" } }, - "host": { - "name": "abc" - }, "log": { "hostname": "abc", "level": "information" @@ -69,15 +66,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "log": { "level": "165917" - }, - "related": { - "ip": [ - "3.4.5.6" - ] - }, - "source": { - "address": "3.4.5.6", - "ip": "3.4.5.6" } } @@ -110,6 +98,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "user_identifier": "mail" } }, + "destination": { + "address": "notifications", + "domain": "notifications", + "ip": "1.1.1.1" + }, "email": { "from": { "address": [ 
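Review bot: In the `@@ -69,15 +66,6 @@` hunk the relay IP `3.4.5.6` disappears from `source.ip` and `related.ip` with no replacement in the same hunk, unlike the following hunk which moves the relay into `destination.ip`; unless it is re-added outside the hunk, that sample's relay is no longer searchable by IP at all. Moving the relay from source to destination is the right direction for a `stat=Sent` delivery (it is the next hop), but the pivot field should not vanish. While here, the context line `"log": { "level": "165917" }` carries the sendmail `pri=` queue priority, not a severity; the other samples put that value in `action.properties.priority_level_msg` and leave `log.level` for the syslog level, and this one should too.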
@@ -120,9 +113,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "file": { "size": 26135 }, - "host": { - "name": "hostname" - }, "log": { "hostname": "hostname", "level": "information" @@ -131,6 +121,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "protocol": "ESMTP" }, "related": { + "hosts": [ + "notifications" + ], + "ip": [ + "1.1.1.1" + ], "user": [ "mail" ] @@ -165,6 +161,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "log_id": "0003007072", "mailer": "esmtp", "priority_level_msg": "165917", + "relay": "188.165.36.237", "session_id": "13KGXMHI007058-13KGXMHK007058", "user_identifier": "mail", "xdelay": "00:00:06" @@ -223,6 +220,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "log_id": "0003007072", "mailer": "esmtp", "priority_level_msg": "165917", + "relay": "smtp.example.org", "session_id": "13KGXMHI007058-13KGXMHK007058", "user_identifier": "mail", "xdelay": "00:00:06" @@ -289,14 +287,22 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "verify": "NO" } }, - "host": { - "name": "123" + "destination": { + "address": "something.com", + "domain": "something.com", + "ip": "1.1.1.1" }, "log": { "hostname": "123", "level": "information" }, "related": { + "hosts": [ + "something.com" + ], + "ip": [ + "1.1.1.1" + ], "user": [ "mail" ] @@ -334,6 +340,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "log_id": "0003007072", "mailer": "esmtp", "priority_level_msg": "50733", + "relay": "email.fr.", "session_id": "13KGXMHI007058-13KGXMHK007058", "user_identifier": "mail", "xdelay": "00:00:12" @@ -352,9 +359,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] } }, - "host": { - "name": "1234" - }, "log": { "hostname": "1234", "level": "information" 
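Review bot: `action.properties.relay` now keeps the trailing root dot that sendmail prints (`email.fr.`, `mail.eu.`), and the `something.com` hunk suggests the same value feeds `destination.domain`; a trailing dot defeats matching against domain indicator lists and host inventories, so strip it at parse time (`relay.rstrip(".")`) or state in the field table that consumers must. Separately, `"relay": "188.165.36.237"` is a real public address in generated documentation, while the other samples use placeholder addresses (`1.1.1.1`, `1.2.3.4`); the fixture should use an RFC 5737 documentation range such as `192.0.2.0/24` rather than a live host.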
@@ -401,6 +405,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "log_id": "0003014581", "mailer": "esmtp", "priority_level_msg": "40733", + "relay": "mail.eu.", "session_id": "13RDCREi014579-13RDCREj014579", "user_identifier": "mail", "xdelay": "00:00:01" @@ -419,9 +424,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] } }, - "host": { - "name": "1234" - }, "log": { "hostname": "1234", "level": "information" @@ -464,9 +466,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "log_id": "123" } }, - "host": { - "name": "hostname" - }, "log": { "hostname": "hostname", "level": "information" 
@@ -520,6 +519,66 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "relay_ip_only.json" + + ```json + + { + "message": "time=15:03:24.344 device_id=FFFF log_id=YY type=event subtype=smtp pri=information user=mail ui=mail action=NONE status=N/A session_id=\"AAA-BBB\" msg=\"to=, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=2290731, relay= [1.2.3.4], dsn=2.0.0, stat=Sent (ok: Message 88943067 accepted)\"", + "event": { + "action": "NONE", + "category": "smtp", + "kind": "event", + "message": "to=, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=2290731, relay= [1.2.3.4], dsn=2.0.0, stat=Sent (ok: Message 88943067 accepted)", + "reason": "Sent (ok: Message 88943067 accepted)" + }, + "action": { + "outcome_reason": "to=, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=2290731, relay= [1.2.3.4], dsn=2.0.0, stat=Sent (ok: Message 88943067 accepted)", + "properties": { + "delay": "00:00:01", + "device_id": "FFFF", + "dsn_version": "2.0.0", + "log_id": "YY", + "mailer": "esmtp", + "priority_level_msg": "2290731", + "relay": "1.2.3.4", + "session_id": "AAA-BBB", + "user_identifier": "mail", + "xdelay": "00:00:01" + } + }, + "destination": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "email": { + "to": { + "address": [ + "johndoe" + ] + } + }, + "log": { + "hostname": "abc", + "level": "information" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "mail" + ] + }, + "user": { + "email": "johndoe", + "name": "mail" + } + } + + ``` + + === "smtp_event_STARTTLS_client_local_certificate.json" ```json @@ -543,9 +602,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "user_identifier": "mail" } }, - "host": { - "name": "hostname" - }, "log": { "hostname": "hostname", "level": "information" 
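Review bot: The output cannot be derived from the raw message shown: `msg` has an empty `to=`, yet `email.to.address` is `["johndoe"]` and `user.email` is `"johndoe"`, and `log.hostname: "abc"` has no `devname` or syslog source in the message. Either the fixture was edited after generation or the parser carries a value over from somewhere else; in both cases a rule author validating against this page is misled, and a stale recipient silently attached to an unrelated delivery event is worth ruling out in the parser. `user.email: "johndoe"` is also not an address — when `to=` is empty the field should simply be absent. The `destination.ip` mapping from `relay= [1.2.3.4]` itself looks right.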
@@ -592,9 +648,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "user_identifier": "mail" } }, - "host": { - "name": "ABC" - }, "log": { "hostname": "ABC", "level": "information" @@ -641,9 +694,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "user_identifier": "mail" } }, - "host": { - "name": "hostname" - }, "log": { "hostname": "hostname", "level": "information" @@ -700,9 +750,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] } }, - "host": { - "name": "00000" - }, "log": { "hostname": "00000", "level": "information" @@ -757,9 +804,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "icon_deleteall.png", "type": "file" }, - "host": { - "name": "hostname" - }, "log": { "hostname": "hostname", "level": "information" @@ -815,9 +859,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] } }, - "host": { - "name": "abc" - }, "log": { "hostname": "abc", "level": "information" @@ -884,9 +925,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "file.ppt", "type": "file" }, - "host": { - "name": "abc" - }, "log": { "hostname": "abc", "level": "information" @@ -947,9 +985,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] } }, - "host": { - "name": "12345" - }, "log": { "hostname": "12345", "level": "information" @@ -1008,9 +1043,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] } }, - "host": { - "name": "12345" - }, "log": { "hostname": "12345", "level": "information" @@ -1081,9 +1113,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ] } }, - "host": { - "name": "B96f1GJTxDUKbh2l" - }, "http": { "request": { "bytes": 112389 
@@ -1143,9 +1172,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "name": "file.pdf", "type": "file" }, - "host": { - "name": "hostname" - }, "log": { "hostname": "hostname", "level": "information" @@ -1179,9 +1205,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "session_id": "15N7xWCW025167-15N7xWCX025167" } }, - "host": { - "name": "hostname" - }, "log": { "hostname": "hostname", "level": "information" diff --git a/_shared_content/operations_center/integrations/generated/60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_sample.md b/_shared_content/operations_center/integrations/generated/60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_sample.md index 6acc839904..6cec374314 100644 --- a/_shared_content/operations_center/integrations/generated/60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_sample.md +++ b/_shared_content/operations_center/integrations/generated/60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_sample.md @@ -84,6 +84,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "relay_ip_only" + + ``` + time=15:03:24.344 device_id=FFFF log_id=YY type=event subtype=smtp pri=information user=mail ui=mail action=NONE status=N/A session_id="AAA-BBB" msg="to=, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=2290731, relay= [1.2.3.4], dsn=2.0.0, stat=Sent (ok: Message 88943067 accepted)" + ``` + + + === "smtp_event_STARTTLS_client_local_certificate" ``` diff --git a/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899.md b/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899.md index 6d89584d41..85b2c44a32 100644 --- a/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899.md +++ b/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899.md 
@@ -17,8 +17,8 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | | Kind | `` | -| Category | `` | -| Type | `end` | +| Category | `session` | +| Type | `end`, `info` | @@ -170,6 +170,39 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "session_integrity.json" + + ```json + + { + "message": "[sessionintegrity] session_uid=\"1830c403be7caf0c00505688c380\" status=\"failed\" type=\"SSH_SHELL_SESSION\" user=\"adm@CORP.NET@1.1.1.1\" target=\"domain@local@target01.corp.net:SSH_1\" begin=\"2022-08-19 11:31:17\" end=\"2022-08-19 11:32:50\" files=[/var/wab/remote/recorded/ssh/2022-08-19/182b5714b466cba10050568e16d9,adm@CORP.NET@1.1.1.1,domain@target01.corp.net,20220819-113117,foo-bastion-bar.corp.net,1805.ttyrec]", + "event": { + "action": "SSH_SHELL_SESSION", + "category": [ + "session" + ], + "dataset": "session_integrity", + "outcome": "failure", + "type": [ + "info" + ] + }, + "related": { + "user": [ + "adm@CORP.NET@1.1.1.1" + ] + }, + "user": { + "name": "adm@CORP.NET@1.1.1.1" + }, + "wallix": { + "type": "SSH_SHELL_SESSION" + } + } + + ``` + + === "sshprox.json" ```json @@ -3820,6 +3853,8 @@ The following table lists the fields that are extracted, normalized under the EC | ---- | ---- | ---------------------------| |`destination.ip` | `ip` | IP address of the destination. | |`event.action` | `keyword` | The action captured by the event. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.dataset` | `keyword` | Name of the dataset. | |`event.provider` | `keyword` | Source of the event. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | 
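Review bot: A failed session-integrity check is a tamper signal on a recorded privileged session, but the parser keeps only `type`, `status` and `user`: `session_uid`, `target`, `begin`/`end` and the `files` list are dropped, which is exactly what an investigator needs to pull the recording and correlate with the `sshprox` events. I'd map `begin`/`end` to `event.start`/`event.end`, `session_uid` to `event.id` (or `wallix.session_uid`), `target` to `destination.domain`/`destination.user.name`, and the `.ttyrec` path to `file.path`. The `user` value `adm@CORP.NET@1.1.1.1` embeds the client IP; extracting it to `source.ip` and `related.ip` makes the event pivotable. The `@@ -3820` field-table hunk would then need rows for the new fields, and given the integrity failure is an alert rather than plain telemetry, `event.kind` (empty in the updated table) deserves a value.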
diff --git a/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899_sample.md b/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899_sample.md index 3ea5b02ba6..2207a11036 100644 --- a/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899_sample.md +++ b/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899_sample.md @@ -48,6 +48,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "session_integrity" + + ``` + [sessionintegrity] session_uid="1830c403be7caf0c00505688c380" status="failed" type="SSH_SHELL_SESSION" user="adm@CORP.NET@1.1.1.1" target="domain@local@target01.corp.net:SSH_1" begin="2022-08-19 11:31:17" end="2022-08-19 11:32:50" files=[/var/wab/remote/recorded/ssh/2022-08-19/182b5714b466cba10050568e16d9,adm@CORP.NET@1.1.1.1,domain@target01.corp.net,20220819-113117,foo-bastion-bar.corp.net,1805.ttyrec] + ``` + + + === "sshprox" ``` diff --git a/_shared_content/operations_center/integrations/generated/8f472113-ba5b-45b9-9a2c-944834396333.md b/_shared_content/operations_center/integrations/generated/8f472113-ba5b-45b9-9a2c-944834396333.md index e6d033a989..4f98f8c835 100644 --- a/_shared_content/operations_center/integrations/generated/8f472113-ba5b-45b9-9a2c-944834396333.md +++ b/_shared_content/operations_center/integrations/generated/8f472113-ba5b-45b9-9a2c-944834396333.md @@ -63,7 +63,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "breach": { "root_cause": "hacked" }, - "id": "8e21f4aa-ee49-5f6d-be70-366b95ecc586" + "id": "8e21f4aa-ee49-5f6d-be70-366b95ecc586", + "type": "breach_reported" } } } @@ -71,7 +72,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` -=== "issue_event.json" +=== "issue_event_01.json" ```json 
@@ -101,7 +102,90 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "vas": { "id": "8e21f4aa-ee49-5f6d-be70-366b95ecc586", "selected": "by_severity", - "severity": "low" + "severity": "low", + "type": "new_issues" + } + } + } + + ``` + + +=== "issue_event_02.json" + + ```json + + { + "message": "{\n \"trigger\": {\n \"type\": \"new_issues\",\n \"issues\": {\n \"tls_weak_protocol\": {\n \"departed\": { \"count\": 1 },\n \"active\": { \"count\": 1 }\n },\n \"tls_weak_cipher\": {\n \"departed\": { \"count\": 2 },\n \"active\": { \"count\": 2 }\n }\n },\n \"selected\": \"by_severity\",\n \"severity\": \"low\"\n },\n \"created_at\": \"2024-07-12T04:54:27.941Z\",\n \"execution_id\": \"8a1be922-6698-4407-ba70-0515943d323e\",\n \"scorecard_id\": \"56f0fca6-f6e0-55fd-9fce-b75ba65db80e\",\n \"domain\": \"example.com\",\n \"previous\": { \"score\": 90, \"factors\": {} },\n \"current\": { \"score\": 90, \"factors\": {} },\n \"platform_score_date\": 20240710\n}", + "event": { + "action": "new_issues", + "category": [ + "vulnerability" + ], + "dataset": "issue", + "type": [ + "info" + ] + }, + "@timestamp": "2024-07-12T04:54:27.941000Z", + "cloud": { + "account": { + "name": "example.com" + } + }, + "observer": { + "product": "Vulnerability Assessment Scanner", + "vendor": "SecurityScorecard" + }, + "securityscorecard": { + "vas": { + "current_score": 90, + "id": "56f0fca6-f6e0-55fd-9fce-b75ba65db80e", + "previous_score": 90, + "selected": "by_severity", + "severity": "low", + "type": "new_issues" + } + } + } + + ``` + + +=== "issue_event_03.json" + + ```json + + { + "message": "{\n \"trigger\": {\n \"type\": \"new_issues\",\n \"issues\": {\n \"tlscert_excessive_expiration\": { \"active\": { \"count\": 1 } },\n \"tlscert_no_revocation\": { \"active\": { \"count\": 1 } },\n \"csp_no_policy_v2\": { \"active\": { \"count\": 1 } },\n \"insecure_https_redirect_pattern_v2\": { \"active\": { \"count\": 3 } },\n \"redirect_chain_contains_http_v2\": { 
\"active\": { \"count\": 9 } },\n \"tls_weak_protocol\": {\n \"departed\": { \"count\": 1 },\n \"active\": { \"count\": 1 }\n },\n \"tls_weak_cipher\": { \"active\": { \"count\": 1 } },\n \"unsafe_sri_v2\": { \"active\": { \"count\": 1 } },\n \"hsts_incorrect_v2\": { \"active\": { \"count\": 1 } },\n \"x_content_type_options_incorrect_v2\": { \"active\": { \"count\": 1 } }\n },\n \"selected\": \"by_severity\",\n \"severity\": \"low\"\n },\n \"created_at\": \"2024-07-11T07:47:17.165Z\",\n \"execution_id\": \"4c5395cc-0161-402f-896f-477966c2386d\",\n \"scorecard_id\": \"d332f6dd-ec0e-57bf-9086-31ddd68095c9\",\n \"domain\": \"example.com\",\n \"previous\": {\n \"score\": 88,\n \"factors\": { \"application_security\": 85, \"network_security\": 85 }\n },\n \"current\": {\n \"score\": 88,\n \"factors\": { \"application_security\": 84, \"network_security\": 84 }\n },\n \"platform_score_date\": 20240709\n}", + "event": { + "action": "new_issues", + "category": [ + "vulnerability" + ], + "dataset": "issue", + "type": [ + "info" + ] + }, + "@timestamp": "2024-07-11T07:47:17.165000Z", + "cloud": { + "account": { + "name": "example.com" + } + }, + "observer": { + "product": "Vulnerability Assessment Scanner", + "vendor": "SecurityScorecard" + }, + "securityscorecard": { + "vas": { + "current_score": 88, + "id": "d332f6dd-ec0e-57bf-9086-31ddd68095c9", + "previous_score": 88, + "selected": "by_severity", + "severity": "low", + "type": "new_issues" } } } 
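Review bot: The `issue_event_02.json` and `issue_event_03.json` transformed samples keep none of the issue types listed under `trigger.issues` in the raw message (`tls_weak_protocol`, `tls_weak_cipher`, `csp_no_policy_v2`, `hsts_incorrect_v2`, ...), nor `execution_id`, so a rule cannot tell a weak-TLS finding from an HSTS finding without re-parsing `message`; only scores, `selected`, `severity` and `type` are lifted into `securityscorecard.vas.*`. Mapping the raw `domain` to `cloud.account.name` also reads oddly for a scanned domain; presumably the intent was an identifier for the tenant, but a dedicated field such as `securityscorecard.vas.domain` would be less likely to collide with genuine cloud account names in cross-intake rules — worth confirming before the field becomes stable. If the per-issue counts are meant to stay unparsed, a sentence in the field table such as `Individual issue types and counts remain in message and are not indexed` would set expectations.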
@@ -130,9 +214,12 @@ The following table lists the fields that are extracted, normalized under the EC
 |`observer.vendor` | `keyword` | Vendor name of the observer. |
 |`organization.name` | `keyword` | Organization name. |
 |`securityscorecard.vas.breach.root_cause` | `keyword` | Scorecard breach root cause |
+|`securityscorecard.vas.current_score` | `number` | Scorecard current score |
 |`securityscorecard.vas.id` | `keyword` | Scorecard event id |
+|`securityscorecard.vas.previous_score` | `number` | Scorecard previous score |
 |`securityscorecard.vas.selected` | `keyword` | Scorecard event selected |
 |`securityscorecard.vas.severity` | `keyword` | Scorecard event severity |
+|`securityscorecard.vas.type` | `keyword` | Scorecard event type |
diff --git a/_shared_content/operations_center/integrations/generated/8f472113-ba5b-45b9-9a2c-944834396333_sample.md b/_shared_content/operations_center/integrations/generated/8f472113-ba5b-45b9-9a2c-944834396333_sample.md
index 535f2ec502..3f8e208d4b 100644
--- a/_shared_content/operations_center/integrations/generated/8f472113-ba5b-45b9-9a2c-944834396333_sample.md
+++ b/_shared_content/operations_center/integrations/generated/8f472113-ba5b-45b9-9a2c-944834396333_sample.md
@@ -30,7 +30,7 @@ In this section, you will find examples of raw logs as generated natively by the
-=== "issue_event"
+=== "issue_event_01"
 ```json
@@ -67,3 +67,138 @@ In this section, you will find examples of raw logs as generated natively by the +=== "issue_event_02" + + + ```json + { + "trigger": { + "type": "new_issues", + "issues": { + "tls_weak_protocol": { + "departed": { + "count": 1 + }, + "active": { + "count": 1 + } + }, + "tls_weak_cipher": { + "departed": { + "count": 2 + }, + "active": { + "count": 2 + } + } + }, + "selected": "by_severity", + "severity": "low" + }, + "created_at": "2024-07-12T04:54:27.941Z", + "execution_id": "8a1be922-6698-4407-ba70-0515943d323e", + "scorecard_id": "56f0fca6-f6e0-55fd-9fce-b75ba65db80e", + "domain": "example.com", + "previous": { + "score": 90, + "factors": {} + }, + "current": { + "score": 90, + "factors": {} + }, + "platform_score_date": 20240710 + } + ``` + + + +=== "issue_event_03" + + + ```json + { + "trigger": { + "type": "new_issues", + "issues": { + "tlscert_excessive_expiration": { + "active": { + "count": 1 + } + }, + "tlscert_no_revocation": { + "active": { + "count": 1 + } + }, + "csp_no_policy_v2": { + "active": { + "count": 1 + } + }, + "insecure_https_redirect_pattern_v2": { + "active": { + "count": 3 + } + }, + "redirect_chain_contains_http_v2": { + "active": { + "count": 9 + } + }, + "tls_weak_protocol": { + "departed": { + "count": 1 + }, + "active": { + "count": 1 + } + }, + "tls_weak_cipher": { + "active": { + "count": 1 + } + }, + "unsafe_sri_v2": { + "active": { + "count": 1 + } + }, + "hsts_incorrect_v2": { + "active": { + "count": 1 + } + }, + "x_content_type_options_incorrect_v2": { + "active": { + "count": 1 + } + } + }, + "selected": "by_severity", + "severity": "low" + }, + "created_at": "2024-07-11T07:47:17.165Z", + "execution_id": "4c5395cc-0161-402f-896f-477966c2386d", + "scorecard_id": "d332f6dd-ec0e-57bf-9086-31ddd68095c9", + "domain": "example.com", + "previous": { + "score": 88, + "factors": { + "application_security": 85, + "network_security": 85 + } + }, + "current": { + "score": 88, + "factors": { + "application_security": 
84, + "network_security": 84 + } + }, + "platform_score_date": 20240709 + } + ``` + + + diff --git a/_shared_content/operations_center/integrations/generated/915a119c-2ec8-4482-a3c6-4d4cae62b671.md b/_shared_content/operations_center/integrations/generated/915a119c-2ec8-4482-a3c6-4d4cae62b671.md new file mode 100644 index 0000000000..3d0dc0e26e --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/915a119c-2ec8-4482-a3c6-4d4cae62b671.md 
@@ -0,0 +1,273 @@ + +### Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Process monitoring` | Sekoia forwarder logs are collected: rsyslog resource usage, queue size, number of messages handled, .. | + + + + + + + + +### Transformed Events Samples after Ingestion + +This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. + +=== "action_log.json" + + ```json + + { + "message": "{\"name\":\"output-techno1\",\"origin\":\"core.action\",\"processed\": 0,\"failed\": 0,\"suspended\": 0, \"suspended.duration\": 0, \"resumed\": 0}", + "sekoiaio": { + "forwarder": { + "action": { + "failed": 0, + "processed": 0, + "resumed": 0, + "suspended": 0 + }, + "intake": { + "name": "techno1" + }, + "module": { + "name": "output-techno1", + "type": "core.action" + } + } + }, + "user": { + "domain": "SEKOIA.IO" + } + } + + ``` + + +=== "da_queue_log.json" + + ```json + + { + "message": "{ \"name\": \"ruleset-my-techno1[DA]\", \"origin\": \"core.queue\", \"size\": 0, \"enqueued\": 0, \"full\": 0, \"discarded.full\": 0, \"discarded.nf\": 0, \"maxqsize\": 0 }", + "sekoiaio": { + "forwarder": { + "intake": { + "name": "my-techno1" + }, + "module": { + "name": "ruleset-my-techno1[DA]", + "type": "core.queue" + }, + "queue": { + "discarded": { + "full": 0, + "nf": 0 + }, + "enqueued": 0, + "full": 0, + "maxqsize": 0, + "size": 0 + } + } + }, + "user": { + "domain": "SEKOIA.IO" + } + } + + ``` + + +=== 
"input_tcp.json" + + ```json + + { + "message": "{ \"name\": \"input-techno1(20516)\", \"origin\": \"imtcp\", \"submitted\": 0 }", + "sekoiaio": { + "forwarder": { + "input": { + "port": "20516", + "submitted": 0 + }, + "intake": { + "name": "techno1" + }, + "module": { + "name": "input-techno1(20516)", + "type": "imtcp" + } + } + }, + "user": { + "domain": "SEKOIA.IO" + } + } + + ``` + + +=== "input_udp.json" + + ```json + + { + "message": "{ \"name\": \"input-my-techno2(*/20517/IPv4)\", \"origin\": \"imudp\", \"submitted\": 0, \"disallowed\": 0 }", + "sekoiaio": { + "forwarder": { + "input": { + "port": "*/20517/IPv4", + "submitted": 0 + }, + "intake": { + "name": "my-techno2" + }, + "module": { + "name": "input-my-techno2(*/20517/IPv4)", + "type": "imudp" + } + } + }, + "user": { + "domain": "SEKOIA.IO" + } + } + + ``` + + +=== "memory_queue_log.json" + + ```json + + { + "message": "{ \"name\": \"ruleset-techno1\", \"origin\": \"core.queue\", \"size\": 0, \"enqueued\": 0, \"full\": 0, \"discarded.full\": 0, \"discarded.nf\": 0, \"maxqsize\": 0 }", + "sekoiaio": { + "forwarder": { + "intake": { + "name": "techno1" + }, + "module": { + "name": "ruleset-techno1", + "type": "core.queue" + }, + "queue": { + "discarded": { + "full": 0, + "nf": 0 + }, + "enqueued": 0, + "full": 0, + "maxqsize": 0, + "size": 0 + } + } + }, + "user": { + "domain": "SEKOIA.IO" + } + } + + ``` + + +=== "output_log.json" + + ```json + + { + "message": "{ \"name\": \"TCP-intake.sekoia.io-10514\", \"origin\": \"omfwd\", \"bytes.sent\": 0 }", + "sekoiaio": { + "forwarder": { + "intake": { + "name": "intake.sekoia.io-10514" + }, + "module": { + "name": "TCP-intake.sekoia.io-10514", + "type": "omfwd" + }, + "output": { + "bytes": { + "sent": 0 + } + } + } + }, + "user": { + "domain": "SEKOIA.IO" + } + } + + ``` + + +=== "stats.json" + + ```json + + { + "message": "{ \"name\": \"resource-usage\", \"origin\": \"impstats\", \"utime\": 134625, \"stime\": 20397, \"maxrss\": 13888, \"minflt\": 1510, 
\"majflt\": 0, \"inblock\": 0, \"oublock\": 272, \"nvcsw\": 347, \"nivcsw\": 31, \"openfiles\": 15 }", + "sekoiaio": { + "forwarder": { + "intake": { + "name": "usage" + }, + "module": { + "name": "resource-usage", + "type": "impstats" + }, + "stats": { + "openfiles": 15, + "stime": 20397, + "utime": 134625 + } + } + }, + "user": { + "domain": "SEKOIA.IO" + } + } + + ``` + + + + + +### Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`sekoiaio.forwarder.action.failed` | `number` | Number of messages failed in the action | +|`sekoiaio.forwarder.action.processed` | `number` | Number of messages processed by the action | +|`sekoiaio.forwarder.action.resumed` | `number` | Number of messages resumed by the action | +|`sekoiaio.forwarder.action.suspended` | `number` | Number of messages suspended by the action | +|`sekoiaio.forwarder.input.port` | `keyword` | Input port use by the forwarder | +|`sekoiaio.forwarder.input.submitted` | `number` | Number of messages handled by the forwarder input | +|`sekoiaio.forwarder.intake.name` | `keyword` | Intake name defined in the forwarder | +|`sekoiaio.forwarder.module.name` | `keyword` | This identifies the module name for which the statistics are being reported | +|`sekoiaio.forwarder.module.type` | `keyword` | This identifies the module type for which the statistics are being reported | +|`sekoiaio.forwarder.output.bytes.sent` | `number` | Number of bytes sent to Sekoia | +|`sekoiaio.forwarder.queue.discarded.full` | `number` | Number of messages discarded because the queue was full | +|`sekoiaio.forwarder.queue.discarded.nf` | `number` | Number of messages discarded because the queue was nearly full | +|`sekoiaio.forwarder.queue.enqueued` | `number` | Total number of messages enqueued into this 
queue since startup | +|`sekoiaio.forwarder.queue.full` | `number` | Number of times the queue was actually full and could not accept additional messages | +|`sekoiaio.forwarder.queue.maxqsize` | `number` | The maximum amount of messages that have passed through the queue since rsyslog was started | +|`sekoiaio.forwarder.queue.size` | `number` | Number of messages in the queue | +|`sekoiaio.forwarder.stats.openfiles` | `number` | Number of file handles used by rsyslog | +|`sekoiaio.forwarder.stats.stime` | `number` | The amount of system CPU time consumed by rsyslog, in milliseconds. | +|`sekoiaio.forwarder.stats.utime` | `number` | The amount of user CPU time consumed by rsyslog, in milliseconds. | +|`user.domain` | `keyword` | Name of the directory the user is a member of. | + + + +For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events [here](https://github.com/SEKOIA-IO/intake-formats/tree/main/SekoiaIO/forwarder_log). \ No newline at end of file diff --git a/_shared_content/operations_center/integrations/generated/915a119c-2ec8-4482-a3c6-4d4cae62b671_sample.md b/_shared_content/operations_center/integrations/generated/915a119c-2ec8-4482-a3c6-4d4cae62b671_sample.md new file mode 100644 index 0000000000..bd130a0ebf --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/915a119c-2ec8-4482-a3c6-4d4cae62b671_sample.md 
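Review bot: Every transformed sample in this new file carries a constant `"user": {"domain": "SEKOIA.IO"}` while the field table at the bottom describes `user.domain` as `Name of the directory the user is a member of.`; these are rsyslog impstats counters with no user involved, so the value is misleading and will surface in any rule or dashboard that pivots on `user.domain`. The `intake.name` derivation also looks fragile: `resource-usage` becomes `usage` and `TCP-intake.sekoia.io-10514` becomes `intake.sekoia.io-10514`, neither of which is an intake name — presumably the parser strips the module-name prefix, which should be confirmed and stated in the table row for `sekoiaio.forwarder.intake.name`. The descriptions of `sekoiaio.forwarder.stats.stime`/`utime` say `in milliseconds`, whereas rsyslog's impstats documentation describes these counters in microseconds, so the unit should be verified before this ships. The boilerplate sentence `It should be noted that infered fields are not listed.` also has a typo (`inferred`), shared with the other generated files.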
@@ -0,0 +1,121 @@ + +### Raw Events Samples + +In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured. + + +=== "action_log" + + + ```json + { + "name": "output-techno1", + "origin": "core.action", + "processed": 0, + "failed": 0, + "suspended": 0, + "suspended.duration": 0, + "resumed": 0 + } + ``` + + + +=== "da_queue_log" + + + ```json + { + "name": "ruleset-my-techno1[DA]", + "origin": "core.queue", + "size": 0, + "enqueued": 0, + "full": 0, + "discarded.full": 0, + "discarded.nf": 0, + "maxqsize": 0 + } + ``` + + + +=== "input_tcp" + + + ```json + { + "name": "input-techno1(20516)", + "origin": "imtcp", + "submitted": 0 + } + ``` + + + +=== "input_udp" + + + ```json + { + "name": "input-my-techno2(*/20517/IPv4)", + "origin": "imudp", + "submitted": 0, + "disallowed": 0 + } + ``` + + + +=== "memory_queue_log" + + + ```json + { + "name": "ruleset-techno1", + "origin": "core.queue", + "size": 0, + "enqueued": 0, + "full": 0, + "discarded.full": 0, + "discarded.nf": 0, + "maxqsize": 0 + } + ``` + + + +=== "output_log" + + + ```json + { + "name": "TCP-intake.sekoia.io-10514", + "origin": "omfwd", + "bytes.sent": 0 + } + ``` + + + +=== "stats" + + + ```json + { + "name": "resource-usage", + "origin": "impstats", + "utime": 134625, + "stime": 20397, + "maxrss": 13888, + "minflt": 1510, + "majflt": 0, + "inblock": 0, + "oublock": 272, + "nvcsw": 347, + "nivcsw": 31, + "openfiles": 15 + } + ``` + + + diff --git a/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5.md b/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5.md index d6adb8fe88..1f80cd9378 100644 
--- a/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5.md +++ b/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5.md @@ -70,16 +70,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "ip": "52.95.4.21" }, "user": { - "group": { - "id": [], - "name": [] - }, "id": "arn:aws:sts::112233445566:assumed-role/Admin/Admin-user", "target": { - "group": { - "id": [], - "name": [] - }, "id": "AROA2W7SOKHEXAMPLE:Admin-user", "name": "test_user2" } @@ -146,10 +138,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "ip": "205.8.181.128" }, "user": { - "group": { - "id": [], - "name": [] - }, "id": "arn:aws:iam::1111111111111:user/Level6", "name": "Level6" }, @@ -200,7 +188,20 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "activity_id": 1, "activity_name": "Create", "class_name": "API Activity", - "class_uid": 6003 + "class_uid": 6003, + "user": { + "groups": [ + { + "name": "system:bootstrappers" + }, + { + "name": "system:nodes" + }, + { + "name": "system:authenticated" + } + ] + } }, "package": { "description": [], @@ -216,14 +217,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "path": "/api/v1/nodes" }, "user": { - "group": { - "id": [], - "name": [ - "system:authenticated", - "system:bootstrappers", - "system:nodes" - ] - }, "id": "heptio-authenticator-aws:123456789012:ABCD1234567890EXAMPLE", "name": "system:node:ip-192-001-02-03.ec2.internal" }, @@ -290,17 +283,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "ip": "192.0.2.0" }, "user": { - "group": { - "id": [], - "name": [] - }, "id": "arn:aws:iam::111122223333:user/anaya", "name": "anaya", "target": { - "group": { - "id": [], - "name": [] - }, "id": "arn:aws:iam::111122223333:user/anaya" } }, 
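Review bot: The EKS audit sample in the `@@ -200,7 +188,20 @@` and `@@ -216,14 +217,6 @@` hunks moves the caller's groups from the ECS field `user.group.name` (`system:authenticated`, `system:bootstrappers`, `system:nodes`) into a vendor-specific `user.groups[].name` block, presumably under `ocsf` since the enclosing key is outside the hunk; that is a breaking change for any detection rule or saved search keyed on `user.group.name` for this intake, and the commit does not call it out. Dropping the empty `user.group.id`/`user.group.name` arrays in the other hunks of this file is fine, but where group membership is actually present it is valid ECS and is what Kubernetes privilege rules typically match on, so consider keeping `user.group.name` populated alongside the OCSF copy. A one-line note in the description, such as `user.group.name is no longer emitted for EKS audit events; use ocsf.user.groups.name`, would let rule owners adjust.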
@@ -384,18 +369,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "user": { "domain": "ATTACKRANGE", - "group": { - "id": [], - "name": [] - }, "id": "NT AUTHORITY\\SYSTEM", "name": "WIN-DC-725$", "target": { "domain": "NT AUTHORITY", - "group": { - "id": [], - "name": [] - }, "id": "NT AUTHORITY\\SYSTEM", "name": "SYSTEM" } @@ -460,17 +437,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "port": 0 }, "user": { - "group": { - "id": [], - "name": [] - }, "id": "NULL SID", "target": { "domain": "EC2AMAZ-6KJ2BPP", - "group": { - "id": [], - "name": [] - }, "id": "NULL SID", "name": "Administrator" } 
@@ -488,9 +457,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "message": "{\"activity_id\": 2, \"activity_name\": \"Update\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Compliance Finding\", \"class_uid\": 2003, \"cloud\": {\"account\": {\"uid\": \"111111111111\"}, \"provider\": \"AWS\", \"region\": \"us-east-2\"}, \"compliance\": {\"control\": \"Config.1\", \"requirements\": [\"PCI DSS 10.5.2\", \"PCI DSS 11.5\"], \"standards\": [\"standards/pci-dss/v/3.2.1\"], \"status\": \"FAILED\"}, \"finding_info\": {\"created_time_dt\": \"2023-01-13T15:08:44.967-05:00\", \"desc\": \"This AWS control checks whether AWS Config is enabled in current account and region.\", \"first_seen_time_dt\": \"2023-01-13T15:08:44.967-05:00\", \"last_seen_time_dt\": \"2023-07-21T14:12:05.693-04:00\", \"modified_time_dt\": \"2023-07-21T14:11:53.060-04:00\", \"title\": \"PCI.Config.1 AWS Config should be enabled\", \"types\": [\"Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS\"], \"uid\": \"arn:aws:securityhub:us-east-2:111111111111:subscription/pci-dss/v/3.2.1/PCI.Config.1/finding/7d619054-6f0d-456b-aa75-23b20f74fae6\"}, \"metadata\": {\"log_version\": \"2018-10-08\", \"processed_time_dt\": \"2023-07-21T14:12:08.489-04:00\", \"product\": {\"feature\": {\"uid\": \"pci-dss/v/3.2.1/PCI.Config.1\"}, \"name\": \"Security Hub\", \"uid\": \"arn:aws:securityhub:us-east-2::product/aws/securityhub\", \"vendor_name\": \"AWS\"}, \"profiles\": [\"cloud\", \"datetime\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"resource.uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"AWS::::Account:111111111111\"}], \"remediation\": {\"desc\": \"For information on how to correct this issue, consult the AWS Security Hub controls documentation.\", \"references\": [\"https://docs.aws.amazon.com/console/securityhub/Config.1/remediation\"]}, \"resource\": {\"cloud_partition\": \"aws\", \"region\": 
\"us-east-2\", \"type\": \"AwsAccount\", \"uid\": \"AWS::::Account:111111111111\"}, \"severity\": \"Medium\", \"severity_id\": 3, \"status\": \"New\", \"time\": 1689963113060, \"time_dt\": \"2023-07-21T14:11:53.060-04:00\", \"type_name\": \"Compliance Finding: Update\", \"type_uid\": 200302, \"unmapped\": {\"FindingProviderFields.Severity.Label\": \"MEDIUM\", \"FindingProviderFields.Severity.Original\": \"MEDIUM\", \"FindingProviderFields.Types[]\": \"Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS\", \"ProductFields.ControlId\": \"PCI.Config.1\", \"ProductFields.RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/Config.1/remediation\", \"ProductFields.Resources:0/Id\": \"arn:aws:iam::111111111111:root\", \"ProductFields.StandardsArn\": \"arn:aws:securityhub:::standards/pci-dss/v/3.2.1\", \"ProductFields.StandardsControlArn\": \"arn:aws:securityhub:us-east-2:111111111111:control/pci-dss/v/3.2.1/PCI.Config.1\", \"ProductFields.StandardsSubscriptionArn\": \"arn:aws:securityhub:us-east-2:111111111111:subscription/pci-dss/v/3.2.1\", \"ProductFields.aws/securityhub/CompanyName\": \"AWS\", \"ProductFields.aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-2::product/aws/securityhub/arn:aws:securityhub:us-east-2:111111111111:subscription/pci-dss/v/3.2.1/PCI.Config.1/finding/7d619054-6f0d-456b-aa75-23b20f74fae6\", \"ProductFields.aws/securityhub/ProductName\": \"Security Hub\", \"RecordState\": \"ACTIVE\", \"Severity.Normalized\": \"40\", \"Severity.Original\": \"MEDIUM\", \"Severity.Product\": \"40\", \"WorkflowState\": \"NEW\"}}", "event": { "action": "update", - "category": [], + "category": [ + "vulnerability" + ], "severity": 3, - "type": [] + "type": [ + "info" + ] }, "@timestamp": "2023-07-21T18:11:53.060000Z", "cloud": { 
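Review bot: The `@@ -488,9 +457,13 @@` hunk sets `event.category` to `vulnerability` and `event.type` to `info` for a Security Hub compliance finding (`class_uid` 2003, `compliance.status: FAILED`, control `Config.1`), and the `@@ -519,9 +492,13 @@` and `@@ -542,6 +519,41 @@` hunks apply the same pair to GuardDuty detection findings (`class_uid` 2004, `TTPs/Defense Evasion` and `TTPs/Policy:IAMUser-RootCredentialUsage`). Neither is a vulnerability in ECS terms: a failed configuration control fits `configuration`, and a GuardDuty threat finding fits `intrusion_detection`, so built-in rules scoped on `event.category: vulnerability` will start matching every Security Hub record. Since OCSF carries `class_uid` in each record, the parser could branch on it, e.g. `2003 → ["configuration"]`, `2004 → ["intrusion_detection"]`, and the compliance case could also derive `event.outcome: failure` from `compliance.status`.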
@@ -519,9 +492,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "message": "{\"activity_id\": 1, \"activity_name\": \"Create\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Detection Finding\", \"class_uid\": 2004, \"cloud\": {\"account\": {\"uid\": \"111111111111\"}, \"provider\": \"AWS\", \"region\": \"us-east-2\"}, \"evidences\": [{\"api\": {\"operation\": \"DeleteTrail\", \"service\": {\"name\": \"cloudtrail.amazonaws.com\"}}, \"data\": \"\", \"src_endpoint\": {\"ip\": \"52.94.133.131\", \"location\": {\"city\": \"\", \"coordinates\": [-100.821999, 37.751], \"country\": \"United States\"}}}], \"finding_info\": {\"created_time_dt\": \"2023-09-19T11:05:22.487-04:00\", \"desc\": \"AWS CloudTrail trail arn:aws:cloudtrail:us-east-2:111111111111:trail/delete-me was disabled by Admin calling DeleteTrail under unusual circumstances. This can be attackers attempt to cover their tracks by eliminating any trace of activity performed while they accessed your account.\", \"first_seen_time_dt\": \"2023-09-19T10:55:09.000-04:00\", \"last_seen_time_dt\": \"2023-09-19T10:55:09.000-04:00\", \"modified_time_dt\": \"2023-09-19T11:05:22.487-04:00\", \"src_url\": \"https://us-east-2.console.aws.amazon.com/guardduty/home?region=us-east-2#/findings?macros=current&fId=a6c556fcbc9bea427a19f8b787099a0b\", \"title\": \"AWS CloudTrail trail arn:aws:cloudtrail:us-east-2:111111111111:trail/delete-me was disabled.\", \"types\": [\"TTPs/Defense Evasion/Stealth:IAMUser-CloudTrailLoggingDisabled\"], \"uid\": \"arn:aws:guardduty:us-east-2:111111111111:detector/1ac1bfceda6679698215d5d0EXAMPLE/finding/a6c556fcbc9bea427a19f8b787099a0b\"}, \"metadata\": {\"extensions\": [{\"name\": \"linux\", \"uid\": \"1\", \"version\": \"1.1.0\"}], \"log_version\": \"2018-10-08\", \"product\": {\"feature\": {\"uid\": \"arn:aws:guardduty:us-east-2:111111111111:detector/1ac1bfceda6679698215d5d0EXAMPLE\"}, \"name\": \"GuardDuty\", \"uid\": 
\"arn:aws:securityhub:us-east-2::product/aws/guardduty\", \"vendor_name\": \"Amazon\"}, \"profiles\": [\"cloud\", \"datetime\", \"linux\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"evidences[].src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"52.94.133.131\"}, {\"name\": \"resources[].uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"AWS::IAM::AccessKey:ASIATMJPC7EXAMPLE\"}], \"resources\": [{\"cloud_partition\": \"aws\", \"data\": \"{\\\"AwsIamAccessKey\\\":{\\\"PrincipalId\\\":\\\"AROATMJPC7YEXAMPLE:example\\\",\\\"PrincipalName\\\":\\\"Admin\\\",\\\"PrincipalType\\\":\\\"AssumedRole\\\"}}\", \"region\": \"us-east-2\", \"type\": \"AwsIamAccessKey\", \"uid\": \"AWS::IAM::AccessKey:ASIATMJPC7EXAMPLE\"}], \"severity\": \"Low\", \"severity_id\": 2, \"status\": \"New\", \"time\": 1695135922487, \"time_dt\": \"2023-09-19T11:05:22.487-04:00\", \"type_name\": \"Detection Finding: Create\", \"type_uid\": 200401, \"unmapped\": {\"FindingProviderFields.Severity.Label\": \"LOW\", \"FindingProviderFields.Types[]\": \"TTPs/Defense Evasion/Stealth:IAMUser-CloudTrailLoggingDisabled\", \"ProductFields.aws/guardduty/service/action/actionType\": \"AWS_API_CALL\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/affectedResources/AWS::CloudTrail::Trail\": \"arn:aws:cloudtrail:us-east-2:111111111111:trail/delete-me\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/callerType\": \"Remote IP\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asn\": \"16509\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asnOrg\": \"AMAZON-02\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/isp\": \"Amazon Office\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/org\": \"Amazon Office\", \"ProductFields.aws/guardduty/service/additionalInfo/type\": 
\"default\", \"ProductFields.aws/guardduty/service/archived\": \"false\", \"ProductFields.aws/guardduty/service/count\": \"1\", \"ProductFields.aws/guardduty/service/detectorId\": \"1ac1bfceda6679698215d5d0EXAMPLE\", \"ProductFields.aws/guardduty/service/eventFirstSeen\": \"2023-09-19T14:55:09.000Z\", \"ProductFields.aws/guardduty/service/eventLastSeen\": \"2023-09-19T14:55:09.000Z\", \"ProductFields.aws/guardduty/service/resourceRole\": \"TARGET\", \"ProductFields.aws/guardduty/service/serviceName\": \"guardduty\", \"ProductFields.aws/securityhub/CompanyName\": \"Amazon\", \"ProductFields.aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-2::product/aws/guardduty/arn:aws:guardduty:us-east-2:111111111111:detector/1ac1bfceda6679698215d5d0EXAMPLE/finding/a6c556fcbc9bea427a19f8b787099a0b\", \"ProductFields.aws/securityhub/ProductName\": \"GuardDuty\", \"RecordState\": \"ACTIVE\", \"Sample\": \"false\", \"Severity.Normalized\": \"40\", \"Severity.Product\": \"2\", \"WorkflowState\": \"NEW\"}}", "event": { "action": "create", - "category": [], + "category": [ + "vulnerability" + ], "severity": 2, - "type": [] + "type": [ + "info" + ] }, "@timestamp": "2023-09-19T15:05:22.487000Z", "cloud": { 
@@ -542,6 +519,41 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_detection_finding_2.json" + + ```json + + { + "message": "{\"metadata\":{\"log_version\":\"2018-10-08\",\"product\":{\"feature\":{\"uid\":\"arn:aws:guardduty:eu-west-3:11111111111:detector/effff3292fef47a8b2941836e434e833\",\"name\":null},\"uid\":\"arn:aws:securityhub:eu-west-3::product/aws/guardduty\",\"name\":\"GuardDuty\",\"vendor_name\":\"Amazon\",\"version\":null},\"processed_time_dt\":1726062303537,\"profiles\":[\"cloud\",\"datetime\",\"linux\"],\"version\":\"1.1.0\",\"extensions\":[{\"name\":\"linux\",\"uid\":\"1\",\"version\":\"1.1.0\"}]},\"time\":1726062281022,\"time_dt\":1726062281022,\"confidence_score\":null,\"message\":null,\"cloud\":{\"account\":{\"uid\":\"11111111111\"},\"region\":\"eu-west-3\",\"provider\":\"AWS\"},\"resource\":null,\"finding_info\":{\"created_time_dt\":1681218428211,\"uid\":\"arn:aws:guardduty:eu-west-3:11111111111:detector/effff3292fef47a8b2941836e434e833/finding/9711517f14c54eb79ad3e3b0cee89e3c\",\"desc\":\"The API DescribeStackEvents was invoked using root credentials from IP address 62.129.18.152.\",\"title\":\"The API DescribeStackEvents was invoked using root 
credentials.\",\"modified_time_dt\":1726062281022,\"first_seen_time_dt\":1681218080000,\"last_seen_time_dt\":1726061921000,\"related_events\":null,\"types\":[\"TTPs/Policy:IAMUser-RootCredentialUsage\"],\"src_url\":\"https://eu-west-3.console.aws.amazon.com/guardduty/home?region=eu-west-3#/findings?macros=current&fId=9711517f14c54eb79ad3e3b0cee89e3c\"},\"remediation\":null,\"compliance\":null,\"vulnerabilities\":null,\"resources\":[{\"type\":\"AwsIamAccessKey\",\"uid\":\"AWS::IAM::AccessKey:********************\",\"cloud_partition\":\"aws\",\"region\":\"eu-west-3\",\"labels\":null,\"data\":\"{\\\"AwsIamAccessKey\\\":{\\\"PrincipalId\\\":\\\"11111111111\\\",\\\"PrincipalName\\\":\\\"Root\\\",\\\"PrincipalType\\\":\\\"Root\\\"}}\",\"criticality\":null,\"owner\":null}],\"evidences\":[{\"data\":\"\",\"actor\":null,\"process\":null,\"api\":{\"operation\":\"DescribeStackEvents\",\"response\":null,\"service\":{\"name\":\"cloudformation.amazonaws.com\"}},\"src_endpoint\":{\"ip\":\"1.2.3.4\",\"location\":{\"country\":\"France\",\"city\":\"Rennes\",\"coordinates\":[-1.6744,48.110001]},\"port\":null},\"connection_info\":null,\"dst_endpoint\":null,\"query\":null}],\"class_name\":\"Detection Finding\",\"class_uid\":2004,\"category_name\":\"Findings\",\"category_uid\":2,\"severity_id\":2,\"severity\":\"Low\",\"activity_name\":\"Update\",\"activity_id\":2,\"type_uid\":200402,\"type_name\":\"Detection Finding: Update\",\"status\":\"New\",\"accountid\":null,\"region\":null,\"asl_version\":null,\"observables\":[{\"name\":\"resources[].uid\",\"value\":\"AWS::IAM::AccessKey:********************\",\"type\":\"Resource UID\",\"type_id\":10},{\"name\":\"evidences[].src_endpoint.ip\",\"value\":\"1.2.3.4\",\"type\":\"IP Address\",\"type_id\":2}]}\n", + "event": { + "action": "update", + "category": [ + "vulnerability" + ], + "severity": 2, + "type": [ + "info" + ] + }, + "@timestamp": "2024-09-11T13:44:41.022000Z", + "cloud": { + "account": { + "id": "11111111111" + }, + "provider": "AWS", 
+ "region": "eu-west-3" + }, + "ocsf": { + "activity_id": 2, + "activity_name": "Update", + "class_name": "Detection Finding", + "class_uid": 2004 + } + } + + ``` + + === "test_dns_activity_1.json" ```json @@ -569,16 +581,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "region": "us-east-1" }, "dns": { - "answers": { - "class": [ - "IN" - ], - "ttl": [], - "type": [ - "A" - ] - }, - "id": [], + "answers": [ + { + "class": "IN", + "data": "127.0.0.62", + "type": "A" + } + ], "question": { "class": [ "IN" 
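Review bot: The `test_detection_finding_2.json` sample added in `@@ -542,6 +519,41 @@` normalizes a root-credential-usage finding down to `event`, `@timestamp`, `cloud` and four `ocsf.*` fields; the caller IP `1.2.3.4` from `evidences[].src_endpoint.ip` (also listed under `observables`), the `PrincipalName`/`PrincipalType` `Root`, the finding `title`/`types` and `finding_info.uid` all stay inside `message`. An analyst therefore cannot pivot on `source.ip`, `related.ip` or `user.name`, nor deduplicate updates of the same finding, without re-parsing the raw JSON. Mapping `evidences[].src_endpoint.ip` to `source.ip`/`related.ip`, `finding_info.uid` to `event.id` and `finding_info.title` to `rule.name` would make the GuardDuty path usable in rules; if that is deliberately out of scope, the field table should say that GuardDuty evidence is not extracted.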
@@ -620,6 +629,76 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_dns_activity_2.json" + + ```json + + { + "message": "{\"metadata\":{\"product\":{\"version\":\"1.100000\",\"name\":\"Route 53\",\"feature\":{\"name\":\"Resolver Query Logs\"},\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"security_control\",\"datetime\"],\"version\":\"1.1.0\"},\"cloud\":{\"account\":{\"uid\":\"111111111111\"},\"region\":\"eu-west-3\",\"provider\":\"AWS\"},\"src_endpoint\":{\"vpc_uid\":\"vpc-11111111\",\"ip\":\"1.2.3.4\",\"port\":63115,\"instance_uid\":\"i-11111111111111111\"},\"time\":1726088328000,\"time_dt\":1726088328000,\"query\":{\"hostname\":\"_ldap._tcp.dc.example.org.\",\"type\":\"SRV\",\"class\":\"IN\"},\"answers\":null,\"connection_info\":{\"protocol_name\":\"UDP\",\"direction\":\"Unknown\",\"direction_id\":0},\"dst_endpoint\":null,\"firewall_rule\":null,\"severity_id\":1,\"severity\":\"Informational\",\"class_name\":\"DNS Activity\",\"class_uid\":4003,\"category_name\":\"Network Activity\",\"category_uid\":4,\"activity_id\":6,\"activity_name\":\"Traffic\",\"type_uid\":400306,\"type_name\":\"DNS Activity: Traffic\",\"rcode_id\":3,\"rcode\":\"NXDomain\",\"disposition\":\"Unknown\",\"action\":\"Unknown\",\"action_id\":0,\"unmapped\":null,\"accountid\":null,\"region\":null,\"asl_version\":null,\"observables\":[{\"name\":\"src_endpoint.instance_uid\",\"value\":\"i-11111111111111111\",\"type\":\"Resource UID\",\"type_id\":10},{\"name\":\"query.hostname\",\"value\":\"_ldap._tcp.dc.example.org.\",\"type\":\"Hostname\",\"type_id\":1},{\"name\":\"src_endpoint.ip\",\"value\":\"1.2.3.4\",\"type\":\"IP Address\",\"type_id\":2}]}\n", + "event": { + "action": "traffic", + "category": [ + "network" + ], + "kind": "event", + "severity": 1, + "type": [ + "info", + "protocol" + ] + }, + "@timestamp": "2024-09-11T20:58:48Z", + "cloud": { + "account": { + "id": "111111111111" + }, + "provider": "AWS", + "region": "eu-west-3" + }, + "dns": 
{ + "question": { + "class": [ + "IN" + ], + "name": "_ldap._tcp.dc.example.org.", + "registered_domain": "example.org", + "subdomain": "_ldap._tcp.dc", + "top_level_domain": "org", + "type": [ + "SRV" + ] + }, + "response_code": "NXDomain" + }, + "network": { + "direction": [ + "unknown" + ] + }, + "ocsf": { + "activity_id": 6, + "activity_name": "Traffic", + "class_name": "DNS Activity", + "class_uid": 4003 + }, + "related": { + "hosts": [ + "_ldap._tcp.dc.example.org." + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 63115 + } + } + + ``` + + === "test_http_activity_1.json" ```json @@ -1043,10 +1122,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "command_line": "reg save HKLM\\system C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\system ", "pid": 4696, "user": { - "group": { - "id": [], - "name": [] - }, "id": [ "NULL SID" ] @@ -1062,10 +1137,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "user": { "domain": "ATTACKRANGE", - "group": { - "id": [], - "name": [] - }, "id": "ATTACKRANGE\\Administrator", "name": "Administrator" } @@ -1130,10 +1201,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "user": { "domain": "LOGISTICS", - "group": { - "id": [], - "name": [] - }, "id": "S-1-5-21-1135140816-2109348461-2107143693-500", "name": "Administrator" } @@ -1393,10 +1460,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "user": { "domain": "DIR", - "group": { - "id": [], - "name": [] - }, "id": "NT AUTHORITY\\SYSTEM", "name": "STLDIRDC1$" } @@ -1448,10 +1511,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "user": { "domain": "SESTEST", - "group": { - "id": [], - "name": [] - }, "id": "SESTEST\\splunker", "name": "splunker" } 
@@ -1468,9 +1527,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "message": "{\"activity_id\": 2, \"activity_name\": \"Update\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Vulnerability Finding\", \"class_uid\": 2002, \"cloud\": {\"account\": {\"uid\": \"111111111111\"}, \"provider\": \"AWS\", \"region\": \"us-east-2\"}, \"finding_info\": {\"created_time_dt\": \"2023-04-21T11:59:04.000-04:00\", \"desc\": \"Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM\\nplatform contains a bug that could cause it to read past the input buffer,\\nleading to a crash.\\n\\nImpact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM\\nplatform can crash in rare circumstances. The AES-XTS algorithm is usually\\nused for disk encryption.\\n\\nThe AES-XTS cipher decryption implementation for 64 bit ARM platform will read\\npast the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16\\nbyte blocks, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext\\nbuffer is unmapped, this will trigger a crash which results in a denial of\\nservice.\\n\\nIf an attacker can control the size and location of the ciphertext buffer\\nbeing decrypted by an application using AES-XTS on 64 bit ARM, the\\napplication is affected. 
This is fairly unlikely making this issue\\na Low severity one.\", \"first_seen_time_dt\": \"2023-04-21T11:59:04.000-04:00\", \"last_seen_time_dt\": \"2024-01-26T17:19:14.000-05:00\", \"modified_time_dt\": \"2024-01-26T17:19:14.000-05:00\", \"title\": \"CVE-2023-1255 - openssl\", \"types\": [\"Software and Configuration Checks/Vulnerabilities/CVE\"], \"uid\": \"arn:aws:inspector2:us-east-2:111111111111:finding/faa0d54609b94871badcc83ac7c2add5\"}, \"metadata\": {\"log_version\": \"2018-10-08\", \"processed_time_dt\": \"2024-01-26T17:59:56.923-05:00\", \"product\": {\"feature\": {\"uid\": \"AWSInspector\"}, \"name\": \"Inspector\", \"uid\": \"arn:aws:securityhub:us-east-2::product/aws/inspector\", \"vendor_name\": \"Amazon\", \"version\": \"2\"}, \"profiles\": [\"cloud\", \"datetime\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"resource.uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"arn:aws:ecr:us-east-2:111111111111:repository/browserhostingstack-EXAMPLE-btb1o54yh1jr/sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8\"}], \"resource\": {\"cloud_partition\": \"aws\", \"data\": \"{\\\"AwsEcrContainerImage\\\":{\\\"Architecture\\\":\\\"amd64\\\",\\\"ImageDigest\\\":\\\"sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8\\\",\\\"ImagePublishedAt\\\":\\\"2023-04-11T21:07:55Z\\\",\\\"RegistryId\\\":\\\"111111111111\\\",\\\"RepositoryName\\\":\\\"browserhostingstack-EXAMPLE-btb1o54yh1jr\\\"}}\", \"region\": \"us-east-2\", \"type\": \"AwsEcrContainerImage\", \"uid\": \"arn:aws:ecr:us-east-2:111111111111:repository/browserhostingstack-EXAMPLE-btb1o54yh1jr/sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8\"}, \"severity\": \"Medium\", \"severity_id\": 3, \"status\": \"New\", \"time\": 1706307554000, \"time_dt\": \"2024-01-26T17:19:14.000-05:00\", \"type_name\": \"Vulnerability Finding: Update\", \"type_uid\": 200202, \"unmapped\": {\"FindingProviderFields.Severity.Label\": 
\"MEDIUM\", \"FindingProviderFields.Types[]\": \"Software and Configuration Checks/Vulnerabilities/CVE\", \"ProductFields.aws/inspector/FindingStatus\": \"ACTIVE\", \"ProductFields.aws/inspector/inspectorScore\": \"5.9\", \"ProductFields.aws/inspector/packageVulnerabilityDetails/vulnerablePackages/sourceLayerHashes\": \"sha256:f56be85fc22e46face30e2c3de3f7fe7c15f8fd7c4e5add29d7f64b87abdaa09\", \"ProductFields.aws/inspector/resources/1/resourceDetails/awsEcrContainerImageDetails/platform\": \"ALPINE_LINUX_3_17\", \"ProductFields.aws/securityhub/CompanyName\": \"Amazon\", \"ProductFields.aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-2::product/aws/inspector/arn:aws:inspector2:us-east-2:111111111111:finding/faa0d54609b94871badcc83ac7c2add5\", \"ProductFields.aws/securityhub/ProductName\": \"Inspector\", \"RecordState\": \"ACTIVE\", \"Severity.Normalized\": \"40\", \"Vulnerabilities[].Cvss[].Source\": \"NVD,NVD\", \"Vulnerabilities[].Vendor.VendorSeverity\": \"MEDIUM\", \"Vulnerabilities[].VulnerablePackages[].SourceLayerHash\": \"sha256:f56be85fc22e46face30e2c3de3f7fe7c15f8fd7c4e5add29d7f64b87abdaa09\", \"WorkflowState\": \"NEW\"}, \"vulnerabilities\": [{\"affected_packages\": [{\"architecture\": \"X86_64\", \"epoch\": 0, \"fixed_in_version\": \"0:3.0.8-r4\", \"name\": \"openssl\", \"package_manager\": \"OS\", \"release\": \"r3\", \"remediation\": {\"desc\": \"apk update && apk upgrade openssl\"}, \"version\": \"3.0.8\"}], \"cve\": {\"created_time_dt\": \"2023-04-20T13:15:06.000-04:00\", \"cvss\": [{\"base_score\": 5.9, \"vector_string\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"version\": \"3.1\"}, {\"base_score\": 5.9, \"vector_string\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"version\": \"3.1\"}], \"epss\": {\"score\": \"0.00066\"}, \"modified_time_dt\": \"2023-09-08T13:15:15.000-04:00\", \"references\": [\"https://nvd.nist.gov/vuln/detail/CVE-2023-1255\"], \"uid\": \"CVE-2023-1255\"}, \"is_exploit_available\": true, 
\"is_fix_available\": true, \"references\": [\"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bc2f61ad70971869b242fc1cb445b98bad50074a\", \"https://www.openssl.org/news/secadv/20230419.txt\", \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=02ac9c9420275868472f33b01def01218742b8bb\"], \"remediation\": {\"desc\": \"Remediation is available. Please refer to the Fixed version in the vulnerability details section above.For detailed remediation guidance for each of the affected packages, refer to the vulnerabilities section of the detailed finding JSON.\"}, \"vendor_name\": \"NVD\"}]}", "event": { "action": "update", - "category": [], + "category": [ + "vulnerability" + ], "severity": 3, - "type": [] + "type": [ + "info" + ] }, "@timestamp": "2024-01-26T22:19:14Z", "cloud": { @@ -1487,25 +1550,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "class_uid": 2002 }, "vulnerability": { - "description": [ - "" - ], - "id": [ - "CVE-2023-1255" - ], + "id": "CVE-2023-1255", "scanner": { - "vendor": [ - "NVD" - ] - }, - "score": { - "version": [ - "" - ] - }, - "severity": [ - "" - ] + "vendor": "NVD" + } } } @@ -1561,10 +1609,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "user": { "domain": "SOI", - "group": { - "id": [], - "name": [] - }, "id": "NT AUTHORITY\\SYSTEM", "name": "SZUSOIDC1$" } 
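Review bot: `vulnerability.scanner.vendor` is now populated with `NVD`, which in the raw message is `vulnerabilities[].vendor_name` (the advisory source of the CVE record), while the scanner that produced the finding is described by `metadata.product` with `name: Inspector` and `vendor_name: Amazon`; ECS defines `vulnerability.scanner.vendor` as the vendor of the scanning product, so rules that pivot on the scanner would match the wrong thing. Likewise `vulnerability.id` is now a scalar taken from a `vulnerabilities` array that happens to hold one entry in this sample; how a multi-entry array is handled is not visible here and should be stated. Consider mapping the scanner vendor from `metadata.product.vendor_name` and keeping the advisory source in `vulnerability.reference`, e.g. `"scanner": { "vendor": "Amazon" }`.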
@@ -1607,9 +1651,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`destination.mac` | `keyword` | MAC address of the destination. |
 |`destination.packets` | `long` | Packets sent from the destination to the source. |
 |`destination.port` | `long` | Port of the destination. |
-|`dns.answers.class` | `keyword` | The class of DNS data contained in this resource record. |
-|`dns.answers.ttl` | `long` | The time interval in seconds that this resource record may be cached before it should be discarded. |
-|`dns.answers.type` | `keyword` | The type of data contained in this resource record. |
+|`dns.answers` | `object` | Array of DNS answers. |
 |`dns.id` | `keyword` | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. |
 |`dns.question.class` | `keyword` | The class of records being queried. |
 |`dns.question.name` | `keyword` | The name being queried. |
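Review bot: The replacement row types `dns.answers` as `object` with the description `Array of DNS answers.`, while the `test_dns_activity_1.json` sample earlier in this commit now shows it as an array of objects carrying `class`, `data` and `type`; the three removed rows were the only place those sub-fields were documented and nothing replaces them. A reader of the field table can no longer tell which keys an answer element carries or that `ttl` (previously listed) is no longer emitted. Suggest keeping the sub-field rows, or at least `|`dns.answers` | `object` | Array of DNS answer objects with `class`, `data` and `type`. |`.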
@@ -1700,6 +1742,18 @@ The following table lists the fields that are extracted, normalized under the EC
 |`ocsf.activity_name` | `keyword` | The event activity name, as defined by the activity_id. |
 |`ocsf.class_name` | `keyword` | The event class name, as defined by class_uid value: Security Finding. |
 |`ocsf.class_uid` | `long` | The unique identifier of a class. A Class describes the attributes available in an event.2001 Security FindingSecurity Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products. |
+|`ocsf.process.group` | `dict` | |
+|`ocsf.process.parent.group` | `dict` | |
+|`ocsf.process.parent.user.domain` | `keyword` | |
+|`ocsf.process.parent.user.email` | `keyword` | |
+|`ocsf.process.parent.user.full_name` | `keyword` | |
+|`ocsf.process.parent.user.groups` | `array` | |
+|`ocsf.process.user.domain` | `keyword` | |
+|`ocsf.process.user.email` | `keyword` | |
+|`ocsf.process.user.full_name` | `keyword` | |
+|`ocsf.process.user.groups` | `array` | |
+|`ocsf.user.groups` | `array` | The list of groups that the user belong to |
+|`ocsf.vulnerabilities` | `array` | |
 |`orchestrator.type` | `keyword` | Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). |
 |`organization.id` | `keyword` | Unique identifier for the organization. |
 |`organization.name` | `keyword` | Organization name. |
@@ -1710,8 +1764,6 @@ The following table lists the fields that are extracted, normalized under the EC
 |`process.end` | `date` | The time the process ended. |
 |`process.entity_id` | `keyword` | Unique identifier for the process. |
 |`process.exit_code` | `long` | The exit code of the process. |
-|`process.group.id` | `keyword` | |
-|`process.group.name` | `keyword` | |
 |`process.name` | `keyword` | Process name. |
 |`process.parent.command_line` | `wildcard` | Full command line that started the process. |
 |`process.parent.end` | `date` | The time the process ended. |
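Review bot: Eleven of the twelve added `ocsf.*` rows have an empty description cell, and they introduce the type names `dict` and `array` where the rest of the table uses `object`, `keyword` and `long`, so a reader cannot tell whether `ocsf.process.user.groups` holds group names or group objects, nor what `ocsf.vulnerabilities` contains. Fill the descriptions from the OCSF schema the fields are lifted from (e.g. `|`ocsf.process.user.groups` | `array` | Groups the process user belongs to. |`) and use the table's existing type vocabulary. The one description present should read `The list of groups that the user belongs to`.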
@@ -1720,19 +1772,9 @@ The following table lists the fields that are extracted, normalized under the EC
 |`process.parent.pid` | `long` | Process id. |
 |`process.parent.start` | `date` | The time the process started. |
 |`process.parent.thread.id` | `long` | Thread ID. |
-|`process.parent.user.domain` | `keyword` | |
-|`process.parent.user.email` | `keyword` | |
-|`process.parent.user.full_name` | `keyword` | |
-|`process.parent.user.group.id` | `keyword` | |
-|`process.parent.user.group.name` | `keyword` | |
 |`process.pid` | `long` | Process id. |
 |`process.start` | `date` | The time the process started. |
 |`process.thread.id` | `long` | Thread ID. |
-|`process.user.domain` | `keyword` | |
-|`process.user.email` | `keyword` | |
-|`process.user.full_name` | `keyword` | |
-|`process.user.group.id` | `keyword` | |
-|`process.user.group.name` | `keyword` | |
 |`rule.category` | `keyword` | Rule category |
 |`rule.description` | `keyword` | Rule description |
 |`rule.name` | `keyword` | Rule name |
@@ -1779,22 +1821,16 @@ The following table lists the fields that are extracted, normalized under the EC
 |`user.changes.domain` | `keyword` | Name of the directory the user is a member of. |
 |`user.changes.email` | `keyword` | User email address. |
 |`user.changes.full_name` | `keyword` | User's full name, if available. |
-|`user.changes.group.id` | `keyword` | Unique identifier for the group on the system/platform. |
-|`user.changes.group.name` | `keyword` | Name of the group. |
 |`user.changes.id` | `keyword` | Unique identifier of the user. |
 |`user.changes.name` | `keyword` | Short name or login of the user. |
 |`user.domain` | `keyword` | Name of the directory the user is a member of. |
 |`user.email` | `keyword` | User email address. |
 |`user.full_name` | `keyword` | User's full name, if available. |
-|`user.group.id` | `keyword` | Unique identifier for the group on the system/platform. |
-|`user.group.name` | `keyword` | Name of the group. |
 |`user.id` | `keyword` | Unique identifier of the user. |
 |`user.name` | `keyword` | Short name or login of the user. |
 |`user.target.domain` | `keyword` | Name of the directory the user is a member of. |
 |`user.target.email` | `keyword` | User email address. |
 |`user.target.full_name` | `keyword` | User's full name, if available. |
-|`user.target.group.id` | `keyword` | Unique identifier for the group on the system/platform. |
-|`user.target.group.name` | `keyword` | Name of the group. |
 |`user.target.id` | `keyword` | Unique identifier of the user. |
 |`user.target.name` | `keyword` | Short name or login of the user. |
 |`user_agent.original` | `keyword` | Unparsed user_agent string. |
diff --git a/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5_sample.md b/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5_sample.md
index d7bae59044..6497502ea7 100644
--- a/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5_sample.md
+++ b/_shared_content/operations_center/integrations/generated/a9c959ac-78ec-47a4-924e-8156a77cebf5_sample.md
@@ -1104,6 +1104,141 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_detection_finding_2" + + + ```json + { + "metadata": { + "log_version": "2018-10-08", + "product": { + "feature": { + "uid": "arn:aws:guardduty:eu-west-3:11111111111:detector/effff3292fef47a8b2941836e434e833", + "name": null + }, + "uid": "arn:aws:securityhub:eu-west-3::product/aws/guardduty", + "name": "GuardDuty", + "vendor_name": "Amazon", + "version": null + }, + "processed_time_dt": 1726062303537, + "profiles": [ + "cloud", + "datetime", + "linux" + ], + "version": "1.1.0", + "extensions": [ + { + "name": "linux", + "uid": "1", + "version": "1.1.0" + } + ] + }, + "time": 1726062281022, + "time_dt": 1726062281022, + "confidence_score": null, + "message": null, + "cloud": { + "account": { + "uid": "11111111111" + }, + "region": "eu-west-3", + "provider": "AWS" + }, + "resource": null, + "finding_info": { + "created_time_dt": 1681218428211, + "uid": "arn:aws:guardduty:eu-west-3:11111111111:detector/effff3292fef47a8b2941836e434e833/finding/9711517f14c54eb79ad3e3b0cee89e3c", + "desc": "The API DescribeStackEvents was invoked using root credentials from IP address 62.129.18.152.", + "title": "The API DescribeStackEvents was invoked using root credentials.", + "modified_time_dt": 1726062281022, + "first_seen_time_dt": 1681218080000, + "last_seen_time_dt": 1726061921000, + "related_events": null, + "types": [ + "TTPs/Policy:IAMUser-RootCredentialUsage" + ], + "src_url": "https://eu-west-3.console.aws.amazon.com/guardduty/home?region=eu-west-3#/findings?macros=current&fId=9711517f14c54eb79ad3e3b0cee89e3c" + }, + "remediation": null, + "compliance": null, + "vulnerabilities": null, + "resources": [ + { + "type": "AwsIamAccessKey", + "uid": "AWS::IAM::AccessKey:********************", + "cloud_partition": "aws", + "region": "eu-west-3", + "labels": null, + "data": 
"{\"AwsIamAccessKey\":{\"PrincipalId\":\"11111111111\",\"PrincipalName\":\"Root\",\"PrincipalType\":\"Root\"}}", + "criticality": null, + "owner": null + } + ], + "evidences": [ + { + "data": "", + "actor": null, + "process": null, + "api": { + "operation": "DescribeStackEvents", + "response": null, + "service": { + "name": "cloudformation.amazonaws.com" + } + }, + "src_endpoint": { + "ip": "1.2.3.4", + "location": { + "country": "France", + "city": "Rennes", + "coordinates": [ + -1.6744, + 48.110001 + ] + }, + "port": null + }, + "connection_info": null, + "dst_endpoint": null, + "query": null + } + ], + "class_name": "Detection Finding", + "class_uid": 2004, + "category_name": "Findings", + "category_uid": 2, + "severity_id": 2, + "severity": "Low", + "activity_name": "Update", + "activity_id": 2, + "type_uid": 200402, + "type_name": "Detection Finding: Update", + "status": "New", + "accountid": null, + "region": null, + "asl_version": null, + "observables": [ + { + "name": "resources[].uid", + "value": "AWS::IAM::AccessKey:********************", + "type": "Resource UID", + "type_id": 10 + }, + { + "name": "evidences[].src_endpoint.ip", + "value": "1.2.3.4", + "type": "IP Address", + "type_id": 2 + } + ] + } + ``` + + + === "test_dns_activity_1" 
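Review bot: The added `test_detection_finding_2` sample is only partially anonymized: the structured `src_endpoint.ip` and the `evidences[].src_endpoint.ip` observable were redacted to `1.2.3.4`, but the free-text `finding_info.desc` still carries the original address (`... was invoked using root credentials from IP address 62.129.18.152.`), and the same string is reproduced in the transformed sample earlier in this commit. Published fixtures should not embed what looks like a real source address; replace it inside `desc` with the same documentation address used in the structured fields, e.g. `"desc": "The API DescribeStackEvents was invoked using root credentials from IP address 1.2.3.4."`.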
@@ -1212,6 +1347,99 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_dns_activity_2" + + + ```json + { + "metadata": { + "product": { + "version": "1.100000", + "name": "Route 53", + "feature": { + "name": "Resolver Query Logs" + }, + "vendor_name": "AWS" + }, + "profiles": [ + "cloud", + "security_control", + "datetime" + ], + "version": "1.1.0" + }, + "cloud": { + "account": { + "uid": "111111111111" + }, + "region": "eu-west-3", + "provider": "AWS" + }, + "src_endpoint": { + "vpc_uid": "vpc-11111111", + "ip": "1.2.3.4", + "port": 63115, + "instance_uid": "i-11111111111111111" + }, + "time": 1726088328000, + "time_dt": 1726088328000, + "query": { + "hostname": "_ldap._tcp.dc.example.org.", + "type": "SRV", + "class": "IN" + }, + "answers": null, + "connection_info": { + "protocol_name": "UDP", + "direction": "Unknown", + "direction_id": 0 + }, + "dst_endpoint": null, + "firewall_rule": null, + "severity_id": 1, + "severity": "Informational", + "class_name": "DNS Activity", + "class_uid": 4003, + "category_name": "Network Activity", + "category_uid": 4, + "activity_id": 6, + "activity_name": "Traffic", + "type_uid": 400306, + "type_name": "DNS Activity: Traffic", + "rcode_id": 3, + "rcode": "NXDomain", + "disposition": "Unknown", + "action": "Unknown", + "action_id": 0, + "unmapped": null, + "accountid": null, + "region": null, + "asl_version": null, + "observables": [ + { + "name": "src_endpoint.instance_uid", + "value": "i-11111111111111111", + "type": "Resource UID", + "type_id": 10 + }, + { + "name": "query.hostname", + "value": "_ldap._tcp.dc.example.org.", + "type": "Hostname", + "type_id": 1 + }, + { + "name": "src_endpoint.ip", + "value": "1.2.3.4", + "type": "IP Address", + "type_id": 2 + } + ] + } + ``` + + + === "test_http_activity_1" 
diff --git a/_shared_content/operations_center/integrations/generated/acd3374a-9738-4650-9d20-bd0a22daac40.md b/_shared_content/operations_center/integrations/generated/acd3374a-9738-4650-9d20-bd0a22daac40.md index ee06a14fb6..f567f3be49 100644 --- a/_shared_content/operations_center/integrations/generated/acd3374a-9738-4650-9d20-bd0a22daac40.md +++ b/_shared_content/operations_center/integrations/generated/acd3374a-9738-4650-9d20-bd0a22daac40.md @@ -66,6 +66,47 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_alert_with_duration.json" + + ```json + + { + "message": "{\n \"accountName\": \"Account name\",\n \"isProtected\": false,\n \"threatName\": \"Threat\",\n \"endpointName\": \"Endpoint\",\n \"duration\": \"8 minutes 15 seconds\",\n \"startDateTime\": \"06 September, 08:01 UTC +00:00\",\n \"endDateTime\": \"06 September, 08:09 UTC +00:00\",\n \"requestsCount\": \"10,558\",\n \"peakSpeed\": \"1,457\",\n \"ipCount\": \"393\",\n \"uaCount\": \"82\",\n \"countryCount\": \"17\",\n \"urlCount\": \"2,221\"\n}", + "event": { + "category": [ + "intrusion_detection" + ], + "duration": 495000000000, + "end": "2024-09-06T08:09:00Z", + "kind": "alert", + "start": "2024-09-06T08:01:00Z", + "type": [ + "info" + ] + }, + "@timestamp": "2024-09-06T08:01:00Z", + "cloud": { + "account": { + "name": "Account name" + } + }, + "host": { + "name": "Endpoint" + }, + "observer": { + "product": "Datadome protection", + "vendor": "Datadome" + }, + "threat": { + "indicator": { + "name": "Threat" + } + } + } + + ``` + + diff --git a/_shared_content/operations_center/integrations/generated/acd3374a-9738-4650-9d20-bd0a22daac40_sample.md b/_shared_content/operations_center/integrations/generated/acd3374a-9738-4650-9d20-bd0a22daac40_sample.md index 757a26d2fb..af437e4e79 100644 --- a/_shared_content/operations_center/integrations/generated/acd3374a-9738-4650-9d20-bd0a22daac40_sample.md 
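Review bot: The raw message in the added `test_alert_with_duration.json` sample carries no year (`"startDateTime": "06 September, 08:01 UTC +00:00"`), yet the transformed event pins `event.start`, `event.end` and `@timestamp` to `2024-09-06`, so the year is being supplied by the parser, presumably from processing time. An alert ingested in early January for a late-December window would then be dated a year late, and nothing in the sample tells an analyst that the year is inferred. The sample (or the field table) should state how the year is derived; `event.duration` is consistent with the raw `8 minutes 15 seconds` (495 s as `495000000000` ns), so cross-checking `end - start` against it would catch a bad year boundary.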
+++ b/_shared_content/operations_center/integrations/generated/acd3374a-9738-4650-9d20-bd0a22daac40_sample.md @@ -27,3 +27,26 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_alert_with_duration" + + + ```json + { + "accountName": "Account name", + "isProtected": false, + "threatName": "Threat", + "endpointName": "Endpoint", + "duration": "8 minutes 15 seconds", + "startDateTime": "06 September, 08:01 UTC +00:00", + "endDateTime": "06 September, 08:09 UTC +00:00", + "requestsCount": "10,558", + "peakSpeed": "1,457", + "ipCount": "393", + "uaCount": "82", + "countryCount": "17", + "urlCount": "2,221" + } + ``` + + + diff --git a/_shared_content/operations_center/integrations/generated/bba2bed2-d925-440f-a0ce-dbcae04eaf26.md b/_shared_content/operations_center/integrations/generated/bba2bed2-d925-440f-a0ce-dbcae04eaf26.md deleted file mode 100644 index d7d6f946f7..0000000000 --- a/_shared_content/operations_center/integrations/generated/bba2bed2-d925-440f-a0ce-dbcae04eaf26.md +++ /dev/null 
@@ -1,501 +0,0 @@ - -### Event Categories - - -The following table lists the data source offered by this integration. - -| Data Source | Description | -| ----------- | ------------------------------------ | -| `Network intrusion detection system` | AIONIQ identify suspicious behaviors | -| `Network protocol analysis` | AIONIQ analyze traffic protocol | - - - - - -In details, the following table denotes the type of events produced by this integration. - -| Name | Values | -| ---- | ------ | -| Kind | `` | -| Category | `malware`, `network` | -| Type | `info` | - - - - -### Transformed Events Samples after Ingestion - -This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the [built-in detection rules](/xdr/features/detect/rules_catalog) and hunting activities in the [events page](/xdr/features/investigate/events). Understanding these transformations is essential for analysts to create effective detection mechanisms with [custom detection rules](/xdr/features/detect/sigma) and to leverage the full potential of the collected data. 
- -=== "malcore_event.json" - - ```json - - { - "message": "{\"@timestamp\":\"2022-06-03T15:00:20.531Z\",\"detail_wait_time\":18,\"event_type\":\"malware\",\"total_found\":\"3/16\",\"type\":\"malcore\",\"analyzed_clean\":13,\"analyzed_error\":0,\"SHA256\":\"2c36fbcbac3e57df410f6613180fe572015adba62d0f1bd98c13a1535d64703c\",\"dest_port\":49804,\"timestamp\":\"2022-06-03T14:59:08.780474+0000\",\"state\":\"Infected\",\"engine_id\":{\"3\":{\"scan_result\":\"CLEAN\",\"id\":\"312a189607571ec2c7544636be405f10889e73d061e0ed77ca0eca97a470838d\",\"threat_details\":\"\"},\"4\":{\"scan_result\":\"INFECTED\",\"id\":\"32f2f45e6d9faf46e6954356a710208d412fac5181f6c641e34cb9956a133684\",\"threat_details\":\"Win32/Exploit.CVE-2022-30190.A trojan\"},\"6\":{\"scan_result\":\"CLEAN\",\"id\":\"4ca73ae4b92fd7ddcda418e6b70ced0481ac2d878c48e61b686d0c9573c331dc\",\"threat_details\":\"\"},\"10\":{\"scan_result\":\"CLEAN\",\"id\":\"a9b912e461cec506780d8ad8e785cca6b233ad7c72335c262b0a4ab189afa713\",\"threat_details\":\"\"},\"13\":{\"scan_result\":\"CLEAN\",\"id\":\"b14014e40c0e672e050ad9c210a68a5303ce7facabae9eb2ee07ddf97dc0da0e\",\"threat_details\":\"\"},\"2\":{\"scan_result\":\"CLEAN\",\"id\":\"0ff95ddb1117d8f36124f6eac406dbbf9f17e3dd89f9bb1bd600f6ad834c25db\",\"threat_details\":\"\"},\"12\":{\"scan_result\":\"CLEAN\",\"id\":\"af6868a2b87b3388a816e09d2b282629ccf883b763b3691368a27fbd6f6cd51a\",\"threat_details\":\"\"},\"1\":{\"scan_result\":\"INFECTED\",\"id\":\"054a20c51cbe9d2cc7d6a237d6cd4e08ab1a67e170b371e632995766d3ba81af\",\"threat_details\":\"Exploit/HTML.CVE-2022-30190.S1841\"},\"14\":{\"scan_result\":\"CLEAN\",\"id\":\"ecc47e2309be9838d6dc2c5157be1a840950e943f5aaca6637afca11516c3eaf\",\"threat_details\":\"\"},\"9\":{\"scan_result\":\"CLEAN\",\"id\":\"95603b80d80fa3e98b6faf07418a55ed0b035d19209e3ad4f1858f6b46fa070a\",\"threat_details\":\"\"},\"15\":{\"scan_result\":\"CLEAN\",\"id\":\"fe665976a02d03734c321007328109ab66823b260a8eea117d2ab49ee9dfd3f1\",\"threat_details\":\"\"},\"7\":{\"sca
n_result\":\"CLEAN\",\"id\":\"527db072abcf877d4bdcd0e9e4ce12c5d769621aa65dd2f7697a3d67de6cc737\",\"threat_details\":\"\"},\"5\":{\"scan_result\":\"SUSPICIOUS\",\"id\":\"3bfeb615a695c5ebaac5ade948ffae0c3cfec3787d4625e3abb27fa3c2867f53\",\"threat_details\":\"HEUR:Exploit.Script.Generic\"},\"0\":{\"scan_result\":\"CLEAN\",\"id\":\"038e407ba285f0e01dd30c6e4f77ec19bad5ed3dc866a2904ae6bf46baa14b74\",\"threat_details\":\"\"},\"8\":{\"scan_result\":\"CLEAN\",\"id\":\"714eca0a6475fe7d2bf9a24bcae343f657b230ff68acd544b019574f1392de77\",\"threat_details\":\"\"},\"11\":{\"scan_result\":\"CLEAN\",\"id\":\"ad05e0dc742bcd6251af91bd07ef470c699d5aebbb2055520b07021b14d7380c\",\"threat_details\":\"\"}},\"detail_threat_found\":\"Infected : Exploit/HTML.CVE-2022-30190.S1841, Win32/Exploit.CVE-2022-30190.A trojan, HEUR:Exploit.Script.Generic\",\"analyzed_suspicious\":1,\"fileinfo\":{\"tx_id\":0,\"magic\":\"HTML document, ASCII text, with very long lines\",\"gaps\":false,\"md5\":\"16e3fcee85f81ec9e9c75dd13fb08c01\",\"sha256\":\"2c36fbcbac3e57df410f6613180fe572015adba62d0f1bd98c13a1535d64703c\",\"file_id\":1,\"sid\":[1100029],\"state\":\"CLOSED\",\"size\":6105,\"stored\":true,\"filename\":\"/exploit.html\"},\"host\":\"network.internal\",\"src_port\":80,\"flow_id\":1686930575880829,\"processing_time\":359,\"file_type_description\":\"Not available\",\"timestamp_analyzed\":\"2022-06-03T15:00:20.531Z\",\"dest_ip\":\"1.2.3.4\",\"reporting_token\":\"No GBOX\",\"severity\":1,\"gcenter\":[\"gcenter-nti.gatewatcher.com\",\"gcenter-nti.gatewatcher.com\"],\"analyzed_other\":0,\"analyzed_infected\":2,\"app_proto\":\"http\",\"detail_scan_time\":341,\"src_ip\":\"9.8.7.6\",\"magic_details\":\"HTML document, ASCII text, with very long lines\",\"proto\":\"TCP\",\"http\":{\"protocol\":\"HTTP/1.1\",\"hostname\":\"www.xmlformats.com\",\"http_content_type\":\"text/html\",\"length\":2485,\"http_user_agent\":\"Mozilla/4.0 (compatible; ms-office; MSOffice 
16)\",\"http_method\":\"GET\",\"url\":\"/exploit.html\",\"status\":200},\"timestamp_detected\":\"2022-06-03T14:59:08.780Z\",\"analyzers_up\":16,\"file_type\":\"Not available\",\"in_iface\":\"monvirt\",\"code\":1,\"engines_last_update_date\":\"2022-06-01T21:22:55Z\",\"gcap\":\"gcap-nti.gatewatcher.com\",\"uuid\":\"73a1884d-94a6-4800-9b08-6daa3281ce8f\"}", - "event": { - "category": [ - "malware" - ], - "kind": "event", - "severity": 1, - "type": [ - "info" - ] - }, - "@timestamp": "2022-06-03T15:00:20.531000Z", - "destination": { - "address": "1.2.3.4", - "ip": "1.2.3.4", - "port": 49804 - }, - "file": { - "hash": { - "md5": "16e3fcee85f81ec9e9c75dd13fb08c01", - "sha256": "2c36fbcbac3e57df410f6613180fe572015adba62d0f1bd98c13a1535d64703c" - }, - "name": "/exploit.html", - "size": 6105 - }, - "gatewatcher": { - "event_type": "malware", - "flow_id": "1686930575880829", - "gcap": "gcap-nti.gatewatcher.com", - "gcenter": [ - "gcenter-nti.gatewatcher.com", - "gcenter-nti.gatewatcher.com" - ], - "malcore": { - "code": "1", - "detail_threat_found": "Infected : Exploit/HTML.CVE-2022-30190.S1841, Win32/Exploit.CVE-2022-30190.A trojan, HEUR:Exploit.Script.Generic" - }, - "reporting_token": "No GBOX", - "state": "Infected", - "timestamp_analyzed": "2022-06-03T15:00:20.531Z", - "timestamp_detected": "2022-06-03T14:59:08.780Z", - "type": "malcore" - }, - "http": { - "request": { - "method": "GET" - }, - "response": { - "status_code": 200 - } - }, - "network": { - "protocol": "http", - "transport": "TCP" - }, - "observer": { - "hostname": "network.internal", - "name": "gcap-nti.gatewatcher.com", - "type": "firewall", - "version": "0.2" - }, - "related": { - "hash": [ - "16e3fcee85f81ec9e9c75dd13fb08c01", - "2c36fbcbac3e57df410f6613180fe572015adba62d0f1bd98c13a1535d64703c" - ], - "hosts": [ - "network.internal", - "www.xmlformats.com" - ], - "ip": [ - "1.2.3.4", - "9.8.7.6" - ] - }, - "source": { - "address": "9.8.7.6", - "ip": "9.8.7.6", - "port": 80 - }, - "url": { - "domain": 
"www.xmlformats.com", - "path": "/exploit.html", - "registered_domain": "xmlformats.com", - "subdomain": "www", - "top_level_domain": "com" - }, - "user_agent": { - "device": { - "name": "Other" - }, - "name": "Outlook", - "original": "Mozilla/4.0 (compatible; ms-office; MSOffice 16)", - "os": { - "name": "Other" - }, - "version": "2016" - } - } - - ``` - - -=== "suricata_alert_event.json" - - ```json - - { - "message": "{\"@timestamp\":\"2022-06-03T14:59:41.373Z\",\"gcenter\":[\"gcenter-sekoia.gatewatcher.com\",\"gcenter-sekoia.gatewatcher.com\"],\"event_type\":\"alert\",\"payload\":\"SFRUUC8xLjEgMjAwIE9LCkRhdGU6IFRodSwgMDIgSnVuIDIwMjIgMjI6Mzc6MjIgR01UClNlcnZlcjogQXBhY2hlLzIuNC40MSAoVWJ1bnR1KQpMYXN0LU1vZGlmaWVkOiBUaHUsIDAyIEp1biAyMDIyIDIyOjMwOjM0IEdNVApFVGFnOiAiMTdkOS01ZTA3ZThkZGI0NTA4LWd6aXAiCkFjY2VwdC1SYW5nZXM6IGJ5dGVzClZhcnk6IEFjY2VwdC1FbmNvZGluZwpDb250ZW50LUVuY29kaW5nOiBnemlwCkNvbnRlbnQtTGVuZ3RoOiAyNDg1CktlZXAtQWxpdmU6IHRpbWVvdXQ9NSwgbWF4PTEwMApDb25uZWN0aW9uOiBLZWVwLUFsaXZlCkNvbnRlbnQtVHlwZTogdGV4dC9odG1sCgp0ZXN0Cg==\",\"packet\":\"CAAnjitsCAAnk+hwCABFAAAoBRhAAD8GMWkKAQHewKg4yABQwow7Z24SQI3k4FAQAfUWzAAA\",\"type\":\"suricata\",\"community_id\":\"1:dGVzdAo=\",\"app_proto\":\"http\",\"src_ip\":\"9.8.7.6\",\"dest_port\":49804,\"alert\":{\"action\":\"allowed\",\"rev\":2,\"signature\":\"ETPRO INFO Observed Suspicious Base64 Encoded Wide String Inbound (exe)\",\"category\":\"Potentially Bad 
Traffic\",\"gid\":1,\"metadata\":{\"updated_at\":[\"2020_11_17\"],\"created_at\":[\"2020_04_13\"],\"former_category\":[\"HUNTING\"],\"signature_severity\":[\"Informational\"],\"attack_target\":[\"Client_Endpoint\"],\"deployment\":[\"Perimeter\"],\"affected_product\":[\"Windows_XP_Vista_7_8_10_Server_32_64_Bit\"]},\"signature_id\":2841990,\"severity\":2},\"flow\":{\"pkts_toserver\":5,\"bytes_toserver\":798,\"start\":\"2022-06-03T14:59:08.750205+0000\",\"pkts_toclient\":4,\"bytes_toclient\":3052},\"files\":[{\"filename\":\"/exploit.html\",\"state\":\"CLOSED\",\"tx_id\":0,\"sid\":[1100029],\"magic\":\"HTML document, ASCII text, with very long lines\",\"gaps\":false,\"md5\":\"16e3fcee85f81ec9e9c75dd13fb08c01\",\"sha256\":\"2c36fbcbac3e57df410f6613180fe572015adba62d0f1bd98c13a1535d64703c\",\"size\":6105,\"stored\":false}],\"proto\":\"TCP\",\"stream\":1,\"host\":\"network.internal\",\"http\":{\"protocol\":\"HTTP/1.1\",\"hostname\":\"www.xmlformats.com\",\"http_content_type\":\"text/html\",\"length\":2485,\"http_user_agent\":\"Mozilla/4.0 (compatible; ms-office; MSOffice 16)\",\"http_method\":\"GET\",\"url\":\"/exploit.html\",\"status\":200},\"timestamp_detected\":\"2022-06-03T14:59:08.780Z\",\"ether\":{\"src_mac\":\"08:00:27:8e:2b:6c\",\"dest_mac\":\"08:00:27:93:e8:70\"},\"src_port\":80,\"flow_id\":1686930575880829,\"payload_printable\":\"HTTP/1.1 200 OK\\r\\nDate: Thu, 02 Jun 2022 22:37:22 GMT\\r\\nServer: Apache/2.4.41 (Ubuntu)\\r\\nLast-Modified: Thu, 02 Jun 2022 22:30:34 GMT\\r\\nETag: \\\"17d9-5e07e8ddb4508-gzip\\\"\\r\\nAccept-Ranges: bytes\\r\\nVary: Accept-Encoding\\r\\nContent-Encoding: gzip\\r\\nContent-Length: 2485\\r\\nKeep-Alive: timeout=5, max=100\\r\\nConnection: Keep-Alive\\r\\nContent-Type: 
text/html\\r\\n\\r\\n...........Xko........\\n.F&.$VS..]pmYRa.Vd9q.(.........gW......#7....G....s.=.RO.....q..&n.....0.k...|{D.....!6.....V&nB.6.oVap......}7........l..>..{>{..~k.n..f.5]o.....X..k._G....U.....|...\\\\.a.m.f......._.!...c.8.Z..n.0........i..`.:..c[.a..;......_.........gv}.L.1V.G.......o.2,}..C~..w.(,...[..at+..8.~..'.mh1a..y......hVc0.n.iB.en.Z..O.]...l.b..2.b..{|i|._+...o].3}..Wd....3\\\"...!:.............C./.Z.....\\rP$S,.t.s.k..!..r..UI..g...ji^V...,.k..0i...}.!.=.......2.%.@..=u........{'Y@.k.8!.*`... ..c..z.j.u.D.....*......G.ng.U.....@.3U......\\n...$/..!.c.....T..S..tr.$...h......$(....&R...i.U#PL.J{...\\n!E.-9,w.....$%Xh9.U!...6...S`b...C>.i.cW......H...It\\n...B......q.IR....\\n..P&....i.d... .07.]U$tD.R...J4............^....tIT....UaD....g..k.b.......\\rm.VcK....p:....P.Dj...\\nD*0u*..b..(..P...\\\\S..Q*VT'......m.............7B..D./\\\"...gX..\\\".9W....I.=.9......T.%.U....J{b.l.\\r..Q.X.t9U.i)......R.i..V.g.5c..^.,.....&=r..p0SX..E...S5hsSJt..J...'}#8.........R.H.D.(i.TW...^.&..>@v..+sX\\ra..],>I.!%.`l`..,vDvL.....vDwM....,.I.-[3IP.I..GMi.I.MYa..'Z$U]r...... j3CE).NM!.@.!a......T.S.77....k&...P.........8...$..:.A.....+A........a......Mm..*..\\\\..zZ\\\"\\n...D.I.e.....r..9..JD..8.u`vd{..=.)Y.9...\\\\A'.}J...'.A?....)...........U....M5.`....J.&..e.D....N{1.s...d....cZE....\\nG)..8.nq)..G..`..@.T.rgB..B.9>7.@.\\\\&#'EUT...;Xt?...P.%W'.,@(\\r.+Y...4.y~.{d.&xn\\\"...../].....k.m.ZK`..M.lr.....VK.\\\"z&.R+.V.<-..U.\\\"...IU.h%/9....y....T)].f..._.I.X0K.k...|-t...\\\\.d#7.A..J..I.L.H7:.r..%].Ti......(....V-i....2...:...`J...\\\"S\\\"..?I.......w..E....Q.......B.l$.T.E....-......k.u........BQ.#.Tn@.C..x.7.K/...M...},..-L.......~..E.@..o.7.. 
.!.t....._q.....\\\\........H...Y...MA...`U.8..O..z.J.l#91..\\\".+...Vi..v..k......%.k...0i..u.T.O#A.[j.M...*G*W..s.......V..+.%.......t:..&<....Uz..2.....{....\\\\.{a.H.-.D.QC..]|>3..t5.........9.._n.U..1Ly.....(v.Fm...agn..zs.s=0..........;..U..\\n.........bs...[={.A....oG...7.../.}...yz.>......7......B;.....m\\r.../....F!../O./.n...~~..u$.~....hz..e..n.@(.=.Ui.../.\\\\_-F{..........W....~...g}......W........uWvm..ve1~n...vo_<.....=.......}e.v..gOl.^D{vJ..k_........>......y|.........k.=..W.?}.s.../^......=.4.#=.~..l?.}.}k._.....K>...k....._...:...N........`}C......w.................:.wW...Z.....~.....}.._..%?.W8.....$.R..y...............sCq.....y.....)^e....gS^..{>{..~k.n..f.5]o.....X..k._G....U.....|...\\.a.m.f......._.!...c.8.Z..n.0........i..`.:..c[.a..;......_.........gv}.L.1V.G.......o.2,}..C~..w.(,...[..at+..8.~..'.mh1a..y......hVc0.n.iB.en.Z..O.]...l.b..2.b..{|i|._+...o].3}..Wd....3\"...!:.............C./.Z.....\rP$S,.t.s.k..!..r..UI..g...ji^V...,.k..0i...}.!.=.......2.%.@..=u........{'Y@.k.8!.*`... ..c..z.j.u.D.....*......G.ng.U.....@.3U......\n...$/..!.c.....T..S..tr.$...h......$(....&R...i.U#PL.J{...\n!E.-9,w.....$%Xh9.U!...6...S`b...C>.i.cW......H...It\n...B......q.IR....\n..P&....i.d... .07.]U$tD.R...J4............^....tIT....UaD....g..k.b.......\rm.VcK....p:....P.Dj...\nD*0u*..b..(..P...\\S..Q*VT'......m.............7B..D./\"...gX..\".9W....I.=.9......T.%.U....J{b.l.\r..Q.X.t9U.i)......R.i..V.g.5c..^.,.....&=r..p0SX..E...S5hsSJt..J...'}#8.........R.H.D.(i.TW...^.&..>@v..+sX\ra..],>I.!%.`l`..,vDvL.....vDwM....,.I.-[3IP.I..GMi.I.MYa..'Z$U]r...... 
j3CE).NM!.@.!a......T.S.77....k&...P.........8...$..:.A.....+A........a......Mm..*..\\..zZ\"\n...D.I.e.....r..9..JD..8.u`vd{..=.)Y.9...\\A'.}J...'.A?....)...........U....M5.`....J.&..e.D....N{1.s...d....cZE....\nG)..8.nq)..G..`..@.T.rgB..B.9>7.@.\\&#'EUT...;Xt?...P.%W'.,@(\r.+Y...4.y~.{d.&xn\"...../].....k.m.ZK`..M.lr.....VK.\"z&.R+.V.<-..U.\"...IU.h%/9....y....T)].f..._.I.X0K.k...|-t...\\.d#7.A..J..I.L.H7:.r..%].Ti......(....V-i....2...:...`J...\"S\"..?I.......w..E....Q.......B.l$.T.E....-......k.u........BQ.#.Tn@.C..x.7.K/...M...},..-L.......~..E.@..o.7.. .!.t....._q.....\\........H...Y...MA...`U.8..O..z.J.l#91..\".+...Vi..v..k......%.k...0i..u.T.O#A.[j.M...*G*W..s.......V..+.%.......t:..&<....Uz..2.....{....\\.{a.H.-.D.QC..]|>3..t5.........9.._n.U..1Ly.....(v.Fm...agn..zs.s=0..........;..U..\n.........bs...[={.A....oG...7.../.}...yz.>......7......B;.....m\r.../....F!../O./.n...~~..u$.~....hz..e..n.@(.=.Ui.../.\\_-F{..........W....~...g}......W........uWvm..ve1~n...vo_<.....=.......}e.v..gOl.^D{vJ..k_........>......y|.........k.=..W.?}.s.../^......=.4.#=.~..l?.}.}k._.....K>...k....._...:...N........`}C......w.................:.wW...Z.....~.....}.._..%?.W8.....$.R..y...............sCq.....y.....)^e....gS^\\\",\\\"Subject\\\":\\\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d 
\ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b\\\",\\\"AntispamDirection\\\":\\\"Inbound\\\",\\\"DeliveryAction\\\":\\\"DeliveredAsSpam\\\",\\\"ThreatDetectionMethods\\\":[\\\"FingerPrintMatch\\\"],\\\"Language\\\":\\\"en\\\",\\\"DeliveryLocation\\\":\\\"JunkFolder\\\",\\\"OriginalDeliveryLocation\\\":\\\"Inbox\\\",\\\"AdditionalActionsAndResults\\\":[\\\"OriginalDelivery: [N/A]\\\",\\\"Zap: [Success: Message moved]\\\"],\\\"AuthDetails\\\":[{\\\"Name\\\":\\\"SPF\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"DKIM\\\",\\\"Value\\\":\\\"None\\\"},{\\\"Name\\\":\\\"DMARC\\\",\\\"Value\\\":\\\"Best guess pass\\\"},{\\\"Name\\\":\\\"Comp Auth\\\",\\\"Value\\\":\\\"pass\\\"}],\\\"SystemOverrides\\\":[],\\\"Type\\\":\\\"mailMessage\\\",\\\"Urn\\\":\\\"urn:MailEntity:98fed74e812bdb3dd6241259c9afe88d\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:20:40\\\"}],\\\"RelatedAlertIds\\\":[\\\"76572799-59c1-0221-8c00-08dccafd4a30\\\"],\\\"StartTimeUtc\\\":\\\"2024-09-02T03:27:33\\\",\\\"LastUpdateTimeUtc\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"TimestampUtc\\\":\\\"2024-09-02T03:27:33\\\",\\\"BulkName\\\":\\\"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"3\\\",\\\"AadTenantId\\\":\\\"275ae857-f201-4a2e-8f43-d48391c56871\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"PendingType\\\":\\\"User\\\",\\\"LogCreationTime\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"MachineName\\\":\\\"AM7EUR03BG406\\\",\\\"Description\\\":\\\"For malicious emails, you can move to junk, soft or hard delete from user's 
mailbox.\\\"}\",\"{\\\"$id\\\":\\\"1\\\",\\\"ActionId\\\":\\\"urn:EmailZapper:780880f2766afe9e0a18e7c6fa676ee2\\\",\\\"InvestigationId\\\":\\\"urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\\\",\\\"ActionApproval\\\":\\\"None\\\",\\\"ActionType\\\":\\\"EmailRemediation\\\",\\\"ActionStatus\\\":\\\"Pending\\\",\\\"Entities\\\":[{\\\"$id\\\":\\\"2\\\",\\\"NetworkMessageIds\\\":[\\\"41e9cae8-deaa-4d89-6036-08dccaf8db1a\\\",\\\"2019a522-c814-4cd0-b23d-08dccaf8cc37\\\",\\\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\\\",\\\"02c4a467-76c0-4491-737f-08dccaf8d47c\\\",\\\"26c865c1-2187-469c-5c0c-08dccaf8dca1\\\",\\\"c4ccc77c-0004-4c60-5f7d-08dccaf8d5b1\\\",\\\"5f3c47d0-051b-4439-8235-08dccaf8d27a\\\",\\\"1035a7d2-723e-4e0b-9b50-08dccaf8cf41\\\",\\\"1a8a159c-6655-45c4-8eef-08dccaf8d0e7\\\",\\\"1106f7ec-3c1f-45f6-2640-08dccaf90045\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":0,\\\"Phish\\\":6,\\\"Malware\\\":0,\\\"Spam\\\":6,\\\"MaliciousUrl\\\":12},\\\"CountByProtectionStatus\\\":{\\\"DeliveredAsSpam\\\":6,\\\"Delivered\\\":4,\\\"Blocked\\\":2},\\\"CountByDeliveryLocation\\\":{\\\"JunkFolder\\\":6,\\\"External\\\":3,\\\"Failed\\\":2,\\\"Forwarded\\\":1},\\\"Query\\\":\\\"( ((NormalizedUrl:\\\\\\\"https://zpr.io/TUZAu6VrAvQT\\\\\\\") AND (ContentType: 1)) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-09-02T03:24:59.7851632Z\\\",\\\"MailCount\\\":12,\\\"IsVolumeAnamoly\\\":true,\\\"ClusterSourceIdentifier\\\":\\\"https://zpr.io/TUZAu6VrAvQT\\\",\\\"ClusterSourceType\\\":\\\"UrlThreatIndicator\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-08-13T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-09-02T03:24:59.7851632Z\\\",\\\"ClusterGroup\\\":\\\"UrlThreatIdentifier\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"NormalizedUrl;ContentType\\\",\\\"ClusterByValue\\\":\\\"https://zpr.io/TUZAu6VrAvQT;1\\\",\\\"QueryStartTime\\\":\\\"8/13/2024 12:00:00 
AM\\\",\\\"QueryTime\\\":\\\"9/2/2024 3:24:59 AM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:b2738e6d2385fbb888114d4d12dbb665\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:25:01\\\"}],\\\"RelatedAlertIds\\\":[\\\"76572799-59c1-0221-8c00-08dccafd4a30\\\"],\\\"StartTimeUtc\\\":\\\"2024-09-02T03:27:33\\\",\\\"LastUpdateTimeUtc\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"TimestampUtc\\\":\\\"2024-09-02T03:27:33\\\",\\\"BulkName\\\":\\\"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"3\\\",\\\"AadTenantId\\\":\\\"275ae857-f201-4a2e-8f43-d48391c56871\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"PendingType\\\":\\\"User\\\",\\\"LogCreationTime\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"MachineName\\\":\\\"AM7EUR03BG406\\\",\\\"Description\\\":\\\"For malicious emails, you can move to junk, soft or hard delete from user's mailbox.\\\"}\"],\"Data\":\"{\\\"Version\\\":\\\"3.0\\\",\\\"VendorName\\\":\\\"Microsoft\\\",\\\"ProviderName\\\":\\\"OATP\\\",\\\"AlertType\\\":\\\"8e6ba277-ef39-404e-aaf1-294f6d9a2b88\\\",\\\"StartTimeUtc\\\":\\\"2024-09-02T03:14:37.3349438Z\\\",\\\"EndTimeUtc\\\":\\\"2024-09-02T03:14:37.3349438Z\\\",\\\"TimeGenerated\\\":\\\"2024-09-02T03:16:43.91Z\\\",\\\"ProcessingEndTime\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"Status\\\":\\\"InProgress\\\",\\\"DetectionTechnology\\\":\\\"URLList\\\",\\\"Severity\\\":\\\"Informational\\\",\\\"ConfidenceLevel\\\":\\\"Unknown\\\",\\\"ConfidenceScore\\\":1.0,\\\"IsIncident\\\":false,\\\"ProviderAlertId\\\":\\\"76572799-59c1-0221-8c00-08dccafd4a30\\\",\\\"SystemAlertId\\\":null,\\\"CorrelationKey\\\":\\\"8a5bf71a-d9e4-422e-8bdb-33272de66983\\\",\\\"Investigations\\\":[{\\\"$id\\\":\\\"1\\\",\\\"Id\\\":\\\"urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\\\",\\\"InvestigationStatus\\\":\\\"Pending\\\"}],\\\"InvestigationIds\\\":[\\\"urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\\\"]
,\\\"Intent\\\":\\\"Probing\\\",\\\"ResourceIdentifiers\\\":[{\\\"$id\\\":\\\"2\\\",\\\"AadTenantId\\\":\\\"275ae857-f201-4a2e-8f43-d48391c56871\\\",\\\"Type\\\":\\\"AAD\\\"}],\\\"AzureResourceId\\\":null,\\\"WorkspaceId\\\":null,\\\"WorkspaceSubscriptionId\\\":null,\\\"WorkspaceResourceGroup\\\":null,\\\"AgentId\\\":null,\\\"AlertDisplayName\\\":\\\"Email messages containing malicious URL removed after delivery\u200b\\\",\\\"Description\\\":\\\"Emails with malicious URL that were delivered and later removed -V1.0.0.3\\\",\\\"ExtendedLinks\\\":[{\\\"Href\\\":\\\"https://security.microsoft.com/alerts/fa76572799-59c1-0221-8c00-08dccafd4a30\\\",\\\"Category\\\":null,\\\"Label\\\":\\\"alert\\\",\\\"Type\\\":\\\"webLink\\\"}],\\\"Metadata\\\":{\\\"CustomApps\\\":null,\\\"GenericInfo\\\":null},\\\"Entities\\\":[{\\\"$id\\\":\\\"3\\\",\\\"Recipient\\\":\\\"ggravier@ixina.com\\\",\\\"Urls\\\":[\\\"https://zpr.io/TUZAu6VrAvQT\\\",\\\"https://zupimages.net/up/24/35/1itk.png\\\"],\\\"Threats\\\":[\\\"ZapPhish\\\",\\\"NormalPhish\\\"],\\\"Sender\\\":\\\"support.33@wdezd.ersdz.meradebo.com\\\",\\\"P1Sender\\\":\\\"okhmqyjdcdn.bfwmwyytludfovodgfouzyeg@wdezd.ersdz.meradebo.com\\\",\\\"P1SenderDomain\\\":\\\"wdezd.ersdz.meradebo.com\\\",\\\"SenderIP\\\":\\\"40.107.244.101\\\",\\\"P2Sender\\\":\\\"support.33@wdezd.ersdz.meradebo.com\\\",\\\"P2SenderDisplayName\\\":\\\"Tractor Supply\\\",\\\"P2SenderDomain\\\":\\\"wdezd.ersdz.meradebo.com\\\",\\\"ReceivedDate\\\":\\\"2024-09-02T02:43:12\\\",\\\"NetworkMessageId\\\":\\\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\\\",\\\"InternetMessageId\\\":\\\"\\\",\\\"Subject\\\":\\\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d 
\ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b\\\",\\\"AntispamDirection\\\":\\\"Inbound\\\",\\\"DeliveryAction\\\":\\\"DeliveredAsSpam\\\",\\\"ThreatDetectionMethods\\\":[\\\"FingerPrintMatch\\\"],\\\"Language\\\":\\\"en\\\",\\\"DeliveryLocation\\\":\\\"JunkFolder\\\",\\\"OriginalDeliveryLocation\\\":\\\"Inbox\\\",\\\"AdditionalActionsAndResults\\\":[\\\"OriginalDelivery: [N/A]\\\",\\\"Zap: [Success: Message moved]\\\"],\\\"AuthDetails\\\":[{\\\"Name\\\":\\\"SPF\\\",\\\"Value\\\":\\\"Pass\\\"},{\\\"Name\\\":\\\"DKIM\\\",\\\"Value\\\":\\\"None\\\"},{\\\"Name\\\":\\\"DMARC\\\",\\\"Value\\\":\\\"Best guess pass\\\"},{\\\"Name\\\":\\\"Comp Auth\\\",\\\"Value\\\":\\\"pass\\\"}],\\\"SystemOverrides\\\":[],\\\"Type\\\":\\\"mailMessage\\\",\\\"Urn\\\":\\\"urn:MailEntity:98fed74e812bdb3dd6241259c9afe88d\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:20:40\\\"},{\\\"$id\\\":\\\"4\\\",\\\"MailboxPrimaryAddress\\\":\\\"ggravier@ixina.com\\\",\\\"Upn\\\":\\\"ggravier@ixina.com\\\",\\\"AadId\\\":\\\"3339ab32-9c9a-4dab-a67b-d9316a37b2d3\\\",\\\"RiskLevel\\\":\\\"None\\\",\\\"Type\\\":\\\"mailbox\\\",\\\"Urn\\\":\\\"urn:UserEntity:9b5a6776b9acaade0704a7a3ed836036\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:20:40\\\"},{\\\"$id\\\":\\\"5\\\",\\\"Url\\\":\\\"https://zpr.io/TUZAu6VrAvQT\\\",\\\"Type\\\":\\\"url\\\",\\\"ClickCount\\\":0,\\\"EmailCount\\\":12,\\\"Urn\\\":\\\"urn:UrlEntity:0436a04039e1a1bd9af706cbef1a6b7a\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:20:40\\\"},{\\\"$id\\\":\\\"6\\\",\\\"NetworkMessageIds\\\":[\\\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":0,\\\"Phish\\\":1,\\\"Malware\\\":0,\\\"Spam\\\":1},\\\"CountByProtectionStatus\\\":{\\\"DeliveredAsSpam\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"JunkFolder\\\":1},\\\"Query\\\":\\\"( (( 
(Subject:\\\\\\\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d \ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b\\\\\\\") ) AND ( (SenderIp:\\\\\\\"40.107.244.101\\\\\\\") ) AND ( (AntispamDirection:\\\\\\\"1\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-09-02T03:24:59.8007877Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterSourceIdentifier\\\":\\\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\\\",\\\"ClusterSourceType\\\":\\\"Similarity\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-08-13T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-09-02T03:24:59.8007877Z\\\",\\\"ClusterGroup\\\":\\\"Subject,SenderIp,AntispamDirection\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"Subject;SenderIp;AntispamDirection;ContentType\\\",\\\"ClusterByValue\\\":\\\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d \ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b;40.107.244.101;1;1\\\",\\\"QueryStartTime\\\":\\\"8/13/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"9/2/2024 3:24:59 
AM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:88f2ce520265ef415e7f63e840feec95\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:25:01\\\"},{\\\"$id\\\":\\\"7\\\",\\\"NetworkMessageIds\\\":[\\\"41e9cae8-deaa-4d89-6036-08dccaf8db1a\\\",\\\"2019a522-c814-4cd0-b23d-08dccaf8cc37\\\",\\\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\\\",\\\"02c4a467-76c0-4491-737f-08dccaf8d47c\\\",\\\"26c865c1-2187-469c-5c0c-08dccaf8dca1\\\",\\\"c4ccc77c-0004-4c60-5f7d-08dccaf8d5b1\\\",\\\"5f3c47d0-051b-4439-8235-08dccaf8d27a\\\",\\\"1035a7d2-723e-4e0b-9b50-08dccaf8cf41\\\",\\\"1a8a159c-6655-45c4-8eef-08dccaf8d0e7\\\",\\\"1106f7ec-3c1f-45f6-2640-08dccaf90045\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":0,\\\"Phish\\\":6,\\\"Malware\\\":0,\\\"Spam\\\":6,\\\"MaliciousUrl\\\":12},\\\"CountByProtectionStatus\\\":{\\\"DeliveredAsSpam\\\":6,\\\"Delivered\\\":4,\\\"Blocked\\\":2},\\\"CountByDeliveryLocation\\\":{\\\"JunkFolder\\\":6,\\\"External\\\":3,\\\"Failed\\\":2,\\\"Forwarded\\\":1},\\\"Query\\\":\\\"( ((NormalizedUrl:\\\\\\\"https://zpr.io/TUZAu6VrAvQT\\\\\\\") AND (ContentType: 1)) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-09-02T03:24:59.7851632Z\\\",\\\"MailCount\\\":12,\\\"IsVolumeAnamoly\\\":true,\\\"ClusterSourceIdentifier\\\":\\\"https://zpr.io/TUZAu6VrAvQT\\\",\\\"ClusterSourceType\\\":\\\"UrlThreatIndicator\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-08-13T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-09-02T03:24:59.7851632Z\\\",\\\"ClusterGroup\\\":\\\"UrlThreatIdentifier\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"NormalizedUrl;ContentType\\\",\\\"ClusterByValue\\\":\\\"https://zpr.io/TUZAu6VrAvQT;1\\\",\\\"QueryStartTime\\\":\\\"8/13/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"9/2/2024 3:24:59 
AM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:b2738e6d2385fbb888114d4d12dbb665\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:25:01\\\"},{\\\"$id\\\":\\\"8\\\",\\\"NetworkMessageIds\\\":[\\\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\\\"],\\\"CountByThreatType\\\":{\\\"HighConfPhish\\\":0,\\\"Phish\\\":1,\\\"Malware\\\":0,\\\"Spam\\\":1},\\\"CountByProtectionStatus\\\":{\\\"DeliveredAsSpam\\\":1},\\\"CountByDeliveryLocation\\\":{\\\"JunkFolder\\\":1},\\\"Query\\\":\\\"( (( (Subject:\\\\\\\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d \ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b\\\\\\\") ) AND ( (P2SenderDomain:\\\\\\\"wdezd.ersdz.meradebo.com\\\\\\\") ) AND ( (AntispamDirection:\\\\\\\"1\\\\\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\\\",\\\"QueryTime\\\":\\\"2024-09-02T03:24:59.8007877Z\\\",\\\"MailCount\\\":1,\\\"IsVolumeAnamoly\\\":false,\\\"ClusterSourceIdentifier\\\":\\\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\\\",\\\"ClusterSourceType\\\":\\\"Similarity\\\",\\\"ClusterQueryStartTime\\\":\\\"2024-08-13T00:00:00Z\\\",\\\"ClusterQueryEndTime\\\":\\\"2024-09-02T03:24:59.8007877Z\\\",\\\"ClusterGroup\\\":\\\"Subject,P2SenderDomain,AntispamDirection\\\",\\\"Type\\\":\\\"mailCluster\\\",\\\"ClusterBy\\\":\\\"Subject;P2SenderDomain;AntispamDirection;ContentType\\\",\\\"ClusterByValue\\\":\\\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c 
\ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d \ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b;wdezd.ersdz.meradebo.com;1;1\\\",\\\"QueryStartTime\\\":\\\"8/13/2024 12:00:00 AM\\\",\\\"QueryTime\\\":\\\"9/2/2024 3:24:59 AM\\\",\\\"Urn\\\":\\\"urn:MailClusterEntity:7350e5b982beaa3846d327a005dd57d6\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"2024-09-02T03:25:01\\\"}],\\\"LogCreationTime\\\":\\\"2024-09-02T03:33:31.8137435Z\\\",\\\"MachineName\\\":\\\"AM7EUR03BG406\\\",\\\"SourceTemplateType\\\":\\\"Threat_Single\\\",\\\"Category\\\":\\\"ThreatManagement\\\",\\\"SourceAlertType\\\":\\\"System\\\"}\",\"DeepLinkUrl\":\"https://security.microsoft.com/mtp-investigation/urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\",\"EndTimeUtc\":\"2024-09-02T03:33:31\",\"InvestigationId\":\"urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\",\"InvestigationName\":\"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\",\"InvestigationType\":\"ZappedUrlInvestigation\",\"LastUpdateTimeUtc\":\"2024-09-02T03:28:24\",\"RunningTime\":771,\"StartTimeUtc\":\"2024-09-02T03:20:40\",\"Status\":\"Pending Action\"}", + "event": { + "action": "AirInvestigationData", + "code": "64", + "end": "2024-09-02T03:33:31Z", + "kind": "event", + "outcome": "success", + "start": "2024-09-02T03:20:40Z" + }, + "@timestamp": "2024-09-02T03:33:37Z", + "action": { + "id": 64, + "name": "AirInvestigationData", + "outcome": "success", + "target": "user" + }, + "email": { + "attachments": [], + "from": { + "address": [ + "support.33@wdezd.ersdz.meradebo.com" + ] + }, + "to": { + "address": [ + "ggravier@ixina.com" + ] + } + }, + "host": { + "name": "AM7EUR03BG406" + }, + "log": { + "level": "Informational" + }, + "office365": { + "audit": { + "object_id": "8217bd67-1368-4213-b6be-498cdbff1542" + }, + "investigation": { + 
"alert": { + "category": "ThreatManagement", + "correlation_key": "8a5bf71a-d9e4-422e-8bdb-33272de66983", + "is_incident": false, + "provider": { + "name": "OATP", + "status": "InProgress" + }, + "severity": "Informational", + "source_type": "System", + "type": "8e6ba277-ef39-404e-aaf1-294f6d9a2b88" + }, + "delivery": { + "action": [ + "DeliveredAsSpam" + ] + }, + "email": { + "sender": { + "domains": [ + "wdezd.ersdz.meradebo.com" + ], + "ip": [ + "40.107.244.101" + ] + }, + "subjects": [ + "\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d \ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b" + ], + "urls": [ + "https://zpr.io/TUZAu6VrAvQT", + "https://zupimages.net/up/24/35/1itk.png" + ] + }, + "id": "urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8", + "name": "Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8", + "status": "Pending Action", + "threats": [ + "['ZapPhish', 'NormalPhish']" + ], + "type": "ZappedUrlInvestigation" + }, + "record_type": 64, + "user_type": { + "code": 4, + "name": "System" + } + }, + "organization": { + "id": "275ae857-f201-4a2e-8f43-d48391c56871" + }, + "related": { + "user": [ + "AirInvestigation" + ] + }, + "rule": { + "name": "Email messages containing malicious URL removed after delivery\u200b" + }, + "service": { + "name": "AirInvestigation" + }, + "user": { + "id": "AirInvestigation", + "name": "AirInvestigation" + } + } + + ``` + + === "automated_investigation_and_response_with_attachment.json" ```json 
@@ -552,6 +671,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "source_type": "System", "type": "4b1820ec-39dc-45f3-abf6-5ee80df51fd2" }, + "delivery": { + "action": [ + "Blocked" + ] + }, "email": { "sender": { "domains": [ @@ -3902,6 +4026,7 @@ The following table lists the fields that are extracted, normalized under the EC |`office365.investigation.alert.severity` | `keyword` | Investigation alert severity | |`office365.investigation.alert.source_type` | `keyword` | Investigation alert source type | |`office365.investigation.alert.type` | `keyword` | Investigation alert type | +|`office365.investigation.delivery.action` | `keyword` | Investigation delivery action | |`office365.investigation.email.sender.domains` | `keyword` | The domain of the sender. Might be an array | |`office365.investigation.email.sender.ip` | `array` | Email sender IP`s | |`office365.investigation.email.subjects` | `array` | A list of email subjects | diff --git a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99_sample.md b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99_sample.md index 5b261dcb81..619e0ad07e 100644 --- a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99_sample.md +++ b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99_sample.md 
@@ -331,6 +331,41 @@ In this section, you will find examples of raw logs as generated natively by the +=== "automated_investigation_and_response_with_additional_fields_1" + + + ```json + { + "CreationTime": "2024-09-02T03:33:37", + "Id": "8217bd67-1368-4213-b6be-498cdbff1542", + "Operation": "AirInvestigationData", + "OrganizationId": "275ae857-f201-4a2e-8f43-d48391c56871", + "RecordType": 64, + "UserKey": "AirInvestigation", + "UserType": 4, + "Version": 1, + "Workload": "AirInvestigation", + "ObjectId": "8217bd67-1368-4213-b6be-498cdbff1542", + "UserId": "AirInvestigation", + "Actions": [ + "{\"$id\":\"1\",\"ActionId\":\"urn:EmailZapper:48971b6852ea31ff93989b88b832bca5\",\"InvestigationId\":\"urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\",\"ActionApproval\":\"None\",\"ActionType\":\"EmailRemediation\",\"ActionStatus\":\"Pending\",\"Entities\":[{\"$id\":\"2\",\"Recipient\":\"ggravier@ixina.com\",\"Urls\":[\"https://zpr.io/TUZAu6VrAvQT\",\"https://zupimages.net/up/24/35/1itk.png\"],\"Threats\":[\"ZapPhish\",\"NormalPhish\"],\"Sender\":\"support.33@wdezd.ersdz.meradebo.com\",\"P1Sender\":\"okhmqyjdcdn.bfwmwyytludfovodgfouzyeg@wdezd.ersdz.meradebo.com\",\"P1SenderDomain\":\"wdezd.ersdz.meradebo.com\",\"SenderIP\":\"40.107.244.101\",\"P2Sender\":\"support.33@wdezd.ersdz.meradebo.com\",\"P2SenderDisplayName\":\"Tractor Supply\",\"P2SenderDomain\":\"wdezd.ersdz.meradebo.com\",\"ReceivedDate\":\"2024-09-02T02:43:12\",\"NetworkMessageId\":\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\",\"InternetMessageId\":\"\",\"Subject\":\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d 
\ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b\",\"AntispamDirection\":\"Inbound\",\"DeliveryAction\":\"DeliveredAsSpam\",\"ThreatDetectionMethods\":[\"FingerPrintMatch\"],\"Language\":\"en\",\"DeliveryLocation\":\"JunkFolder\",\"OriginalDeliveryLocation\":\"Inbox\",\"AdditionalActionsAndResults\":[\"OriginalDelivery: [N/A]\",\"Zap: [Success: Message moved]\"],\"AuthDetails\":[{\"Name\":\"SPF\",\"Value\":\"Pass\"},{\"Name\":\"DKIM\",\"Value\":\"None\"},{\"Name\":\"DMARC\",\"Value\":\"Best guess pass\"},{\"Name\":\"Comp Auth\",\"Value\":\"pass\"}],\"SystemOverrides\":[],\"Type\":\"mailMessage\",\"Urn\":\"urn:MailEntity:98fed74e812bdb3dd6241259c9afe88d\",\"Source\":\"OATP\",\"FirstSeen\":\"2024-09-02T03:20:40\"}],\"RelatedAlertIds\":[\"76572799-59c1-0221-8c00-08dccafd4a30\"],\"StartTimeUtc\":\"2024-09-02T03:27:33\",\"LastUpdateTimeUtc\":\"2024-09-02T03:33:31.8137435Z\",\"TimestampUtc\":\"2024-09-02T03:27:33\",\"BulkName\":\"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\",\"ResourceIdentifiers\":[{\"$id\":\"3\",\"AadTenantId\":\"275ae857-f201-4a2e-8f43-d48391c56871\",\"Type\":\"AAD\"}],\"PendingType\":\"User\",\"LogCreationTime\":\"2024-09-02T03:33:31.8137435Z\",\"MachineName\":\"AM7EUR03BG406\",\"Description\":\"For malicious emails, you can move to junk, soft or hard delete from user's mailbox.\"}", + 
"{\"$id\":\"1\",\"ActionId\":\"urn:EmailZapper:780880f2766afe9e0a18e7c6fa676ee2\",\"InvestigationId\":\"urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\",\"ActionApproval\":\"None\",\"ActionType\":\"EmailRemediation\",\"ActionStatus\":\"Pending\",\"Entities\":[{\"$id\":\"2\",\"NetworkMessageIds\":[\"41e9cae8-deaa-4d89-6036-08dccaf8db1a\",\"2019a522-c814-4cd0-b23d-08dccaf8cc37\",\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\",\"02c4a467-76c0-4491-737f-08dccaf8d47c\",\"26c865c1-2187-469c-5c0c-08dccaf8dca1\",\"c4ccc77c-0004-4c60-5f7d-08dccaf8d5b1\",\"5f3c47d0-051b-4439-8235-08dccaf8d27a\",\"1035a7d2-723e-4e0b-9b50-08dccaf8cf41\",\"1a8a159c-6655-45c4-8eef-08dccaf8d0e7\",\"1106f7ec-3c1f-45f6-2640-08dccaf90045\"],\"CountByThreatType\":{\"HighConfPhish\":0,\"Phish\":6,\"Malware\":0,\"Spam\":6,\"MaliciousUrl\":12},\"CountByProtectionStatus\":{\"DeliveredAsSpam\":6,\"Delivered\":4,\"Blocked\":2},\"CountByDeliveryLocation\":{\"JunkFolder\":6,\"External\":3,\"Failed\":2,\"Forwarded\":1},\"Query\":\"( ((NormalizedUrl:\\\"https://zpr.io/TUZAu6VrAvQT\\\") AND (ContentType: 1)) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\",\"QueryTime\":\"2024-09-02T03:24:59.7851632Z\",\"MailCount\":12,\"IsVolumeAnamoly\":true,\"ClusterSourceIdentifier\":\"https://zpr.io/TUZAu6VrAvQT\",\"ClusterSourceType\":\"UrlThreatIndicator\",\"ClusterQueryStartTime\":\"2024-08-13T00:00:00Z\",\"ClusterQueryEndTime\":\"2024-09-02T03:24:59.7851632Z\",\"ClusterGroup\":\"UrlThreatIdentifier\",\"Type\":\"mailCluster\",\"ClusterBy\":\"NormalizedUrl;ContentType\",\"ClusterByValue\":\"https://zpr.io/TUZAu6VrAvQT;1\",\"QueryStartTime\":\"8/13/2024 12:00:00 AM\",\"QueryTime\":\"9/2/2024 3:24:59 
AM\",\"Urn\":\"urn:MailClusterEntity:b2738e6d2385fbb888114d4d12dbb665\",\"Source\":\"OATP\",\"FirstSeen\":\"2024-09-02T03:25:01\"}],\"RelatedAlertIds\":[\"76572799-59c1-0221-8c00-08dccafd4a30\"],\"StartTimeUtc\":\"2024-09-02T03:27:33\",\"LastUpdateTimeUtc\":\"2024-09-02T03:33:31.8137435Z\",\"TimestampUtc\":\"2024-09-02T03:27:33\",\"BulkName\":\"Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\",\"ResourceIdentifiers\":[{\"$id\":\"3\",\"AadTenantId\":\"275ae857-f201-4a2e-8f43-d48391c56871\",\"Type\":\"AAD\"}],\"PendingType\":\"User\",\"LogCreationTime\":\"2024-09-02T03:33:31.8137435Z\",\"MachineName\":\"AM7EUR03BG406\",\"Description\":\"For malicious emails, you can move to junk, soft or hard delete from user's mailbox.\"}" + ], + "Data": "{\"Version\":\"3.0\",\"VendorName\":\"Microsoft\",\"ProviderName\":\"OATP\",\"AlertType\":\"8e6ba277-ef39-404e-aaf1-294f6d9a2b88\",\"StartTimeUtc\":\"2024-09-02T03:14:37.3349438Z\",\"EndTimeUtc\":\"2024-09-02T03:14:37.3349438Z\",\"TimeGenerated\":\"2024-09-02T03:16:43.91Z\",\"ProcessingEndTime\":\"2024-09-02T03:33:31.8137435Z\",\"Status\":\"InProgress\",\"DetectionTechnology\":\"URLList\",\"Severity\":\"Informational\",\"ConfidenceLevel\":\"Unknown\",\"ConfidenceScore\":1.0,\"IsIncident\":false,\"ProviderAlertId\":\"76572799-59c1-0221-8c00-08dccafd4a30\",\"SystemAlertId\":null,\"CorrelationKey\":\"8a5bf71a-d9e4-422e-8bdb-33272de66983\",\"Investigations\":[{\"$id\":\"1\",\"Id\":\"urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\",\"InvestigationStatus\":\"Pending\"}],\"InvestigationIds\":[\"urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8\"],\"Intent\":\"Probing\",\"ResourceIdentifiers\":[{\"$id\":\"2\",\"AadTenantId\":\"275ae857-f201-4a2e-8f43-d48391c56871\",\"Type\":\"AAD\"}],\"AzureResourceId\":null,\"WorkspaceId\":null,\"WorkspaceSubscriptionId\":null,\"WorkspaceResourceGroup\":null,\"AgentId\":null,\"AlertDisplayName\":\"Email messages containing malicious 
URL removed after delivery\u200b\",\"Description\":\"Emails with malicious URL that were delivered and later removed -V1.0.0.3\",\"ExtendedLinks\":[{\"Href\":\"https://security.microsoft.com/alerts/fa76572799-59c1-0221-8c00-08dccafd4a30\",\"Category\":null,\"Label\":\"alert\",\"Type\":\"webLink\"}],\"Metadata\":{\"CustomApps\":null,\"GenericInfo\":null},\"Entities\":[{\"$id\":\"3\",\"Recipient\":\"ggravier@ixina.com\",\"Urls\":[\"https://zpr.io/TUZAu6VrAvQT\",\"https://zupimages.net/up/24/35/1itk.png\"],\"Threats\":[\"ZapPhish\",\"NormalPhish\"],\"Sender\":\"support.33@wdezd.ersdz.meradebo.com\",\"P1Sender\":\"okhmqyjdcdn.bfwmwyytludfovodgfouzyeg@wdezd.ersdz.meradebo.com\",\"P1SenderDomain\":\"wdezd.ersdz.meradebo.com\",\"SenderIP\":\"40.107.244.101\",\"P2Sender\":\"support.33@wdezd.ersdz.meradebo.com\",\"P2SenderDisplayName\":\"Tractor Supply\",\"P2SenderDomain\":\"wdezd.ersdz.meradebo.com\",\"ReceivedDate\":\"2024-09-02T02:43:12\",\"NetworkMessageId\":\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\",\"InternetMessageId\":\"\",\"Subject\":\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d \ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b\",\"AntispamDirection\":\"Inbound\",\"DeliveryAction\":\"DeliveredAsSpam\",\"ThreatDetectionMethods\":[\"FingerPrintMatch\"],\"Language\":\"en\",\"DeliveryLocation\":\"JunkFolder\",\"OriginalDeliveryLocation\":\"Inbox\",\"AdditionalActionsAndResults\":[\"OriginalDelivery: [N/A]\",\"Zap: [Success: Message moved]\"],\"AuthDetails\":[{\"Name\":\"SPF\",\"Value\":\"Pass\"},{\"Name\":\"DKIM\",\"Value\":\"None\"},{\"Name\":\"DMARC\",\"Value\":\"Best guess pass\"},{\"Name\":\"Comp 
Auth\",\"Value\":\"pass\"}],\"SystemOverrides\":[],\"Type\":\"mailMessage\",\"Urn\":\"urn:MailEntity:98fed74e812bdb3dd6241259c9afe88d\",\"Source\":\"OATP\",\"FirstSeen\":\"2024-09-02T03:20:40\"},{\"$id\":\"4\",\"MailboxPrimaryAddress\":\"ggravier@ixina.com\",\"Upn\":\"ggravier@ixina.com\",\"AadId\":\"3339ab32-9c9a-4dab-a67b-d9316a37b2d3\",\"RiskLevel\":\"None\",\"Type\":\"mailbox\",\"Urn\":\"urn:UserEntity:9b5a6776b9acaade0704a7a3ed836036\",\"Source\":\"OATP\",\"FirstSeen\":\"2024-09-02T03:20:40\"},{\"$id\":\"5\",\"Url\":\"https://zpr.io/TUZAu6VrAvQT\",\"Type\":\"url\",\"ClickCount\":0,\"EmailCount\":12,\"Urn\":\"urn:UrlEntity:0436a04039e1a1bd9af706cbef1a6b7a\",\"Source\":\"OATP\",\"FirstSeen\":\"2024-09-02T03:20:40\"},{\"$id\":\"6\",\"NetworkMessageIds\":[\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\"],\"CountByThreatType\":{\"HighConfPhish\":0,\"Phish\":1,\"Malware\":0,\"Spam\":1},\"CountByProtectionStatus\":{\"DeliveredAsSpam\":1},\"CountByDeliveryLocation\":{\"JunkFolder\":1},\"Query\":\"( (( (Subject:\\\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d \ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b\\\") ) AND ( (SenderIp:\\\"40.107.244.101\\\") ) AND ( (AntispamDirection:\\\"1\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND 
NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\",\"QueryTime\":\"2024-09-02T03:24:59.8007877Z\",\"MailCount\":1,\"IsVolumeAnamoly\":false,\"ClusterSourceIdentifier\":\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\",\"ClusterSourceType\":\"Similarity\",\"ClusterQueryStartTime\":\"2024-08-13T00:00:00Z\",\"ClusterQueryEndTime\":\"2024-09-02T03:24:59.8007877Z\",\"ClusterGroup\":\"Subject,SenderIp,AntispamDirection\",\"Type\":\"mailCluster\",\"ClusterBy\":\"Subject;SenderIp;AntispamDirection;ContentType\",\"ClusterByValue\":\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d \ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b;40.107.244.101;1;1\",\"QueryStartTime\":\"8/13/2024 12:00:00 AM\",\"QueryTime\":\"9/2/2024 3:24:59 AM\",\"Urn\":\"urn:MailClusterEntity:88f2ce520265ef415e7f63e840feec95\",\"Source\":\"OATP\",\"FirstSeen\":\"2024-09-02T03:25:01\"},{\"$id\":\"7\",\"NetworkMessageIds\":[\"41e9cae8-deaa-4d89-6036-08dccaf8db1a\",\"2019a522-c814-4cd0-b23d-08dccaf8cc37\",\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\",\"02c4a467-76c0-4491-737f-08dccaf8d47c\",\"26c865c1-2187-469c-5c0c-08dccaf8dca1\",\"c4ccc77c-0004-4c60-5f7d-08dccaf8d5b1\",\"5f3c47d0-051b-4439-8235-08dccaf8d27a\",\"1035a7d2-723e-4e0b-9b50-08dccaf8cf41\",\"1a8a159c-6655-45c4-8eef-08dccaf8d0e7\",\"1106f7ec-3c1f-45f6-2640-08dccaf90045\"],\"CountByThreatType\":{\"HighConfPhish\":0,\"Phish\":6,\"Malware\":0,\"Spam\":6,\"MaliciousUrl\":12},\"CountByProtectionStatus\":{\"DeliveredAsSpam\":6,\"Delivered\":4,\"Blocked\":2},\"CountByDeliveryLocation\":{\"JunkFolder\":6,\"External\":3,\"Failed\":2,\"Forwarded\":1},\"Query\":\"( ((NormalizedUrl:\\\"https://zpr.io/TUZAu6VrAvQT\\\") AND (ContentType: 1)) AND 
NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\",\"QueryTime\":\"2024-09-02T03:24:59.7851632Z\",\"MailCount\":12,\"IsVolumeAnamoly\":true,\"ClusterSourceIdentifier\":\"https://zpr.io/TUZAu6VrAvQT\",\"ClusterSourceType\":\"UrlThreatIndicator\",\"ClusterQueryStartTime\":\"2024-08-13T00:00:00Z\",\"ClusterQueryEndTime\":\"2024-09-02T03:24:59.7851632Z\",\"ClusterGroup\":\"UrlThreatIdentifier\",\"Type\":\"mailCluster\",\"ClusterBy\":\"NormalizedUrl;ContentType\",\"ClusterByValue\":\"https://zpr.io/TUZAu6VrAvQT;1\",\"QueryStartTime\":\"8/13/2024 12:00:00 AM\",\"QueryTime\":\"9/2/2024 3:24:59 AM\",\"Urn\":\"urn:MailClusterEntity:b2738e6d2385fbb888114d4d12dbb665\",\"Source\":\"OATP\",\"FirstSeen\":\"2024-09-02T03:25:01\"},{\"$id\":\"8\",\"NetworkMessageIds\":[\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\"],\"CountByThreatType\":{\"HighConfPhish\":0,\"Phish\":1,\"Malware\":0,\"Spam\":1},\"CountByProtectionStatus\":{\"DeliveredAsSpam\":1},\"CountByDeliveryLocation\":{\"JunkFolder\":1},\"Query\":\"( (( (Subject:\\\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d \ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b\\\") ) AND ( (P2SenderDomain:\\\"wdezd.ersdz.meradebo.com\\\") ) AND ( (AntispamDirection:\\\"1\\\") ) AND ( (ContentType: 1) )) AND NOT(XmiInfoTenantPolicyFinalVerdictSource:PhishEdu) AND 
NOT(XmiInfoTenantPolicyFinalVerdictSource:SecOps))\",\"QueryTime\":\"2024-09-02T03:24:59.8007877Z\",\"MailCount\":1,\"IsVolumeAnamoly\":false,\"ClusterSourceIdentifier\":\"ee73bbc9-c170-438a-82eb-08dccaf8fa4f\",\"ClusterSourceType\":\"Similarity\",\"ClusterQueryStartTime\":\"2024-08-13T00:00:00Z\",\"ClusterQueryEndTime\":\"2024-09-02T03:24:59.8007877Z\",\"ClusterGroup\":\"Subject,P2SenderDomain,AntispamDirection\",\"Type\":\"mailCluster\",\"ClusterBy\":\"Subject;P2SenderDomain;AntispamDirection;ContentType\",\"ClusterByValue\":\"\ud835\ude7c\ud835\ude92\ud835\ude95\ud835\udea0\ud835\ude8a\ud835\ude9e\ud835\ude94\ud835\ude8e\ud835\ude8e \ud835\ude72\ud835\ude98\ud835\ude9b\ud835\ude8d\ud835\ude95\ud835\ude8e\ud835\ude9c\ud835\ude9c \ud835\ude7f\ud835\ude98\ud835\udea0\ud835\ude8e\ud835\ude9b \ud835\ude83\ud835\ude98\ud835\ude98\ud835\ude95 \ud835\ude82\ud835\ude8e\ud835\ude9d \ud835\ude86\ud835\ude92\ud835\ude97\ud835\ude97\ud835\ude8e\ud835\ude9b;wdezd.ersdz.meradebo.com;1;1\",\"QueryStartTime\":\"8/13/2024 12:00:00 AM\",\"QueryTime\":\"9/2/2024 3:24:59 AM\",\"Urn\":\"urn:MailClusterEntity:7350e5b982beaa3846d327a005dd57d6\",\"Source\":\"OATP\",\"FirstSeen\":\"2024-09-02T03:25:01\"}],\"LogCreationTime\":\"2024-09-02T03:33:31.8137435Z\",\"MachineName\":\"AM7EUR03BG406\",\"SourceTemplateType\":\"Threat_Single\",\"Category\":\"ThreatManagement\",\"SourceAlertType\":\"System\"}", + "DeepLinkUrl": "https://security.microsoft.com/mtp-investigation/urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8", + "EndTimeUtc": "2024-09-02T03:33:31", + "InvestigationId": "urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8", + "InvestigationName": "Mail with malicious urls is zapped - urn:ZappedUrlInvestigation:c85d59e9ff9d6393504a822ac49176c8", + "InvestigationType": "ZappedUrlInvestigation", + "LastUpdateTimeUtc": "2024-09-02T03:28:24", + "RunningTime": 771, + "StartTimeUtc": "2024-09-02T03:20:40", + "Status": "Pending Action" + } + ``` + + + === 
"automated_investigation_and_response_with_attachment" diff --git a/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md b/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md index e6b479b737..f1ec00ae5e 100644 --- a/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md +++ b/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md 
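Review bot: This raw sample publishes what appears to be a real tenant's data instead of the placeholders used by the other samples in this diff: a recipient mailbox and UPN (`ggravier@ixina.com`), an `AadId`, an `AadTenantId`/`OrganizationId`, a sender IP and domain, and two URLs (`https://zpr.io/...`, `https://zupimages.net/...`) that the alert itself classifies as malicious. Documentation pages should scrub the person and tenant identifiers (e.g. `john.doe@example.com`, an all-zero GUID) and defang the URLs (`hxxps://zpr[.]io/...`) so a reader copying the sample cannot click through to a phishing page, consistent with the `1.2.3.4`/`john.doe@mail.com` convention used for the Zscaler and OpenVPN samples below. The same identifiers and URLs are repeated in the parsed-output counterpart earlier in this diff and would need the same treatment.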
@@ -487,6 +487,103 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_event_web3.json" + + ```json + + { + "message": "{ \"sourcetype\" : \"zscalernss-web\", \"event\" : {\"datetime\":\"2024-08-26 13:27:54\",\"reason\":\"Allowed\",\"event_id\":\"1111111111111111\",\"protocol\":\"HTTPS\",\"action\":\"Allowed\",\"transactionsize\":\"1706\",\"responsesize\":\"758\",\"requestsize\":\"948\",\"urlcategory\":\"Online Chat\",\"serverip\":\"1.2.3.4\",\"requestmethod\":\"GET\",\"refererURL\":\"exemple.url.com/\",\"useragent\":\"Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML%2c%20like%20Gecko)%20Chrome/128.0.0.0%20Safari/537.36\",\"product\":\"NSS\",\"location\":\"FR-Re\",\"ClientIP\":\"5.6.7.8\",\"status\":\"200\",\"user\":\"john.doe@mail.com\",\"url\":\"api.chat.org/bot/sendmessage\",\"vendor\":\"Zscaler\",\"hostname\":\"api.chat.org\",\"clientpublicIP\":\"5.6.7.8\",\"threatcategory\":\"None\",\"threatname\":\"None\",\"filetype\":\"None\",\"appname\":\"Random Chat\",\"pagerisk\":\"10\",\"department\":\"FR\",\"urlsupercategory\":\"Internet Communication\",\"appclass\":\"Sales and Marketing\",\"dlpengine\":\"None\",\"urlclass\":\"Business Use\",\"threatclass\":\"None\",\"dlpdictionaries\":\"None\",\"fileclass\":\"None\",\"bwthrottle\":\"NO\",\"contenttype\":\"application/json\",\"unscannabletype\":\"None\",\"deviceowner\":\"NA\",\"devicehostname\":\"NA\",\"keyprotectiontype\":\"Software Protection\"}}", + "event": { + "action": "allowed", + "category": [ + "network" + ], + "dataset": "web", + "type": [ + "info" + ] + }, + "@timestamp": "2024-08-26T13:27:54Z", + "destination": { + "address": "api.chat.org", + "domain": "api.chat.org", + "ip": "1.2.3.4", + "registered_domain": "chat.org", + "subdomain": "api", + "top_level_domain": "org" + }, + "host": { + "name": "NA" + }, + "http": { + "request": { + "bytes": 948, + "method": "GET", + "referrer": "exemple.url.com/" + }, + "response": { + 
"bytes": 758, + "mime_type": "application/json" + } + }, + "network": { + "protocol": "HTTPS" + }, + "related": { + "hosts": [ + "api.chat.org" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "NA" + ] + }, + "server": { + "ip": "1.2.3.4" + }, + "source": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "url": { + "domain": "api.chat.org", + "original": "api.chat.org/bot/sendmessage", + "path": "bot/sendmessage" + }, + "user": { + "email": "john.doe@mail.com", + "name": "NA" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML%2c%20like%20Gecko)%20Chrome/128.0.0.0%20Safari/537.36", + "os": { + "name": "Windows" + }, + "version": "128.0.0" + }, + "zscaler": { + "zia": { + "appname": "Random Chat", + "department": "FR", + "event_id": "1111111111111111", + "keyprotectiontype": "Software Protection", + "product": "NSS", + "source_type": "zscalernss-web", + "vendor": "Zscaler" + } + } + } + + ``` + + === "test_saas_security_event.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941_sample.md b/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941_sample.md index ce056e2423..26eba91a28 100644 --- a/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941_sample.md +++ b/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941_sample.md 
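Review bot: The parser copies Zscaler's `"NA"` placeholders straight into ECS: `host.name` becomes `"NA"`, `user.name` becomes `"NA"`, and `"NA"` is pushed into `related.user`, while the real identity sits only in `user.email` (`john.doe@mail.com`). Any pivot or correlation keyed on `related.user`/`user.name` will collapse every event with an unknown device owner into one fake user, so `NA` (and the `None` sentinels in `threatname`/`threatcategory`) should be dropped the same way `-` is treated elsewhere; for this sample I would expect `"user": { "email": "john.doe@mail.com" }`, no `host.name`, and `related.user` omitted. `user_agent.original` is also stored still percent-encoded (`Mozilla/5.0%20(Windows...`) even though `Chrome`/`Windows` were already derived from it, which makes the field unsearchable by substring. The JSON sample's enclosing tab block is fully inside the hunk, so the fix is confined to the parser output shown here.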
@@ -266,6 +266,60 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_event_web3" + + + ```json + { + "sourcetype": "zscalernss-web", + "event": { + "datetime": "2024-08-26 13:27:54", + "reason": "Allowed", + "event_id": "1111111111111111", + "protocol": "HTTPS", + "action": "Allowed", + "transactionsize": "1706", + "responsesize": "758", + "requestsize": "948", + "urlcategory": "Online Chat", + "serverip": "1.2.3.4", + "requestmethod": "GET", + "refererURL": "exemple.url.com/", + "useragent": "Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML%2c%20like%20Gecko)%20Chrome/128.0.0.0%20Safari/537.36", + "product": "NSS", + "location": "FR-Re", + "ClientIP": "5.6.7.8", + "status": "200", + "user": "john.doe@mail.com", + "url": "api.chat.org/bot/sendmessage", + "vendor": "Zscaler", + "hostname": "api.chat.org", + "clientpublicIP": "5.6.7.8", + "threatcategory": "None", + "threatname": "None", + "filetype": "None", + "appname": "Random Chat", + "pagerisk": "10", + "department": "FR", + "urlsupercategory": "Internet Communication", + "appclass": "Sales and Marketing", + "dlpengine": "None", + "urlclass": "Business Use", + "threatclass": "None", + "dlpdictionaries": "None", + "fileclass": "None", + "bwthrottle": "NO", + "contenttype": "application/json", + "unscannabletype": "None", + "deviceowner": "NA", + "devicehostname": "NA", + "keyprotectiontype": "Software Protection" + } + } + ``` + + + === "test_saas_security_event" diff --git a/_shared_content/operations_center/integrations/generated/de9ca004-991e-4f5c-89c5-e075f3fb3216.md b/_shared_content/operations_center/integrations/generated/de9ca004-991e-4f5c-89c5-e075f3fb3216.md index 715bd4f742..f3dae76d68 100644 --- a/_shared_content/operations_center/integrations/generated/de9ca004-991e-4f5c-89c5-e075f3fb3216.md +++ b/_shared_content/operations_center/integrations/generated/de9ca004-991e-4f5c-89c5-e075f3fb3216.md 
@@ -469,9 +469,26 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "netskope": { "dlp": { + "action": "useralert", + "forensic_id": "2222222222222222222", "incident": { "id": "2222222222222222222" - } + }, + "policy": "[DLP] Block sensitive files on Cloud Storage", + "profile_name": "DLP-PII", + "rules": [ + { + "count": 5, + "data_identifiers": { + "industries/healthcare/medical_conditions/eng": 5, + "persons/proper_names/us/last": 5 + }, + "name": "Name-Medical Condition", + "score": 10, + "severity": "Low", + "unique_count": false + } + ] }, "events": { "access_method": "Client", @@ -910,8 +927,13 @@ The following table lists the fields that are extracted, normalized under the EC |`http.request.referrer` | `keyword` | Referrer for this HTTP request. | |`netskope.alerts.name` | `keyword` | The name of the alert | |`netskope.alerts.type` | `keyword` | The type of the alert | +|`netskope.dlp.action` | `keyword` | The action done on the DLP incident | +|`netskope.dlp.forensic_id` | `keyword` | The identifier of the forensic | |`netskope.dlp.incident.id` | `keyword` | The identifier of the DLP incident | |`netskope.dlp.incident.parent_id` | `keyword` | The identifier of the DLP incident parent | +|`netskope.dlp.policy` | `keyword` | The policy that triggered the DLP incident | +|`netskope.dlp.profile_name` | `keyword` | The name of the DLP profile | +|`netskope.dlp.rules` | `array` | Rules that triggered the DLP incident | |`netskope.events.access_method` | `keyword` | The action done on the application | |`netskope.events.action.type` | `keyword` | The name of the action | |`netskope.events.action.values` | `array` | The targets of the action | diff --git a/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b.md b/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b.md index 2bfac6d493..9dcec8b0a4 100644 
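Review bot: `netskope.dlp.rules[].data_identifiers` is emitted as an object whose keys are the identifier paths (`industries/healthcare/medical_conditions/eng`, `persons/proper_names/us/last`), so every identifier Netskope ships becomes a new dynamic field name containing `/`, which the new table row (`rules` typed as `array`) does not describe and which is awkward to query or map. An array of `{ "name": "persons/proper_names/us/last", "count": 5 }` objects would keep the schema bounded; short of that, the `rules` row should state that each element carries `name`, `severity`, `score`, `count`, `unique_count` and the identifier map so detection authors know what to match on. Note also that the sample pairs a policy named `[DLP] Block sensitive files on Cloud Storage` with `action: "useralert"`; if that is representative, the description for `netskope.dlp.action` should make clear it is the enforced action, not the policy's configured one. The surrounding JSON sample starts before this hunk.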
--- a/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b.md +++ b/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b.md @@ -623,6 +623,80 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "client_information_25.json" + + ```json + + { + "message": "2024-09-05 14:39:31 john.doe/1.2.3.4:12399 TLS: soft reset sec=3289/3289 bytes=781236/-1 pkts=3065/0", + "event": { + "category": [ + "network" + ], + "reason": "TLS: soft reset sec=3289/3289 bytes=781236/-1 pkts=3065/0", + "type": [ + "info" + ] + }, + "@timestamp": "2024-09-05T14:39:31Z", + "client": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 12399 + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe" + ] + }, + "user": { + "name": "john.doe" + } + } + + ``` + + +=== "client_information_26.json" + + ```json + + { + "message": "2024-09-05 14:39:31 john.doe/1.2.3.4:12399 TLS: Username/Password authentication deferred for username 'john.doe'", + "event": { + "category": [ + "network" + ], + "reason": "TLS: Username/Password authentication deferred for username 'john.doe'", + "type": [ + "info" + ] + }, + "@timestamp": "2024-09-05T14:39:31Z", + "client": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 12399 + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe" + ] + }, + "user": { + "name": "john.doe" + } + } + + ``` + + === "client_information_3.json" ```json 
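Review bot: `client_information_26.json` is an authentication step (`Username/Password authentication deferred for username 'john.doe'`) but is normalised identically to the `TLS: soft reset` housekeeping line beside it, with `event.category: ["network"]` and `event.type: ["info"]`. Detections that select `event.category: authentication` for OpenVPN logons will therefore never see the deferred/pending stage; I would set `"category": ["authentication"]` for this message while leaving `event.outcome` unset, since a deferral is neither a success nor a failure yet. `user.name` is taken only from the `john.doe/1.2.3.4:12399` prefix; if, as the message format suggests, the quoted `username '...'` is the credential actually submitted, that value is the one worth keeping when the two differ, though I cannot confirm that from the sample alone.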
@@ -1056,6 +1130,46 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "tls_information_1.json" + + ```json + + { + "message": "2024-09-05 14:39:31 john.doe/1.2.3.4:12399 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X12345", + "event": { + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "@timestamp": "2024-09-05T14:39:31Z", + "client": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 12399 + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe" + ] + }, + "tls": { + "cipher": "TLS_AES_256_GCM_SHA384", + "version": "v1.3" + }, + "user": { + "name": "john.doe" + } + } + + ``` + + === "tunnel_0.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b_sample.md b/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b_sample.md index 402e1b1fa0..635c30a0bf 100644 --- a/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b_sample.md +++ b/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b_sample.md @@ -180,6 +180,22 @@ In this section, you will find examples of raw logs as generated natively by the +=== "client_information_25" + + ``` + 2024-09-05 14:39:31 john.doe/1.2.3.4:12399 TLS: soft reset sec=3289/3289 bytes=781236/-1 pkts=3065/0 + ``` + + + +=== "client_information_26" + + ``` + 2024-09-05 14:39:31 john.doe/1.2.3.4:12399 TLS: Username/Password authentication deferred for username 'john.doe' + ``` + + + === "client_information_3" ``` 
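Review bot: `tls.version` is set to `"v1.3"`, which is not the ECS form: ECS carries the numeric part in `tls.version` (`"1.3"`) and the protocol name in `tls.version_protocol` (`"tls"`), and the leading `v` will also defeat any rule comparing against `1.2`/`1.3` to flag downgraded sessions. The raw line additionally reports the peer certificate key (`4096 bits RSA`), its signature algorithm (`RSA-SHA256`) and the ephemeral key (`253 bits X...`), all useful for weak-crypto detections and all currently discarded; `tls.client.x509.public_key_algorithm`/`public_key_size` and `tls.client.x509.signature_algorithm` are the natural homes, assuming the peer here is the client as the `john.doe/1.2.3.4` prefix suggests. Suggested output: `"tls": { "cipher": "TLS_AES_256_GCM_SHA384", "version": "1.3", "version_protocol": "tls" }`.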
@@ -300,6 +316,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "tls_information_1" + + ``` + 2024-09-05 14:39:31 john.doe/1.2.3.4:12399 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X12345 + ``` + + + === "tunnel_0" ``` diff --git a/_shared_content/operations_center/integrations/generated/eb727929-6a06-4e68-a09d-cf0e5daf3ccd.md b/_shared_content/operations_center/integrations/generated/eb727929-6a06-4e68-a09d-cf0e5daf3ccd.md index a13e2b6e93..87989c720e 100644 --- a/_shared_content/operations_center/integrations/generated/eb727929-6a06-4e68-a09d-cf0e5daf3ccd.md +++ b/_shared_content/operations_center/integrations/generated/eb727929-6a06-4e68-a09d-cf0e5daf3ccd.md @@ -1277,7 +1277,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "log": { "syslog": { - "appname": "postfix/local" + "appname": "" } }, "network": { @@ -5105,7 +5105,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I }, "log": { "syslog": { - "appname": "postfix/smtp" + "appname": "-" } }, "network": { diff --git a/_shared_content/operations_center/integrations/generated/f0a10c21-37d1-419f-8671-77903dc8de69.md b/_shared_content/operations_center/integrations/generated/f0a10c21-37d1-419f-8671-77903dc8de69.md index 3cb9e3f6c1..993b39f9fc 100644 --- a/_shared_content/operations_center/integrations/generated/f0a10c21-37d1-419f-8671-77903dc8de69.md +++ b/_shared_content/operations_center/integrations/generated/f0a10c21-37d1-419f-8671-77903dc8de69.md 
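Review bot: Both single-line hunks in the postfix page replace a meaningful `log.syslog.appname` (`postfix/local`, `postfix/smtp`) with an empty string and with `-`, which reads as a parser regression being baked into the expected output rather than an intended result: `-` is the RFC 5424 NILVALUE and `""` carries nothing, so neither value should be stored, and the `postfix/<subsystem>` tag is what analysts use to separate local delivery from relay events. If the raw samples no longer contain the tag, the parser should omit `log.syslog.appname` altogether; if they still do, the extraction pattern needs to be restored. The JSON samples these lines belong to start outside this diff, so I cannot see whether the subsystem survives in another field.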
@@ -448,6 +448,68 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "CEF_drop_1.json" + + ```json + + { + "message": "CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|Log|Unknown|act=Drop cs4Label=TCP Flags cs4=SYN-ACK deviceDirection=0 rt=1723938549000 spt=443 dpt=2384 ifname=test151.420 logid=1 loguid={0x66c136f5,0xf4,0x1b6410ac,0x151daa25} origin=1.2.3.4 originsicname=CN=cip-fw-test-1,O=CPSRVP.test.test sequencenum=103 version=5 dst=3.4.5.6 product=VPN-1 & FireWall-1 proto=6 src=1.2.3.4 tcp_packet_out_of_state=First packet isn't SYN", + "event": { + "code": "Log", + "outcome": "success" + }, + "action": { + "name": "drop", + "outcome": "success", + "properties": { + "loguid": "{0x66c136f5,0xf4,0x1b6410ac,0x151daa25}", + "observer_type": "VPN-1 & FireWall-1", + "origin": "1.2.3.4", + "originsicname": "CN=cip-fw-test-1,O=CPSRVP.test.test", + "product": "VPN-1 & FireWall-1" + }, + "target": "network-traffic" + }, + "checkpoint": { + "firewall": { + "tcp_flags": "SYN-ACK" + } + }, + "destination": { + "address": "3.4.5.6", + "ip": "3.4.5.6", + "port": 2384 + }, + "network": { + "direction": "inbound", + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "test151.420" + } + } + }, + "related": { + "ip": [ + "1.2.3.4", + "3.4.5.6" + ] + }, + "rule": { + "version": "5" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 443 + } + } + + ``` + + === "CEF_geo_protection.json" ```json 
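Review bot: The drop event is normalised with no `event.category`/`event.type` and with `event.outcome: "success"`, so the only ECS signal that the packet was denied is `action.name: "drop"`; rules selecting `event.type: denied` or `event.category: network` will not match it, and `success` on a drop is at best ambiguous. The CEF extension `tcp_packet_out_of_state=First packet isn't SYN` — the stateful-inspection reason the SYN-ACK was dropped — is discarded entirely. I would add `"category": ["network"]`, `"type": ["denied"]` and `"reason": "First packet isn't SYN"` under `event`, keeping the new `checkpoint.firewall.tcp_flags` field as is. The field-table row for `tcp_flags` is added in the next hunk and is fine.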
@@ -1473,6 +1535,7 @@ The following table lists the fields that are extracted, normalized under the EC |`action.properties.vpn_feature_name` | `keyword` | | |`action.properties.vpn_peer_gateway` | `keyword` | | |`action.target` | `keyword` | | +|`checkpoint.firewall.tcp_flags` | `keyword` | The control flag of the data flow | |`destination.address` | `keyword` | Destination network address. | |`destination.domain` | `keyword` | The domain name of the destination. | |`destination.ip` | `ip` | IP address of the destination. | diff --git a/_shared_content/operations_center/integrations/generated/f0a10c21-37d1-419f-8671-77903dc8de69_sample.md b/_shared_content/operations_center/integrations/generated/f0a10c21-37d1-419f-8671-77903dc8de69_sample.md index a75f25ed98..fb1ee86d2a 100644 --- a/_shared_content/operations_center/integrations/generated/f0a10c21-37d1-419f-8671-77903dc8de69_sample.md +++ b/_shared_content/operations_center/integrations/generated/f0a10c21-37d1-419f-8671-77903dc8de69_sample.md @@ -67,6 +67,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "CEF_drop_1" + + ``` + CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|Log|Unknown|act=Drop cs4Label=TCP Flags cs4=SYN-ACK deviceDirection=0 rt=1723938549000 spt=443 dpt=2384 ifname=test151.420 logid=1 loguid={0x66c136f5,0xf4,0x1b6410ac,0x151daa25} origin=1.2.3.4 originsicname=CN=cip-fw-test-1,O=CPSRVP.test.test sequencenum=103 version=5 dst=3.4.5.6 product=VPN-1 & FireWall-1 proto=6 src=1.2.3.4 tcp_packet_out_of_state=First packet isn't SYN + ``` + + + === "CEF_geo_protection" ``` diff --git a/_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0.md b/_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0.md index f528c3541e..c235987812 100644 --- a/_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0.md 
+++ b/_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0.md 
@@ -2708,42 +2708,42 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "action": { "id": "1117", "properties": { - "action_id": "2", - "action_name": "Quarantine", - "additional_actions_id": "0", - "additional_actions_string": "No additional actions required", - "category_id": "8", - "category_name": "Trojan", - "detection_id": "{9C26ADFE-43AA-4884-9765-A2EC223DC7E0}", - "detection_time": "2024-03-22T14:01:20.550Z", - "detection_user": "DESKTOP-001\\Lab", - "engine_version": "AM: 1.1.24020.9, NIS: 1.1.24020.9", - "error_code": "0x00000000", - "error_description": "The operation completed successfully. ", - "execution_id": "0", - "execution_name": "Unknown", - "fwlink": "https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/BatTamper.A&threatid=2147818424&enterprise=0", - "origin_id": "4", - "origin_name": "Internet", - "path": "file:_C:\\Users\\Lab\\Downloads\\TurnOffAV.ps1; webfile:_C:\\Users\\Lab\\Downloads\\TurnOffAV.ps1|https://github.com/|pid:13760,ProcessStart:133555896788321048", - "post_clean_status": "0", - "pre_execution_status": "0", - "process_name": "Unknown", - "product_name": "Microsoft Defender Antivirus", - "product_version": "4.18.23110.3", - "remediation_user": "NT AUTHORITY\\SYSTEM", - "security_intelligence_version": "AV: 1.407.619.0, AS: 1.407.619.0, NIS: 1.407.619.0", - "severity_id": "5", - "severity_name": "Severe", - "source_id": "4", - "source_name": "Downloads and attachments", - "state": "2", - "status_code": "4", - "task": "0", - "threat_id": "2147818424", - "threat_name": "Trojan:Win32/BatTamper.A", - "type_id": "0", - "type_name": "Concrete" + "ActionId": "2", + "ActionName": "Quarantine", + "AdditionalActionsId": "0", + "AdditionalActionsString": "No additional actions required", + "CategoryId": "8", + "CategoryName": "Trojan", + "DetectionId": "{9C26ADFE-43AA-4884-9765-A2EC223DC7E0}", + "DetectionTime": "2024-03-22T14:01:20.550Z", + "DetectionUser": "DESKTOP-001\\Lab", + "EngineVersion": 
"AM: 1.1.24020.9, NIS: 1.1.24020.9", + "ErrorCode": "0x00000000", + "ErrorDescription": "The operation completed successfully. ", + "ExecutionId": "0", + "ExecutionName": "Unknown", + "Fwlink": "https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/BatTamper.A&threatid=2147818424&enterprise=0", + "OriginId": "4", + "OriginName": "Internet", + "Path": "file:_C:\\Users\\Lab\\Downloads\\TurnOffAV.ps1; webfile:_C:\\Users\\Lab\\Downloads\\TurnOffAV.ps1|https://github.com/|pid:13760,ProcessStart:133555896788321048", + "PostCleanStatus": "0", + "PreExecutionStatus": "0", + "ProcessName": "Unknown", + "ProductName": "Microsoft Defender Antivirus", + "ProductVersion": "4.18.23110.3", + "RemediationUser": "NT AUTHORITY\\SYSTEM", + "SecurityIntelligenceVersion": "AV: 1.407.619.0, AS: 1.407.619.0, NIS: 1.407.619.0", + "SeverityId": "5", + "SeverityName": "Severe", + "SourceId": "4", + "SourceName": "Downloads and attachments", + "State": "2", + "StatusCode": "4", + "Task": "0", + "ThreatId": "2147818424", + "ThreatName": "Trojan:Win32/BatTamper.A", + "TypeId": "0", + "TypeName": "Concrete" }, "record_id": "613" }, 
@@ -6525,45 +6525,45 @@ The following table lists the fields that are extracted, normalized under the EC | ---- | ---- | ---------------------------| |`@timestamp` | `date` | Date/time when the event originated. | |`action.id` | `keyword` | stormshield action id | +|`action.properties.ActionId` | `keyword` | stormshield property Action ID | +|`action.properties.ActionName` | `keyword` | stormshield property Action Name | +|`action.properties.AdditionalActionsId` | `keyword` | stormshield property Additional Actions ID | +|`action.properties.AdditionalActionsString` | `keyword` | stormshield property Additional Actions String | +|`action.properties.CategoryId` | `keyword` | stormshield property Category ID | +|`action.properties.CategoryName` | `keyword` | stormshield property Category Name | +|`action.properties.DetectionId` | `keyword` | stormshield property Detection ID | +|`action.properties.DetectionTime` | `keyword` | stormshield property Detection Time | +|`action.properties.DetectionUser` | `keyword` | stormshield property Detection User | +|`action.properties.EngineVersion` | `keyword` | stormshield property Engine Version | +|`action.properties.ErrorCode` | `keyword` | stormshield property Error Code | +|`action.properties.ErrorDescription` | `keyword` | stormshield property Error Description | +|`action.properties.ExecutionId` | `keyword` | stormshield property Execution ID | +|`action.properties.ExecutionName` | `keyword` | stormshield property Execution Name | +|`action.properties.Fwlink` | `keyword` | stormshield property FWLink | +|`action.properties.Opcode` | `keyword` | stormshield action opcode | +|`action.properties.OriginId` | `keyword` | stormshield property Origin ID | +|`action.properties.OriginName` | `keyword` | stormshield property Origin Name | +|`action.properties.Path` | `keyword` | stormshield property Path | +|`action.properties.PostCleanStatus` | `keyword` | stormshield property Post Clean Status | 
+|`action.properties.PreExecutionStatus` | `keyword` | stormshield property Pre Execution Status | +|`action.properties.ProcessName` | `keyword` | stormshield property Process Name | +|`action.properties.ProductName` | `keyword` | stormshield property Product Name | +|`action.properties.ProductVersion` | `keyword` | stormshield property Product Version | +|`action.properties.RemediationUser` | `keyword` | stormshield property Remediation User | +|`action.properties.SecurityIntelligenceVersion` | `keyword` | stormshield property Security intelligence Version | +|`action.properties.SeverityId` | `keyword` | stormshield property Severity ID | +|`action.properties.SeverityName` | `keyword` | stormshield property Severity Name | +|`action.properties.SourceId` | `keyword` | stormshield property Source ID | +|`action.properties.SourceName` | `keyword` | stormshield property Source Name | +|`action.properties.State` | `keyword` | stormshield property State | +|`action.properties.StatusCode` | `keyword` | stormshield property Status Code | |`action.properties.TargetCommandLine` | `keyword` | stormshield targeted process command line | |`action.properties.TargetImage` | `keyword` | stormshield targeted process executable | -|`action.properties.action_id` | `keyword` | stormshield property Action ID | -|`action.properties.action_name` | `keyword` | stormshield property Action Name | -|`action.properties.additional_actions_id` | `keyword` | stormshield property Additional Actions ID | -|`action.properties.additional_actions_string` | `keyword` | stormshield property Additional Actions String | -|`action.properties.category_id` | `keyword` | stormshield property Category ID | -|`action.properties.category_name` | `keyword` | stormshield property Category Name | -|`action.properties.detection_id` | `keyword` | stormshield property Detection ID | -|`action.properties.detection_time` | `keyword` | stormshield property Detection Time | -|`action.properties.detection_user` | 
`keyword` | stormshield property Detection User | -|`action.properties.engine_version` | `keyword` | stormshield property Engine Version | -|`action.properties.error_code` | `keyword` | stormshield property Error Code | -|`action.properties.error_description` | `keyword` | stormshield property Error Description | -|`action.properties.execution_id` | `keyword` | stormshield property Execution ID | -|`action.properties.execution_name` | `keyword` | stormshield property Execution Name | -|`action.properties.fwlink` | `keyword` | stormshield property FWLink | -|`action.properties.opcode` | `keyword` | stormshield action opcode | -|`action.properties.origin_id` | `keyword` | stormshield property Origin ID | -|`action.properties.origin_name` | `keyword` | stormshield property Origin Name | -|`action.properties.path` | `keyword` | stormshield property Path | -|`action.properties.post_clean_status` | `keyword` | stormshield property Post Clean Status | -|`action.properties.pre_execution_status` | `keyword` | stormshield property Pre Execution Status | -|`action.properties.process_name` | `keyword` | stormshield property Process Name | -|`action.properties.product_name` | `keyword` | stormshield property Product Name | -|`action.properties.product_version` | `keyword` | stormshield property Product Version | -|`action.properties.remediation_user` | `keyword` | stormshield property Remediation User | -|`action.properties.security_intelligence_version` | `keyword` | stormshield property Security intelligence Version | -|`action.properties.severity_id` | `keyword` | stormshield property Severity ID | -|`action.properties.severity_name` | `keyword` | stormshield property Severity Name | -|`action.properties.source_id` | `keyword` | stormshield property Source ID | -|`action.properties.source_name` | `keyword` | stormshield property Source Name | -|`action.properties.state` | `keyword` | stormshield property State | -|`action.properties.status_code` | `keyword` | stormshield 
property Status Code | -|`action.properties.task` | `keyword` | stormshield action task | -|`action.properties.threat_id` | `keyword` | stormshield property Threat ID | -|`action.properties.threat_name` | `keyword` | stormshield property Threat Name | -|`action.properties.type_id` | `keyword` | stormshield property Type ID | -|`action.properties.type_name` | `keyword` | stormshield property Type Name | +|`action.properties.Task` | `keyword` | stormshield action task | +|`action.properties.ThreatId` | `keyword` | stormshield property Threat ID | +|`action.properties.ThreatName` | `keyword` | stormshield property Threat Name | +|`action.properties.TypeId` | `keyword` | stormshield property Type ID | +|`action.properties.TypeName` | `keyword` | stormshield property Type Name | |`action.record_id` | `keyword` | stormshield action record id | |`agent.id` | `keyword` | Unique identifier of this agent. | |`destination.ip` | `ip` | IP address of the destination. | diff --git a/_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644.md b/_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644.md index d9df5af0d7..db8f85cd53 100644 --- a/_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644.md +++ b/_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644.md 
@@ -704,6 +704,68 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "dns_https_short.json" + + ```json + + { + "message": "client 1.2.3.4#52023 (youtube-ui.l.google.com.): answer: youtube-ui.l.google.com. IN TYPE65 (5.6.7.8) -> NOERROR 2122 HTTPS 1 .", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "type": [ + "info" + ] + }, + "client": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 52023 + }, + "dns": { + "answers": [ + { + "data": ".", + "ttl": 2122, + "type": "HTTPS" + } + ], + "question": { + "class": "IN", + "name": "youtube-ui.l.google.com.", + "registered_domain": "google.com", + "subdomain": "youtube-ui.l", + "top_level_domain": "com", + "type": "TYPE65" + }, + "response_code": "NOERROR", + "type": "answer" + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "hosts": [ + "youtube-ui.l.google.com." + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "server": { + "ip": "5.6.7.8" + } + } + + ``` + + === "dns_https_wo_ipv6.json" ```json @@ -1319,6 +1381,48 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_refused_notify.json" + + ```json + + { + "message": "zone example.com/IN: refused notify from non-master: 1.2.3.4#49304", + "event": { + "action": "refused notify", + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "reason": "1.2.3.4#49304", + "type": [ + "info" + ] + }, + "dns": { + "type": "query" + }, + "efficientip": { + "rpz": { + "domain": "example.com", + "query": { + "class": "IN" + }, + "source": { + "name": "non-master" + } + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + } + } + + ``` + + === "test_rpz_notify.json" ```json 
@@ -1502,7 +1606,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "1.2.3.4" ] }, - "server": { + "source": { + "address": "1.2.3.4", "ip": "1.2.3.4", "port": 53 } @@ -1550,7 +1655,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "1.2.3.4" ] }, - "server": { + "source": { + "address": "1.2.3.4", "ip": "1.2.3.4", "port": 53 } 
@@ -1598,7 +1704,104 @@ This section demonstrates how the raw logs will be transformed by our parsers. I "1.2.3.4" ] }, - "server": { + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 53 + } + } + + ``` + + +=== "test_rpz_transfer_4.json" + + ```json + + { + "message": "transfer of 'example.com/IN' from 1.2.3.4#53: Transfer completed: 1 messages, 5 records, 275 bytes, 0.001 secs (275000 bytes/sec) (serial 2024121937)", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "reason": "Transfer completed: 1 messages, 5 records, 275 bytes, 0.001 secs (275000 bytes/sec) (serial 2024121937)", + "type": [ + "info" + ] + }, + "dns": { + "type": "query" + }, + "efficientip": { + "rpz": { + "domain": "example.com", + "query": { + "class": "IN" + } + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 53 + } + } + + ``` + + +=== "test_rpz_transfer_5.json" + + ```json + + { + "message": "transfer of 'example.com/IN' from 1.2.3.4#53: Transfer completed: 1 messages, 10 records, 353 bytes, 0.026 secs (13576 bytes/sec) (serial 22910862)", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "reason": "Transfer completed: 1 messages, 10 records, 353 bytes, 0.026 secs (13576 bytes/sec) (serial 22910862)", + "type": [ + "info" + ] + }, + "dns": { + "type": "query" + }, + "efficientip": { + "rpz": { + "domain": "example.com", + "query": { + "class": "IN" + } + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", "ip": "1.2.3.4", "port": 53 } 
@@ -1607,6 +1810,217 @@ This section demonstrates how the raw logs will be transformed by our parsers. I ``` +=== "test_rpz_transfer_6.json" + + ```json + + { + "message": "client @0x8871827c 1.2.3.4#25484 (example.com): transfer of 'example.com/IN': IXFR ended: 2 messages, 422 records, 14227 bytes, 0.001 secs (14227000 bytes/sec) (serial 2024121946)", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "reason": "IXFR ended: 2 messages, 422 records, 14227 bytes, 0.001 secs (14227000 bytes/sec) (serial 2024121946)", + "type": [ + "info" + ] + }, + "client": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 25484 + }, + "dns": { + "type": "query" + }, + "efficientip": { + "rpz": { + "domain": "example.com", + "query": { + "class": "IN" + } + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + } + } + + ``` + + +=== "test_sending_notifies.json" + + ```json + + { + "message": "zone example.com/IN: sending notifies (serial 2024121928)", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "reason": "sending notifies (serial 2024121928)", + "type": [ + "info" + ] + }, + "dns": { + "type": "query" + }, + "efficientip": { + "rpz": { + "domain": "example.com", + "query": { + "class": "IN" + } + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + } + } + + ``` + + +=== "test_transfer_started.json" + + ```json + + { + "message": "zone example.com/IN: Transfer started.", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "reason": "Transfer started.", + "type": [ + "info" + ] + }, + "dns": { + "type": "query" + }, + "efficientip": { + "rpz": { + "domain": "example.com", + "query": { + "class": "IN" + } + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + } + } + + ``` + + +=== "test_transferred.json" + + ```json + + { + 
"message": "zone example.com/IN: transferred serial 2024121928", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "reason": "transferred serial 2024121928", + "type": [ + "info" + ] + }, + "dns": { + "type": "query" + }, + "efficientip": { + "rpz": { + "domain": "example.com", + "query": { + "class": "IN" + } + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + } + } + + ``` + + +=== "test_zone_up_to_date.json" + + ```json + + { + "message": "zone example.com/IN: notify from 1.2.3.4#49754: zone is up to date", + "event": { + "action": "notify", + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "reason": "zone is up to date", + "type": [ + "info" + ] + }, + "dns": { + "type": "query" + }, + "efficientip": { + "rpz": { + "domain": "example.com", + "query": { + "class": "IN" + } + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 49754 + } + } + + ``` + + diff --git a/_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644_sample.md b/_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644_sample.md index 3b25becbcf..c183fffa6b 100644 --- a/_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644_sample.md +++ b/_shared_content/operations_center/integrations/generated/f95fea50-533c-4897-9272-2f8361e63644_sample.md @@ -100,6 +100,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "dns_https_short" + + ``` + client 1.2.3.4#52023 (youtube-ui.l.google.com.): answer: youtube-ui.l.google.com. IN TYPE65 (5.6.7.8) -> NOERROR 2122 HTTPS 1 . + ``` + + + === "dns_https_wo_ipv6" ``` 
@@ -188,6 +196,14 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_refused_notify" + + ``` + zone example.com/IN: refused notify from non-master: 1.2.3.4#49304 + ``` + + + === "test_rpz_notify" ``` @@ -236,3 +252,59 @@ In this section, you will find examples of raw logs as generated natively by the +=== "test_rpz_transfer_4" + + ``` + transfer of 'example.com/IN' from 1.2.3.4#53: Transfer completed: 1 messages, 5 records, 275 bytes, 0.001 secs (275000 bytes/sec) (serial 2024121937) + ``` + + + +=== "test_rpz_transfer_5" + + ``` + transfer of 'example.com/IN' from 1.2.3.4#53: Transfer completed: 1 messages, 10 records, 353 bytes, 0.026 secs (13576 bytes/sec) (serial 22910862) + ``` + + + +=== "test_rpz_transfer_6" + + ``` + client @0x8871827c 1.2.3.4#25484 (example.com): transfer of 'example.com/IN': IXFR ended: 2 messages, 422 records, 14227 bytes, 0.001 secs (14227000 bytes/sec) (serial 2024121946) + ``` + + + +=== "test_sending_notifies" + + ``` + zone example.com/IN: sending notifies (serial 2024121928) + ``` + + + +=== "test_transfer_started" + + ``` + zone example.com/IN: Transfer started. + ``` + + + +=== "test_transferred" + + ``` + zone example.com/IN: transferred serial 2024121928 + ``` + + + +=== "test_zone_up_to_date" + + ``` + zone example.com/IN: notify from 1.2.3.4#49754: zone is up to date + ``` + + +