Skip to content

Commit

Permalink
Refresh intakes documentation
Browse files Browse the repository at this point in the history
  • Loading branch information
@sekoia-io-cross-repo-comm-app @github-actions
sekoia-io-cross-repo-comm-app[bot] authored and github-actions[bot] committed May 21, 2024
1 parent 5e6e0de commit 18cf8ff
Show file tree
Hide file tree
Showing 4 changed files with 560 additions and 2 deletions.
9 changes: 9 additions & 0 deletions ...perations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1088,6 +1088,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"2b684979d6174bad69d895c7d8a852e7b206b95f",
"4d5b7b6c06159d6b967f2c2c73f10145"
],
"hosts": [
"www.example.org"
],
"ip": [
"1.2.3.4",
"5.6.7.8"
Expand All @@ -1097,6 +1100,12 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"address": "1.2.3.4",
"ip": "1.2.3.4",
"port": 59985
},
"url": {
"domain": "www.example.org",
"registered_domain": "example.org",
"subdomain": "www",
"top_level_domain": "org"
}
}
Expand Down
241 changes: 241 additions & 0 deletions ...perations_center/integrations/generated/59991ced-c2a0-4fb0-91f3-49e3993c16f5.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,248 @@ The following table lists the data source offered by this integration.



In details, the following table denotes the type of events produced by this integration.

| Name | Values |
| ---- | ------ |
| Kind | `event` |
| Category | `file`, `network`, `process`, `registry` |
| Type | `allowed`, `change`, `creation`, `deletion`, `end`, `info`, `start` |




## Event Samples

Find below few samples of events and how they are normalized by Sekoia.io.


=== "tanium_file_open.json"

```json

{
"message": "{\"event\":\"file_open\",\"hostname\":\"2256269043\",\"host\":\"172.16.2.1\",\"fields\":{\"tanium_process_id\":\"-6966335309415971179\",\"read_flag\":true,\"full_path\":\"/var/lib/rrdcached/db/pve2-vm/115\",\"process__login__user_id\":4294967295,\"process__login__user_name\":null,\"process__pid\":1685,\"process__user__group\":\"root\",\"process__file__full_path\":\"/usr/bin/rrdcached\",\"process__user__name\":\"root\"}}",
"event": {
"action": "file-open",
"category": [
"file"
],
"kind": "event",
"type": [
"info"
]
},
"file": {
"directory": "/var/lib/rrdcached/db/pve2-vm",
"name": "115",
"path": "/var/lib/rrdcached/db/pve2-vm/115"
},
"group": {
"name": "root"
},
"host": {
"hostname": "2256269043",
"ip": [
"172.16.2.1"
],
"name": "2256269043"
},
"observer": {
"name": "2256269043",
"product": "XEM",
"type": "sensor",
"vendor": "Tanium"
},
"process": {
"executable": "/usr/bin/rrdcached",
"name": "rrdcached",
"pid": 1685
},
"related": {
"hosts": [
"2256269043"
],
"ip": [
"172.16.2.1"
]
},
"user": {
"id": "4294967295"
}
}
```


=== "tanium_network_connect.json"

```json

{
"message": "{\"event\":\"network_connect\",\"hostname\":\"2421864415\",\"host\":\"172.16.2.1\",\"fields\":{\"remote_port\":80,\"process__login__user_name\":null,\"process__pid\":2540,\"process__user__group\":\"NT AUTHORITY\",\"local_ip\":\"172.16.4.1\",\"local_port\":53671,\"process__file__full_path\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"tanium_process_id\":\"-4314545011392247632\",\"process__login__user_id\":0,\"remote_ip\":\"184.25.50.65\",\"process__user__name\":\"NETWORK SERVICE\"}}",
"event": {
"category": [
"network"
],
"kind": "event",
"type": [
"start"
]
},
"destination": {
"address": "184.25.50.65",
"ip": "184.25.50.65",
"port": 80
},
"group": {
"name": "NT AUTHORITY"
},
"host": {
"hostname": "2421864415",
"ip": [
"172.16.2.1"
],
"name": "2421864415"
},
"observer": {
"name": "2421864415",
"product": "XEM",
"type": "sensor",
"vendor": "Tanium"
},
"process": {
"executable": "C:\\Windows\\System32\\svchost.exe",
"name": "svchost.exe",
"pid": 2540
},
"related": {
"hosts": [
"2421864415"
],
"ip": [
"172.16.2.1",
"172.16.4.1",
"184.25.50.65"
]
},
"source": {
"address": "172.16.4.1",
"ip": "172.16.4.1",
"port": 53671
},
"user": {
"id": "0"
}
}
```


=== "tanium_process_start.json"

```json

{
"message": "{\"event\":\"process_start\",\"hostname\":\"1345671024\",\"host\":\"172.16.2.1\",\"fields\":{\"file__md5\":\"8ed54b7dcf043252441bca716b8c461f\",\"tanium_parent_process_id\":\"-6966498655612172786\",\"create_time\":\"2021-07-15T13:47:13.084000+00:00\",\"parent__command_line\":\"pve-firewall\",\"file__full_path\":\"/usr/sbin/ipset\",\"tanium_process_id\":\"-6166594163916654264\",\"pid\":14664,\"login__user_name\":null,\"command_line\":\"ipset save\",\"login__user_id\":4294967295,\"parent__file__full_path\":\"/usr/bin/perl\",\"user__name\":\"root\",\"parent_pid\":1550,\"user__group\":\"root\"}}",
"event": {
"category": [
"process"
],
"kind": "event",
"type": [
"start"
]
},
"file": {
"directory": "/usr/sbin",
"name": "ipset",
"path": "/usr/sbin/ipset"
},
"host": {
"hostname": "1345671024",
"ip": [
"172.16.2.1"
],
"name": "1345671024"
},
"observer": {
"name": "1345671024",
"product": "XEM",
"type": "sensor",
"vendor": "Tanium"
},
"process": {
"command_line": "ipset save",
"executable": "/usr/sbin/ipset",
"hash": {
"md5": "8ed54b7dcf043252441bca716b8c461f"
},
"parent": {
"command_line": "pve-firewall",
"executable": "/usr/bin/perl",
"name": "perl",
"pid": 1550
},
"start": "2021-07-15T13:47:13.084000Z"
},
"related": {
"hash": [
"8ed54b7dcf043252441bca716b8c461f"
],
"hosts": [
"1345671024"
],
"ip": [
"172.16.2.1"
]
}
}
```





## Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

| Name | Type | Description |
| ---- | ---- | ---------------------------|
|`destination.ip` | `ip` | IP address of the destination. |
|`destination.port` | `long` | Port of the destination. |
|`dns.answers` | `object` | Array of DNS answers. |
|`dns.question.name` | `keyword` | The name being queried. |
|`event.action` | `keyword` | The action captured by the event. |
|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
|`file.directory` | `keyword` | Directory where the file is located. |
|`file.name` | `keyword` | Name of the file including the extension, without the directory. |
|`file.path` | `keyword` | Full path to the file, including the file name. |
|`group.name` | `keyword` | Name of the group. |
|`host.hostname` | `keyword` | Hostname of the host. |
|`host.ip` | `ip` | Host ip addresses. |
|`observer.name` | `keyword` | Custom name of the observer. |
|`observer.product` | `keyword` | The product name of the observer. |
|`observer.type` | `keyword` | The type of the observer the data is coming from. |
|`observer.vendor` | `keyword` | Vendor name of the observer. |
|`process.command_line` | `wildcard` | Full command line that started the process. |
|`process.executable` | `keyword` | Absolute path to the process executable. |
|`process.hash.md5` | `keyword` | MD5 hash. |
|`process.name` | `keyword` | Process name. |
|`process.parent.command_line` | `wildcard` | Full command line that started the process. |
|`process.parent.executable` | `keyword` | Absolute path to the process executable. |
|`process.parent.name` | `keyword` | Process name. |
|`process.parent.pid` | `long` | Process id. |
|`process.pid` | `long` | Process id. |
|`process.start` | `date` | The time the process started. |
|`registry.path` | `keyword` | Full path, including hive, key and value |
|`registry.value` | `keyword` | Name of the value written. |
|`source.ip` | `ip` | IP address of the source. |
|`source.port` | `long` | Port of the source. |
|`user.id` | `keyword` | Unique identifier of the user. |
|`user.name` | `keyword` | Short name or login of the user. |

73 changes: 73 additions & 0 deletions ...perations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1690,6 +1690,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"alert": {
"category": "ThreatManagement",
"display_name": "Mass download by a single user",
"id": "c299a0a0-14da-428a-b08d-481d562298cb",
"severity": "High",
"source": "Cloud App Security",
"status": "Active"
Expand Down Expand Up @@ -2159,6 +2160,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"alert": {
"category": "ThreatManagement",
"display_name": "Phish delivered due to an ETR override",
"id": "77f6d9ce-da8f-46bf-a651-4bec3c189770",
"severity": "Informational",
"source": "Office 365 Security & Compliance",
"status": "Active"
Expand Down Expand Up @@ -2245,6 +2247,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"category": "DataLossPrevention",
"display_name": "description",
"entity_type": "DlpRuleMatch",
"id": "cf0708c6-e2c5-4962-ae99-9af4799175f4",
"severity": "Low",
"source": "Office 365 Security & Compliance",
"status": "Active"
Expand Down Expand Up @@ -2326,6 +2329,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"category": "MailFlow",
"display_name": "Phishing detected",
"entity_type": "MalwareFamily",
"id": "178fa649-642f-4d41-943c-451e2266f4a7",
"severity": "Low",
"source": "Office 365 Security & Compliance",
"status": "Active"
Expand Down Expand Up @@ -2406,6 +2410,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"category": "ThreatManagement",
"display_name": "Email reported by user as junk",
"entity_type": "User",
"id": "be2ee3c6-2b3c-42ae-aefe-69f185114418",
"severity": "Low",
"source": "Office 365 Security & Compliance",
"status": "Active"
Expand Down Expand Up @@ -2443,6 +2448,73 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```


=== "security_compliance_alert_5.json"

```json

{
"message": "{\"CreationTime\": \"2024-04-16T08:01:42\", \"Id\": \"d7cab54f-77b1-4ad5-8f2d-b4bba61e4e93\", \"Operation\": \"AlertEntityGenerated\", \"OrganizationId\": \"e0ff0845-9d15-4399-86ae-15081e39a16a\", \"RecordType\": 40, \"ResultStatus\": \"Succeeded\", \"UserKey\": \"SecurityComplianceAlerts\", \"UserType\": 4, \"Version\": 1, \"Workload\": \"SecurityComplianceCenter\", \"ObjectId\": \"[email protected]\", \"UserId\": \"SecurityComplianceAlerts\", \"AlertEntityId\": \"[email protected]\", \"AlertId\": \"a3ce0859-c92c-4f57-b50b-a63dad75ec4a\", \"AlertLinks\": [], \"AlertType\": \"System\", \"Category\": \"ThreatManagement\", \"Comments\": \"New alert\", \"Data\": \"\", \"EntityType\": \"User\", \"Name\": \"Email reported by user as malware or phish\", \"PolicyId\": \"88d533c5-bad6-4cfb-9245-1776726b55d7\", \"Severity\": \"Low\", \"Source\": \"Office 365 Security & Compliance\", \"Status\": \"Investigating\"}",
"event": {
"action": "AlertEntityGenerated",
"category": [
"intrusion_detection"
],
"code": "40",
"kind": "alert",
"outcome": "success",
"type": [
"info"
]
},
"@timestamp": "2024-04-16T08:01:42Z",
"action": {
"id": 40,
"name": "AlertEntityGenerated",
"outcome": "success",
"target": "user"
},
"office365": {
"alert": {
"category": "ThreatManagement",
"display_name": "Email reported by user as malware or phish",
"id": "a3ce0859-c92c-4f57-b50b-a63dad75ec4a",
"severity": "Low",
"source": "Office 365 Security & Compliance",
"status": "Investigating"
},
"audit": {
"object_id": "[email protected]"
},
"record_type": 40,
"result_status": "Succeeded",
"user_type": {
"code": 4,
"name": "System"
}
},
"organization": {
"id": "e0ff0845-9d15-4399-86ae-15081e39a16a"
},
"related": {
"user": [
"SecurityComplianceAlerts"
]
},
"rule": {
"id": "88d533c5-bad6-4cfb-9245-1776726b55d7"
},
"service": {
"name": "SecurityComplianceCenter"
},
"user": {
"id": "SecurityComplianceAlerts",
"name": "SecurityComplianceAlerts"
}
}
```


=== "source_log.json"

```json
Expand Down Expand Up @@ -3204,6 +3276,7 @@ The following table lists the fields that are extracted, normalized under the EC
|`office365.alert.description` | `keyword` | |
|`office365.alert.display_name` | `keyword` | |
|`office365.alert.entity_type` | `keyword` | |
|`office365.alert.id` | `keyword` | |
|`office365.alert.severity` | `keyword` | |
|`office365.alert.source` | `keyword` | |
|`office365.alert.status` | `keyword` | |
Expand Down
Loading

0 comments on commit 18cf8ff

Please sign in to comment.