Merge pull request #1372 from SEKOIA-IO/update-intake-documentation

Refresh intakes documentation
SEKOIA-IO · Oct 15, 2023 · 1d012da · 1d012da
2 parents 7580a49 + a6cca1e
commit 1d012da
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 195 deletions.
diff --git a/...perations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md b/...perations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md
@@ -492,19 +492,20 @@ Find below few samples of events and how they are normalized by Sekoia.io.
             "type": "Microsoft-Windows-Sysmon/Operational",
             "id": 1,
             "properties": {
-                "Image": "c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe",
-                "AccountName": "SYSTEM",
-                "AccountType": "User",
-                "Domain": "NT AUTHORITY",
+                "Keywords": "-9223372036854775808",
                 "EventType": "INFO",
-                "OpcodeValue": 0,
-                "ProcessGuid": "{478F86EF-B101-64E4-F904-00000000E900}",
-                "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
                 "Severity": "INFO",
+                "SourceName": "Microsoft-Windows-Sysmon",
+                "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
                 "Task": 1,
+                "OpcodeValue": 0,
+                "Domain": "NT AUTHORITY",
+                "AccountName": "SYSTEM",
+                "AccountType": "User",
+                "ProcessGuid": "{478F86EF-B101-64E4-F904-00000000E900}",
+                "Image": "c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe",
                 "User": "NT AUTHORITY\\\\SYSTEM",
-                "SourceName": "Microsoft-Windows-Sysmon",
-                "Keywords": "-9223372036854775808"
+                "ParentImage": "C:\\\\Program Files\\\\NSClient++\\\\nscp.exe"
             },
             "name": "Process creation"
         },
@@ -5981,6 +5982,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
             "family": "windows",
             "platform": "windows"
         },
+        "action": {
+            "properties": {}
+        },
         "related": {
             "hosts": [
                 "mycorp.net"
@@ -6002,234 +6006,48 @@ The following table lists the fields that are extracted, normalized under the EC
 | ---- | ---- | ---------------------------|
 |`@timestamp` | `date` | Date/time when the event originated. |
 |`action.id` | `number` |  |
-|`action.properties.AccessList` | `keyword` |  |
-|`action.properties.AccessMask` | `keyword` |  |
-|`action.properties.AccessReason` | `keyword` |  |
 |`action.properties.Accesses` | `keyword` |  |
-|`action.properties.AccountName` | `keyword` |  |
-|`action.properties.AccountType` | `keyword` |  |
-|`action.properties.ActionName` | `keyword` |  |
-|`action.properties.Adapter` | `keyword` |  |
-|`action.properties.AdapterName` | `keyword` |  |
-|`action.properties.AdapterSuffixName` | `keyword` |  |
-|`action.properties.AllowedToDelegateTo` | `keyword` |  |
-|`action.properties.ApiCallerName` | `keyword` |  |
-|`action.properties.Application` | `keyword` |  |
-|`action.properties.AttributeLDAPDisplayName` | `keyword` |  |
-|`action.properties.AttributeValue` | `keyword` |  |
-|`action.properties.AuditPolicyChanges` | `keyword` |  |
-|`action.properties.Auth` | `keyword` |  |
-|`action.properties.AuthenticationAlgorithm` | `keyword` |  |
-|`action.properties.AuthenticationPackageName` | `keyword` |  |
 |`action.properties.BytesTotal` | `keyword` |  |
 |`action.properties.CallTrace` | `keyword` |  |
-|`action.properties.CallerProcessName` | `keyword` |  |
-|`action.properties.Cipher` | `keyword` |  |
-|`action.properties.CipherAlgorithm` | `keyword` |  |
-|`action.properties.ClassName` | `keyword` |  |
-|`action.properties.ClientAddress` | `keyword` |  |
-|`action.properties.ComputerName` | `keyword` |  |
 |`action.properties.ConfigurationFile` | `keyword` |  |
-|`action.properties.ConfigurationFileHash` | `keyword` |  |
 |`action.properties.Content` | `keyword` |  |
 |`action.properties.ContextInfo` | `keyword` |  |
-|`action.properties.DCName` | `keyword` |  |
-|`action.properties.Destination` | `keyword` |  |
 |`action.properties.DestinationPort` | `integer` |  |
-|`action.properties.Details` | `keyword` |  |
 |`action.properties.DetectionUser` | `keyword` |  |
-|`action.properties.Device` | `keyword` | Name of concerned device |
-|`action.properties.DeviceDescription` | `keyword` |  |
-|`action.properties.DeviceInstance` | `keyword` |  |
-|`action.properties.DeviceInstanceId` | `keyword` |  |
-|`action.properties.DeviceName` | `keyword` |  |
-|`action.properties.DisplayName` | `keyword` |  |
-|`action.properties.DnsServerList` | `keyword` |  |
-|`action.properties.Domain` | `keyword` |  |
-|`action.properties.DomainPeer` | `keyword` |  |
-|`action.properties.DriverName` | `keyword` |  |
 |`action.properties.ErrorCode` | `keyword` |  |
-|`action.properties.EventType` | `keyword` |  |
 |`action.properties.Execution Name` | `keyword` |  |
-|`action.properties.ExtensibleModulePath` | `keyword` |  |
 |`action.properties.FailureCode` | `integer` |  |
-|`action.properties.FailureName` | `keyword` |  |
-|`action.properties.FileList` | `keyword` |  |
-|`action.properties.GrantedAccess` | `keyword` |  |
-|`action.properties.HandleId` | `keyword` |  |
-|`action.properties.Hash` | `keyword` |  |
 |`action.properties.HealthAttestationServer` | `keyword` |  |
-|`action.properties.HiveName` | `keyword` |  |
-|`action.properties.HomeDirectory` | `keyword` |  |
 |`action.properties.HostApplication` | `keyword` |  |
 |`action.properties.HostName` | `keyword` |  |
 |`action.properties.HostUrl` | `keyword` |  |
-|`action.properties.IOCTL` | `keyword` |  |
-|`action.properties.Id` | `keyword` |  |
 |`action.properties.Image` | `keyword` |  |
 |`action.properties.ImageLoaded` | `keyword` | Image file loaded by the process |
-|`action.properties.ImagePath` | `keyword` |  |
-|`action.properties.InstanceName` | `keyword` |  |
-|`action.properties.InterfaceDescription` | `keyword` |  |
-|`action.properties.InterfaceGuid` | `keyword` |  |
-|`action.properties.IpAddress` | `keyword` |  |
-|`action.properties.IpPort` | `keyword` |  |
-|`action.properties.Ipaddress` | `keyword` |  |
-|`action.properties.KeyFilePath` | `keyword` |  |
-|`action.properties.KeyLength` | `keyword` |  |
-|`action.properties.KeyName` | `keyword` |  |
-|`action.properties.KeyType` | `keyword` |  |
 |`action.properties.Keywords` | `keyword` |  |
 |`action.properties.LastASSecurityIntelligenceAge` | `keyword` |  |
 |`action.properties.LastAVSecurityIntelligenceAge` | `keyword` |  |
 |`action.properties.LastFullScanAge` | `keyword` |  |
 |`action.properties.LastQuickScanAge` | `keyword` |  |
-|`action.properties.Library` | `keyword` |  |
-|`action.properties.LocalMAC` | `keyword` |  |
-|`action.properties.LocalMac` | `keyword` |  |
-|`action.properties.LocalName` | `keyword` |  |
-|`action.properties.LogonProcessName` | `keyword` |  |
-|`action.properties.LogonType` | `keyword` |  |
-|`action.properties.MemberName` | `keyword` |  |
-|`action.properties.MemberSid` | `keyword` |  |
 |`action.properties.MessEventType` | `keyword` |  |
-|`action.properties.MinimumPasswordLength` | `keyword` |  |
-|`action.properties.MinimumPasswordLengthAudit` | `keyword` |  |
-|`action.properties.NAME` | `keyword` |  |
 |`action.properties.New Value` | `keyword` |  |
-|`action.properties.NewName` | `keyword` |  |
-|`action.properties.NewTargetUserName` | `keyword` |  |
 |`action.properties.NewValue` | `keyword` |  |
-|`action.properties.ObjectClass` | `keyword` |  |
-|`action.properties.ObjectName` | `keyword` |  |
-|`action.properties.ObjectServer` | `keyword` |  |
-|`action.properties.ObjectType` | `keyword` |  |
-|`action.properties.ObjectValueName` | `keyword` |  |
 |`action.properties.Old Value` | `keyword` |  |
-|`action.properties.OldTargetUserName` | `keyword` |  |
-|`action.properties.OpcodeValue` | `number` |  |
-|`action.properties.Operation` | `keyword` |  |
-|`action.properties.OperationType` | `keyword` |  |
-|`action.properties.PHYType` | `keyword` |  |
-|`action.properties.PID` | `keyword` |  |
-|`action.properties.ParentDeviceInstanceId` | `keyword` |  |
 |`action.properties.ParentImage` | `keyword` |  |
 |`action.properties.Path` | `keyword` |  |
-|`action.properties.Payload` | `keyword` |  |
-|`action.properties.PipeName` | `keyword` |  |
-|`action.properties.PolicyName` | `keyword` |  |
-|`action.properties.PreAuthType` | `keyword` |  |
-|`action.properties.PrivilegeList` | `keyword` |  |
-|`action.properties.ProcessGuid` | `keyword` |  |
 |`action.properties.ProcessName` | `keyword` |  |
-|`action.properties.ProcessPath` | `keyword` |  |
-|`action.properties.ProcessPid` | `keyword` |  |
-|`action.properties.Properties` | `keyword` |  |
-|`action.properties.ProviderGuid` | `keyword` |  |
 |`action.properties.ProxyServer` | `keyword` |  |
 |`action.properties.ReferrerUrl` | `keyword` |  |
-|`action.properties.RelativeTargetName` | `keyword` | Filename of the target |
-|`action.properties.RelaxMinimumPasswordLengthLimits` | `keyword` |  |
-|`action.properties.ResetCount` | `keyword` |  |
-|`action.properties.ResetReason` | `keyword` |  |
-|`action.properties.ReturnCode` | `keyword` |  |
-|`action.properties.RunspaceId` | `keyword` |  |
-|`action.properties.SSID` | `keyword` |  |
-|`action.properties.SamAccountName` | `keyword` |  |
-|`action.properties.ScriptBlockId` | `keyword` |  |
-|`action.properties.ScriptBlockText` | `keyword` |  |
-|`action.properties.ScriptPath` | `keyword` |  |
 |`action.properties.SentUpdateServer` | `keyword` |  |
-|`action.properties.Service` | `keyword` |  |
-|`action.properties.ServiceAccount` | `keyword` |  |
 |`action.properties.ServiceFileName` | `keyword` |  |
-|`action.properties.ServiceName` | `keyword` | Name of the service |
-|`action.properties.ServicePrincipalNames` | `keyword` |  |
-|`action.properties.ServiceSid` | `keyword` |  |
-|`action.properties.ServiceStartType` | `keyword` |  |
-|`action.properties.ServiceType` | `keyword` |  |
-|`action.properties.Severity` | `keyword` |  |
-|`action.properties.ShareLocalPath` | `keyword` |  |
-|`action.properties.ShareName` | `keyword` |  |
-|`action.properties.SidHistory` | `keyword` |  |
-|`action.properties.Signature` | `keyword` |  |
-|`action.properties.SignatureStatus` | `keyword` |  |
-|`action.properties.Signed` | `keyword` |  |
-|`action.properties.Source` | `keyword` |  |
 |`action.properties.SourceImage` | `keyword` | Name of the source image |
-|`action.properties.SourceName` | `keyword` |  |
-|`action.properties.SourceProcessId` | `keyword` |  |
-|`action.properties.StartAddress` | `keyword` |  |
 |`action.properties.StartFunction` | `keyword` |  |
 |`action.properties.StartModule` | `keyword` |  |
-|`action.properties.StartType` | `keyword` |  |
-|`action.properties.Status` | `keyword` |  |
 |`action.properties.StatusInformation` | `keyword` |  |
-|`action.properties.StopTime` | `keyword` |  |
-|`action.properties.SubStatus` | `keyword` |  |
-|`action.properties.SubjectDomainName` | `keyword` |  |
-|`action.properties.SubjectLogonId` | `keyword` |  |
-|`action.properties.SubjectUserName` | `keyword` |  |
-|`action.properties.SubjectUserSid` | `keyword` |  |
-|`action.properties.TargetDomainName` | `keyword` | Domain of the target user |
-|`action.properties.TargetFilename` | `keyword` |  |
 |`action.properties.TargetImage` | `keyword` | Name of the target image |
-|`action.properties.TargetInfo` | `keyword` |  |
-|`action.properties.TargetObject` | `keyword` |  |
-|`action.properties.TargetOutboundDomainName` | `keyword` |  |
-|`action.properties.TargetOutboundUserName` | `keyword` |  |
-|`action.properties.TargetProcessId` | `keyword` |  |
-|`action.properties.TargetServerName` | `keyword` | Name of the target server |
-|`action.properties.TargetSid` | `keyword` |  |
-|`action.properties.TargetUserName` | `keyword` | Name of the target user |
-|`action.properties.TargetUserSid` | `keyword` | SID of the target user |
-|`action.properties.Task` | `number` |  |
-|`action.properties.TaskContentNew` | `keyword` |  |
 |`action.properties.TaskContentNew_Args` | `keyword` |  |
 |`action.properties.TaskContentNew_Command` | `keyword` |  |
-|`action.properties.TaskName` | `keyword` |  |
 |`action.properties.ThreatName` | `keyword` |  |
-|`action.properties.TicketEncryptionType` | `keyword` |  |
-|`action.properties.TicketOptions` | `keyword` |  |
-|`action.properties.TimeSource` | `keyword` |  |
-|`action.properties.Type` | `keyword` |  |
-|`action.properties.User` | `keyword` |  |
-|`action.properties.UserContext` | `keyword` |  |
-|`action.properties.UserName` | `keyword` |  |
-|`action.properties.UserPrincipalName` | `keyword` |  |
-|`action.properties.UserSid` | `keyword` |  |
-|`action.properties.Volume` | `keyword` |  |
-|`action.properties.VolumeGuid` | `keyword` |  |
-|`action.properties.VolumeName` | `keyword` |  |
-|`action.properties.VsmPolicy` | `keyword` |  |
-|`action.properties.Workstation` | `keyword` | Name of the workstation |
-|`action.properties.WorkstationName` | `keyword` |  |
-|`action.properties.WritePhase` | `keyword` |  |
-|`action.properties.Zone` | `keyword` |  |
 |`action.properties.ZoneId` | `keyword` |  |
-|`action.properties.bytesTransferred` | `keyword` |  |
-|`action.properties.cfgattr` | `keyword` |  |
-|`action.properties.cfgpath` | `keyword` |  |
-|`action.properties.desc` | `keyword` |  |
-|`action.properties.devname` | `keyword` |  |
-|`action.properties.fid_UsbDevice` | `keyword` |  |
-|`action.properties.fid_bcdDevice` | `keyword` |  |
-|`action.properties.fid_idProduct` | `keyword` |  |
-|`action.properties.fid_idVendor` | `keyword` |  |
-|`action.properties.job` | `keyword` |  |
-|`action.properties.jobTitle` | `keyword` |  |
-|`action.properties.param1` | `keyword` |  |
-|`action.properties.param2` | `keyword` |  |
-|`action.properties.param3` | `keyword` |  |
-|`action.properties.param4` | `keyword` |  |
-|`action.properties.param5` | `keyword` |  |
-|`action.properties.param6` | `keyword` |  |
-|`action.properties.param7` | `keyword` |  |
-|`action.properties.param8` | `keyword` |  |
-|`action.properties.param9` | `keyword` |  |
-|`action.properties.server` | `keyword` |  |
-|`action.properties.ui` | `keyword` |  |
-|`action.properties.updateGuid` | `keyword` |  |
 |`action.target` | `keyword` |  |
 |`destination.address` | `keyword` | Destination network address. |
 |`destination.domain` | `keyword` | The domain name of the destination. |

diff --git a/...perations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md b/...perations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md
@@ -342,6 +342,10 @@ Find below few samples of events and how they are normalized by Sekoia.io.
         "server": {
             "ip": "5.6.7.8"
         },
+        "destination": {
+            "ip": "5.6.7.8",
+            "address": "5.6.7.8"
+        },
         "user_agent": {
             "original": "Unknown",
             "device": {