Refresh intakes documentation
1 parent 76aadeb commit 1d66a5f
Showing 22 changed files with 2,697 additions and 536 deletions.


Original file line number Diff line number Diff line change
Expand Up @@ -69,7 +69,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"command_line": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc",
"executable": "\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe",
"parent": {
"executable": "services.exe",
"name": "services.exe",
"pid": 11768266
},
"pid": 4164,
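Review bot: moving `services.exe` from `process.parent.executable` to `process.parent.name` is the right ECS field, because the source only supplies a base file name rather than an absolute path (compare `process.executable` in the same sample, which carries the full `\\Device\\HarddiskVolume1\\...` path). This hunk only updates the sample; make sure the field table in the same file lists `process.parent.name` and no longer documents `process.parent.executable`, so the table and the samples agree.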
Expand Down Expand Up @@ -138,6 +138,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"platform": "win"
}
},
"network": {
"iana_number": "6"
},
"observer": {
"ip": [
"1.2.3.4"
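Review bot: `network.iana_number` is emitted as the string `"6"`, which matches the `keyword` type ECS assigns to that field, but a reader has to know that 6 means TCP. Consider also populating `network.transport` (`tcp`/`udp`) from the same protocol number so detection rules can match on a readable value, or state in the field table that only the numeric form is provided.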
Expand Down Expand Up @@ -253,6 +256,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"platform": "mac"
}
},
"network": {
"iana_number": "17"
},
"related": {
"ip": [
"2001:cafe:37:ed:6f:51:7d:67",
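Review bot: this sample now reports `network.iana_number` `"17"` (UDP) while `related.ip` carries an IPv6 address (`2001:cafe:37:ed:6f:51:7d:67`); if the source also exposes the address family, `network.type` (`ipv4`/`ipv6`) would be a useful companion field next to `network.iana_number`. No change needed otherwise.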
Expand Down Expand Up @@ -314,7 +320,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"command_line": "\"gpupdate.exe\" /target:computer",
"executable": "\\Device\\HarddiskVolume4\\Windows\\System32\\gpupdate.exe",
"parent": {
"executable": "svchost.exe",
"name": "svchost.exe",
"pid": 158964342720
},
"pid": 8960,
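Review bot: `process.parent.pid` is `158964342720` here (and similarly large values appear in the other samples), which is far beyond the 32-bit range of a Windows process id, so this is the sensor's own process identifier rather than the OS pid. The field table describes `process.parent.pid` only as "Process id"; a sentence saying these values are sensor-assigned identifiers would stop analysts from trying to join them against OS pids from other log sources.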
Expand Down Expand Up @@ -883,7 +889,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"command_line": "/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient",
"executable": "/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient",
"parent": {
"executable": "launchd",
"name": "launchd",
"pid": 494714991831837524
},
"pid": 6812,
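Review bot: the macOS sample is consistent with the Windows ones (`launchd` is a base name, so `process.parent.name` fits). Minor wording point in the heading that appears in the hunk context: "Find below few samples of events" should read "Find below a few samples of events".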
Expand Down Expand Up @@ -1222,7 +1228,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"command_line": "\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\acrocef_1\\AcroCEF.exe\" --type=gpu-process --log-severity=disable --user-agent-product=\"ReaderServices/23.1.20174 Chrome/105.0.0.0\" --lang=en-US --user-data-dir=\"C:\\Users\\p.gregoire\\AppData\\Local\\CEF\\User Data\" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file=\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\acrocef_1\\debug.log\" --mojo-platform-channel-handle=2680 --field-trial-handle=1620,i,11497596256796242755,3026965967799273852,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2",
"executable": "\\Device\\HarddiskVolume4\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\acrocef_1\\AcroCEF.exe",
"parent": {
"executable": "AcroCEF.exe",
"name": "AcroCEF.exe",
"pid": 1084277996656
},
"pid": 18184,
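Review bot: the AcroCEF command line in this sample embeds a user profile path (`C:\\Users\\p.gregoire\\AppData\\...`) that looks like a real account name, while other fields in this file are anonymised (for example `S-1-5-21-XXXX-XXXXX-9457`); replace it with a placeholder before publishing. The rename to `process.parent.name` is otherwise consistent with the rest of the change.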
Expand Down Expand Up @@ -1733,6 +1739,215 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```


=== "telemetry_event_37.json"

```json

{
"message": "{\"ProcessCreateFlags\":\"4\",\"IntegrityLevel\":\"8192\",\"ParentProcessId\":\"288633815511\",\"SourceProcessId\":\"288633815511\",\"aip\":\"89.251.59.206\",\"SHA1HashData\":\"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc\",\"UserSid\":\"S-1-5-21-XXXX-XXXXX-9457\",\"event_platform\":\"Win\",\"TokenType\":\"1\",\"ProcessEndTime\":\"\",\"AuthenticodeHashData\":\"e72acf26e8ca12c48d2697e849fd68887515956a\",\"ParentBaseFileName\":\"setup.exe\",\"EventOrigin\":\"1\",\"ImageSubsystem\":\"2\",\"id\":\"93a1f830-c5a3-41f3-a5c0-df8cdd61295f\",\"EffectiveTransmissionClass\":\"3\",\"SessionId\":\"4\",\"Tags\":\"25,27,41,268,874,924,10445360464024,10445360464025,10445360464026,10445360464258,10445360464273,10445360464274,12094627905582,12094627906234,219902325555779\",\"timestamp\":\"1705915256602\",\"event_simpleName\":\"ProcessRollup2\",\"RawProcessId\":\"17600\",\"ConfigStateHash\":\"2529887863\",\"MD5HashData\":\"68b329da9893e34099c7d8ad5cb9c940\",\"SHA256HashData\":\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\"ProcessSxsFlags\":\"64\",\"AuthenticationId\":\"610129406\",\"ConfigBuild\":\"1007.3.0017706.10\",\"CommandLine\":\"C:\\\\WINDOWS\\\\System32\\\\rundll32.exe\",\"ParentAuthenticationId\":\"610129406\",\"TargetProcessId\":\"288727090872\",\"ImageFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\rundll32.exe\",\"SourceThreadId\":\"11362082185143\",\"Entitlements\":\"15\",\"name\":\"ProcessRollup2V19\",\"ProcessStartTime\":\"1705915253.929\",\"ProcessParameterFlags\":\"24577\",\"aid\":\"36a2337df811411eb6abeac136945a6c\",\"SignInfoFlags\":\"8683538\",\"cid\":\"7da61e27e34f4b8394081896af72e2c7\"}",
"event": {
"action": "ProcessRollup2",
"category": [
"process"
],
"type": [
"info"
]
},
"@timestamp": "2024-01-22T09:20:56.602000Z",
"agent": {
"id": "36a2337df811411eb6abeac136945a6c"
},
"crowdstrike": {
"customer_id": "7da61e27e34f4b8394081896af72e2c7"
},
"file": {
"hash": {
"md5": "68b329da9893e34099c7d8ad5cb9c940",
"sha1": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc",
"sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b"
}
},
"host": {
"ip": [
"89.251.59.206"
],
"os": {
"platform": "win"
}
},
"process": {
"command_line": "C:\\WINDOWS\\System32\\rundll32.exe",
"executable": "\\Device\\HarddiskVolume3\\Windows\\System32\\rundll32.exe",
"parent": {
"name": "setup.exe",
"pid": 288633815511
},
"pid": 17600,
"start": "2024-01-22T09:20:53.929000Z",
"thread": {
"id": 11362082185143
}
},
"related": {
"hash": [
"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b",
"68b329da9893e34099c7d8ad5cb9c940",
"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc"
],
"ip": [
"89.251.59.206"
]
},
"source": {
"nat": {
"ip": "89.251.59.206"
}
},
"user": {
"id": "S-1-5-21-XXXX-XXXXX-9457"
}
}
```


=== "telemetry_event_38.json"

```json

{
"message": "{\"LocalAddressIP4\":\"0.0.0.0\",\"event_simpleName\":\"NetworkConnectIP4\",\"ContextTimeStamp\":\"1711014477.367\",\"ConfigStateHash\":\"4129765047\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"10406654690112427952\",\"RemotePort\":\"443\",\"OriginatingURL\":\"chat.cdn.whatsapp.net\",\"aip\":\"4.5.6.7\",\"ConfigBuild\":\"1007.32.20240201.1\",\"event_platform\":\"iOS\",\"LocalPort\":\"0\",\"name\":\"NetworkConnectIP4IOSV3\",\"id\":\"71d72ce3-8355-4e3e-94e9-eb638c361d56\",\"Protocol\":\"6\",\"aid\":\"1ad825a8bc954a90bc5557c95740795c\",\"RemoteAddressIP4\":\"5.6.7.8\",\"ConnectionDirection\":\"0\",\"timestamp\":\"1711014478084\",\"cid\":\"5a2f76b2897e4170bebccda80c903eb4\"}",
"event": {
"action": "NetworkConnectIP4",
"category": [
"network"
],
"type": [
"info"
]
},
"@timestamp": "2024-03-21T09:47:58.084000Z",
"agent": {
"id": "1ad825a8bc954a90bc5557c95740795c"
},
"crowdstrike": {
"customer_id": "5a2f76b2897e4170bebccda80c903eb4"
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"nat": {
"port": 443
}
},
"host": {
"ip": [
"4.5.6.7"
],
"os": {
"platform": "ios"
}
},
"network": {
"iana_number": "6"
},
"observer": {
"ip": [
"0.0.0.0"
]
},
"related": {
"ip": [
"0.0.0.0",
"4.5.6.7",
"5.6.7.8"
]
},
"source": {
"address": "0.0.0.0",
"ip": "0.0.0.0",
"nat": {
"ip": "4.5.6.7",
"port": 0
}
},
"url": {
"full": "chat.cdn.whatsapp.net"
}
}
```


=== "telemetry_event_39.json"

```json

{
"message": "{\"LocalAddressIP4\":\"1.2.3.4\",\"event_simpleName\":\"NetworkConnectIP4\",\"ContextTimeStamp\":\"1711014491.759\",\"ConfigStateHash\":\"4129765047\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"4179223508173316025\",\"RemotePort\":\"443\",\"OriginatingURL\":\"https://outlook.office365.com/Microsoft-Server-ActiveSync\",\"aip\":\"4.5.6.7\",\"ConfigBuild\":\"1007.32.20240201.1\",\"event_platform\":\"iOS\",\"LocalPort\":\"50309\",\"name\":\"NetworkConnectIP4IOSV3\",\"id\":\"c1169837-5261-45a4-a1da-1102816304d0\",\"Protocol\":\"17\",\"aid\":\"1ad825a8bc954a90bc5557c95740795c\",\"RemoteAddressIP4\":\"5.6.7.8\",\"ConnectionDirection\":\"0\",\"timestamp\":\"1711014491954\",\"cid\":\"5a2f76b2897e4170bebccda80c903eb4\"}",
"event": {
"action": "NetworkConnectIP4",
"category": [
"network"
],
"type": [
"info"
]
},
"@timestamp": "2024-03-21T09:48:11.954000Z",
"agent": {
"id": "1ad825a8bc954a90bc5557c95740795c"
},
"crowdstrike": {
"customer_id": "5a2f76b2897e4170bebccda80c903eb4"
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"nat": {
"port": 443
}
},
"host": {
"ip": [
"4.5.6.7"
],
"os": {
"platform": "ios"
}
},
"network": {
"iana_number": "17"
},
"observer": {
"ip": [
"1.2.3.4"
]
},
"related": {
"ip": [
"1.2.3.4",
"4.5.6.7",
"5.6.7.8"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"nat": {
"ip": "4.5.6.7",
"port": 50309
}
},
"url": {
"full": "https://outlook.office365.com/Microsoft-Server-ActiveSync"
}
}
```


=== "telemetry_event_4.json"

```json
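Review bot: in telemetry_event_38 the local address is `0.0.0.0`, which the parser copies into `source.ip`, `observer.ip` and `related.ip`. `0.0.0.0` is the unspecified address, so listing it under `related.ip` makes every such event match any pivot or rule keyed on that value; consider dropping unspecified addresses from `related.ip` and `observer.ip`. A smaller point: telemetry_event_37 uses `89.251.59.206`, which is not a documentation-range address, unlike the obviously placeholder `1.2.3.4` / `4.5.6.7` values used elsewhere in the file.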
Expand Down Expand Up @@ -2069,7 +2284,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"end": "2022-08-20T19:06:18.014000Z",
"executable": "\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe",
"parent": {
"executable": "services.exe",
"name": "services.exe",
"pid": 11768266
},
"pid": 4164,
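Review bot: this sample carries the same `process.parent.pid` (`11768266`) and `process.pid` (`4164`) as the first sample in the file; if the two samples are the same event with and without `process.end`, one of them could be dropped to keep the page shorter. Otherwise the rename to `process.parent.name` is consistent.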
Expand Down Expand Up @@ -2132,14 +2347,15 @@ The following table lists the fields that are extracted, normalized under the EC
|`host.mac` | `keyword` | Host MAC addresses. |
|`host.name` | `keyword` | Name of the host. |
|`host.os.platform` | `keyword` | Operating system platform (such centos, ubuntu, windows). |
|`network.iana_number` | `keyword` | IANA Protocol Number. |
|`observer.egress.interface.alias` | `keyword` | Interface alias |
|`observer.ip` | `ip` | IP addresses of the observer. |
|`observer.mac` | `keyword` | MAC addresses of the observer. |
|`process.args` | `keyword` | Array of process arguments. |
|`process.command_line` | `wildcard` | Full command line that started the process. |
|`process.end` | `date` | The time the process ended. |
|`process.executable` | `keyword` | Absolute path to the process executable. |
|`process.parent.executable` | `keyword` | Absolute path to the process executable. |
|`process.parent.name` | `keyword` | Process name. |
|`process.parent.pid` | `long` | Process id. |
|`process.pid` | `long` | Process id. |
|`process.start` | `date` | The time the process started. |
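Review bot: the new `process.parent.name` row reuses the description "Process name.", which does not say it refers to the parent; "Name of the parent process (base file name, e.g. `services.exe`)." would match what the samples show. Two context rows nearby could be fixed in the same pass: `host.os.platform` reads "such centos" (should be "such as centos"), and `process.parent.pid` / `process.pid` are both described as "Process id" although the samples show sensor-assigned values much larger than OS pids.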
Expand All @@ -2154,6 +2370,7 @@ The following table lists the fields that are extracted, normalized under the EC
|`source.nat.ip` | `ip` | Source NAT ip |
|`source.nat.port` | `long` | Source NAT port |
|`url.domain` | `keyword` | Domain of the url. |
|`url.full` | `wildcard` | Full unparsed URL. |
|`url.path` | `wildcard` | Path of the request, such as "/search". |
|`user.id` | `keyword` | Unique identifier of the user. |
|`user.name` | `keyword` | Short name or login of the user. |
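Review bot: `url.full` is documented as "Full unparsed URL", but telemetry_event_38 stores a bare hostname (`chat.cdn.whatsapp.net`) in it while telemetry_event_39 stores a real URL (`https://outlook.office365.com/...`). Since the table already lists `url.domain`, consider setting `url.domain` from `OriginatingURL` in both cases (parsing the host out of the URL form) so rules can match on the host regardless of which form the sensor sends.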
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"code": "deprecated_ssl_tls_individual",
"kind": "alert",
"reason": "db1\\.example\\.org established an SSL/TLS connection with a deprecated version of SSL/TLS. SSL 2.0, SSL 3.0, and TLS 1.0 are deprecated because they are vulnerable to attacks.",
"risk_score": 30,
"start": "2023-11-30T21:30:23.296000Z",
"type": [
"info"
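Review bot: `event.risk_score` is shown as the integer `30` while the table types it as `float`; that is consistent with ECS, but the page should say what scale the source uses, since `event.risk_score_norm` (0-100) is also listed in the table and is not populated in this sample. Note also that `event.reason` preserves the source's markdown escaping (`db1\\.example\\.org`), which is fine for display but matters when writing rules that match on the hostname.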
Expand Down Expand Up @@ -94,6 +95,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"code": "llmnr_activity_individual",
"kind": "alert",
"reason": "[db3\\.example\\.org](#/metrics/devices/6e0cd9a20b0e46e39ce0eca0b71f195c.0e3faba10b8b0000/overview?from=1701270240&interval_type=DT&until=1706720940) sent Link-Local Multicast Name Resolution (LLMNR) requests that are part of an internal broadcast query to resolve a hostname. The LLMNR protocol is known to be vulnerable to attacks.",
"risk_score": 30,
"start": "2023-11-29T15:04:00Z",
"type": [
"info"
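Review bot: in this sample `event.reason` contains a markdown link (`[db3\\.example\\.org](#/metrics/devices/...)`) whose target is a fragment relative to the source console; displays that do not render markdown will show the raw link syntax, so consider stripping the link markup from `event.reason` and keeping only the plain hostname, with the console link in a separate field if it is needed.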
Expand Down Expand Up @@ -135,6 +137,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"code": "weak_cipher_individual",
"kind": "alert",
"reason": "[db1\\.example\\.org](#/metrics/devices/bcaa64bcd3c5440ea94d1b73c75979ae.0ed41b93cf2f0000/overview?from=1701379823&interval_type=DT&until=1706720940) negotiated an SSL/TLS session with a cipher suite that includes a weak encryption algorithm such as CBC, 3DES, RC4, null, anonymous, or export. Remove this cipher suite from [db1\\.example\\.org](#/metrics/devices/bcaa64bcd3c5440ea94d1b73c75979ae.0ed41b93cf2f0000/overview?from=1701379823&interval_type=DT&until=1706720940) and replace with stronger cipher suites.",
"risk_score": 30,
"start": "2023-11-30T21:30:23.296000Z",
"type": [
"info"
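Review bot: all three samples in this file show an `event.risk_score` of `30`, so the page gives no indication of the score range; either add a sample with a different score or state the scale in the field table. The `reason` text here repeats the device link twice, which reinforces the earlier suggestion to strip link markup from `event.reason`.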
Expand Down Expand Up @@ -189,6 +192,7 @@ The following table lists the fields that are extracted, normalized under the EC
|`event.code` | `keyword` | Identification code for this event. |
|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
|`event.reason` | `keyword` | Reason why this event happened, according to the source |
|`event.risk_score` | `float` | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. |
|`event.risk_score_norm` | `float` | Normalized risk score or priority of the event (0-100). |
|`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. |
|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
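Review bot: the description added for `event.risk_score` is the ECS definition verbatim, including "Use your system's original value here.", which is guidance for implementers rather than information for a reader of this intake page; "Risk score of the event as reported by the source (see samples above)." would read better next to the `event.risk_score_norm` row that follows it.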