From 1d66a5f341a77bfa592a3b7239c41feda84aa148 Mon Sep 17 00:00:00 2001 From: "sekoia-io-cross-repo-comm-app[bot]" <99295792+sekoia-io-cross-repo-comm-app[bot]@users.noreply.github.com> Date: Fri, 5 Apr 2024 11:00:04 +0000 Subject: [PATCH] Refresh intakes documentation --- .../05e6f36d-cee0-4f06-b575-9e43af779f9f.md | 681 ++++++++++++++++++ .../10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md | 229 +++++- .../1df44c62-33d3-41d4-8176-f1fa13589eea.md | 4 + .../250e4095-fa08-4101-bb02-e72f870fcbd1.md | 147 ++++ .../340e3bc7-2b76-48e4-9833-e971451b2979.md | 142 ++-- .../3c7057d3-4689-4fae-8033-6f1f887a70f2.md | 105 +++ .../40bac399-2d8e-40e3-af3b-f73a622c9687.md | 115 +++ .../466aeca2-e112-4ccc-a109-c6d85b91bbcf.md | 91 ++- .../46e45417-187b-45bb-bf81-30df7b1963a0.md | 114 ++- .../5702ae4e-7d8a-455f-a47b-ef64dd87c981.md | 137 +++- .../5a8ef52f-d143-4735-8546-98539fc07725.md | 4 + .../5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2.md | 2 + .../622999fe-d383-4d41-9f2d-eed5013fe463.md | 46 +- .../6dbdd199-77ae-4705-a5de-5c2722fa020e.md | 114 +-- .../70c5c3db-fae8-4825-8d8b-08d6315e1ef6.md | 30 +- .../90179796-f949-490c-8729-8cbc9c65be55.md | 114 +++ .../9281438c-f7c3-4001-9bcc-45fd108ba1be.md | 75 ++ .../a14b1141-2d61-414b-bf79-da99b487b1af.md | 15 +- .../bae128bb-98c6-45f7-9763-aad3451821e5.md | 596 +++++++-------- .../d3a813ac-f9b5-451c-a602-a5994544d9ed.md | 98 +-- .../d719e8b5-85a1-4dad-bf71-46155af56570.md | 60 +- .../ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb.md | 314 ++++++++ 22 files changed, 2697 insertions(+), 536 deletions(-) diff --git a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md index 96d2238658..96b35d8bc5 100644 --- a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md +++ b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md @@ -81,6 +81,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "defender": { "alert": { "id": "dadca6b5e5-5ab9-4a96-9dbb-ba2f8e7756e3_1", + "severity": "Low", "title": "Executable content from email blocked" }, "entity": { @@ -156,6 +157,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "defender": { "alert": { "id": "fa72d6f6a8-39e7-2681-d400-08dbbe90c56e", + "severity": "Informational", "title": "Phish delivered due to an IP allow policy" }, "entity": { @@ -178,6 +180,92 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_alert_evidence_3.json" + + ```json + + { + "message": "{\"time\":\"2024-03-13T12:57:23.9020375Z\",\"tenantId\":\"07313d70-2f20-4c3c-847a-ecbcfc20afd1\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-AlertEvidence\",\"properties\":{\"Timestamp\":\"2024-03-13T12:57:00Z\",\"AlertId\":\"eb85e8e3-670c-43d7-95f3-c57c91b80a1d\",\"EntityType\":\"Mailbox\",\"EvidenceRole\":\"Impacted\",\"SHA1\":\"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc\",\"SHA256\":\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\"RemoteIP\":\"5.6.7.8\",\"LocalIP\":\"1.2.3.4\",\"RemoteUrl\":null,\"AccountName\":\"john.doe\",\"AccountDomain\":\"example\",\"AccountSid\":\"S-1-5-21-1111111111-222222222-444444444-333333\",\"AccountObjectId\":\"356eaca4-b5d5-4c9f-9cea-f566e4ec7570\",\"DeviceId\":null,\"ThreatFamily\":null,\"EvidenceDirection\":null,\"AdditionalFields\":\"{\\\"MailboxPrimaryAddress\\\":\\\"john.doe@example.com\\\",\\\"DisplayName\\\":\\\"DOEJohn\\\",\\\"Upn\\\":\\\"john.doe@example.com\\\",\\\"AadId\\\":\\\"cb2b1d48-3c0c-4eeb-bf05-2245a6e7aa38\\\",\\\"RiskLevel\\\":\\\"None\\\",\\\"StartTimeUtc\\\":\\\"2024-03-13T12:55:00Z\\\",\\\"EndTimeUtc\\\":\\\"2024-03-13T12:57:00Z\\\",\\\"EntitySources\\\":[\\\"Alert\\\"],\\\"Type\\\":\\\"mailbox\\\",\\\"Urn\\\":\\\"urn:UserEntity:68b329da9893e34099c7d8ad5cb9c940\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"0001-01-01T00:00:00\\\",\\\"SourceEntityType\\\":\\\"MalwareFamily\\\",\\\"SourceEntityId\\\":\\\"b8ed97e9-82ed-49b2-bf20-ebc413349655\\\",\\\"SourceThreatType\\\":\\\"Phish,Malicious\\\",\\\"SourceThreatName\\\":\\\"Phish,Malicious\\\",\\\"UserSid\\\":\\\"S-1-5-21-1111111111-222222222-444444444-333333\\\",\\\"AccountName\\\":\\\"john.doe\\\",\\\"DomainName\\\":\\\"example\\\",\\\"Role\\\":0,\\\"MergeByKey\\\":\\\"P/0zPBzZgl+0ob6ZK60I7fmCbPU=\\\",\\\"MergeByKeyHex\\\":\\\"3FFD333C1CD9825FB4A1BE992BAD08EDF9826CF5\\\"}\",\"MachineGroup\":null,\"NetworkMessageId\":null,\"ServiceSource\":\"MicrosoftDefenderforOffice365\",\"FileName\":\"splwow64.exe\",\"FolderPath\":\"C:\\\\Windows\",\"ProcessCommandLine\":null,\"EmailSubject\":null,\"ApplicationId\":null,\"Application\":null,\"DeviceName\":null,\"FileSize\":13,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"AccountUpn\":\"john.doe@example.com\",\"OAuthApplicationId\":null,\"Categories\":\"[\\\"InitialAccess\\\"]\",\"Title\":\"PhishdeliveredduetoanETRoverride\",\"AttackTechniques\":\"[\\\"Phishing(T1566)\\\"]\",\"DetectionSource\":\"MicrosoftDefenderforOffice365\",\"Severity\":\"Informational\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "threat" + ], + "dataset": "alert_evidence", + "kind": "enrichment", + "type": [ + "indicator" + ] + }, + "@timestamp": "2024-03-13T12:57:00Z", + "action": { + "properties": { + "AccountSid": "S-1-5-21-1111111111-222222222-444444444-333333", + "AccountUPN": "john.doe@example.com", + "ServiceSource": "MicrosoftDefenderforOffice365" + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "file": { + "directory": "C:\\Windows", + "hash": { + "sha1": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc", + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + }, + "name": "splwow64.exe", + "size": 13 + }, + "microsoft": { + "defender": { + "alert": { + "id": "eb85e8e3-670c-43d7-95f3-c57c91b80a1d", + "severity": "Informational", + "title": "PhishdeliveredduetoanETRoverride" + }, + "entity": { + "type": "Mailbox" + }, + "evidence": { + "role": "Impacted" + }, + "threat": { + "severity": "Informational" + } + } + }, + "related": { + "hash": [ + "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", + "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "john.doe" + ] + }, + "service": { + "name": "MicrosoftDefenderforOffice365", + "type": "MicrosoftDefenderforOffice365" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "domain": "example", + "id": "356eaca4-b5d5-4c9f-9cea-f566e4ec7570", + "name": "john.doe" + } + } + + ``` + + === "test_cloud_app.json" ```json @@ -340,6 +428,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "defender": { "alert": { "id": "da637977531594995313_968283104", + "severity": "Informational", "title": "'Lodi' unwanted software was prevented" }, "threat": { @@ -1283,6 +1372,597 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_email_events.json" + + ```json + + { + "message": "{\"time\":\"2022-09-01T07:28:59.5127177Z\",\"tenantId\":\"5ac3ff49-0e19-4600-9ad1-333e64e3b5cc\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-EmailEvents\",\"properties\":{\"AccountSid\":null,\"AccountDomain\":null,\"AccountName\":null,\"LogonId\":null,\"FileName\":null,\"FolderPath\":null,\"MD5\":null,\"SHA1\":null,\"FileSize\":null,\"SHA256\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"RemoteUrl\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"RemoteDeviceName\":null,\"FileOriginIP\":null,\"FileOriginUrl\":null,\"LocalIP\":\"1.2.3.4\",\"LocalPort\":null,\"RemoteIP\":\"5.6.7.8\",\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"AdditionalFields\":\"{\\\"BaseAddress\\\":2098738167808,\\\"RegionSize\\\":262144,\\\"ProtectionMask\\\":64}\",\"ActionType\":\"NtAllocateVirtualMemoryApiCall\",\"InitiatingProcessVersionInfoCompanyName\":\"Google\",\"InitiatingProcessVersionInfoProductName\":\"Software Reporter Tool\",\"InitiatingProcessVersionInfoProductVersion\":\"102.286.200\",\"InitiatingProcessVersionInfoInternalFileName\":\"software_reporter_tool_exe\",\"InitiatingProcessVersionInfoOriginalFileName\":\"software_reporter_tool.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Software Reporter Tool\",\"InitiatingProcessFolderPath\":\"c:\\\\users\\\\USER\\\\appdata\\\\local\\\\google\\\\chrome\\\\user data\\\\swreporter\\\\102.286.200\\\\software_reporter_tool.exe\",\"InitiatingProcessFileName\":\"software_reporter_tool.exe\",\"InitiatingProcessFileSize\":14687048,\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessLogonId\":121834210,\"InitiatingProcessAccountSid\":\"S-1-00-1-1111111-2222222222-3333333333-4444444444\",\"InitiatingProcessAccountDomain\":\"intranet\",\"InitiatingProcessAccountName\":\"group1\",\"InitiatingProcessAccountUpn\":\"user@example.org\",\"InitiatingProcessAccountObjectId\":\"9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2\",\"InitiatingProcessCreationTime\":\"2022-09-01T06:56:23.7887846Z\",\"InitiatingProcessId\":1664,\"InitiatingProcessCommandLine\":\"\\\"software_reporter_tool.exe\\\" --use-crash-handler-with-id=\\\"\\\\\\\\.\\\\pipe\\\\crashpad_11111_XXXXXXXXXXXXXXXX\\\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2\",\"InitiatingProcessParentCreationTime\":\"2022-09-01T06:56:23.595229Z\",\"InitiatingProcessParentId\":15532,\"InitiatingProcessParentFileName\":\"software_reporter_tool.exe\",\"DeviceId\":\"1111111111111111111111111111111111111111\",\"AppGuardContainerId\":\"\",\"MachineGroup\":\"UnassignedGroup\",\"Timestamp\":\"2022-09-01T07:09:47.4980566Z\",\"DeviceName\":\"test.lab\",\"ReportId\":104061}}", + "event": { + "category": [ + "email" + ], + "dataset": "email_events", + "kind": "event", + "type": [ + "denied", + "info" + ] + }, + "@timestamp": "2022-09-01T07:09:47.498056Z", + "action": { + "properties": { + "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "InitiatingProcessFileSize": 14687048, + "InitiatingProcessLogonId": "121834210", + "InitiatingProcessVersionInfoCompanyName": "Google", + "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", + "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", + "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", + "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", + "InitiatingProcessVersionInfoProductVersion": "102.286.200" + }, + "type": "NtAllocateVirtualMemoryApiCall" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "host": { + "id": "1111111111111111111111111111111111111111", + "name": "test.lab" + }, + "microsoft": { + "defender": { + "report": { + "id": "104061" + } + } + }, + "process": { + "args": [ + "--engine=2", + "--init-done-notifier=804", + "--mojo-platform-channel-handle=780", + "--sandbox-mojo-pipe-token=**********", + "--sandboxed-process-id=2", + "--use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\"" + ], + "command_line": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "executable": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200\\software_reporter_tool.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + }, + "name": "software_reporter_tool.exe", + "parent": { + "name": "software_reporter_tool.exe", + "pid": 15532, + "start": "2022-09-01T06:56:23.595229Z" + }, + "pid": 1664, + "start": "2022-09-01T06:56:23.788784Z", + "user": { + "domain": "intranet", + "email": "user@example.org", + "id": "S-1-00-1-1111111-2222222222-3333333333-4444444444", + "name": "group1" + }, + "working_directory": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } + + ``` + + +=== "test_email_url_info.json" + + ```json + + { + "message": "{\"time\":\"2022-09-01T07:28:59.5127177Z\",\"tenantId\":\"5ac3ff49-0e19-4600-9ad1-333e64e3b5cc\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-EmailUrlInfo\",\"properties\":{\"AccountSid\":null,\"AccountDomain\":null,\"AccountName\":null,\"LogonId\":null,\"FileName\":null,\"FolderPath\":null,\"MD5\":null,\"SHA1\":null,\"FileSize\":null,\"SHA256\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"RemoteUrl\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"RemoteDeviceName\":null,\"FileOriginIP\":null,\"FileOriginUrl\":null,\"LocalIP\":\"1.2.3.4\",\"LocalPort\":null,\"RemoteIP\":\"5.6.7.8\",\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"AdditionalFields\":\"{\\\"BaseAddress\\\":2098738167808,\\\"RegionSize\\\":262144,\\\"ProtectionMask\\\":64}\",\"ActionType\":\"NtAllocateVirtualMemoryApiCall\",\"InitiatingProcessVersionInfoCompanyName\":\"Google\",\"InitiatingProcessVersionInfoProductName\":\"Software Reporter Tool\",\"InitiatingProcessVersionInfoProductVersion\":\"102.286.200\",\"InitiatingProcessVersionInfoInternalFileName\":\"software_reporter_tool_exe\",\"InitiatingProcessVersionInfoOriginalFileName\":\"software_reporter_tool.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Software Reporter Tool\",\"InitiatingProcessFolderPath\":\"c:\\\\users\\\\USER\\\\appdata\\\\local\\\\google\\\\chrome\\\\user data\\\\swreporter\\\\102.286.200\\\\software_reporter_tool.exe\",\"InitiatingProcessFileName\":\"software_reporter_tool.exe\",\"InitiatingProcessFileSize\":14687048,\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessLogonId\":121834210,\"InitiatingProcessAccountSid\":\"S-1-00-1-1111111-2222222222-3333333333-4444444444\",\"InitiatingProcessAccountDomain\":\"intranet\",\"InitiatingProcessAccountName\":\"group1\",\"InitiatingProcessAccountUpn\":\"user@example.org\",\"InitiatingProcessAccountObjectId\":\"9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2\",\"InitiatingProcessCreationTime\":\"2022-09-01T06:56:23.7887846Z\",\"InitiatingProcessId\":1664,\"InitiatingProcessCommandLine\":\"\\\"software_reporter_tool.exe\\\" --use-crash-handler-with-id=\\\"\\\\\\\\.\\\\pipe\\\\crashpad_11111_XXXXXXXXXXXXXXXX\\\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2\",\"InitiatingProcessParentCreationTime\":\"2022-09-01T06:56:23.595229Z\",\"InitiatingProcessParentId\":15532,\"InitiatingProcessParentFileName\":\"software_reporter_tool.exe\",\"DeviceId\":\"1111111111111111111111111111111111111111\",\"AppGuardContainerId\":\"\",\"MachineGroup\":\"UnassignedGroup\",\"Timestamp\":\"2022-09-01T07:09:47.4980566Z\",\"DeviceName\":\"test.lab\",\"ReportId\":104061}}", + "event": { + "category": [ + "email" + ], + "dataset": "email_url_info", + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2022-09-01T07:09:47.498056Z", + "action": { + "properties": { + "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "InitiatingProcessFileSize": 14687048, + "InitiatingProcessLogonId": "121834210", + "InitiatingProcessVersionInfoCompanyName": "Google", + "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", + "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", + "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", + "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", + "InitiatingProcessVersionInfoProductVersion": "102.286.200" + }, + "type": "NtAllocateVirtualMemoryApiCall" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "host": { + "id": "1111111111111111111111111111111111111111", + "name": "test.lab" + }, + "microsoft": { + "defender": { + "report": { + "id": "104061" + } + } + }, + "process": { + "args": [ + "--engine=2", + "--init-done-notifier=804", + "--mojo-platform-channel-handle=780", + "--sandbox-mojo-pipe-token=**********", + "--sandboxed-process-id=2", + "--use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\"" + ], + "command_line": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "executable": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200\\software_reporter_tool.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + }, + "name": "software_reporter_tool.exe", + "parent": { + "name": "software_reporter_tool.exe", + "pid": 15532, + "start": "2022-09-01T06:56:23.595229Z" + }, + "pid": 1664, + "start": "2022-09-01T06:56:23.788784Z", + "user": { + "domain": "intranet", + "email": "user@example.org", + "id": "S-1-00-1-1111111-2222222222-3333333333-4444444444", + "name": "group1" + }, + "working_directory": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } + + ``` + + +=== "test_identity_directory.json" + + ```json + + { + "message": "{\"time\":\"2022-09-01T07:28:59.5127177Z\",\"tenantId\":\"5ac3ff49-0e19-4600-9ad1-333e64e3b5cc\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-IdentityDirectoryEvents\",\"properties\":{\"AccountSid\":null,\"AccountDomain\":null,\"AccountName\":null,\"LogonId\":null,\"FileName\":null,\"FolderPath\":null,\"MD5\":null,\"SHA1\":null,\"FileSize\":null,\"SHA256\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"RemoteUrl\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"RemoteDeviceName\":null,\"FileOriginIP\":null,\"FileOriginUrl\":null,\"LocalIP\":\"1.2.3.4\",\"LocalPort\":null,\"RemoteIP\":\"5.6.7.8\",\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"AdditionalFields\":\"{\\\"BaseAddress\\\":2098738167808,\\\"RegionSize\\\":262144,\\\"ProtectionMask\\\":64}\",\"ActionType\":\"NtAllocateVirtualMemoryApiCall\",\"InitiatingProcessVersionInfoCompanyName\":\"Google\",\"InitiatingProcessVersionInfoProductName\":\"Software Reporter Tool\",\"InitiatingProcessVersionInfoProductVersion\":\"102.286.200\",\"InitiatingProcessVersionInfoInternalFileName\":\"software_reporter_tool_exe\",\"InitiatingProcessVersionInfoOriginalFileName\":\"software_reporter_tool.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Software Reporter Tool\",\"InitiatingProcessFolderPath\":\"c:\\\\users\\\\USER\\\\appdata\\\\local\\\\google\\\\chrome\\\\user data\\\\swreporter\\\\102.286.200\\\\software_reporter_tool.exe\",\"InitiatingProcessFileName\":\"software_reporter_tool.exe\",\"InitiatingProcessFileSize\":14687048,\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessLogonId\":121834210,\"InitiatingProcessAccountSid\":\"S-1-00-1-1111111-2222222222-3333333333-4444444444\",\"InitiatingProcessAccountDomain\":\"intranet\",\"InitiatingProcessAccountName\":\"group1\",\"InitiatingProcessAccountUpn\":\"user@example.org\",\"InitiatingProcessAccountObjectId\":\"9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2\",\"InitiatingProcessCreationTime\":\"2022-09-01T06:56:23.7887846Z\",\"InitiatingProcessId\":1664,\"InitiatingProcessCommandLine\":\"\\\"software_reporter_tool.exe\\\" --use-crash-handler-with-id=\\\"\\\\\\\\.\\\\pipe\\\\crashpad_11111_XXXXXXXXXXXXXXXX\\\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2\",\"InitiatingProcessParentCreationTime\":\"2022-09-01T06:56:23.595229Z\",\"InitiatingProcessParentId\":15532,\"InitiatingProcessParentFileName\":\"software_reporter_tool.exe\",\"DeviceId\":\"1111111111111111111111111111111111111111\",\"AppGuardContainerId\":\"\",\"MachineGroup\":\"UnassignedGroup\",\"Timestamp\":\"2022-09-01T07:09:47.4980566Z\",\"DeviceName\":\"test.lab\",\"ReportId\":104061}}", + "event": { + "category": [ + "iam" + ], + "dataset": "identity_directory_events", + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2022-09-01T07:09:47.498056Z", + "action": { + "properties": { + "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "InitiatingProcessFileSize": 14687048, + "InitiatingProcessLogonId": "121834210", + "InitiatingProcessVersionInfoCompanyName": "Google", + "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", + "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", + "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", + "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", + "InitiatingProcessVersionInfoProductVersion": "102.286.200" + }, + "type": "NtAllocateVirtualMemoryApiCall" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "host": { + "id": "1111111111111111111111111111111111111111", + "name": "test.lab" + }, + "microsoft": { + "defender": { + "report": { + "id": "104061" + } + } + }, + "process": { + "args": [ + "--engine=2", + "--init-done-notifier=804", + "--mojo-platform-channel-handle=780", + "--sandbox-mojo-pipe-token=**********", + "--sandboxed-process-id=2", + "--use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\"" + ], + "command_line": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "executable": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200\\software_reporter_tool.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + }, + "name": "software_reporter_tool.exe", + "parent": { + "name": "software_reporter_tool.exe", + "pid": 15532, + "start": "2022-09-01T06:56:23.595229Z" + }, + "pid": 1664, + "start": "2022-09-01T06:56:23.788784Z", + "user": { + "domain": "intranet", + "email": "user@example.org", + "id": "S-1-00-1-1111111-2222222222-3333333333-4444444444", + "name": "group1" + }, + "working_directory": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } + + ``` + + +=== "test_identity_info.json" + + ```json + + { + "message": "{\"time\":\"2022-09-01T07:28:59.5127177Z\",\"tenantId\":\"5ac3ff49-0e19-4600-9ad1-333e64e3b5cc\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-IdentityInfo\",\"properties\":{\"AccountSid\":null,\"AccountDomain\":null,\"AccountName\":null,\"LogonId\":null,\"FileName\":null,\"FolderPath\":null,\"MD5\":null,\"SHA1\":null,\"FileSize\":null,\"SHA256\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"RemoteUrl\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"RemoteDeviceName\":null,\"FileOriginIP\":null,\"FileOriginUrl\":null,\"LocalIP\":\"1.2.3.4\",\"LocalPort\":null,\"RemoteIP\":\"5.6.7.8\",\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"AdditionalFields\":\"{\\\"BaseAddress\\\":2098738167808,\\\"RegionSize\\\":262144,\\\"ProtectionMask\\\":64}\",\"ActionType\":\"NtAllocateVirtualMemoryApiCall\",\"InitiatingProcessVersionInfoCompanyName\":\"Google\",\"InitiatingProcessVersionInfoProductName\":\"Software Reporter Tool\",\"InitiatingProcessVersionInfoProductVersion\":\"102.286.200\",\"InitiatingProcessVersionInfoInternalFileName\":\"software_reporter_tool_exe\",\"InitiatingProcessVersionInfoOriginalFileName\":\"software_reporter_tool.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Software Reporter Tool\",\"InitiatingProcessFolderPath\":\"c:\\\\users\\\\USER\\\\appdata\\\\local\\\\google\\\\chrome\\\\user data\\\\swreporter\\\\102.286.200\\\\software_reporter_tool.exe\",\"InitiatingProcessFileName\":\"software_reporter_tool.exe\",\"InitiatingProcessFileSize\":14687048,\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessLogonId\":121834210,\"InitiatingProcessAccountSid\":\"S-1-00-1-1111111-2222222222-3333333333-4444444444\",\"InitiatingProcessAccountDomain\":\"intranet\",\"InitiatingProcessAccountName\":\"group1\",\"InitiatingProcessAccountUpn\":\"user@example.org\",\"InitiatingProcessAccountObjectId\":\"9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2\",\"InitiatingProcessCreationTime\":\"2022-09-01T06:56:23.7887846Z\",\"InitiatingProcessId\":1664,\"InitiatingProcessCommandLine\":\"\\\"software_reporter_tool.exe\\\" --use-crash-handler-with-id=\\\"\\\\\\\\.\\\\pipe\\\\crashpad_11111_XXXXXXXXXXXXXXXX\\\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2\",\"InitiatingProcessParentCreationTime\":\"2022-09-01T06:56:23.595229Z\",\"InitiatingProcessParentId\":15532,\"InitiatingProcessParentFileName\":\"software_reporter_tool.exe\",\"DeviceId\":\"1111111111111111111111111111111111111111\",\"AppGuardContainerId\":\"\",\"MachineGroup\":\"UnassignedGroup\",\"Timestamp\":\"2022-09-01T07:09:47.4980566Z\",\"DeviceName\":\"test.lab\",\"ReportId\":104061}}", + "event": { + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2022-09-01T07:09:47.498056Z", + "action": { + "properties": { + "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "InitiatingProcessFileSize": 14687048, + "InitiatingProcessLogonId": "121834210", + "InitiatingProcessVersionInfoCompanyName": "Google", + "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", + "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", + "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", + "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", + "InitiatingProcessVersionInfoProductVersion": "102.286.200" + }, + "type": "NtAllocateVirtualMemoryApiCall" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "host": { + "id": "1111111111111111111111111111111111111111", + "name": "test.lab" + }, + "microsoft": { + "defender": { + "report": { + "id": "104061" + } + } + }, + "process": { + "args": [ + "--engine=2", + "--init-done-notifier=804", + "--mojo-platform-channel-handle=780", + "--sandbox-mojo-pipe-token=**********", + "--sandboxed-process-id=2", + "--use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\"" + ], + "command_line": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "executable": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200\\software_reporter_tool.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + }, + "name": "software_reporter_tool.exe", + "parent": { + "name": "software_reporter_tool.exe", + "pid": 15532, + "start": "2022-09-01T06:56:23.595229Z" + }, + "pid": 1664, + "start": "2022-09-01T06:56:23.788784Z", + "user": { + "domain": "intranet", + "email": "user@example.org", + "id": "S-1-00-1-1111111-2222222222-3333333333-4444444444", + "name": "group1" + }, + "working_directory": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } + + ``` + + +=== "test_identity_logon.json" + + ```json + + { + "message": "{\"time\":\"2022-09-01T07:28:59.5127177Z\",\"tenantId\":\"5ac3ff49-0e19-4600-9ad1-333e64e3b5cc\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-IdentityLogonEvents\",\"properties\":{\"AccountSid\":null,\"AccountDomain\":null,\"AccountName\":null,\"LogonId\":null,\"FileName\":null,\"FolderPath\":null,\"MD5\":null,\"SHA1\":null,\"FileSize\":null,\"SHA256\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"RemoteUrl\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"RemoteDeviceName\":null,\"FileOriginIP\":null,\"FileOriginUrl\":null,\"LocalIP\":\"1.2.3.4\",\"LocalPort\":null,\"RemoteIP\":\"5.6.7.8\",\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"AdditionalFields\":\"{\\\"BaseAddress\\\":2098738167808,\\\"RegionSize\\\":262144,\\\"ProtectionMask\\\":64}\",\"ActionType\":\"NtAllocateVirtualMemoryApiCall\",\"InitiatingProcessVersionInfoCompanyName\":\"Google\",\"InitiatingProcessVersionInfoProductName\":\"Software Reporter Tool\",\"InitiatingProcessVersionInfoProductVersion\":\"102.286.200\",\"InitiatingProcessVersionInfoInternalFileName\":\"software_reporter_tool_exe\",\"InitiatingProcessVersionInfoOriginalFileName\":\"software_reporter_tool.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Software Reporter Tool\",\"InitiatingProcessFolderPath\":\"c:\\\\users\\\\USER\\\\appdata\\\\local\\\\google\\\\chrome\\\\user data\\\\swreporter\\\\102.286.200\\\\software_reporter_tool.exe\",\"InitiatingProcessFileName\":\"software_reporter_tool.exe\",\"InitiatingProcessFileSize\":14687048,\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessLogonId\":121834210,\"InitiatingProcessAccountSid\":\"S-1-00-1-1111111-2222222222-3333333333-4444444444\",\"InitiatingProcessAccountDomain\":\"intranet\",\"InitiatingProcessAccountName\":\"group1\",\"InitiatingProcessAccountUpn\":\"user@example.org\",\"InitiatingProcessAccountObjectId\":\"9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2\",\"InitiatingProcessCreationTime\":\"2022-09-01T06:56:23.7887846Z\",\"InitiatingProcessId\":1664,\"InitiatingProcessCommandLine\":\"\\\"software_reporter_tool.exe\\\" --use-crash-handler-with-id=\\\"\\\\\\\\.\\\\pipe\\\\crashpad_11111_XXXXXXXXXXXXXXXX\\\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2\",\"InitiatingProcessParentCreationTime\":\"2022-09-01T06:56:23.595229Z\",\"InitiatingProcessParentId\":15532,\"InitiatingProcessParentFileName\":\"software_reporter_tool.exe\",\"DeviceId\":\"1111111111111111111111111111111111111111\",\"AppGuardContainerId\":\"\",\"MachineGroup\":\"UnassignedGroup\",\"Timestamp\":\"2022-09-01T07:09:47.4980566Z\",\"DeviceName\":\"test.lab\",\"ReportId\":104061}}", + "event": { + "category": [ + "authentication" + ], + "dataset": "identity_logon_events", + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2022-09-01T07:09:47.498056Z", + "action": { + "properties": { + "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "InitiatingProcessFileSize": 14687048, + "InitiatingProcessLogonId": "121834210", + "InitiatingProcessVersionInfoCompanyName": "Google", + "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", + "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", + "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", + "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", + "InitiatingProcessVersionInfoProductVersion": "102.286.200" + }, + "type": "NtAllocateVirtualMemoryApiCall" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "host": { + "id": "1111111111111111111111111111111111111111", + "name": "test.lab" + }, + "microsoft": { + "defender": { + "report": { + "id": "104061" + } + } + }, + "process": { + "args": [ + "--engine=2", + "--init-done-notifier=804", + "--mojo-platform-channel-handle=780", + "--sandbox-mojo-pipe-token=**********", + "--sandboxed-process-id=2", + "--use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\"" + ], + "command_line": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "executable": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200\\software_reporter_tool.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + }, + "name": "software_reporter_tool.exe", + "parent": { + "name": "software_reporter_tool.exe", + "pid": 15532, + "start": "2022-09-01T06:56:23.595229Z" + }, + "pid": 1664, + "start": "2022-09-01T06:56:23.788784Z", + "user": { + "domain": "intranet", + "email": "user@example.org", + "id": "S-1-00-1-1111111-2222222222-3333333333-4444444444", + "name": "group1" + }, + "working_directory": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } + + ``` + + +=== "test_identity_query.json" + + ```json + + { + "message": "{\"time\":\"2022-09-01T07:28:59.5127177Z\",\"tenantId\":\"5ac3ff49-0e19-4600-9ad1-333e64e3b5cc\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-IdentityQueryEvents\",\"properties\":{\"AccountSid\":null,\"AccountDomain\":null,\"AccountName\":null,\"LogonId\":null,\"FileName\":null,\"FolderPath\":null,\"MD5\":null,\"SHA1\":null,\"FileSize\":null,\"SHA256\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"RemoteUrl\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"RemoteDeviceName\":null,\"FileOriginIP\":null,\"FileOriginUrl\":null,\"LocalIP\":\"1.2.3.4\",\"LocalPort\":null,\"RemoteIP\":\"5.6.7.8\",\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"AdditionalFields\":\"{\\\"BaseAddress\\\":2098738167808,\\\"RegionSize\\\":262144,\\\"ProtectionMask\\\":64}\",\"ActionType\":\"NtAllocateVirtualMemoryApiCall\",\"InitiatingProcessVersionInfoCompanyName\":\"Google\",\"InitiatingProcessVersionInfoProductName\":\"Software Reporter Tool\",\"InitiatingProcessVersionInfoProductVersion\":\"102.286.200\",\"InitiatingProcessVersionInfoInternalFileName\":\"software_reporter_tool_exe\",\"InitiatingProcessVersionInfoOriginalFileName\":\"software_reporter_tool.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Software Reporter Tool\",\"InitiatingProcessFolderPath\":\"c:\\\\users\\\\USER\\\\appdata\\\\local\\\\google\\\\chrome\\\\user data\\\\swreporter\\\\102.286.200\\\\software_reporter_tool.exe\",\"InitiatingProcessFileName\":\"software_reporter_tool.exe\",\"InitiatingProcessFileSize\":14687048,\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessLogonId\":121834210,\"InitiatingProcessAccountSid\":\"S-1-00-1-1111111-2222222222-3333333333-4444444444\",\"InitiatingProcessAccountDomain\":\"intranet\",\"InitiatingProcessAccountName\":\"group1\",\"InitiatingProcessAccountUpn\":\"user@example.org\",\"InitiatingProcessAccountObjectId\":\"9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2\",\"InitiatingProcessCreationTime\":\"2022-09-01T06:56:23.7887846Z\",\"InitiatingProcessId\":1664,\"InitiatingProcessCommandLine\":\"\\\"software_reporter_tool.exe\\\" --use-crash-handler-with-id=\\\"\\\\\\\\.\\\\pipe\\\\crashpad_11111_XXXXXXXXXXXXXXXX\\\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2\",\"InitiatingProcessParentCreationTime\":\"2022-09-01T06:56:23.595229Z\",\"InitiatingProcessParentId\":15532,\"InitiatingProcessParentFileName\":\"software_reporter_tool.exe\",\"DeviceId\":\"1111111111111111111111111111111111111111\",\"AppGuardContainerId\":\"\",\"MachineGroup\":\"UnassignedGroup\",\"Timestamp\":\"2022-09-01T07:09:47.4980566Z\",\"DeviceName\":\"test.lab\",\"ReportId\":104061}}", + "event": { + "category": [ + "iam" + ], + "dataset": "identity_query_events", + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2022-09-01T07:09:47.498056Z", + "action": { + "properties": { + "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "InitiatingProcessFileSize": 14687048, + "InitiatingProcessLogonId": "121834210", + "InitiatingProcessVersionInfoCompanyName": "Google", + "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", + "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", + "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", + "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", + "InitiatingProcessVersionInfoProductVersion": "102.286.200" + }, + "type": "NtAllocateVirtualMemoryApiCall" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "host": { + "id": "1111111111111111111111111111111111111111", + "name": "test.lab" + }, + "microsoft": { + "defender": { + "report": { + "id": "104061" + } + } + }, + "process": { + "args": [ + "--engine=2", + "--init-done-notifier=804", + "--mojo-platform-channel-handle=780", + "--sandbox-mojo-pipe-token=**********", + "--sandboxed-process-id=2", + "--use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\"" + ], + "command_line": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "executable": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200\\software_reporter_tool.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + }, + "name": "software_reporter_tool.exe", + "parent": { + "name": "software_reporter_tool.exe", + "pid": 15532, + "start": "2022-09-01T06:56:23.595229Z" + }, + "pid": 1664, + "start": "2022-09-01T06:56:23.788784Z", + "user": { + "domain": "intranet", + "email": "user@example.org", + "id": "S-1-00-1-1111111-2222222222-3333333333-4444444444", + "name": "group1" + }, + "working_directory": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } + + ``` + + === "test_local_ip.json" ```json @@ -1510,6 +2190,7 @@ The following table lists the fields that are extracted, normalized under the EC |`microsoft.defender.activity.objects` | `list` | List of objects, such as files or folders, that were involved in the recorded activity | |`microsoft.defender.activity.type` | `keyword` | Type of activity that triggered the event | |`microsoft.defender.alert.id` | `keyword` | Unique identifier for the alert | +|`microsoft.defender.alert.severity` | `keyword` | The severity of the alert | |`microsoft.defender.alert.title` | `keyword` | The title of the alert | |`microsoft.defender.certificate.counter_signed_at` | `keyword` | Date and time the certificate was countersigned | |`microsoft.defender.certificate.created_at` | `keyword` | Date and time the certificate was created | diff --git a/_shared_content/operations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md b/_shared_content/operations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md index 84bd3d18f3..21af5d625d 100644 --- a/_shared_content/operations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md +++ b/_shared_content/operations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md @@ -69,7 +69,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "command_line": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc", "executable": "\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe", "parent": { - "executable": "services.exe", + "name": "services.exe", "pid": 11768266 }, "pid": 4164, @@ -138,6 +138,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "win" } }, + "network": { + "iana_number": "6" + }, "observer": { "ip": [ "1.2.3.4" @@ -253,6 +256,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "mac" } }, + "network": { + "iana_number": "17" + }, "related": { "ip": [ "2001:cafe:37:ed:6f:51:7d:67", @@ -314,7 +320,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "command_line": "\"gpupdate.exe\" /target:computer", "executable": "\\Device\\HarddiskVolume4\\Windows\\System32\\gpupdate.exe", "parent": { - "executable": "svchost.exe", + "name": "svchost.exe", "pid": 158964342720 }, "pid": 8960, @@ -883,7 +889,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "command_line": "/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient", "executable": "/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient", "parent": { - "executable": "launchd", + "name": "launchd", "pid": 494714991831837524 }, "pid": 6812, @@ -1222,7 +1228,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "command_line": "\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\acrocef_1\\AcroCEF.exe\" --type=gpu-process --log-severity=disable --user-agent-product=\"ReaderServices/23.1.20174 Chrome/105.0.0.0\" --lang=en-US --user-data-dir=\"C:\\Users\\p.gregoire\\AppData\\Local\\CEF\\User Data\" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file=\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\acrocef_1\\debug.log\" --mojo-platform-channel-handle=2680 --field-trial-handle=1620,i,11497596256796242755,3026965967799273852,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2", "executable": "\\Device\\HarddiskVolume4\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\acrocef_1\\AcroCEF.exe", "parent": { - "executable": "AcroCEF.exe", + "name": "AcroCEF.exe", "pid": 1084277996656 }, "pid": 18184, @@ -1733,6 +1739,215 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "telemetry_event_37.json" + + ```json + + { + "message": "{\"ProcessCreateFlags\":\"4\",\"IntegrityLevel\":\"8192\",\"ParentProcessId\":\"288633815511\",\"SourceProcessId\":\"288633815511\",\"aip\":\"89.251.59.206\",\"SHA1HashData\":\"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc\",\"UserSid\":\"S-1-5-21-XXXX-XXXXX-9457\",\"event_platform\":\"Win\",\"TokenType\":\"1\",\"ProcessEndTime\":\"\",\"AuthenticodeHashData\":\"e72acf26e8ca12c48d2697e849fd68887515956a\",\"ParentBaseFileName\":\"setup.exe\",\"EventOrigin\":\"1\",\"ImageSubsystem\":\"2\",\"id\":\"93a1f830-c5a3-41f3-a5c0-df8cdd61295f\",\"EffectiveTransmissionClass\":\"3\",\"SessionId\":\"4\",\"Tags\":\"25,27,41,268,874,924,10445360464024,10445360464025,10445360464026,10445360464258,10445360464273,10445360464274,12094627905582,12094627906234,219902325555779\",\"timestamp\":\"1705915256602\",\"event_simpleName\":\"ProcessRollup2\",\"RawProcessId\":\"17600\",\"ConfigStateHash\":\"2529887863\",\"MD5HashData\":\"68b329da9893e34099c7d8ad5cb9c940\",\"SHA256HashData\":\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\"ProcessSxsFlags\":\"64\",\"AuthenticationId\":\"610129406\",\"ConfigBuild\":\"1007.3.0017706.10\",\"CommandLine\":\"C:\\\\WINDOWS\\\\System32\\\\rundll32.exe\",\"ParentAuthenticationId\":\"610129406\",\"TargetProcessId\":\"288727090872\",\"ImageFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\rundll32.exe\",\"SourceThreadId\":\"11362082185143\",\"Entitlements\":\"15\",\"name\":\"ProcessRollup2V19\",\"ProcessStartTime\":\"1705915253.929\",\"ProcessParameterFlags\":\"24577\",\"aid\":\"36a2337df811411eb6abeac136945a6c\",\"SignInfoFlags\":\"8683538\",\"cid\":\"7da61e27e34f4b8394081896af72e2c7\"}", + "event": { + "action": "ProcessRollup2", + "category": [ + "process" + ], + "type": [ + "info" + ] + }, + "@timestamp": "2024-01-22T09:20:56.602000Z", + "agent": { + "id": "36a2337df811411eb6abeac136945a6c" + }, + "crowdstrike": { + "customer_id": "7da61e27e34f4b8394081896af72e2c7" + }, + "file": { + "hash": { + "md5": "68b329da9893e34099c7d8ad5cb9c940", + "sha1": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc", + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + } + }, + "host": { + "ip": [ + "89.251.59.206" + ], + "os": { + "platform": "win" + } + }, + "process": { + "command_line": "C:\\WINDOWS\\System32\\rundll32.exe", + "executable": "\\Device\\HarddiskVolume3\\Windows\\System32\\rundll32.exe", + "parent": { + "name": "setup.exe", + "pid": 288633815511 + }, + "pid": 17600, + "start": "2024-01-22T09:20:53.929000Z", + "thread": { + "id": 11362082185143 + } + }, + "related": { + "hash": [ + "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", + "68b329da9893e34099c7d8ad5cb9c940", + "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc" + ], + "ip": [ + "89.251.59.206" + ] + }, + "source": { + "nat": { + "ip": "89.251.59.206" + } + }, + "user": { + "id": "S-1-5-21-XXXX-XXXXX-9457" + } + } + + ``` + + +=== "telemetry_event_38.json" + + ```json + + { + "message": "{\"LocalAddressIP4\":\"0.0.0.0\",\"event_simpleName\":\"NetworkConnectIP4\",\"ContextTimeStamp\":\"1711014477.367\",\"ConfigStateHash\":\"4129765047\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"10406654690112427952\",\"RemotePort\":\"443\",\"OriginatingURL\":\"chat.cdn.whatsapp.net\",\"aip\":\"4.5.6.7\",\"ConfigBuild\":\"1007.32.20240201.1\",\"event_platform\":\"iOS\",\"LocalPort\":\"0\",\"name\":\"NetworkConnectIP4IOSV3\",\"id\":\"71d72ce3-8355-4e3e-94e9-eb638c361d56\",\"Protocol\":\"6\",\"aid\":\"1ad825a8bc954a90bc5557c95740795c\",\"RemoteAddressIP4\":\"5.6.7.8\",\"ConnectionDirection\":\"0\",\"timestamp\":\"1711014478084\",\"cid\":\"5a2f76b2897e4170bebccda80c903eb4\"}", + "event": { + "action": "NetworkConnectIP4", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "@timestamp": "2024-03-21T09:47:58.084000Z", + "agent": { + "id": "1ad825a8bc954a90bc5557c95740795c" + }, + "crowdstrike": { + "customer_id": "5a2f76b2897e4170bebccda80c903eb4" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "nat": { + "port": 443 + } + }, + "host": { + "ip": [ + "4.5.6.7" + ], + "os": { + "platform": "ios" + } + }, + "network": { + "iana_number": "6" + }, + "observer": { + "ip": [ + "0.0.0.0" + ] + }, + "related": { + "ip": [ + "0.0.0.0", + "4.5.6.7", + "5.6.7.8" + ] + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0", + "nat": { + "ip": "4.5.6.7", + "port": 0 + } + }, + "url": { + "full": "chat.cdn.whatsapp.net" + } + } + + ``` + + +=== "telemetry_event_39.json" + + ```json + + { + "message": "{\"LocalAddressIP4\":\"1.2.3.4\",\"event_simpleName\":\"NetworkConnectIP4\",\"ContextTimeStamp\":\"1711014491.759\",\"ConfigStateHash\":\"4129765047\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"4179223508173316025\",\"RemotePort\":\"443\",\"OriginatingURL\":\"https://outlook.office365.com/Microsoft-Server-ActiveSync\",\"aip\":\"4.5.6.7\",\"ConfigBuild\":\"1007.32.20240201.1\",\"event_platform\":\"iOS\",\"LocalPort\":\"50309\",\"name\":\"NetworkConnectIP4IOSV3\",\"id\":\"c1169837-5261-45a4-a1da-1102816304d0\",\"Protocol\":\"17\",\"aid\":\"1ad825a8bc954a90bc5557c95740795c\",\"RemoteAddressIP4\":\"5.6.7.8\",\"ConnectionDirection\":\"0\",\"timestamp\":\"1711014491954\",\"cid\":\"5a2f76b2897e4170bebccda80c903eb4\"}", + "event": { + "action": "NetworkConnectIP4", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "@timestamp": "2024-03-21T09:48:11.954000Z", + "agent": { + "id": "1ad825a8bc954a90bc5557c95740795c" + }, + "crowdstrike": { + "customer_id": "5a2f76b2897e4170bebccda80c903eb4" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "nat": { + "port": 443 + } + }, + "host": { + "ip": [ + "4.5.6.7" + ], + "os": { + "platform": "ios" + } + }, + "network": { + "iana_number": "17" + }, + "observer": { + "ip": [ + "1.2.3.4" + ] + }, + "related": { + "ip": [ + "1.2.3.4", + "4.5.6.7", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.5.6.7", + "port": 50309 + } + }, + "url": { + "full": "https://outlook.office365.com/Microsoft-Server-ActiveSync" + } + } + + ``` + + === "telemetry_event_4.json" ```json @@ -2069,7 +2284,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "end": "2022-08-20T19:06:18.014000Z", "executable": "\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe", "parent": { - "executable": "services.exe", + "name": "services.exe", "pid": 11768266 }, "pid": 4164, @@ -2132,6 +2347,7 @@ The following table lists the fields that are extracted, normalized under the EC |`host.mac` | `keyword` | Host MAC addresses. | |`host.name` | `keyword` | Name of the host. | |`host.os.platform` | `keyword` | Operating system platform (such centos, ubuntu, windows). | +|`network.iana_number` | `keyword` | IANA Protocol Number. | |`observer.egress.interface.alias` | `keyword` | Interface alias | |`observer.ip` | `ip` | IP addresses of the observer. | |`observer.mac` | `keyword` | MAC addresses of the observer. | @@ -2139,7 +2355,7 @@ The following table lists the fields that are extracted, normalized under the EC |`process.command_line` | `wildcard` | Full command line that started the process. | |`process.end` | `date` | The time the process ended. | |`process.executable` | `keyword` | Absolute path to the process executable. | -|`process.parent.executable` | `keyword` | Absolute path to the process executable. | +|`process.parent.name` | `keyword` | Process name. | |`process.parent.pid` | `long` | Process id. | |`process.pid` | `long` | Process id. | |`process.start` | `date` | The time the process started. | @@ -2154,6 +2370,7 @@ The following table lists the fields that are extracted, normalized under the EC |`source.nat.ip` | `ip` | Source NAT ip | |`source.nat.port` | `long` | Source NAT port | |`url.domain` | `keyword` | Domain of the url. | +|`url.full` | `wildcard` | Full unparsed URL. | |`url.path` | `wildcard` | Path of the request, such as "/search". | |`user.id` | `keyword` | Unique identifier of the user. | |`user.name` | `keyword` | Short name or login of the user. | diff --git a/_shared_content/operations_center/integrations/generated/1df44c62-33d3-41d4-8176-f1fa13589eea.md b/_shared_content/operations_center/integrations/generated/1df44c62-33d3-41d4-8176-f1fa13589eea.md index 03adecc237..2ebd3fcaa4 100644 --- a/_shared_content/operations_center/integrations/generated/1df44c62-33d3-41d4-8176-f1fa13589eea.md +++ b/_shared_content/operations_center/integrations/generated/1df44c62-33d3-41d4-8176-f1fa13589eea.md @@ -41,6 +41,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": "deprecated_ssl_tls_individual", "kind": "alert", "reason": "db1\\.example\\.org established an SSL/TLS connection with a deprecated version of SSL/TLS. SSL 2.0, SSL 3.0, and TLS 1.0 are deprecated because they are vulnerable to attacks.", + "risk_score": 30, "start": "2023-11-30T21:30:23.296000Z", "type": [ "info" @@ -94,6 +95,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": "llmnr_activity_individual", "kind": "alert", "reason": "[db3\\.example\\.org](#/metrics/devices/6e0cd9a20b0e46e39ce0eca0b71f195c.0e3faba10b8b0000/overview?from=1701270240&interval_type=DT&until=1706720940) sent Link-Local Multicast Name Resolution (LLMNR) requests that are part of an internal broadcast query to resolve a hostname. The LLMNR protocol is known to be vulnerable to attacks.", + "risk_score": 30, "start": "2023-11-29T15:04:00Z", "type": [ "info" @@ -135,6 +137,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": "weak_cipher_individual", "kind": "alert", "reason": "[db1\\.example\\.org](#/metrics/devices/bcaa64bcd3c5440ea94d1b73c75979ae.0ed41b93cf2f0000/overview?from=1701379823&interval_type=DT&until=1706720940) negotiated an SSL/TLS session with a cipher suite that includes a weak encryption algorithm such as CBC, 3DES, RC4, null, anonymous, or export. Remove this cipher suite from [db1\\.example\\.org](#/metrics/devices/bcaa64bcd3c5440ea94d1b73c75979ae.0ed41b93cf2f0000/overview?from=1701379823&interval_type=DT&until=1706720940) and replace with stronger cipher suites.", + "risk_score": 30, "start": "2023-11-30T21:30:23.296000Z", "type": [ "info" @@ -189,6 +192,7 @@ The following table lists the fields that are extracted, normalized under the EC |`event.code` | `keyword` | Identification code for this event. | |`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | +|`event.risk_score` | `float` | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | |`event.risk_score_norm` | `float` | Normalized risk score or priority of the event (0-100). | |`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | diff --git a/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md b/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md index 656658e06c..a21a91698e 100644 --- a/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md +++ b/_shared_content/operations_center/integrations/generated/250e4095-fa08-4101-bb02-e72f870fcbd1.md @@ -76,6 +76,151 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "agent_logs_1.json" + + ```json + + { + "message": "{\"user\":{\"target\":{\"name\":\"VM-001$@EXAMPLE.LOCAL\",\"domain\":\"EXAMPLE.LOCAL\"}},\"action\":{\"properties\":{\"EventType\":\"AUDIT_SUCCESS\",\"IpAddress\":\"::ffff:10.0.30.42\",\"IpPort\":\"57111\",\"Keywords\":\"0x8020000000000000\",\"LogonGuid\":\"{345a31bc-e0d8-4d9b-98e7-d7c27a2404f2}\",\"ProviderGuid\":\"{9341bdd5-a0aa-4978-8f7b-36d0c7f5de05}\",\"ServiceName\":\"eXampl-AZRWE-AA00$\",\"ServiceSid\":\"S-1-5-21-2222222-111111111-1197373316-51000\",\"Severity\":\"LOG_ALWAYS\",\"SourceName\":\"Microsoft-Windows-Security-Auditing\",\"Status\":\"0x0\",\"TargetDomainName\":\"EXAMPLE.LOCAL\",\"TargetUserName\":\"VM-1111@EXAMPLE.LOCAL\",\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810000\",\"TransmittedServices\":\"-\"},\"id\":4769},\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":4769},\"agent\":{\"id\":\"d6285cf5d51861d13acbb34971e6b72e8e91fbcfcce44cfc5a9f1d45c8f0510c\",\"version\":\"v1.4.0+a903da97d806b129d8f0c5c7d1c4f71cb36849bd\"},\"host\":{\"os\":{\"type\":\"windows\"},\"hostname\":\"eXampl-AZRWE-AAAA\",\"ip\":[\"fe80::76e9:3115:c5b4:aaaa\",\"10.0.11.1\"]},\"source\":{\"address\":\"10.0.11.11\",\"ip\":\"10.0.11.12\"},\"@timestamp\":\"2024-01-19T13:18:38.703193Z\"}", + "event": { + "code": "4769", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-01-19T13:18:38.703193Z", + "action": { + "id": 4769, + "properties": { + "EventType": "AUDIT_SUCCESS", + "IpAddress": "::ffff:10.0.30.42", + "IpPort": "57111", + "Keywords": "0x8020000000000000", + "LogonGuid": "{345a31bc-e0d8-4d9b-98e7-d7c27a2404f2}", + "ProviderGuid": "{9341bdd5-a0aa-4978-8f7b-36d0c7f5de05}", + "ServiceName": "eXampl-AZRWE-AA00$", + "ServiceSid": "S-1-5-21-2222222-111111111-1197373316-51000", + "Severity": "LOG_ALWAYS", + "SourceName": "Microsoft-Windows-Security-Auditing", + "Status": "0x0", + "TargetDomainName": "EXAMPLE.LOCAL", + "TargetUserName": "VM-1111@EXAMPLE.LOCAL", + "TicketEncryptionType": "0x12", + "TicketOptions": "0x40810000", + "TransmittedServices": "-" + } + }, + "agent": { + "id": "d6285cf5d51861d13acbb34971e6b72e8e91fbcfcce44cfc5a9f1d45c8f0510c", + "version": "v1.4.0+a903da97d806b129d8f0c5c7d1c4f71cb36849bd" + }, + "host": { + "hostname": "eXampl-AZRWE-AAAA", + "ip": [ + "10.0.11.1", + "fe80::76e9:3115:c5b4:aaaa" + ], + "name": "eXampl-AZRWE-AAAA", + "os": { + "type": "windows" + } + }, + "related": { + "hosts": [ + "eXampl-AZRWE-AAAA" + ], + "ip": [ + "10.0.11.1", + "10.0.11.12", + "fe80::76e9:3115:c5b4:aaaa" + ] + }, + "source": { + "address": "10.0.11.11", + "ip": "10.0.11.12" + }, + "user": { + "target": { + "domain": "EXAMPLE.LOCAL", + "name": "VM-1111@EXAMPLE.LOCAL" + } + } + } + + ``` + + +=== "agent_logs_2.json" + + ```json + + { + "message": "{\n \"user\": {\n \"id\": \"S-1-5-18\",\n \"name\": \"EXPL111$\",\n \"domain\": \"EXAMPLE\"\n },\n \"action\": {\n \"properties\": {\n \"ClientProcessId\": \"10704\",\n \"ClientProcessStartKey\": \"14918173765668009\",\n \"EventType\": \"AUDIT_SUCCESS\",\n \"FQDN\": \"EXPL111.example.org\",\n \"Keywords\": \"0x8020000000000000\",\n \"ProviderGuid\": \"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\n \"RpcCallClientLocality\": \"0\",\n \"Severity\": \"LOG_ALWAYS\",\n \"SourceName\": \"Microsoft-Windows-Security-Auditing\",\n \"SubjectDomainName\": \"EXAMPLE\",\n \"SubjectLogonId\": \"0x3E7\",\n \"SubjectUserName\": \"EXPL111$\",\n \"SubjectUserSid\": \"S-1-5-18\",\n \"TaskContent\": \"\\r\\n\\r\\n \\r\\n EXAMPLE\\\\master\\r\\n d\u00e9ploiement de l'agent SYSMON sur les PC\\r\\n \\\\Agent Sysmon\\r\\n \\r\\n \\r\\n \\r\\n 2024-03-27T10:58:36\\r\\n 2024-03-27T10:59:31\\r\\n true\\r\\n \\r\\n \\r\\n \\r\\n \\r\\n HighestAvailable\\r\\n NT AUTHORITY\\\\System\\r\\n S4U\\r\\n \\r\\n \\r\\n \\r\\n IgnoreNew\\r\\n false\\r\\n false\\r\\n false\\r\\n true\\r\\n false\\r\\n \\r\\n PT5M\\r\\n PT1H\\r\\n false\\r\\n false\\r\\n \\r\\n true\\r\\n true\\r\\n false\\r\\n false\\r\\n false\\r\\n PT0S\\r\\n PT0S\\r\\n 7\\r\\n \\r\\n \\r\\n \\r\\n \\\\\\\\exm-atl-01\\\\netlogon\\\\agent-sysmon\\\\sysmon.exe\\r\\n -accepteula -i \\\\\\\\exm-atl-01\\\\netlogon\\\\agent-sysmon\\\\sysmonconfig-export.xml\\r\\n \\r\\n \\r\\n\",\n \"TaskName\": \"\\\\Agent Sysmon\"\n },\n \"id\": 4698\n },\n \"event\": {\n \"provider\": \"Microsoft-Windows-Security-Auditing\",\n \"code\": 4698\n },\n \"agent\": {\n \"id\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\n \"version\": \"v1.5.0+909fc425bc21557bcd09cdd599f43eaeab13b9db\"\n },\n \"host\": {\n \"os\": {\n \"type\": \"windows\"\n },\n \"hostname\": \"EXPL111\",\n \"ip\": [\n \"1.2.3.4\"\n ]\n },\n \"process\": {\n \"parent\": {\n \"pid\": 1188\n }\n },\n \"@timestamp\": \"2024-03-27T09:58:31.8443945Z\"\n}", + "event": { + "code": "4698", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-03-27T09:58:31.844394Z", + "action": { + "id": 4698, + "properties": { + "ClientProcessId": "10704", + "ClientProcessStartKey": "14918173765668009", + "EventType": "AUDIT_SUCCESS", + "FQDN": "EXPL111.example.org", + "Keywords": "0x8020000000000000", + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "RpcCallClientLocality": "0", + "Severity": "LOG_ALWAYS", + "SourceName": "Microsoft-Windows-Security-Auditing", + "SubjectDomainName": "EXAMPLE", + "SubjectLogonId": "0x3E7", + "SubjectUserName": "EXPL111$", + "SubjectUserSid": "S-1-5-18", + "TaskContent": "\r\n\r\n \r\n EXAMPLE\\master\r\n d\u00e9ploiement de l'agent SYSMON sur les PC\r\n \\Agent Sysmon\r\n \r\n \r\n \r\n 2024-03-27T10:58:36\r\n 2024-03-27T10:59:31\r\n true\r\n \r\n \r\n \r\n \r\n HighestAvailable\r\n NT AUTHORITY\\System\r\n S4U\r\n \r\n \r\n \r\n IgnoreNew\r\n false\r\n false\r\n false\r\n true\r\n false\r\n \r\n PT5M\r\n PT1H\r\n false\r\n false\r\n \r\n true\r\n true\r\n false\r\n false\r\n false\r\n PT0S\r\n PT0S\r\n 7\r\n \r\n \r\n \r\n \\\\exm-atl-01\\netlogon\\agent-sysmon\\sysmon.exe\r\n -accepteula -i \\\\exm-atl-01\\netlogon\\agent-sysmon\\sysmonconfig-export.xml\r\n \r\n \r\n", + "TaskContentNew_Args": "-accepteula -i \\\\exm-atl-01\\netlogon\\agent-sysmon\\sysmonconfig-export.xml", + "TaskContentNew_Command": "\\\\exm-atl-01\\netlogon\\agent-sysmon\\sysmon.exe", + "TaskName": "\\Agent Sysmon" + } + }, + "agent": { + "id": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", + "version": "v1.5.0+909fc425bc21557bcd09cdd599f43eaeab13b9db" + }, + "host": { + "hostname": "EXPL111", + "ip": [ + "1.2.3.4" + ], + "name": "EXPL111", + "os": { + "type": "windows" + } + }, + "process": { + "parent": { + "pid": 1188 + } + }, + "related": { + "hosts": [ + "EXPL111" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "EXPL111$" + ] + }, + "user": { + "domain": "EXAMPLE", + "id": "S-1-5-18", + "name": "EXPL111$" + } + } + + ``` + + === "dns_results.json" ```json @@ -1141,6 +1286,8 @@ The following table lists the fields that are extracted, normalized under the EC | Name | Type | Description | | ---- | ---- | ---------------------------| |`@timestamp` | `date` | Date/time when the event originated. | +|`action.properties.TaskContentNew_Args` | `keyword` | | +|`action.properties.TaskContentNew_Command` | `keyword` | | |`auditd.data.a1` | `keyword` | argument 1 of syscall | |`auditd.data.a2` | `keyword` | argument 2 of syscall | |`auditd.data.a3` | `keyword` | argument 3 of syscall | diff --git a/_shared_content/operations_center/integrations/generated/340e3bc7-2b76-48e4-9833-e971451b2979.md b/_shared_content/operations_center/integrations/generated/340e3bc7-2b76-48e4-9833-e971451b2979.md index 019901077f..aa77cb8e6d 100644 --- a/_shared_content/operations_center/integrations/generated/340e3bc7-2b76-48e4-9833-e971451b2979.md +++ b/_shared_content/operations_center/integrations/generated/340e3bc7-2b76-48e4-9833-e971451b2979.md @@ -38,54 +38,54 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"flow_state\": \"begin\",\"resourceId\":\"/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG\",\"macAddress\":\"DB831EFEC376\",\"flow.0\":\"1493763938,1.2.3.4,5.6.7.8,35370,23,T,I,A,B,,,,\",\"rule\":\"DefaultRule_AllowVnetOutBound\",\"operationName\":\"NetworkSecurityGroupFlowEvents\",\"time\":\"2020-12-14T22:16:46.3528160Z\",\"version\":\"2\"}", "event": { - "kind": "event", + "action": "accept", "category": [ "network" ], "code": "NetworkSecurityGroupFlowEvents", - "action": "accept", + "kind": "event", "type": [ "allowed" ] }, - "rule": { - "name": "DefaultRule_AllowVnetOutBound" - }, "action": { - "type": "DefaultRule_AllowVnetOutBound", - "target": "network-traffic", + "name": "accept", "properties": [ { - "OperationName": "NetworkSecurityGroupFlowEvents", "FlowState": "begin", + "OperationName": "NetworkSecurityGroupFlowEvents", "Version": "2" } ], - "name": "accept" + "target": "network-traffic", + "type": "DefaultRule_AllowVnetOutBound" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 23 }, "host": { "name": "/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG" }, "network": { - "transport": "tcp", - "direction": "inbound" - }, - "source": { - "ip": "1.2.3.4", - "port": 35370, - "mac": "DB831EFEC376", - "address": "1.2.3.4" - }, - "destination": { - "ip": "5.6.7.8", - "port": 23, - "address": "5.6.7.8" + "direction": "inbound", + "transport": "tcp" }, "related": { "ip": [ "1.2.3.4", "5.6.7.8" ] + }, + "rule": { + "name": "DefaultRule_AllowVnetOutBound" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "DB831EFEC376", + "port": 35370 } } @@ -99,58 +99,58 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"flow_state\": \"end\", \"resourceId\":\"/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG\",\"macAddress\":\"DB831EFEC376\",\"flow.0\":\"1607984156,1.2.3.4,5.6.7.8,36422,8086,T,O,A,E,1,74,1,74\",\"rule\":\"DefaultRule_AllowVnetOutBound\",\"operationName\":\"NetworkSecurityGroupFlowEvents\",\"time\":\"2020-12-14T22:16:46.3528160Z\",\"version\":\"2\"}", "event": { - "kind": "event", + "action": "accept", "category": [ "network" ], "code": "NetworkSecurityGroupFlowEvents", - "action": "accept", + "kind": "event", "type": [ "allowed" ] }, - "rule": { - "name": "DefaultRule_AllowVnetOutBound" - }, "action": { - "type": "DefaultRule_AllowVnetOutBound", - "target": "network-traffic", + "name": "accept", "properties": [ { - "OperationName": "NetworkSecurityGroupFlowEvents", "FlowState": "end", + "OperationName": "NetworkSecurityGroupFlowEvents", "Version": "2" } ], - "name": "accept" + "target": "network-traffic", + "type": "DefaultRule_AllowVnetOutBound" + }, + "destination": { + "address": "5.6.7.8", + "bytes": 74, + "ip": "5.6.7.8", + "packets": 1, + "port": 8086 }, "host": { "name": "/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG" }, "network": { - "transport": "tcp", - "direction": "outbound" - }, - "source": { - "ip": "1.2.3.4", - "port": 36422, - "packets": 1, - "bytes": 74, - "mac": "DB831EFEC376", - "address": "1.2.3.4" - }, - "destination": { - "ip": "5.6.7.8", - "port": 8086, - "packets": 1, - "bytes": 74, - "address": "5.6.7.8" + "direction": "outbound", + "transport": "tcp" }, "related": { "ip": [ "1.2.3.4", "5.6.7.8" ] + }, + "rule": { + "name": "DefaultRule_AllowVnetOutBound" + }, + "source": { + "address": "1.2.3.4", + "bytes": 74, + "ip": "1.2.3.4", + "mac": "DB831EFEC376", + "packets": 1, + "port": 36422 } } @@ -164,53 +164,53 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"flow_state\": \"begin\", \"source_addr\": \"1.3.4.2\", \"macAddress\": \"DB831EFEC376\", \"operationName\": \"NetworkSecurityGroupFlowEvents\", \"resourceId\": \"/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG\", \"time\": \"2021-03-24T10:55:03.0680749Z\", \"rule\": \"DefaultRule_AllowInternetOutBound\", \"flow.0\": \"1616583277,1.2.3.4,5.6.7.8,55486,443,T,O,A\"}", "event": { - "kind": "event", + "action": "accept", "category": [ "network" ], "code": "NetworkSecurityGroupFlowEvents", - "action": "accept", + "kind": "event", "type": [ "allowed" ] }, - "rule": { - "name": "DefaultRule_AllowInternetOutBound" - }, "action": { - "type": "DefaultRule_AllowInternetOutBound", - "target": "network-traffic", + "name": "accept", "properties": [ { - "OperationName": "NetworkSecurityGroupFlowEvents", - "FlowState": "begin" + "FlowState": "begin", + "OperationName": "NetworkSecurityGroupFlowEvents" } ], - "name": "accept" + "target": "network-traffic", + "type": "DefaultRule_AllowInternetOutBound" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 443 }, "host": { "name": "/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG" }, "network": { - "transport": "tcp", - "direction": "inbound" - }, - "source": { - "ip": "1.3.4.2", - "port": 55486, - "mac": "DB831EFEC376", - "address": "1.3.4.2" - }, - "destination": { - "ip": "5.6.7.8", - "port": 443, - "address": "5.6.7.8" + "direction": "inbound", + "transport": "tcp" }, "related": { "ip": [ "1.3.4.2", "5.6.7.8" ] + }, + "rule": { + "name": "DefaultRule_AllowInternetOutBound" + }, + "source": { + "address": "1.3.4.2", + "ip": "1.3.4.2", + "mac": "DB831EFEC376", + "port": 55486 } } diff --git a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md index 8d63e95328..368c83b73b 100644 --- a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md +++ b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md @@ -366,6 +366,110 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "alert_3.json" + + ```json + + { + "message": "{\"@version\":\"1\",\"maturity\":\"stable\",\"log_type\":\"alert\",\"rule_name\":\"PowerShellInvoke-CommandExecutedonRemoteHost\",\"status\":\"new\",\"alert_type\":\"sigma\",\"level\":\"low\",\"quarantine\":4,\"threat_type\":\"commandline\",\"groups\":[{\"name\":\"Servers\",\"id\":\"19d20ee5-e12a-4f61-9321-edee5887ae1f\"}],\"rule_id\":\"59182ccc-f0e2-44a7-8531-4c586aea8c50\",\"msg\":\"DetectstheexecutionofPowerShellcommandInvoke-Commandonremotehost.\\nAttackerscanusethistechniquetoexecuteremotecommandsonatargethost,aspartoflateralmovement.\",\"alert_time\":\"2024-03-15T16:36:41.300+00:00\",\"alert_subtype\":\"process\",\"@event_create_date\":\"2024-03-15T16:36:41.300Z\",\"tags\":[\"attack.execution\",\"attack.lateral_movement\",\"attack.t1021.006\",\"attack.t1059.001\"],\"agent\":{\"domainname\":\"Example\",\"ostype\":\"windows\",\"hostname\":\"SRV001\",\"osproducttype\":\"WindowsServer2016Standard\",\"osversion\":\"10.0.14393\",\"additional_info\":{},\"version\":\"3.2.9\",\"distroid\":null,\"agentid\":\"8ba078ee-320f-406f-aa22-1ae08c94a699\",\"dnsdomainname\":\"example.org\",\"domain\":null},\"level_int\":20,\"type\":\"rtlogs\",\"detection_origin\":\"agent\",\"threat_values\":[\":\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell_ise.exe\"],\"details_powershell\":{\"PowershellCommand\":\"\\nfunctionGetWindowsServers{\\n$servers=Get-ADComputer-Filter{OperatingSystem-like\\\"*WindowsServer*\\\"}|Select-Object-ExpandPropertyName-First10\\nreturn$servers\\n}\\n\\n\\nfunctionGetWindowsRoles{\\nparam(\\n[string]$server\\n)\\n\\n$roles=Get-WindowsFeature-ComputerName$server|Where-Object{$_.Installed-eq$true}|Select-Object-ExpandPropertyName\\nreturn$roles\\n}\\n\\n\\nfunctionGetInstalledApplications{\\nparam(\\n[string]$server\\n)\\n\\n$applications=Get-WmiObject-ClassWin32_Product-ComputerName$server|Select-ObjectName,Version\\nreturn$applications\\n}\\n\\n\\nfunctionGetServices{\\nparam(\\n[string]$server\\n)\\n\\n$services=Get-Service-ComputerName$server\\nreturn$services\\n}\\n\\nfunctionGetOpenFlows{\\nparam(\\n[string]$server\\n)\\n\\n$flows=Invoke-Command-ComputerName$server-ScriptBlock{Get-NetTCPConnection|Select-ObjectLocalAddress,LocalPort,RemoteAddress,RemotePort}\\nreturn$flows\\n}\\n\\n\\nfunctionSortFlows{\\nparam(\\n[array]$flows\\n)\\n\\n$sortedFlows=$flows|Group-ObjectLocalPort,RemoteAddress|Sort-ObjectCount,Name\\nreturn$sortedFlows\\n}\\n\\n\\nfunctionEstablishLink{\\nparam(\\n[array]$flows,\\n[array]$servers\\n)\\n\\n$link=@{}\\n\\nforeach($flowin$flows){\\n$link[$flow]=$servers|Where-Object{$_-ne$flow}\\n}\\n\\nreturn$link\\n}\\n\\n\\nfunctionExportResults{\\nparam(\\n[hashtable]$results,\\n[string]$outputPath\\n)\\n\\n$results.GetEnumerator()|ForEach-Object{\\n$server=$_.Key\\n$flows=$_.Value\\n\\n$table=$flows|Select-ObjectLocalAddress,LocalPort,RemoteAddress,RemotePort\\n$table|Export-Csv-Path\\\"$outputPath\\\\$server.csv\\\"-NoTypeInformation-Delimiter\\\";\\\"-EncodingDefault\\n}\\n}\\n\\n\\n$servers=GetWindowsServers\\n\\nforeach($serverin$servers){\\n$roles=GetWindowsRoles-server$server\\n\\n$applications=GetInstalledApplications-server$server\\n\\n$services=GetServices-server$server\\n\\n$flows=GetOpenFlows-server$server\\n\\n$sortedFlows=SortFlows-flows$flows\\n\\n$link=EstablishLink-flows$sortedFlows-servers$servers\\n\\nExportResults-results$link-outputPath\\\"C:\\\\Scripts\\\\JIV\\\\Network\\\\Get-FaInterco\\\\Result\\\"\\n}\",\"PowershellScriptPath\":\"C:\\\\Scripts\\\\SomeWhere\\\\Get-FaInterco\\\\Get-FaNetworkFlowV2.ps1\"},\"threat_key\":16364,\"tenant\":\"\",\"alert_unique_id\":\"7202cdc8-0db4-49b6-809b-f5ebca7e55c7\",\"execution\":0,\"mitre_cells\":[\"execution__t1059.001\",\"lateral-movement__t1021.006\"],\"process\":{\"pid\":88872,\"size\":212992,\"usersid\":\"S-1-5-21-111111111-2222222222-333333333-44444\",\"fake_parent_commandline\":\"\",\"pe_timestamp\":\"2020-10-29T03:43:18.000Z\",\"hashes\":{\"md5\":\"8a2122e8162dbef04620b9c3e0b6cdee\",\"sha1\":\"f1efb0fddc156e4c61c5f89a54700e4e7984d55d\",\"sha256\":\"b99d74d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450\"},\"log_type\":\"process\",\"status\":0,\"log_platform_flag\":0,\"parent_unique_id\":\"cd7f1659-df4d-4c65-9d64-5b865a6e6ffc\",\"signature_info\":{\"signer_info\":{\"thumbprint_sha256\":\"2724aeb0c497bf5fd732958120d1ae3341cfd252ab1680de03d10503abc666c1\",\"issuer_name\":\"MicrosoftWindowsProductionPCA2011\",\"display_name\":\"MicrosoftWindows\",\"thumbprint\":\"8870483e0e833965a53f422494f1614f79286851\",\"serial_number\":\"33000004158295a1a3d82e2857000000000415\"},\"root_info\":{\"thumbprint_sha256\":\"df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e\",\"issuer_name\":\"MicrosoftRootCertificateAuthority2010\",\"display_name\":\"MicrosoftRootCertificateAuthority2010\",\"thumbprint\":\"3b1efd3a66ea28b16697394703a72ca340a05bd5\",\"serial_number\":\"28cc3a25bfba44ac449a9b586b4339aa\"},\"signed_authenticode\":false,\"signed_catalog\":true},\"integrity_level\":\"High\",\"current_directory\":\"C:\\\\Windows\\\\system32\\\\\",\"parent_commandline\":\"C:\\\\Windows\\\\System32\\\\RuntimeBroker.exe-Embedding\",\"parent_integrity_level\":\"Medium\",\"process_unique_id\":\"12b26748-e6af-46ff-9f16-994a7e3b6948\",\"grandparent_image\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"pe_info\":{\"pe_timestamp\":\"2020-10-29T03:43:18.000Z\",\"company_name\":\"MicrosoftCorporation\",\"original_filename\":\"powershell_ise.EXE\",\"legal_copyright\":\"\u00a9MicrosoftCorporation.Allrightsreserved.\",\"product_version\":\"10.0.14393.4046\",\"product_name\":\"Microsoft\u00aeWindows\u00aeOperatingSystem\",\"internal_name\":\"POWERSHELL_ISE\",\"file_description\":\"WindowsPowerShellISE\",\"file_version\":\"10.0.14393.4046(rs1_release.201028-1803)\"},\"ancestors\":\"C:\\\\Windows\\\\System32\\\\RuntimeBroker.exe|C:\\\\Windows\\\\System32\\\\svchost.exe|C:\\\\Windows\\\\System32\\\\services.exe|C:\\\\Windows\\\\System32\\\\wininit.exe\",\"signed\":true,\"ppid\":502776,\"ioc_matches\":[],\"commandline\":\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\",\"logonid\":14859541118,\"fake_parent_image\":\"\",\"grandparent_commandline\":\"C:\\\\Windows\\\\system32\\\\svchost.exe-kDcomLaunch\",\"dont_create_process\":true,\"grandparent_unique_id\":\"6b6af4c3-490c-4abf-81e0-33e914084c53\",\"fake_ppid\":0,\"create_time\":\"2024-03-15T15:22:56.982Z\",\"username\":\"EXAMPLE\\\\j.doe\",\"grandparent_integrity_level\":\"System\",\"pe_timestamp_int\":1603942998,\"parent_image\":\"C:\\\\Windows\\\\System32\\\\RuntimeBroker.exe\",\"session\":123,\"process_name\":\"powershell_ise.exe\",\"image_name\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\"},\"aggregation_key\":\"40fd5973a79d4e0f21e689938e5f269d20a3be780949eb6f408d5cb65c6974d1\",\"@timestamp\":\"2024-03-15T16:35:28.973874124Z\",\"image_name\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\"}", + "event": { + "category": [ + "process" + ], + "dataset": "alert", + "kind": "alert", + "type": [ + "start" + ] + }, + "@timestamp": "2024-03-15T16:36:41.300000Z", + "agent": { + "id": "8ba078ee-320f-406f-aa22-1ae08c94a699", + "name": "harfanglab" + }, + "file": { + "hash": { + "md5": "8a2122e8162dbef04620b9c3e0b6cdee", + "sha1": "f1efb0fddc156e4c61c5f89a54700e4e7984d55d", + "sha256": "b99d74d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450" + } + }, + "harfanglab": { + "aggregation_key": "40fd5973a79d4e0f21e689938e5f269d20a3be780949eb6f408d5cb65c6974d1", + "alert_subtype": "process", + "alert_time": "2024-03-15T16:36:41.300+00:00", + "alert_unique_id": "7202cdc8-0db4-49b6-809b-f5ebca7e55c7", + "execution": 0, + "groups": [ + "{\"id\": \"19d20ee5-e12a-4f61-9321-edee5887ae1f\", \"name\": \"Servers\"}" + ], + "level": "low", + "process": { + "powershell": { + "command": "\nfunctionGetWindowsServers{\n$servers=Get-ADComputer-Filter{OperatingSystem-like\"*WindowsServer*\"}|Select-Object-ExpandPropertyName-First10\nreturn$servers\n}\n\n\nfunctionGetWindowsRoles{\nparam(\n[string]$server\n)\n\n$roles=Get-WindowsFeature-ComputerName$server|Where-Object{$_.Installed-eq$true}|Select-Object-ExpandPropertyName\nreturn$roles\n}\n\n\nfunctionGetInstalledApplications{\nparam(\n[string]$server\n)\n\n$applications=Get-WmiObject-ClassWin32_Product-ComputerName$server|Select-ObjectName,Version\nreturn$applications\n}\n\n\nfunctionGetServices{\nparam(\n[string]$server\n)\n\n$services=Get-Service-ComputerName$server\nreturn$services\n}\n\nfunctionGetOpenFlows{\nparam(\n[string]$server\n)\n\n$flows=Invoke-Command-ComputerName$server-ScriptBlock{Get-NetTCPConnection|Select-ObjectLocalAddress,LocalPort,RemoteAddress,RemotePort}\nreturn$flows\n}\n\n\nfunctionSortFlows{\nparam(\n[array]$flows\n)\n\n$sortedFlows=$flows|Group-ObjectLocalPort,RemoteAddress|Sort-ObjectCount,Name\nreturn$sortedFlows\n}\n\n\nfunctionEstablishLink{\nparam(\n[array]$flows,\n[array]$servers\n)\n\n$link=@{}\n\nforeach($flowin$flows){\n$link[$flow]=$servers|Where-Object{$_-ne$flow}\n}\n\nreturn$link\n}\n\n\nfunctionExportResults{\nparam(\n[hashtable]$results,\n[string]$outputPath\n)\n\n$results.GetEnumerator()|ForEach-Object{\n$server=$_.Key\n$flows=$_.Value\n\n$table=$flows|Select-ObjectLocalAddress,LocalPort,RemoteAddress,RemotePort\n$table|Export-Csv-Path\"$outputPath\\$server.csv\"-NoTypeInformation-Delimiter\";\"-EncodingDefault\n}\n}\n\n\n$servers=GetWindowsServers\n\nforeach($serverin$servers){\n$roles=GetWindowsRoles-server$server\n\n$applications=GetInstalledApplications-server$server\n\n$services=GetServices-server$server\n\n$flows=GetOpenFlows-server$server\n\n$sortedFlows=SortFlows-flows$flows\n\n$link=EstablishLink-flows$sortedFlows-servers$servers\n\nExportResults-results$link-outputPath\"C:\\Scripts\\JIV\\Network\\Get-FaInterco\\Result\"\n}", + "script_path": "C:\\Scripts\\SomeWhere\\Get-FaInterco\\Get-FaNetworkFlowV2.ps1" + } + }, + "status": "new" + }, + "host": { + "domain": "Example", + "hostname": "SRV001", + "name": "SRV001", + "os": { + "full": "WindowsServer2016Standard", + "version": "10.0.14393" + } + }, + "log": { + "hostname": "SRV001" + }, + "process": { + "command_line": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe", + "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", + "name": "powershell_ise.exe", + "parent": { + "command_line": "C:\\Windows\\System32\\RuntimeBroker.exe-Embedding", + "executable": "C:\\Windows\\System32\\RuntimeBroker.exe" + }, + "pe": { + "company": "MicrosoftCorporation", + "description": "WindowsPowerShellISE", + "file_version": "10.0.14393.4046(rs1_release.201028-1803)", + "original_file_name": "powershell_ise.EXE", + "product": "Microsoft\u00aeWindows\u00aeOperatingSystem" + }, + "pid": 88872, + "working_directory": "C:\\Windows\\system32\\" + }, + "related": { + "hash": [ + "8a2122e8162dbef04620b9c3e0b6cdee", + "b99d74d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "f1efb0fddc156e4c61c5f89a54700e4e7984d55d" + ], + "hosts": [ + "SRV001" + ], + "user": [ + "EXAMPLE\\j.doe" + ] + }, + "rule": { + "category": "sigma", + "description": "DetectstheexecutionofPowerShellcommandInvoke-Commandonremotehost.\nAttackerscanusethistechniquetoexecuteremotecommandsonatargethost,aspartoflateralmovement.", + "id": "59182ccc-f0e2-44a7-8531-4c586aea8c50", + "name": "PowerShellInvoke-CommandExecutedonRemoteHost" + }, + "user": { + "name": "EXAMPLE\\j.doe", + "roles": "Servers" + } + } + + ``` + + === "alert_false_positive.json" ```json @@ -2112,6 +2216,7 @@ The following table lists the fields that are extracted, normalized under the EC |`harfanglab.groups` | `keyword` | harfanglab groups | |`harfanglab.level` | `keyword` | The risk level associated to the event | |`harfanglab.process.powershell.command` | `keyword` | The powershell command executed | +|`harfanglab.process.powershell.script_path` | `keyword` | The powershell script path | |`harfanglab.status` | `keyword` | The status of the event | |`harfanglab.threat_id` | `keyword` | Id of the threat | |`host.domain` | `keyword` | Name of the directory the group is a member of. | diff --git a/_shared_content/operations_center/integrations/generated/40bac399-2d8e-40e3-af3b-f73a622c9687.md b/_shared_content/operations_center/integrations/generated/40bac399-2d8e-40e3-af3b-f73a622c9687.md index 51d1684e4c..ba73f25cd0 100644 --- a/_shared_content/operations_center/integrations/generated/40bac399-2d8e-40e3-af3b-f73a622c9687.md +++ b/_shared_content/operations_center/integrations/generated/40bac399-2d8e-40e3-af3b-f73a622c9687.md @@ -518,7 +518,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "url": { + "full": "https://ping-edge.smartscreen.microsoft.com/", + "original": "/", "path": "/", + "port": 443, "scheme": "https" }, "user": { @@ -529,6 +532,114 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "skyhigh_swg_1.json" + + ```json + + { + "message": "user_id=-1 username=user source_ip=1.2.3.4 http_action=PUT server_to_client_bytes=7976 client_to_server_bytes=860 requested_host=wetransfer.com requested_path=/api/v4/transfers/azerty123/finalize result=OBSERVED virus= request_timestamp_epoch=1699464228 request_timestamp=2023-11-08 17:23:48 uri_scheme=https category=Personal Network Storage media_type=text/plain application_type=WeTransfer Channel reputation=Minimal Risk last_rule=Block URLs Whose Category Is in Category Blocklist http_status_code=200 client_ip=4.3.2.1 location= block_reason= user_agent_product=Chrome user_agent_version=119.0.0.0 user_agent_comment=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 process_name=chrome.exe destination_ip=5.6.7.8 destination_port=443 pop_country_code=FR referer=https://wetransfer.com/ ssl_scanned=t av_scanned_up=t av_scanned_down=t rbi=f dlp=f client_system_name=por-005003 filename=finalize pop_egress_ip=4.5.6.7 pop_ingress_ip=4.5.6.7 proxy_port=8080", + "event": { + "action": "allowed", + "category": [ + "network" + ], + "kind": "event", + "type": [ + "access", + "allowed", + "connection" + ] + }, + "@timestamp": "2023-11-08T17:23:48Z", + "destination": { + "address": "wetransfer.com", + "bytes": 7976, + "domain": "wetransfer.com", + "ip": "5.6.7.8", + "port": 443, + "registered_domain": "wetransfer.com", + "top_level_domain": "com" + }, + "file": { + "name": "finalize" + }, + "host": { + "name": "por-005003" + }, + "http": { + "request": { + "method": "PUT", + "mime_type": "text/plain" + }, + "response": { + "mime_type": "text/plain", + "status_code": 200 + } + }, + "network": { + "direction": "egress" + }, + "observer": { + "product": "McAfee Web Gateway", + "type": "proxy", + "vendor": "McAfee Corp." + }, + "process": { + "name": "chrome.exe" + }, + "related": { + "hosts": [ + "wetransfer.com" + ], + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8" + ], + "user": [ + "user" + ] + }, + "rule": { + "category": "Personal Network Storage", + "name": "Block URLs Whose Category Is in Category Blocklist" + }, + "skyhighsecurity": { + "application_type": "WeTransfer Channel", + "av_scanned_down": "true", + "av_scanned_up": "true", + "dlp": "false", + "proxy_port": 8080, + "rbi": "false", + "referer": "https://wetransfer.com/", + "reputation": "Minimal Risk", + "ssl_scanned": "true", + "user_agent_comment": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36", + "user_agent_version": "119.0.0.0" + }, + "source": { + "address": "4.3.2.1", + "bytes": 860, + "ip": "4.3.2.1", + "nat": { + "ip": "1.2.3.4" + } + }, + "url": { + "full": "https://wetransfer.com/api/v4/transfers/azerty123/finalize", + "original": "/api/v4/transfers/azerty123/finalize", + "path": "/api/v4/transfers/azerty123/finalize", + "port": 443, + "scheme": "https" + }, + "user": { + "name": "user" + } + } + + ``` + + === "skyhigh_swg_block.json" ```json @@ -614,7 +725,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "url": { + "full": "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab", + "original": "/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab", "path": "/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab", + "port": 80, "scheme": "http" }, "user": { @@ -676,6 +790,7 @@ The following table lists the fields that are extracted, normalized under the EC |`source.ip` | `ip` | IP address of the source. | |`source.nat.ip` | `ip` | Source NAT ip | |`url.domain` | `keyword` | Domain of the url. | +|`url.full` | `wildcard` | Full unparsed URL. | |`url.original` | `wildcard` | Unmodified original url as seen in the event source. | |`url.path` | `wildcard` | Path of the request, such as "/search". | |`url.port` | `long` | Port of the request, such as 443. | diff --git a/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md b/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md index 6d2f9c1571..8203709025 100644 --- a/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md +++ b/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md @@ -21,7 +21,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | | Kind | `alert`, `event` | -| Category | `file`, `intrusion_detection`, `malware`, `network` | +| Category | `authentication`, `file`, `intrusion_detection`, `malware`, `network` | | Type | `change`, `connection`, `end`, `info`, `start` | @@ -603,6 +603,50 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_ASA_113004.json" + + ```json + + { + "message": "%ASA-6-113004: AAA user authentication Successful : server = 10.79.48.28 : user = jdoe001566", + "event": { + "category": [ + "authentication" + ], + "code": "113004", + "kind": "event", + "outcome": "success", + "type": [ + "start" + ] + }, + "action": { + "target": "network-traffic" + }, + "destination": { + "address": "10.79.48.28", + "ip": "10.79.48.28" + }, + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" + }, + "related": { + "ip": [ + "10.79.48.28" + ], + "user": [ + "jdoe001566" + ] + }, + "user": { + "name": "jdoe001566" + } + } + + ``` + + === "test_ASA_199019.json" ```json @@ -1934,6 +1978,50 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_FTD_113004.json" + + ```json + + { + "message": "%FTD-6-113004: AAA user authentication Successful : server = 10.10.48.61 : user = jdoe", + "event": { + "category": [ + "authentication" + ], + "code": "113004", + "kind": "event", + "outcome": "success", + "type": [ + "start" + ] + }, + "action": { + "target": "network-traffic" + }, + "destination": { + "address": "10.10.48.61", + "ip": "10.10.48.61" + }, + "observer": { + "product": "Firepower Threat Defense", + "vendor": "Cisco" + }, + "related": { + "ip": [ + "10.10.48.61" + ], + "user": [ + "jdoe" + ] + }, + "user": { + "name": "jdoe" + } + } + + ``` + + === "test_FTD_430002_1.json" ```json @@ -2850,6 +2938,7 @@ The following table lists the fields that are extracted, normalized under the EC |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.code` | `keyword` | Identification code for this event. | |`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.outcome` | `keyword` | The outcome of the event. The lowest level categorization field in the hierarchy. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`file.extension` | `keyword` | File extension, excluding the leading dot. | diff --git a/_shared_content/operations_center/integrations/generated/46e45417-187b-45bb-bf81-30df7b1963a0.md b/_shared_content/operations_center/integrations/generated/46e45417-187b-45bb-bf81-30df7b1963a0.md index 0a77e0fa68..5eb345036a 100644 --- a/_shared_content/operations_center/integrations/generated/46e45417-187b-45bb-bf81-30df7b1963a0.md +++ b/_shared_content/operations_center/integrations/generated/46e45417-187b-45bb-bf81-30df7b1963a0.md @@ -104,7 +104,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "url": { "original": "/config/postProcessing/testNaming", - "path": "/config/postProcessing/testNaming" + "path": "/config/postProcessing/testNaming", + "query": "REDACTED" }, "user_agent": { "device": { @@ -123,6 +124,98 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "Block2.json" + + ```json + + { + "message": "{\"timestamp\":1709166517900,\"formatVersion\":1,\"webaclId\":\"arn:aws:wafv2:eu-east-1:111111111111:regional/webacl/web-acl-corp/2f718aae-1809-4772-a5c6-e82327f6012f\",\"terminatingRuleId\":\"block-wheel-calls\",\"terminatingRuleType\":\"REGULAR\",\"action\":\"BLOCK\",\"terminatingRuleMatchDetails\":[],\"httpSourceName\":\"lb\",\"httpSourceId\":\"1111111111-app/dom-example-lb/68b329da9893e34\",\"ruleGroupList\":[],\"rateBasedRuleList\":[],\"nonTerminatingMatchingRules\":[],\"requestHeadersInserted\":null,\"responseCodeSent\":null,\"httpRequest\":{\"clientIp\":\"1.2.3.4\",\"country\":\"US\",\"headers\":[{\"name\":\"Host\",\"value\":\"dom.example.com\"},{\"name\":\"User-Agent\",\"value\":\"Mozilla/5.0(X11;Linuxx86_64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/69.0.3497.12Safari/537.36\"},{\"name\":\"Connection\",\"value\":\"close\"},{\"name\":\"Accept\",\"value\":\"*/*\"},{\"name\":\"Accept-Language\",\"value\":\"en\"},{\"name\":\"Accept-Encoding\",\"value\":\"gzip\"}],\"uri\":\"/console/\",\"args\":\"_param1=true&_pageLabel\u00b6m2=value1\",\"httpVersion\":\"HTTP/1.1\",\"httpMethod\":\"GET\",\"requestId\":\"1-65dfcfb5-68b329da9893e34099c7d8ad\"},\"ja3Fingerprint\":\"68b329da9893e34099c7d8ad5cb9c940\",\"labels\":[{\"name\":\"awswaf:111111111111:webacl:web-acl-corp:wheel\"}]}", + "event": { + "action": "BLOCK", + "category": [ + "network" + ], + "kind": "event", + "module": "aws.waf", + "type": [ + "access" + ] + }, + "@timestamp": "2024-02-29T00:28:37.900000Z", + "action": { + "target": "network-traffic" + }, + "aws": { + "waf": { + "rule": { + "arn": "arn:aws:wafv2:eu-east-1:111111111111:regional/webacl/web-acl-corp/2f718aae-1809-4772-a5c6-e82327f6012f" + } + } + }, + "cloud": { + "provider": "aws", + "region": "eu-east-1", + "service": { + "name": "waf" + } + }, + "destination": { + "address": "dom.example.com", + "domain": "dom.example.com", + "registered_domain": "example.com", + "subdomain": "dom", + "top_level_domain": "com" + }, + "http": { + "request": { + "id": "1-65dfcfb5-68b329da9893e34099c7d8ad", + "method": "GET" + }, + "version": "HTTP/1.1" + }, + "observer": { + "type": "waf" + }, + "related": { + "hosts": [ + "dom.example.com" + ], + "ip": [ + "1.2.3.4" + ] + }, + "rule": { + "category": "REGULAR", + "name": "block-wheel-calls" + }, + "source": { + "address": "1.2.3.4", + "geo": { + "country_iso_code": "US" + }, + "ip": "1.2.3.4" + }, + "url": { + "original": "/console/", + "path": "/console/", + "query": "_param1=true&_pageLabel\u00b6m2=value1" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0(X11;Linuxx86_64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/69.0.3497.12Safari/537.36", + "os": { + "name": "Linux" + }, + "version": "69.0.3497" + } + } + + ``` + + === "SQL_injection.json" ```json @@ -203,7 +296,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "url": { "original": "/login.php", - "path": "/login.php" + "path": "/login.php", + "query": "REDACTED" }, "user_agent": { "device": { @@ -298,7 +392,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "url": { "original": "/wp-admin/options-general.php", - "path": "/wp-admin/options-general.php" + "path": "/wp-admin/options-general.php", + "query": "REDACTED" }, "user_agent": { "device": { @@ -395,7 +490,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "url": { "original": "/graphql", - "path": "/graphql" + "path": "/graphql", + "query": "REDACTED" }, "user_agent": { "device": { @@ -488,7 +584,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "url": { "original": "/subscriptions", - "path": "/subscriptions" + "path": "/subscriptions", + "query": "REDACTED" }, "user_agent": { "device": { @@ -585,7 +682,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "url": { "original": "/graphql", - "path": "/graphql" + "path": "/graphql", + "query": "REDACTED" }, "user_agent": { "device": { @@ -677,7 +775,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "url": { "original": "/subscriptions", - "path": "/subscriptions" + "path": "/subscriptions", + "query": "REDACTED" }, "user_agent": { "device": { @@ -732,5 +831,6 @@ The following table lists the fields that are extracted, normalized under the EC |`source.geo.country_iso_code` | `keyword` | Country ISO code. | |`source.ip` | `ip` | IP address of the source. | |`url.original` | `wildcard` | Unmodified original url as seen in the event source. | +|`url.query` | `keyword` | Query string of the request. | |`user_agent.original` | `keyword` | Unparsed user_agent string. | diff --git a/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md b/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md index 3bda9997ff..2445795cdf 100644 --- a/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md +++ b/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md @@ -260,6 +260,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "type": "utm" }, + "policyid": "1685", + "poluuid": "4470d4c5-7e12-4a8f-a369-08eff4a43b5b", "virtual_domain": "root" } }, @@ -345,6 +347,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "type": "utm" }, + "policyid": "770", + "poluuid": "f2aef0f2-a721-49cf-9dd3-b27f7f5b90bc", "virtual_domain": "root" } }, @@ -868,6 +872,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "desc": "illegal parameter", "type": "event" }, + "policyid": "0", "virtual_domain": "PRX1-AA" } }, @@ -1597,6 +1602,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "type": "dns" }, + "policyid": "1", "virtual_domain": "vdom1" } }, @@ -1873,6 +1879,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "type": "utm" }, + "policyid": "1", "virtual_domain": "root" } }, @@ -1961,6 +1968,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "type": "traffic" }, + "policyid": "1", + "poluuid": "1520e1aa-823a-51e9-984f-a55e1f39b3c7", "virtual_domain": "root" } }, @@ -2043,6 +2052,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "type": "traffic" }, + "policyid": "0", "virtual_domain": "root" } }, @@ -2196,6 +2206,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "type": "traffic" }, + "policyid": "637", + "poluuid": "b23818a6-8f49-51ea-9db7-4e4965a3483c", "virtual_domain": "ROUTER" } }, @@ -2366,6 +2378,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "severity": "low", "type": "utm" }, + "policyid": "494", + "poluuid": "aecacfaf-8d3f-4809-a60f-bf873e0fcab3", "virtual_domain": "root" } }, @@ -2455,6 +2469,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "type": "traffic" }, + "policyid": "37", + "poluuid": "6a8f76d0-1459-4ddb-948a-62700ddbf241", "user": { "source": "kerberos" }, @@ -2462,7 +2478,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "host": { - "name": "computer-039482" + "name": "C-3424", + "os": { + "family": "Windows" + } }, "log": { "hostname": "computer-039482", @@ -2844,9 +2863,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "type": "traffic" }, + "policyid": "1", "virtual_domain": "root" } }, + "host": { + "os": { + "family": "Apple" + } + }, "log": { "level": "notice" }, @@ -2926,9 +2951,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "type": "traffic" }, + "policyid": "1", "virtual_domain": "root" } }, + "host": { + "os": { + "family": "Apple" + } + }, "log": { "level": "notice" }, @@ -3005,6 +3036,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "type": "traffic" }, + "policyid": "1", + "poluuid": "1eb429d4-ff52-51ea-d119-d1db60e409a6", "virtual_domain": "PRX1-AA" } }, @@ -3159,6 +3192,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "type": "traffic" }, + "policyid": "207", + "poluuid": "d77c53b2-a3c6-51e9-49b2-61c9e68c1f7e", "virtual_domain": "root" } }, @@ -3214,6 +3249,102 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "traffic_nat_1.STANDARD.json" + + ```json + + { + "message": "timestamp=1709762763 devname=\"FW-001\" devid=\"FG100D6G11111111\" vd=\"root\" date=2024-03-06 time=22:06:03 logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" eventtime=1709762764028577926 tz=\"+0000\" srcip=1.2.3.4 srcname=\"DESKTOP-00001\" srcport=62979 srcintf=\"Port3.999\" srcintfrole=\"lan\" dstip=5.6.7.8 dstport=53 dstintf=\"wan1\" dstintfrole=\"undefined\" sessionid=538959618 proto=17 action=\"accept\" policyid=41 policytype=\"policy\" poluuid=\"703570eee-edfc-4565-8599-c6a75fd3e1e8\" service=\"DNS\" dstcountry=\"France\" srccountry=\"Reserved\" trandisp=\"snat\" transip=4.5.6.7 transport=62979 appid=16195 app=\"DNS\" appcat=\"Network.Service\" apprisk=\"elevated\" applist=\"EMEA_Monitor\" duration=189 sentbyte=285 rcvdbyte=0 sentpkt=5 rcvdpkt=0 osname=\"Windows\" srcswversion=\"10\" mastersrcmac=\"54:13:79:a3:8a:a3\" srcmac=\"54:13:79:a3:8a:a3\" srcserver=0", + "event": { + "action": "accept", + "category": "traffic", + "code": "0000000013", + "dataset": "traffic:forward", + "outcome": "success", + "timezone": "+0000" + }, + "@timestamp": "2024-03-06T22:06:03Z", + "action": { + "name": "accept", + "outcome": "success", + "target": "network-traffic", + "type": "forward" + }, + "destination": { + "address": "5.6.7.8", + "bytes": 0, + "ip": "5.6.7.8", + "packets": 0, + "port": 53 + }, + "fortinet": { + "fortigate": { + "apprisk": "elevated", + "event": { + "type": "traffic" + }, + "policyid": "41", + "poluuid": "703570eee-edfc-4565-8599-c6a75fd3e1e8", + "virtual_domain": "root" + } + }, + "host": { + "name": "DESKTOP-00001", + "os": { + "family": "Windows" + } + }, + "log": { + "hostname": "FW-001", + "level": "notice" + }, + "network": { + "application": "DNS", + "bytes": 285, + "protocol": "dns", + "transport": "udp" + }, + "observer": { + "egress": { + "interface": { + "name": "wan1" + } + }, + "hostname": "FW-001", + "ingress": { + "interface": { + "name": "Port3.999" + } + }, + "serial_number": "FG100D6G11111111" + }, + "related": { + "hosts": [ + "FW-001" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "apprisk": "elevated", + "category": "Network.Service", + "ruleset": "EMEA_Monitor" + }, + "source": { + "address": "1.2.3.4", + "bytes": 285, + "ip": "1.2.3.4", + "mac": "54:13:79:a3:8a:a3", + "packets": 5, + "port": 62979 + } + } + + ``` + + === "tunnel.json" ```json @@ -3700,6 +3831,8 @@ The following table lists the fields that are extracted, normalized under the EC |`fortinet.fortigate.event.type` | `keyword` | Type of the event. | |`fortinet.fortigate.icmp.request.code` | `keyword` | The request code. | |`fortinet.fortigate.icmp.request.type` | `keyword` | The request type. | +|`fortinet.fortigate.policyid` | `keyword` | ID of the policy | +|`fortinet.fortigate.poluuid` | `keyword` | UUID of pol | |`fortinet.fortigate.tunnel.id` | `keyword` | The id of the tunnel | |`fortinet.fortigate.tunnel.ip` | `keyword` | The ip of the tunnel | |`fortinet.fortigate.tunnel.name` | `keyword` | The name of the tunnel | @@ -3707,6 +3840,8 @@ The following table lists the fields that are extracted, normalized under the EC |`fortinet.fortigate.tunnel.version` | `keyword` | The version of the tunnel | |`fortinet.fortigate.user.source` | `keyword` | The source of the username | |`fortinet.fortigate.virtual_domain` | `keyword` | Name of the virtual domain in which the event was observed | +|`host.name` | `keyword` | Name of the host. | +|`host.os.family` | `keyword` | OS family (such as redhat, debian, freebsd, windows). | |`http.request.method` | `keyword` | HTTP request method. | |`log.level` | `keyword` | Log level of the log event. | |`network.application` | `keyword` | Application level protocol name. | diff --git a/_shared_content/operations_center/integrations/generated/5a8ef52f-d143-4735-8546-98539fc07725.md b/_shared_content/operations_center/integrations/generated/5a8ef52f-d143-4735-8546-98539fc07725.md index 4ec211f23b..5bba9524b6 100644 --- a/_shared_content/operations_center/integrations/generated/5a8ef52f-d143-4735-8546-98539fc07725.md +++ b/_shared_content/operations_center/integrations/generated/5a8ef52f-d143-4735-8546-98539fc07725.md @@ -30,6 +30,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "outcome": "success" }, + "@timestamp": "2020-06-12T14:31:38Z", "action": { "name": "request", "outcome": "success", @@ -106,6 +107,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "outcome": "success" }, + "@timestamp": "2020-06-12T14:30:59Z", "action": { "name": "request", "outcome": "success", @@ -162,6 +164,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "outcome": "success" }, + "@timestamp": "2024-03-03T20:28:52Z", "action": { "name": "request", "outcome": "success", @@ -245,6 +248,7 @@ The following table lists the fields that are extracted, normalized under the EC | Name | Type | Description | | ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | |`action.target` | `keyword` | The target of the action | |`destination.address` | `keyword` | Destination network address. | |`destination.domain` | `keyword` | The domain name of the destination. | diff --git a/_shared_content/operations_center/integrations/generated/5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2.md b/_shared_content/operations_center/integrations/generated/5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2.md index 0e10c51377..ba2b852eb4 100644 --- a/_shared_content/operations_center/integrations/generated/5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2.md +++ b/_shared_content/operations_center/integrations/generated/5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2.md @@ -32,6 +32,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "outcome": "success" }, + "@timestamp": "2020-06-12T14:31:52Z", "action": { "name": "block", "outcome": "success", @@ -74,6 +75,7 @@ The following table lists the fields that are extracted, normalized under the EC | Name | Type | Description | | ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | |`action.target` | `keyword` | Target of the action | |`destination.ip` | `ip` | IP address of the destination. | |`destination.port` | `long` | Port of the destination. | diff --git a/_shared_content/operations_center/integrations/generated/622999fe-d383-4d41-9f2d-eed5013fe463.md b/_shared_content/operations_center/integrations/generated/622999fe-d383-4d41-9f2d-eed5013fe463.md index a228ccfa71..94c1eeeb55 100644 --- a/_shared_content/operations_center/integrations/generated/622999fe-d383-4d41-9f2d-eed5013fe463.md +++ b/_shared_content/operations_center/integrations/generated/622999fe-d383-4d41-9f2d-eed5013fe463.md @@ -35,54 +35,54 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "id=sslvpn sn=111111111111 time=\"2023-09-18 07:43:15\" vp_time=\"2023-09-18 05:43:15 UTC\" fw=5.6.7.8 pri=5 m=1 c=1 src=1.2.3.4 dst=\"off0123.example.com\" user=\"JDOE@OFF0123\" usr=\"JDOE@OFF0123\" msg=\"User login successful\" portal=\"off0123\" domain=\"off0123\" agent=\"SonicWALL NetExtender for Windows 10.2.336 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1) x86_64\"", "event": { - "kind": "event", "category": [ "network" ], + "kind": "event", "type": [ "info" ] }, + "@timestamp": "2023-09-18T05:43:15Z", + "destination": { + "address": "off0123.example.com" + }, "observer": { - "vendor": "SonicWall", + "ip": [ + "5.6.7.8" + ], "product": "Secure Mobile Access", "type": "firewall", + "vendor": "SonicWall" + }, + "related": { "ip": [ + "1.2.3.4", "5.6.7.8" + ], + "user": [ + "JDOE" ] }, - "@timestamp": "2023-09-18T05:43:15Z", "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" + "address": "1.2.3.4", + "ip": "1.2.3.4" }, - "destination": { - "address": "off0123.example.com" + "user": { + "domain": "OFF0123", + "name": "JDOE" }, "user_agent": { - "original": "SonicWALL NetExtender for Windows 10.2.336 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1) x86_64", "device": { "name": "Other" }, "name": "IE", - "version": "7.0", + "original": "SonicWALL NetExtender for Windows 10.2.336 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1) x86_64", "os": { "name": "Windows", "version": "10" - } - }, - "user": { - "name": "JDOE", - "domain": "OFF0123" - }, - "related": { - "ip": [ - "1.2.3.4", - "5.6.7.8" - ], - "user": [ - "JDOE" - ] + }, + "version": "7.0" } } diff --git a/_shared_content/operations_center/integrations/generated/6dbdd199-77ae-4705-a5de-5c2722fa020e.md b/_shared_content/operations_center/integrations/generated/6dbdd199-77ae-4705-a5de-5c2722fa020e.md index ef170cc856..d5be9864bb 100644 --- a/_shared_content/operations_center/integrations/generated/6dbdd199-77ae-4705-a5de-5c2722fa020e.md +++ b/_shared_content/operations_center/integrations/generated/6dbdd199-77ae-4705-a5de-5c2722fa020e.md @@ -171,6 +171,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023-05-23T14:24:09.190263+02:00 waf01.example.org - - - - {\"logAlertUid\":\"2576cdd6c17d441234567891234\",\"@timestamp\":\"1688012345678\",\"timestamp\":\"1688012345678\",\"request\":{\"body\":\"\",\"cookies\":[],\"headers\":[{\"key\":\"Host\",\"value\":\"monespacetest.com\"},{\"key\":\"Connection\",\"value\":\"Keep-Alive\"},{\"key\":\"User-Agent\",\"value\":\"ContentSquare Static Resource Scraper\"},{\"key\":\"Accept-Encoding\",\"value\":\"gzip,deflate\"},{\"key\":\"X-Forwarded-For\",\"value\":\"1.2.3.4\"}],\"hostname\":\"monespacetest.com\",\"ipDst\":\"1.2.3.4\",\"ipSrc\":\"1.2.3.4\",\"method\":\"GET\",\"path\":\"/redirect\",\"portDst\":443,\"protocol\":\"HTTP/1.1\",\"query\":\"token=123456789123456789\",\"requestUid\":\"ZJ1EyTzEESxHZlPdslM1MgAAAQw\"},\"context\":{\"tags\":\"\",\"applianceName\":\"zzzzz.test\",\"applianceUid\":\"bde804caa644121234567891234567\",\"backendHost\":\"monespacetest.com\",\"backendPort\":443,\"reverseProxyName\":\"Rp-test-02\",\"reverseProxyUid\":\"61d95350a8f99874123456789\",\"tunnelName\":\"NEC PROD v10 #1\",\"tunnelUid\":\"317a891996f275b12345678912345\",\"workflowName\":\"Workflow - NEC PROD v10 - with Bot Migitation and Rate Limiter\",\"workflowUid\":\"f00058d7c75c34e123456789987654\"},\"events\":[{\"eventUid\":\"fe767ff2e8574789941b998e6\",\"tokens\":{\"date\":14012345678999,\"eventType\":\"bot mitigation\",\"engineUid\":\"botMitigation\",\"engineName\":\"Bot Mitigation\",\"attackFamily\":\"Bots and Web Scraping\",\"riskLevel\":27,\"riskLevelOWASP\":2.7,\"cwe\":\"CWE-799\",\"severity\":5,\"resolveType\":\"Default Resolve\",\"part\":\"No Part\",\"reason\":\"Basic bot detected\",\"botMitigationDetails\":\"Client does not follow HTTP redirect or uses cookies\",\"botMitigationRuleName\":\"\",\"botMitigationRuleUid\":\"\",\"botMitigationRuleSource\":\"\",\"botMitigationRuleExpirationDate\":\"\",\"botMitigationChallenge\":\"challengeBasic\",\"botMitigationClientFingerprint\":\"\",\"botMitigationClientUseragent\":\"ContentSquare Static Resource Scraper\",\"botMitigationNewRule\":\"false\",\"botMitigationConfigurationUid\":\"43333333333333333333\",\"botMitigationConfigurationName\":\"PREVOIR Bot mitigation Configuration\"}}]}", "event": { + "action": "block", "category": [ "threat" ], @@ -178,16 +179,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "kind": "alert", "module": "ubika.waf", "provider": "Bot Mitigation", + "severity": 5, "type": [ "indicator" - ], - "action": "block", - "severity": 5 - }, - "observer": { - "name": "waf01.example.org", - "product": "Ubika WAAP", - "vendor": "Ubika" + ] }, "@timestamp": "2023-06-29T04:19:05.678000Z", "destination": { @@ -203,6 +198,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "method": "GET" } }, + "observer": { + "name": "waf01.example.org", + "product": "Ubika WAAP", + "vendor": "Ubika" + }, "related": { "hosts": [ "monespacetest.com" @@ -225,6 +225,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "ubika": { "waap": { + "tokens": { + "risk": { + "level": "27" + } + }, "tunnel": { "name": "NEC PROD v10 #1", "uuid": "317a891996f275b12345678912345" @@ -232,11 +237,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "workflow": { "name": "Workflow - NEC PROD v10 - with Bot Migitation and Rate Limiter", "uuid": "f00058d7c75c34e123456789987654" - }, - "tokens": { - "risk": { - "level": "27" - } } } }, @@ -272,6 +272,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023-05-23T14:24:09.190263+02:00 waf01.example.org - - - - {\"logAlertUid\":\"ddf61af5388949b486059409e9a10d23\",\"@timestamp\":\"1570176199762\",\"timestamp\":\"1570176199762\",\"request\":{\"body\":\"\",\"cookies\":[],\"headers\":[{\"key\":\"Host\",\"value\":\"example.org\"},{\"key\":\"User-Agent\",\"value\":\"ApacheBench/2.3\"},{\"key\":\"Accept\",\"value\":\"*/*\"}],\"hostname\":\"example.org\",\"ipDst\":\"5.6.7.8\",\"ipSrc\":\"1.2.3.4\",\"method\":\"GET\",\"path\":\"/\",\"portDst\":80,\"protocol\":\"HTTP/1.0\",\"query\":\"\",\"requestUid\":\"e380e3bef3814649aebc50e940c8bf98\"},\"context\":{\"tags\":\"\",\"applianceName\":\"Management\",\"applianceUid\":\"481294d4fdefdb1bcbfcedac6f5e2777\",\"backendHost\":\"5.6.7.8\",\"backendPort\":80,\"reverseProxyName\":\"RP1\",\"reverseProxyUid\":\"79473e608a1cbccc06a86a0a6484a2f7\",\"tunnelName\":\"Tunnel1\",\"tunnelUid\":\"28ebc9deec52dd1b3a5c51eaf52b0606\",\"workflowName\":\"WF - Bot Mitigation\",\"workflowUid\":\"8c73e669cea1a99016ccacb21eccfa69\"},\"events\":[{\"eventUid\":\"3ce7643dbe52433bb481ff8a401c6301\",\"tokens\":{\"date\":140422462751864,\"eventType\":\"bot mitigation\",\"engineUid\":\"botMitigation\",\"engineName\":\"Bot Mitigation\",\"attackFamily\":\"Bots and Web Scraping\",\"riskLevel\":27,\"riskLevelOWASP\":2.7,\"cwe\":\"CWE-799\",\"severity\":5,\"resolveType\":\"Default Resolve\",\"part\":\"No Part\",\"reason\":\"Basic bot detected\",\"botMitigationDetails\":\"Client does not follow HTTP redirect or uses cookies\",\"botMitigationRuleName\":\"\",\"botMitigationRuleUid\":\"\",\"botMitigationRuleSource\":\"\",\"botMitigationRuleExpirationDate\":\"\",\"botMitigationChallenge\":\"challengeBasic\",\"botMitigationClientFingerprint\":\"\",\"botMitigationClientUseragent\":\"ApacheBench/2.3\",\"botMitigationNewRule\":\"false\",\"botMitigationConfigurationUid\":\"0d990aa0b2f5265ad8ea74cc0e3e09f7\",\"botMitigationConfigurationName\":\"BM_conf\"}}]}", "event": { + "action": "block", "category": [ "threat" ], @@ -279,16 +280,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "kind": "alert", "module": "ubika.waf", "provider": "Bot Mitigation", + "severity": 5, "type": [ "indicator" - ], - "action": "block", - "severity": 5 - }, - "observer": { - "name": "waf01.example.org", - "product": "Ubika WAAP", - "vendor": "Ubika" + ] }, "@timestamp": "2019-10-04T08:03:19.762000Z", "destination": { @@ -304,6 +299,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "method": "GET" } }, + "observer": { + "name": "waf01.example.org", + "product": "Ubika WAAP", + "vendor": "Ubika" + }, "related": { "hosts": [ "example.org" @@ -327,6 +327,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "ubika": { "waap": { + "tokens": { + "risk": { + "level": "27" + } + }, "tunnel": { "name": "Tunnel1", "uuid": "28ebc9deec52dd1b3a5c51eaf52b0606" @@ -334,11 +339,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "workflow": { "name": "WF - Bot Mitigation", "uuid": "8c73e669cea1a99016ccacb21eccfa69" - }, - "tokens": { - "risk": { - "level": "27" - } } } }, @@ -373,6 +373,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"logAlertUid\":\"ad97ec2b41c342ebbb1fec1fc283fff3\",\"@timestamp\":\"1527241410891\",\"timestamp\":\"1527241410891\",\"_type_\":\"Controller_Business_Log_SecurityLog\",\"request\":{\"body\":\"\",\"cookies\":[],\"headers\":[{\"key\":\"Connection\",\"value\":\"Keep-Alive\"},{\"key\":\"Host\",\"value\":\"example.org\"},{\"key\":\"User-Agent\",\"value\":\"ApacheBench/2.3\"},{\"key\":\"Accept\",\"value\":\"*/*\"}],\"hostname\":\"example.org\",\"ipDst\":\"5.6.7.8\",\"ipSrc\":\"1.2.3.4\",\"method\":\"GET\",\"path\":\"/afs/login\",\"portDst\":80,\"protocol\":\"HTTP/1.0\",\"query\":\"username=test&passwd=*****\",\"requestUid\":\"4d2fc15b25494ae5bb6de1fae7800601\"},\"context\":{\"tags\":\"\",\"applianceName\":\"Management\",\"applianceUid\":\"d1ecdf0f3ad7a64279b9e01f08c1f642\",\"backendHost\":\"5.6.7.8\",\"backendPort\":8000,\"reverseProxyName\":\"RP1\",\"reverseProxyUid\":\"ce4770e1d581d92f1344b8b1ac41e8de\",\"tunnelName\":\"tunnel1\",\"tunnelUid\":\"a4ae3647b1e7e868b2d0e6ff47b02fd1\",\"workflowName\":\"WF - All logs\",\"workflowUid\":\"x256f94d50d6d66f9732e0ab8532d154\"},\"events\":[{\"eventUid\":\"15546f6e600011e8a3b819267d550fc8\",\"tokens\":{\"date\":1527241410891973,\"eventType\":\"security\",\"engineUid\":\"icxEngine\",\"engineName\":\"ICX Engine\",\"attackFamily\":\"SQL Injection\",\"riskLevel\":80,\"riskLevelOWASP\":8,\"cwe\":\"CWE-89\",\"severity\":5,\"resolveType\":\"Default Resolve\",\"part\":\"Multiple\",\"icxPolicyName\":\"Default policy\",\"icxPolicyUid\":\"fbfb5aec58e3ff3bea900f646351cc30\",\"icxRuleName\":\"SQL Injection\",\"icxRuleUid\":\"eeeea8b382ef38e44f0b620c39adbbba\",\"matchingParts\":[{\"part\":\"Var_GET\",\"partKey\":\"passwd\",\"partKeyOperator\":\"regexp\",\"partKeyPattern\":\".*\",\"partKeyMatch\":\"passwd\",\"partValue\":\"1' or 1=1 --\",\"partValueOperator\":\"pattern\",\"partValuePatternUid\":\"SqlInjectionProprietaryPattern_00359\",\"partValuePatternName\":\"SQL Injection\",\"partValuePatternVersion\":\"00359\",\"partValueMatch\":\"' or 1=1 --\",\"attackFamily\":\"SQL Injection\",\"riskLevel\":80,\"riskLevelOWASP\":8,\"cwe\":\"CWE-89\"}],\"reason\":\"ICX Engine: SQL Injection in Var_GET 'passwd'\",\"securityExceptionConfigurationUids\":[\"xd298902fbf8340e241f195fe81e7511\"]}}]}", "event": { + "action": "block", "category": [ "threat" ], @@ -380,15 +381,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "kind": "alert", "module": "ubika.waf", "provider": "ICX Engine", + "severity": 5, "type": [ "indicator" - ], - "action": "block", - "severity": 5 - }, - "observer": { - "product": "Ubika WAAP", - "vendor": "Ubika" + ] }, "@timestamp": "2018-05-25T09:43:30.891000Z", "destination": { @@ -404,6 +400,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "method": "GET" } }, + "observer": { + "product": "Ubika WAAP", + "vendor": "Ubika" + }, "related": { "hosts": [ "example.org" @@ -429,6 +429,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "ubika": { "waap": { + "tokens": { + "risk": { + "level": "80" + } + }, "tunnel": { "name": "tunnel1", "uuid": "a4ae3647b1e7e868b2d0e6ff47b02fd1" @@ -436,11 +441,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "workflow": { "name": "WF - All logs", "uuid": "x256f94d50d6d66f9732e0ab8532d154" - }, - "tokens": { - "risk": { - "level": "80" - } } } }, @@ -476,6 +476,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"logAlertUid\":\"ad97ec2b41c342ebbb1fec1fc283fff3\",\"@timestamp\":\"1527241410891\",\"timestamp\":\"1527241410891\",\"_type_\":\"Controller_Business_Log_SecurityLog\",\"request\":{\"body\":\"\",\"cookies\":[],\"headers\":[{\"key\":\"Connection\",\"value\":\"Keep-Alive\"},{\"key\":\"Host\",\"value\":\"example.org\"},{\"key\":\"User-Agent\",\"value\":\"ApacheBench/2.3\"},{\"key\":\"Accept\",\"value\":\"*/*\"}],\"hostname\":\"example.org\",\"ipDst\":\"5.6.7.8\",\"ipSrc\":\"1.2.3.4\",\"method\":\"GET\",\"path\":\"/afs/login\",\"portDst\":80,\"protocol\":\"HTTP/1.0\",\"query\":\"username=test&passwd=*****\",\"requestUid\":\"4d2fc15b25494ae5bb6de1fae7800601\"},\"context\":{\"tags\":\"\",\"applianceName\":\"Management\",\"applianceUid\":\"d1ecdf0f3ad7a64279b9e01f08c1f642\",\"backendHost\":\"5.6.7.8\",\"backendPort\":8000,\"reverseProxyName\":\"RP1\",\"reverseProxyUid\":\"ce4770e1d581d92f1344b8b1ac41e8de\",\"tunnelName\":\"tunnel1\",\"tunnelUid\":\"a4ae3647b1e7e868b2d0e6ff47b02fd1\",\"workflowName\":\"WF - All logs\",\"workflowUid\":\"x256f94d50d6d66f9732e0ab8532d154\"},\"events\":[{\"eventUid\":\"15546f6e600011e8a3b819267d550fc8\",\"tokens\":{\"date\":1527241410891973,\"eventType\":\"security\",\"engineUid\":\"icxEngine\",\"engineName\":\"ICX Engine\",\"attackFamily\":\"SQL Injection\",\"riskLevel\":80,\"riskLevelOWASP\":8,\"cwe\":\"CWE-89\",\"severity\":5,\"resolveType\":\"Default Resolve\",\"part\":\"Multiple\",\"icxPolicyName\":\"Default policy\",\"icxPolicyUid\":\"fbfb5aec58e3ff3bea900f646351cc30\",\"icxRuleName\":\"SQL Injection\",\"icxRuleUid\":\"eeeea8b382ef38e44f0b620c39adbbba\",\"matchingParts\":[{\"part\":\"Var_GET\",\"partKey\":\"passwd\",\"partKeyOperator\":\"regexp\",\"partKeyPattern\":\".*\",\"partKeyMatch\":\"passwd\",\"partValue\":\"1' or 1=1 --\",\"partValueOperator\":\"pattern\",\"partValuePatternUid\":\"SqlInjectionProprietaryPattern_00359\",\"partValuePatternName\":\"SQL Injection\",\"partValuePatternVersion\":\"00359\",\"partValueMatch\":\"' or 1=1 --\",\"attackFamily\":\"SQL Injection\",\"riskLevel\":80,\"riskLevelOWASP\":8,\"cwe\":\"CWE-89\"}],\"reason\":\"ICX Engine: SQL Injection in Var_GET 'passwd'\",\"securityExceptionConfigurationUids\":[\"xd298902fbf8340e241f195fe81e7511\"]}}]}", "event": { + "action": "block", "category": [ "threat" ], @@ -483,15 +484,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "kind": "alert", "module": "ubika.waf", "provider": "ICX Engine", + "severity": 5, "type": [ "indicator" - ], - "action": "block", - "severity": 5 - }, - "observer": { - "product": "Ubika WAAP", - "vendor": "Ubika" + ] }, "@timestamp": "2018-05-25T09:43:30.891000Z", "destination": { @@ -507,6 +503,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "method": "GET" } }, + "observer": { + "product": "Ubika WAAP", + "vendor": "Ubika" + }, "related": { "hosts": [ "example.org" @@ -532,6 +532,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "ubika": { "waap": { + "tokens": { + "risk": { + "level": "80" + } + }, "tunnel": { "name": "tunnel1", "uuid": "a4ae3647b1e7e868b2d0e6ff47b02fd1" @@ -539,11 +544,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "workflow": { "name": "WF - All logs", "uuid": "x256f94d50d6d66f9732e0ab8532d154" - }, - "tokens": { - "risk": { - "level": "80" - } } } }, @@ -579,6 +579,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023-05-23T14:24:09.190263+02:00 waf01.example.org - - - - {\"logAlertUid\":\"fe79950502024cf1951504b01b28cb60\",\"@timestamp\":\"1570179501178\",\"timestamp\":\"1570179501178\",\"request\":{\"headers\":[{\"key\":\"Host\",\"value\":\"example.org\"},{\"key\":\"User-Agent\",\"value\":\"Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0\"},{\"key\":\"Accept\",\"value\":\"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\"},{\"key\":\"Accept-Language\",\"value\":\"en-US,en;q=0.5\"},{\"key\":\"Accept-Encoding\",\"value\":\"gzip, deflate\"},{\"key\":\"Content-Type\",\"value\":\"application/x-www-form-urlencoded\"},{\"key\":\"Content-Length\",\"value\":\"45\"},{\"key\":\"Connection\",\"value\":\"keep-alive\"},{\"key\":\"Referer\",\"value\":\"http://example.org/auth/login\"},{\"key\":\"Upgrade-Insecure-Requests\",\"value\":\"1\"}],\"hostname\":\"example.org\",\"ipSrc\":\"1.2.3.4\",\"method\":\"POST\",\"path\":\"/auth/authentication\",\"query\":\"username=test&context=111111111\",\"requestUid\":\"6bf5057e1ad64b1c99ee6ad8c21f098e\"},\"context\":{\"applianceName\":\"Management\",\"applianceUid\":\"481294d4fdefdb1bcbfcedac6f5e2777\",\"backendHost\":\"5.6.7.8\",\"backendPort\":80,\"reverseProxyName\":\"RP1\",\"reverseProxyUid\":\"79473e608a1cbccc06a86a0a6484a2f7\",\"tunnelName\":\"Tunnel1\",\"tunnelUid\":\"28ebc9deec52dd1b3a5c51eaf52b0606\",\"workflowName\":\"WF - WAM\",\"workflowUid\":\"061b2aaca542ad07e9873fcb6f3e2a85\"},\"events\":[{\"eventUid\":\"90e826d3889443b286ab4fdd4854d379\",\"eventType\":1,\"eventDetails\":\"Perimeter authentication failed\",\"userId\":\"user1\",\"sessionId\":\"5jfh2myazzq6l6gjmz9qtabw4e\",\"resource\":\"Perim1\",\"ticketId\":\"\",\"logindate\":1570179496322223,\"expiredate\":1570183101178725}]}", "event": { + "action": "block", "category": [ "threat" ], @@ -587,13 +588,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "module": "ubika.waf", "type": [ "indicator" - ], - "action": "block" - }, - "observer": { - "vendor": "Ubika", - "name": "waf01.example.org", - "product": "Ubika WAAP" + ] }, "@timestamp": "2019-10-04T08:58:21.178000Z", "host": { @@ -605,6 +600,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "referrer": "http://example.org/auth/login" } }, + "observer": { + "name": "waf01.example.org", + "product": "Ubika WAAP", + "vendor": "Ubika" + }, "related": { "hosts": [ "example.org" diff --git a/_shared_content/operations_center/integrations/generated/70c5c3db-fae8-4825-8d8b-08d6315e1ef6.md b/_shared_content/operations_center/integrations/generated/70c5c3db-fae8-4825-8d8b-08d6315e1ef6.md index d355743091..12737d4a99 100644 --- a/_shared_content/operations_center/integrations/generated/70c5c3db-fae8-4825-8d8b-08d6315e1ef6.md +++ b/_shared_content/operations_center/integrations/generated/70c5c3db-fae8-4825-8d8b-08d6315e1ef6.md @@ -71,6 +71,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network": { "protocol": "HTTPS" }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, "source": { "address": "1.2.3.4", "ip": "1.2.3.4", @@ -97,11 +102,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "Linux" }, "version": "119.0.0" - }, - "related": { - "ip": [ - "1.2.3.4" - ] } } @@ -150,6 +150,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network": { "protocol": "HTTPS" }, + "related": { + "ip": [ + "10.0.0.10" + ] + }, "source": { "address": "10.0.0.10", "ip": "10.0.0.10", @@ -176,11 +181,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "Windows", "version": "95" } - }, - "related": { - "ip": [ - "10.0.0.10" - ] } } @@ -229,6 +229,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network": { "protocol": "HTTPS" }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, "source": { "address": "1.2.3.4", "ip": "1.2.3.4", @@ -255,11 +260,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "Linux" }, "version": "119.0.0" - }, - "related": { - "ip": [ - "1.2.3.4" - ] } } diff --git a/_shared_content/operations_center/integrations/generated/90179796-f949-490c-8729-8cbc9c65be55.md b/_shared_content/operations_center/integrations/generated/90179796-f949-490c-8729-8cbc9c65be55.md index 2206a1f253..058a08c190 100644 --- a/_shared_content/operations_center/integrations/generated/90179796-f949-490c-8729-8cbc9c65be55.md +++ b/_shared_content/operations_center/integrations/generated/90179796-f949-490c-8729-8cbc9c65be55.md @@ -30,6 +30,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "outcome": "success" }, + "@timestamp": "2021-02-21T15:30:49Z", "action": { "name": "DNS query", "outcome": "success", @@ -85,6 +86,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "outcome": "success" }, + "@timestamp": "2020-06-12T14:29:47Z", "action": { "name": "DNS query", "outcome": "success", @@ -139,6 +141,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "outcome": "failure" }, + "@timestamp": "2020-06-12T14:29:48Z", "action": { "name": "DNS query", "outcome": "failure", @@ -190,6 +193,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "outcome": "failure" }, + "@timestamp": "2024-03-04T11:17:25Z", "action": { "name": "DNS query", "outcome": "failure", @@ -234,6 +238,115 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "umbrella-dns-5.json" + + ```json + + { + "message": " \"2024-01-15 17:29:16\",\"CORP - IP INTERNET\",\"CORP - IP INTERNET\",\"1.1.1.1\",\"1.1.1.1\",\"Allowed\",\"1 (A)\",\"NOERROR\",\"emea.corp.\",\"\",\"Networks\",\"Networks\",\"\"", + "event": { + "outcome": "success" + }, + "@timestamp": "2024-01-15T17:29:16Z", + "action": { + "name": "DNS query", + "outcome": "success", + "target": "network-traffic", + "type": "allowed" + }, + "dns": { + "question": { + "name": "emea.corp.", + "subdomain": "emea", + "type": "A" + }, + "response_code": "NOERROR", + "size_in_char": "10", + "type": "query" + }, + "related": { + "hosts": [ + "emea.corp." + ], + "ip": [ + "1.1.1.1" + ], + "user": [ + "CORP - IP INTERNET" + ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "nat": { + "ip": "1.1.1.1" + } + }, + "user": { + "name": "CORP - IP INTERNET" + } + } + + ``` + + +=== "umbrella-dns-6.json" + + ```json + + { + "message": " \"2024-03-12 09:09:48\",\"CD111\",\"CD111\",\"1.1.1.1\",\"1.1.1.1\",\"Allowed\",\"1 (A)\",\"NOERROR\",\"substrate.office.com.\",\"Software/Technology,Webmail,Business Services,Allow List,Organizational Email,Application,Web-based Email,Computers and Internet\",\"Anyconnect Roaming Client\",\"Anyconnect Roaming Client\",\"Allow List\"", + "event": { + "outcome": "success" + }, + "@timestamp": "2024-03-12T09:09:48Z", + "action": { + "name": "DNS query", + "outcome": "success", + "properties": { + "Categories": "Software/Technology,Webmail,Business Services,Allow List,Organizational Email,Application,Web-based Email,Computers and Internet" + }, + "target": "network-traffic", + "type": "allowed" + }, + "dns": { + "question": { + "name": "substrate.office.com.", + "registered_domain": "office.com", + "subdomain": "substrate", + "top_level_domain": "com", + "type": "A" + }, + "response_code": "NOERROR", + "size_in_char": "21", + "type": "query" + }, + "related": { + "hosts": [ + "substrate.office.com." + ], + "ip": [ + "1.1.1.1" + ], + "user": [ + "CD111" + ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "nat": { + "ip": "1.1.1.1" + } + }, + "user": { + "name": "CD111" + } + } + + ``` + + @@ -243,6 +356,7 @@ The following table lists the fields that are extracted, normalized under the EC | Name | Type | Description | | ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | |`action.properties.Categories` | `keyword` | | |`action.target` | `keyword` | the target of the action | |`dns.question.name` | `keyword` | The name being queried. | diff --git a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md index 29246571ba..0461a49b58 100644 --- a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md +++ b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md @@ -619,6 +619,79 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "Event_4698.json" + + ```json + + { + "message": "{\n \"EventTime\": \"2024-03-27 10:57:48\",\n \"Hostname\": \"server001.example.org\",\n \"Keywords\": -9214364837600035000,\n \"EventType\": \"AUDIT_SUCCESS\",\n \"SeverityValue\": 2,\n \"Severity\": \"INFO\",\n \"EventID\": 4698,\n \"SourceName\": \"Microsoft-Windows-Security-Auditing\",\n \"ProviderGuid\": \"{70F17275-E2D6-40BF-9990-D3347AD59BBF}\",\n \"Version\": 1,\n \"Task\": 12804,\n \"OpcodeValue\": 0,\n \"RecordNumber\": 60217389,\n \"ActivityID\": \"{70F17275-E2D6-40BF-9990-D3347AD59BBF}\",\n \"ProcessID\": 816,\n \"ThreadID\": 3272,\n \"Channel\": \"Security\",\n \"SubjectUserSid\": \"S-1-5-18\",\n \"SubjectUserName\": \"JDOE$\",\n \"SubjectDomainName\": \"EXAMPLE\",\n \"SubjectLogonId\": \"0x3e7\",\n \"TaskName\": \"\\\\MicrosoftEdgeUpdateBrowserReplacementTask\",\n \"TaskContent\": \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-16\\\"?>\\r\\n<Task version=\\\"1.2\\\" xmlns=\\\"http://schemas.microsoft.com/windows/2004/02/mit/task\\\">\\r\\n <RegistrationInfo>\\r\\n <Version>1.3.185.27</Version>\\r\\n <Description>Keeps your Microsoft software up to date. If this task is disabled or stopped, your Microsoft software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This task uninstalls itself when there is no Microsoft software using it.</Description>\\r\\n <URI>\\\\MicrosoftEdgeUpdateBrowserReplacementTask</URI>\\r\\n </RegistrationInfo>\\r\\n <Triggers>\\r\\n <BootTrigger>\\r\\n <Enabled>true</Enabled>\\r\\n </BootTrigger>\\r\\n </Triggers>\\r\\n <Principals>\\r\\n <Principal id=\\\"Author\\\">\\r\\n <UserId>S-1-5-18</UserId>\\r\\n <RunLevel>HighestAvailable</RunLevel>\\r\\n </Principal>\\r\\n </Principals>\\r\\n <Settings>\\r\\n <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\\r\\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\\r\\n <StartWhenAvailable>true</StartWhenAvailable>\\r\\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\\r\\n <Enabled>true</Enabled>\\r\\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\\r\\n <WakeToRun>false</WakeToRun>\\r\\n <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>\\r\\n <Priority>4</Priority>\\r\\n </Settings>\\r\\n <Actions Context=\\\"Author\\\">\\r\\n <Exec>\\r\\n <Command>C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe</Command>\\r\\n <Arguments>/browserreplacement</Arguments>\\r\\n </Exec>\\r\\n </Actions>\\r\\n</Task>\",\n \"ClientProcessStartKey\": \"20829148276605418\",\n \"ClientProcessId\": \"5632\",\n \"ParentProcessId\": \"808\",\n \"RpcCallClientLocality\": \"0\",\n \"FQDN\": \"server001.example.org\",\n \"EventReceivedTime\": \"2024-03-27 10:58:34\",\n \"SourceModuleName\": \"eventlog\",\n \"SourceModuleType\": \"im_msvistalog\"\n}", + "event": { + "code": "4698", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "action": { + "id": 4698, + "name": "A scheduled task was created", + "outcome": "success", + "properties": { + "EventType": "AUDIT_SUCCESS", + "Keywords": "-9214364837600035000", + "OpcodeValue": 0, + "ProviderGuid": "{70F17275-E2D6-40BF-9990-D3347AD59BBF}", + "Severity": "INFO", + "SourceName": "Microsoft-Windows-Security-Auditing", + "SubjectDomainName": "EXAMPLE", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "JDOE$", + "SubjectUserSid": "S-1-5-18", + "Task": 12804, + "TaskContent": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo>\r\n <Version>1.3.185.27</Version>\r\n <Description>Keeps your Microsoft software up to date. If this task is disabled or stopped, your Microsoft software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This task uninstalls itself when there is no Microsoft software using it.</Description>\r\n <URI>\\MicrosoftEdgeUpdateBrowserReplacementTask</URI>\r\n </RegistrationInfo>\r\n <Triggers>\r\n <BootTrigger>\r\n <Enabled>true</Enabled>\r\n </BootTrigger>\r\n </Triggers>\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <UserId>S-1-5-18</UserId>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StartWhenAvailable>true</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <Enabled>true</Enabled>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe</Command>\r\n <Arguments>/browserreplacement</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task>", + "TaskContentNew_Args": "/browserreplacement", + "TaskContentNew_Command": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe", + "TaskName": "\\MicrosoftEdgeUpdateBrowserReplacementTask" + }, + "record_id": 60217389, + "type": "Security" + }, + "host": { + "hostname": "server001.example.org", + "name": "server001.example.org" + }, + "log": { + "hostname": "server001.example.org", + "level": "info" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "process": { + "id": 816, + "pid": 816, + "ppid": "808", + "thread": { + "id": 3272 + } + }, + "related": { + "hosts": [ + "server001.example.org" + ], + "user": [ + "JDOE$" + ] + }, + "user": { + "domain": "EXAMPLE", + "id": "S-1-5-18", + "name": "JDOE$" + } + } + + ``` + + === "Event_4768.json" ```json @@ -4125,6 +4198,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "SubjectUserName": "srv-foo$", "SubjectUserSid": "S-1-5-18", "Task": 12804, + "TaskContent": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo>\r\n <Author>KEY\\adm_foo</Author>\r\n <URI>\\CORP-Dump_Installed_Updates</URI>\r\n </RegistrationInfo>\r\n <Triggers>\r\n <CalendarTrigger>\r\n <Repetition>\r\n <Interval>PT1H</Interval>\r\n <Duration>P1D</Duration>\r\n <StopAtDurationEnd>true</StopAtDurationEnd>\r\n </Repetition>\r\n <StartBoundary>2016-05-02T04:45:00</StartBoundary>\r\n <ExecutionTimeLimit>PT30M</ExecutionTimeLimit>\r\n <Enabled>true</Enabled>\r\n <ScheduleByDay>\r\n <DaysInterval>1</DaysInterval>\r\n </ScheduleByDay>\r\n </CalendarTrigger>\r\n </Triggers>\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <RunLevel>HighestAvailable</RunLevel>\r\n <UserId>NT AUTHORITY\\System</UserId>\r\n <LogonType>S4U</LogonType>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>true</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <Duration>PT5M</Duration>\r\n <WaitTimeout>PT1H</WaitTimeout>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT1H</ExecutionTimeLimit>\r\n <Priority>7</Priority>\r\n <RestartOnFailure>\r\n <Interval>PT15M</Interval>\r\n <Count>3</Count>\r\n </RestartOnFailure>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe</Command>\r\n <Arguments>-NonInteractive -NoProfile -Command \"Import-Module -Name 'PSWindowsUpdate'; Get-WUHistory -MaxDate (Get-Date).AddMonths(-3) | Export-Clixml -Path 'C:\\Exploitation\\Scripts\\Nagios\\LastInstalledUpdates.xml'\"</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task>", "TaskContentNew_Args": "-NonInteractive -NoProfile -Command \"Import-Module -Name 'PSWindowsUpdate'; Get-WUHistory -MaxDate (Get-Date).AddMonths(-3) | Export-Clixml -Path 'C:\\Exploitation\\Scripts\\Nagios\\LastInstalledUpdates.xml'\"", "TaskContentNew_Command": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", "TaskName": "\\CORP-Dump_Installed_Updates" @@ -7137,6 +7211,7 @@ The following table lists the fields that are extracted, normalized under the EC |`action.properties.StartFunction` | `keyword` | | |`action.properties.StartModule` | `keyword` | | |`action.properties.StatusInformation` | `keyword` | | +|`action.properties.TaskContent` | `keyword` | | |`action.properties.TaskContentNew_Args` | `keyword` | | |`action.properties.TaskContentNew_Command` | `keyword` | | |`action.properties.ThreatName` | `keyword` | | diff --git a/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af.md b/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af.md index 1d6f55be28..ecf4d5f359 100644 --- a/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af.md +++ b/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af.md @@ -954,20 +954,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "kind": "event", + "reason": "Sec-Fetch-User: ?1", "type": [ "info" ] }, + "action": { + "type": "tmm1" + }, "os": { "family": "linux", "platform": "linux" }, - "sekoiaio": { - "intake": { - "parsing_warnings": [ - "No fields extracted from original event" - ] - } + "rule": { + "name": "/Common/Log-all-the-HTTP-Requests" } } @@ -985,6 +985,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "kind": "event", + "reason": "DNT: 1", "type": [ "info" ] @@ -1015,6 +1016,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "kind": "event", + "reason": "Request: GET example.com/a/path/to/an/image.png", "type": [ "info" ] @@ -1053,6 +1055,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "kind": "event", + "reason": "Referer: https://example.com/a/path/to/anywhere", "type": [ "info" ] diff --git a/_shared_content/operations_center/integrations/generated/bae128bb-98c6-45f7-9763-aad3451821e5.md b/_shared_content/operations_center/integrations/generated/bae128bb-98c6-45f7-9763-aad3451821e5.md index 58a45ab0cc..99388f1dec 100644 --- a/_shared_content/operations_center/integrations/generated/bae128bb-98c6-45f7-9763-aad3451821e5.md +++ b/_shared_content/operations_center/integrations/generated/bae128bb-98c6-45f7-9763-aad3451821e5.md @@ -35,63 +35,63 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trellix|MPS|10.0.0.992057|DM|domain-match|1|src=1.2.3.4 spt=48255 smac=6c:af:1a:fb:fe:a7 dst=5.6.7.8 dpt=53 dmac=00:78:db:db:96:f6 dvchost=cms-nx5600-1.eng.fireeye.com dvc=3.4.5.6 cn1Label=vlan cn1=0 cn2Label=sid cn2=93000001 cn3Label=cncPort cn3=53 cs1Label=sname cs1=DTI:Bot.Mariposa.DNS cs4Label=link cs4=https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=cd467397-8c43-4e03-acaa-398cf2e8c612 cs5Label=cncHost cs5=butterfly.bigmoney.biz proto=udp rt=Sep 05 2023 16:47:48 UTC externalId=20967020 act=notified devicePayloadId=cd467397-8c43-4e03-acaa-398cf2e8c612 start=Sep 05 2023 16:47:48 UTC dvcmac=e3:e9:d0:5e:ba:8e", "event": { - "kind": "event", - "dataset": "domain-match", - "severity": 1, - "start": "2023-09-05T16:47:48Z", "action": "notified", - "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=cd467397-8c43-4e03-acaa-398cf2e8c612", "category": [ "network" ], + "dataset": "domain-match", + "kind": "event", + "severity": 1, + "start": "2023-09-05T16:47:48Z", "type": [ "info" - ] + ], + "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=cd467397-8c43-4e03-acaa-398cf2e8c612" }, "@timestamp": "2023-09-05T16:47:48Z", + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "mac": "00:78:db:db:96:f6", + "port": 53 + }, + "network": { + "transport": "udp" + }, "observer": { - "vendor": "Trellix", - "product": "MPS", - "version": "10.0.0.992057", + "hostname": "cms-nx5600-1.eng.fireeye.com", "ip": [ "3.4.5.6" ], - "hostname": "cms-nx5600-1.eng.fireeye.com", "mac": [ "e3:e9:d0:5e:ba:8e" - ] - }, - "network": { - "transport": "udp" - }, - "trellix": { - "nx": { - "sname": "DTI:Bot.Mariposa.DNS", - "cnc_port": "53", - "cnc_host": "butterfly.bigmoney.biz" - } - }, - "destination": { - "port": 53, - "ip": "5.6.7.8", - "mac": "00:78:db:db:96:f6", - "address": "5.6.7.8" - }, - "source": { - "port": 48255, - "ip": "1.2.3.4", - "mac": "6c:af:1a:fb:fe:a7", - "address": "1.2.3.4" + ], + "product": "MPS", + "vendor": "Trellix", + "version": "10.0.0.992057" }, "related": { + "hosts": [ + "cms-nx5600-1.eng.fireeye.com" + ], "ip": [ "1.2.3.4", "3.4.5.6", "5.6.7.8" - ], - "hosts": [ - "cms-nx5600-1.eng.fireeye.com" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "6c:af:1a:fb:fe:a7", + "port": 48255 + }, + "trellix": { + "nx": { + "cnc_host": "butterfly.bigmoney.biz", + "cnc_port": "53", + "sname": "DTI:Bot.Mariposa.DNS" + } } } @@ -105,80 +105,80 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trellix|MPS|10.0.0.992057|IM|infection-match|1|spt=1046 smac=6c:af:1a:fb:fe:a7 dpt=80 dmac=00:78:db:db:96:f6 dvchost=cms-nx5600-1.eng.fireeye.com dvc=3.4.5.6 cn1Label=vlan cn1=0 cn2Label=sid cn2=607378 cn3Label=cncPort cn3=80 cs1Label=sname cs1=Local.Infection cs4Label=link cs4=https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=2cededd4-cb4b-42de-9d7e-8e1ce56a9fe6 cs5Label=cncHost cs5=2011::1:6377:90aa cs6Label=channel cs6=GET /m/web.php HTTP/1.1::~~Host: zebrabel1.co.cc::~~User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5::~~Accept: text/html,application/xhtml+xml,application/xml;q\\=0.9,*/*;q\\=0.8::~~Accept-Language: en-us,en;q\\=0.5::~~Accept-Encoding: gzip,deflate::~~Accept-Charset: ISO-8859-1,utf-8;q\\=0.7,*;q\\=0.7::~~Keep-Alive: 300::~~Connection: keep-alive::~~Referer: http://zebrabel1.co.cc/m/::~~::~~ proto=tcp rt=Sep 05 2023 16:28:55 UTC externalId=20966332 act=notified c6a3=1c83:125e:807c:d317:d732:d30b:6af0:d34f c6a3Label=Attacker IP c6a2=decc:4ab1:133a:f9ce:18d2:7c83:2142:601e c6a2Label=Victim IP requestMethod=GET requestClientApplication=Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 requestContext=http://zebrabel1.co.cc/m/ devicePayloadId=2cededd4-cb4b-42de-9d7e-8e1ce56a9fe6 start=Sep 05 2023 16:28:55 UTC dvcmac=e3:e9:d0:5e:ba:8e", "event": { - "kind": "event", - "dataset": "infection-match", - "severity": 1, - "start": "2023-09-05T16:28:55Z", "action": "notified", - "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=2cededd4-cb4b-42de-9d7e-8e1ce56a9fe6", "category": [ "intrusion_detection" ], + "dataset": "infection-match", + "kind": "event", + "severity": 1, + "start": "2023-09-05T16:28:55Z", "type": [ "info" - ] + ], + "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=2cededd4-cb4b-42de-9d7e-8e1ce56a9fe6" }, "@timestamp": "2023-09-05T16:28:55Z", + "destination": { + "address": "decc:4ab1:133a:f9ce:18d2:7c83:2142:601e", + "ip": "decc:4ab1:133a:f9ce:18d2:7c83:2142:601e", + "mac": "00:78:db:db:96:f6", + "port": 80 + }, + "http": { + "request": { + "method": "GET" + } + }, + "network": { + "transport": "tcp" + }, "observer": { - "vendor": "Trellix", - "product": "MPS", - "version": "10.0.0.992057", + "hostname": "cms-nx5600-1.eng.fireeye.com", "ip": [ "3.4.5.6" ], - "hostname": "cms-nx5600-1.eng.fireeye.com", "mac": [ "e3:e9:d0:5e:ba:8e" + ], + "product": "MPS", + "vendor": "Trellix", + "version": "10.0.0.992057" + }, + "related": { + "hosts": [ + "cms-nx5600-1.eng.fireeye.com" + ], + "ip": [ + "1c83:125e:807c:d317:d732:d30b:6af0:d34f", + "3.4.5.6", + "decc:4ab1:133a:f9ce:18d2:7c83:2142:601e" ] }, - "network": { - "transport": "tcp" + "source": { + "address": "1c83:125e:807c:d317:d732:d30b:6af0:d34f", + "ip": "1c83:125e:807c:d317:d732:d30b:6af0:d34f", + "mac": "6c:af:1a:fb:fe:a7", + "port": 1046 }, - "http": { - "request": { - "method": "GET" + "trellix": { + "nx": { + "cnc_host": "2011::1:6377:90aa", + "cnc_port": "80", + "sname": "Local.Infection" } }, "user_agent": { - "original": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5", "device": { "name": "Other" }, "name": "Firefox Beta", - "version": "3.0.b5", + "original": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5", "os": { "name": "Windows", "version": "XP" - } - }, - "trellix": { - "nx": { - "sname": "Local.Infection", - "cnc_port": "80", - "cnc_host": "2011::1:6377:90aa" - } - }, - "destination": { - "port": 80, - "mac": "00:78:db:db:96:f6", - "ip": "decc:4ab1:133a:f9ce:18d2:7c83:2142:601e", - "address": "decc:4ab1:133a:f9ce:18d2:7c83:2142:601e" - }, - "source": { - "port": 1046, - "mac": "6c:af:1a:fb:fe:a7", - "ip": "1c83:125e:807c:d317:d732:d30b:6af0:d34f", - "address": "1c83:125e:807c:d317:d732:d30b:6af0:d34f" - }, - "related": { - "ip": [ - "1c83:125e:807c:d317:d732:d30b:6af0:d34f", - "3.4.5.6", - "decc:4ab1:133a:f9ce:18d2:7c83:2142:601e" - ], - "hosts": [ - "cms-nx5600-1.eng.fireeye.com" - ] + }, + "version": "3.0.b5" } } @@ -192,61 +192,61 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trellix|MPS|10.0.0.992057|IE|ips-event|7|externalId=3463232 rt=Sep 05 2023 16:46:51 UTC proto=tcp src=1.2.3.4 spt=80 smac=6c:af:1a:fb:fe:a7 dst=5.6.7.8 dpt=1109 dmac=00:78:db:db:96:f6 cnt=1 cs1Label=sname cs1=Exploit Kit Landing Page act=notified dvchost=cms-nx5600-1.eng.fireeye.com dvc=3.4.5.6 dvcmac=e3:e9:d0:5e:ba:8e cn2=85305161 cn2Label=sid cfp1=12 cfp1Label=signature revision cs4=https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=6682a2ba-bf3e-4c12-b7a1-822d648132fd cs4Label=link flexString2=client flexString2Label=attack mode msg=MVX Correlation Status:N/A cn1=0 cn1Label=vlan", "event": { - "kind": "event", - "dataset": "ips-event", - "severity": 7, "action": "notified", - "reason": "MVX Correlation Status:N/A", - "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=6682a2ba-bf3e-4c12-b7a1-822d648132fd", "category": [ "intrusion_detection" ], + "dataset": "ips-event", + "kind": "event", + "reason": "MVX Correlation Status:N/A", + "severity": 7, "type": [ "info" - ] + ], + "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=6682a2ba-bf3e-4c12-b7a1-822d648132fd" }, "@timestamp": "2023-09-05T16:46:51Z", + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "mac": "00:78:db:db:96:f6", + "port": 1109 + }, + "network": { + "transport": "tcp" + }, "observer": { - "vendor": "Trellix", - "product": "MPS", - "version": "10.0.0.992057", + "hostname": "cms-nx5600-1.eng.fireeye.com", "ip": [ "3.4.5.6" ], - "hostname": "cms-nx5600-1.eng.fireeye.com", "mac": [ "e3:e9:d0:5e:ba:8e" - ] - }, - "network": { - "transport": "tcp" - }, - "trellix": { - "nx": { - "sname": "Exploit Kit Landing Page" - } - }, - "destination": { - "port": 1109, - "ip": "5.6.7.8", - "mac": "00:78:db:db:96:f6", - "address": "5.6.7.8" - }, - "source": { - "port": 80, - "ip": "1.2.3.4", - "mac": "6c:af:1a:fb:fe:a7", - "address": "1.2.3.4" + ], + "product": "MPS", + "vendor": "Trellix", + "version": "10.0.0.992057" }, "related": { + "hosts": [ + "cms-nx5600-1.eng.fireeye.com" + ], "ip": [ "1.2.3.4", "3.4.5.6", "5.6.7.8" - ], - "hosts": [ - "cms-nx5600-1.eng.fireeye.com" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "6c:af:1a:fb:fe:a7", + "port": 80 + }, + "trellix": { + "nx": { + "sname": "Exploit Kit Landing Page" + } } } @@ -260,68 +260,68 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trellix|MPS|10.0.0.992057|MC|malware-callback|7|src=1.2.3.4 spt=1133 smac=6c:af:1a:fb:fe:a7 dst=5.6.7.8 dpt=443 dmac=00:78:db:db:96:f6 dvchost=cms-nx5600-1.eng.fireeye.com dvc=3.4.5.6 cn1Label=vlan cn1=0 cn2Label=sid cn2=33332506 cn3Label=cncPort cn3=443 cs1Label=sname cs1=Bot.Pushdo.C1 cs4Label=link cs4=https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=8a4875e0-195e-436a-b3a1-e2a52c544d4b cs5Label=cncHost cs5=223.92.214.59 proto=tcp rt=Sep 05 2023 16:28:40 UTC shost=ip-095-223-164-201.um35.pools.vodafone-ip.de externalId=20966324 act=notified devicePayloadId=8a4875e0-195e-436a-b3a1-e2a52c544d4b start=Sep 05 2023 16:28:40 UTC dvcmac=e3:e9:d0:5e:ba:8e", "event": { - "kind": "event", - "dataset": "malware-callback", - "severity": 7, - "start": "2023-09-05T16:28:40Z", "action": "notified", - "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=8a4875e0-195e-436a-b3a1-e2a52c544d4b", "category": [ "intrusion_detection" ], + "dataset": "malware-callback", + "kind": "event", + "severity": 7, + "start": "2023-09-05T16:28:40Z", "type": [ "info" - ] + ], + "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=8a4875e0-195e-436a-b3a1-e2a52c544d4b" }, "@timestamp": "2023-09-05T16:28:40Z", + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "mac": "00:78:db:db:96:f6", + "port": 443 + }, + "network": { + "transport": "tcp" + }, "observer": { - "vendor": "Trellix", - "product": "MPS", - "version": "10.0.0.992057", + "hostname": "cms-nx5600-1.eng.fireeye.com", "ip": [ "3.4.5.6" ], - "hostname": "cms-nx5600-1.eng.fireeye.com", "mac": [ "e3:e9:d0:5e:ba:8e" - ] - }, - "network": { - "transport": "tcp" - }, - "trellix": { - "nx": { - "sname": "Bot.Pushdo.C1", - "cnc_port": "443", - "cnc_host": "223.92.214.59" - } - }, - "destination": { - "port": 443, - "ip": "5.6.7.8", - "mac": "00:78:db:db:96:f6", - "address": "5.6.7.8" - }, - "source": { - "port": 1133, - "ip": "1.2.3.4", - "domain": "ip-095-223-164-201.um35.pools.vodafone-ip.de", - "mac": "6c:af:1a:fb:fe:a7", - "address": "ip-095-223-164-201.um35.pools.vodafone-ip.de", - "top_level_domain": "de", - "subdomain": "ip-095-223-164-201.um35.pools", - "registered_domain": "vodafone-ip.de" + ], + "product": "MPS", + "vendor": "Trellix", + "version": "10.0.0.992057" }, "related": { + "hosts": [ + "cms-nx5600-1.eng.fireeye.com", + "ip-095-223-164-201.um35.pools.vodafone-ip.de" + ], "ip": [ "1.2.3.4", "3.4.5.6", "5.6.7.8" - ], - "hosts": [ - "cms-nx5600-1.eng.fireeye.com", - "ip-095-223-164-201.um35.pools.vodafone-ip.de" ] + }, + "source": { + "address": "ip-095-223-164-201.um35.pools.vodafone-ip.de", + "domain": "ip-095-223-164-201.um35.pools.vodafone-ip.de", + "ip": "1.2.3.4", + "mac": "6c:af:1a:fb:fe:a7", + "port": 1133, + "registered_domain": "vodafone-ip.de", + "subdomain": "ip-095-223-164-201.um35.pools", + "top_level_domain": "de" + }, + "trellix": { + "nx": { + "cnc_host": "223.92.214.59", + "cnc_port": "443", + "sname": "Bot.Pushdo.C1" + } } } @@ -335,82 +335,82 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trellix|MPS|10.0.0.992057|MO|malware-object|4|src=1.2.3.4 spt=49207 smac=6c:af:1a:fb:fe:a7 dst=5.6.7.8 dpt=80 dmac=00:78:db:db:96:f6 dvchost=cms-nx5600-1.eng.fireeye.com dvc=3.4.5.6 cn1Label=vlan cn1=0 cn2Label=sid cn2=8816733 cs1Label=sname cs1=Exploit.JAVA.CVE-2013-0422.FEC2 cs4Label=link cs4=https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=860e5b30-5a8b-4159-8eb5-148ec3387e87 filePath=kentuckyautoexchange.com/tsh.jar rt=Sep 05 2023 16:28:42 UTC shost=dynamic-ip-adsl.viettel.vn fileHash=517f9835592fe08912c702c70219b20a externalId=8838994 act=notified devicePayloadId=860e5b30-5a8b-4159-8eb5-148ec3387e87 fileType=jar sproc=Java JDK JRE 7.13 fsize=13676 fname=tsh.jar flexString1Label=sha256sum flexString1=6e46b55feaeee973cfebabda18fa004b676a4be0919fd79bbad63f9f6a7a98f2 start=Sep 04 2023 11:26:23 UTC dvcmac=e3:e9:d0:5e:ba:8e", "event": { - "kind": "event", - "dataset": "malware-object", - "severity": 4, - "start": "2023-09-04T11:26:23Z", "action": "notified", - "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=860e5b30-5a8b-4159-8eb5-148ec3387e87", "category": [ "malware" ], + "dataset": "malware-object", + "kind": "event", + "severity": 4, + "start": "2023-09-04T11:26:23Z", "type": [ "info" - ] + ], + "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=860e5b30-5a8b-4159-8eb5-148ec3387e87" }, "@timestamp": "2023-09-04T11:26:23Z", + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "mac": "00:78:db:db:96:f6", + "port": 80 + }, + "file": { + "extension": "jar", + "hash": { + "md5": "517f9835592fe08912c702c70219b20a", + "sha256": "6e46b55feaeee973cfebabda18fa004b676a4be0919fd79bbad63f9f6a7a98f2" + }, + "name": "tsh.jar", + "path": "kentuckyautoexchange.com/tsh.jar", + "size": 13676 + }, "observer": { - "vendor": "Trellix", - "product": "MPS", - "version": "10.0.0.992057", + "hostname": "cms-nx5600-1.eng.fireeye.com", "ip": [ "3.4.5.6" ], - "hostname": "cms-nx5600-1.eng.fireeye.com", "mac": [ "e3:e9:d0:5e:ba:8e" - ] - }, - "file": { - "path": "kentuckyautoexchange.com/tsh.jar", - "name": "tsh.jar", - "hash": { - "sha256": "6e46b55feaeee973cfebabda18fa004b676a4be0919fd79bbad63f9f6a7a98f2", - "md5": "517f9835592fe08912c702c70219b20a" - }, - "size": 13676, - "extension": "jar" + ], + "product": "MPS", + "vendor": "Trellix", + "version": "10.0.0.992057" }, "process": { "parent": { "title": "Java JDK JRE 7.13" } }, - "trellix": { - "nx": { - "sname": "Exploit.JAVA.CVE-2013-0422.FEC2" - } - }, - "destination": { - "port": 80, - "ip": "5.6.7.8", - "mac": "00:78:db:db:96:f6", - "address": "5.6.7.8" - }, - "source": { - "port": 49207, - "ip": "1.2.3.4", - "domain": "dynamic-ip-adsl.viettel.vn", - "mac": "6c:af:1a:fb:fe:a7", - "address": "dynamic-ip-adsl.viettel.vn", - "top_level_domain": "vn", - "subdomain": "dynamic-ip-adsl", - "registered_domain": "viettel.vn" - }, "related": { "hash": [ "517f9835592fe08912c702c70219b20a", "6e46b55feaeee973cfebabda18fa004b676a4be0919fd79bbad63f9f6a7a98f2" ], + "hosts": [ + "cms-nx5600-1.eng.fireeye.com", + "dynamic-ip-adsl.viettel.vn" + ], "ip": [ "1.2.3.4", "3.4.5.6", "5.6.7.8" - ], - "hosts": [ - "cms-nx5600-1.eng.fireeye.com", - "dynamic-ip-adsl.viettel.vn" ] + }, + "source": { + "address": "dynamic-ip-adsl.viettel.vn", + "domain": "dynamic-ip-adsl.viettel.vn", + "ip": "1.2.3.4", + "mac": "6c:af:1a:fb:fe:a7", + "port": 49207, + "registered_domain": "viettel.vn", + "subdomain": "dynamic-ip-adsl", + "top_level_domain": "vn" + }, + "trellix": { + "nx": { + "sname": "Exploit.JAVA.CVE-2013-0422.FEC2" + } } } @@ -424,72 +424,72 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trellix|MPS|10.0.0.992057|RC|riskware-callback|1|rt=Sep 05 2023 16:46:47 UTC start=Sep 05 2023 16:46:47 UTC end=Sep 05 2023 16:46:47 UTC src=1.2.3.4 dst=5.6.7.8 request=hxxp://stan.mxp2142.com/abf858fda549bc190bd08eb75a07247bd98d194f57886d31b78b12ee01934bf147e3a36d2778243d1945d8a473515b6d196b33304340dfd578c64e47c8be025d7475f1090b8d3d34 cs1Label=sname cs1=Adware.Downloader.Generic act=notified dvc=3.4.5.6 dvchost=cms-nx5600-1.eng.fireeye.com dvcmac=e3:e9:d0:5e:ba:8e smac=6c:af:1a:fb:fe:a7 dmac=00:78:db:db:96:f6 spt=1072 dpt=80 cn1Label=vlan cn1=0 externalId=20966952 devicePayloadId=ae490699-29f0-4680-abb1-9db7ff757cad msg=risk ware detected:13436744 proto=tcp cs4Label=link cs4=https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=ae490699-29f0-4680-abb1-9db7ff757cad cs6Label=channel cs6=GET /abf858fda549bc190bd08eb75a07247bd98d194f57886d31b78b12ee01934bf147e3a36d2778243d1945d8a473515b6d196b33304340dfd578c64e47c8be025d7475f1090b8d3d34 HTTP/1.1::~~Accept: */*::~~Proxy-Authorization: Basic ::~~User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36::~~Host: stan.mxp2142.com::~~Connection: Keep-Alive::~~::~~", "event": { - "kind": "event", - "dataset": "riskware-callback", - "severity": 1, - "start": "2023-09-05T16:46:47Z", - "end": "2023-09-05T16:46:47Z", "action": "notified", - "reason": "risk ware detected:13436744", - "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=ae490699-29f0-4680-abb1-9db7ff757cad", "category": [ "intrusion_detection" ], + "dataset": "riskware-callback", + "end": "2023-09-05T16:46:47Z", + "kind": "event", + "reason": "risk ware detected:13436744", + "severity": 1, + "start": "2023-09-05T16:46:47Z", "type": [ "info" - ] + ], + "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=ae490699-29f0-4680-abb1-9db7ff757cad" }, "@timestamp": "2023-09-05T16:46:47Z", + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "mac": "00:78:db:db:96:f6", + "port": 80 + }, + "network": { + "transport": "tcp" + }, "observer": { - "vendor": "Trellix", - "product": "MPS", - "version": "10.0.0.992057", + "hostname": "cms-nx5600-1.eng.fireeye.com", "ip": [ "3.4.5.6" ], - "hostname": "cms-nx5600-1.eng.fireeye.com", "mac": [ "e3:e9:d0:5e:ba:8e" - ] + ], + "product": "MPS", + "vendor": "Trellix", + "version": "10.0.0.992057" }, - "network": { - "transport": "tcp" + "related": { + "hosts": [ + "cms-nx5600-1.eng.fireeye.com" + ], + "ip": [ + "1.2.3.4", + "3.4.5.6", + "5.6.7.8" + ] }, - "url": { - "original": "hxxp://stan.mxp2142.com/abf858fda549bc190bd08eb75a07247bd98d194f57886d31b78b12ee01934bf147e3a36d2778243d1945d8a473515b6d196b33304340dfd578c64e47c8be025d7475f1090b8d3d34", - "domain": "stan.mxp2142.com", - "top_level_domain": "com", - "subdomain": "stan", - "registered_domain": "mxp2142.com", - "path": "/abf858fda549bc190bd08eb75a07247bd98d194f57886d31b78b12ee01934bf147e3a36d2778243d1945d8a473515b6d196b33304340dfd578c64e47c8be025d7475f1090b8d3d34", - "scheme": "hxxp" + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "6c:af:1a:fb:fe:a7", + "port": 1072 }, "trellix": { "nx": { "sname": "Adware.Downloader.Generic" } }, - "destination": { - "port": 80, - "ip": "5.6.7.8", - "mac": "00:78:db:db:96:f6", - "address": "5.6.7.8" - }, - "source": { - "port": 1072, - "ip": "1.2.3.4", - "mac": "6c:af:1a:fb:fe:a7", - "address": "1.2.3.4" - }, - "related": { - "ip": [ - "1.2.3.4", - "3.4.5.6", - "5.6.7.8" - ], - "hosts": [ - "cms-nx5600-1.eng.fireeye.com" - ] + "url": { + "domain": "stan.mxp2142.com", + "original": "hxxp://stan.mxp2142.com/abf858fda549bc190bd08eb75a07247bd98d194f57886d31b78b12ee01934bf147e3a36d2778243d1945d8a473515b6d196b33304340dfd578c64e47c8be025d7475f1090b8d3d34", + "path": "/abf858fda549bc190bd08eb75a07247bd98d194f57886d31b78b12ee01934bf147e3a36d2778243d1945d8a473515b6d196b33304340dfd578c64e47c8be025d7475f1090b8d3d34", + "registered_domain": "mxp2142.com", + "scheme": "hxxp", + "subdomain": "stan", + "top_level_domain": "com" } } @@ -503,82 +503,82 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trellix|MPS|10.0.0.992057|RO|riskware-object|1|rt=Sep 05 2023 16:45:08 UTC start=Sep 04 2023 11:27:16 UTC end=Sep 05 2023 16:45:08 UTC src=1.2.3.4 dst=5.6.7.8 request=16.16.16.11/043d611854b9c141a36798ac813ff9f7 fname=043d611854b9c141a36798ac813ff9f7 fileType=dmg cs1Label=sname cs1=PUP.MacOS.Bnodlero.FEC3 act=notified dvc=3.4.5.6 dvchost=cms-nx5600-1.eng.fireeye.com dvcmac=e3:e9:d0:5e:ba:8e fileHash=043d611854b9c141a36798ac813ff9f7 smac=6c:af:1a:fb:fe:a7 dmac=00:78:db:db:96:f6 fsize=1315301 spt=37640 dpt=80 cn1Label=vlan cn1=0 requestMethod=GET externalId=8839150 devicePayloadId=c61444e1-64a5-41b3-b31d-3aa4408af602 msg=risk ware detected:13436641 cs4Label=link cs4=https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=c61444e1-64a5-41b3-b31d-3aa4408af602 flexString1Label=sha256sum flexString1=b1e7df9bcb9f2d4183b085450f1f9c5e9d87e919a92f628c04106e5210950e6c", "event": { - "kind": "event", - "dataset": "riskware-object", - "severity": 1, - "start": "2023-09-04T11:27:16Z", - "end": "2023-09-05T16:45:08Z", "action": "notified", - "reason": "risk ware detected:13436641", - "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=c61444e1-64a5-41b3-b31d-3aa4408af602", "category": [ "malware" ], + "dataset": "riskware-object", + "end": "2023-09-05T16:45:08Z", + "kind": "event", + "reason": "risk ware detected:13436641", + "severity": 1, + "start": "2023-09-04T11:27:16Z", "type": [ "info" - ] - }, - "@timestamp": "2023-09-04T11:27:16Z", - "observer": { - "vendor": "Trellix", - "product": "MPS", - "version": "10.0.0.992057", - "ip": [ - "3.4.5.6" ], - "hostname": "cms-nx5600-1.eng.fireeye.com", - "mac": [ - "e3:e9:d0:5e:ba:8e" - ] - }, - "url": { - "original": "16.16.16.11/043d611854b9c141a36798ac813ff9f7", - "path": "16.16.16.11/043d611854b9c141a36798ac813ff9f7" + "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=c61444e1-64a5-41b3-b31d-3aa4408af602" }, - "http": { - "request": { - "method": "GET" - } + "@timestamp": "2023-09-04T11:27:16Z", + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "mac": "00:78:db:db:96:f6", + "port": 80 }, "file": { - "name": "043d611854b9c141a36798ac813ff9f7", + "extension": "dmg", "hash": { - "sha256": "b1e7df9bcb9f2d4183b085450f1f9c5e9d87e919a92f628c04106e5210950e6c", - "md5": "043d611854b9c141a36798ac813ff9f7" + "md5": "043d611854b9c141a36798ac813ff9f7", + "sha256": "b1e7df9bcb9f2d4183b085450f1f9c5e9d87e919a92f628c04106e5210950e6c" }, - "size": 1315301, - "extension": "dmg" + "name": "043d611854b9c141a36798ac813ff9f7", + "size": 1315301 }, - "trellix": { - "nx": { - "sname": "PUP.MacOS.Bnodlero.FEC3" + "http": { + "request": { + "method": "GET" } }, - "destination": { - "port": 80, - "ip": "5.6.7.8", - "mac": "00:78:db:db:96:f6", - "address": "5.6.7.8" - }, - "source": { - "port": 37640, - "ip": "1.2.3.4", - "mac": "6c:af:1a:fb:fe:a7", - "address": "1.2.3.4" + "observer": { + "hostname": "cms-nx5600-1.eng.fireeye.com", + "ip": [ + "3.4.5.6" + ], + "mac": [ + "e3:e9:d0:5e:ba:8e" + ], + "product": "MPS", + "vendor": "Trellix", + "version": "10.0.0.992057" }, "related": { "hash": [ "043d611854b9c141a36798ac813ff9f7", "b1e7df9bcb9f2d4183b085450f1f9c5e9d87e919a92f628c04106e5210950e6c" ], + "hosts": [ + "cms-nx5600-1.eng.fireeye.com" + ], "ip": [ "1.2.3.4", "3.4.5.6", "5.6.7.8" - ], - "hosts": [ - "cms-nx5600-1.eng.fireeye.com" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "6c:af:1a:fb:fe:a7", + "port": 37640 + }, + "trellix": { + "nx": { + "sname": "PUP.MacOS.Bnodlero.FEC3" + } + }, + "url": { + "original": "16.16.16.11/043d611854b9c141a36798ac813ff9f7", + "path": "16.16.16.11/043d611854b9c141a36798ac813ff9f7" } } diff --git a/_shared_content/operations_center/integrations/generated/d3a813ac-f9b5-451c-a602-a5994544d9ed.md b/_shared_content/operations_center/integrations/generated/d3a813ac-f9b5-451c-a602-a5994544d9ed.md index b251ec6aae..84a3ad6f56 100644 --- a/_shared_content/operations_center/integrations/generated/d3a813ac-f9b5-451c-a602-a5994544d9ed.md +++ b/_shared_content/operations_center/integrations/generated/d3a813ac-f9b5-451c-a602-a5994544d9ed.md @@ -257,81 +257,81 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\n \"eventVersion\": \"1.08\",\n \"userIdentity\": {\n \"type\": \"IAMUser\",\n \"principalId\": \"demo\",\n \"arn\": \"arn:aws:iam::0:user/demo\",\n \"accountId\": \"00000\",\n \"accessKeyId\": \"AAAAAAAAA\",\n \"userName\": \"AAAAAAAAAAAA\"\n },\n \"eventTime\": \"2023-09-29T15:06:45Z\",\n \"eventSource\": \"ecs.amazonaws.com\",\n \"eventName\": \"PutClusterCapacityProviders\",\n \"awsRegion\": \"eu-west-1\",\n \"sourceIPAddress\": \"00.000.000.00\",\n \"userAgent\": \"APN/1.0 HashiCorp/1.0 Terraform/1.4.7 (+https://www.terraform.io) terraform-provider-aws/4.59.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.44.221 (go1.19.6; linux; amd64)\",\n \"requestParameters\": {\n \"cluster\": \"cluster_name\",\n \"capacityProviders\": [\n \"DEMO\"\n ],\n \"defaultCapacityProviderStrategy\": [\n {\n \"capacityProvider\": \"DEMO\",\n \"weight\": 0,\n \"base\": 0\n }\n ]\n },\n \"responseElements\": {\n \"cluster\": {\n \"clusterArn\": \"arn:aws:ecs:eu-west-1:00000000:cluster/cluster_name\",\n \"clusterName\": \"cluster_name\",\n \"configuration\": {\n \"executeCommandConfiguration\": {\n \"logging\": \"OVERRIDE\",\n \"logConfiguration\": {\n \"cloudWatchLogGroupName\": \"/ecs/cluster/cluster_name\",\n \"cloudWatchEncryptionEnabled\": true,\n \"s3EncryptionEnabled\": false\n }\n }\n },\n \"status\": \"ACTIVE\",\n \"registeredContainerInstancesCount\": 0,\n \"runningTasksCount\": 0,\n \"pendingTasksCount\": 0,\n \"activeServicesCount\": 0,\n \"statistics\": [],\n \"tags\": [],\n \"settings\": [\n {\n \"name\": \"containerInsights\",\n \"value\": \"enabled\"\n }\n ],\n \"capacityProviders\": [\n \"DEMO\"\n ],\n \"defaultCapacityProviderStrategy\": [\n {\n \"capacityProvider\": \"DEMO\",\n \"weight\": 0,\n \"base\": 0\n }\n ],\n \"attachments\": [],\n \"attachmentsStatus\": \"UPDATE_IN_PROGRESS\"\n }\n },\n \"readOnly\": false,\n \"eventType\": \"AwsApiCall\",\n \"managementEvent\": true,\n \"recipientAccountId\": \"007\",\n \"eventCategory\": \"Management\",\n \"tlsDetails\": {\n \"tlsVersion\": \"TLSv1.3\",\n \"cipherSuite\": \"TLS_AES_128_GCM_SHA256\",\n \"clientProvidedHostHeader\": \"sekoia.eu-west-1.amazonaws.com\"\n }\n}", "event": { - "kind": "event", + "action": "PutClusterCapacityProviders", "category": [ "network" ], - "type": [ - "access" - ], "dataset": "cloudtrail", - "action": "PutClusterCapacityProviders", + "kind": "event", + "outcome": "success", "provider": "ecs.amazonaws.com", - "outcome": "success" + "type": [ + "access" + ] }, "@timestamp": "2023-09-29T15:06:45Z", - "cloud": { - "provider": "aws", - "service": { - "name": "cloudtrail" - }, - "region": "eu-west-1", - "account": { - "id": "00000" - } - }, "action": { - "type": "AwsApiCall", "name": "PutClusterCapacityProviders", "outcome": "success", - "target": "network-traffic", "properties": { "recipientAccountId": "007", "userIdentity": { - "type": "IAMUser", - "principalId": "demo", - "arn": "arn:aws:iam::0:user/demo", - "accountId": "00000", "accessKeyId": "AAAAAAAAA", + "accountId": "00000", + "arn": "arn:aws:iam::0:user/demo", + "principalId": "demo", + "type": "IAMUser", "userName": "AAAAAAAAAAAA" } - } - }, - "user_agent": { - "original": "APN/1.0 HashiCorp/1.0 Terraform/1.4.7 (+https://www.terraform.io) terraform-provider-aws/4.59.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.44.221 (go1.19.6; linux; amd64)", - "device": { - "name": "Other" }, - "name": "aws-sdk-go", - "version": "1.44.221", - "os": { - "name": "Linux" - } - }, - "user": { - "id": "00000" - }, - "tls": { - "cipher": "TLS_AES_128_GCM_SHA256", - "version": "TLSv1.3" + "target": "network-traffic", + "type": "AwsApiCall" }, "aws": { "cloudtrail": { + "cluster_name": "cluster_name", "event_version": "1.08", + "flattened": { + "request_parameters": "{\"capacityProviders\": [\"DEMO\"], \"cluster\": \"cluster_name\", \"defaultCapacityProviderStrategy\": [{\"base\": 0, \"capacityProvider\": \"DEMO\", \"weight\": 0}]}", + "response_elements": "{\"cluster\": {\"activeServicesCount\": 0, \"attachments\": [], \"attachmentsStatus\": \"UPDATE_IN_PROGRESS\", \"capacityProviders\": [\"DEMO\"], \"clusterArn\": \"arn:aws:ecs:eu-west-1:00000000:cluster/cluster_name\", \"clusterName\": \"cluster_name\", \"configuration\": {\"executeCommandConfiguration\": {\"logConfiguration\": {\"cloudWatchEncryptionEnabled\": true, \"cloudWatchLogGroupName\": \"/ecs/cluster/cluster_name\", \"s3EncryptionEnabled\": false}, \"logging\": \"OVERRIDE\"}}, \"defaultCapacityProviderStrategy\": [{\"base\": 0, \"capacityProvider\": \"DEMO\", \"weight\": 0}], \"pendingTasksCount\": 0, \"registeredContainerInstancesCount\": 0, \"runningTasksCount\": 0, \"settings\": [{\"name\": \"containerInsights\", \"value\": \"enabled\"}], \"statistics\": [], \"status\": \"ACTIVE\", \"tags\": []}}" + }, "recipient_account_id": "007", "user_identity": { - "type": "IAMUser", - "principalId": "demo", - "arn": "arn:aws:iam::0:user/demo", + "accessKeyId": "AAAAAAAAA", "accountId": "00000", - "accessKeyId": "AAAAAAAAA" - }, - "cluster_name": "cluster_name", - "flattened": { - "response_elements": "{\"cluster\": {\"activeServicesCount\": 0, \"attachments\": [], \"attachmentsStatus\": \"UPDATE_IN_PROGRESS\", \"capacityProviders\": [\"DEMO\"], \"clusterArn\": \"arn:aws:ecs:eu-west-1:00000000:cluster/cluster_name\", \"clusterName\": \"cluster_name\", \"configuration\": {\"executeCommandConfiguration\": {\"logConfiguration\": {\"cloudWatchEncryptionEnabled\": true, \"cloudWatchLogGroupName\": \"/ecs/cluster/cluster_name\", \"s3EncryptionEnabled\": false}, \"logging\": \"OVERRIDE\"}}, \"defaultCapacityProviderStrategy\": [{\"base\": 0, \"capacityProvider\": \"DEMO\", \"weight\": 0}], \"pendingTasksCount\": 0, \"registeredContainerInstancesCount\": 0, \"runningTasksCount\": 0, \"settings\": [{\"name\": \"containerInsights\", \"value\": \"enabled\"}], \"statistics\": [], \"status\": \"ACTIVE\", \"tags\": []}}", - "request_parameters": "{\"capacityProviders\": [\"DEMO\"], \"cluster\": \"cluster_name\", \"defaultCapacityProviderStrategy\": [{\"base\": 0, \"capacityProvider\": \"DEMO\", \"weight\": 0}]}" + "arn": "arn:aws:iam::0:user/demo", + "principalId": "demo", + "type": "IAMUser" } } + }, + "cloud": { + "account": { + "id": "00000" + }, + "provider": "aws", + "region": "eu-west-1", + "service": { + "name": "cloudtrail" + } + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "version": "TLSv1.3" + }, + "user": { + "id": "00000" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "aws-sdk-go", + "original": "APN/1.0 HashiCorp/1.0 Terraform/1.4.7 (+https://www.terraform.io) terraform-provider-aws/4.59.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.44.221 (go1.19.6; linux; amd64)", + "os": { + "name": "Linux" + }, + "version": "1.44.221" } } diff --git a/_shared_content/operations_center/integrations/generated/d719e8b5-85a1-4dad-bf71-46155af56570.md b/_shared_content/operations_center/integrations/generated/d719e8b5-85a1-4dad-bf71-46155af56570.md index 0046c92354..cff35e2a03 100644 --- a/_shared_content/operations_center/integrations/generated/d719e8b5-85a1-4dad-bf71-46155af56570.md +++ b/_shared_content/operations_center/integrations/generated/d719e8b5-85a1-4dad-bf71-46155af56570.md @@ -29,6 +29,58 @@ In details, the following table denotes the type of events produced by this inte Find below few samples of events and how they are normalized by Sekoia.io. +=== "auth_was_rejected.json" + + ```json + + { + "message": "1.0|WatchGuard|XTM|12.10.2.B692269|11000005|host_name=Member2#011serial=AAAAAAAAAAAAA#011msg=Authentication of SSLVPN user [john.doe@example.org@radius] from 1.2.3.4 was rejected, Recv timeout", + "event": { + "category": [ + "authentication" + ], + "code": "11000005", + "kind": "event", + "outcome": "failure", + "reason": "Authentication of SSLVPN user [john.doe@example.org@radius] from 1.2.3.4 was rejected, Recv timeout", + "type": [ + "start" + ] + }, + "observer": { + "product": "XTM", + "serial_number": "AAAAAAAAAAAAA", + "type": "firewall", + "vendor": "WatchGuard", + "version": "12.10.2.B692269" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "john.doe" + }, + "watchguard": { + "firebox": { + "dhcp": { + "operation": "none" + } + } + } + } + + ``` + + === "connection.json" ```json @@ -1122,6 +1174,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "11000004", "kind": "event", + "outcome": "success", "reason": "Authentication of SSLVPN user [john.doe@example.org@radius] from 1.2.3.4 was accepted", "type": [ "start" @@ -1225,9 +1278,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "50000001", "kind": "event", + "outcome": "failure", "reason": "WSM User @Firebox-DB from 1.2.3.4 log in attempt was rejected - unknown reason.", "type": [ - "end" + "start" ] }, "observer": { @@ -1270,9 +1324,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "50000001", "kind": "event", + "outcome": "failure", "reason": "WebUI User page@Firebox-DB from 127.0.0.1 log in attempt was rejected - invalid credentials or user doesn't exist.", "type": [ - "end" + "start" ] }, "observer": { @@ -1402,6 +1457,7 @@ The following table lists the fields that are extracted, normalized under the EC |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.code` | `keyword` | Identification code for this event. | |`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.outcome` | `keyword` | The outcome of the event. The lowest level categorization field in the hierarchy. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`http.request.method` | `keyword` | HTTP request method. | diff --git a/_shared_content/operations_center/integrations/generated/ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb.md b/_shared_content/operations_center/integrations/generated/ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb.md index 4a7d7499d9..cca4ab58c2 100644 --- a/_shared_content/operations_center/integrations/generated/ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb.md +++ b/_shared_content/operations_center/integrations/generated/ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb.md @@ -16,4 +16,318 @@ The following table lists the data source offered by this integration. +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "account_modification.json" + + ```json + + { + "message": "Un compte d\u2019utilisateur a \u00e9t\u00e9 modifi\u00e9.#015#012#015#012Sujet :#015#012#011ID de s\u00e9curit\u00e9 :#011#011S-1-5-18#015#012#011Nom du compte :#011#011CORPDOMAIN$#015#012#011Domaine du compte :#011#011CORPDOMAIN#015#012#011ID d\u2019ouverture de session :#011#0110x3e7#015#012#015#012Compte cible :#015#012#011ID de s\u00e9curit\u00e9 :#011#011S-1-5-21-241366212-796369622-1890169025-500#015#012#011Nom du compte :#011#011USERNAME#015#012#011Domaine du compte :#011#011CORPDOMAIN#015#012#015#012Attributs modifi\u00e9s :#015#012#011Nom du compte SAM :#011USERNAME#015#012#011Nom complet :#011#011#015#012#011Nom principal de l\u2019utilisateur :#011-#015#012#011R\u00e9pertoire de base :#011#011#015#012#011Lecteur de base :#011#011#015#012#011Chemin d\u2019acc\u00e8s au script :#011#011#015#012#011Chemin d\u2019acc\u00e8s au profil :#011#011#015#012#011Stations de travail utilisateurs :#011#015#012#011Derni\u00e8re modification du mot de passe le :#01110/06/2020 14:27:09#015#012#011Le compte expire le :#011#011#015#012#011ID de groupe principal :#011513#015#012#011D\u00e9l\u00e9gu\u00e9 autoris\u00e9 :#011-#015#012#011Ancienne valeur UAC :#011#0110x210#015#012#011Nouvelle valeur UAC :#011#0110x210#015#012#011Contr\u00f4le du compte d\u2019utilisateur :#011-#015#012#011Param\u00e8tres utilisateur :#011-#015#012#011Historique SID :#011#011-#015#012#011Horaire d\u2019acc\u00e8s :#011#011Tout#015#012#015#012Informations suppl\u00e9mentaires :#015#012#011Privil\u00e8ges:#011#011-", + "event": { + "code": "4738", + "outcome": "success" + }, + "action": { + "id": 4738, + "name": "Un compte d\u2019utilisateur a \u00e9t\u00e9 modifi\u00e9.", + "properties": { + "domain": "CORPDOMAIN", + "id": "S-1-5-21-241366212-796369622-1890169025-500", + "name": "USERNAME", + "type": "targetedUser" + }, + "target": "user", + "type": "Security" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "target": { + "domain": "CORPDOMAIN", + "id": "0x3e7", + "name": "CORPDOMAIN$", + "sid": "S-1-5-18" + } + } + } + + ``` + + +=== "logoff_mess.json" + + ```json + + { + "message": "An account was logged off.#015#012#015#012Subject:#015#012#011Security ID:#011#011S-1-5-21-1494196517-2992400115-1379426628-1000#015#012#011Account Name:#011#011username#015#012#011Account Domain:#011#011COMPUTERNAME-PC#015#012#011Logon ID:#011#0110x523d454d#015#012#015#012Logon Type:#011#011#0115#015#012#015#012This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.", + "event": { + "code": "4634", + "outcome": "success" + }, + "action": { + "id": 4634, + "name": "An account was logged off.", + "properties": { + "logon_type": 5, + "type": "targetedUser" + }, + "target": "user", + "type": "Security" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "target": { + "domain": "COMPUTERNAME-PC", + "id": "0x523d454d", + "name": "username", + "sid": "S-1-5-21-1494196517-2992400115-1379426628-1000" + } + } + } + + ``` + + +=== "logon_mess.json" + + ```json + + { + "message": "An account was successfully logged on.#015#012#015#012Subject:#015#012#011Security ID:#011#011S-1-5-21-1494196517-2992400115-1379426628-1000#015#012#011Account Name:#011#011username#015#012#011Account Domain:#011#011COMPUTERNAME-PC#015#012#011Logon ID:#011#0110x1bc9bbee#015#012#015#012Logon Type:#011#011#0115#015#012#015#012New Logon:#015#012#011Security ID:#011#011S-1-5-21-1494196517-2992400115-1379426628-1000#015#012#011Account Name:#011#011username#015#012#011Account Domain:#011#011COMPUTERNAME-PC#015#012#011Logon ID:#011#0110x222c4f34#015#012#011Logon GUID:#011#011{00000000-0000-0000-0000-000000000000}#015#012#015#012Process Information:#015#012#011Process ID:#011#0110x5df8#015#012#011Process Name:#011#011C:\\ABSciex\\drm\\xGate.exe#015#012#015#012Network Information:#015#012#011Workstation Name:#011COMPUTERNAME-PC#015#012#011Source Network Address:#011-#015#012#011Source Port:#011#011-#015#012#015#012Detailed Authentication Information:#015#012#011Logon Process:#011#011Advapi #015#012#011Authentication Package:#011Negotiate#015#012#011Transited Services:#011-#015#012#011Package Name (NTLM only):#011-#015#012#011Key Length:#011#0110#015#012#015#012This event is generated when a logon session is created. It is generated on the computer that was accessed.#015#012#015#012The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.#015#012#015#012The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).#015#012#015#012The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.#015#012#015#012The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.#015#012#015#012The authentication information fields provide detailed information about this specific logon request.#015#012#011- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.#015#012#011- Transited services indicate which intermediate services have participated in this logon request.#015#012#011- Package name indicates which sub-protocol was used among the NTLM protocols.#015#012#011- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "event": { + "category": [ + "authentication" + ], + "code": "4624", + "outcome": "success", + "type": [ + "start" + ] + }, + "action": { + "id": 4624, + "name": "An account was successfully logged on.", + "outcome": "success", + "properties": { + "domain": "COMPUTERNAME-PC", + "id": "S-1-5-21-1494196517-2992400115-1379426628-1000", + "logon_guid": "00000000-0000-0000-0000-000000000000", + "logon_id": "0x222c4f34", + "logon_type": 5, + "name": "username", + "type": "targetedUser" + }, + "target": "user", + "type": "Security" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "process": { + "id": "0x5df8", + "name": "C:\\ABSciex\\drm\\xGate.exe" + }, + "sekoiaio": { + "authentication": { + "process": { + "name": "C:\\ABSciex\\drm\\xGate.exe" + } + }, + "server": { + "os": { + "type": "windows" + } + } + }, + "user": { + "target": { + "domain": "COMPUTERNAME-PC", + "id": "0x1bc9bbee", + "name": "username", + "sid": "S-1-5-21-1494196517-2992400115-1379426628-1000" + } + } + } + + ``` + + +=== "logon_mess_fr.json" + + ```json + + { + "message": "L\u2019ouverture de session d\u2019un compte s\u2019est correctement d\u00e9roul\u00e9e.#015#012#015#012Sujet :#015#012#011ID de s\u00e9curit\u00e9 :#011#011S-1-5-18#015#012#011Nom du compte :#011#011USERNAME$#015#012#011Domaine du compte :#011#011CORPDOMAIN#015#012#011ID d\u2019ouverture de session :#011#0110x3e7#015#012#015#012Type d\u2019ouverture de session :#011#011#0115#015#012#015#012Nouvelle ouverture de session :#015#012#011ID de s\u00e9curit\u00e9 :#011#011S-1-5-18#015#012#011Nom du compte :#011#011Syst\u00e8me#015#012#011Domaine du compte :#011#011AUTORITE NT#015#012#011ID d\u2019ouverture de session :#011#0110x3e7#015#012#011GUID d\u2019ouverture de session :#011#011{00000000-0000-0000-0000-000000000000}#015#012#015#012Informations sur le processus :#015#012#011ID du processus :#011#0110x1d0#015#012#011Nom du processus :#011#011C:\\Windows\\System32\\services.exe#015#012#015#012Informations sur le r\u00e9seau :#015#012#011Nom de la station de travail :#011#015#012#011Adresse du r\u00e9seau source :#011-#015#012#011Port source :#011#011-#015#012#015#012Informations d\u00e9taill\u00e9es sur l\u2019authentification :#015#012#011Processus d\u2019ouverture de session :#011#011Advapi #015#012#011Package d\u2019authentification :#011Negotiate#015#012#011Services en transit :#011-#015#012#011Nom du package (NTLM uniquement) :#011-#015#012#011Longueur de la cl\u00e9 :#011#0110#015#012#015#012Cet \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 lors de la cr\u00e9ation d\u2019une ouverture de session. Il est g\u00e9n\u00e9r\u00e9 sur l\u2019ordinateur sur lequel l\u2019ouverture de session a \u00e9t\u00e9 effectu\u00e9e.#015#012#015#012Le champ Objet indique le compte sur le syst\u00e8me local qui a demand\u00e9 l\u2019ouverture de session. Il s\u2019agit le plus souvent d\u2019un service, comme le service Serveur, ou un processus local tel que Winlogon.exe ou Services.exe.#015#012#015#012Le champ Type d\u2019ouverture de session indique le type d\u2019ouverture de session qui s\u2019est produit. Les types les plus courants sont 2 (interactif) et 3 (r\u00e9seau).#015#012#015#012Le champ Nouvelle ouverture de session indique le compte pour lequel la nouvelle ouverture de session a \u00e9t\u00e9 cr\u00e9\u00e9e, par exemple, le compte qui s\u2019est connect\u00e9.#015#012#015#012Les champs relatifs au r\u00e9seau indiquent la provenance d\u2019une demande d\u2019ouverture de session \u00e0 distance. Le nom de la station de travail n\u2019\u00e9tant pas toujours disponible, peut \u00eatre laiss\u00e9 vide dans certains cas.#015#012#015#012Les champs relatifs aux informations d\u2019authentification fournissent des d\u00e9tails sur cette demande d\u2019ouverture de session sp\u00e9cifique.#015#012#011- Le GUID d\u2019ouverture de session est un identificateur unique pouvant servir \u00e0 associer cet \u00e9v\u00e9nement \u00e0 un \u00e9v\u00e9nement KDC .#015#012#011- Les services en transit indiquent les services interm\u00e9diaires qui ont particip\u00e9 \u00e0 cette demande d\u2019ouverture de session.#015#012#011- Nom du package indique quel est le sous-protocole qui a \u00e9t\u00e9 utilis\u00e9 parmi les protocoles NTLM.#015#012#011- La longueur de la cl\u00e9 indique la longueur de la cl\u00e9 de session g\u00e9n\u00e9r\u00e9e", + "event": { + "category": [ + "authentication" + ], + "code": "4624", + "outcome": "success", + "type": [ + "start" + ] + }, + "action": { + "id": 4624, + "name": "L\u2019ouverture de session d\u2019un compte s\u2019est correctement d\u00e9roul\u00e9e.", + "outcome": "success", + "properties": { + "domain": "AUTORITE NT", + "id": "S-1-5-18", + "logon_guid": "00000000-0000-0000-0000-000000000000", + "logon_id": "0x3e7", + "logon_type": 5, + "name": "Syst\u00e8me", + "type": "targetedUser" + }, + "target": "user", + "type": "Security" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "process": { + "id": "0x1d0", + "name": "C:\\Windows\\System32\\services.exe" + }, + "sekoiaio": { + "authentication": { + "process": { + "name": "C:\\Windows\\System32\\services.exe" + } + }, + "server": { + "os": { + "type": "windows" + } + } + }, + "user": { + "target": { + "domain": "CORPDOMAIN", + "id": "0x3e7", + "name": "USERNAME$", + "sid": "S-1-5-18" + } + } + } + + ``` + + +=== "pass_ch.json" + + ```json + + { + "message": "Une tentative de r\u00e9initialisation de mot de passe d\u2019un compte a \u00e9t\u00e9 effectu\u00e9e.#015#012#015#012Sujet :#015#012#011ID de s\u00e9curit\u00e9 :#011#011S-1-5-18#015#012#011Nom du compte :#011#011USERNAME$#015#012#011Domaine du compte :#011#011CORPDOMAIN#015#012#011ID d\u2019ouverture de session :#011#0110x3e7#015#012#015#012Compte cible :#015#012#011ID de s\u00e9curit\u00e9 :#011#011S-1-5-21-1563151732-852262966-262546994-500#015#012#011Nom du compte :#011#011USERNAME#015#012#011Domaine du compte :#011#011CORPDOMAIN", + "event": { + "code": "4724", + "outcome": "success" + }, + "action": { + "id": 4724, + "name": "Une tentative de r\u00e9initialisation de mot de passe d\u2019un compte a \u00e9t\u00e9 effectu\u00e9e.", + "properties": { + "domain": "CORPDOMAIN", + "id": "S-1-5-21-1563151732-852262966-262546994-500", + "name": "USERNAME", + "type": "targetedUser" + }, + "target": "user", + "type": "Security" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "target": { + "domain": "CORPDOMAIN", + "id": "0x3e7", + "name": "USERNAME$", + "sid": "S-1-5-18" + } + } + } + + ``` + + +=== "process2.json" + + ```json + + { + "message": "D\u00e9marrage de Self-Service Plug-in (utilisateur=CORPDOMAIN\\user.name).", + "event": { + "outcome": "success" + }, + "action": { + "name": "D\u00e9marrage de Self-Service Plug-in", + "properties": { + "type": "targetedUser" + }, + "target": "user" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "related": { + "user": [ + "user.name" + ] + }, + "user": { + "domain": "CORPDOMAIN", + "name": "user.name" + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`action.properties.domain` | `keyword` | | +|`action.properties.id` | `keyword` | | +|`action.properties.logon_guid` | `keyword` | | +|`action.properties.logon_id` | `keyword` | | +|`action.properties.logon_type` | `number` | | +|`action.properties.name` | `keyword` | | +|`action.properties.target` | `keyword` | | +|`action.properties.type` | `keyword` | | +|`action.target` | `keyword` | | +|`event.code` | `keyword` | Identification code for this event. | +|`event.outcome` | `keyword` | The outcome of the event. The lowest level categorization field in the hierarchy. | +|`process.id` | `keyword` | | +|`process.name` | `keyword` | Process name. | +|`user.domain` | `keyword` | Name of the directory the user is a member of. | +|`user.id` | `keyword` | Unique identifier of the user. | +|`user.name` | `keyword` | Short name or login of the user. | +|`user.sid` | `keyword` | | +|`user.target.domain` | `keyword` | Name of the directory the user is a member of. | +|`user.target.id` | `keyword` | Unique identifier of the user. | +|`user.target.name` | `keyword` | Short name or login of the user. | +|`user.target.sid` | `keyword` | |