Commit
Refresh intakes documentation
sekoia-io-cross-repo-comm-app[bot] authored and github-actions[bot] committed Mar 13, 2024
1 parent 146200b commit 21675b1
Showing 15 changed files with 2,308 additions and 27 deletions.
Expand Up @@ -46,6 +46,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
]
},
"@timestamp": "2014-03-17T15:39:18.460000Z",
"cloud": {
"account": {
"id": "ABC123xyz"
}
},
"file": {
"gid": "AAAAAALLLLLL",
"name": "Divers",
Expand All @@ -54,6 +59,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
},
"google": {
"report": {
"actor": {
"email": "[email protected]"
},
"parameters": {
"visibility": "shared_internally"
}
Expand All @@ -67,16 +75,19 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"1.2.3.4"
],
"user": [
"RH "
"RH ",
"kim"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"user": {
"domain": "example.com",
"email": "[email protected]",
"id": "ABC123xyz"
"id": "users unique Google Workspace profile ID",
"name": "kim"
}
}
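Review bot: the replacement `user.id` value `"users unique Google Workspace profile ID"` is a field description standing in for a sample value, and it also drops the apostrophe (user's); the other samples in this file use a concrete synthetic id such as `"111111111"` or `"11111"`, so use one of the same shape here. Because the former `user.id` value `ABC123xyz` now populates `cloud.account.id`, the surrounding prose should also say that `cloud.account.id` carries the Workspace customer/organization id and `user.id` the actor's profile id, so that readers understand why existing detection rules or allowlists keyed on `user.id` will match a different value after this change.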
Expand All @@ -101,11 +112,23 @@ Find below few samples of events and how they are normalized by Sekoia.io.
]
},
"@timestamp": "2014-03-17T15:39:18.460000Z",
"cloud": {
"account": {
"id": "ABC123xyz"
}
},
"file": {
"name": "Meeting notes",
"owner": "[email protected]",
"type": "document"
},
"google": {
"report": {
"actor": {
"email": "[email protected]"
}
}
},
"network": {
"application": "drive"
},
Expand All @@ -114,6 +137,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"1.2.3.4"
],
"user": [
"kim",
"[email protected]"
]
},
Expand All @@ -122,8 +146,10 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"ip": "1.2.3.4"
},
"user": {
"domain": "example.com",
"email": "[email protected]",
"id": "ABC123xyz"
"id": "users unique Google Workspace profile ID",
"name": "kim"
}
}
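Review bot: same issue as in the first sample of this file: `"id": "users unique Google Workspace profile ID"` should be a synthetic id value, not a description of the field.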
Expand All @@ -148,6 +174,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
]
},
"@timestamp": "2023-09-04T08:42:51.615000Z",
"cloud": {
"account": {
"id": "111111111"
}
},
"file": {
"gid": "DDD_111111111111111",
"name": "MyDocs",
Expand All @@ -156,6 +187,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
},
"google": {
"report": {
"actor": {
"email": "[email protected]"
},
"parameters": {
"visibility": "people_within_domain_with_link"
}
Expand All @@ -169,16 +203,19 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"1.2.3.4"
],
"user": [
"J.DOE"
"J.DOE",
"john.doe"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"user": {
"domain": "example.org",
"email": "[email protected]",
"id": "111111111"
"id": "444444444444444444444",
"name": "john.doe"
}
}
Expand All @@ -203,13 +240,21 @@ Find below few samples of events and how they are normalized by Sekoia.io.
]
},
"@timestamp": "2024-01-17T11:09:39.840000Z",
"cloud": {
"account": {
"id": "XXXXXX"
}
},
"file": {
"name": "Doc Temp",
"owner": "[email protected]",
"type": "document"
},
"google": {
"report": {
"actor": {
"email": "[email protected]"
},
"parameters": {
"visibility": "shared_externally"
}
Expand All @@ -223,16 +268,19 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"0.0.0.0"
],
"user": [
"[email protected]"
"[email protected]",
"senduser"
]
},
"source": {
"address": "0.0.0.0",
"ip": "0.0.0.0"
},
"user": {
"domain": "test.com",
"email": "[email protected]",
"id": "XXXXXX",
"id": "11111",
"name": "senduser",
"target": {
"email": "[email protected]"
}
Expand All @@ -252,6 +300,7 @@ The following table lists the fields that are extracted, normalized under the EC
| Name | Type | Description |
| ---- | ---- | ---------------------------|
|`@timestamp` | `date` | Date/time when the event originated. |
|`cloud.account.id` | `keyword` | The cloud account or organization id. |
|`event.action` | `keyword` | The action captured by the event. |
|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
|`event.dataset` | `keyword` | Name of the dataset. |
Expand All @@ -261,10 +310,13 @@ The following table lists the fields that are extracted, normalized under the EC
|`file.name` | `keyword` | Name of the file including the extension, without the directory. |
|`file.owner` | `keyword` | File owner's username. |
|`file.type` | `keyword` | File type (file, dir, or symlink). |
|`google.report.actor.email` | `keyword` | |
|`google.report.parameters.visibility` | `keyword` | Visibility of the Drive item associated with the activity |
|`network.application` | `keyword` | Application level protocol name. |
|`source.ip` | `ip` | IP address of the source. |
|`user.domain` | `keyword` | Name of the directory the user is a member of. |
|`user.email` | `keyword` | User email address. |
|`user.id` | `keyword` | Unique identifier of the user. |
|`user.name` | `keyword` | Short name or login of the user. |
|`user.target.email` | `keyword` | User email address. |
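Review bot: the new `google.report.actor.email` row has an empty Description cell while every other row in the table carries one. Suggest something like `Email address of the actor who performed the activity, as reported by the Google Workspace Reports API`, and state how it relates to `user.email`, which is populated alongside it in every sample of this file (in the samples the two hold the same address).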

Expand Up @@ -464,6 +464,98 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```


=== "others_tests_example1_type_6.json"

```json

{
"message": "Event [182269] [1-1] [2024-02-12T10:41:48.631649Z] [vim.event.VmAcquiredTicketEvent] [info] [EXAMPLE.LOCAL\\Administrator] [Datacenter] [182269] [A ticket for root of type MKS on 5.6.7.8 in Datacenter has been acquired]",
"event": {
"category": [
"network"
],
"code": "vim.event.VmAcquiredTicketEvent",
"kind": "event",
"type": [
"connection"
]
},
"@timestamp": "2024-02-12T10:41:48.631649Z",
"host": {
"ip": "5.6.7.8"
},
"log": {
"level": "info"
},
"observer": {
"product": "VCenter",
"vendor": "VMWare"
},
"related": {
"ip": [
"5.6.7.8"
],
"user": [
"root"
]
},
"user": {
"name": "root"
},
"vmware_vcenter": {
"event_id": "182269"
}
}
```


=== "others_tests_example2_type_6.json"

```json

{
"message": "Event [180270] [1-1] [2024-02-09T09:37:10.715328Z] [vim.event.VmAcquiredTicketEvent] [info] [EXAMPLE.LOCAL\\Administrator] [Datacenter] [180270] [A ticket for john.doe of type MKS on 5.6.7.8 in Datacenter has been acquired]",
"event": {
"category": [
"network"
],
"code": "vim.event.VmAcquiredTicketEvent",
"kind": "event",
"type": [
"connection"
]
},
"@timestamp": "2024-02-09T09:37:10.715328Z",
"host": {
"ip": "5.6.7.8"
},
"log": {
"level": "info"
},
"observer": {
"product": "VCenter",
"vendor": "VMWare"
},
"related": {
"ip": [
"5.6.7.8"
],
"user": [
"john.doe"
]
},
"user": {
"name": "john.doe"
},
"vmware_vcenter": {
"event_id": "180270"
}
}
```


=== "others_tests_example3_type3.json"

```json
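Review bot: in both new samples the raw message names two identities, the bracketed session user `EXAMPLE.LOCAL\\Administrator` and the account named in the ticket text (`root`, `john.doe`), but only the latter reaches `user.name` and `related.user`. For a `VmAcquiredTicketEvent` of type MKS, which is console access to a VM, the account that acquired the ticket is the one an analyst will pivot on, so either map the bracketed user as well (at least into `related.user`) or document which identity `user.name` represents. Minor: `observer.vendor` is spelled `VMWare` while the vendor writes it `VMware`; rules that filter on `observer.vendor` depend on a consistent spelling.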
Expand Up @@ -105,6 +105,67 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```


=== "test_plugin_waf.json"

```json

{
"message": "10:18-10:42:59 rproxy httpd: id=\"0299\" srcip=\"1.2.3.4\" localip=\"192.168.1.5\" size=\"112\" user=\"-\" host=\"1.2.3.4\" method=\"POST\" statuscode=\"200\" reason=\"-\" extra=\"-\" exceptions=\"-\" time=\"18059\" url=\"/mapi/emsmdb/\" server=\"test.server.fr\" port=\"443\" query=\"[email protected]\" referer=\"-\" cookie=\"MapiContext=MAPIAAAAAPaz4bfyp/XD+tnr2+na98fw3e/f/8/4wvLK8ML6oIOyhLaEs4W0jb6GeOMFAAAAAAA=;MapiRouting=UlVNOjZhOThhYjI0LWE0Y2MtNGIxNy1iOTMyLTJlNWZmZTU5ZTYwZDoKgwHZtc/bCA==;MapiSequence=21-DA04Jw==;X-BackEndCookie=ea00c3b8-d2a4-40f9-897b-c59318ed25a0=u56Lnp2ejJqBzpnGzJ6emZrSnZ6ZnNLLnMjI0p2ax53SnMqamc3IyMaazsudgYHNz83M0s7O0s7Iq8/HxcvOxc7K\" set-cookie=\"MapiRouting=UlVNOjZhOThhYjI0LWE0Y2MtNGIxNy1iOTMyLTJlNWZmZTU5ZTYwZDoKgwHZtc/bCA==; path=/mapi/; secure; HttpOnly, MapiSequence=22-xtBYAg==; path=/mapi/emsmdb; secure; HttpOnly, MapiContext=MAPIAAAAAPaz4bfyp/XD+tnr2+na98fw3e/f/8/4wvLK8ML6oIOyhLaEs4W0jb6GeOMFAAAAAAA=; path=/mapi/emsmdb; secure; HttpOnly, X-BackEndCookie=ea00c3b8-d2",
"event": {
"category": [
"network"
],
"kind": "event",
"type": [
"info"
]
},
"destination": {
"address": "test.server.fr",
"domain": "test.server.fr",
"port": 443,
"registered_domain": "server.fr",
"subdomain": "test",
"top_level_domain": "fr"
},
"host": {
"ip": "1.2.3.4"
},
"http": {
"request": {
"method": "POST"
},
"response": {
"status_code": 200
}
},
"related": {
"hosts": [
"test.server.fr"
],
"ip": [
"1.2.3.4",
"192.168.1.5"
]
},
"source": {
"address": "1.2.3.4",
"bytes": 112,
"ip": "1.2.3.4",
"nat": {
"ip": "192.168.1.5"
}
},
"url": {
"original": "/mapi/emsmdb/",
"path": "/mapi/emsmdb/",
"query": "[email protected]"
}
}
```


=== "test_rule.json"

```json
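Review bot: two mappings in this sample deserve a second look. `host.ip` is set to `1.2.3.4`, which is the client address (the log's `host=` and `srcip=` carry the same value); in ECS `host.ip` denotes the machine the event was observed on, so populating it with the client address duplicates `source.ip` and misleads rules that treat `host.*` as the observer. Likewise `localip="192.168.1.5"` is the reverse proxy's own interface address, so placing it in `source.nat.ip` (the translated source address) is doubtful; `observer.ip` fits that value better. Separately, the message embeds what look like genuine Exchange MAPI session cookies and an `X-BackEndCookie` GUID; replace them with clearly synthetic values before the sample lands in public documentation.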
Expand Down Expand Up @@ -505,6 +566,7 @@ The following table lists the fields that are extracted, normalized under the EC
|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
|`event.module` | `keyword` | Name of the module this data is coming from. |
|`event.reason` | `keyword` | Reason why this event happened, according to the source |
|`host.ip` | `ip` | Host ip addresses. |
|`http.request.method` | `keyword` | HTTP request method. |
|`http.request.referrer` | `keyword` | Referrer for this HTTP request. |
|`http.response.status_code` | `long` | HTTP response status code. |