diff --git a/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md b/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md
index c2b49c27c2..505427eb85 100644
--- a/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md
+++ b/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md
@@ -145,6 +145,12 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"action": {
"target": "network-traffic"
},
+ "cisco": {
+ "ac": {
+ "rule_action": "Allow"
+ },
+ "device_id": "b2433c5c-a6a1-11eb-a6e7-be0b9833091f"
+ },
"destination": {
"address": "172.16.20.10",
"bytes": 0,
@@ -205,6 +211,12 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"action": {
"target": "network-traffic"
},
+ "cisco": {
+ "ac": {
+ "rule_action": "
Block with reset"
+ },
+ "device_id": "e8566508-eaa9-11e5-860f-de3e305d8269"
+ },
"destination": {
"address": "10.1.9.9",
"bytes": 0,
@@ -1943,6 +1955,12 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"action": {
"target": "network-traffic"
},
+ "cisco": {
+ "ac": {
+ "rule_action": "Allow"
+ },
+ "device_id": "1662dc94-665c-4e50-97df-1c5b281556aa"
+ },
"destination": {
"address": "5.6.7.8",
"bytes": 66,
@@ -2004,6 +2022,10 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"target": "network-traffic"
},
"cisco": {
+ "ac": {
+ "rule_action": "Allow"
+ },
+ "device_id": "1662dc94-665c-4e50-97df-1c5b281556aa",
"dns": {
"record_type": "a host address",
"ttl": "150"
@@ -2089,6 +2111,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"action": {
"target": "network-traffic"
},
+ "cisco": {
+ "ac": {
+ "rule_action": "Allow"
+ },
+ "device_id": "1662dc94-665c-4e50-97df-1c5b281556aa",
+ "url_category": "Computer Security",
+ "web_application": "Trend Micro"
+ },
"destination": {
"address": "5.6.7.8",
"bytes": 5018,
@@ -2144,6 +2174,101 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```
+=== "test_FTD_430003_3.json"
+
+ ```json
+
+ {
+ "message": "%FTD-1-430003: EventPriority: Low, DeviceUUID: deyyyyy-844d-11e7-b104-8d1450667052, InstanceID: 1, FirstPacketSecond: 2023-08-23T12:59:00Z, ConnectionID: 55087, AccessControlRuleAction: Allow, SrcIP: 10.55.21.168, DstIP: 142.55.179.67, SrcPort: 77777, DstPort: 80, Protocol: tcp, IngressInterface: LAN, EgressInterface: WAN, IngressZone: LAN, EgressZone: OUT, IngressVRF: Global, EgressVRF: Global, ACPolicy: ACPolicy, AccessControlRuleName: SORTIE_INTERNET_ALL, Prefilter Policy: LALALAND L3-L4 Policy, User: Not Found, UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.32 Safari/537.36, Client: Chrome, ClientVersion: 60.0.3112.32, ApplicationProtocol: HTTP, WebApplication: Google, ConnectionDuration: 0, InitiatorPackets: 5, ResponderPackets: 5, InitiatorBytes: 565, ResponderBytes: 484, NAPPolicy: Balanced Security and Connectivity, ReferencedHost: connectivitycheck.gstatic.com, URLCategory: Infrastructure and Content Delivery Networks, URLReputation: Favorable, URL: http://connectivitycheck.gstatic.com/generate_204, NAT_InitiatorPort: 77777, NAT_ResponderPort: 80, NAT_InitiatorIP: 194.55.57.195, NAT_ResponderIP: 142.55.179.67",
+ "event": {
+ "action": "connection-finished",
+ "category": [
+ "network"
+ ],
+ "code": "430003",
+ "kind": "event",
+ "type": [
+ "connection",
+ "end"
+ ]
+ },
+ "action": {
+ "target": "network-traffic"
+ },
+ "cisco": {
+ "ac": {
+ "rule_action": "Allow"
+ },
+ "device_id": "deyyyyy-844d-11e7-b104-8d1450667052",
+ "url_category": "Infrastructure and Content Delivery Networks",
+ "web_application": "Google"
+ },
+ "destination": {
+ "address": "142.55.179.67",
+ "bytes": 484,
+ "ip": "142.55.179.67",
+ "packets": 5,
+ "port": 80
+ },
+ "log": {
+ "level": "Low"
+ },
+ "network": {
+ "protocol": "HTTP",
+ "transport": "tcp"
+ },
+ "observer": {
+ "product": "Firepower Threat Defense",
+ "vendor": "Cisco"
+ },
+ "related": {
+ "ip": [
+ "10.55.21.168",
+ "142.55.179.67"
+ ],
+ "user": [
+ "Not Found"
+ ]
+ },
+ "rule": {
+ "name": "SORTIE_INTERNET_ALL",
+ "ruleset": "ACPolicy"
+ },
+ "source": {
+ "address": "10.55.21.168",
+ "bytes": 565,
+ "ip": "10.55.21.168",
+ "packets": 5,
+ "port": 77777
+ },
+ "url": {
+ "domain": "connectivitycheck.gstatic.com",
+ "original": "http://connectivitycheck.gstatic.com/generate_204",
+ "path": "/generate_204",
+ "port": 80,
+ "registered_domain": "gstatic.com",
+ "scheme": "http",
+ "subdomain": "connectivitycheck",
+ "top_level_domain": "com"
+ },
+ "user": {
+ "name": "Not Found"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "Other",
+ "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML",
+ "os": {
+ "name": "Linux"
+ }
+ }
+ }
+
+ ```
+
+
=== "test_group_1.json"
```json
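Review bot: `user_agent.original` in test_FTD_430003_3.json stops at `AppleWebKit/537.36 (KHTML`, while the raw message carries the full string through `Safari/537.36`. The value appears to be cut at the first comma, which is also the field separator of the FTD message. As a result `user_agent.name` and `user_agent.device.name` come out as `Other` although the same message says `Client: Chrome`, so user-agent based hunting on this intake is unreliable. The extraction should bound the `UserAgent` value by the next known key (`, Client:`) rather than by the next comma; this file is generated, so the change presumably belongs in the intake's parser, which is not shown here. In the same sample `User: Not Found` is copied into `user.name` and `related.user`; consider dropping that placeholder so it is not correlated as an account name.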
@@ -2154,7 +2279,8 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"category": [
"network"
],
- "kind": "event"
+ "kind": "event",
+ "reason": "AnyConnect session lost connection. Waiting to resume."
},
"action": {
"name": "anyconnect session lost connection",
@@ -2184,6 +2310,132 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```
+=== "test_group_10.json"
+
+ ```json
+
+ {
+ "message": "Task ran for 100 msec, Process = aaa_shim_thread, PC = abb111cc, Call stack = 0x000000aaab89d6a0 0x000000aaab88cdec 0x000000aaab88cd68",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "kind": "event",
+ "reason": "Task ran for 100 msec"
+ },
+ "action": {
+ "target": "network-traffic"
+ },
+ "cisco": {
+ "ftd": {
+ "event": {
+ "duration": "100"
+ }
+ },
+ "process": {
+ "call_stack": "0x000000aaab89d6a0 0x000000aaab88cdec 0x000000aaab88cd68",
+ "instruction_pointer": "abb111cc"
+ }
+ },
+ "observer": {
+ "vendor": "Cisco"
+ },
+ "process": {
+ "name": "aaa_shim_thread"
+ }
+ }
+
+ ```
+
+
+=== "test_group_1_2.json"
+
+ ```json
+
+ {
+ "message": "Group User IP <4.3.2.1> IPv4 Address <1.2.3.4> IPv6 address <::> assigned to session",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "kind": "event",
+ "reason": "IPv4 Address <1.2.3.4> IPv6 address <::> assigned to session"
+ },
+ "action": {
+ "target": "network-traffic"
+ },
+ "observer": {
+ "vendor": "Cisco"
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4",
+ "4.3.2.1"
+ ],
+ "user": [
+ "MyUser"
+ ]
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4",
+ "nat": {
+ "ip": "4.3.2.1"
+ }
+ },
+ "user": {
+ "domain": "MyGroup",
+ "name": "MyUser"
+ }
+ }
+
+ ```
+
+
+=== "test_group_1_3.json"
+
+ ```json
+
+ {
+ "message": "Group User IP <4.3.2.1> IPv4 Address <> IPv6 address <3deb:3c5e:59d0:53ad:1115:d3d7:58da:47d6> assigned to session",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "kind": "event",
+ "reason": "IPv4 Address <> IPv6 address <3deb:3c5e:59d0:53ad:1115:d3d7:58da:47d6> assigned to session"
+ },
+ "action": {
+ "target": "network-traffic"
+ },
+ "observer": {
+ "vendor": "Cisco"
+ },
+ "related": {
+ "ip": [
+ "3deb:3c5e:59d0:53ad:1115:d3d7:58da:47d6",
+ "4.3.2.1"
+ ],
+ "user": [
+ "MyUser"
+ ]
+ },
+ "source": {
+ "address": "3deb:3c5e:59d0:53ad:1115:d3d7:58da:47d6",
+ "ip": "3deb:3c5e:59d0:53ad:1115:d3d7:58da:47d6",
+ "nat": {
+ "ip": "4.3.2.1"
+ }
+ },
+ "user": {
+ "domain": "MyGroup",
+ "name": "MyUser"
+ }
+ }
+
+ ```
+
+
=== "test_group_2.json"
```json
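Review bot: In test_group_1_2.json and test_group_1_3.json `source.ip` holds the address assigned to the session and the address from `IP <4.3.2.1>` moves to `source.nat.ip`, whereas other AnyConnect samples added by this diff (test_group_6_2.json, test_group_7.json) put the `IP <…>` address in `source.ip`. The same field therefore carries the remote peer in some events and the tunnel-assigned address in others, which makes joins on `source.ip` across one VPN session ambiguous. It would help to document which address each field carries for this event, or to keep the `IP <…>` value in `source.ip` consistently and map the assigned address to a dedicated field.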
@@ -2224,6 +2476,48 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```
+=== "test_group_2_2.json"
+
+ ```json
+
+ {
+ "message": "Group User IP <1.2.3.4> Client Type: Cisco AnyConnect VPN Agent for Windows 4.10.07061",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "kind": "event"
+ },
+ "action": {
+ "target": "network-traffic"
+ },
+ "cisco": {
+ "client_type": "Cisco AnyConnect VPN Agent for Windows 4.10.07061"
+ },
+ "observer": {
+ "vendor": "Cisco"
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4"
+ ],
+ "user": [
+ "MyUsser"
+ ]
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4"
+ },
+ "user": {
+ "domain": "MyGroup",
+ "name": "MyUsser"
+ }
+ }
+
+ ```
+
+
=== "test_group_3.json"
```json
@@ -2274,7 +2568,8 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"category": [
"network"
],
- "kind": "event"
+ "kind": "event",
+ "reason": "Task ran for 109 msec"
},
"action": {
"target": "network-traffic"
@@ -2284,13 +2579,17 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"event": {
"duration": "109"
}
+ },
+ "process": {
+ "call_stack": "0x000000aaabb34820 0x000000aaabb2429c 0x000000aaabb24218",
+ "instruction_pointer": "ade9333c"
}
},
- "host": {
- "name": "ade9333c"
- },
"observer": {
"vendor": "Cisco"
+ },
+ "process": {
+ "name": "aaa_shim_thread"
}
}
@@ -2307,7 +2606,8 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"category": [
"network"
],
- "kind": "event"
+ "kind": "event",
+ "reason": "No IPv6 address available for SVC connection"
},
"action": {
"target": "network-traffic"
@@ -2323,6 +2623,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"JD34242243"
]
},
+ "rule": {
+ "name": "MYGROUP"
+ },
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
@@ -2336,6 +2639,135 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```
+=== "test_group_6_2.json"
+
+ ```json
+
+ {
+ "message": "Group User IP <1.2.3.4> AnyConnect session lost connection. Waiting to resume.",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "kind": "event",
+ "reason": "AnyConnect session lost connection. Waiting to resume."
+ },
+ "action": {
+ "name": "anyconnect session lost connection",
+ "target": "network-traffic"
+ },
+ "observer": {
+ "vendor": "Cisco"
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4"
+ ],
+ "user": [
+ "MyUser"
+ ]
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4"
+ },
+ "user": {
+ "domain": "AnyConnect-EXAMPLE",
+ "name": "MyUser"
+ }
+ }
+
+ ```
+
+
+=== "test_group_7.json"
+
+ ```json
+
+ {
+ "message": "TunnelGroup GroupPolicy User IP <4.3.2.1> No IPv6 address available for SVC connection",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "kind": "event",
+ "reason": "No IPv6 address available for SVC connection"
+ },
+ "action": {
+ "target": "network-traffic"
+ },
+ "observer": {
+ "vendor": "Cisco"
+ },
+ "related": {
+ "ip": [
+ "4.3.2.1"
+ ],
+ "user": [
+ "MyUser"
+ ]
+ },
+ "rule": {
+ "name": "MyGroup"
+ },
+ "source": {
+ "address": "4.3.2.1",
+ "ip": "4.3.2.1"
+ },
+ "user": {
+ "domain": "AnyConnect-EX",
+ "name": "MyUser"
+ }
+ }
+
+ ```
+
+
+=== "test_group_9.json"
+
+ ```json
+
+ {
+ "message": "Tunnel group search using certificate maps failed for peer certificate: serial number: 111111111111111111111111, subject name: UID=U11111111,CN=JOHN DOE,OU=Unit,O=URAAA,C=US, issuer_name: CN=Admin,OU=Unit,O=Example,C=US.",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "kind": "event",
+ "reason": "Tunnel group search using certificate maps failed for peer certificate"
+ },
+ "action": {
+ "target": "network-traffic"
+ },
+ "observer": {
+ "vendor": "Cisco"
+ },
+ "related": {
+ "user": [
+ "JOHN DOE"
+ ]
+ },
+ "tls": {
+ "client": {
+ "x509": {
+ "issuer": {
+ "distinguished_name": "CN=Admin,OU=Unit,O=Example,C=US"
+ },
+ "serial_number": "111111111111111111111111",
+ "subject": {
+ "distinguished_name": "UID=U11111111,CN=JOHN DOE,OU=Unit,O=URAAA,C=US"
+ }
+ }
+ }
+ },
+ "user": {
+ "name": "JOHN DOE"
+ }
+ }
+
+ ```
+
+
@@ -2347,6 +2779,9 @@ The following table lists the fields that are extracted, normalized under the EC
| ---- | ---- | ---------------------------|
|`@timestamp` | `date` | Date/time when the event originated. |
|`action.target` | `keyword` | The target of the action. This field is mandatory for STIX2 compliance |
+|`cisco.ac.rule_action` | `keyword` | Access controle rule action |
+|`cisco.client_type` | `keyword` | Client type |
+|`cisco.device_id` | `keyword` | Device ID |
|`cisco.dns.record_type` | `keyword` | Cisco record type returned for the DNS query |
|`cisco.dns.ttl` | `keyword` | Cisco ttl returned for the DNS query |
|`cisco.ftd.event.duration` | `keyword` | Cisco FTD event duration |
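Review bot: The description added for `cisco.ac.rule_action` is misspelled: `Access controle rule action` should read `Access control rule action`. The neighbouring new rows (`Client type`, `Device ID`) only restate the field name. A few words on where each value comes from, such as the `AccessControlRuleAction` and `DeviceUUID` keys visible in the FTD sample message, would make the table more useful to people writing rules against these fields.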
@@ -2355,7 +2790,11 @@ The following table lists the fields that are extracted, normalized under the EC
|`cisco.ftd.icmp_code` | `keyword` | The ICMP code used by the session responder. |
|`cisco.ftd.icmp_type` | `keyword` | The ICMP type used by the session initiator. |
|`cisco.ftd.sha_disposition` | `keyword` | Sha disposition |
-|`cisco.ftd.spero_disposition` | `keyword` | The descriptive name for the filelog spero status. |
+|`cisco.ftd.spero_disposition` | `keyword` | The descriptive name for the filelog spero status. |
+|`cisco.process.call_stack` | `keyword` | Stack trace of the CPU hogging process |
+|`cisco.process.instruction_pointer` | `keyword` | Instruction pointer of the CPU hogging process |
+|`cisco.url_category` | `keyword` | URL category |
+|`cisco.web_application` | `keyword` | Web application |
|`destination.bytes` | `long` | Bytes sent from the destination to the source. |
|`destination.domain` | `keyword` | The domain name of the destination. |
|`destination.ip` | `ip` | IP address of the destination. |
@@ -2405,6 +2844,9 @@ The following table lists the fields that are extracted, normalized under the EC
|`source.packets` | `long` | Packets sent from the source to the destination. |
|`source.port` | `long` | Port of the source. |
|`threat.software.name` | `keyword` | Name of the software. |
+|`tls.client.x509.issuer.distinguished_name` | `keyword` | Distinguished name (DN) of issuing certificate authority. |
+|`tls.client.x509.serial_number` | `keyword` | Unique serial number issued by the certificate authority. |
+|`tls.client.x509.subject.distinguished_name` | `keyword` | Distinguished name (DN) of the certificate subject entity. |
|`url.original` | `wildcard` | Unmodified original url as seen in the event source. |
|`url.path` | `wildcard` | Path of the request, such as "/search". |
|`url.scheme` | `keyword` | Scheme of the url. |
diff --git a/_shared_content/operations_center/integrations/generated/6dbdd199-77ae-4705-a5de-5c2722fa020e.md b/_shared_content/operations_center/integrations/generated/6dbdd199-77ae-4705-a5de-5c2722fa020e.md
index 4b2883cda0..ef170cc856 100644
--- a/_shared_content/operations_center/integrations/generated/6dbdd199-77ae-4705-a5de-5c2722fa020e.md
+++ b/_shared_content/operations_center/integrations/generated/6dbdd199-77ae-4705-a5de-5c2722fa020e.md
@@ -180,7 +180,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"provider": "Bot Mitigation",
"type": [
"indicator"
- ]
+ ],
+ "action": "block",
+ "severity": 5
+ },
+ "observer": {
+ "name": "waf01.example.org",
+ "product": "Ubika WAAP",
+ "vendor": "Ubika"
},
"@timestamp": "2023-06-29T04:19:05.678000Z",
"destination": {
@@ -196,11 +203,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"method": "GET"
}
},
- "observer": {
- "name": "waf01.example.org",
- "product": "Ubika WAAP",
- "vendor": "Ubika"
- },
"related": {
"hosts": [
"monespacetest.com"
@@ -230,6 +232,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"workflow": {
"name": "Workflow - NEC PROD v10 - with Bot Migitation and Rate Limiter",
"uuid": "f00058d7c75c34e123456789987654"
+ },
+ "tokens": {
+ "risk": {
+ "level": "27"
+ }
}
}
},
@@ -274,7 +281,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"provider": "Bot Mitigation",
"type": [
"indicator"
- ]
+ ],
+ "action": "block",
+ "severity": 5
+ },
+ "observer": {
+ "name": "waf01.example.org",
+ "product": "Ubika WAAP",
+ "vendor": "Ubika"
},
"@timestamp": "2019-10-04T08:03:19.762000Z",
"destination": {
@@ -290,11 +304,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"method": "GET"
}
},
- "observer": {
- "name": "waf01.example.org",
- "product": "Ubika WAAP",
- "vendor": "Ubika"
- },
"related": {
"hosts": [
"example.org"
@@ -325,6 +334,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"workflow": {
"name": "WF - Bot Mitigation",
"uuid": "8c73e669cea1a99016ccacb21eccfa69"
+ },
+ "tokens": {
+ "risk": {
+ "level": "27"
+ }
}
}
},
@@ -368,7 +382,13 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"provider": "ICX Engine",
"type": [
"indicator"
- ]
+ ],
+ "action": "block",
+ "severity": 5
+ },
+ "observer": {
+ "product": "Ubika WAAP",
+ "vendor": "Ubika"
},
"@timestamp": "2018-05-25T09:43:30.891000Z",
"destination": {
@@ -384,10 +404,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"method": "GET"
}
},
- "observer": {
- "product": "Ubika WAAP",
- "vendor": "Ubika"
- },
"related": {
"hosts": [
"example.org"
@@ -420,6 +436,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"workflow": {
"name": "WF - All logs",
"uuid": "x256f94d50d6d66f9732e0ab8532d154"
+ },
+ "tokens": {
+ "risk": {
+ "level": "80"
+ }
}
}
},
@@ -464,7 +485,13 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"provider": "ICX Engine",
"type": [
"indicator"
- ]
+ ],
+ "action": "block",
+ "severity": 5
+ },
+ "observer": {
+ "product": "Ubika WAAP",
+ "vendor": "Ubika"
},
"@timestamp": "2018-05-25T09:43:30.891000Z",
"destination": {
@@ -480,10 +507,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"method": "GET"
}
},
- "observer": {
- "product": "Ubika WAAP",
- "vendor": "Ubika"
- },
"related": {
"hosts": [
"example.org"
@@ -516,6 +539,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"workflow": {
"name": "WF - All logs",
"uuid": "x256f94d50d6d66f9732e0ab8532d154"
+ },
+ "tokens": {
+ "risk": {
+ "level": "80"
+ }
}
}
},
@@ -559,7 +587,13 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"module": "ubika.waf",
"type": [
"indicator"
- ]
+ ],
+ "action": "block"
+ },
+ "observer": {
+ "vendor": "Ubika",
+ "name": "waf01.example.org",
+ "product": "Ubika WAAP"
},
"@timestamp": "2019-10-04T08:58:21.178000Z",
"host": {
@@ -571,11 +605,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"referrer": "http://example.org/auth/login"
}
},
- "observer": {
- "name": "waf01.example.org",
- "product": "Ubika WAAP",
- "vendor": "Ubika"
- },
"related": {
"hosts": [
"example.org"
@@ -635,11 +664,13 @@ The following table lists the fields that are extracted, normalized under the EC
|`@timestamp` | `date` | Date/time when the event originated. |
|`destination.ip` | `ip` | IP address of the destination. |
|`destination.port` | `long` | Port of the destination. |
+|`event.action` | `keyword` | The action captured by the event. |
|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
|`event.dataset` | `keyword` | Name of the dataset. |
|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
|`event.module` | `keyword` | Name of the module this data is coming from. |
|`event.provider` | `keyword` | Source of the event. |
+|`event.severity` | `long` | Numeric severity of the event. |
|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
|`host.name` | `keyword` | Name of the host. |
|`http.request.method` | `keyword` | HTTP request method. |
@@ -654,6 +685,7 @@ The following table lists the fields that are extracted, normalized under the EC
|`rule.name` | `keyword` | Rule name |
|`source.ip` | `ip` | IP address of the source. |
|`threat.indicator.type` | `keyword` | Type of indicator |
+|`ubika.waap.tokens.risk.level` | `keyword` | Risk score |
|`ubika.waap.tunnel.name` | `keyword` | Tunnel name |
|`ubika.waap.tunnel.uuid` | `keyword` | Tunnel UID |
|`ubika.waap.workflow.name` | `keyword` | Workflow name |
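Review bot: `ubika.waap.tokens.risk.level` is declared as `keyword`, and the samples in this file carry it as the strings `"27"` and `"80"`, so a threshold such as "risk level of 80 or more" cannot be written as a range query and the values sort lexically. If the source always emits a number, a numeric type (`long`, like the `event.severity` row added in this same table) would make the score usable in detection rules. If it can be non-numeric, the description should say so. The description `Risk score` could also state the scale of the value.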