From 2cb11ca40e741905771ab6f18eb9f7cb0a3a0515 Mon Sep 17 00:00:00 2001 From: "sekoia-io-cross-repo-comm-app[bot]" <99295792+sekoia-io-cross-repo-comm-app[bot]@users.noreply.github.com> Date: Thu, 4 Jul 2024 13:45:13 +0000 Subject: [PATCH] Refresh intakes documentation --- .../23813540-b658-48dd-b030-e9b92168bbf4.md | 48 +-- .../3c7057d3-4689-4fae-8033-6f1f887a70f2.md | 21 + .../40deb162-6bb1-4635-9c99-5c2de7e1d340.md | 126 ++++++ .../5702ae4e-7d8a-455f-a47b-ef64dd87c981.md | 27 ++ .../57eda191-2f93-4fd9-99a2-fd8ffbcdff50.md | 359 ++++++++++++++++++ .../60af2bd6-7ef0-48a7-a6db-90fcdd7236f1.md | 146 ++++++- .../90179796-f949-490c-8729-8cbc9c65be55.md | 16 +- .../9281438c-f7c3-4001-9bcc-45fd108ba1be.md | 29 +- .../caa13404-9243-493b-943e-9848cadb1f99.md | 291 +++++++++++++- .../d382947e-4493-4e0b-90f1-870fe6e6ef1e.md | 291 ++++++++++++++ .../d719e8b5-85a1-4dad-bf71-46155af56570.md | 51 +++ 11 files changed, 1366 insertions(+), 39 deletions(-) create mode 100644 _shared_content/operations_center/integrations/generated/57eda191-2f93-4fd9-99a2-fd8ffbcdff50.md create mode 100644 _shared_content/operations_center/integrations/generated/d382947e-4493-4e0b-90f1-870fe6e6ef1e.md diff --git a/_shared_content/operations_center/integrations/generated/23813540-b658-48dd-b030-e9b92168bbf4.md b/_shared_content/operations_center/integrations/generated/23813540-b658-48dd-b030-e9b92168bbf4.md index 25a5724f39..e47cf197ae 100644 --- a/_shared_content/operations_center/integrations/generated/23813540-b658-48dd-b030-e9b92168bbf4.md +++ b/_shared_content/operations_center/integrations/generated/23813540-b658-48dd-b030-e9b92168bbf4.md @@ -28,10 +28,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"time\":\"2024-05-13T13:02:17.862473900Z\",\"message\":\"File opened\",\"level\":\"INFO\",\"env_id\":\"df643ab3-64ab-4347-b50f-0e07d28c46fb\",\"parad_version\":\"0.7.0\",\"os\":\"Windows 10 Pro\",\"machine_name\":\"DESKTOP-88BEQS0\",\"executable\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"pid\":1632,\"hash\":\"53eb83666795ebe099558a0572423cbbc5a72d3ea863cb22617ca35560751a03\",\"ppid\":0,\"signed\":true,\"executable_basename\":\"svchost.exe\",\"executable_category\":\"System\",\"created_length\":0,\"fullpath\":\"C:\\\\Users\\\\PC\\\\AppData\\\\Local\\\\Temp\",\"basename\":\"Temp\",\"fullpath_category\":\"AppData\"}", - "@timestamp": "2024-05-13T13:02:17.862473Z", "event": { "action": "File opened" }, + "@timestamp": "2024-05-13T13:02:17.862473Z", "agent": { "id": "df643ab3-64ab-4347-b50f-0e07d28c46fb", "version": "0.7.0" @@ -43,6 +43,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "file": { + "name": "Temp", + "path": "C:\\Users\\PC\\AppData\\Local\\Temp" + }, "host": { "hostname": "DESKTOP-88BEQS0", "name": "DESKTOP-88BEQS0", @@ -50,11 +54,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "type": "Windows 10 Pro" } }, - "related": { - "hosts": [ - "DESKTOP-88BEQS0" - ] - }, "observer": { "product": "Parad", "type": "dlp-solution", @@ -64,16 +63,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code_signature": { "exists": true }, - "pid": 1632, - "name": "svchost.exe", "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", "parent": { "pid": 0 - } + }, + "pid": 1632 }, - "file": { - "name": "Temp", - "path": "C:\\Users\\PC\\AppData\\Local\\Temp" + "related": { + "hosts": [ + "DESKTOP-88BEQS0" + ] } } @@ -86,10 +86,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"time\":\"2024-03-07T15:56:49Z\",\"message\":\"A process had a malicious behaviour and was killed.\",\"level\":\"INFO\",\"env_id\":\"7ba0a633-f8a3-410b-ba6f-5974705ced3a\",\"parad_version\":\"0.6.1\",\"os\":\"Windows 10 Pro\",\"machine_name\":\"bloquant\",\"executable\":\"C:\\\\Users\\\\Testeur\\\\Desktop\\\\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe\",\"pid\":6148,\"hash\":\"e6f84e5080f3cdbf69f92f703d59f8b6e0f5e64f8a87f5b4a108cf913219b37c\",\"ppid\":0,\"signed\":false,\"executable_basename\":\"c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe\",\"executable_category\":\"User\",\"offset\":262144,\"written_length\":131072,\"fullpath\":\"C:\\\\Users\\\\Testeur\\\\Desktop\\\\mom_files\\\\armorials\\\\1T9dlo1.ddbPFTiN9\",\"basename\":\"1T9dlo1.ddbPFTiN9\",\"fullpath_category\":\"User\"}", - "@timestamp": "2024-03-07T15:56:49Z", "event": { "action": "A process had a malicious behaviour and was killed." }, + "@timestamp": "2024-03-07T15:56:49Z", "agent": { "id": "7ba0a633-f8a3-410b-ba6f-5974705ced3a", "version": "0.6.1" @@ -101,6 +101,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "file": { + "name": "1T9dlo1.ddbPFTiN9", + "path": "C:\\Users\\Testeur\\Desktop\\mom_files\\armorials\\1T9dlo1.ddbPFTiN9" + }, "host": { "hostname": "bloquant", "name": "bloquant", @@ -108,11 +112,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "type": "Windows 10 Pro" } }, - "related": { - "hosts": [ - "bloquant" - ] - }, "observer": { "product": "Parad", "type": "dlp-solution", @@ -122,16 +121,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code_signature": { "exists": false }, - "pid": 6148, - "name": "c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe", "executable": "C:\\Users\\Testeur\\Desktop\\c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe", + "name": "c690148b6baec765c65fe91ea9f282d6a411ae90c08d74d600515b3e075e21b2.exe", "parent": { "pid": 0 - } + }, + "pid": 6148 }, - "file": { - "name": "1T9dlo1.ddbPFTiN9", - "path": "C:\\Users\\Testeur\\Desktop\\mom_files\\armorials\\1T9dlo1.ddbPFTiN9" + "related": { + "hosts": [ + "bloquant" + ] } } diff --git a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md index 3cffd17068..7c89e1c276 100644 --- a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md +++ b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md @@ -1847,6 +1847,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "related": { "hosts": [ "sfreort" + ], + "ip": [ + "1.2.3.4" ] }, "sekoiaio": { @@ -1871,6 +1874,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "server": { "domain": "EXAMPLE" }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, "user": { "id": "S-1-0-0", "roles": "Group1,Group2", @@ -2002,6 +2009,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "related": { "hosts": [ "REDACTED" + ], + "ip": [ + "166.88.151.58" ] }, "sekoiaio": { @@ -2026,6 +2036,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "server": { "domain": "WORKGROUP" }, + "source": { + "address": "166.88.151.58", + "ip": "166.88.151.58" + }, "user": { "id": "S-1-0-0", "target": { @@ -2179,10 +2193,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "hosts": [ "REDACTED" ], + "ip": [ + "10.84.128.186" + ], "user": [ "ANONYMOUS LOGON" ] }, + "source": { + "address": "10.84.128.186", + "ip": "10.84.128.186" + }, "user": { "domain": "AUTORITE NT", "name": "ANONYMOUS LOGON" diff --git a/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md b/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md index a870810865..a38881880e 100644 --- a/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md +++ b/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md @@ -339,6 +339,132 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "dns_macos.json" + + ```json + + { + "message": "{\n \"src.process.image.path\": \"/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/123.0.6312.123/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper\",\n \"src.process.subsystem\": \"SUBSYSTEM_UNKNOWN\",\n \"src.process.parent.isStorylineRoot\": true,\n \"event.category\": \"dns\",\n \"src.process.parent.integrityLevel\": \"INTEGRITY_LEVEL_UNKNOWN\",\n \"src.process.parent.image.sha1\": \"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc\",\n \"src.process.parent.storyline.id\": \"0A62D926-DFE7-4968-AA28-F0024BAC804D\",\n \"src.process.isRedirectCmdProcessor\": false,\n \"src.process.parent.publisher\": \"\",\n \"src.process.parent.startTime\": 1713167784335,\n \"endpoint.type\": \"laptop\",\n \"endpoint.os\": \"osx\",\n \"src.process.integrityLevel\": \"INTEGRITY_LEVEL_UNKNOWN\",\n \"src.process.parent.displayName\": \"Google Chrome\",\n \"src.process.name\": \"Google Chrome Helper\",\n \"src.process.startTime\": 1713167795818,\n \"agent.uuid\": \"75084C59-0F8A-479D-A9C4-2232C37D9D51\",\n \"event.dns.response\": \"type: 5 edge-web-gew4.dual-gslb.spotify.com;2600:1901:1:4be::;\",\n \"src.process.image.sha256\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\n \"src.process.user\": \"jdoe\",\n \"timestamp\": \"2024-06-26T08:44:30.000Z\",\n \"src.process.displayName\": \"Google Chrome Helper\",\n \"endpoint.name\": \"MXY2XC6J7VJ\",\n \"src.process.image.sha1\": \"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc\",\n \"event.dns.request\": \"type: 28 gew4-spclient.spotify.com\",\n \"src.process.isStorylineRoot\": false,\n \"src.process.parent.image.path\": \"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome\",\n \"src.process.isNative64Bit\": false,\n \"src.process.parent.sessionId\": 0,\n \"src.process.uid\": \"CF37475F-BCA9-4F89-8A31-7B6C88CC6F1E\",\n \"src.process.parent.image.md5\": \"68b329da9893e34099c7d8ad5cb9c940\",\n \"src.process.parent.user\": \"psinha\",\n \"src.process.pid\": 1063,\n \"src.process.parent.name\": \"Google Chrome\",\n \"src.process.cmdline\": \"/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/123.0.6312.123/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=network --shared-files --field-trial-handle=1718379636,r,10310964397040083203,6939088771020272477,262144 --variations-seed-version=20240412-130119.249000 --seatbelt-client=25\",\n \"src.process.publisher\": \"\",\n \"src.process.parent.isNative64Bit\": false,\n \"src.process.parent.isRedirectCmdProcessor\": false,\n \"src.process.image.md5\": \"68b329da9893e34099c7d8ad5cb9c940\",\n \"src.process.storyline.id\": \"0A62D926-DFE7-4968-AA28-F0024BAC804D\",\n \"event.type\": \"DNS Resolved\",\n \"agent.version\": \"24.1.2.7444\",\n \"src.process.signedStatus\": \"signed\",\n \"src.process.parent.image.sha256\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\n \"src.process.parent.cmdline\": \"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome\",\n \"src.process.sessionId\": 0,\n \"src.process.parent.pid\": 790\n}\n", + "event": { + "action": "DNS Resolved", + "category": [ + "network" + ], + "dataset": "cloud-funnel-2.0", + "type": [ + "info" + ] + }, + "@timestamp": "2024-06-26T08:44:30Z", + "agent": { + "version": "24.1.2.7444" + }, + "deepvisibility": { + "agent": { + "uuid": "75084C59-0F8A-479D-A9C4-2232C37D9D51" + }, + "event": { + "category": "dns", + "type": "DNS Resolved" + }, + "process": { + "parent": { + "storyline_id": "0A62D926-DFE7-4968-AA28-F0024BAC804D" + }, + "storyline_id": "0A62D926-DFE7-4968-AA28-F0024BAC804D" + } + }, + "dns": { + "answers": [ + { + "name": "edge-web-gew4.dual-gslb.spotify.com", + "type": "CNAME" + }, + { + "name": "2600:1901:1:4be::", + "type": "AAAA" + } + ], + "question": { + "name": "gew4-spclient.spotify.com", + "registered_domain": "spotify.com", + "subdomain": "gew4-spclient", + "top_level_domain": "com" + }, + "type": "answer" + }, + "host": { + "name": "MXY2XC6J7VJ", + "os": { + "family": "osx" + }, + "type": "laptop" + }, + "observer": { + "vendor": "SentinelOne" + }, + "process": { + "code_signature": { + "exists": true, + "subject_name": "" + }, + "command_line": "/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/123.0.6312.123/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=network --shared-files --field-trial-handle=1718379636,r,10310964397040083203,6939088771020272477,262144 --variations-seed-version=20240412-130119.249000 --seatbelt-client=25", + "executable": "/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/123.0.6312.123/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper", + "hash": { + "md5": "68b329da9893e34099c7d8ad5cb9c940", + "sha1": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc", + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + }, + "name": "Google Chrome Helper", + "parent": { + "code_signature": { + "exists": false + }, + "command_line": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome", + "executable": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome", + "hash": { + "md5": "68b329da9893e34099c7d8ad5cb9c940", + "sha1": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc", + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + }, + "name": "Google Chrome", + "pid": 790, + "start": "2024-04-15T07:56:24.335000Z", + "title": "Google Chrome", + "user": { + "name": "psinha" + }, + "working_directory": "/Applications/Google Chrome.app/Contents/MacOS" + }, + "pid": 1063, + "start": "2024-04-15T07:56:35.818000Z", + "title": "Google Chrome Helper", + "user": { + "name": "jdoe" + }, + "working_directory": "/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/123.0.6312.123/Helpers/Google Chrome Helper.app/Contents/MacOS" + }, + "related": { + "hash": [ + "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", + "68b329da9893e34099c7d8ad5cb9c940", + "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc" + ], + "hosts": [ + "gew4-spclient.spotify.com" + ], + "user": [ + "jdoe" + ] + }, + "user": { + "name": "jdoe" + } + } + + ``` + + === "driver_driverload.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md b/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md index 682ff94ef4..a019190c89 100644 --- a/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md +++ b/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md @@ -398,6 +398,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": { "name": "agt" } + }, + "user": { + "name": "agt" } } @@ -632,6 +635,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": { "name": "test" } + }, + "user": { + "name": "test" } } @@ -830,6 +836,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": { "name": "sip:sipp@127.0.0.1:5060" } + }, + "user": { + "name": "sip:sipp@127.0.0.1:5060" } } @@ -1550,6 +1559,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "url": { "original": "/success.txt", "path": "/success.txt" + }, + "user": { + "name": "alice" } } @@ -1645,6 +1657,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": { "name": "bob" } + }, + "user": { + "name": "bob" } } @@ -1722,6 +1737,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": { "name": "testpc1@qa.fortinet.com" } + }, + "user": { + "name": "testpc1@qa.fortinet.com" } } @@ -3488,6 +3506,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": { "name": "test" } + }, + "user": { + "name": "test" } } @@ -3690,6 +3711,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": { "name": "CN = foo.bar.baz.com" } + }, + "user": { + "name": "CN = foo.bar.baz.com" } } @@ -3754,6 +3778,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user": { "name": "CN = foo.bar.baz.com" } + }, + "user": { + "name": "CN = foo.bar.baz.com" } } diff --git a/_shared_content/operations_center/integrations/generated/57eda191-2f93-4fd9-99a2-fd8ffbcdff50.md b/_shared_content/operations_center/integrations/generated/57eda191-2f93-4fd9-99a2-fd8ffbcdff50.md new file mode 100644 index 0000000000..3e47b08fb6 --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/57eda191-2f93-4fd9-99a2-fd8ffbcdff50.md @@ -0,0 +1,359 @@ + +## Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Application logs` | None | +| `Process monitoring` | None | +| `Web logs` | None | + + + + + +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `` | +| Category | `vulnerability` | +| Type | `info` | + + + + +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "test_event_1.json" + + ```json + + { + "message": "{\"temporary_id\":\"11111111111111\",\"affects_rating\":true,\"details\":{\"cvss\":{\"base\":[]},\"check_pass\":\"\",\"diligence_annotations\":{\"modal_data\":{\"type\":\"overridden\",\"reason\":\"Software version in extended support\"},\"modal_tags\":{\"Type\":\"MS IIS\",\"Version\":\"7.5\"},\"server\":\"MS IIS\",\"version\":\"7.5\"},\"geo_ip_location\":\"test\",\"country\":\"test country\",\"grade\":\"BAD\",\"observed_ips\":[\"1.2.3.4\"],\"port_list\":[80,81,8443,8880],\"remediations\":[{\"message\":\"Software version in extended support\",\"help_text\":\"The software version is outside mainstream support and is currently in extended support.\",\"remediation_tip\":\"Ensure the latest version of the software is installed. See supported versions.\"}],\"sample_timestamp\":\"2024-06-29T21:02:18Z\",\"dest_port\":80,\"rollup_end_date\":\"2024-06-29\",\"rollup_start_date\":\"2023-10-04\",\"searchable_details\":\"Software version in extended support,MS IIS,7.5\"},\"evidence_key\":\"1.2.3.4\",\"first_seen\":\"2023-10-04\",\"last_seen\":\"2024-06-29\",\"related_findings\":[],\"risk_category\":\"Diligence\",\"risk_vector\":\"server_software\",\"risk_vector_label\":\"Server Software\",\"rolledup_observation_id\":\"11111111111\",\"severity\":8.0,\"severity_category\":\"material\",\"tags\":[],\"remediation_history\":{\"last_requested_refresh_date\":null,\"last_refresh_status_date\":null,\"last_refresh_status_label\":null,\"last_refresh_reason_code\":null},\"asset_overrides\":[],\"duration\":null,\"comments\":\"User from Test, Inc. said: \\\"Test assignments\\\" at 2023-11-28 12:27 UTC\",\"remaining_decay\":57,\"remediated\":null,\"impacts_risk_vector_details\":\"AFFECTS_RATING\",\"company_uuid\":\"111111111111111\",\"asset\":{\"asset\":\"1.2.3.4\",\"identifier\":null,\"category\":\"critical\",\"importance\":0.49,\"is_ip\":true,\"asset_type\":\"IP\"}}", + "event": { + "category": "vulnerability", + "end": "2024-06-29T00:00:00Z", + "start": "2023-10-04T00:00:00Z", + "type": "info" + }, + "@timestamp": "2024-06-29T00:00:00Z", + "bitsight": { + "spm": { + "impacts_risk_vector_details": "AFFECTS_RATING", + "risk_category": "Diligence", + "risk_vector": "server_software", + "risk_vector_label": "Server Software", + "severity": "8.0", + "severity_category": "material", + "temporary_id": "11111111111111" + } + }, + "host": { + "ip": [ + "1.2.3.4" + ] + }, + "observer": { + "product": "Security Performance Management", + "vendor": "BitSight" + }, + "organization": { + "id": "111111111111111" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + } + } + + ``` + + +=== "test_event_2.json" + + ```json + + { + "message": "{\n \"temporary_id\": \"11111111111111111\",\n \"affects_rating\": true,\n \"details\": {\n \"cvss\": {\n \"base\": [\n \n ]\n },\n \"check_pass\": \"\",\n \"diligence_annotations\": {\n \"message\": \"Detected service: HTTP\",\n \"CPE\": [\n \"a:amazon:amazon_cloudfront\"\n ],\n \"Tags\": [\n \n ],\n \"Product\": \"CloudFront httpd\",\n \"Title\": \"ERROR: The request could not be satisfied\",\n \"transport\": \"tcp\",\n \"Status\": \"HTTP/1.1 400 Bad Request\",\n \"Server\": \"CloudFront\"\n },\n \"final_location\": \"http://1.2.3.4:12/\",\n \"geo_ip_location\": \"Location\",\n \"country\": \"Country\",\n \"grade\": \"NEUTRAL\",\n \"remediations\": [\n {\n \"message\": \"Detected service: HTTP\",\n \"help_text\": \"This port was observed running HTTP, which used for sending and receiving Internet traffic.\",\n \"remediation_tip\": \"\"\n }\n ],\n \"sample_timestamp\": \"2024-06-29T08:37:25Z\",\n \"dest_port\": 443,\n \"rollup_end_date\": \"2024-06-29\",\n \"rollup_start_date\": \"2024-02-13\",\n \"searchable_details\": \"Detected service: HTTP,tcp,CloudFront httpd\"\n },\n \"evidence_key\": \"143.204.213.175:443\",\n \"first_seen\": \"2024-02-13\",\n \"last_seen\": \"2024-06-29\",\n \"related_findings\": [\n \n ],\n \"risk_category\": \"Diligence\",\n \"risk_vector\": \"open_ports\",\n \"risk_vector_label\": \"Open Ports\",\n \"rolledup_observation_id\": \"1222222222222\",\n \"severity\": 1.0,\n \"severity_category\": \"minor\",\n \"tags\": [\n \n ],\n \"remediation_history\": {\n \"last_requested_refresh_date\": null,\n \"last_refresh_status_date\": null,\n \"last_refresh_status_label\": null,\n \"last_refresh_reason_code\": null\n },\n \"asset_overrides\": [\n \n ],\n \"duration\": null,\n \"comments\": null,\n \"remaining_decay\": 57,\n \"remediated\": null,\n \"impacts_risk_vector_details\": \"AFFECTS_RATING\",\n \"company_uuid\": \"1111111111111111111111111111\",\n \"asset\": {\n \"asset\": \"1.2.3.4\",\n \"identifier\": null,\n \"category\": \"low\",\n \"importance\": 0.0,\n \"is_ip\": true,\n \"asset_type\": \"IP\"\n }\n}", + "event": { + "category": "vulnerability", + "end": "2024-06-29T00:00:00Z", + "start": "2024-02-13T00:00:00Z", + "type": "info" + }, + "@timestamp": "2024-06-29T00:00:00Z", + "bitsight": { + "spm": { + "impacts_risk_vector_details": "AFFECTS_RATING", + "risk_category": "Diligence", + "risk_vector": "open_ports", + "risk_vector_label": "Open Ports", + "severity": "1.0", + "severity_category": "minor", + "temporary_id": "11111111111111111" + } + }, + "host": { + "ip": [ + "1.2.3.4" + ] + }, + "observer": { + "product": "Security Performance Management", + "vendor": "BitSight" + }, + "organization": { + "id": "1111111111111111111111111111" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + } + } + + ``` + + +=== "test_event_3.json" + + ```json + + { + "message": "{\n \"temporary_id\": \"11111111111111\",\n \"affects_rating\": true,\n \"details\": {\n \"cvss\": {\n \"base\": [\n \n ]\n },\n \"check_pass\": \"\",\n \"diligence_annotations\": {\n \"message\": \"Allows insecure protocol: TLSv1.0, Allows insecure protocol: TLSv1.1\",\n \"certchain\": [\n {\n \"dnsName\": [\n \"*.test.test\",\n \"test.test\"\n ],\n \"endDate\": \"2025-05-15 23:59:59\",\n \"issuerName\": \"C=TestC,O=TestO,CN=TestCN RSA Domain Validation Secure Server CA 3\",\n \"keyAlgorithm\": \"RSA\",\n \"keyLength\": 2048,\n \"serialNumber\": \"111111111111111111111111\",\n \"signatureAlgorithm\": \"SHA384WITHRSA\",\n \"startDate\": \"2024-05-07 00:00:00\",\n \"subjectName\": \"CN=*.test.test\"\n },\n {\n \"dnsName\": [\n \n ],\n \"endDate\": \"2033-08-01 23:59:59\",\n \"issuerName\": \"C=TestC,ST=TestST,L=TestL,O=TestO,CN=TestCN RSA Certification Authority\",\n \"keyAlgorithm\": \"RSA\",\n \"keyLength\": 3072,\n \"serialNumber\": \"1111111111111111111111111111\",\n \"signatureAlgorithm\": \"SHA384WITHRSA\",\n \"startDate\": \"2023-08-02 00:00:00\",\n \"subjectName\": \"C=TestC,O=TestO,CN=TestCN RSA Domain Validation Secure Server CA 3\"\n }\n ]\n },\n \"final_location\": \"https://1.2.3.4/\",\n \"geo_ip_location\": \"Test\",\n \"country\": \"Test country\",\n \"grade\": \"BAD\",\n \"observed_ips\": [\n \"1.2.3.4:443\"\n ],\n \"remediations\": [\n {\n \"message\": \"Allows insecure protocol: TLSv1.0\",\n \"help_text\": \"TLS version 1.0 has been deprecated.\",\n \"remediation_tip\": \"Disable TLS 1.0. See our guide for remediating TLS/SSL Configuration findings.\"\n },\n {\n \"message\": \"Allows insecure protocol: TLSv1.1\",\n \"help_text\": \"TLS version 1.1 has been deprecated.\",\n \"remediation_tip\": \"Disable TLS 1.1. See our guide on verifying TLS is disabled.\"\n }\n ],\n \"sample_timestamp\": \"2024-06-29T00:49:11Z\",\n \"dest_port\": 443,\n \"rollup_end_date\": \"2024-06-29\",\n \"rollup_start_date\": \"2024-06-20\",\n \"searchable_details\": \"test details\"\n },\n \"evidence_key\": \"18.134.200.62:443\",\n \"first_seen\": \"2024-06-20\",\n \"last_seen\": \"2024-06-29\",\n \"related_findings\": [\n \n ],\n \"risk_category\": \"Diligence\",\n \"risk_vector\": \"ssl_configurations\",\n \"risk_vector_label\": \"SSL Configurations\",\n \"rolledup_observation_id\": \"122222222222222222\",\n \"severity\": 10.0,\n \"severity_category\": \"severe\",\n \"tags\": [\n \n ],\n \"remediation_history\": {\n \"last_requested_refresh_date\": null,\n \"last_refresh_status_date\": null,\n \"last_refresh_status_label\": null,\n \"last_refresh_reason_code\": null\n },\n \"asset_overrides\": [\n \n ],\n \"duration\": null,\n \"comments\": null,\n \"remaining_decay\": 57,\n \"remediated\": null,\n \"impacts_risk_vector_details\": \"AFFECTS_RATING\",\n \"company_uuid\": \"11111111111111111111111111111\",\n \"asset\": {\n \"asset\": \"1.2.3.4\",\n \"identifier\": null,\n \"category\": \"low\",\n \"importance\": 0.0,\n \"is_ip\": true,\n \"asset_type\": \"IP\"\n }\n}", + "event": { + "category": "vulnerability", + "end": "2024-06-29T00:00:00Z", + "start": "2024-06-20T00:00:00Z", + "type": "info" + }, + "@timestamp": "2024-06-29T00:00:00Z", + "bitsight": { + "spm": { + "impacts_risk_vector_details": "AFFECTS_RATING", + "risk_category": "Diligence", + "risk_vector": "ssl_configurations", + "risk_vector_label": "SSL Configurations", + "severity": "10.0", + "severity_category": "severe", + "temporary_id": "11111111111111" + } + }, + "host": { + "ip": [ + "1.2.3.4" + ] + }, + "observer": { + "product": "Security Performance Management", + "vendor": "BitSight" + }, + "organization": { + "id": "11111111111111111111111111111" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + } + } + + ``` + + +=== "test_event_4.json" + + ```json + + { + "message": "{\n \"temporary_id\": \"11111111111111111111111111111111\",\n \"affects_rating\": true,\n \"details\": {\n \"cvss\": {\n \"base\": [\n \n ]\n },\n \"check_pass\": \"\",\n \"diligence_annotations\": {\n \"message\": \"Detected service: HTTPS\",\n \"CPE\": [\n \"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*\"\n ],\n \"Tags\": [\n \n ],\n \"Title\": \"Service\",\n \"transport\": \"tcp\",\n \"Status\": \"HTTP/1.1 200 OK\",\n \"Server\": \"Microsoft-HTTPAPI/2.0\"\n },\n \"final_location\": \"https://1.2.3.4:8086/\",\n \"geo_ip_location\": \"Test\",\n \"country\": \"TestCountry\",\n \"grade\": \"GOOD\",\n \"remediations\": [\n {\n \"message\": \"Detected service: HTTPS\",\n \"help_text\": \"This port was observed running Hypertext Transfer Protocol Secure (HTTPS), which is used for sending and receiving secure internet traffic.\",\n \"remediation_tip\": \"\"\n }\n ],\n \"sample_timestamp\": \"2024-06-29T11:52:03Z\",\n \"dest_port\": 8086,\n \"rollup_end_date\": \"2024-06-29\",\n \"rollup_start_date\": \"2023-05-13\",\n \"searchable_details\": \"Detected service: HTTPS,tcp\"\n },\n \"evidence_key\": \"1.2.3.4:8086\",\n \"first_seen\": \"2023-05-13\",\n \"last_seen\": \"2024-06-29\",\n \"related_findings\": [\n \n ],\n \"risk_category\": \"Diligence\",\n \"risk_vector\": \"open_ports\",\n \"risk_vector_label\": \"Open Ports\",\n \"rolledup_observation_id\": \"1123123123123123123\",\n \"severity\": 1.0,\n \"severity_category\": \"minor\",\n \"tags\": [\n \n ],\n \"remediation_history\": {\n \"last_requested_refresh_date\": null,\n \"last_refresh_status_date\": null,\n \"last_refresh_status_label\": null,\n \"last_refresh_reason_code\": null\n },\n \"asset_overrides\": [\n \n ],\n \"duration\": null,\n \"comments\": null,\n \"remaining_decay\": 57,\n \"remediated\": null,\n \"impacts_risk_vector_details\": \"AFFECTS_RATING\",\n \"company_uuid\": \"1111111111111111111111111\",\n \"asset\": {\n \"asset\": \"1.2.3.4\",\n \"identifier\": null,\n \"category\": \"low\",\n \"importance\": 0.0,\n \"is_ip\": true,\n \"asset_type\": \"IP\"\n }\n}", + "event": { + "category": "vulnerability", + "end": "2024-06-29T00:00:00Z", + "start": "2023-05-13T00:00:00Z", + "type": "info" + }, + "@timestamp": "2024-06-29T00:00:00Z", + "bitsight": { + "spm": { + "impacts_risk_vector_details": "AFFECTS_RATING", + "risk_category": "Diligence", + "risk_vector": "open_ports", + "risk_vector_label": "Open Ports", + "severity": "1.0", + "severity_category": "minor", + "temporary_id": "11111111111111111111111111111111" + } + }, + "host": { + "ip": [ + "1.2.3.4" + ] + }, + "observer": { + "product": "Security Performance Management", + "vendor": "BitSight" + }, + "organization": { + "id": "1111111111111111111111111" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + } + } + + ``` + + +=== "test_event_domain.json" + + ```json + + { + "message": "{\n \"temporary_id\": \"1111111111111111111111111111111111111111111111111111&\",\n \"affects_rating\": false,\n \"asset\": {\n \"asset\": \"1.2.3.4\",\n \"identifier\": null,\n \"category\": \"low\",\n \"importance\": 0,\n \"is_ip\": true,\n \"asset_type\": \"Domain\"\n },\n \"vulnerability\": {\n \"name\": \"CVE-2014-3566\",\n \"alias\": \"POODLE\",\n \"display_name\": \"POODLE\",\n \"description\": \"The SSLv3 protocol, as used in OpenSSL through 1.0.1i and other products, makes it easier for Man-in-the-middle (MITM) attackers to obtain cleartext data via a padding-oracle attack (a.k.a. POODLE).\",\n \"remediation_tip\": \"Ensure all of your TLS/SSL libraries on the affected machines are up-to-date. Disable SSLv3 support on those servers, as described in Disable SSLv3.\",\n \"confidence\": \"HIGH\",\n \"cvss\": {\n \"base\": 3.4\n },\n \"severity\": \"Minor\"\n },\n \"company_uuid\": \"399e55d6-eab2-438d-84cd-fb0d0b967fcd\",\n \"details\": {\n \"cvss\": {\n \"base\": [\n 3.4\n ]\n },\n \"check_pass\": \"\",\n \"diligence_annotations\": {\n \"remediation_dates\": [\n {\n \"first\": \"2022-08-14 21:04:42\",\n \"last\": \"2022-08-14 21:04:42\"\n }\n ],\n \"is_remediated\": true\n },\n \"remediations\": [\n {\n \"message\": \"CVE-2014-3566 (POODLE)\",\n \"help_text\": \"The SSLv3 protocol, as used in OpenSSL through 1.0.1i and other products, makes it easier for Man-in-the-middle (MITM) attackers to obtain cleartext data via a padding-oracle attack (a.k.a. POODLE).\",\n \"remediation_tip\": \"Ensure all of your TLS/SSL libraries on the affected machines are up-to-date. Disable SSLv3 support on those servers, as described in Disable SSLv3.\"\n }\n ],\n \"rollup_end_date\": \"2022-08-14\",\n \"rollup_start_date\": \"2022-08-14\",\n \"searchable_details\": \"CVE-2014-3566\"\n },\n \"evidence_key\": \"1.2.3.4:443\",\n \"first_seen\": \"2022-08-14\",\n \"last_seen\": \"2022-08-14\",\n \"related_findings\": [],\n \"risk_category\": \"Diligence\",\n \"risk_vector\": \"patching_cadence\",\n \"risk_vector_label\": \"Patching Cadence\",\n \"rolledup_observation_id\": \"ZxFoXXsV3gvZS0t0oTmxcA==\",\n \"severity\": 4.3,\n \"severity_category\": \"moderate\",\n \"tags\": [],\n \"remediation_history\": {\n \"last_requested_refresh_date\": null,\n \"last_refresh_status_date\": null,\n \"last_refresh_status_label\": null,\n \"last_refresh_reason_code\": null\n },\n \"asset_overrides\": [],\n \"duration\": \"1 day\",\n \"comments\": null,\n \"remaining_decay\": null,\n \"remediated\": true,\n \"impacts_risk_vector_details\": \"LIFETIME_EXPIRED\"\n}", + "event": { + "category": "vulnerability", + "end": "2022-08-14T00:00:00Z", + "start": "2022-08-14T00:00:00Z", + "type": "info" + }, + "@timestamp": "2022-08-14T00:00:00Z", + "bitsight": { + "spm": { + "impacts_risk_vector_details": "LIFETIME_EXPIRED", + "remediated": true, + "risk_category": "Diligence", + "risk_vector": "patching_cadence", + "risk_vector_label": "Patching Cadence", + "severity": "4.3", + "severity_category": "moderate", + "temporary_id": "1111111111111111111111111111111111111111111111111111&", + "vulnerability_confidence": "HIGH" + } + }, + "observer": { + "product": "Security Performance Management", + "vendor": "BitSight" + }, + "organization": { + "id": "399e55d6-eab2-438d-84cd-fb0d0b967fcd" + }, + "related": { + "hosts": [ + "1.2.3.4" + ] + }, + "url": { + "domain": "1.2.3.4" + }, + "vulnerability": { + "description": "The SSLv3 protocol, as used in OpenSSL through 1.0.1i and other products, makes it easier for Man-in-the-middle (MITM) attackers to obtain cleartext data via a padding-oracle attack (a.k.a. POODLE).", + "id": "CVE-2014-3566", + "score": { + "base": 3.4 + }, + "severity": "Minor" + } + } + + ``` + + +=== "test_event_ip.json" + + ```json + + { + "message": "{\n \"temporary_id\": \"1111111111111111111111111111111111111111111111111111&\",\n \"affects_rating\": false,\n \"asset\": {\n \"asset\": \"1.2.3.4\",\n \"identifier\": null,\n \"category\": \"low\",\n \"importance\": 0,\n \"is_ip\": true,\n \"asset_type\": \"IP\"\n },\n \"vulnerability\": {\n \"name\": \"CVE-2014-3566\",\n \"alias\": \"POODLE\",\n \"display_name\": \"POODLE\",\n \"description\": \"The SSLv3 protocol, as used in OpenSSL through 1.0.1i and other products, makes it easier for Man-in-the-middle (MITM) attackers to obtain cleartext data via a padding-oracle attack (a.k.a. POODLE).\",\n \"remediation_tip\": \"Ensure all of your TLS/SSL libraries on the affected machines are up-to-date. Disable SSLv3 support on those servers, as described in Disable SSLv3.\",\n \"confidence\": \"HIGH\",\n \"cvss\": {\n \"base\": 3.4\n },\n \"severity\": \"Minor\"\n },\n \"company_uuid\": \"399e55d6-eab2-438d-84cd-fb0d0b967fcd\",\n \"details\": {\n \"cvss\": {\n \"base\": [\n 3.4\n ]\n },\n \"check_pass\": \"\",\n \"diligence_annotations\": {\n \"remediation_dates\": [\n {\n \"first\": \"2022-08-14 21:04:42\",\n \"last\": \"2022-08-14 21:04:42\"\n }\n ],\n \"is_remediated\": true\n },\n \"remediations\": [\n {\n \"message\": \"CVE-2014-3566 (POODLE)\",\n \"help_text\": \"The SSLv3 protocol, as used in OpenSSL through 1.0.1i and other products, makes it easier for Man-in-the-middle (MITM) attackers to obtain cleartext data via a padding-oracle attack (a.k.a. POODLE).\",\n \"remediation_tip\": \"Ensure all of your TLS/SSL libraries on the affected machines are up-to-date. Disable SSLv3 support on those servers, as described in Disable SSLv3.\"\n }\n ],\n \"rollup_end_date\": \"2022-08-14\",\n \"rollup_start_date\": \"2022-08-14\",\n \"searchable_details\": \"CVE-2014-3566\"\n },\n \"evidence_key\": \"1.2.3.4:443\",\n \"first_seen\": \"2022-08-14\",\n \"last_seen\": \"2022-08-14\",\n \"related_findings\": [],\n \"risk_category\": \"Diligence\",\n \"risk_vector\": \"patching_cadence\",\n \"risk_vector_label\": \"Patching Cadence\",\n \"rolledup_observation_id\": \"ZxFoXXsV3gvZS0t0oTmxcA==\",\n \"severity\": 4.3,\n \"severity_category\": \"moderate\",\n \"tags\": [],\n \"remediation_history\": {\n \"last_requested_refresh_date\": null,\n \"last_refresh_status_date\": null,\n \"last_refresh_status_label\": null,\n \"last_refresh_reason_code\": null\n },\n \"asset_overrides\": [],\n \"duration\": \"1 day\",\n \"comments\": null,\n \"remaining_decay\": null,\n \"remediated\": true,\n \"impacts_risk_vector_details\": \"LIFETIME_EXPIRED\"\n}", + "event": { + "category": "vulnerability", + "end": "2022-08-14T00:00:00Z", + "start": "2022-08-14T00:00:00Z", + "type": "info" + }, + "@timestamp": "2022-08-14T00:00:00Z", + "bitsight": { + "spm": { + "impacts_risk_vector_details": "LIFETIME_EXPIRED", + "remediated": true, + "risk_category": "Diligence", + "risk_vector": "patching_cadence", + "risk_vector_label": "Patching Cadence", + "severity": "4.3", + "severity_category": "moderate", + "temporary_id": "1111111111111111111111111111111111111111111111111111&", + "vulnerability_confidence": "HIGH" + } + }, + "host": { + "ip": [ + "1.2.3.4" + ] + }, + "observer": { + "product": "Security Performance Management", + "vendor": "BitSight" + }, + "organization": { + "id": "399e55d6-eab2-438d-84cd-fb0d0b967fcd" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "vulnerability": { + "description": "The SSLv3 protocol, as used in OpenSSL through 1.0.1i and other products, makes it easier for Man-in-the-middle (MITM) attackers to obtain cleartext data via a padding-oracle attack (a.k.a. POODLE).", + "id": "CVE-2014-3566", + "score": { + "base": 3.4 + }, + "severity": "Minor" + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | +|`bitsight.spm.impacts_risk_vector_details` | `keyword` | The details of the risk vector. | +|`bitsight.spm.remediated` | `boolean` | Whether the vulnerability has been remediated. | +|`bitsight.spm.risk_category` | `keyword` | The category of the risk. | +|`bitsight.spm.risk_vector` | `keyword` | The vector of the risk. | +|`bitsight.spm.risk_vector_label` | `keyword` | The vector label of the risk. | +|`bitsight.spm.severity` | `keyword` | The severity of the event. | +|`bitsight.spm.severity_category` | `keyword` | The category of the severity. | +|`bitsight.spm.temporary_id` | `keyword` | A temporary ID. | +|`bitsight.spm.vulnerability_confidence` | `keyword` | The confidence score of the vulnerability. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.end` | `date` | event.end contains the date when the event ended or when the activity was last observed. | +|`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`host.ip` | `ip` | Host ip addresses. | +|`observer.product` | `keyword` | The product name of the observer. | +|`observer.vendor` | `keyword` | Vendor name of the observer. | +|`organization.id` | `keyword` | Unique identifier for the organization. | +|`url.domain` | `keyword` | Domain of the url. | +|`vulnerability.description` | `keyword` | Description of the vulnerability. | +|`vulnerability.id` | `keyword` | ID of the vulnerability. | +|`vulnerability.score.base` | `float` | Vulnerability Base score. | +|`vulnerability.severity` | `keyword` | Severity of the vulnerability. | + diff --git a/_shared_content/operations_center/integrations/generated/60af2bd6-7ef0-48a7-a6db-90fcdd7236f1.md b/_shared_content/operations_center/integrations/generated/60af2bd6-7ef0-48a7-a6db-90fcdd7236f1.md index d45ecefa23..fd302fce0f 100644 --- a/_shared_content/operations_center/integrations/generated/60af2bd6-7ef0-48a7-a6db-90fcdd7236f1.md +++ b/_shared_content/operations_center/integrations/generated/60af2bd6-7ef0-48a7-a6db-90fcdd7236f1.md @@ -144,6 +144,127 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "event_smpt_to_1.json" + + ```json + + { + "message": "time=18:33:35.615 device_id=xcvfg log_id=0003007072 type=event subtype=smtp pri=information user=mail ui=mail action=NONE status=N/A session_id=\"13KGXMHI007058-13KGXMHK007058\" msg=\"to=, delay=00:00:06, xdelay=00:00:06, mailer=esmtp, pri=165917, relay= [188.165.36.237], dsn=2.0.0, stat=Sent (Ok: queued as 4T9pxY2qZtz2XPBPX)\"", + "event": { + "action": "NONE", + "category": "smtp", + "kind": "event", + "message": "to=, delay=00:00:06, xdelay=00:00:06, mailer=esmtp, pri=165917, relay= [188.165.36.237], dsn=2.0.0, stat=Sent (Ok: queued as 4T9pxY2qZtz2XPBPX)", + "reason": "Sent (Ok: queued as 4T9pxY2qZtz2XPBPX)" + }, + "action": { + "outcome_reason": "to=, delay=00:00:06, xdelay=00:00:06, mailer=esmtp, pri=165917, relay= [188.165.36.237], dsn=2.0.0, stat=Sent (Ok: queued as 4T9pxY2qZtz2XPBPX)", + "properties": { + "delay": "00:00:06", + "device_id": "xcvfg", + "dsn_version": "2.0.0", + "log_id": "0003007072", + "mailer": "esmtp", + "priority_level_msg": "165917", + "session_id": "13KGXMHI007058-13KGXMHK007058", + "user_identifier": "mail", + "xdelay": "00:00:06" + } + }, + "destination": { + "address": "188.165.36.237", + "ip": "188.165.36.237" + }, + "email": { + "to": { + "address": [ + "contact@example.com" + ] + } + }, + "log": { + "level": "information" + }, + "related": { + "ip": [ + "188.165.36.237" + ], + "user": [ + "mail" + ] + }, + "user": { + "email": "contact@example.com", + "name": "mail" + } + } + + ``` + + +=== "event_smpt_to_2.json" + + ```json + + { + "message": "time=18:33:35.615 device_id=xcvfg log_id=0003007072 type=event subtype=smtp pri=information user=mail ui=mail action=NONE status=N/A session_id=\"13KGXMHI007058-13KGXMHK007058\" msg=\"to=, delay=00:00:06, xdelay=00:00:06, mailer=esmtp, pri=165917, relay=smtp.example.org [188.165.36.237], dsn=2.0.0, stat=Sent (Ok: queued as 4T9pxY2qZtz2XPBPX)\"", + "event": { + "action": "NONE", + "category": "smtp", + "kind": "event", + "message": "to=, delay=00:00:06, xdelay=00:00:06, mailer=esmtp, pri=165917, relay=smtp.example.org [188.165.36.237], dsn=2.0.0, stat=Sent (Ok: queued as 4T9pxY2qZtz2XPBPX)", + "reason": "Sent (Ok: queued as 4T9pxY2qZtz2XPBPX)" + }, + "action": { + "outcome_reason": "to=, delay=00:00:06, xdelay=00:00:06, mailer=esmtp, pri=165917, relay=smtp.example.org [188.165.36.237], dsn=2.0.0, stat=Sent (Ok: queued as 4T9pxY2qZtz2XPBPX)", + "properties": { + "delay": "00:00:06", + "device_id": "xcvfg", + "dsn_version": "2.0.0", + "log_id": "0003007072", + "mailer": "esmtp", + "priority_level_msg": "165917", + "session_id": "13KGXMHI007058-13KGXMHK007058", + "user_identifier": "mail", + "xdelay": "00:00:06" + } + }, + "destination": { + "address": "smtp.example.org", + "domain": "smtp.example.org", + "ip": "188.165.36.237", + "size_in_char": 16 + }, + "email": { + "to": { + "address": [ + "contact@example.com" + ] + } + }, + "log": { + "level": "information" + }, + "related": { + "hosts": [ + "smtp.example.org" + ], + "ip": [ + "188.165.36.237" + ], + "user": [ + "mail" + ] + }, + "user": { + "email": "contact@example.com", + "name": "mail" + } + } + + ``` + + === "event_smtp_STARTTLS.json" ```json @@ -225,6 +346,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": "1.1.1.1", "size_in_char": 9 }, + "email": { + "to": { + "address": [ + "mh.fr" + ] + } + }, "host": { "name": "1234" }, @@ -244,7 +372,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "user": { - "email": "", + "email": "mh.fr", "name": "mail" } } @@ -285,6 +413,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": "1.1.1.1", "size_in_char": 8 }, + "email": { + "to": { + "address": [ + "sjira.eu" + ] + } + }, "host": { "name": "1234" }, @@ -304,7 +439,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "user": { - "email": "", + "email": "sjira.eu", "name": "mail" } } @@ -552,6 +687,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user_identifier": "mail" } }, + "email": { + "to": { + "address": [ + "postmaster" + ] + } + }, "host": { "name": "00000" }, diff --git a/_shared_content/operations_center/integrations/generated/90179796-f949-490c-8729-8cbc9c65be55.md b/_shared_content/operations_center/integrations/generated/90179796-f949-490c-8729-8cbc9c65be55.md index 058a08c190..9d90894197 100644 --- a/_shared_content/operations_center/integrations/generated/90179796-f949-490c-8729-8cbc9c65be55.md +++ b/_shared_content/operations_center/integrations/generated/90179796-f949-490c-8729-8cbc9c65be55.md @@ -151,7 +151,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "dns": { "question": { - "name": "_ldap._tcp.dc._msdcs.subdomain.corp.intra.", + "name": "_ldap._tcp.dc._msdcs.subdomain.corp.intra", "subdomain": "_ldap._tcp.dc._msdcs.subdomain.corp" }, "response_code": "NXDOMAIN", @@ -160,7 +160,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "related": { "hosts": [ - "_ldap._tcp.dc._msdcs.subdomain.corp.intra." + "_ldap._tcp.dc._msdcs.subdomain.corp.intra" ], "ip": [ "1.1.1.1" @@ -203,7 +203,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "dns": { "question": { - "name": "10.1.1.1_1.", + "name": "10.1.1.1_1", "subdomain": "10.1.1", "type": "A" }, @@ -213,7 +213,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "related": { "hosts": [ - "10.1.1.1_1." + "10.1.1.1_1" ], "ip": [ "10.1.1.1", @@ -256,7 +256,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "dns": { "question": { - "name": "emea.corp.", + "name": "emea.corp", "subdomain": "emea", "type": "A" }, @@ -266,7 +266,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "related": { "hosts": [ - "emea.corp." + "emea.corp" ], "ip": [ "1.1.1.1" @@ -311,7 +311,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "dns": { "question": { - "name": "substrate.office.com.", + "name": "substrate.office.com", "registered_domain": "office.com", "subdomain": "substrate", "top_level_domain": "com", @@ -323,7 +323,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "related": { "hosts": [ - "substrate.office.com." + "substrate.office.com" ], "ip": [ "1.1.1.1" diff --git a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md index 9a3e58ed46..976f2bb998 100644 --- a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md +++ b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md @@ -2754,6 +2754,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "Severity": "INFO", "SourceName": "Microsoft-Windows-Security-Auditing", "TargetDomainName": "AD", + "TargetLogonId": "0x3912391a", "TargetUserName": "USERFOO", "TargetUserSid": "S-1-5-21-1519513455-2607746426-4144247390-71234", "Task": 12545 @@ -2840,6 +2841,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "SubjectUserName": "-", "SubjectUserSid": "S-1-0-0", "TargetDomainName": "KEY", + "TargetLogonId": "0xfbee0744", "TargetUserName": "SVC_DD_SP-SEARCH", "TargetUserSid": "S-1-5-21-1574594750-1263408776-2012955550-69701", "Task": 12544, @@ -2947,6 +2949,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "SubjectUserName": "PCFOO$", "SubjectUserSid": "S-1-5-18", "TargetDomainName": "AUTORITE NT", + "TargetLogonId": "0x7e767bc", "TargetOutboundDomainName": "FOOBAR", "TargetOutboundUserName": "svc_admin_sccm", "TargetUserName": "Syst\u00e8me", @@ -3048,6 +3051,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "Severity": "INFO", "SourceName": "Microsoft-Windows-Security-Auditing", "TargetDomainName": "AD", + "TargetLogonId": "0x3912391a", "TargetUserName": "USERFOO", "TargetUserSid": "S-1-5-21-1519513455-2607746426-4144247390-71234", "Task": 12545 @@ -3303,6 +3307,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "SubjectUserName": "adm_FOOBAZ", "SubjectUserSid": "S-1-5-21-1574594750-1263408776-2012955550-122301", "TargetDomainName": "-", + "TargetLogonId": "0x0", "TargetUserName": "-", "TargetUserSid": "S-1-0-0", "Task": 13312 @@ -3326,6 +3331,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "executable": "C:\\Windows\\System32\\wbem\\WMIC.exe", "id": 11260, "name": "WMIC.exe", + "parent": { + "pid": 4 + }, "pid": 11260, "thread": { "id": 13732 @@ -3507,6 +3515,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "Domain": "NT AUTHORITY", "EventType": "VERBOSE", "Keywords": "0", + "MessageNumber": "1", + "MessageTotal": "1", "OpcodeValue": 15, "ProviderGuid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}", "ScriptBlockId": "592078b2-e981-40be-a166-10896495067b", @@ -4197,6 +4207,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "SubjectUserName": "REDACTED", "SubjectUserSid": "S-1-5-18", "TargetDomainName": "-", + "TargetLogonId": "0x0", "TargetUserName": "-", "TargetUserSid": "S-1-0-0", "Task": 13312 @@ -4225,6 +4236,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "command_line": "C:\\Windows\\System32\\svchost.exe", "executable": "C:\\Windows\\System32\\svchost.exe", "name": "svchost.exe", + "pid": 4, "working_directory": "C:\\Windows\\System32\\" }, "pid": 3648, @@ -5036,6 +5048,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "SubjectUserName": "HOSTFOOBAR", "SubjectUserSid": "S-1-5-18", "TargetDomainName": "-", + "TargetLogonId": "0x0", "TargetUserName": "-", "TargetUserSid": "S-1-0-0", "Task": 13312 @@ -5064,6 +5077,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "name": "powershell.exe", + "pid": 4, "working_directory": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\" }, "pid": 3920, @@ -5120,6 +5134,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "SubjectUserName": "USERFOO", "SubjectUserSid": "S-1-5-21-1574594750-1263408776-2012955550-78445", "TargetDomainName": "-", + "TargetLogonId": "0x0", "TargetUserName": "-", "TargetUserSid": "S-1-0-0", "Task": 13312 @@ -5148,6 +5163,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "command_line": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "name": "chrome.exe", + "pid": 4, "working_directory": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\" }, "pid": 5004, @@ -5237,7 +5253,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "registry": { "hive": "HKU", - "key": "\\S-1-5-21-375581984-207109644-1491462053-1001\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.MicrosoftOfficeHub_18.2008.12711.0_x64__8wekyb3d8bbwe\\\\LocalBridge.exe", + "key": "\\S-1-5-21-375581984-207109644-1491462053-1001\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.MicrosoftOfficeHub_18.2008.12711.0_x64__8wekyb3d8bbwe\\", "path": "HKU\\\\S-1-5-21-375581984-207109644-1491462053-1001\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.MicrosoftOfficeHub_18.2008.12711.0_x64__8wekyb3d8bbwe\\\\LocalBridge.exe", "value": "LocalBridge.exe" }, @@ -5798,7 +5814,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "type": "REG_DWORD" }, "hive": "HKLM", - "key": "System\\CurrentControlSet\\Control\\Lsa\\nolmhash", + "key": "System\\CurrentControlSet\\Control\\Lsa", "path": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\nolmhash", "value": "nolmhash" }, @@ -5887,7 +5903,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "type": "REG_SZ" }, "hive": "HKLM", - "key": "System\\CurrentControlSet\\services\\NAVENG\\ImagePath", + "key": "System\\CurrentControlSet\\services\\NAVENG", "path": "HKLM\\System\\CurrentControlSet\\services\\NAVENG\\ImagePath", "value": "ImagePath" }, @@ -7201,6 +7217,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "executable": "C:\\Windows\\System32\\qwinsta.exe", "id": 12980, "name": "qwinsta.exe", + "parent": { + "pid": 4 + }, "pid": 12980, "thread": { "id": 92 @@ -7271,6 +7290,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "executable": "C:\\Windows\\System32\\conhost.exe", "id": 4380, "name": "conhost.exe", + "parent": { + "pid": 4 + }, "pid": 4380, "thread": { "id": 88 @@ -7420,6 +7442,7 @@ The following table lists the fields that are extracted, normalized under the EC |`process.parent.command_line` | `wildcard` | Full command line that started the process. | |`process.parent.executable` | `keyword` | Absolute path to the process executable. | |`process.parent.name` | `keyword` | Process name. | +|`process.parent.pid` | `long` | Process id. | |`process.parent.working_directory` | `keyword` | The working directory of the process. | |`process.pid` | `long` | Process id. | |`process.ppid` | `integer` | | diff --git a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md index 9036296761..7592d748c2 100644 --- a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md +++ b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md @@ -587,6 +587,60 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "clientipadress.json" + + ```json + + { + "message": "{\"CreationTime\":\"2024-06-26T06:29:14\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"MailItemsAccessed\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":50,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"xxxx-xxx-xxx-xxxx\",\"UserType\":5,\"Version\":1,\"Workload\":\"Exchange\",\"UserId\":\"user@mail.fr\",\"AppId\":\"xxxx-xxx-xxx-xxxx\",\"ClientAppId\":\"clientappidxxxx-xxx-xxx-xxxx\",\"ClientIPAddress\": \"1000:1000:100:007::1\",\"ClientInfoString\":\"Client=Exemple1;Client=Exemple2;;\",\"ExternalAccess\":\"False\",\"InternalLogonType\":0,\"LogonType\":0,\"LogonUserSid\":\"S-1-5-21-xxxx-xxx-xxx-xxxx\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerSid\":\"S-1-5-21-xxxx-xxx-xxx-xxxx\",\"MailboxOwnerUPN\":\"user@mail.fr\",\"OperationProperties\":[{\"Name\":\"MailAccessType\",\"Value\":\"Bind\"},{\"Name\":\"IsThrottled\",\"Value\":\"False\"}],\"OrganizationName\":\"organization.microsoft.com\",\"OriginatingServer\":\"server (0.0.0000.000)\\r\\n\",\"Folders\":[{\"FolderItems\":[{\"ClientRequestId\":\"xxxx-xxx-xxx-xxxx\",\"Id\":\"aaaaaaaaaaaaa\",\"InternetMessageId\":\"xxxxx@exemple.com\",\"SizeInBytes\":127625},{\"ClientRequestId\":\"xxxx-xxx-xxx-xxxx\",\"Id\":\"aaaaaaaaaaaaaaaaaa\",\"InternetMessageId\":\"xxxx-xxx-xxx-xxxx@enterprise.net\",\"SizeInBytes\":147360}],\"Id\":\"aaaaaaaaaaaaaaaaaaaa\",\"Path\":\"Boite de reception\"}],\"OperationCount\":2}", + "event": { + "action": "MailItemsAccessed", + "code": "50", + "outcome": "success" + }, + "@timestamp": "2024-06-26T06:29:14Z", + "action": { + "id": 50, + "name": "MailItemsAccessed", + "outcome": "success", + "target": "user" + }, + "office365": { + "record_type": 50, + "result_status": "Succeeded", + "user_type": { + "code": 5, + "name": "Application" + } + }, + "organization": { + "id": "xxxx-xxx-xxx-xxxx" + }, + "related": { + "ip": [ + "1000:1000:100:7::1" + ], + "user": [ + "user@mail.fr" + ] + }, + "service": { + "name": "Exchange" + }, + "source": { + "address": "1000:1000:100:7::1", + "ip": "1000:1000:100:7::1" + }, + "user": { + "email": "user@mail.fr", + "id": "xxxx-xxx-xxx-xxxx", + "name": "user@mail.fr" + } + } + + ``` + + === "compliancemanager-scorechange.json" ```json @@ -628,6 +682,75 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "email_reported.json" + + ```json + + { + "message": "{\"CreationTime\": \"2024-05-24T06:29:22\", \"Id\": \"03604c8d-ed69-466b-a9f4-80467c958739\", \"Operation\": \"AlertUpdated\", \"OrganizationId\": \"4f962933-707f-4441-8d56-bb178a2ed0b9\", \"RecordType\": 40, \"ResultStatus\": \"Succeeded\", \"UserKey\": \"SecurityComplianceAlerts\", \"UserType\": 4, \"Version\": 1, \"Workload\": \"SecurityComplianceCenter\", \"ObjectId\": \"f54a9b97-a432-471b-a84a-ddcba13f5f35\", \"UserId\": \"SecurityComplianceAlerts\", \"AlertId\": \"2c7f6c46-33d7-4101-b2fc-0af27eaf308a\", \"AlertLinks\": [], \"AlertType\": \"System\", \"Category\": \"ThreatManagement\", \"Comments\": \"New alert\", \"Data\": \"{\\\"f3u\\\":\\\"john.doe@example.com\\\",\\\"ts\\\":\\\"2024-05-24T05:44:00Z\\\",\\\"te\\\":\\\"2024-05-24T05:45:00Z\\\",\\\"op\\\":\\\"UserSubmission\\\",\\\"wl\\\":\\\"SecurityComplianceCenter\\\",\\\"tid\\\":\\\"8a1a1157-0272-492d-ab10-3f9853ac8183\\\",\\\"tdc\\\":\\\"1\\\",\\\"reid\\\":\\\"a04c1571-7271-445e-82e3-c39f848aceb8\\\",\\\"wsrt\\\":\\\"2024-05-24T05:45:22\\\",\\\"mdt\\\":\\\"Audit\\\",\\\"rid\\\":\\\"9a36861c-cc4d-4818-be4a-a20555480a00\\\",\\\"cid\\\":\\\"2b6fda52-8386-4213-b6fb-2fcb078571c4\\\",\\\"ad\\\":\\\"This alert is triggered when any email message is reported as malware or phish by users -V1.0.0.3\\\",\\\"lon\\\":\\\"UserSubmission\\\",\\\"an\\\":\\\"Email reported by user as malware or phish\\\",\\\"sev\\\":\\\"Low\\\",\\\"ail\\\":\\\"https://security.microsoft.com/mtp-investigation/urn:SubmissionInvestigation:260a29b9cf8a4358857b82aa9f086c48\\\"}\", \"Name\": \"Email reported by user as malware or phish\", \"PolicyId\": \"5b31bd58-7d6e-4f97-aa6b-5135fb1b1e52\", \"Severity\": \"Low\", \"Source\": \"Office 365 Security & Compliance\", \"Status\": \"Resolved\"}", + "event": { + "action": "AlertUpdated", + "category": [ + "intrusion_detection" + ], + "code": "40", + "kind": "alert", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-05-24T06:29:22Z", + "action": { + "id": 40, + "name": "AlertUpdated", + "outcome": "success", + "target": "user" + }, + "office365": { + "alert": { + "category": "ThreatManagement", + "display_name": "Email reported by user as malware or phish", + "id": "2c7f6c46-33d7-4101-b2fc-0af27eaf308a", + "severity": "Low", + "source": "Office 365 Security & Compliance", + "status": "Resolved" + }, + "audit": { + "object_id": "f54a9b97-a432-471b-a84a-ddcba13f5f35" + }, + "record_type": 40, + "result_status": "Succeeded", + "user_type": { + "code": 4, + "name": "System" + } + }, + "organization": { + "id": "4f962933-707f-4441-8d56-bb178a2ed0b9" + }, + "related": { + "user": [ + "john.doe" + ] + }, + "rule": { + "id": "5b31bd58-7d6e-4f97-aa6b-5135fb1b1e52" + }, + "service": { + "name": "SecurityComplianceCenter" + }, + "user": { + "domain": "example.com", + "email": "john.doe@example.com", + "id": "SecurityComplianceAlerts", + "name": "john.doe" + } + } + + ``` + + === "exchange_event1.json" ```json @@ -733,6 +856,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "id": "80494e66-e53a-48eb-8e52-c6ba3b1ddd2c" }, "related": { + "ip": [ + "2a01:e0a:4ed:f6d0:49b6:317d:859f:edd7" + ], "user": [ "NestorW@example.onmicrosoft.com" ] @@ -740,6 +866,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "service": { "name": "Exchange" }, + "source": { + "address": "2a01:e0a:4ed:f6d0:49b6:317d:859f:edd7", + "ip": "2a01:e0a:4ed:f6d0:49b6:317d:859f:edd7" + }, "user": { "email": "NestorW@example.onmicrosoft.com", "id": "100320029D9C5179", @@ -1710,7 +1840,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "related": { "user": [ - "SecurityComplianceAlerts" + "anakin.skywalker" ] }, "rule": { @@ -1725,8 +1855,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "user": { + "domain": "gondor.com", + "email": "anakin.skywalker@gondor.com", "id": "SecurityComplianceAlerts", - "name": "SecurityComplianceAlerts" + "name": "anakin.skywalker" } } @@ -2696,6 +2828,159 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "teams_with_foreign_tenant_users.json" + + ```json + + { + "message": "{\n \"AppAccessContext\": {\n \"IssuedAtTime\": \"2024-06-10T06:51:28\",\n \"UniqueTokenId\": \"mYyWp_-UrEa4Z_pZM7FlAA\"\n },\n \"CreationTime\": \"2024-06-10T11:50:24\",\n \"Id\": \"4e3612b5-9cf5-4c6d-8213-2ba12af15334\",\n \"Operation\": \"ChatCreated\",\n \"OrganizationId\": \"a84a7a26-d1f0-4d45-a875-481355e2d96c\",\n \"RecordType\": 25,\n \"UserKey\": \"c5a134b1-6eb3-4558-95e5-7f3f04219cf2\",\n \"UserType\": 0,\n \"Version\": 1,\n \"Workload\": \"MicrosoftTeams\",\n \"ClientIP\": \"dc73:8fb1:6e9:c37a:334b:8bb7:313a:766b\",\n \"UserId\": \"c5a134b1-6eb3-4558-95e5-7f3f04219cf2\",\n \"ChatThreadId\": \"19:2546ebff-72fd-4fda-b537-bc31bf5e1d4c_ba359007-06c1-497f-bc4a-41ea45df4cbd@unq.gbl.spaces\",\n \"CommunicationType\": \"OneOnOne\",\n \"ExtraProperties\": [\n {\n \"Key\": \"TimeZone\",\n \"Value\": \"Europe/Paris\"\n },\n {\n \"Key\": \"OsName\",\n \"Value\": \"windows\"\n },\n {\n \"Key\": \"OsVersion\",\n \"Value\": \"10\"\n },\n {\n \"Key\": \"Country\",\n \"Value\": \"fr\"\n },\n {\n \"Key\": \"ClientName\",\n \"Value\": \"skypeteams\"\n },\n {\n \"Key\": \"ClientVersion\",\n \"Value\": \"27/1.0.0.2024052206\"\n },\n {\n \"Key\": \"ClientUtcOffsetSeconds\",\n \"Value\": \"7200\"\n }\n ],\n \"Members\": [\n {\n \"OrganizationId\": \"6d869a66-371f-4b76-a1f6-3c115469a99d\",\n \"DisplayName\": \"John Doe\",\n \"UPN\": \"john.doe@example.org\"\n },\n {\n \"OrganizationId\": \"6db03b45-27a2-4662-9121-fa5773a8e043\",\n \"DisplayName\": \"Jane Doe\",\n \"UPN\": \"jane.doe@example.com\"\n }\n ],\n \"ParticipantInfo\": {\n \"HasForeignTenantUsers\": true,\n \"HasGuestUsers\": false,\n \"HasOtherGuestUsers\": false,\n \"HasUnauthenticatedUsers\": false,\n \"ParticipatingDomains\": [\n \"example.org\",\n \"example.com\"\n ],\n \"ParticipatingSIPDomains\": [\n {\n \"DomainName\": \"example.org\",\n \"TenantId\": \"6d869a66-371f-4b76-a1f6-3c115469a99d\"\n },\n {\n \"DomainName\": \"example.com\",\n \"TenantId\": \"6db03b45-27a2-4662-9121-fa5773a8e043\"\n }\n ],\n \"ParticipatingTenantIds\": [\n \"6d869a66-371f-4b76-a1f6-3c115469a99d\",\n \"6db03b45-27a2-4662-9121-fa5773a8e043\"\n ]\n },\n \"ResourceTenantId\": \"6db03b45-27a2-4662-9121-fa5773a8e043\",\n \"ItemName\": \"19:2546ebff-72fd-4fda-b537-bc31bf5e1d4c_ba359007-06c1-497f-bc4a-41ea45df4cbd@unq.gbl.spaces\"\n}\n", + "event": { + "action": "ChatCreated", + "category": [ + "network" + ], + "code": "25", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-06-10T11:50:24Z", + "action": { + "id": 25, + "name": "ChatCreated", + "outcome": "success", + "target": "network-traffic" + }, + "office365": { + "record_type": 25, + "teams": { + "communication": { + "type": "OneOnOne" + }, + "has_foreign_tenant_users": true, + "team": { + "members": [ + { + "id": "john.doe@example.org", + "role": "None" + }, + { + "id": "jane.doe@example.com", + "role": "None" + } + ] + } + }, + "user_type": { + "code": 0, + "name": "Regular" + } + }, + "organization": { + "id": "a84a7a26-d1f0-4d45-a875-481355e2d96c" + }, + "related": { + "ip": [ + "dc73:8fb1:6e9:c37a:334b:8bb7:313a:766b" + ], + "user": [ + "c5a134b1-6eb3-4558-95e5-7f3f04219cf2" + ] + }, + "service": { + "name": "MicrosoftTeams" + }, + "source": { + "address": "dc73:8fb1:6e9:c37a:334b:8bb7:313a:766b", + "ip": "dc73:8fb1:6e9:c37a:334b:8bb7:313a:766b" + }, + "user": { + "id": "c5a134b1-6eb3-4558-95e5-7f3f04219cf2", + "name": "c5a134b1-6eb3-4558-95e5-7f3f04219cf2" + } + } + + ``` + + +=== "teams_without_foreign_tenant_users.json" + + ```json + + { + "message": "{\n \"CreationTime\": \"2024-06-10T12:14:57\",\n \"Id\": \"f47118c3-edcf-43a9-b505-c7c904231ac2\",\n \"Operation\": \"ChatCreated\",\n \"OrganizationId\": \"e7dc5731-9cc4-4c17-8dbb-a695b9cd69f1\",\n \"RecordType\": 25,\n \"UserKey\": \"70de41a7-73c7-4532-8257-25ec88456e99\",\n \"UserType\": 0,\n \"Version\": 1,\n \"Workload\": \"MicrosoftTeams\",\n \"ClientIP\": \"194.169.176.18\",\n \"UserId\": \"jdoe_example.org#EXT#@example.onmicrosoft.com\",\n \"ChatThreadId\": \"19:0f738a46-74e0-45cf-a5e7-ff31eb2d9cdb_e574a199-c965-4fe2-8c02-0a98a1e8f597@unq.gbl.spaces\",\n \"CommunicationType\": \"OneOnOne\",\n \"ExtraProperties\": [\n {\n \"Key\": \"TimeZone\",\n \"Value\": \"Europe/Paris\"\n },\n {\n \"Key\": \"OsName\",\n \"Value\": \"windows\"\n },\n {\n \"Key\": \"OsVersion\",\n \"Value\": \"NT 10.0\"\n },\n {\n \"Key\": \"Country\",\n \"Value\": \"fr\"\n },\n {\n \"Key\": \"ClientName\",\n \"Value\": \"skypeteams\"\n },\n {\n \"Key\": \"ClientVersion\",\n \"Value\": \"49/24051622207\"\n },\n {\n \"Key\": \"ClientUtcOffsetSeconds\",\n \"Value\": \"7200\"\n }\n ],\n \"Members\": [\n {\n \"OrganizationId\": \"e7dc5731-9cc4-4c17-8dbb-a695b9cd69f1\",\n \"DisplayName\": \"John Doe\",\n \"UPN\": \"jdoe_example.org#EXT#@example.onmicrosoft.com\"\n },\n {\n \"OrganizationId\": \"e7dc5731-9cc4-4c17-8dbb-a695b9cd69f1\",\n \"DisplayName\": \"Jane Doe\",\n \"UPN\": \"jane.doe@example.org\"\n }\n ],\n \"ParticipantInfo\": {\n \"HasForeignTenantUsers\": false,\n \"HasGuestUsers\": true,\n \"HasOtherGuestUsers\": false,\n \"HasUnauthenticatedUsers\": false,\n \"ParticipatingDomains\": [],\n \"ParticipatingSIPDomains\": [],\n \"ParticipatingTenantIds\": [\n \"e7dc5731-9cc4-4c17-8dbb-a695b9cd69f1\"\n ]\n },\n \"ResourceTenantId\": \"e7dc5731-9cc4-4c17-8dbb-a695b9cd69f1\",\n \"ItemName\": \"19:0f738a46-74e0-45cf-a5e7-ff31eb2d9cdb_e574a199-c965-4fe2-8c02-0a98a1e8f597@unq.gbl.spaces\"\n}\n", + "event": { + "action": "ChatCreated", + "category": [ + "network" + ], + "code": "25", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-06-10T12:14:57Z", + "action": { + "id": 25, + "name": "ChatCreated", + "outcome": "success", + "target": "network-traffic" + }, + "office365": { + "record_type": 25, + "teams": { + "communication": { + "type": "OneOnOne" + }, + "has_foreign_tenant_users": false, + "team": { + "members": [ + { + "id": "jdoe_example.org#EXT#@example.onmicrosoft.com", + "role": "None" + }, + { + "id": "jane.doe@example.org", + "role": "None" + } + ] + } + }, + "user_type": { + "code": 0, + "name": "Regular" + } + }, + "organization": { + "id": "e7dc5731-9cc4-4c17-8dbb-a695b9cd69f1" + }, + "related": { + "ip": [ + "194.169.176.18" + ], + "user": [ + "jdoe_example.org#EXT#@example.onmicrosoft.com" + ] + }, + "service": { + "name": "MicrosoftTeams" + }, + "source": { + "address": "194.169.176.18", + "ip": "194.169.176.18" + }, + "user": { + "email": "jdoe_example.org#EXT#@example.onmicrosoft.com", + "id": "70de41a7-73c7-4532-8257-25ec88456e99", + "name": "jdoe_example.org#EXT#@example.onmicrosoft.com" + } + } + + ``` + + === "threat_intel.json" ```json @@ -3348,6 +3633,7 @@ The following table lists the fields that are extracted, normalized under the EC |`office365.teams.channel.name` | `keyword` | The name of the channel | |`office365.teams.channel.type` | `keyword` | The type of the channel | |`office365.teams.communication.type` | `keyword` | The type of communication | +|`office365.teams.has_foreign_tenant_users` | `boolean` | | |`office365.teams.invitee` | `keyword` | The identifier of an invitee | |`office365.teams.message.id` | `keyword` | The identifier of the message | |`office365.teams.message.size` | `long` | The size of the message in bytes with UTF-16 encoding | @@ -3370,6 +3656,7 @@ The following table lists the fields that are extracted, normalized under the EC |`source.user.email` | `keyword` | User email address. | |`url.full` | `wildcard` | Full unparsed URL. | |`url.original` | `wildcard` | Unmodified original url as seen in the event source. | +|`user.domain` | `keyword` | Name of the directory the user is a member of. | |`user.email` | `keyword` | User email address. | |`user.id` | `keyword` | Unique identifier of the user. | |`user.name` | `keyword` | Short name or login of the user. | diff --git a/_shared_content/operations_center/integrations/generated/d382947e-4493-4e0b-90f1-870fe6e6ef1e.md b/_shared_content/operations_center/integrations/generated/d382947e-4493-4e0b-90f1-870fe6e6ef1e.md new file mode 100644 index 0000000000..cfe11712fe --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/d382947e-4493-4e0b-90f1-870fe6e6ef1e.md @@ -0,0 +1,291 @@ + +## Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Network intrusion detection system` | Jizo identify suspicious behaviors by providing alerts logs | +| `Network device logs` | The logs provided by jizo give a good overview of the network activity | +| `Network protocol analysis` | The logs offered by jizo provide traffic analysis | + + + + + +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `alert` | +| Category | `network` | +| Type | `connection` | + + + + +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "event.json" + + ```json + + { + "message": " {\"timestamp\":\"2024-06-27T12:56:49.920281+0000\",\"flow_id\":1017644745558273,\"in_iface\":\"icc1\",\"event_type\":\"alert\",\"src_ip\":\"1.2.3.4\",\"src_port\":8000,\"dest_ip\":\"10.0.4.4\",\"dest_port\":4000,\"proto\":\"TCP\",\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221014,\"rev\":1,\"signature\":\"ET EXPLOIT Possible ETERNALBLUE Probe MS17-010 (Generic Flags)\",\"category\":\"A Network Trojan was detected\",\"severity\":3,\"metadata\":{\"affected_product\":[\"machine1\"],\"attack_target\":[\"Client_Endpoint\"],\"signature_severity\":[\"Major\"]}},\"app_proto\":\"smb\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":4,\"bytes_toserver\":265,\"bytes_toclient\":701,\"start\":\"2024-01-07T19:54:41.492407+0000\"}}", + "event": { + "action": "allowed", + "category": [ + "network" + ], + "kind": "alert", + "severity": 3, + "start": "2024-01-07T19:54:41.492407Z", + "type": [ + "connection" + ] + }, + "@timestamp": "2024-06-27T12:56:49.920281Z", + "action": { + "properties": { + "category": "A Network Trojan was detected", + "severity": "Major", + "signature": "ET EXPLOIT Possible ETERNALBLUE Probe MS17-010 (Generic Flags)", + "signature_id": "2221014" + } + }, + "destination": { + "address": "10.0.4.4", + "bytes": 701, + "ip": "10.0.4.4", + "packets": 4, + "port": 4000 + }, + "host": { + "ip": "1.2.3.4" + }, + "jizo": { + "flow": { + "id": "1017644745558273" + } + }, + "network": { + "protocol": "smb", + "transport": "TCP" + }, + "observer": { + "ingress": { + "interface": { + "name": "icc1" + } + } + }, + "related": { + "ip": [ + "1.2.3.4", + "10.0.4.4" + ] + }, + "source": { + "address": "1.2.3.4", + "bytes": 265, + "ip": "1.2.3.4", + "packets": 4, + "port": 8000 + } + } + + ``` + + +=== "http_event.json" + + ```json + + { + "message": "{\"timestamp\":\"2024-06-27T13:25:18.431133+0000\",\"flow_id\":1017644745558273,\"in_iface\":\"icc1\",\"event_type\":\"alert\",\"src_ip\":\"10.20.30.101\",\"src_port\":49778,\"dest_ip\":\"203.176.135.102\",\"dest_port\":8082,\"proto\":\"TCP\",\"http\":{\"http_port\":8082,\"url\":\"/libhtp::request_uri_not_seen\",\"http_server_agent\":\"KSKJJGJ\",\"http_content_type\":\"text/plain\",\"status\":200,\"response_length\":3,\"request_length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":8,\"pkts_toclient\":7,\"bytes_toserver\":5427,\"bytes_toclient\":502,\"start\":\"2024-06-27T13:11:21.595110+0000\"},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2100494,\"rev\":12,\"signature\":\"GPL ATTACK_RESPONSE command completed\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"updated_at\":[\"2010_09_23\"],\"created_at\":[\"2010_09_23\"]}}}", + "event": { + "action": "allowed", + "category": [ + "network" + ], + "kind": "alert", + "severity": 2, + "start": "2024-06-27T13:11:21.595110Z", + "type": [ + "connection" + ] + }, + "@timestamp": "2024-06-27T13:25:18.431133Z", + "action": { + "properties": { + "category": "Potentially Bad Traffic", + "signature": "GPL ATTACK_RESPONSE command completed", + "signature_id": "2100494" + } + }, + "destination": { + "address": "203.176.135.102", + "bytes": 502, + "ip": "203.176.135.102", + "packets": 7, + "port": 8082 + }, + "host": { + "ip": "10.20.30.101" + }, + "http": { + "response": { + "bytes": 3, + "status_code": 200 + } + }, + "jizo": { + "flow": { + "id": "1017644745558273" + } + }, + "network": { + "protocol": "http", + "transport": "TCP" + }, + "observer": { + "ingress": { + "interface": { + "name": "icc1" + } + } + }, + "related": { + "ip": [ + "10.20.30.101", + "203.176.135.102" + ] + }, + "source": { + "address": "10.20.30.101", + "bytes": 5427, + "ip": "10.20.30.101", + "packets": 8, + "port": 49778 + }, + "url": { + "original": "/libhtp::request_uri_not_seen", + "path": "/libhtp::request_uri_not_seen" + } + } + + ``` + + +=== "rule.json" + + ```json + + { + "message": " {\"timestamp\":\"2024-06-27T12:56:49.920281+0000\",\"flow_id\":1017644745558273,\"in_iface\":\"icc1\",\"event_type\":\"alert\",\"src_ip\":\"1.2.3.4\",\"src_port\":8000,\"dest_ip\":\"10.0.4.4\",\"dest_port\":4000,\"proto\":\"TCP\",\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221014,\"rev\":1,\"signature\":\"ET EXPLOIT Possible ETERNALBLUE Probe MS17-010 (Generic Flags)\",\"category\":\"A Network Trojan was detected\",\"severity\":3,\"metadata\":{\"affected_product\":[\"machine1\"],\"attack_target\":[\"Client_Endpoint\"],\"signature_severity\":[\"Major\"]}},\"app_proto\":\"smb\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":4,\"bytes_toserver\":265,\"bytes_toclient\":701,\"start\":\"2024-01-07T19:54:41.492407+0000\"}}", + "event": { + "action": "allowed", + "category": [ + "network" + ], + "kind": "alert", + "severity": 3, + "start": "2024-01-07T19:54:41.492407Z", + "type": [ + "connection" + ] + }, + "@timestamp": "2024-06-27T12:56:49.920281Z", + "action": { + "properties": { + "category": "A Network Trojan was detected", + "severity": "Major", + "signature": "ET EXPLOIT Possible ETERNALBLUE Probe MS17-010 (Generic Flags)", + "signature_id": "2221014" + } + }, + "destination": { + "address": "10.0.4.4", + "bytes": 701, + "ip": "10.0.4.4", + "packets": 4, + "port": 4000 + }, + "host": { + "ip": "1.2.3.4" + }, + "jizo": { + "flow": { + "id": "1017644745558273" + } + }, + "network": { + "protocol": "smb", + "transport": "TCP" + }, + "observer": { + "ingress": { + "interface": { + "name": "icc1" + } + } + }, + "related": { + "ip": [ + "1.2.3.4", + "10.0.4.4" + ] + }, + "source": { + "address": "1.2.3.4", + "bytes": 265, + "ip": "1.2.3.4", + "packets": 4, + "port": 8000 + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | +|`action.properties.category` | `keyword` | | +|`action.properties.severity` | `keyword` | | +|`action.properties.signature` | `keyword` | | +|`action.properties.signature_id` | `keyword` | | +|`destination.bytes` | `long` | Bytes sent from the destination to the source. | +|`destination.ip` | `ip` | IP address of the destination. | +|`destination.packets` | `long` | Packets sent from the destination to the source. | +|`destination.port` | `long` | Port of the destination. | +|`event.action` | `keyword` | The action captured by the event. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.severity` | `long` | Numeric severity of the event. | +|`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`host.ip` | `ip` | Host ip addresses. | +|`http.response.bytes` | `long` | Total size in bytes of the response (body and headers). | +|`http.response.status_code` | `long` | HTTP response status code. | +|`jizo.flow.id` | `keyword` | | +|`network.protocol` | `keyword` | Application protocol name. | +|`network.transport` | `keyword` | Protocol Name corresponding to the field `iana_number`. | +|`observer.ingress.interface.name` | `keyword` | Interface name | +|`source.bytes` | `long` | Bytes sent from the source to the destination. | +|`source.ip` | `ip` | IP address of the source. | +|`source.packets` | `long` | Packets sent from the source to the destination. | +|`source.port` | `long` | Port of the source. | +|`url.original` | `wildcard` | Unmodified original url as seen in the event source. | + diff --git a/_shared_content/operations_center/integrations/generated/d719e8b5-85a1-4dad-bf71-46155af56570.md b/_shared_content/operations_center/integrations/generated/d719e8b5-85a1-4dad-bf71-46155af56570.md index dc08acb125..0df623c8fb 100644 --- a/_shared_content/operations_center/integrations/generated/d719e8b5-85a1-4dad-bf71-46155af56570.md +++ b/_shared_content/operations_center/integrations/generated/d719e8b5-85a1-4dad-bf71-46155af56570.md @@ -1249,6 +1249,57 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "user_login.json" + + ```json + + { + "message": "1.0|WatchGuard|XTM|12.10.3.B694994|3E000002|host_name=Member2#011serial=AAAAAAAAAAAAA#011msg=SSL VPN user john.doe@example.org@radius from 1.2.3.4 logged in assigned virtual IP is 4.3.2.1", + "event": { + "category": [ + "session" + ], + "code": "3E000002", + "reason": "SSL VPN user john.doe@example.org@radius from 1.2.3.4 logged in assigned virtual IP is 4.3.2.1", + "type": [ + "start" + ] + }, + "observer": { + "product": "XTM", + "serial_number": "AAAAAAAAAAAAA", + "type": "firewall", + "vendor": "WatchGuard", + "version": "12.10.3.B694994" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "john.doe" + }, + "watchguard": { + "firebox": { + "dhcp": { + "operation": "none" + }, + "virtual_ip": "4.3.2.1" + } + } + } + + ``` + + === "user_login_rejected.json" ```json