diff --git a/_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71.md b/_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71.md index 6c75f6aff4..028edddeec 100644 --- a/_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71.md +++ b/_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71.md @@ -443,6 +443,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": [ "1.2.3.4", "5.6.7.8" + ], + "user": [ + "vpn17590" ] }, "rule": { @@ -451,6 +454,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "source": { "address": "1.2.3.4", "ip": "1.2.3.4" + }, + "user": { + "name": "vpn17590" } } @@ -518,6 +524,53 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_sslvpn_log_3.json" + + ```json + + { + "message": "\"12/07/2023:10:58:42 GMT CXA-GAT 0-PPE-0 : default SSLVPN Message 1521206 0 : \"SSO ns_sslvpn_process_sso_conn: user john.doe@example.com clientip 1.2.3.7 request: /Citrix/CITRIXCGDWeb/clients/HTML5Client/resources/images/icon_clipboard.png sso_flags-0 p_flags-0 x_flags-200000 author_hdr_removed-0\"\"", + "event": { + "category": [ + "network" + ], + "code": "Message", + "dataset": "audit_sslvpn", + "kind": "event", + "type": [ + "connection" + ] + }, + "@timestamp": "2023-12-07T10:58:42Z", + "citrix": { + "adc": { + "message": "SSO ns_sslvpn_process_sso_conn: user john.doe@example.com clientip 1.2.3.7 request: /Citrix/CITRIXCGDWeb/clients/HTML5Client/resources/images/icon_clipboard.png sso_flags-0 p_flags-0 x_flags-200000 author_hdr_removed-0" + } + }, + "client": { + "address": "1.2.3.7", + "ip": "1.2.3.7" + }, + "observer": { + "name": "CXA-GAT" + }, + "related": { + "ip": [ + "1.2.3.7" + ], + "user": [ + "john.doe" + ] + }, + "user": { + "domain": "example.com", + "name": "john.doe" + } + } + + ``` + + 
@@ -534,6 +587,7 @@ The following table lists the fields that are extracted, normalized under the EC |`citrix.adc.message` | `keyword` | | |`citrix.adc.virtual_server.ip` | `keyword` | | |`citrix.adc.virtual_server.port` | `keyword` | | +|`client.ip` | `ip` | IP address of the client. | |`destination.ip` | `ip` | IP address of the destination. | |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | @@ -554,5 +608,6 @@ The following table lists the fields that are extracted, normalized under the EC |`tls.cipher` | `keyword` | String indicating the cipher used during the current connection. | |`tls.version` | `keyword` | Numeric part of the version parsed from the original string. | |`url.original` | `wildcard` | Unmodified original url as seen in the event source. | +|`user.domain` | `keyword` | Name of the directory the user is a member of. | |`user.name` | `keyword` | Short name or login of the user. | diff --git a/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb.md b/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb.md index 0870957656..2f1642512b 100644 --- a/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb.md +++ b/_shared_content/operations_center/integrations/generated/19cd2ed6-f90c-47f7-a46b-974354a107bb.md @@ -490,6 +490,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "operationVersion": "1.0", "properties": { "appDisplayName": "Office 365 Exchange Online", + "appId": "00000002-0000-0ff1-ce00-000000000000", "authenticationProtocol": "ropc", "correlationId": "7ee10819-f631-4ab1-8edb-4efb7286baba", "id": "b2fdcc8f-954d-4d88-a035-58daefab4f00", 
@@ -626,6 +627,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "operationVersion": "1.0", "properties": { "appDisplayName": "Office365 Shell WCSS-Client", + "appId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", "authenticationProtocol": "none", "correlationId": "e68960e2-8996-448c-ba7a-e54eeb8ff2ed", "id": "22253f56-6fc4-45f2-b148-d7fe15504900", @@ -721,6 +723,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "operationVersion": "1.0", "properties": { "appDisplayName": "Microsoft App Access Panel", + "appId": "0000000c-0000-0000-c000-000000000000", "authenticationProtocol": "none", "correlationId": "467c1340-0762-40d2-b6fb-339235633ebb", "id": "8795994f-0bb8-46d7-8797-8c9c385d5900", 
@@ -802,53 +805,37 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "@timestamp": "2023-08-16T15:32:05.577260Z", - "service": { - "type": "ldap", - "name": "Azure Active Directory" - }, "action": { "name": "Sign-in activity" }, "azuread": { - "resourceId": "/tenants/93f63260-ad9a-4087-b7e0-d9010cb919dd/providers/Microsoft.aadiam", - "operationName": "Sign-in activity", - "operationVersion": "1.0", + "Level": 4, + "callerIpAddress": "1.2.3.4", "category": "SignInLogs", - "tenantId": "93f63260-ad9a-4087-b7e0-d9010cb919dd", - "durationMs": 0, "correlationId": "93f63260-ad9a-4087-b7e0-d9010cb919dd", + "durationMs": 0, "identity": "John DOE", - "Level": 4, - "callerIpAddress": "1.2.3.4", + "operationName": "Sign-in activity", + "operationVersion": "1.0", "properties": { - "id": "93f63260-ad9a-4087-b7e0-d9010cb919dd", + "appDisplayName": "Microsoft Authentication Broker", + "appId": "93f63260-ad9a-4087-b7e0-d9010cb919dd", + "authenticationProtocol": "none", "correlationId": "93f63260-ad9a-4087-b7e0-d9010cb919dd", - "riskState": "none", + "id": "93f63260-ad9a-4087-b7e0-d9010cb919dd", "riskDetail": "none", - "riskLevelAggregated": "none", - "riskLevelDuringSignIn": "none", "riskEventTypes": [], "riskEventTypes_v2": [], + "riskLevelAggregated": "none", + "riskLevelDuringSignIn": "none", + "riskState": "none", "status": { - "errorCode": "0", - "additionalDetails": "MFA completed in Azure AD" - }, - "authenticationProtocol": "none", - "appDisplayName": "Microsoft Authentication Broker" - } - }, - "source": { - "ip": "1.2.3.4", - "geo": { - "city_name": "Paris", - "region_name": "Paris", - "country_iso_code": "FR", - "location": { - "lon": 2.351828, - "lat": 48.856578 + "additionalDetails": "MFA completed in Azure AD", + "errorCode": "0" } }, - "address": "1.2.3.4" + "resourceId": "/tenants/93f63260-ad9a-4087-b7e0-d9010cb919dd/providers/Microsoft.aadiam", + "tenantId": "93f63260-ad9a-4087-b7e0-d9010cb919dd" }, "error": { "code": "0", 
@@ -859,25 +846,42 @@ Find below few samples of events and how they are normalized by Sekoia.io. "type": "Ios" } }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "service": { + "name": "Azure Active Directory", + "type": "ldap" + }, + "source": { + "address": "1.2.3.4", + "geo": { + "city_name": "Paris", + "country_iso_code": "FR", + "location": { + "lat": 48.856578, + "lon": 2.351828 + }, + "region_name": "Paris" + }, + "ip": "1.2.3.4" + }, "user": { - "full_name": "John DOE", - "email": "john.doe@example.org" + "email": "john.doe@example.org", + "full_name": "John DOE" }, "user_agent": { - "original": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148", "device": { "name": "iPhone" }, "name": "Mobile Safari UI/WKWebView", + "original": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148", "os": { "name": "iOS", "version": "16.6" } - }, - "related": { - "ip": [ - "1.2.3.4" - ] } } 
@@ -896,92 +900,93 @@ Find below few samples of events and how they are normalized by Sekoia.io. ] }, "@timestamp": "2023-10-04T13:09:02.679994Z", - "service": { - "type": "ldap", - "name": "Azure Active Directory" - }, "action": { "name": "Sign-in activity" }, "azuread": { - "resourceId": "/tenants/34314e6e-4023-4e4b-a15e-143f63244e2b/providers/Microsoft.aadiam", - "operationName": "Sign-in activity", - "operationVersion": "1.0", + "Level": 4, + "callerIpAddress": "11.11.11.11", "category": "SignInLogs", - "tenantId": "34314e6e-4023-4e4b-a15e-143f63244e2b", - "durationMs": 0, "correlationId": "e68960e2-8996-448c-ba7a-e54eeb8ff2ed", + "durationMs": 0, "identity": "DOE Jane", - "Level": 4, - "callerIpAddress": "11.11.11.11", + "operationName": "Sign-in activity", + "operationVersion": "1.0", "properties": { - "id": "e14254f4-4288-4c00-8689-80823c4f4cb5", + "appDisplayName": "Microsoft Authentication Broker", + "appId": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7", + "authenticationProtocol": "deviceCode", "correlationId": "11d70870-823f-4450-828a-aba3cf69af8d", - "riskState": "none", + "deviceDetail": { + "isCompliant": true, + "isManaged": true, + "trustType": "Azure AD joined" + }, + "id": "e14254f4-4288-4c00-8689-80823c4f4cb5", "riskDetail": "none", - "riskLevelAggregated": "none", - "riskLevelDuringSignIn": "none", "riskEventTypes": [], "riskEventTypes_v2": [], + "riskLevelAggregated": "none", + "riskLevelDuringSignIn": "none", + "riskState": "none", "status": { "errorCode": "0" - }, - "authenticationProtocol": "deviceCode", - "appDisplayName": "Microsoft Authentication Broker", - "deviceDetail": { - "isCompliant": true, - "isManaged": true, - "trustType": "Azure AD joined" - } - } - }, - "source": { - "ip": "11.11.11.11", - "geo": { - "city_name": "Bordeaux", - "region_name": "Gironde", - "country_iso_code": "FR", - "location": { - "lon": -0.5805000066757202, - "lat": 44.84040069580078 } }, - "address": "11.11.11.11" + "resourceId": 
"/tenants/34314e6e-4023-4e4b-a15e-143f63244e2b/providers/Microsoft.aadiam", + "tenantId": "34314e6e-4023-4e4b-a15e-143f63244e2b" }, "error": { "code": "0" }, "host": { - "id": "e14254f4-4288-4c00-8689-80823c4f4cb5", "hostname": "LPTC-PC1M4VZQ", + "id": "e14254f4-4288-4c00-8689-80823c4f4cb5", + "name": "LPTC-PC1M4VZQ", "os": { "type": "Ios" + } + }, + "related": { + "hosts": [ + "LPTC-PC1M4VZQ" + ], + "ip": [ + "11.11.11.11" + ] + }, + "service": { + "name": "Azure Active Directory", + "type": "ldap" + }, + "source": { + "address": "11.11.11.11", + "geo": { + "city_name": "Bordeaux", + "country_iso_code": "FR", + "location": { + "lat": 44.84040069580078, + "lon": -0.5805000066757202 + }, + "region_name": "Gironde" }, - "name": "LPTC-PC1M4VZQ" + "ip": "11.11.11.11" }, "user": { - "full_name": "Jane DOE", - "email": "jane.doe@example.org" + "email": "jane.doe@example.org", + "full_name": "Jane DOE" }, "user_agent": { - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.98", "device": { "name": "Other" }, "name": "Edge", - "version": "116.0.1938", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.98", "os": { "name": "Windows", "version": "10" - } - }, - "related": { - "hosts": [ - "LPTC-PC1M4VZQ" - ], - "ip": [ - "11.11.11.11" - ] + }, + "version": "116.0.1938" } } @@ -1157,6 +1162,7 @@ The following table lists the fields that are extracted, normalized under the EC |`azuread.privateLinkDetails` | `list` | | |`azuread.properties.activity` | `keyword` | | |`azuread.properties.appDisplayName` | `keyword` | appDisplayName | +|`azuread.properties.appId` | `keyword` | appId | |`azuread.properties.authenticationProtocol` | `keyword` | authenticationProtocol | |`azuread.properties.correlationId` | `keyword` | | |`azuread.properties.detectionTimingType` | `keyword` | | 
diff --git a/_shared_content/operations_center/integrations/generated/331fa58d-8cf9-454a-a87f-48a3dc07d4d3.md b/_shared_content/operations_center/integrations/generated/331fa58d-8cf9-454a-a87f-48a3dc07d4d3.md
index 6036c5342d..d6f6665e60 100644
--- a/_shared_content/operations_center/integrations/generated/331fa58d-8cf9-454a-a87f-48a3dc07d4d3.md
+++ b/_shared_content/operations_center/integrations/generated/331fa58d-8cf9-454a-a87f-48a3dc07d4d3.md
@@ -17,7 +17,912 @@ The following table lists the data source offered by this integration. +In details, the following table denotes the type of events produced by this integration. +| Name | Values | +| ---- | ------ | +| Kind | `alert`, `event` | +| Category | `network` | +| Type | `connection`, `info` | + +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "alert.json" + + ```json + + { + "message": " {\"timestamp\":\"2024-01-07T19:54:41.712927+0000\",\"flow_id\":520221496542071,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"1.2.3.4\",\"src_port\":44244,\"dest_ip\":\"10.0.4.4\",\"dest_port\":2375,\"proto\":\"TCP\",\"metadata\":{\"flowints\":{\"http.anomaly.count\":1}},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221014,\"rev\":1,\"signature\":\"SURICATA HTTP missing Host header\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"url\":\"/version\",\"http_content_type\":\"application/json\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":404,\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":4,\"bytes_toserver\":265,\"bytes_toclient\":701,\"start\":\"2024-01-07T19:54:41.492407+0000\"}}", + "event": { + "category": [ + "network" + ], + "kind": "alert", + "severity": 3, + "type": [ + "connection" + ] + }, + "@timestamp": "2024-01-07T19:54:41.712927Z", + "action": { + "name": "allowed", + "properties": { + "category": "Generic Protocol Command Decode", + "signature": "SURICATA HTTP missing Host header", + "signature_id": "2221014" + }, + "type": "alert" + }, + "destination": { + "address": "10.0.4.4", + "ip": "10.0.4.4", + "port": 2375 + }, + "host": { + "ip": "1.2.3.4" + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "bytes": 0, + "mime_type": "application/json", + "status_code": 404 + }, + "version": "1.1" + }, + "network": { + "protocol": "TCP" + }, + "related": { + "ip": [ 
+ "1.2.3.4", + "10.0.4.4" + ] + }, + "source": { + "address": "1.2.3.4", + "bytes": 265, + "ip": "1.2.3.4", + "port": 44244 + }, + "url": { + "original": "/version", + "path": "/version" + } + } + + ``` + + +=== "alert_community_id.json" + + ```json + + { + "message": " {\"timestamp\":\"2024-01-16T15:31:05.676280+0000\",\"flow_id\":2027746959634226,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"10.0.4.4\",\"src_port\":57584,\"dest_ip\":\"169.254.169.254\",\"dest_port\":80,\"proto\":\"TCP\",\"community_id\":\"1:aymnqZT++/Mb1TKCNw5wagfU4lo=\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":1,\"rev\":0,\"signature\":\"Agent\",\"category\":\"\",\"severity\":3},\"http\":{\"hostname\":\"169.254.169.254\",\"url\":\"/metadata/instance?api-version=2018-02-01\",\"http_user_agent\":\"WALinuxAgent/2.2.47+health\",\"http_content_type\":\"application/json\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":658},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":2,\"bytes_toserver\":455,\"bytes_toclient\":971,\"bypassed\":{\"pkts_toserver\":0,\"pkts_toclient\":0,\"bytes_toserver\":0,\"bytes_toclient\":0},\"start\":\"2024-01-16T15:31:05.667442+0000\"}}", + "event": { + "category": [ + "network" + ], + "kind": "alert", + "severity": 3, + "type": [ + "connection" + ] + }, + "@timestamp": "2024-01-16T15:31:05.676280Z", + "action": { + "name": "allowed", + "properties": { + "signature": "Agent", + "signature_id": "1" + }, + "type": "alert" + }, + "destination": { + "address": "169.254.169.254", + "ip": "169.254.169.254", + "port": 80 + }, + "host": { + "ip": "10.0.4.4" + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "bytes": 658, + "mime_type": "application/json", + "status_code": 200 + }, + "version": "1.1" + }, + "network": { + "community_id": "1:aymnqZT++/Mb1TKCNw5wagfU4lo=", + "protocol": "TCP" + }, + "related": { + "hosts": [ + "169.254.169.254" + ], + "ip": [ + 
"10.0.4.4", + "169.254.169.254" + ] + }, + "source": { + "address": "10.0.4.4", + "bytes": 455, + "ip": "10.0.4.4", + "port": 57584 + }, + "url": { + "domain": "169.254.169.254", + "original": "/metadata/instance?api-version=2018-02-01", + "path": "/metadata/instance", + "query": "api-version=2018-02-01" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "WALinuxAgent/2.2.47+health", + "os": { + "name": "Linux" + } + } + } + + ``` + + +=== "anomaly.json" + + ```json + + { + "message": "{\"timestamp\":\"2024-01-03T10:59:59.869444+0100\",\"flow_id\":1341218162162105,\"in_iface\":\"ens192\",\"event_type\":\"anomaly\",\"src_ip\":\"10.200.52.1\",\"src_port\":80,\"dest_ip\":\"10.200.61.2\",\"dest_port\":59730,\"proto\":\"TCP\",\"tx_id\":0,\"anomaly\":{\"app_proto\":\"http\",\"type\":\"applayer\",\"event\":\"REQUEST_AUTH_UNRECOGNIZED\",\"layer\":\"proto_parser\"}}", + "event": { + "action": "REQUEST_AUTH_UNRECOGNIZED", + "category": [ + "network" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2024-01-03T09:59:59.869444Z", + "action": { + "type": "anomaly" + }, + "destination": { + "address": "10.200.61.2", + "ip": "10.200.61.2", + "port": 59730 + }, + "host": { + "ip": "10.200.52.1" + }, + "network": { + "protocol": "TCP" + }, + "related": { + "ip": [ + "10.200.52.1", + "10.200.61.2" + ] + }, + "source": { + "address": "10.200.52.1", + "ip": "10.200.52.1", + "port": 80 + } + } + + ``` + + +=== "beats.json" + + ```json + + { + "message": 
"{\"host\":\"probe\",\"system\":{\"memory\":{\"page_stats\":{\"pgsteal_direct\":{\"pages\":94402103},\"kswapd_efficiency\":{\"pct\":0.9952},\"direct_efficiency\":{\"pct\":0.9978},\"pgfree\":{\"pages\":44400483918},\"pgscan_kswapd\":{\"pages\":534123009},\"pgscan_direct\":{\"pages\":94613971},\"pgsteal_kswapd\":{\"pages\":531564648}},\"cached\":6572060672,\"used\":{\"pct\":0.3987,\"bytes\":13438373888},\"total\":33706483712,\"hugepages\":{\"used\":{\"pct\":0,\"bytes\":0},\"surplus\":0,\"total\":0,\"reserved\":0,\"swap\":{\"out\":{\"pages\":0,\"fallback\":55}},\"default_size\":2097152,\"free\":0},\"swap\":{\"readahead\":{\"cached\":7349,\"pages\":11798},\"used\":{\"pct\":0.0191,\"bytes\":306184192},\"out\":{\"pages\":869821},\"total\":15997071360,\"in\":{\"pages\":31105},\"free\":15690887168},\"free\":20268109824,\"actual\":{\"free\":26929573888,\"used\":{\"pct\":0.2011,\"bytes\":6776909824}}}},\"agent\":{\"version\":\"7.17.10\",\"type\":\"metricbeat\",\"name\":\"probe\",\"id\":\"8c2941ae-caf1-4b35-bead-caae1d21aa96\",\"hostname\":\"probe\",\"ephemeral_id\":\"09850e5a-6478-4e6e-92c3-cf10e3a3a89d\"},\"@version\":\"1\",\"type\":\"json-log\",\"tenant\":\"0\",\"metricset\":{\"period\":30000,\"name\":\"memory\"},\"tags\":[\"beats_input_raw_event\"],\"service\":{\"type\":\"system\"},\"@timestamp\":\"2023-12-08T15:06:47.131Z\",\"logger\":\"logstash-manager\",\"event\":{\"dataset\":\"system.memory\",\"module\":\"system\",\"duration\":2640456}}", + "event": { + "category": [ + "network" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "action": { + "type": "beats_input_raw_event" + }, + "host": { + "name": "probe" + } + } + + ``` + + +=== "dns_answer.json" + + ```json + + { + "message": 
"{\"timestamp\":\"2019-12-17T14:09:39.935301+0000\",\"flow_id\":1335601175718181,\"in_iface\":\"eth0\",\"event_type\":\"dns\",\"src_ip\":\"172.31.0.2\",\"src_port\":53,\"dest_ip\":\"172.31.0.204\",\"dest_port\":46414,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":38236,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rrname\":\"rp1.sekoia.io\",\"rrtype\":\"AAAA\",\"rcode\":\"NOERROR\",\"authorities\":[{\"rrname\":\"sekoia.io\",\"rrtype\":\"SOA\",\"ttl\":60}]}}", + "event": { + "category": [ + "network" + ], + "kind": "event", + "type": [ + "connection" + ] + }, + "@timestamp": "2019-12-17T14:09:39.935301Z", + "action": { + "type": "dns" + }, + "destination": { + "address": "172.31.0.204", + "ip": "172.31.0.204", + "port": 46414 + }, + "dns": { + "answers": [ + { + "name": "rp1.sekoia.io", + "type": "AAAA" + } + ], + "id": "38236", + "response_code": "NOERROR", + "size_in_char": 13, + "type": "answer" + }, + "host": { + "ip": "172.31.0.2" + }, + "network": { + "protocol": "UDP" + }, + "related": { + "ip": [ + "172.31.0.2", + "172.31.0.204" + ] + }, + "source": { + "address": "172.31.0.2", + "ip": "172.31.0.2", + "port": 53 + } + } + + ``` + + +=== "dns_answer2.json" + + ```json + + { + "message": 
"{\"src_ip\":\"10.107.208.11\",\"flow_id\":1531972173335705,\"in_iface\":\"eth0\",\"proto\":\"UDP\",\"hostname_info\":{\"tld\":\"cc\",\"subdomain\":\"org.repo.release.build\",\"url\":\"org.repo.release.build.test.com\",\"domain\":\"test.com\",\"host\":\"org.repo.release.build.test.com\",\"domain_without_tld\":\"one\"},\"alerted\":true,\"input\":{\"type\":\"log\"},\"logger\":\"logstash-manager\",\"type\":\"json-log\",\"dns\":{\"grouped\":{\"A\":[\"1.2.3.62\",\"1.2.3.92\",\"1.2.3.3\",\"1.2.3.57\"]},\"rrtype\":\"A\",\"flags\":\"8180\",\"rrname\":\"org.repo.release.build.test.com\",\"type\":\"answer\",\"ra\":true,\"rcode\":\"NOERROR\",\"id\":62415,\"version\":2,\"rd\":true,\"qr\":true},\"see_id\":\"00505689aa0a\",\"@version\":\"1\",\"ether\":{\"src_mac\":\"00:50:56:89:fb:d6\",\"dest_mac\":\"00:50:56:89:f3:ed\"},\"app_proto\":\"dns\",\"dest_port\":53,\"target\":{\"dest\":{\"sequence_total\":2.0,\"fqdn\":\"dc.corp.com\",\"id\":\"dc\",\"hardware_cpu\":8.0,\"egress_networks\":[\"dc_int\"],\"name\":\"DC\",\"visibility\":\"public\",\"vm_name\":\"xs23_dc.corp.com\",\"description\":\"DC Primary Domain Controller\",\"addr\":\"10.107.201.100\",\"hardware_ram\":8.0,\"capabilities\":[],\"id_full\":\"dc-dc_01_t02\",\"services\":[],\"spec_name\":\"dc-dc\",\"hardware_primary_disk_size\":60.0,\"sequence_tag\":\"dc\",\"owner\":\"Allar 
Viik\",\"tags\":[\"int\",\"os_windows\",\"os_windows_server\",\"os_windows_server_2022\",\"bt\",\"team_blue\",\"dc\",\"custom_bt_domain_controller\",\"dc\"],\"role\":\"dc\",\"connection_network\":\"dc_int\",\"id\":\"dc-dc\",\"customization_context\":\"host\"},\"src\":{\"sequence_total\":null,\"fqdn\":\"first.dc.02.corp.com\",\"id\":\"dc\",\"hardware_cpu\":2.0,\"egress_networks\":[\"dc_5g_core\"],\"name\":\"DC\",\"visibility\":\"public\",\"vm_name\":\"dc-vm.corp.com\",\"description\":null,\"addr\":\"10.107.208.11\",\"hardware_ram\":4.0,\"capabilities\":[],\"id_full\":\"first_t02\",\"services\":[],\"spec_name\":\"first\",\"hardware_primary_disk_size\":25.0,\"sequence_tag\":null,\"owner\":\"Julian Sturm\",\"tags\":[\"5g_core\",\"os_linux\",\"os_ubuntu\",\"os_ubuntu_22_04\",\"bt\",\"team_blue\",\"dc\",\"fiveg_db\"],\"role\":\"first\",\"connection_network\":\"dc_5g_core\",\"id\":\"first\",\"customization_context\":\"host\"}},\"@timestamp\":\"2023-12-07T10:51:01.819Z\",\"event_type\":\"dns\",\"timestamp\":\"2023-12-07T10:51:01.819001+0000\",\"agent\":{\"type\":\"filebeat\",\"hostname\":\"probe\",\"id\":\"9f305fa4-6db1-485c-81f9-598dce1469e3\",\"version\":\"7.17.10\",\"name\":\"probe\",\"ephemeral_id\":\"b1db2027-720f-41e4-9798-dc8a0ea21017\"},\"tags\":[\"beats_input_codec_json_applied\"],\"log\":{\"offset\":146571591,\"file\":{\"path\":\"/var/log/suricata/eve-1.json\"}},\"tenant\":2,\"src_port\":38141,\"host\":\"probe\",\"see_name\":\"server\",\"net_info\":{\"src_agg\":\"dc\",\"src\":[\"dc\",\"bt\"],\"dest_agg\":\"dc.bt\",\"dest\":[\"dc\",\"bt\"]},\"dest_ip\":\"10.107.201.100\"}", + "event": { + "category": [ + "network" + ], + "kind": "event", + "type": [ + "connection" + ] + }, + "@timestamp": "2023-12-07T10:51:01.819001Z", + "action": { + "type": "dns" + }, + "destination": { + "address": "10.107.201.100", + "ip": "10.107.201.100", + "port": 53 + }, + "dns": { + "answers": [ + { + "name": "1.2.3.62", + "type": "A" + }, + { + "name": "1.2.3.92", + "type": "A" + }, + { 
+ "name": "1.2.3.3", + "type": "A" + }, + { + "name": "1.2.3.57", + "type": "A" + } + ], + "id": "62415", + "question": { + "name": "org.repo.release.build.test.com", + "registered_domain": "test.com", + "subdomain": "org.repo.release.build", + "top_level_domain": "com", + "type": "A" + }, + "response_code": "NOERROR", + "size_in_char": 31, + "type": "answer" + }, + "host": { + "ip": "10.107.208.11" + }, + "network": { + "protocol": "UDP" + }, + "related": { + "hosts": [ + "org.repo.release.build.test.com" + ], + "ip": [ + "10.107.201.100", + "10.107.208.11" + ] + }, + "source": { + "address": "10.107.208.11", + "ip": "10.107.208.11", + "port": 38141 + } + } + + ``` + + +=== "dns_answers.json" + + ```json + + { + "message": "{\"timestamp\":\"2019-12-17T14:09:39.935301+0000\",\"flow_id\":1335601175718181,\"in_iface\":\"eth0\",\"event_type\":\"dns\",\"src_ip\":\"172.31.0.2\",\"src_port\":53,\"dest_ip\":\"172.31.0.204\",\"dest_port\":46414,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":38236,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"answers\":[{\"rrname\":\"sekoia.io\",\"rrtype\":\"SOA\",\"ttl\":60},{\"rrname\":\"rp1.sekoia.io\",\"rrtype\":\"A\",\"ttl\":10,\"rdata\":\"192.1.10.34\"}]}}", + "event": { + "category": [ + "network" + ], + "kind": "event", + "type": [ + "connection" + ] + }, + "@timestamp": "2019-12-17T14:09:39.935301Z", + "action": { + "type": "dns" + }, + "destination": { + "address": "172.31.0.204", + "ip": "172.31.0.204", + "port": 46414 + }, + "dns": { + "answers": [ + { + "name": "sekoia.io", + "type": "SOA" + }, + { + "name": "rp1.sekoia.io", + "type": "A" + } + ], + "id": "38236", + "response_code": "NOERROR", + "type": "answer" + }, + "host": { + "ip": "172.31.0.2" + }, + "network": { + "protocol": "UDP" + }, + "related": { + "ip": [ + "172.31.0.2", + "172.31.0.204" + ] + }, + "source": { + "address": "172.31.0.2", + "ip": "172.31.0.2", + "port": 53 + } + } + + ``` + + +=== "dns_query.json" 
+ + ```json + + { + "message": "{\"timestamp\":\"2019-12-17T14:10:39.885554+0000\",\"flow_id\":2012569629852466,\"in_iface\":\"eth0\",\"event_type\":\"dns\",\"src_ip\":\"172.31.0.204\",\"src_port\":58107,\"dest_ip\":\"172.31.0.2\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":42259,\"rrname\":\"rp1.sekoia.io\",\"rrtype\":\"A\",\"tx_id\":0}}", + "event": { + "category": [ + "network" + ], + "kind": "event", + "type": [ + "connection" + ] + }, + "@timestamp": "2019-12-17T14:10:39.885554Z", + "action": { + "type": "dns" + }, + "destination": { + "address": "172.31.0.2", + "ip": "172.31.0.2", + "port": 53 + }, + "dns": { + "id": "42259", + "question": { + "name": "rp1.sekoia.io", + "registered_domain": "sekoia.io", + "subdomain": "rp1", + "top_level_domain": "io", + "type": "A" + }, + "size_in_char": 13, + "type": "query" + }, + "host": { + "ip": "172.31.0.204" + }, + "network": { + "protocol": "UDP" + }, + "related": { + "hosts": [ + "rp1.sekoia.io" + ], + "ip": [ + "172.31.0.2", + "172.31.0.204" + ] + }, + "source": { + "address": "172.31.0.204", + "ip": "172.31.0.204", + "port": 58107 + } + } + + ``` + + +=== "flow.json" + + ```json + + { + "message": " {\"timestamp\":\"2024-01-09T15:12:24.540473+0000\",\"flow_id\":1820734905123445,\"in_iface\":\"eth0\",\"event_type\":\"flow\",\"src_ip\":\"10.0.4.4\",\"src_port\":49250,\"dest_ip\":\"1.2.3.4\",\"dest_port\":443,\"proto\":\"TCP\",\"app_proto\":\"tls\",\"flow\":{\"pkts_toserver\":12,\"pkts_toclient\":12,\"bytes_toserver\":1842,\"bytes_toclient\":11086,\"start\":\"2024-01-09T15:07:44.721525+0000\",\"end\":\"2024-01-09T15:07:44.740950+0000\",\"age\":0,\"state\":\"closed\",\"reason\":\"timeout\",\"alerted\":false},\"tcp\":{\"tcp_flags\":\"1b\",\"tcp_flags_ts\":\"1b\",\"tcp_flags_tc\":\"1b\",\"syn\":true,\"fin\":true,\"psh\":true,\"ack\":true,\"state\":\"closed\"}}", + "event": { + "category": [ + "network" + ], + "kind": "event", + "type": [ + "connection" + ] + }, + "@timestamp": 
"2024-01-09T15:12:24.540473Z", + "action": { + "type": "flow" + }, + "destination": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 443 + }, + "host": { + "ip": "10.0.4.4" + }, + "network": { + "protocol": "TCP" + }, + "related": { + "ip": [ + "1.2.3.4", + "10.0.4.4" + ] + }, + "source": { + "address": "10.0.4.4", + "bytes": 1842, + "ip": "10.0.4.4", + "port": 49250 + } + } + + ``` + + +=== "ftp.json" + + ```json + + { + "message": " {\"timestamp\":\"2024-01-08T15:01:19.875607+0000\",\"flow_id\":320394061813648,\"in_iface\":\"eth0\",\"event_type\":\"ftp\",\"src_ip\":\"1.2.3.4\",\"src_port\":58265,\"dest_ip\":\"10.0.4.4\",\"dest_port\":22,\"proto\":\"TCP\",\"tx_id\":0,\"ftp\":{\"command\":\"USER\",\"command_data\":\"anonymous\",\"reply\":[\"SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3\"],\"reply_received\":\"yes\"}}", + "event": { + "category": [ + "network" + ], + "kind": "event", + "type": [ + "connection" + ] + }, + "@timestamp": "2024-01-08T15:01:19.875607Z", + "action": { + "type": "ftp" + }, + "destination": { + "address": "10.0.4.4", + "ip": "10.0.4.4", + "port": 22 + }, + "host": { + "ip": "1.2.3.4" + }, + "network": { + "protocol": "TCP" + }, + "related": { + "ip": [ + "1.2.3.4", + "10.0.4.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 58265 + } + } + + ``` + + +=== "http.json" + + ```json + + { + "message": 
"{\"timestamp\":\"2020-01-27T21:11:18.578947+0000\",\"flow_id\":792581754900635,\"pcap_cnt\":3444,\"event_type\":\"alert\",\"src_ip\":\"10.20.30.101\",\"src_port\":49778,\"dest_ip\":\"203.176.135.102\",\"dest_port\":8082,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"ET.Evil\",\"ET.BotccIP\"]},\"http\":{\"hostname\":\"203.176.135.102\",\"http_port\":8082,\"url\":\"/mor84/DESKTOP-83TKHSQ_W10018363.572D588D45894026346E8F90E07B31E6/90\",\"http_user_agent\":\"KSKJJGJ\",\"http_content_type\":\"text/plain\",\"http_method\":\"POST\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":3},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":8,\"pkts_toclient\":7,\"bytes_toserver\":5427,\"bytes_toclient\":502,\"start\":\"2020-01-27T21:11:16.708763+0000\"},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2100494,\"rev\":12,\"signature\":\"GPL ATTACK_RESPONSE command completed\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"updated_at\":[\"2010_09_23\"],\"created_at\":[\"2010_09_23\"]}}}", + "event": { + "category": [ + "network" + ], + "kind": "alert", + "severity": 2, + "type": [ + "connection" + ] + }, + "@timestamp": "2020-01-27T21:11:18.578947Z", + "action": { + "name": "allowed", + "properties": { + "category": "Potentially Bad Traffic", + "signature": "GPL ATTACK_RESPONSE command completed", + "signature_id": "2100494" + }, + "type": "alert" + }, + "destination": { + "address": "203.176.135.102", + "ip": "203.176.135.102", + "port": 8082 + }, + "host": { + "ip": "10.20.30.101" + }, + "http": { + "request": { + "method": "POST" + }, + "response": { + "bytes": 3, + "mime_type": "text/plain", + "status_code": 200 + }, + "version": "1.1" + }, + "network": { + "protocol": "TCP" + }, + "related": { + "hosts": [ + "203.176.135.102" + ], + "ip": [ + "10.20.30.101", + "203.176.135.102" + ] + }, + "source": { + "address": "10.20.30.101", + "bytes": 5427, + "ip": "10.20.30.101", + "port": 49778 + }, + "url": { + "domain": "203.176.135.102", + 
"original": "/mor84/DESKTOP-83TKHSQ_W10018363.572D588D45894026346E8F90E07B31E6/90", + "path": "/mor84/DESKTOP-83TKHSQ_W10018363.572D588D45894026346E8F90E07B31E6/90" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "KSKJJGJ", + "os": { + "name": "Other" + } + } + } + + ``` + + +=== "smb.json" + + ```json + + { + "message": " {\"timestamp\":\"2024-01-07T20:05:01.422020+0000\",\"flow_id\":293887458056333,\"in_iface\":\"eth0\",\"event_type\":\"smb\",\"src_ip\":\"1.2.3.4\",\"src_port\":49492,\"dest_ip\":\"10.0.4.4\",\"dest_port\":2375,\"proto\":\"TCP\",\"smb\":{\"id\":1,\"dialect\":\"unknown\",\"command\":\"SMB1_COMMAND_NEGOTIATE_PROTOCOL\",\"session_id\":0,\"tree_id\":0,\"client_dialects\":[\"PC NETWORK PROGRAM 1.0\",\"MICROSOFT NETWORKS 1.03\",\"MICROSOFT NETWORKS 3.0\",\"LANMAN1.0\",\"LM1.2X002\",\"Samba\",\"NT LANMAN 1.0\",\"NT LM 0.12\"],\"server_guid\":\"\"}}", + "event": { + "category": [ + "network" + ], + "kind": "event", + "type": [ + "connection" + ] + }, + "@timestamp": "2024-01-07T20:05:01.422020Z", + "action": { + "type": "smb" + }, + "destination": { + "address": "10.0.4.4", + "ip": "10.0.4.4", + "port": 2375 + }, + "host": { + "ip": "1.2.3.4" + }, + "network": { + "protocol": "TCP" + }, + "related": { + "ip": [ + "1.2.3.4", + "10.0.4.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 49492 + } + } + + ``` + + +=== "ssh.json" + + ```json + + { + "message": " {\"timestamp\":\"2024-01-09T15:11:44.835699+0000\",\"flow_id\":694519333924807,\"in_iface\":\"eth0\",\"event_type\":\"ssh\",\"src_ip\":\"1.2.3.4\",\"src_port\":35730,\"dest_ip\":\"10.0.4.4\",\"dest_port\":22,\"proto\":\"TCP\",\"tx_id\":0,\"ssh\":{\"client\":{\"proto_version\":\"2.0\",\"software_version\":\"libssh_0.9.6\"},\"server\":{\"proto_version\":\"2.0\",\"software_version\":\"OpenSSH_8.4p1\"}}}", + "event": { + "category": [ + "network" + ], + "kind": "event", + "type": [ + "connection" + ] + }, + "@timestamp": 
"2024-01-09T15:11:44.835699Z", + "action": { + "type": "ssh" + }, + "destination": { + "address": "10.0.4.4", + "ip": "10.0.4.4", + "port": 22 + }, + "host": { + "ip": "1.2.3.4" + }, + "network": { + "protocol": "TCP" + }, + "related": { + "ip": [ + "1.2.3.4", + "10.0.4.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 35730 + } + } + + ``` + + +=== "stats.json" + + ```json + + { + "message": " {\"timestamp\": \"2024-01-09T15:13:00.667785+0000\", \"event_type\": \"stats\", \"stats\": {\"uptime\": 450501, \"capture\": {\"kernel_packets\": 7349877, \"kernel_drops\": 2158, \"errors\": 0}, \"decoder\": {\"pkts\": 7347719, \"bytes\": 4645180192, \"invalid\": 0, \"ipv4\": 7343837, \"ipv6\": 3882, \"ethernet\": 7347719, \"chdlc\": 0, \"raw\": 0, \"null\": 0, \"sll\": 0, \"tcp\": 7343737, \"udp\": 3859, \"sctp\": 0, \"icmpv4\": 0, \"icmpv6\": 123, \"ppp\": 0, \"pppoe\": 0, \"geneve\": 0, \"gre\": 0, \"vlan\": 0, \"vlan_qinq\": 0, \"vxlan\": 0, \"ieee8021ah\": 0, \"teredo\": 0, \"ipv4_in_ipv6\": 0, \"ipv6_in_ipv6\": 0, \"mpls\": 0, \"avg_pkt_size\": 632, \"max_pkt_size\": 1514, \"max_mac_addrs_src\": 0, \"max_mac_addrs_dst\": 0, \"erspan\": 0, \"event\": {\"ipv4\": {\"pkt_too_small\": 0, \"hlen_too_small\": 0, \"iplen_smaller_than_hlen\": 0, \"trunc_pkt\": 0, \"opt_invalid\": 0, \"opt_invalid_len\": 0, \"opt_malformed\": 0, \"opt_pad_required\": 0, \"opt_eol_required\": 0, \"opt_duplicate\": 0, \"opt_unknown\": 0, \"wrong_ip_version\": 0, \"icmpv6\": 0, \"frag_pkt_too_large\": 0, \"frag_overlap\": 0, \"frag_ignored\": 0}, \"icmpv4\": {\"pkt_too_small\": 0, \"unknown_type\": 0, \"unknown_code\": 0, \"ipv4_trunc_pkt\": 0, \"ipv4_unknown_ver\": 0}, \"icmpv6\": {\"unknown_type\": 0, \"unknown_code\": 0, \"pkt_too_small\": 0, \"ipv6_unknown_version\": 0, \"ipv6_trunc_pkt\": 0, \"mld_message_with_invalid_hl\": 0, \"unassigned_type\": 0, \"experimentation_type\": 0}, \"ipv6\": {\"pkt_too_small\": 0, \"trunc_pkt\": 0, \"trunc_exthdr\": 0, 
\"exthdr_dupl_fh\": 0, \"exthdr_useless_fh\": 0, \"exthdr_dupl_rh\": 0, \"exthdr_dupl_hh\": 0, \"exthdr_dupl_dh\": 0, \"exthdr_dupl_ah\": 0, \"exthdr_dupl_eh\": 0, \"exthdr_invalid_optlen\": 0, \"wrong_ip_version\": 0, \"exthdr_ah_res_not_null\": 0, \"hopopts_unknown_opt\": 0, \"hopopts_only_padding\": 0, \"dstopts_unknown_opt\": 0, \"dstopts_only_padding\": 0, \"rh_type_0\": 0, \"zero_len_padn\": 0, \"fh_non_zero_reserved_field\": 0, \"data_after_none_header\": 0, \"unknown_next_header\": 0, \"icmpv4\": 0, \"frag_pkt_too_large\": 0, \"frag_overlap\": 0, \"frag_ignored\": 0, \"ipv4_in_ipv6_too_small\": 0, \"ipv4_in_ipv6_wrong_version\": 0, \"ipv6_in_ipv6_too_small\": 0, \"ipv6_in_ipv6_wrong_version\": 0}, \"tcp\": {\"pkt_too_small\": 0, \"hlen_too_small\": 0, \"invalid_optlen\": 0, \"opt_invalid_len\": 0, \"opt_duplicate\": 0}, \"udp\": {\"pkt_too_small\": 0, \"hlen_too_small\": 0, \"hlen_invalid\": 0}, \"sll\": {\"pkt_too_small\": 0}, \"ethernet\": {\"pkt_too_small\": 0}, \"ppp\": {\"pkt_too_small\": 0, \"vju_pkt_too_small\": 0, \"ip4_pkt_too_small\": 0, \"ip6_pkt_too_small\": 0, \"wrong_type\": 0, \"unsup_proto\": 0}, \"pppoe\": {\"pkt_too_small\": 0, \"wrong_code\": 0, \"malformed_tags\": 0}, \"gre\": {\"pkt_too_small\": 0, \"wrong_version\": 0, \"version0_recur\": 0, \"version0_flags\": 0, \"version0_hdr_too_big\": 0, \"version0_malformed_sre_hdr\": 0, \"version1_chksum\": 0, \"version1_route\": 0, \"version1_ssr\": 0, \"version1_recur\": 0, \"version1_flags\": 0, \"version1_no_key\": 0, \"version1_wrong_protocol\": 0, \"version1_malformed_sre_hdr\": 0, \"version1_hdr_too_big\": 0}, \"vlan\": {\"header_too_small\": 0, \"unknown_type\": 0, \"too_many_layers\": 0}, \"ieee8021ah\": {\"header_too_small\": 0}, \"ipraw\": {\"invalid_ip_version\": 0}, \"ltnull\": {\"pkt_too_small\": 0, \"unsupported_type\": 0}, \"sctp\": {\"pkt_too_small\": 0}, \"mpls\": {\"header_too_small\": 0, \"pkt_too_small\": 0, \"bad_label_router_alert\": 0, \"bad_label_implicit_null\": 0, 
\"bad_label_reserved\": 0, \"unknown_payload_type\": 0}, \"vxlan\": {\"unknown_payload_type\": 0}, \"geneve\": {\"unknown_payload_type\": 0}, \"erspan\": {\"header_too_small\": 0, \"unsupported_version\": 0, \"too_many_vlan_layers\": 0}, \"dce\": {\"pkt_too_small\": 0}}}, \"flow\": {\"memcap\": 0, \"tcp\": 181930, \"udp\": 3809, \"icmpv4\": 0, \"icmpv6\": 123, \"tcp_reuse\": 212, \"get_used\": 0, \"get_used_eval\": 0, \"get_used_eval_reject\": 0, \"get_used_eval_busy\": 0, \"get_used_failed\": 0, \"wrk\": {\"spare_sync_avg\": 100, \"spare_sync\": 181, \"spare_sync_incomplete\": 0, \"spare_sync_empty\": 0, \"flows_evicted_needs_work\": 165396, \"flows_evicted_pkt_inject\": 182621, \"flows_evicted\": 2891, \"flows_injected\": 164908}, \"mgr\": {\"full_hash_pass\": 1878, \"closed_pruned\": 0, \"new_pruned\": 0, \"est_pruned\": 0, \"bypassed_pruned\": 0, \"rows_maxlen\": 2, \"flows_checked\": 233704, \"flows_notimeout\": 50882, \"flows_timeout\": 182822, \"flows_timeout_inuse\": 0, \"flows_evicted\": 182893, \"flows_evicted_needs_work\": 164908}, \"spare\": 9885, \"emerg_mode_entered\": 0, \"emerg_mode_over\": 0, \"memuse\": 7474304}, \"defrag\": {\"ipv4\": {\"fragments\": 0, \"reassembled\": 0, \"timeouts\": 0}, \"ipv6\": {\"fragments\": 0, \"reassembled\": 0, \"timeouts\": 0}, \"max_frag_hits\": 0}, \"flow_bypassed\": {\"local_pkts\": 14998, \"local_bytes\": 989868, \"local_capture_pkts\": 0, \"local_capture_bytes\": 0, \"closed\": 0, \"pkts\": 0, \"bytes\": 0}, \"tcp\": {\"sessions\": 174905, \"ssn_memcap_drop\": 0, \"pseudo\": 0, \"pseudo_failed\": 0, \"invalid_checksum\": 1111, \"no_flow\": 0, \"syn\": 175192, \"synack\": 183305, \"rst\": 10555, \"midstream_pickups\": 0, \"pkt_on_wrong_thread\": 0, \"segment_memcap_drop\": 0, \"stream_depth_reached\": 83, \"reassembly_gap\": 6, \"overlap\": 2270, \"overlap_diff_data\": 0, \"insert_data_normal_fail\": 0, \"insert_data_overlap_fail\": 0, \"insert_list_fail\": 0, \"memuse\": 1146920, \"reassembly_memuse\": 731180}, 
\"detect\": {\"engines\": [{\"id\": 0, \"last_reload\": \"2024-01-04T10:04:39.457663+0000\", \"rules_loaded\": 57, \"rules_failed\": 2}], \"alert\": 7500}, \"app_layer\": {\"flow\": {\"http\": 8109, \"ftp\": 1, \"smtp\": 0, \"tls\": 148529, \"ssh\": 16650, \"imap\": 0, \"smb\": 0, \"dcerpc_tcp\": 0, \"dns_tcp\": 0, \"nfs_tcp\": 0, \"ntp\": 0, \"ftp-data\": 0, \"tftp\": 0, \"ikev2\": 0, \"krb5_tcp\": 0, \"dhcp\": 0, \"snmp\": 0, \"sip\": 0, \"rfb\": 0, \"mqtt\": 0, \"rdp\": 0, \"failed_tcp\": 16, \"dcerpc_udp\": 0, \"dns_udp\": 50, \"nfs_udp\": 0, \"krb5_udp\": 0, \"failed_udp\": 3759}, \"tx\": {\"http\": 8145, \"ftp\": 1, \"smtp\": 0, \"tls\": 0, \"ssh\": 0, \"imap\": 0, \"smb\": 1, \"dcerpc_tcp\": 0, \"dns_tcp\": 0, \"nfs_tcp\": 0, \"ntp\": 0, \"ftp-data\": 0, \"tftp\": 0, \"ikev2\": 0, \"krb5_tcp\": 0, \"dhcp\": 0, \"snmp\": 0, \"sip\": 0, \"rfb\": 0, \"mqtt\": 0, \"rdp\": 0, \"dcerpc_udp\": 0, \"dns_udp\": 100, \"nfs_udp\": 0, \"krb5_udp\": 0}, \"expectations\": 0}, \"http\": {\"memuse\": 160825, \"memcap\": 0}, \"ftp\": {\"memuse\": 0, \"memcap\": 0}}}", + "event": { + "category": [ + "network" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2024-01-09T15:13:00.667785Z", + "action": { + "type": "stats" + } + } + + ``` + + +=== "tls.json" + + ```json + + { + "message": "{\"timestamp\":\"2020-01-27T21:27:10.693784+0000\",\"flow_id\":1303642123387833,\"pcap_cnt\":4623,\"src_ip\":\"190.214.13.2\",\"src_port\":449,\"dest_ip\":\"10.20.30.101\",\"dest_port\":49791,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"ET.Evil\",\"ET.BotccIP\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2011540,\"rev\":6,\"signature\":\"ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)\",\"category\":\"Not Suspicious Traffic\",\"severity\":3,\"metadata\":{\"updated_at\":[\"2017_11_27\"],\"created_at\":[\"2010_09_27\"],\"former_category\":[\"POLICY\"]}},\"tls\":{\"subject\":\"C=AU, ST=Some-State, O=Internet Widgits Pty 
Ltd\",\"issuerdn\":\"C=AU, ST=Some-State, O=InternetWidgitsPtyLtd\",\"serial\":\"00:A8:B9:FF:C1:BD:D5:7E:02\",\"fingerprint\":\"0b:92:69:6e:6e:9e:54:22:8b:fa:61:d3:be:be:5b:0e:d6:b6:1c:80\",\"version\":\"TLSv1\",\"notbefore\":\"2019-12-12T13:14:43\",\"notafter\":\"2020-12-11T13:14:43\",\"ja3\":{}},\"app_proto\":\"tls\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":4,\"bytes_toserver\":675,\"bytes_toclient\":1500,\"start\":\"2020-01-27T21:27:09.705465+0000\"}}", + "event": { + "category": [ + "network" + ], + "kind": "event", + "severity": 3, + "type": [ + "connection" + ] + }, + "@timestamp": "2020-01-27T21:27:10.693784Z", + "action": { + "name": "allowed", + "properties": { + "category": "Not Suspicious Traffic", + "signature": "ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)", + "signature_id": "2011540" + } + }, + "destination": { + "address": "10.20.30.101", + "ip": "10.20.30.101", + "port": 49791 + }, + "host": { + "ip": "190.214.13.2" + }, + "network": { + "protocol": "TCP" + }, + "related": { + "ip": [ + "10.20.30.101", + "190.214.13.2" + ] + }, + "source": { + "address": "190.214.13.2", + "bytes": 675, + "ip": "190.214.13.2", + "port": 449 + }, + "tls": { + "client": { + "issuer": "C=AU, ST=Some-State, O=InternetWidgitsPtyLtd", + "ja3": "{}", + "not_after": "2020-12-11T13:14:43Z", + "not_before": "2019-12-12T13:14:43Z", + "subject": "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd" + }, + "version": "TLSv1" + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. 
| +|`action.name` | `keyword` | | +|`action.properties.category` | `keyword` | | +|`action.properties.severity` | `keyword` | | +|`action.properties.signature` | `keyword` | | +|`action.properties.signature_id` | `keyword` | | +|`action.type` | `keyword` | | +|`destination.ip` | `ip` | IP address of the destination. | +|`destination.port` | `long` | Port of the destination. | +|`dns.answers` | `object` | Array of DNS answers. | +|`dns.id` | `keyword` | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | +|`dns.response_code` | `keyword` | The DNS response code. | +|`dns.size_in_char` | `number` | | +|`dns.type` | `keyword` | The type of DNS event captured, query or answer. | +|`event.action` | `keyword` | The action captured by the event. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.severity` | `long` | Numeric severity of the event. | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`host.ip` | `ip` | Host ip addresses. | +|`host.name` | `keyword` | Name of the host. | +|`http.request.method` | `keyword` | HTTP request method. | +|`http.request.referrer` | `keyword` | Referrer for this HTTP request. | +|`http.response.bytes` | `long` | Total size in bytes of the response (body and headers). | +|`http.response.mime_type` | `keyword` | Mime type of the body of the response. | +|`http.response.status_code` | `long` | HTTP response status code. | +|`http.version` | `keyword` | HTTP version. | +|`network.community_id` | `keyword` | A hash of source and destination IPs and ports. | +|`network.protocol` | `keyword` | Application protocol name. | +|`source.bytes` | `long` | Bytes sent from the source to the destination. | +|`source.ip` | `ip` | IP address of the source. 
| +|`source.port` | `long` | Port of the source. | +|`tls.client.issuer` | `keyword` | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. | +|`tls.client.ja3` | `keyword` | A hash that identifies clients based on how they perform an SSL/TLS handshake. | +|`tls.client.not_after` | `date` | Date/Time indicating when client certificate is no longer considered valid. | +|`tls.client.not_before` | `date` | Date/Time indicating when client certificate is first considered valid. | +|`tls.client.server_name` | `keyword` | Hostname the client is trying to connect to. Also called the SNI. | +|`tls.client.subject` | `keyword` | Distinguished name of subject of the x.509 certificate presented by the client. | +|`tls.version` | `keyword` | Numeric part of the version parsed from the original string. | +|`url.domain` | `keyword` | Domain of the url. | +|`url.original` | `wildcard` | Unmodified original url as seen in the event source. | +|`user_agent.original` | `keyword` | Unparsed user_agent string. | + diff --git a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md index 303e8b5803..4d9ed0211a 100644 --- a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md +++ b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md @@ -941,6 +941,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": "192.168.120.41", "port": 2525 }, + "network": { + "direction": "outbound" + }, "host": { "domain": "EXAMPLE", "hostname": "EXCHANGE", @@ -1007,6 +1010,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": "172.31.9.222", "port": 3389 }, + "network": { + "direction": "inbound" + }, "host": { "domain": "WORKGROUP", "hostname": "REDACTED", 
diff --git a/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md b/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md index da4c307763..85edaae24a 100644 --- a/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md +++ b/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md @@ -2429,42 +2429,42 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code_signature": { "exists": false }, - "command_line": " /bin/sh -c ip -6 -a -o address", - "executable": "/usr/bin/dash", + "command_line": " ip -6 -a -o address", + "executable": "/usr/bin/ip", "hash": { - "sha1": "827265afe07691a445674eb09e0eb4fd025dbd43" + "sha1": "3c954614f2c9af7181e4d00e00ab4485e4a9c33f" }, - "name": "dash", + "name": "ip", "parent": { "code_signature": { "exists": false }, - "command_line": " python3 -u /usr/sbin/waagent -run-exthandlers", - "executable": "/usr/bin/python3.9", + "command_line": " /bin/sh -c ip -6 -a -o address", + "executable": "/usr/bin/dash", "hash": { - "sha1": "50e2a658cfe2243cfe3e6f722f049b0ba377b7e4" + "sha1": "827265afe07691a445674eb09e0eb4fd025dbd43" }, - "name": "python3.9", - "pid": 911, + "name": "dash", + "pid": 1517, "real_user": { "id": "0", "name": "root" }, "start": "2023-04-12T14:05:32.200000Z", - "title": "python3.9", + "title": "dash", "user": { "id": "0", "name": "root" }, "working_directory": "/usr/bin" }, - "pid": 1517, + "pid": 1518, "real_user": { "id": "0", "name": "root" }, "start": "2023-04-12T14:24:34.590000Z", - "title": "dash", + "title": "ip", "user": { "id": "0", "name": "root" @@ -2473,7 +2473,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "related": { "hash": [ - "50e2a658cfe2243cfe3e6f722f049b0ba377b7e4", + "3c954614f2c9af7181e4d00e00ab4485e4a9c33f", "827265afe07691a445674eb09e0eb4fd025dbd43" ], "user": [ 
@@ -3102,50 +3102,54 @@ Find below few samples of events and how they are normalized by Sekoia.io. "exists": true, "subject_name": "MICROSOFT WINDOWS" }, - "command_line": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p", - "executable": "C:\\Windows\\System32\\svchost.exe", + "command_line": "C:\\Windows\\System32\\RuntimeBroker.exe -Embedding", + "executable": "C:\\Windows\\System32\\RuntimeBroker.exe", "hash": { - "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", - "sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1", - "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88" + "md5": "ba4cfe6461afa1004c52f19c8f2169dc", + "sha1": "ab8539ef6b2a93ff9589dec4b34a0257b6296c92", + "sha256": "e86870769ee6c797e09457bd99c58d9bf2303cf0193a24ef9b1222c2c3daf628" }, - "name": "svchost.exe", + "name": "RuntimeBroker.exe", "parent": { "code_signature": { "exists": true, "subject_name": "MICROSOFT WINDOWS" }, - "command_line": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p", - "executable": "C:\\Windows\\System32\\svchost.exe", + "command_line": "\"C:\\Windows\\system32\\BackgroundTaskHost.exe\" -ServerName:BackgroundTaskHost.WebAccountProvider", + "executable": "C:\\Windows\\System32\\backgroundTaskHost.exe", "hash": { - "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", - "sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1", - "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88" + "md5": "da7063b17dbb8bbb3015351016868006", + "sha1": "c6e63c7aae9c4e07e15c1717872c0c73f3d4fb09", + "sha256": "20330d3ca71d58f4aeb432676cb6a3d5b97005954e45132fb083e90782efdd50" }, - "name": "svchost.exe", + "name": "backgroundTaskHost.exe", + "pid": 2096, "process": { "pid": "852" }, "start": "2023-03-21T10:33:49.780000Z", - "title": "Host Process for Windows Services", + "title": "Background Task Host", "user": { - "name": "NT AUTHORITY\\SYSTEM" + "name": "desktop-jdoe\\john.doe" }, "working_directory": "C:\\Windows\\System32" }, - "pid": 852, - "start": 
"2023-03-21T10:33:49.780000Z", - "title": "Host Process for Windows Services", + "pid": 3212, + "start": "2023-03-21T13:39:25.867000Z", + "title": "Runtime Broker", "user": { - "name": "NT AUTHORITY\\SYSTEM" + "name": "desktop-jdoe\\john.doe" }, "working_directory": "C:\\Windows\\System32" }, "related": { "hash": [ - "1bc5066ddf693fc034d6514618854e26a84fd0d1", - "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", - "b7f884c1b74a263f746ee12a5f7c9f6a" + "20330d3ca71d58f4aeb432676cb6a3d5b97005954e45132fb083e90782efdd50", + "ab8539ef6b2a93ff9589dec4b34a0257b6296c92", + "ba4cfe6461afa1004c52f19c8f2169dc", + "c6e63c7aae9c4e07e15c1717872c0c73f3d4fb09", + "da7063b17dbb8bbb3015351016868006", + "e86870769ee6c797e09457bd99c58d9bf2303cf0193a24ef9b1222c2c3daf628" ], "user": [ "SYSTEM" diff --git a/_shared_content/operations_center/integrations/generated/428035c0-a251-4664-8e58-fed15f4e442c.md b/_shared_content/operations_center/integrations/generated/428035c0-a251-4664-8e58-fed15f4e442c.md deleted file mode 100644 index 7aac5bacfa..0000000000 --- a/_shared_content/operations_center/integrations/generated/428035c0-a251-4664-8e58-fed15f4e442c.md +++ /dev/null @@ -1,21 +0,0 @@ - -## Event Categories - - -The following table lists the data source offered by this integration. - -| Data Source | Description | -| ----------- | ------------------------------------ | -| `Network intrusion detection system` | Zeek signature framework provides this capability | -| `Network protocol analysis` | packet analysis capabilities are available by default | -| `DNS records` | DNS queries intercepted by Zeek | -| `Web logs` | Zeek captures the HTTP traffic | - - - - - - - - - diff --git a/_shared_content/operations_center/integrations/generated/7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5.md b/_shared_content/operations_center/integrations/generated/7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5.md index 666522b91c..9503891b4c 100644 
--- a/_shared_content/operations_center/integrations/generated/7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5.md +++ b/_shared_content/operations_center/integrations/generated/7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5.md @@ -499,6 +499,58 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_event_sys31437.json" + + ```json + + { + "message": "id=firewall time=\"2024-01-12 23:00:22\" pri=6 fw=8.8.8.8 vpn=EX023-V6 user=System realm=\"\" roles=\"\" type=mgmt proto= src=1.2.3.4 dst= dstname= sent= rcvd= msg=\"SYS31437: Successful syslog connection to peer: '3.4.5.6'\"", + "event": { + "category": [ + "network" + ], + "code": "SYS31437", + "reason": " Successful syslog connection to peer: '3.4.5.6'", + "type": [ + "info" + ] + }, + "action": { + "name": "SYS31437" + }, + "network": { + "forwarded_ip": "8.8.8.8" + }, + "observer": { + "ip": [ + "8.8.8.8" + ] + }, + "related": { + "ip": [ + "3.4.5.6", + "8.8.8.8" + ], + "user": [ + "System" + ] + }, + "service": { + "name": "EX023-V6", + "type": "mgmt" + }, + "source": { + "address": "3.4.5.6", + "ip": "3.4.5.6" + }, + "user": { + "name": "System" + } + } + + ``` + + === "test_event_sys32083.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md index efd2bd222c..2d3fe13ae4 100644 --- a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md +++ b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md 
@@ -771,26 +771,28 @@ Find below few samples of events and how they are normalized by Sekoia.io. ```json { - "message": "1,2023/06/28 14:40:42,015451000032715,GLOBALPROTECT,0,2562,2023/06/28 14:40:42,vsys1,gateway-config-release,configuration,,,example.org\\\\test,EN,2021-02707,88.120.236.74,0.0.0.0,10.0.0.232,0.0.0.0,8f0fd1d3-5d3b-49c3-9bee-247ff89a52f3,DFN3535D,6.0.4,Windows,\\\"Microsoft Windows 10 Enterprise , 64-bit\\\",1,,,,success,,0,,0,VPN_GATEWAY,5555555555555555555,0x8000000000000000,2023-06-28T14:40:43.134+02:00,,,,,,0,0,0,0,,VPN-DOM-01,1\n", + "message": "1,2023/06/28 14:40:42,015451000032715,GLOBALPROTECT,0,2562,2023/06/28 14:40:42,vsys1,gateway-config-release,configuration,,,example.org\\\\test,EN,2021-02707,88.120.236.74,0.0.0.0,10.0.0.232,0.0.0.0,8f0fd1d3-5d3b-49c3-9bee-247ff89a52f3,DFN3535D,6.0.4,Windows,\"Microsoft Windows 10 Enterprise , 64-bit\",1,,,,success,,0,,0,VPN_GATEWAY,5555555555555555555,0x8000000000000000,2023-06-28T14:40:43.134+02:00,,,,,,0,0,0,0,,VPN-DOM-01,1\n", "event": { "category": [ "session" ], "dataset": "globalprotect", "kind": "event", + "outcome": "success", "type": [ "info" ] }, - "@timestamp": "2023-06-28T14:40:42Z", + "@timestamp": "2023-06-28T12:40:43.134000Z", "action": { "name": "gateway-config-release", + "outcome": "success", "type": "0" }, "host": { "name": "2021-02707", "os": { - "version": "\\\"Microsoft Windows 10 Enterprise " + "version": "Microsoft Windows 10 Enterprise , 64-bit" } }, "log": { @@ -832,7 +834,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user_agent": { "os": { "name": "Windows", - "version": "\\\"Microsoft Windows 10 Enterprise " + "version": "Microsoft Windows 10 Enterprise , 64-bit" } } } 
@@ -1459,6 +1461,85 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_globalprotect.json" + + ```json + + { + "message": "1,2024/01/12 11:41:42,015451000023232323,GLOBALPROTECT,0,2562,2024/01/12 11:41:42,vsys1,gateway-switch-to-ssl,tunnel,,SSLVPN,test.fr\\JDOE,FR,2023-01724,1.2.3.4,0.0.0.0,1.2.3.4,0.0.0.0,662f0b44-e024-4a70,PF000000,6.0.4,Windows,\"Microsoft Windows 10 Enterprise , 64-bit\",1,,,,success,,0,,0,CD78_VPN_GP_GATEWAY,5555555555555555555,0x8000000000000000,2024-01-12T11:41:43.895+02:00,,,,,,0,0,0,0,,test-01-01,1", + "event": { + "category": [ + "session" + ], + "dataset": "globalprotect", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-01-12T09:41:43.895000Z", + "action": { + "name": "gateway-switch-to-ssl", + "outcome": "success", + "type": "0" + }, + "host": { + "name": "2023-01724", + "os": { + "version": "Microsoft Windows 10 Enterprise , 64-bit" + } + }, + "log": { + "logger": "globalprotect" + }, + "network": { + "type": "SSLVPN" + }, + "observer": { + "product": "PAN-OS", + "serial_number": "PF000000" + }, + "paloalto": { + "EventID": "gateway-switch-to-ssl", + "Threat_ContentType": "0", + "VirtualLocation": "vsys1", + "connection": { + "stage": "tunnel" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "test.fr\\JDOE" + ] + }, + "source": { + "address": "1.2.3.4", + "geo": { + "country_iso_code": "FR" + }, + "ip": "1.2.3.4", + "user": { + "name": "test.fr\\JDOE" + } + }, + "user": { + "name": "test.fr\\JDOE" + }, + "user_agent": { + "os": { + "name": "Windows", + "version": "Microsoft Windows 10 Enterprise , 64-bit" + } + } + } + + ``` + + === "test_installed_package_json.json" ```json 
@@ -1657,6 +1738,53 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_system.json" + + ```json + + { + "message": "1,2024/01/12 22:47:26,016201000000,SYSTEM,vpn,2222,2024/01/12 22:47:27,,test-event,,0,0,general,informational,\"unknown test peer\",55555555555555555,0x0,0,0,0,0,,test-1,0,0,2024-01-12T22:47:27.652+11:00", + "event": { + "category": [ + "network" + ], + "dataset": "system", + "kind": "event", + "reason": "unknown test peer", + "type": [ + "info" + ] + }, + "@timestamp": "2024-01-12T11:47:27.652000Z", + "action": { + "name": "test-event", + "type": "vpn" + }, + "host": { + "name": "test-1" + }, + "log": { + "hostname": "test-1", + "level": "informational", + "logger": "system" + }, + "observer": { + "product": "PAN-OS", + "serial_number": "016201000000" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "EventID": "test-event", + "Threat_ContentType": "vpn" + } + } + + ``` + + === "test_system_event_10_json.json" ```json 
@@ -2235,33 +2363,123 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_threat.json" + + ```json + + { + "message": "1,2024/01/12 11:21:15,016201000000,THREAT,url,2562,2024/01/12 11:21:15,1.2.3.4,5.6.7.8,9.10.11.12,0.0.0.0,SAAS vers log,,,ssl,vsys1,Outside,test-Externe,a11.30,a11.25,Panorama,2024/01/12 11:21:15,200000,1,58444,2222,58444,2222,0x50b444,tcp,alert,\"test.fr:9999/\",(9999),test,informational,client-to-server,55555555555555555555,0x8000000000000000,US,France,,,0,,,0,,,,,,,,0,0,0,0,0,,TEST-01,,,,,0,,0,,N/A,N/A,AppThreat-0-0,0x0,0,4294967295,,\"test,low-risk\",96eeeef8-bd9c-4145,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-01-12T11:21:15.190+01:00,,,,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no,", + "event": { + "category": [ + "network" + ], + "dataset": "threat", + "kind": "event", + "outcome": "success", + "reason": "(9999)", + "type": [ + "info" + ] + }, + "@timestamp": "2024-01-12T10:21:15.190000Z", + "action": { + "name": "alert", + "outcome": "success", + "type": "url" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "nat": { + "ip": "0.0.0.0", + "port": 2222 + }, + "port": 2222 + }, + "file": { + "name": "test.fr:9999/", + "path": "test.fr:9999/" + }, + "host": { + "name": "TEST-01" + }, + "log": { + "hostname": "TEST-01", + "level": "informational", + "logger": "threat" + }, + "network": { + "application": "ssl", + "transport": "tcp" + }, + "observer": { + "product": "PAN-OS", + "serial_number": "016201000000" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "url", + "VirtualLocation": "vsys1" + }, + "related": { + "ip": [ + "0.0.0.0", + "1.2.3.4", + "5.6.7.8", + "9.10.11.12" + ] + }, + "rule": { + "name": "SAAS vers log", + "uuid": "96eeeef8-bd9c-4145" + }, + "source": { + 
"address": "1.2.3.4", + "geo": { + "country_iso_code": "US" + }, + "ip": "1.2.3.4", + "nat": { + "ip": "9.10.11.12", + "port": 58444 + }, + "port": 58444 + } + } + + ``` + + === "test_timestamp_palo.json" ```json { - "message": ": 1,2023/08/01 04:03:24,026701002348,SYSTEM,general,2816,2023/08/01 04:03:24,,general,,0,0,general,informational,\"Request made to server \"\"app-registry-service.apps.paloaltonetworks.com\"\" is successful . \",7261972653022396272,0x8000000000000000,0,0,0,0,,fwwan-hdr,0,0,2023-08-01T04:03:24.705+02:00", + "message": ": 1,2023/08/01 04:03:24,026701002348,SYSTEM,general,2816,2023/08/01 04:03:24,,general,,0,0,general,informational,\"Request made to server \"\"server_test.com\"\" is successful . \",7261972653022396272,0x8000000000000000,0,0,0,0,,test-01,0,0,2023-08-01T04:03:24.705+02:00", "event": { "category": [ "host" ], "dataset": "system", "kind": "event", - "reason": "Request made to server \"app-registry-service.apps.paloaltonetworks.com\" is successful . ", + "reason": "Request made to server \"server_test.com\" is successful . ", "type": [ "info" ] }, - "@timestamp": "2023-08-01T04:03:24Z", + "@timestamp": "2023-08-01T02:03:24.705000Z", "action": { "name": "general", "type": "general" }, "host": { - "name": "fwwan-hdr" + "name": "test-01" }, "log": { - "hostname": "fwwan-hdr", + "hostname": "test-01", "level": "informational", "logger": "system" }, 
@@ -2626,6 +2844,71 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_userid.json" + + ```json + + { + "message": "1,2024/01/12 11:23:33,01545100000000,USERID,login,2222,2024/01/12 11:23:33,vsys1,1.2.3.4,test.fr\\JDOE,,0,1,10888,0,0,vpn-client,globalprotect,555555555555555555555555,0x8000000000000000,0,0,0,0,,test-01,1,,2024/01/12 11:23:33,1,0x80000000,dtest,,2024-01-12T11:23:33.907+01:00", + "event": { + "category": [ + "authentication" + ], + "dataset": "userid", + "kind": "event", + "type": [ + "start" + ] + }, + "@timestamp": "2024-01-12T10:23:33.907000Z", + "action": { + "type": "login" + }, + "destination": { + "port": 0 + }, + "host": { + "name": "test-01" + }, + "log": { + "hostname": "test-01", + "logger": "userid" + }, + "observer": { + "product": "PAN-OS", + "serial_number": "01545100000000" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "EventID": "0", + "Threat_ContentType": "login", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "test.fr\\JDOE" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 0 + }, + "user": { + "name": "test.fr\\JDOE" + } + } + + ``` + + === "test_web_authentication_json.json" ```json diff --git a/_shared_content/operations_center/integrations/generated/916c13a8-c109-49f0-94db-d6a2300f5580.md b/_shared_content/operations_center/integrations/generated/916c13a8-c109-49f0-94db-d6a2300f5580.md new file mode 100644 index 0000000000..83790d56f9 --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/916c13a8-c109-49f0-94db-d6a2300f5580.md 
@@ -0,0 +1,125 @@ + +## Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Web application firewall logs` | Fastly WAF protects web application with its web application firewall | + + + + + +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `alert` | +| Category | `network` | +| Type | `` | + + + + +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "test_sample.json" + + ```json + + { + "message": "{\"id\": \"54de69dcba53b02fbf000018\", \"timestamp\": \"2015-02-13T21:17:16Z\", \"source\": \"162.245.23.109\", \"remoteCountryCode\": \"AU\", \"remoteHostname\": \"\", \"userAgents\": [\"Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)\"], \"action\": \"flagged\", \"type\": \"attack\", \"reasons\": {\"SQLI\": 99}, \"requestCount\": 1, \"tagCount\": 1, \"window\": 60, \"expires\": \"2015-02-14T21:17:16Z\", \"expiredBy\": \"\"}", + "event": { + "action": "flagged", + "category": [ + "network" + ], + "kind": "alert", + "module": "fastly.waf", + "type": [ + "denied" + ] + }, + "@timestamp": "2015-02-13T21:17:16Z", + "fastly": { + "waf": { + "expires": "2015-02-14T21:17:16Z", + "reasons": { + "SQLI": 99 + }, + "request_count": 1, + "tag_count": 1, + "user_agents": [ + "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" + ], + "window": 60 + } + }, + "host": { + "geo": { + "country_iso_code": "AU" + } + }, + "observer": { + "product": "Fastly Next-Gen WAF", + "vendor": "Fastly" + }, + "related": { + "ip": [ + "162.245.23.109" + ] + }, + "source": { + "address": "162.245.23.109", + "ip": "162.245.23.109" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "IE", + "original": "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)", + "os": { + "name": "Windows", + "version": "2000" + }, 
+ "version": "5.5" + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | +|`event.action` | `keyword` | The action captured by the event. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.module` | `keyword` | Name of the module this data is coming from. | +|`fastly.waf.expired_by` | `keyword` | Email of the user if the event is expired manually | +|`fastly.waf.expires` | `keyword` | Expires RFC3339 date time | +|`fastly.waf.reasons` | `object` | Key attack type - value number of | +|`fastly.waf.request_count` | `long` | Total number of requests | +|`fastly.waf.tag_count` | `long` | Total number of tags | +|`fastly.waf.user_agents` | `keyword` | | +|`fastly.waf.window` | `long` | Time window in seconds where the items were detected | +|`host.geo.country_iso_code` | `keyword` | Country ISO code. | +|`host.name` | `keyword` | Name of the host. | +|`observer.product` | `keyword` | The product name of the observer. | +|`observer.vendor` | `keyword` | Vendor name of the observer. | +|`source.ip` | `ip` | IP address of the source. | +|`user_agent.original` | `keyword` | Unparsed user_agent string. | + diff --git a/_shared_content/operations_center/integrations/generated/954a6488-6394-4385-8427-621541e881d5.md b/_shared_content/operations_center/integrations/generated/954a6488-6394-4385-8427-621541e881d5.md new file mode 100644 index 0000000000..818d32f8aa --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/954a6488-6394-4385-8427-621541e881d5.md 
@@ -0,0 +1,258 @@ + +## Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Anti-virus` | Trellix EDR firewall can be configured to perform malware analysis. | + + + + + +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `alert`, `event` | +| Category | `` | +| Type | `["info"]` | + + + + +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "affectedhost_event.json" + + ```json + + { + "message": "{\"id\":\"649889\",\"type\":\"affected-hosts\",\"threatId\":\"182612\",\"attributes\":{\"detectionsCount\":0,\"severity\":\"s0\",\"rank\":270,\"firstDetected\":\"2023-09-25T15:00:20.994Z\",\"host\":{\"aGuid\":\"6D0A37A8-B5B7-4414-9444-A2B17721642B\",\"hostname\":\"hostname\",\"epoTags\":[\"string\"],\"os\":{\"major\":0,\"minor\":0,\"build\":0,\"sp\":\"string\",\"desc\":\"string\"},\"netInterfaces\":[{\"name\":\"string\",\"macAddress\":\"mac1\",\"ip\":\"1.2.3.4\",\"type\":0},{\"name\":\"string\",\"macAddress\":\"mac2\",\"ip\":\"1.2.3.5\",\"type\":0},{\"name\":\"string\",\"macAddress\":\"mac3\",\"type\":0},{\"name\":\"string\",\"ip\":\"1.2.3.6\",\"type\":0}],\"lastBootTime\":\"2023-09-25T15:00:20.994Z\",\"traceExtendedVisibility\":0,\"hostOs\":\"string\"}}}", + "event": { + "category": [ + "host" + ], + "kind": "event", + "start": "2023-09-25T15:00:20.994000Z", + "type": [ + "info" + ] + }, + "host": { + "id": "6D0A37A8-B5B7-4414-9444-A2B17721642B", + "ip": [ + "1.2.3.4", + "1.2.3.5", + "1.2.3.6" + ], + "mac": [ + "mac1", + "mac2", + "mac3" + ], + "name": "hostname", + "os": { + "full": "string", + "version": "0.0.0" + } + }, + "observer": { + "product": "EDR", + "vendor": "Trellix" + }, + "related": { + "ip": [ + "1.2.3.4", + "1.2.3.5", + "1.2.3.6" + ] + }, + "trellix": { + "edr": { + "threat": { + 
"id": "182612" + } + } + } + } + + ``` + + +=== "alert_event.json" + + ```json + + { + "message": "{\"type\":\"alert\",\"attributes\":{\"traceId\":\"trace_id_test\",\"parentTraceId\":\"parent_trace_id_1\",\"rootTraceId\":\"trace_id_1\",\"aGuid\":\"guid-1\",\"detectionDate\":\"2022-01-01\",\"eventDate\":\"2022-01-01\",\"eventType\":\"event_type_1\",\"severity\":\"s0\",\"score\":333,\"detectionTags\":[\"tag1\",\"tag2\"],\"relatedTraceIds\":[\"relatedTraceId1\",\"relatedTraceId2\"],\"ruleId\":\"rule_id_1\",\"rank\":321,\"pid\":123,\"version\":\"v1.0.0\",\"parentsTraceId\":[\"traceId1\",\"traceId2\"],\"processName\":\"sysprocess\",\"user\":\"user1\",\"cmdLine\":\"testcommandline\",\"hashId\":\"hashId_value\",\"h_os\":\"hostOS\",\"hostName\":\"host_value\",\"domain\":\"domain.test\"}}", + "event": { + "category": [ + "malware" + ], + "kind": "alert", + "type": [ + "info" + ] + }, + "@timestamp": "2022-01-01T00:00:00Z", + "host": { + "name": "host_value", + "os": { + "full": "hostOS" + } + }, + "observer": { + "product": "EDR", + "vendor": "Trellix" + }, + "process": { + "command_line": "testcommandline", + "name": "sysprocess", + "pid": 123 + }, + "related": { + "user": [ + "user1" + ] + }, + "rule": { + "id": "rule_id_1" + }, + "user": { + "name": "user1" + } + } + + ``` + + +=== "detection_event.json" + + ```json + + { + "message": "{\"type\":\"detections\",\"id\":\"652404\",\"threatId\":\"182612\",\"attributes\":{\"traceId\":\"9a718cc6-d8f6-46da-b3cc-fc4dbbd60151\",\"firstDetected\":\"2023-08-27T05:34:29Z\",\"severity\":\"s4\",\"rank\":270,\"tags\":[\"@ATA.PrivilegeEscalation\",\"@ATA.Persistence\",\"@ATE.T1546.012\",\"@MSI._reg_ep0130_imageexecution_high\",\"@ATA.DefenseEvasion\",\"@ATE.T1112\"],\"host\":{\"os\":{},\"netInterfaces\":[],\"traceExtendedVisibility\":0,\"hostOs\":\"\",\"aGuid\":\"6D0A37A8-B5B7-4414-9444-A2B17721642B\"},\"sha256\":\"6E2918727CBB836F4D8E3404BDE9AEAF5D4DED5DD1F6916AAD3F3B956E6D8A17\"}}", + "event": { + "category": [ + "intrusion_detection" 
+ ], + "kind": "event", + "start": "2023-08-27T05:34:29Z", + "type": [ + "info" + ] + }, + "host": { + "id": "6D0A37A8-B5B7-4414-9444-A2B17721642B" + }, + "observer": { + "product": "EDR", + "vendor": "Trellix" + }, + "trellix": { + "edr": { + "detection": { + "sha256": "6E2918727CBB836F4D8E3404BDE9AEAF5D4DED5DD1F6916AAD3F3B956E6D8A17" + }, + "threat": { + "id": "182612" + } + } + } + } + + ``` + + +=== "threat_event.json" + + ```json + + { + "message": "{\"type\":\"threats\",\"id\":\"182612\",\"attributes\":{\"aggregationKey\":\"P_6E2918727CBB836F4D8E3404BDE9AEAF5D4DED5DD1F6916AAD3F3B956E6D8A17\",\"severity\":\"s4\",\"rank\":270,\"score\":70,\"name\":\"POWERSHELL_56039776.EXE\",\"type\":\"pe\",\"status\":\"new\",\"firstDetected\":\"2023-08-27T05:34:29Z\",\"lastDetected\":\"2023-08-27T05:34:29Z\",\"hashes\":{\"sha256\":\"6E2918727CBB836F4D8E3404BDE9AEAF5D4DED5DD1F6916AAD3F3B956E6D8A17\",\"sha1\":\"D9FBB3BD6269FE3D5F349A7569964DCD1AA229B5\",\"md5\":\"6FEE39009EA5B1110C5DA6DF2B7BDC43\"}}}", + "event": { + "category": [ + "intrusion_detection" + ], + "end": "2023-08-27T05:34:29Z", + "kind": "event", + "start": "2023-08-27T05:34:29Z", + "type": [ + "info" + ] + }, + "file": { + "hash": { + "md5": "6FEE39009EA5B1110C5DA6DF2B7BDC43", + "sha1": "D9FBB3BD6269FE3D5F349A7569964DCD1AA229B5", + "sha256": "6E2918727CBB836F4D8E3404BDE9AEAF5D4DED5DD1F6916AAD3F3B956E6D8A17" + } + }, + "observer": { + "product": "EDR", + "vendor": "Trellix" + }, + "related": { + "hash": [ + "6E2918727CBB836F4D8E3404BDE9AEAF5D4DED5DD1F6916AAD3F3B956E6D8A17", + "6FEE39009EA5B1110C5DA6DF2B7BDC43", + "D9FBB3BD6269FE3D5F349A7569964DCD1AA229B5" + ] + }, + "trellix": { + "edr": { + "name": "POWERSHELL_56039776.EXE", + "status": "new", + "threat": { + "id": "182612" + }, + "type": "pe" + } + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. 
It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | +|`event.end` | `date` | event.end contains the date when the event ended or when the activity was last observed. | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`file.hash.md5` | `keyword` | MD5 hash. | +|`file.hash.sha1` | `keyword` | SHA1 hash. | +|`file.hash.sha256` | `keyword` | SHA256 hash. | +|`host.id` | `keyword` | Unique host id. | +|`host.ip` | `ip` | Host ip addresses. | +|`host.mac` | `keyword` | Host MAC addresses. | +|`host.name` | `keyword` | Name of the host. | +|`host.os.full` | `keyword` | Operating system name, including the version or code name. | +|`host.os.version` | `keyword` | Operating system version as a raw string. | +|`observer.product` | `keyword` | The product name of the observer. | +|`observer.vendor` | `keyword` | Vendor name of the observer. | +|`process.command_line` | `wildcard` | Full command line that started the process. | +|`process.name` | `keyword` | Process name. | +|`process.pid` | `long` | Process id. | +|`rule.id` | `keyword` | Rule ID | +|`trellix.edr.detection.sha256` | `keyword` | Sha256 of detection. | +|`trellix.edr.name` | `keyword` | Name of the Trellix EDR event. | +|`trellix.edr.status` | `keyword` | Status of the Trellix EDR event. | +|`trellix.edr.threat.id` | `keyword` | Threat ID of the Trellix EDR event. | +|`trellix.edr.type` | `keyword` | Type of the Trellix EDR event. | +|`user.name` | `keyword` | Short name or login of the user. | + 
diff --git a/_shared_content/operations_center/integrations/generated/9b95c9cf-8b78-4830-a1ed-b9e88f05e67a.md b/_shared_content/operations_center/integrations/generated/9b95c9cf-8b78-4830-a1ed-b9e88f05e67a.md new file mode 100644 index 0000000000..7aac8403d7 --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/9b95c9cf-8b78-4830-a1ed-b9e88f05e67a.md 
@@ -0,0 +1,517 @@ + +## Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Network device logs` | Palo Alto can record traffic events flowing through their firewall | + + + + + +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `alert`, `event` | +| Category | `file`, `host`, `intrusion_detection`, `network`, `process`, `registry` | +| Type | `change`, `connection`, `info` | + + + + +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "alerts_1.json" + + ```json + + { + "message": "{\"external_id\":\"c2c51d03-65db\",\"severity\":\"low\",\"matching_status\":\"MATCHED\",\"end_match_attempt_ts\":null,\"local_insert_ts\":170619,\"last_modified_ts\":null,\"bioc_indicator\":null,\"matching_service_rule_id\":\"03bb2cd4-a667-11ea-9d88-820e27035801\",\"attempt_counter\":0,\"bioc_category_enum_key\":null,\"case_id\":9991,\"is_whitelisted\":false,\"starred\":false,\"deduplicate_tokens\":null,\"filter_rule_id\":null,\"mitre_technique_id_and_name\":[\"T1111 - Ex Protocol\"],\"mitre_tactic_id_and_name\":[\"TA1111 - Exfiltration\"],\"agent_version\":null,\"agent_ip_addresses_v6\":null,\"agent_device_domain\":null,\"agent_fqdn\":null,\"agent_os_type\":\"NO_HOST\",\"agent_os_sub_type\":null,\"agent_data_collection_status\":null,\"mac\":null,\"is_pcap\":false,\"alert_type\":\"Unclassified\",\"resolution_status\":\"STATUS_010_NEW\",\"resolution_comment\":null,\"dynamic_fields\":null,\"tags\":[\"AB:AB_test\",\"CD:CD_test\",\"EF:EF_test\"],\"malicious_urls\":null,\"alert_id\":\"555555555\",\"detection_timestamp\":1706191461294,\"name\":\"Large Upload (Generic)\",\"category\":\"Exfiltration\",\"endpoint_id\":\"70c7fce471074\",\"description\":\"great decription for this 
event\",\"host_ip\":[\"1.2.3.4\"],\"host_name\":\"2023-2024\",\"mac_addresses\":null,\"source\":\"XDR Analytics\",\"action\":\"DETECTED\",\"action_pretty\":\"Detected\",\"original_tags\":[\"AB:AB_test\",\"CD:CD_test\",\"EF:EF_test\"]}", + "event": { + "action": "DETECTED", + "category": [ + "intrusion_detection" + ], + "dataset": "alert", + "kind": "alert", + "outcome": "MATCHED", + "reason": "great decription for this event", + "type": [ + "info" + ] + }, + "@timestamp": "2024-01-25T14:04:21.294000Z", + "host": { + "id": "70c7fce471074", + "ip": [ + "1.2.3.4" + ], + "name": "2023-2024", + "os": { + "name": "NO_HOST" + } + }, + "observer": { + "product": "Palo Alto Cortex XDR", + "vendor": "Palo Alto" + }, + "paloalto": { + "cortex": { + "xdr": { + "alert": { + "category": "Exfiltration", + "externalID": "c2c51d03-65db", + "id": "555555555", + "name": "Large Upload (Generic)", + "ruleID": { + "matching_service": "03bb2cd4-a667-11ea-9d88-820e27035801" + }, + "severity": "low" + } + } + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + } + } + + ``` + + +=== "file_event.json" + + ```json + + { + "message": "{\"agent_install_type\":\"STANDARD\",\"agent_host_boot_time\":1705666417130,\"event_sub_type\":6,\"module_id\":null,\"association_strength\":50,\"dst_association_strength\":null,\"story_id\":null,\"event_id\":\"AAABjURO4G7\",\"event_type\":\"File Event\",\"event_timestamp\":1706248036508,\"actor_process_instance_id\":\"HkgJADgfvcM\",\"actor_process_image_path\":\"/sbin/ttest_path\",\"actor_process_image_name\":\"ttest_path\",\"actor_process_command_line\":\"/bin/sh /sbin/ttest_path quicktest 
5.15.0-00-generic\",\"actor_process_signature_status\":\"N/A\",\"actor_process_signature_vendor\":null,\"actor_process_image_sha256\":\"a1c3a3d3522ff153a4\",\"actor_process_image_md5\":\"a05c639f4dcadbccca\",\"actor_process_causality_id\":\"WS8JAHldrcqM\",\"actor_causality_id\":\"WS8JAHldrcqM\",\"actor_process_os_pid\":600000,\"actor_thread_thread_id\":600000,\"causality_actor_process_image_name\":\"apt.systemd.daily\",\"causality_actor_process_command_line\":\"/bin/sh /usr/lib/apt/apt.systemd.daily install\",\"causality_actor_process_image_path\":\"/usr/lib/apt/apt.systemd.daily\",\"causality_actor_process_signature_vendor\":null,\"causality_actor_process_signature_status\":\"N/A\",\"causality_actor_causality_id\":\"WS8JAHldrcqM\",\"causality_actor_process_execution_time\":1706247959464,\"causality_actor_process_image_md5\":\"21aa2d5f5e7c2047dd\",\"causality_actor_process_image_sha256\":\"366f4cca90841c6ebef199c24ed3e\",\"action_file_path\":\"/test/60-test.rules\",\"action_file_name\":\"60-test.rules\",\"action_file_md5\":null,\"action_file_sha256\":null,\"action_file_macro_sha256\":null,\"action_registry_data\":null,\"action_registry_key_name\":null,\"action_registry_value_name\":null,\"action_registry_full_key\":null,\"action_local_ip\":null,\"action_local_ip_v6\":null,\"action_local_port\":null,\"action_remote_ip\":null,\"action_remote_ip_v6\":null,\"action_remote_port\":null,\"action_external_hostname\":null,\"action_country\":\"UNKNOWN\",\"action_process_instance_id\":null,\"action_process_causality_id\":null,\"action_process_image_name\":null,\"action_process_image_sha256\":null,\"action_process_image_command_line\":null,\"action_process_signature_status\":\"N/A\",\"action_process_signature_vendor\":null,\"os_actor_effective_username\":null,\"os_actor_process_instance_id\":\"HkgJADgfvcMVdnc\",\"os_actor_process_image_path\":\"/sbin/ttest_path\",\"os_actor_process_image_name\":\"image_name\",\"os_actor_process_command_line\":\"/bin/sh /sbin/ttest_path 
quicktest 5.15.0-00-generic\",\"os_actor_process_signature_status\":\"N/A\",\"os_actor_process_signature_vendor\":null,\"os_actor_process_image_sha256\":\"a1c3a3d3522ff153a457684b49c\",\"os_actor_process_causality_id\":\"WS8JAHldrcqM\",\"os_actor_causality_id\":null,\"os_actor_process_os_pid\":608286,\"os_actor_thread_thread_id\":608286,\"fw_app_id\":null,\"fw_interface_from\":null,\"fw_interface_to\":null,\"fw_rule\":null,\"fw_rule_id\":null,\"fw_device_name\":null,\"fw_serial_number\":null,\"fw_url_domain\":null,\"fw_email_subject\":null,\"fw_email_sender\":null,\"fw_email_recipient\":null,\"fw_app_subcategory\":null,\"fw_app_category\":null,\"fw_app_technology\":null,\"fw_vsys\":null,\"fw_xff\":null,\"fw_misc\":null,\"fw_is_phishing\":\"N/A\",\"dst_agent_id\":null,\"dst_causality_actor_process_execution_time\":null,\"dns_query_name\":null,\"dst_action_external_hostname\":null,\"dst_action_country\":null,\"dst_action_external_port\":null,\"contains_featured_host\":\"NO\",\"contains_featured_user\":\"NO\",\"contains_featured_ip\":\"NO\",\"image_name\":null,\"image_id\":null,\"container_id\":null,\"container_name\":null,\"namespace\":null,\"cluster_name\":null,\"referenced_resource\":null,\"operation_name\":null,\"identity_sub_type\":null,\"identity_type\":null,\"project\":null,\"cloud_provider\":null,\"resource_type\":null,\"resource_sub_type\":null,\"user_agent\":null,\"user_name\":\"JDOE\", \"alert_id\":\"1\"}", + "event": { + "category": [ + "file" + ], + "dataset": "File Event", + "kind": "event", + "type": [ + "change" + ] + }, + "@timestamp": "2024-01-26T05:47:16.508000Z", + "file": { + "name": "60-test.rules", + "path": "/test/60-test.rules" + }, + "paloalto": { + "cortex": { + "xdr": { + "alert": { + "id": "1" + } + } + } + }, + "process": { + "command_line": "/bin/sh /sbin/ttest_path quicktest 5.15.0-00-generic", + "executable": "/sbin/ttest_path", + "hash": { + "md5": "a05c639f4dcadbccca", + "sha256": "a1c3a3d3522ff153a4" + }, + "name": "ttest_path", + 
"pid": 600000, + "thread": { + "id": 600000 + } + }, + "related": { + "hash": [ + "a05c639f4dcadbccca", + "a1c3a3d3522ff153a4" + ], + "user": [ + "JDOE" + ] + }, + "user": { + "name": "JDOE" + } + } + + ``` + + +=== "network_event.json" + + ```json + + { + "message": "{\"agent_install_type\":\"STANDARD\",\"agent_host_boot_time\":null,\"event_sub_type\":null,\"module_id\":null,\"association_strength\":40,\"dst_association_strength\":40,\"story_id\":\"MzAyOTQzMzI3\",\"event_id\":\"MzAyOTQzMzI3\",\"event_type\":\"Network Connections\",\"event_timestamp\":1706177317000,\"actor_process_instance_id\":null,\"actor_process_image_path\":null,\"actor_process_image_name\":null,\"actor_process_command_line\":null,\"actor_process_signature_status\":\"N/A\",\"actor_process_signature_vendor\":null,\"actor_process_image_sha256\":null,\"actor_process_image_md5\":null,\"actor_process_causality_id\":null,\"actor_causality_id\":null,\"actor_process_os_pid\":null,\"actor_thread_thread_id\":null,\"causality_actor_process_image_name\":null,\"causality_actor_process_command_line\":null,\"causality_actor_process_image_path\":null,\"causality_actor_process_signature_vendor\":null,\"causality_actor_process_signature_status\":\"N/A\",\"causality_actor_causality_id\":null,\"causality_actor_process_execution_time\":null,\"causality_actor_process_image_md5\":null,\"causality_actor_process_image_sha256\":null,\"action_file_path\":null,\"action_file_name\":null,\"action_file_md5\":null,\"action_file_sha256\":null,\"action_file_macro_sha256\":null,\"action_registry_data\":null,\"action_registry_key_name\":null,\"action_registry_value_name\":null,\"action_registry_full_key\":null,\"action_local_ip\":\"1.2.3.4\",\"action_local_ip_v6\":null,\"action_local_port\":55555,\"action_remote_ip\":\"1.2.3.4\",\"action_remote_ip_v6\":null,\"action_remote_port\":444,\"action_external_hostname\":null,\"action_country\":\"UNKNOWN\",\"action_process_instance_id\":null,\"action_process_causality_id\":null,\"action_pr
ocess_image_name\":null,\"action_process_image_sha256\":null,\"action_process_image_command_line\":null,\"action_process_signature_status\":\"N/A\",\"action_process_signature_vendor\":null,\"os_actor_effective_username\":null,\"os_actor_process_instance_id\":null,\"os_actor_process_image_path\":null,\"os_actor_process_image_name\":null,\"os_actor_process_command_line\":null,\"os_actor_process_signature_status\":\"N/A\",\"os_actor_process_signature_vendor\":null,\"os_actor_process_image_sha256\":null,\"os_actor_process_causality_id\":null,\"os_actor_causality_id\":null,\"os_actor_process_os_pid\":null,\"os_actor_thread_thread_id\":null,\"fw_app_id\":\"app-id-555\",\"fw_interface_from\":\"vpn\",\"fw_interface_to\":\"outside\",\"fw_rule\":\"VPN-TEST-RULE\",\"fw_rule_id\":\"f4a0e637-b6bf-4894\",\"fw_device_name\":\"VPN-TEST-0000\",\"fw_serial_number\":\"01545100\",\"fw_url_domain\":null,\"fw_email_subject\":null,\"fw_email_sender\":null,\"fw_email_recipient\":null,\"fw_app_subcategory\":\"storage-backup\",\"fw_app_category\":\"business-systems\",\"fw_app_technology\":\"client-server\",\"fw_vsys\":\"vsys1\",\"fw_xff\":null,\"fw_misc\":\"2024\",\"fw_is_phishing\":\"No\",\"dst_agent_id\":\"431983ee6afd4892b\",\"dst_causality_actor_process_execution_time\":null,\"dns_query_name\":null,\"dst_action_external_hostname\":null,\"dst_action_country\":\"-\",\"dst_action_external_port\":null,\"contains_featured_host\":\"NO\",\"contains_featured_user\":\"NO\",\"contains_featured_ip\":\"NO\",\"image_name\":null,\"image_id\":null,\"container_id\":null,\"container_name\":null,\"namespace\":null,\"cluster_name\":null,\"referenced_resource\":null,\"operation_name\":null,\"identity_sub_type\":null,\"identity_type\":null,\"project\":null,\"cloud_provider\":null,\"resource_type\":null,\"resource_sub_type\":null,\"user_agent\":null,\"user_name\":\"JDOE\", \"alert_id\":\"1\"}", + "event": { + "category": [ + "network" + ], + "dataset": "Network Connections", + "kind": "event", + "type": [ + 
"connection" + ] + }, + "@timestamp": "2024-01-25T10:08:37Z", + "destination": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 444 + }, + "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "ingress": { + "interface": { + "name": "vpn" + } + }, + "name": "VPN-TEST-0000", + "serial_number": "01545100" + }, + "paloalto": { + "cortex": { + "xdr": { + "alert": { + "id": "1" + }, + "event": { + "firewall": { + "app": { + "category": "business-systems", + "subcategory": "storage-backup", + "technology": "client-server" + } + } + } + } + } + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "JDOE" + ] + }, + "rule": { + "id": "f4a0e637-b6bf-4894", + "name": "VPN-TEST-RULE" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 55555 + }, + "user": { + "name": "JDOE" + } + } + + ``` + + +=== "process_event.json" + + ```json + + { + "message": "{\"agent_install_type\":\"STANDARD\",\"agent_host_boot_time\":1706175924115,\"event_sub_type\":1,\"module_id\":null,\"association_strength\":50,\"dst_association_strength\":null,\"story_id\":null,\"event_id\":\"AAABjUARS\",\"event_type\":\"Process Execution\",\"event_timestamp\":1706176891325,\"actor_process_instance_id\":\"AdpPdXhxnqQ\",\"actor_process_image_path\":\"C:\\\\test\\\\cmd.exe\",\"actor_process_image_name\":\"cmd.exe\",\"actor_process_command_line\":\"C:\\\\WINDOWS\\\\test\\\\cmd.exe /c ipconfig /all >> \\\"C:\\\\test\\\\Desktop\\\\DisplayLink Support Files\\\\test_Logs_110048\\\"\\\\Network.txt\",\"actor_process_signature_status\":\"Signed\",\"actor_process_signature_vendor\":\"Microsoft 
Corporation\",\"actor_process_image_sha256\":\"e9ef013238495bffce\",\"actor_process_image_md5\":\"d3348ac2130c7e75\",\"actor_process_causality_id\":\"AdpPdVLYEm4AA\",\"actor_causality_id\":\"AdpPdVLYEm4AA\",\"actor_process_os_pid\":11111,\"actor_thread_thread_id\":5555,\"causality_actor_process_image_name\":\"Windows_test.exe\",\"causality_actor_process_command_line\":\"\\\"C:\\\\Users\\\\JDOE\\\\Desktop\\\\Windows_test.exe\\\" \",\"causality_actor_process_image_path\":\"\\\"C:\\\\Users\\\\JDOE\\\\Desktop\\\\Windows_test.exe\\\"\",\"causality_actor_process_signature_vendor\":\"TEST(UK) LIMITED\",\"causality_actor_process_signature_status\":\"Signed\",\"causality_actor_causality_id\":\"AdpPdVLYEm\",\"causality_actor_process_execution_time\":1706176828371,\"causality_actor_process_image_md5\":\"9d1513d5dda226e51a69\",\"causality_actor_process_image_sha256\":\"c1498056c06206beaef8b7d1fd749\",\"action_file_path\":null,\"action_file_name\":null,\"action_file_md5\":null,\"action_file_sha256\":null,\"action_file_macro_sha256\":null,\"action_registry_data\":null,\"action_registry_key_name\":null,\"action_registry_value_name\":null,\"action_registry_full_key\":null,\"action_local_ip\":null,\"action_local_ip_v6\":null,\"action_local_port\":null,\"action_remote_ip\":null,\"action_remote_ip_v6\":null,\"action_remote_port\":null,\"action_external_hostname\":null,\"action_country\":\"UNKNOWN\",\"action_process_instance_id\":\"AdpPdXiC3NMAA\",\"action_process_causality_id\":\"AdpPdVLYEm4AA\",\"action_process_image_name\":\"ipconfig.exe\",\"action_process_image_sha256\":\"87b036c720fbd5e63355b9920a2864f\",\"action_process_image_command_line\":\"ipconfig /all \",\"action_process_signature_status\":\"Signed\",\"action_process_signature_vendor\":\"Microsoft 
Corporation\",\"os_actor_effective_username\":null,\"os_actor_process_instance_id\":\"AdpPdXhxnqQA\",\"os_actor_process_image_path\":\"C:\\\\Windows\\\\TEST\\\\cmd.exe\",\"os_actor_process_image_name\":\"cmd.exe\",\"os_actor_process_command_line\":\"C:\\\\WINDOWS\\\\TEST\\\\system32\\\\cmd.exe /c ipconfig /all >> \\\"C:\\\\Users\\\\JDOE\\\\Desktop\\\\Network_Statistics.txt\",\"os_actor_process_signature_status\":\"Signed\",\"os_actor_process_signature_vendor\":\"Microsoft Corporation\",\"os_actor_process_image_sha256\":\"e9ef013238495bffce7459\",\"os_actor_process_causality_id\":\"AdpPdVLYEm\",\"os_actor_causality_id\":null,\"os_actor_process_os_pid\":11111,\"os_actor_thread_thread_id\":5555,\"fw_app_id\":null,\"fw_interface_from\":null,\"fw_interface_to\":null,\"fw_rule\":null,\"fw_rule_id\":null,\"fw_device_name\":null,\"fw_serial_number\":null,\"fw_url_domain\":null,\"fw_email_subject\":null,\"fw_email_sender\":null,\"fw_email_recipient\":null,\"fw_app_subcategory\":null,\"fw_app_category\":null,\"fw_app_technology\":null,\"fw_vsys\":null,\"fw_xff\":null,\"fw_misc\":null,\"fw_is_phishing\":\"N/A\",\"dst_agent_id\":null,\"dst_causality_actor_process_execution_time\":null,\"dns_query_name\":null,\"dst_action_external_hostname\":null,\"dst_action_country\":null,\"dst_action_external_port\":null,\"contains_featured_host\":\"NO\",\"contains_featured_user\":\"NO\",\"contains_featured_ip\":\"NO\",\"image_name\":null,\"image_id\":null,\"container_id\":null,\"container_name\":null,\"namespace\":null,\"cluster_name\":null,\"referenced_resource\":null,\"operation_name\":null,\"identity_sub_type\":null,\"identity_type\":null,\"project\":null,\"cloud_provider\":null,\"resource_type\":null,\"resource_sub_type\":null,\"user_agent\":null,\"user_name\":\"JDOE\", \"alert_id\":\"1\"}", + "event": { + "category": [ + "process" + ], + "dataset": "Process Execution", + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2024-01-25T10:01:31.325000Z", + "paloalto": { + 
"cortex": { + "xdr": { + "alert": { + "id": "1" + } + } + } + }, + "process": { + "command_line": "C:\\WINDOWS\\test\\cmd.exe /c ipconfig /all >> \"C:\\test\\Desktop\\DisplayLink Support Files\\test_Logs_110048\"\\Network.txt", + "executable": "C:\\test\\cmd.exe", + "hash": { + "md5": "d3348ac2130c7e75", + "sha256": "e9ef013238495bffce" + }, + "name": "cmd.exe", + "pid": 11111, + "thread": { + "id": 5555 + } + }, + "related": { + "hash": [ + "d3348ac2130c7e75", + "e9ef013238495bffce" + ], + "user": [ + "JDOE" + ] + }, + "user": { + "name": "JDOE" + } + } + + ``` + + +=== "registry_events.json" + + ```json + + { + "message": "{\"agent_install_type\":\"STANDARD\",\"agent_host_boot_time\":1706175420000,\"event_sub_type\":4,\"module_id\":null,\"association_strength\":50,\"dst_association_strength\":null,\"story_id\":null,\"event_id\":\"AAABjUAMJJz95I1\",\"event_type\":\"Registry Event\",\"event_timestamp\":1706176550000,\"actor_process_instance_id\":\"AdpPdK0F6GEAABu\",\"actor_process_image_path\":\"C:\\\\Windows\\\\test\\\\testexec.exe\",\"actor_process_image_name\":\"msiexec.exe\",\"actor_process_command_line\":\"C:\\\\WINDOWS\\\\test\\\\testexec.exe /V\",\"actor_process_signature_status\":\"Signed\",\"actor_process_signature_vendor\":\"Microsoft Corporation\",\"actor_process_image_sha256\":\"8ca4b8b7a2f8e6e7d1df1ae46437fc\",\"actor_process_image_md5\":\"3a8464f2cecdf1d894\",\"actor_process_causality_id\":\"AdpPdK0F6GEAAB\",\"actor_causality_id\":\"AdpPdK0F6GEAAB\",\"actor_process_os_pid\":7000,\"actor_thread_thread_id\":10000,\"causality_actor_process_image_name\":\"testexec.exe\",\"causality_actor_process_command_line\":\"C:\\\\WINDOWS\\\\test\\\\testexec.exe /V\",\"causality_actor_process_image_path\":\"C:\\\\Windows\\\\test\\\\testexec.exe\",\"causality_actor_process_signature_vendor\":\"Microsoft 
Corporation\",\"causality_actor_process_signature_status\":\"Signed\",\"causality_actor_causality_id\":\"AdpPdK0F6GEAABu\",\"causality_actor_process_execution_time\":1706176540000,\"causality_actor_process_image_md5\":\"3a8464f2cecdf1d89430c\",\"causality_actor_process_image_sha256\":\"8ca4b8b7a2f8e6e7d1df1ae46437fc\",\"action_file_path\":null,\"action_file_name\":null,\"action_file_md5\":null,\"action_file_sha256\":null,\"action_file_macro_sha256\":null,\"action_registry_data\":\"C:\\\\Program Files (x86)\\\\TEST\\\\TESTCNA.exe\",\"action_registry_key_name\":\"HKEY_LOCAL_MACHINE\\\\TEST\\\\CurrentVersion\\\\Run\",\"action_registry_value_name\":\"SrvTEST\",\"action_registry_full_key\":null,\"action_local_ip\":null,\"action_local_ip_v6\":null,\"action_local_port\":null,\"action_remote_ip\":null,\"action_remote_ip_v6\":null,\"action_remote_port\":null,\"action_external_hostname\":null,\"action_country\":\"UNKNOWN\",\"action_process_instance_id\":null,\"action_process_causality_id\":null,\"action_process_image_name\":null,\"action_process_image_sha256\":null,\"action_process_image_command_line\":null,\"action_process_signature_status\":\"N/A\",\"action_process_signature_vendor\":null,\"os_actor_effective_username\":null,\"os_actor_process_instance_id\":\"AdpPdK0F6GEAAB\",\"os_actor_process_image_path\":\"C:\\\\Windows\\\\test\\\\testexec.exe\",\"os_actor_process_image_name\":\"msiexec.exe\",\"os_actor_process_command_line\":\"C:\\\\WINDOWS\\\\test\\\\testexec.exe /V\",\"os_actor_process_signature_status\":\"Signed\",\"os_actor_process_signature_vendor\":\"Microsoft 
Corporation\",\"os_actor_process_image_sha256\":\"8ca4b8b7a2f8e6e7d1df1ae46437fc\",\"os_actor_process_causality_id\":\"AdpPdK0F6GEAA\",\"os_actor_causality_id\":null,\"os_actor_process_os_pid\":7000,\"os_actor_thread_thread_id\":10000,\"fw_app_id\":null,\"fw_interface_from\":null,\"fw_interface_to\":null,\"fw_rule\":null,\"fw_rule_id\":null,\"fw_device_name\":null,\"fw_serial_number\":null,\"fw_url_domain\":null,\"fw_email_subject\":null,\"fw_email_sender\":null,\"fw_email_recipient\":null,\"fw_app_subcategory\":null,\"fw_app_category\":null,\"fw_app_technology\":null,\"fw_vsys\":null,\"fw_xff\":null,\"fw_misc\":null,\"fw_is_phishing\":\"N/A\",\"dst_agent_id\":null,\"dst_causality_actor_process_execution_time\":null,\"dns_query_name\":null,\"dst_action_external_hostname\":null,\"dst_action_country\":null,\"dst_action_external_port\":null,\"contains_featured_host\":\"NO\",\"contains_featured_user\":\"NO\",\"contains_featured_ip\":\"NO\",\"image_name\":null,\"image_id\":null,\"container_id\":null,\"container_name\":null,\"namespace\":null,\"cluster_name\":null,\"referenced_resource\":null,\"operation_name\":null,\"identity_sub_type\":null,\"identity_type\":null,\"project\":null,\"cloud_provider\":null,\"resource_type\":null,\"resource_sub_type\":null,\"user_agent\":null,\"user_name\":\"JDOE\", \"alert_id\":\"1\"}", + "event": { + "category": [ + "registry" + ], + "dataset": "Registry Event", + "kind": "event", + "type": [ + "change" + ] + }, + "@timestamp": "2024-01-25T09:55:50Z", + "paloalto": { + "cortex": { + "xdr": { + "alert": { + "id": "1" + } + } + } + }, + "process": { + "command_line": "C:\\WINDOWS\\test\\testexec.exe /V", + "executable": "C:\\Windows\\test\\testexec.exe", + "hash": { + "md5": "3a8464f2cecdf1d894", + "sha256": "8ca4b8b7a2f8e6e7d1df1ae46437fc" + }, + "name": "msiexec.exe", + "pid": 7000, + "thread": { + "id": 10000 + } + }, + "registry": { + "value": "SrvTEST" + }, + "related": { + "hash": [ + "3a8464f2cecdf1d894", + 
"8ca4b8b7a2f8e6e7d1df1ae46437fc" + ], + "user": [ + "JDOE" + ] + }, + "user": { + "name": "JDOE" + } + } + + ``` + + +=== "rpc_call_event.json" + + ```json + + { + "message": "{\"agent_install_type\":\"STANDARD\",\"agent_host_boot_time\":1706168000000,\"event_sub_type\":2,\"module_id\":null,\"association_strength\":50,\"dst_association_strength\":null,\"story_id\":null,\"event_id\":\"AAABjUAlDCOX3\",\"event_type\":\"RPC Call\",\"event_timestamp\":1706178186400,\"actor_process_instance_id\":\"AdpPeHj9O58AAD\",\"actor_process_image_path\":\"C:\\\\Users\\\\JDOE\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe\",\"actor_process_image_name\":\"firefox.exe\",\"actor_process_command_line\":\"\\\"C:\\\\Users\\\\JDOE\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe\\\" --backgroundtask defaultagent register-task 814FC20000000\",\"actor_process_signature_status\":\"Signed\",\"actor_process_signature_vendor\":\"Mozilla Corporation\",\"actor_process_image_sha256\":\"b1db5b7c78315f35da07a4d26f86\",\"actor_process_image_md5\":\"b835293fa5848e7a7bd19\",\"actor_process_causality_id\":\"AdpPeHj9O58\",\"actor_causality_id\":\"AdpPeHj9O58\",\"actor_process_os_pid\":15000,\"actor_thread_thread_id\":16000,\"causality_actor_process_image_name\":\"firefox.exe\",\"causality_actor_process_command_line\":\"\\\"C:\\\\Users\\\\JDOE\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe\\\" --backgroundtask defaultagent register-task 814FC20F31C36B2\",\"causality_actor_process_image_path\":\"C:\\\\Users\\\\JDOE\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe\",\"causality_actor_process_signature_vendor\":\"Mozilla 
Corporation\",\"causality_actor_process_signature_status\":\"Signed\",\"causality_actor_causality_id\":\"AdpPeHj9O58A\",\"causality_actor_process_execution_time\":1706178180534,\"causality_actor_process_image_md5\":\"b835293fa5848e7a7\",\"causality_actor_process_image_sha256\":\"b1db5b7c78315f35da07a4d26f86adccc8\",\"action_file_path\":null,\"action_file_name\":null,\"action_file_md5\":null,\"action_file_sha256\":null,\"action_file_macro_sha256\":null,\"action_registry_data\":null,\"action_registry_key_name\":null,\"action_registry_value_name\":null,\"action_registry_full_key\":null,\"action_local_ip\":null,\"action_local_ip_v6\":null,\"action_local_port\":null,\"action_remote_ip\":null,\"action_remote_ip_v6\":null,\"action_remote_port\":null,\"action_external_hostname\":null,\"action_country\":\"UNKNOWN\",\"action_process_instance_id\":null,\"action_process_causality_id\":null,\"action_process_image_name\":null,\"action_process_image_sha256\":null,\"action_process_image_command_line\":null,\"action_process_signature_status\":\"N/A\",\"action_process_signature_vendor\":null,\"os_actor_effective_username\":null,\"os_actor_process_instance_id\":\"AdpPYPT27pIAAA\",\"os_actor_process_image_path\":\"C:\\\\Windows\\\\TEST\\\\test.exe\",\"os_actor_process_image_name\":\"svchost.exe\",\"os_actor_process_command_line\":\"C:\\\\WINDOWS\\\\TEST\\\\test.exe -k run -p -s Schedule\",\"os_actor_process_signature_status\":\"Signed\",\"os_actor_process_signature_vendor\":\"Microsoft 
Corporation\",\"os_actor_process_image_sha256\":\"f13de58416730d210dab465b242e9c94\",\"os_actor_process_causality_id\":\"AdpPYPT27pIA\",\"os_actor_causality_id\":null,\"os_actor_process_os_pid\":1777,\"os_actor_thread_thread_id\":14444,\"fw_app_id\":null,\"fw_interface_from\":null,\"fw_interface_to\":null,\"fw_rule\":null,\"fw_rule_id\":null,\"fw_device_name\":null,\"fw_serial_number\":null,\"fw_url_domain\":null,\"fw_email_subject\":null,\"fw_email_sender\":null,\"fw_email_recipient\":null,\"fw_app_subcategory\":null,\"fw_app_category\":null,\"fw_app_technology\":null,\"fw_vsys\":null,\"fw_xff\":null,\"fw_misc\":null,\"fw_is_phishing\":\"N/A\",\"dst_agent_id\":null,\"dst_causality_actor_process_execution_time\":null,\"dns_query_name\":null,\"dst_action_external_hostname\":null,\"dst_action_country\":null,\"dst_action_external_port\":null,\"contains_featured_host\":\"NO\",\"contains_featured_user\":\"NO\",\"contains_featured_ip\":\"NO\",\"image_name\":null,\"image_id\":null,\"container_id\":null,\"container_name\":null,\"namespace\":null,\"cluster_name\":null,\"referenced_resource\":null,\"operation_name\":null,\"identity_sub_type\":null,\"identity_type\":null,\"project\":null,\"cloud_provider\":null,\"resource_type\":null,\"resource_sub_type\":null,\"user_agent\":null,\"user_name\":\"JDOE\", \"alert_id\":\"1\"}", + "event": { + "category": [ + "process" + ], + "dataset": "RPC Call", + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2024-01-25T10:23:06.400000Z", + "paloalto": { + "cortex": { + "xdr": { + "alert": { + "id": "1" + } + } + } + }, + "process": { + "command_line": "\"C:\\Users\\JDOE\\AppData\\Local\\Mozilla Firefox\\firefox.exe\" --backgroundtask defaultagent register-task 814FC20000000", + "executable": "C:\\Users\\JDOE\\AppData\\Local\\Mozilla Firefox\\firefox.exe", + "hash": { + "md5": "b835293fa5848e7a7bd19", + "sha256": "b1db5b7c78315f35da07a4d26f86" + }, + "name": "firefox.exe", + "pid": 15000, + "thread": { + "id": 16000 + } + }, 
+ "related": { + "hash": [ + "b1db5b7c78315f35da07a4d26f86", + "b835293fa5848e7a7bd19" + ], + "user": [ + "JDOE" + ] + }, + "user": { + "name": "JDOE" + } + } + + ``` + + +=== "vpn_event.json" + + ```json + + { + "message": "{\"agent_install_type\":\"NA\",\"agent_host_boot_time\":null,\"event_sub_type\":1,\"module_id\":null,\"association_strength\":32,\"dst_association_strength\":32,\"story_id\":\"MzY1MjMyMjkyMT\",\"event_id\":\"MzY1MjMyMjkyMT\",\"event_type\":\"VPN\",\"event_timestamp\":1706183000000,\"actor_process_instance_id\":null,\"actor_process_image_path\":null,\"actor_process_image_name\":null,\"actor_process_command_line\":null,\"actor_process_signature_status\":\"N/A\",\"actor_process_signature_vendor\":null,\"actor_process_image_sha256\":null,\"actor_process_image_md5\":null,\"actor_process_causality_id\":null,\"actor_causality_id\":null,\"actor_process_os_pid\":null,\"actor_thread_thread_id\":null,\"causality_actor_process_image_name\":null,\"causality_actor_process_command_line\":null,\"causality_actor_process_image_path\":null,\"causality_actor_process_signature_vendor\":null,\"causality_actor_process_signature_status\":\"N/A\",\"causality_actor_causality_id\":null,\"causality_actor_process_execution_time\":null,\"causality_actor_process_image_md5\":null,\"causality_actor_process_image_sha256\":null,\"action_file_path\":null,\"action_file_name\":null,\"action_file_md5\":null,\"action_file_sha256\":null,\"action_file_macro_sha256\":null,\"action_registry_data\":null,\"action_registry_key_name\":null,\"action_registry_value_name\":null,\"action_registry_full_key\":null,\"action_local_ip\":\"1.2.3.4\",\"action_local_ip_v6\":null,\"action_local_port\":null,\"action_remote_ip\":null,\"action_remote_ip_v6\":null,\"action_remote_port\":null,\"action_external_hostname\":null,\"action_country\":\"FR\",\"action_process_instance_id\":null,\"action_process_causality_id\":null,\"action_process_image_name\":null,\"action_process_image_sha256\":null,\"action_process
_image_command_line\":null,\"action_process_signature_status\":\"N/A\",\"action_process_signature_vendor\":null,\"os_actor_effective_username\":null,\"os_actor_process_instance_id\":null,\"os_actor_process_image_path\":null,\"os_actor_process_image_name\":null,\"os_actor_process_command_line\":null,\"os_actor_process_signature_status\":\"N/A\",\"os_actor_process_signature_vendor\":null,\"os_actor_process_image_sha256\":null,\"os_actor_process_causality_id\":null,\"os_actor_causality_id\":null,\"os_actor_process_os_pid\":null,\"os_actor_thread_thread_id\":null,\"fw_app_id\":null,\"fw_interface_from\":null,\"fw_interface_to\":null,\"fw_rule\":null,\"fw_rule_id\":null,\"fw_device_name\":null,\"fw_serial_number\":\"015451000000000\",\"fw_url_domain\":null,\"fw_email_subject\":null,\"fw_email_sender\":null,\"fw_email_recipient\":null,\"fw_app_subcategory\":null,\"fw_app_category\":null,\"fw_app_technology\":null,\"fw_vsys\":null,\"fw_xff\":null,\"fw_misc\":null,\"fw_is_phishing\":\"N/A\",\"dst_agent_id\":\"32ec5200-e206-4ef0\",\"dst_causality_actor_process_execution_time\":null,\"dns_query_name\":null,\"dst_action_external_hostname\":null,\"dst_action_country\":\"-\",\"dst_action_external_port\":null,\"contains_featured_host\":\"NO\",\"contains_featured_user\":\"NO\",\"contains_featured_ip\":\"NO\",\"image_name\":null,\"image_id\":null,\"container_id\":null,\"container_name\":null,\"namespace\":null,\"cluster_name\":null,\"referenced_resource\":null,\"operation_name\":null,\"identity_sub_type\":null,\"identity_type\":null,\"project\":null,\"cloud_provider\":null,\"resource_type\":null,\"resource_sub_type\":null,\"user_agent\":null,\"user_name\":\"JDOE\", \"alert_id\":\"1\"}", + "event": { + "category": [ + "network" + ], + "dataset": "VPN", + "kind": "event", + "type": [ + "connection" + ] + }, + "@timestamp": "2024-01-25T11:43:20Z", + "observer": { + "serial_number": "015451000000000" + }, + "paloalto": { + "cortex": { + "xdr": { + "alert": { + "id": "1" + } + } + } + 
}, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "JDOE" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "JDOE" + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | +|`agent.name` | `keyword` | Custom name of the agent. | +|`agent.version` | `keyword` | Version of the agent. | +|`destination.ip` | `ip` | IP address of the destination. | +|`destination.port` | `long` | Port of the destination. | +|`dns.question.name` | `keyword` | The name being queried. | +|`email.sender.address` | `keyword` | Address of the message sender. | +|`email.subject` | `keyword` | The subject of the email message. | +|`email.to.address` | `keyword` | Email address of recipient | +|`event.action` | `keyword` | The action captured by the event. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.dataset` | `keyword` | Name of the dataset. | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.outcome` | `keyword` | The outcome of the event. The lowest level categorization field in the hierarchy. | +|`event.provider` | `keyword` | Source of the event. | +|`event.reason` | `keyword` | Reason why this event happened, according to the source | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`file.hash.md5` | `keyword` | MD5 hash. | +|`file.hash.sha256` | `keyword` | SHA256 hash. | +|`file.name` | `keyword` | Name of the file including the extension, without the directory. | +|`file.path` | `keyword` | Full path to the file, including the file name. 
| +|`host.id` | `keyword` | Unique host id. | +|`host.ip` | `ip` | Host ip addresses. | +|`host.mac` | `keyword` | Host MAC addresses. | +|`host.name` | `keyword` | Name of the host. | +|`host.os.name` | `keyword` | Operating system name, without the version. | +|`observer.egress.interface.name` | `keyword` | Interface name | +|`observer.ingress.interface.name` | `keyword` | Interface name | +|`observer.name` | `keyword` | Custom name of the observer. | +|`observer.product` | `keyword` | The product name of the observer. | +|`observer.serial_number` | `keyword` | Observer serial number. | +|`observer.vendor` | `keyword` | Vendor name of the observer. | +|`paloalto.cortex.xdr.alert.category` | `keyword` | Cortex alert category | +|`paloalto.cortex.xdr.alert.externalID` | `keyword` | Cortex alert external ID | +|`paloalto.cortex.xdr.alert.id` | `keyword` | Cortex alert ID | +|`paloalto.cortex.xdr.alert.name` | `keyword` | Cortex alert name | +|`paloalto.cortex.xdr.alert.ruleID.filter` | `keyword` | Cortex alert filter rule id | +|`paloalto.cortex.xdr.alert.ruleID.matching_service` | `keyword` | Cortex alert matching service rule id | +|`paloalto.cortex.xdr.alert.severity` | `keyword` | Cortex alert severity | +|`paloalto.cortex.xdr.event.firewall.app.category` | `keyword` | Cortex firewall app category | +|`paloalto.cortex.xdr.event.firewall.app.subcategory` | `keyword` | Cortex firewall app subcategory | +|`paloalto.cortex.xdr.event.firewall.app.technology` | `keyword` | Cortex firewall app technology | +|`process.command_line` | `wildcard` | Full command line that started the process. | +|`process.executable` | `keyword` | Absolute path to the process executable. | +|`process.hash.md5` | `keyword` | MD5 hash. | +|`process.hash.sha256` | `keyword` | SHA256 hash. | +|`process.name` | `keyword` | Process name. | +|`process.pid` | `long` | Process id. | +|`process.thread.id` | `long` | Thread ID. | +|`registry.key` | `keyword` | Hive-relative path of keys. 
| +|`registry.path` | `keyword` | Full path, including hive, key and value | +|`registry.value` | `keyword` | Name of the value written. | +|`rule.id` | `keyword` | Rule ID | +|`rule.name` | `keyword` | Rule name | +|`source.ip` | `ip` | IP address of the source. | +|`source.port` | `long` | Port of the source. | +|`url.domain` | `keyword` | Domain of the url. | +|`user.name` | `keyword` | Short name or login of the user. | + diff --git a/_shared_content/operations_center/integrations/generated/ad8c93b0-3f41-4f6f-bde3-7a55cc30cee8.md b/_shared_content/operations_center/integrations/generated/ad8c93b0-3f41-4f6f-bde3-7a55cc30cee8.md deleted file mode 100644 index f3be30d6b3..0000000000 --- a/_shared_content/operations_center/integrations/generated/ad8c93b0-3f41-4f6f-bde3-7a55cc30cee8.md +++ /dev/null @@ -1,18 +0,0 @@ - -## Event Categories - - -The following table lists the data source offered by this integration. - -| Data Source | Description | -| ----------- | ------------------------------------ | -| `Network protocol analysis` | Acklio provides network activities | - - - - - - - - - diff --git a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md index 27ceb3013c..f6a65cc348 100644 --- a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md +++ b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md @@ -65,6 +65,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user_authentication_method": 1 }, "context": { + "client": { + "id": "5e3ce6c0-2b1f-4285-8d4b-75ee78787346" + }, "correlation": { "id": "d23dd5d2-ccc8-4928-b7a0-f446a2ca4a90" } 
@@ -155,6 +158,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "context": { "aad_session_id": "8e2cdebf", + "client": { + "id": "1b3c667f" + }, "correlation": { "id": "d8254b84" } @@ -653,6 +659,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "outcome": "success", "target": "user" }, + "email": { + "message_id": "PR3PR03MB6601D07B33E82733537EF049DEE49@PR3PR03MB6601.eurprd03.prod.outlook.com", + "subject": "Email subject" + }, "office365": { "context": { "aad_session_id": "8ad3822b-1cfd-40e7-aeaa-6d0708691ad8" @@ -977,6 +987,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "outcome": "success", "target": "user" }, + "email": { + "message_id": "44444444444444444444444444444444444444@MYSERVER.USA2345.PROD.OUTLOOK.COM", + "subject": "HI" + }, "office365": { "exchange": { "mailbox_guid": "8208550a-4001-439d-a9f6-e95d76767507", @@ -2495,6 +2509,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "user_authentication_method": 1 }, "context": { + "client": { + "id": "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7" + }, "correlation": { "id": "794c9504-66fe-441c-831a-5fc2badfcdc8" } @@ -2588,6 +2605,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "context": { "aad_session_id": "77f6d9ce-da8f-46bf-a651-4bec3c189770", + "client": { + "id": "77f6d9ce-da8f-46bf-a651-4bec3c189770" + }, "correlation": { "id": "77f6d9ce-da8f-46bf-a651-4bec3c189770" } @@ -2688,6 +2708,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "context": { "aad_session_id": "b3a9b2b4-57c9-406b-9a2d-106b7f612248", + "client": { + "id": "00000003-0000-0ff1-ce00-000000000000" + }, "correlation": { "id": "d48e6ea0-40c1-5000-5eba-0ee33d13b1ca" } 
diff --git a/_shared_content/operations_center/integrations/generated/d626fec3-473a-44b3-9e3d-587fdd99a421.md b/_shared_content/operations_center/integrations/generated/d626fec3-473a-44b3-9e3d-587fdd99a421.md index 144d42902c..0ab6433bd8 100644 --- a/_shared_content/operations_center/integrations/generated/d626fec3-473a-44b3-9e3d-587fdd99a421.md +++ b/_shared_content/operations_center/integrations/generated/d626fec3-473a-44b3-9e3d-587fdd99a421.md 
@@ -183,6 +183,304 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "elff_event_1.json" + + ```json + + { + "message": " {\n\"application-name\": \"App1\",\n \"c-ip-subnet\": \"192.168.1.0/24\",\n \"cs(referer)\": \"http://example.com\",\n \"cs(User-Agent)\": \"Mozilla/5.0\",\n \"cs(x-requested-with)\": \"XMLHttpRequest\",\n \"cs-auth-group\": \"Group1\",\n \"cs-auth-groups\": [\"Group1\", \"Group2\"],\n \"cs-bytes\": 1024,\n \"cs-categories\": [\"Category1\", \"Category2\"],\n \"cs-host\": \"example.com\",\n \"cs-icap-error-details\": \"ErrorDetails\",\n \"cs-icap-service\": \"ICAPService1\",\n \"cs-icap-status\": \"ICAPStatus1\",\n \"c-ip\": \"192.168.1.1\",\n \"cs-method\": \"GET\",\n \"cs-threat-risk\": \"High\",\n \"cs-uri-extension\": \".html\",\n \"cs-uri-path\": \"/path/to/resource\",\n \"cs-uri-port\": 80,\n \"cs-uri-query\": \"param=value\",\n \"cs-uri-scheme\": \"http\",\n \"cs-userdn\": \"user@example.com\",\n \"cs-version\": \"HTTP/1.1\",\n \"cs(X-Forwarded-For)\": \"192.168.0.1\",\n \"date\": \"2024-01-17\",\n \"ear-cas-file-reputation-score\": 95,\n \"ear-cs-referer\": \"http://referrer.com\",\n \"ear-upload-source\": \"Internal\",\n \"isolation-url\": \"http://isolation.example.com\",\n \"ma-detonated\": true,\n \"page-views\": 10,\n \"r-ip\": \"10.0.0.1\",\n \"r-supplier-country\": \"US\",\n \"risk-groups\": [\"GroupA\", \"GroupB\"],\n \"rs(content-type)\": \"text/html\",\n \"rs-icap-error-details\": \"RSICAPErrorDetails\",\n \"rs-icap-service\": \"RSICAPService1\",\n \"rs-icap-status\": \"RSICAPStatus1\",\n \"rs-version\": \"HTTP/1.1\",\n \"s-action\": \"Allow\",\n \"s-ip\": \"192.168.2.1\",\n \"s-source-ip\": \"192.168.2.2\",\n \"s-supplier-country\": \"CA\",\n \"s-supplier-failures\": 2,\n \"s-supplier-ip\": \"192.168.2.3\",\n \"sc-bytes\": 2048,\n \"sc-filter-result\": \"Allowed\",\n \"sc-status\": 200,\n \"search-terms\": \"keyword1 keyword2\",\n \"time\": \"12:34:56\",\n \"upload-source\": \"External\",\n 
\"verdict\": \"Clean\",\n \"x-bluecoat-access-type\": \"Direct\",\n \"x-bluecoat-appliance-name\": \"Appliance1\",\n \"x-bluecoat-application-name\": \"App2\",\n \"x-bluecoat-application-operation\": \"Operation1\",\n \"x-bluecoat-location-id\": \"Location1\",\n \"x-bluecoat-location-name\": \"LocationName1\",\n \"x-bluecoat-reference-id\": \"ReferenceID1\",\n \"x-bluecoat-request-tenant-id\": \"TenantID1\",\n \"x-bluecoat-placeholder\": \"Placeholder1\",\n \"x-bluecoat-transaction-uuid\": \"TransactionUUID1\",\n \"x-client-agent-sw\": \"AgentSoftware1\",\n \"x-client-agent-type\": \"AgentType1\",\n \"x-client-device-id\": \"DeviceID1\",\n \"x-client-device-name\": \"DeviceName1\",\n \"x-client-device-type\": \"DeviceType1\",\n \"x-client-os\": \"OS1\",\n \"x-cloud-rs\": \"CloudRS1\",\n \"x-client-security-posture-details\": \"SecurityDetails1\",\n \"x-client-security-posture-risk-score\": 75,\n \"s-computername\": \"Computer1\",\n \"x-cs(referer)-uri-categories\": [\"CategoryA\", \"CategoryB\"],\n \"x-cs-certificate-subject\": \"CertificateSubject1\",\n \"x-cs-client-ip-country\": \"DE\",\n \"x-cs-connection-negotiated-cipher\": \"Cipher1\",\n \"x-cs-connection-negotiated-cipher-size\": 128,\n \"x-cs-connection-negotiated-ssl-version\": \"TLSv1.2\",\n \"x-cs-ocsp-error\": \"OCSPError1\",\n \"x-data-leak-detected\": false,\n \"x-dns-cs-address\": \"DNSAddress1\",\n \"x-dns-cs-category\": \"DNSCategory1\",\n \"x-dns-cs-dns\": \"DNSName1\",\n \"x-dns-cs-opcode\": \"DNSOpcode1\",\n \"x-dns-cs-qclass\": \"DNSQClass1\",\n \"x-dns-cs-qtype\": \"DNSQType1\",\n \"x-dns-cs-threat-risk-level\": \"High\",\n \"x-dns-cs-transport\": \"DNSTransport1\",\n \"x-dns-lookup-time\": 50,\n \"x-dns-rs-a-records\": \"1.2.3.4,5.6.7.8\",\n \"x-dns-rs-cname-records\": \"cname1.example.com,cname2.example.com\",\n \"x-dns-rs-ptr-records\": \"ptr1.example.com,ptr2.example.com\",\n \"x-dns-rs-rcode\": \"NoError,NoError1\",\n \"x-exception-id\": \"ExceptionID1\",\n \"x-http-connect-host\": 
\"ConnectHost1\",\n \"x-http-connect-port\": 8080,\n \"x-icap-reqmod-header(x-icap-metadata)\": \"ReqmodHeader1\",\n \"x-icap-respmod-header(x-icap-metadata)\": \"RespmodHeader1\",\n \"x-random-ipv6\": \"2001:db8::1\",\n \"x-request-origin\": \"Origin1\",\n \"x-rs-certificate-hostname\": \"RSHostname1\",\n \"x-rs-certificate-hostname-categories\": [\"RSCategory1\", \"RSCategory2\"],\n \"x-rs-certificate-hostname-category\": \"RSHostnameCategory1\",\n \"x-rs-certificate-hostname-threat-risk\": \"Low\",\n \"x-rs-certificate-observed-errors\": 3,\n \"x-rs-certificate-validate-status\": \"Valid\",\n \"x-rs-connection-negotiated-cipher\": \"RSConnectionCipher1\",\n \"x-rs-connection-negotiated-cipher-size\": 256,\n \"x-rs-connection-negotiated-cipher-strength\": \"High\",\n \"x-rs-connection-negotiated-ssl-version\": \"TLSv1.3\",\n \"x-rs-ocsp-error\": \"RSOCSPError1\",\n \"x-sc-connection-issuer-keyring\": \"IssuerKeyring1\",\n \"x-sc-connection-issuer-keyring-alias\": \"IssuerAlias1\",\n \"x-sr-vpop-country\": \"SRVPopCountry1\",\n \"x-sr-vpop-country-code\": \"SRVPopCountryCode1\",\n \"x-sr-vpop-ip\": \"SRVPopIP1\",\n \"x-symc-dei-app\": \"DEIApp1\",\n \"x-symc-dei-via\": \"DEIVia1\",\n \"x-timestamp-unix\": 1642419296,\n \"x-virus-id\": \"VirusID1\"\n }", + "event": { + "action": "Allow", + "category": [ + "web" + ], + "kind": "event", + "type": [ + "access" + ] + }, + "@timestamp": "2024-01-17T12:34:56Z", + "broadcom": { + "data_leak_detected": "False", + "file_reputation_score": "95", + "forwarded_for": "192.168.0.1", + "threat_risk": { + "certificate_hostname": "Low", + "dns_lvl": "High", + "lvl": "High" + }, + "virus_id": "VirusID1" + }, + "client": { + "address": "192.168.1.1", + "bytes": 1024, + "ip": "192.168.1.1", + "user": { + "name": "user@example.com" + } + }, + "dns": { + "answers": [ + { + "data": "1.2.3.4", + "type": "A" + }, + { + "data": "5.6.7.8", + "type": "A" + }, + { + "data": "cname1.example.com", + "type": "CNAME" + }, + { + "data": 
"cname2.example.com", + "type": "CNAME" + }, + { + "data": "ptr1.example.com", + "type": "PTR" + }, + { + "data": "ptr2.example.com", + "type": "PTR" + }, + { + "data": "NoError", + "type": "RCODE" + }, + { + "data": "NoError1", + "type": "RCODE" + } + ], + "op_code": "DNSOpcode1", + "question": { + "class": "DNSQClass1", + "name": "DNSName1", + "type": "DNSQType1" + } + }, + "host": { + "os": { + "full": "OS1" + } + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 200 + } + }, + "network": { + "application": "App1" + }, + "observer": { + "name": "Computer1", + "product": "Cloud Secure Web Gateway", + "vendor": "Broadcom" + }, + "related": { + "hosts": [ + "DNSName1", + "example.com" + ], + "ip": [ + "192.168.1.1", + "192.168.2.1" + ], + "user": [ + "user@example.com" + ] + }, + "server": { + "bytes": 2048, + "ip": "192.168.2.1" + }, + "tls": { + "server": { + "x509": { + "alternative_names": [ + "RSHostname1" + ] + } + } + }, + "url": { + "domain": "example.com", + "path": "/path/to/resource", + "port": 80, + "query": "param=value", + "registered_domain": "example.com", + "scheme": "http", + "top_level_domain": "com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Mozilla/5.0", + "os": { + "name": "Other" + } + } + } + + ``` + + +=== "elff_event_2.json" + + ```json + + { + "message": " {\n\"time-taken\": \"random word\", \"application-name\": \"App1\",\n \"c-ip-subnet\": \"192.168.1.0/24\",\n \"cs(referer)\": \"http://example.com\",\n \"cs(User-Agent)\": \"Mozilla/5.0\",\n \"cs(x-requested-with)\": \"XMLHttpRequest\",\n \"cs-auth-group\": \"Group1\",\n \"cs-auth-groups\": [\"Group1\", \"Group2\"],\n \"cs-bytes\": 1024,\n \"cs-categories\": [\"Category1\", \"Category2\"],\n \"cs-host\": \"example.com\",\n \"cs-icap-error-details\": \"ErrorDetails\",\n \"cs-icap-service\": \"ICAPService1\",\n \"cs-icap-status\": \"ICAPStatus1\",\n \"c-ip\": \"192.168.1.1\",\n \"cs-method\": \"GET\",\n 
\"cs-threat-risk\": \"High\",\n \"cs-uri-extension\": \".html\",\n \"cs-uri-path\": \"/path/to/resource\",\n \"cs-uri-port\": 80,\n \"cs-uri-query\": \"param=value\",\n \"cs-uri-scheme\": \"http\",\n \"cs-userdn\": \"user@example.com\",\n \"cs-version\": \"HTTP/1.1\",\n \"cs(X-Forwarded-For)\": \"192.168.0.1\",\n \"date\": \"2024-01-17\",\n \"ear-cas-file-reputation-score\": 95,\n \"ear-cs-referer\": \"http://referrer.com\",\n \"ear-upload-source\": \"Internal\",\n \"isolation-url\": \"http://isolation.example.com\",\n \"ma-detonated\": true,\n \"page-views\": 10,\n \"r-ip\": \"10.0.0.1\",\n \"r-supplier-country\": \"US\",\n \"risk-groups\": [\"GroupA\", \"GroupB\"],\n \"rs(content-type)\": \"text/html\",\n \"rs-icap-error-details\": \"RSICAPErrorDetails\",\n \"rs-icap-service\": \"RSICAPService1\",\n \"rs-icap-status\": \"RSICAPStatus1\",\n \"rs-version\": \"HTTP/1.1\",\n \"s-action\": \"Allow\",\n \"s-ip\": \"192.168.2.1\",\n \"s-source-ip\": \"192.168.2.2\",\n \"s-supplier-country\": \"CA\",\n \"s-supplier-failures\": 2,\n \"s-supplier-ip\": \"192.168.2.3\",\n \"sc-bytes\": 2048,\n \"sc-filter-result\": \"Allowed\",\n \"sc-status\": 200,\n \"search-terms\": \"keyword1 keyword2\",\n \"time\": \"12:34:56\",\n \"upload-source\": \"External\",\n \"verdict\": \"Clean\",\n \"x-bluecoat-access-type\": \"Direct\",\n \"x-bluecoat-appliance-name\": \"Appliance1\",\n \"x-bluecoat-application-name\": \"App2\",\n \"x-bluecoat-application-operation\": \"Operation1\",\n \"x-bluecoat-location-id\": \"Location1\",\n \"x-bluecoat-location-name\": \"LocationName1\",\n \"x-bluecoat-reference-id\": \"ReferenceID1\",\n \"x-bluecoat-request-tenant-id\": \"TenantID1\",\n \"x-bluecoat-placeholder\": \"Placeholder1\",\n \"x-bluecoat-transaction-uuid\": \"TransactionUUID1\",\n \"x-client-agent-sw\": \"AgentSoftware1\",\n \"x-client-agent-type\": \"AgentType1\",\n \"x-client-device-id\": \"DeviceID1\",\n \"x-client-device-name\": \"DeviceName1\",\n \"x-client-device-type\": 
\"DeviceType1\",\n \"x-client-os\": \"OS1\",\n \"x-cloud-rs\": \"CloudRS1\",\n \"x-client-security-posture-details\": \"SecurityDetails1\",\n \"x-client-security-posture-risk-score\": 75,\n \"s-computername\": \"Computer1\",\n \"x-cs(referer)-uri-categories\": [\"CategoryA\", \"CategoryB\"],\n \"x-cs-certificate-subject\": \"CertificateSubject1\",\n \"x-cs-client-ip-country\": \"DE\",\n \"x-cs-connection-negotiated-cipher\": \"Cipher1\",\n \"x-cs-connection-negotiated-cipher-size\": 128,\n \"x-cs-connection-negotiated-ssl-version\": \"TLSv1.2\",\n \"x-cs-ocsp-error\": \"OCSPError1\",\n \"x-data-leak-detected\": false,\n \"x-dns-cs-address\": \"DNSAddress1\",\n \"x-dns-cs-category\": \"DNSCategory1\",\n \"x-dns-cs-dns\": \"DNSName1\",\n \"x-dns-cs-opcode\": \"DNSOpcode1\",\n \"x-dns-cs-qclass\": \"DNSQClass1\",\n \"x-dns-cs-qtype\": \"DNSQType1\",\n \"x-dns-cs-threat-risk-level\": \"High\",\n \"x-dns-cs-transport\": \"DNSTransport1\",\n \"x-dns-lookup-time\": 50,\n \"x-dns-rs-a-records\": \"1.2.3.4,5.6.7.8\",\n \"x-dns-rs-cname-records\": \"cname1.example.com,cname2.example.com\",\n \"x-dns-rs-ptr-records\": \"ptr1.example.com,ptr2.example.com\",\n \"x-dns-rs-rcode\": \"NoError,NoError1\",\n \"x-exception-id\": \"ExceptionID1\",\n \"x-http-connect-host\": \"ConnectHost1\",\n \"x-http-connect-port\": 8080,\n \"x-icap-reqmod-header(x-icap-metadata)\": \"ReqmodHeader1\",\n \"x-icap-respmod-header(x-icap-metadata)\": \"RespmodHeader1\",\n \"x-random-ipv6\": \"2001:db8::1\",\n \"x-request-origin\": \"Origin1\",\n \"x-rs-certificate-hostname\": \"RSHostname1\",\n \"x-rs-certificate-hostname-categories\": [\"RSCategory1\", \"RSCategory2\"],\n \"x-rs-certificate-hostname-category\": \"RSHostnameCategory1\",\n \"x-rs-certificate-hostname-threat-risk\": \"Low\",\n \"x-rs-certificate-observed-errors\": 3,\n \"x-rs-certificate-validate-status\": \"Valid\",\n \"x-rs-connection-negotiated-cipher\": \"RSConnectionCipher1\",\n \"x-rs-connection-negotiated-cipher-size\": 256,\n 
\"x-rs-connection-negotiated-cipher-strength\": \"High\",\n \"x-rs-connection-negotiated-ssl-version\": \"TLSv1.3\",\n \"x-rs-ocsp-error\": \"RSOCSPError1\",\n \"x-sc-connection-issuer-keyring\": \"IssuerKeyring1\",\n \"x-sc-connection-issuer-keyring-alias\": \"IssuerAlias1\",\n \"x-sr-vpop-country\": \"SRVPopCountry1\",\n \"x-sr-vpop-country-code\": \"SRVPopCountryCode1\",\n \"x-sr-vpop-ip\": \"SRVPopIP1\",\n \"x-symc-dei-app\": \"DEIApp1\",\n \"x-symc-dei-via\": \"DEIVia1\",\n \"x-timestamp-unix\": 1642419296,\n \"x-virus-id\": \"VirusID1\"\n }", + "event": { + "action": "Allow", + "category": [ + "web" + ], + "kind": "event", + "type": [ + "access" + ] + }, + "@timestamp": "2024-01-17T12:34:56Z", + "broadcom": { + "data_leak_detected": "False", + "file_reputation_score": "95", + "forwarded_for": "192.168.0.1", + "threat_risk": { + "certificate_hostname": "Low", + "dns_lvl": "High", + "lvl": "High" + }, + "virus_id": "VirusID1" + }, + "client": { + "address": "192.168.1.1", + "bytes": 1024, + "ip": "192.168.1.1", + "user": { + "name": "user@example.com" + } + }, + "dns": { + "answers": [ + { + "data": "1.2.3.4", + "type": "A" + }, + { + "data": "5.6.7.8", + "type": "A" + }, + { + "data": "cname1.example.com", + "type": "CNAME" + }, + { + "data": "cname2.example.com", + "type": "CNAME" + }, + { + "data": "ptr1.example.com", + "type": "PTR" + }, + { + "data": "ptr2.example.com", + "type": "PTR" + }, + { + "data": "NoError", + "type": "RCODE" + }, + { + "data": "NoError1", + "type": "RCODE" + } + ], + "op_code": "DNSOpcode1", + "question": { + "class": "DNSQClass1", + "name": "DNSName1", + "type": "DNSQType1" + } + }, + "host": { + "os": { + "full": "OS1" + } + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 200 + } + }, + "network": { + "application": "App1" + }, + "observer": { + "name": "Computer1", + "product": "Cloud Secure Web Gateway", + "vendor": "Broadcom" + }, + "related": { + "hosts": [ + "DNSName1", + "example.com" + 
], + "ip": [ + "192.168.1.1", + "192.168.2.1" + ], + "user": [ + "user@example.com" + ] + }, + "server": { + "bytes": 2048, + "ip": "192.168.2.1" + }, + "tls": { + "server": { + "x509": { + "alternative_names": [ + "RSHostname1" + ] + } + } + }, + "url": { + "domain": "example.com", + "path": "/path/to/resource", + "port": 80, + "query": "param=value", + "registered_domain": "example.com", + "scheme": "http", + "top_level_domain": "com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Mozilla/5.0", + "os": { + "name": "Other" + } + } + } + + ``` + + diff --git a/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md b/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md index 1656c6608e..188fb8c215 100644 --- a/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md +++ b/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md @@ -251,9 +251,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": "5.6.7.8", "port": 443 }, - "host": { - "name": " " - }, "network": { "protocol": "TCP" }, @@ -311,15 +308,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "@timestamp": "2023-08-28T15:43:14Z", "destination": { - "address": "5.6.7.8", - "ip": "5.6.7.8" + "address": "a.et.nytimes.com", + "domain": "a.et.nytimes.com", + "ip": "5.6.7.8", + "registered_domain": "nytimes.com", + "subdomain": "a.et", + "top_level_domain": "com" }, "file": { "type": "filetype 1" }, - "host": { - "name": "a.et.nytimes.com" - }, "http": { "request": { "bytes": 608, 
@@ -392,6 +390,110 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_event_web2.json" + + ```json + + { + "message": "{\"sourcetype\": \"zscalernss-web\",\"event\": {\"datetime\": \"2023-08-28 15:43:14\",\"reason\": \"Allowed\",\"event_id\": \"1111111111111111111\",\"protocol\": \"SSL\",\"action\": \"Allowed\",\"transactionsize\": \"608\",\"responsesize\": \"0\",\"requestsize\": \"608\",\"urlcategory\": \"News and Media\",\"serverip\": \"5.6.7.8\",\"requestmethod\": \"NA\",\"refererURL\": \"None\",\"useragent\": \"Unknown\",\"product\": \"NSS\",\"location\": \"Road%20Warrior\",\"ClientIP\": \"1.2.3.4\",\"status\": \"NA\",\"user\": \"john.doe@example.org\",\"url\": \"ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?9ea4b61fd3501b07\",\"vendor\": \"Zscaler\",\"hostname\": \"a.et.nytimes.com\",\"clientpublicIP\": \"4.3.2.1\",\"threatcategory\": \"Threat category 1\",\"threatname\": \"Threat Name 1\",\"filetype\": \"filetype 1\",\"appname\": \"General Browsing\",\"pagerisk\": \"0\",\"department\": \"Financial%20Dept\",\"urlsupercategory\": \"News and Media\",\"appclass\": \"General Browsing\",\"dlpengine\": \"None\",\"urlclass\": \"Bandwidth Loss\",\"threatclass\": \"threat class # 1\",\"dlpdictionaries\": \"None\",\"fileclass\": \"None\",\"bwthrottle\": \"NO\",\"contenttype\": \"Other\",\"unscannabletype\": \"None\",\"deviceowner\": \"johndoe\",\"devicehostname\": \" \",\"keyprotectiontype\": \"N/A\"}}", + "event": { + "action": "allowed", + "category": [ + "network" + ], + "dataset": "web", + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2023-08-28T15:43:14Z", + "destination": { + "address": "a.et.nytimes.com", + "domain": "a.et.nytimes.com", + "ip": "5.6.7.8", + "registered_domain": "nytimes.com", + "subdomain": "a.et", + "top_level_domain": "com" + }, + "file": { + "type": "filetype 1" + }, + "http": { + "request": { + "bytes": 608, + "method": "NA" + }, + "response": { + 
"bytes": 0, + "mime_type": "Other" + } + }, + "network": { + "protocol": "SSL" + }, + "related": { + "hosts": [ + "a.et.nytimes.com", + "ctldl.windowsupdate.com" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "server": { + "ip": "5.6.7.8" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "url": { + "domain": "ctldl.windowsupdate.com", + "path": "msdownload/update/v3/static/trustedr/en/pinrulesstl.cab", + "query": "9ea4b61fd3501b07", + "registered_domain": "windowsupdate.com", + "subdomain": "ctldl", + "top_level_domain": "com" + }, + "user": { + "email": "john.doe@example.org" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Unknown", + "os": { + "name": "Other" + } + }, + "zscaler": { + "zia": { + "appname": "General Browsing", + "department": "Financial%20Dept", + "device": { + "owner": "johndoe" + }, + "event_id": "1111111111111111111", + "keyprotectiontype": "N/A", + "product": "NSS", + "source_type": "zscalernss-web", + "threat": { + "category": "Threat category 1", + "class": "threat class # 1", + "name": "Threat Name 1" + }, + "vendor": "Zscaler" + } + } + } + + ``` + + === "test_saas_security_event.json" ```json @@ -629,6 +731,7 @@ The following table lists the fields that are extracted, normalized under the EC | ---- | ---- | ---------------------------| |`@timestamp` | `date` | Date/time when the event originated. | |`destination.bytes` | `long` | Bytes sent from the destination to the source. | +|`destination.domain` | `keyword` | The domain name of the destination. | |`destination.geo.country_name` | `keyword` | Country name. | |`destination.ip` | `ip` | IP address of the destination. | |`destination.port` | `long` | Port of the destination. | 
@@ -662,6 +765,8 @@ The following table lists the fields that are extracted, normalized under the EC |`source.port` | `long` | Port of the source. | |`url.domain` | `keyword` | Domain of the url. | |`url.original` | `wildcard` | Unmodified original url as seen in the event source. | +|`url.path` | `wildcard` | Path of the request, such as "/search". | +|`url.query` | `keyword` | Query string of the request. | |`user.email` | `keyword` | User email address. | |`user_agent.original` | `keyword` | Unparsed user_agent string. | |`zscaler.zia.appname` | `keyword` | ZScaler app name | diff --git a/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md b/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md index dbe4924f41..9aae1d5001 100644 --- a/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md +++ b/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md 
@@ -29,6 +29,92 @@ In details, the following table denotes the type of events produced by this inte Find below few samples of events and how they are normalized by Sekoia.io. +=== "action_overdict.json" + + ```json + + { + "message": "{ \"id\": \"abcdefgh\", \"date\": \"2024-01-31T10:11:13.974Z\", \"sender_ip\": \"1.2.3.4\", \"from\": \"user@test.fr\", \"from_header\": \"user user@test.fr\", \"to\": \"destuser@test.fr\", \"to_header\": \"header stuff\", \"subject\": \"subject\", \"message_id\": \"ABCDEF\", \"urls\": [ { \"url\": \"https://www.test.com/\" }, { \"url\": \"http://www.test.fr\" }, { \"url\": \"https://www.test.io\" } ], \"attachments\": [ { \"id\": \"abcdef\", \"filename\": \"image006.png\", \"extension\": \"png\", \"size\": 477, \"hashes\": { \"md5\": \"abcdef\", \"sha1\": \"abcdef\", \"sha256\": \"abcdef\", \"sha512\": \"abcdef\" } }, { \"id\": \"abcdef\", \"filename\": \"sample.pdf\", \"extension\": \"pdf\", \"size\": 237284, \"hashes\": { \"md5\": \"abcdef\", \"sha1\": \"abcdef\", \"sha256\": \"abcdef\", \"sha512\": \"abcdef\" } } ], \"status\": \"LOW_SPAM\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 460793, \"current_events\": [], \"whitelisted\": true, \"direction\": \"incoming\", \"remediation_message_read\": false, \"geo\": { \"country_name\": \"Ireland\", \"country_iso_code\": \"IE\", \"city_name\": \"Dublin\" }, \"malware_bypass\": false, \"reply_to_header\": \"\", \"overdict\": \"clean\", \"auth_results_details\": \"\" }", + "event": { + "action": "nothing", + "category": [ + "email" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "email": { + "attachments": [ + { + "file": { + "extension": "png", + "hash": { + "md5": "abcdef", + "sha1": "abcdef", + "sha256": "abcdef", + "sha512": "abcdef" + }, + "name": "image006.png", + "size": 477 + } + }, + { + "file": { + "extension": 
"pdf", + "hash": { + "md5": "abcdef", + "sha1": "abcdef", + "sha256": "abcdef", + "sha512": "abcdef" + }, + "name": "sample.pdf", + "size": 237284 + } + } + ], + "from": { + "address": "user@test.fr" + }, + "local_id": "abcdefgh", + "message_id": "ABCDEF", + "subject": "subject", + "to": { + "address": "destuser@test.fr" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "vadesecure": { + "attachments": [ + { + "filename": "image006.png", + "id": "abcdef" + }, + { + "filename": "sample.pdf", + "id": "abcdef" + } + ], + "from_header": "user user@test.fr", + "overdict": "clean", + "status": "LOW_SPAM", + "to_header": "header stuff", + "whitelist": "true" + } + } + + ``` + + === "email.json" ```json @@ -358,6 +444,7 @@ The following table lists the fields that are extracted, normalized under the EC |`vadesecure.campaign.nb_messages_remediated_unread` | `long` | The number of total unread messages involved in the remediation. | |`vadesecure.folder` | `keyword` | vadesecure.folder | |`vadesecure.from_header` | `keyword` | vadesecure.from_header | +|`vadesecure.overdict` | `keyword` | vadesecure.overdict | |`vadesecure.status` | `keyword` | vadesecure.status | |`vadesecure.substatus` | `keyword` | vadesecure.substatus | |`vadesecure.to_header` | `keyword` | vadesecure.to_header | diff --git a/_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0.md b/_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0.md index f5dcdbbd7c..77eb699561 100644 --- a/_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0.md +++ b/_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0.md 
@@ -996,6 +996,100 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_type_11_1.json" + + ```json + + { + "message": "{\n \"Version\": 1,\n \"Type\": 11,\n \"TypeComputedMap\": \"ProcessExecution\",\n \"Severity\": 0,\n \"ServerReserved\": 0,\n \"Attributes\": 2,\n \"AttributesComputedBitMap\": [\n \"Protection\"\n ],\n \"EventGuid\": \"{5024762E-73B4-40DC-823A-7B080C82C542}\",\n \"GenerateIncident\": true,\n \"Timestamp\": \"2024-02-01T08:10:33.7922326-08:00\",\n \"TimestampRaw\": 133512774337922326,\n \"SpecificData\": {\n \"SourceProcess\": {\n \"PID\": 7248,\n \"ProcessGuid\": \"{90FC03BE-4FBF-4184-A304-6D4B00AA152B}\",\n \"ProcessImageName\": \"C:\\\\ragnarlocker.exe\",\n \"VolumeZone\": 1,\n \"VolumeZoneComputedBitMap\": [\n \"Operating system\"\n ],\n \"ProcessCommandLine\": \"\\\"C:\\\\ragnarlocker.exe\\\" \",\n \"User\": \"S-1-5-21-1111111111-22222222-3333333333-000\",\n \"UserNameLookup\": \"Administrator\",\n \"UserDomainLookup\": \"EXAMPLE\",\n \"IntegrityLevel\": \"S-1-16-11111\",\n \"IntegrityLevelNameLookup\": \"High Mandatory Level\",\n \"IntegrityLevelDomainLookup\": \"Mandatory Label\",\n \"SessionID\": 1,\n \"HashMd5\": \"68B329DA9893E34099C7D8AD5CB9C940\",\n \"HashSha1\": \"ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC\",\n \"HashSha256\": \"01BA4719C80B6FE911B091A7C05124B64EEECE964E09C058EF8F9805DACA546B\",\n \"IsProtectedOrCritical\": false,\n \"CertificateSignatureState\": 2,\n \"CertificateSignatureStateComputedMap\": \"SignatureStateNoSignature\",\n \"Certificates\": [],\n \"ProcessStartTime\": \"2024-02-01T08:10:33.5801449-08:00\",\n \"ProcessStartTimeRaw\": 133512774335801449\n },\n \"Action\": {\n \"PolicyGuid\": \"{64AA4553-15FC-4188-B4AD-A0BDCFB11ED9}\",\n \"PolicyVersion\": 14,\n \"RuleGuid\": \"{B88B8874-E8E3-4F42-92B8-61D364DB65B9}\",\n \"BaseRuleGuid\": \"{0C4D019E-B7D5-4456-909A-C5F4152461AE}\",\n \"IdentifierGuid\": \"{BC74B5FB-8880-4A74-8316-FE865F9EA75C}\",\n \"Blocked\": true,\n 
\"UserDecision\": false,\n \"SourceProcessKilled\": true\n },\n \"CreatedProcess\": {\n \"PID\": 11308,\n \"ProcessGuid\": \"{24F0AA75-BC26-4245-829E-97087BB07A47}\",\n \"ProcessImageName\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"VolumeZone\": 1,\n \"VolumeZoneComputedBitMap\": [\n \"Operating system\"\n ],\n \"ProcessCommandLine\": \"cmd.exe /c vssadmin delete shadows /all /quiet\",\n \"User\": \"S-1-5-21-1111111111-22222222-3333333333-000\",\n \"UserNameLookup\": \"Administrator\",\n \"UserDomainLookup\": \"EXAMPLE\",\n \"IntegrityLevel\": \"S-1-16-11111\",\n \"IntegrityLevelNameLookup\": \"High Mandatory Level\",\n \"IntegrityLevelDomainLookup\": \"Mandatory Label\",\n \"SessionID\": 1,\n \"HashMd5\": \"68B329DA9893E34099C7D8AD5CB9C940\",\n \"HashSha1\": \"ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC\",\n \"HashSha256\": \"01BA4719C80B6FE911B091A7C05124B64EEECE964E09C058EF8F9805DACA546B\",\n \"IsProtectedOrCritical\": false,\n \"CertificateSignatureState\": 1,\n \"CertificateSignatureStateComputedMap\": \"SignatureStateTrusted\",\n \"Certificates\": [\n {\n \"Algorithm\": \"SHA256\",\n \"IssuerCN\": \"Microsoft Windows Production PCA 2011\",\n \"SubjectCN\": \"Microsoft Windows\",\n \"SigningTime\": \"2013-08-22T05:07:49.2400000-08:00\",\n \"ValidityStart\": \"2013-06-17T13:43:38.0000000-08:00\",\n \"ValidityEnd\": \"2014-09-17T13:43:38.0000000-08:00\"\n }\n ],\n \"ProcessStartTime\": \"2024-02-01T08:10:33.7833468-08:00\",\n \"ProcessStartTimeRaw\": 133512774337833468\n },\n \"ParentProcess\": {\n \"PID\": 7248,\n \"ProcessGuid\": \"{D057290C-D86A-441B-B3CB-C6E54D42EBA5}\",\n \"ProcessImageName\": \"C:\\\\ragnarlocker.exe\",\n \"VolumeZone\": 1,\n \"VolumeZoneComputedBitMap\": [\n \"Operating system\"\n ],\n \"ProcessCommandLine\": \"\\\"C:\\\\ragnarlocker.exe\\\" \",\n \"User\": \"S-1-5-21-1111111111-22222222-3333333333-000\",\n \"UserNameLookup\": \"Administrator\",\n \"UserDomainLookup\": \"EXAMPLE\",\n \"IntegrityLevel\": \"S-1-16-11111\",\n 
\"IntegrityLevelNameLookup\": \"High Mandatory Level\",\n \"IntegrityLevelDomainLookup\": \"Mandatory Label\",\n \"SessionID\": 1,\n \"HashMd5\": \"68B329DA9893E34099C7D8AD5CB9C940\",\n \"HashSha1\": \"ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC\",\n \"HashSha256\": \"01BA4719C80B6FE911B091A7C05124B64EEECE964E09C058EF8F9805DACA546B\",\n \"IsProtectedOrCritical\": false,\n \"CertificateSignatureState\": 2,\n \"CertificateSignatureStateComputedMap\": \"SignatureStateNoSignature\",\n \"Certificates\": [],\n \"ProcessStartTime\": \"2024-02-01T08:10:33.5801449-08:00\",\n \"ProcessStartTimeRaw\": 133512774335801449\n }\n },\n \"AdditionalData\": {\n \"AgentAddresses\": [\n \"172.24.0.14\"\n ],\n \"AgentGroupGuid\": \"{00000000-0000-0000-0000-000000000000}\",\n \"AgentGroupName\": \"Default group\",\n \"AgentGuid\": \"{074C7CCE-ACF4-4674-9650-4B63B569892F}\",\n \"AgentName\": \"WINSERVER2012\",\n \"CategoryName\": \"Process\",\n \"IncidentGuid\": \"{12CA4135-575E-49DE-89AD-4CD35EE2EB3B}\",\n \"Message\": \"The 'ragnarlocker.exe' process attempted to run the 'cmd.exe' process\",\n \"PolicyName\": \"Stormshield - Incredible policy (1)\",\n \"SeverityName\": \"Emergency\"\n }\n}", + "event": { + "category": [ + "process" + ], + "code": "ProcessExecution", + "kind": "event", + "reason": "The 'ragnarlocker.exe' process attempted to run the 'cmd.exe' process", + "severity": 0, + "type": [ + "start" + ] + }, + "@timestamp": "2024-02-01T16:10:33.792232Z", + "process": { + "command_line": "cmd.exe /c vssadmin delete shadows /all /quiet", + "executable": "C:\\Windows\\System32\\cmd.exe", + "hash": { + "md5": "68B329DA9893E34099C7D8AD5CB9C940", + "sha1": "ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC", + "sha256": "01BA4719C80B6FE911B091A7C05124B64EEECE964E09C058EF8F9805DACA546B" + }, + "name": "cmd.exe", + "parent": { + "command_line": "\"C:\\ragnarlocker.exe\" ", + "executable": "C:\\ragnarlocker.exe", + "hash": { + "md5": "68B329DA9893E34099C7D8AD5CB9C940", + "sha1": 
"ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC", + "sha256": "01BA4719C80B6FE911B091A7C05124B64EEECE964E09C058EF8F9805DACA546B" + }, + "name": "ragnarlocker.exe", + "pid": 7248, + "start": "2024-02-01T16:10:33.580144Z", + "user": { + "id": "S-1-5-21-1111111111-22222222-3333333333-000", + "name": "Administrator" + } + }, + "pid": 11308, + "start": "2024-02-01T16:10:33.783346Z", + "user": { + "id": "S-1-5-21-1111111111-22222222-3333333333-000", + "name": "Administrator" + } + }, + "related": { + "hash": [ + "01BA4719C80B6FE911B091A7C05124B64EEECE964E09C058EF8F9805DACA546B", + "68B329DA9893E34099C7D8AD5CB9C940", + "ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC" + ] + }, + "rule": { + "ruleset": "Stormshield - Incredible policy (1)", + "uuid": "B88B8874-E8E3-4F42-92B8-61D364DB65B9" + }, + "stormshield": { + "ses": { + "action": { + "blocked": true, + "user_decision": false + }, + "categoryname": "Process", + "incident": { + "id": "{12CA4135-575E-49DE-89AD-4CD35EE2EB3B}" + }, + "level": "Emergency", + "process": { + "parent": { + "user": { + "domain": "EXAMPLE" + } + }, + "user": { + "domain": "EXAMPLE" + } + }, + "source_process": { + "killed": true + }, + "type": "11" + } + } + } + + ``` + + === "test_type_173.json" ```json 
@@ -5736,6 +5830,91 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_type_55_1.json" + + ```json + + { + "message": "{\n \"Version\": 1,\n \"Type\": 55,\n \"TypeComputedMap\": \"CreateRemoteThread\",\n \"Severity\": 1,\n \"ServerReserved\": 0,\n \"Attributes\": 2,\n \"AttributesComputedBitMap\": [\n \"Protection\"\n ],\n \"EventGuid\": \"{3FC7A46F-A166-4316-B0B0-859DF8E93B98}\",\n \"GenerateIncident\": true,\n \"Timestamp\": \"2024-02-01T08:09:21.8983738-08:00\",\n \"TimestampRaw\": 133512773618983738,\n \"SpecificData\": {\n \"SourceProcess\": {\n \"PID\": 4452,\n \"ProcessGuid\": \"{18561EAB-115D-4B1E-ACF9-E185819BB548}\",\n \"ProcessImageName\": \"C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\",\n \"VolumeZone\": 1,\n \"VolumeZoneComputedBitMap\": [\n \"Operating system\"\n ],\n \"ProcessCommandLine\": \"C:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe -Embedding\",\n \"User\": \"S-1-5-18\",\n \"UserNameLookup\": \"SYSTEM\",\n \"UserDomainLookup\": \"NT AUTHORITY\",\n \"IntegrityLevel\": \"S-1-16-11111\",\n \"IntegrityLevelNameLookup\": \"System Mandatory Level\",\n \"IntegrityLevelDomainLookup\": \"Mandatory Label\",\n \"SessionID\": 0,\n \"HashMd5\": \"68B329DA9893E34099C7D8AD5CB9C940\",\n \"HashSha1\": \"ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC\",\n \"HashSha256\": \"01BA4719C80B6FE911B091A7C05124B64EEECE964E09C058EF8F9805DACA546B\",\n \"IsProtectedOrCritical\": false,\n \"CertificateSignatureState\": 1,\n \"CertificateSignatureStateComputedMap\": \"SignatureStateTrusted\",\n \"Certificates\": [\n {\n \"Algorithm\": \"SHA256\",\n \"IssuerCN\": \"Microsoft Windows Production PCA 2011\",\n \"SubjectCN\": \"Microsoft Windows\",\n \"SigningTime\": \"2016-12-10T03:42:04.9630000-08:00\",\n \"ValidityStart\": \"2016-10-11T12:39:31.0000000-08:00\",\n \"ValidityEnd\": \"2018-01-11T12:39:31.0000000-08:00\"\n }\n ],\n \"ProcessStartTime\": \"2024-02-01T08:04:31.5500341-08:00\",\n \"ProcessStartTimeRaw\": 
133512770715500341\n },\n \"Action\": {\n \"PolicyGuid\": \"{05AB2138-A3DD-46D5-926E-901041D49FD8}\",\n \"PolicyVersion\": 14,\n \"RuleGuid\": \"{6082AB41-5836-4BDD-B479-19DC0ABA4302}\",\n \"BaseRuleGuid\": \"{2F13CCB0-21D2-43B0-8D10-D241A6989FBD}\",\n \"IdentifierGuid\": \"{94699F8C-0E7A-490E-A3CA-1C851232B577}\",\n \"Blocked\": false,\n \"UserDecision\": false,\n \"SourceProcessKilled\": false\n },\n \"TargetProcess\": {\n \"PID\": 608,\n \"ProcessGuid\": \"{1876D654-057F-4B5D-9D1B-69BA1C74DA4B}\",\n \"ProcessImageName\": \"C:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"VolumeZone\": 1,\n \"VolumeZoneComputedBitMap\": [\n \"Operating system\"\n ],\n \"ProcessCommandLine\": \"C:\\\\Windows\\\\system32\\\\lsass.exe\",\n \"User\": \"S-1-5-18\",\n \"UserNameLookup\": \"SYSTEM\",\n \"UserDomainLookup\": \"NT AUTHORITY\",\n \"IntegrityLevel\": \"S-1-16-16384\",\n \"IntegrityLevelNameLookup\": \"System Mandatory Level\",\n \"IntegrityLevelDomainLookup\": \"Mandatory Label\",\n \"SessionID\": 0,\n \"HashMd5\": \"68B329DA9893E34099C7D8AD5CB9C940\",\n \"HashSha1\": \"ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC\",\n \"HashSha256\": \"01BA4719C80B6FE911B091A7C05124B64EEECE964E09C058EF8F9805DACA546B\",\n \"IsProtectedOrCritical\": false,\n \"CertificateSignatureState\": 1,\n \"CertificateSignatureStateComputedMap\": \"SignatureStateTrusted\",\n \"Certificates\": [\n {\n \"Algorithm\": \"SHA256\",\n \"IssuerCN\": \"Microsoft Windows Production PCA 2011\",\n \"SubjectCN\": \"Microsoft Windows Publisher\",\n \"SigningTime\": \"2013-08-22T04:32:54.6290000-08:00\",\n \"ValidityStart\": \"2013-03-13T13:34:10.0000000-08:00\",\n \"ValidityEnd\": \"2014-06-13T13:34:10.0000000-08:00\"\n }\n ],\n \"ProcessStartTime\": \"2024-02-01T08:03:34.5476641-08:00\",\n \"ProcessStartTimeRaw\": 133512770145476641\n }\n },\n \"AdditionalData\": {\n \"AgentAddresses\": [\n \"172.24.0.14\"\n ],\n \"AgentGroupGuid\": \"{00000000-0000-0000-0000-000000000000}\",\n \"AgentGroupName\": \"Default group\",\n 
\"AgentGuid\": \"{FD088C3A-30F3-4119-8FC0-7527538EF361}\",\n \"AgentName\": \"WINSERVER2012\",\n \"CategoryName\": \"Process\",\n \"IncidentGuid\": \"{49C0571C-0F35-46E6-A81C-35F8F011D8A5}\",\n \"Message\": \"The 'WmiPrvSE.exe' process injected code into the 'lsass.exe' process\",\n \"PolicyName\": \"Stormshield - Incredible policy (1)\",\n \"SeverityName\": \"Alert\"\n }\n}", + "event": { + "category": [ + "process" + ], + "code": "CreateRemoteThread", + "kind": "event", + "reason": "The 'WmiPrvSE.exe' process injected code into the 'lsass.exe' process", + "severity": 1, + "type": [ + "info" + ] + }, + "@timestamp": "2024-02-01T16:09:21.898373Z", + "action": { + "properties": { + "TargetCommandLine": "C:\\Windows\\system32\\lsass.exe", + "TargetImage": "C:\\Windows\\System32\\lsass.exe" + } + }, + "process": { + "command_line": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding", + "executable": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "hash": { + "md5": "68B329DA9893E34099C7D8AD5CB9C940", + "sha1": "ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC", + "sha256": "01BA4719C80B6FE911B091A7C05124B64EEECE964E09C058EF8F9805DACA546B" + }, + "name": "WmiPrvSE.exe", + "pid": 4452, + "start": "2024-02-01T16:04:31.550034Z", + "user": { + "id": "S-1-5-18", + "name": "SYSTEM" + } + }, + "related": { + "hash": [ + "01BA4719C80B6FE911B091A7C05124B64EEECE964E09C058EF8F9805DACA546B", + "68B329DA9893E34099C7D8AD5CB9C940", + "ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC" + ] + }, + "rule": { + "ruleset": "Stormshield - Incredible policy (1)", + "uuid": "6082AB41-5836-4BDD-B479-19DC0ABA4302" + }, + "stormshield": { + "ses": { + "action": { + "blocked": false, + "user_decision": false + }, + "categoryname": "Process", + "incident": { + "id": "{49C0571C-0F35-46E6-A81C-35F8F011D8A5}" + }, + "level": "Alert", + "process": { + "target": { + "command_line": "C:\\Windows\\system32\\lsass.exe", + "executable": "C:\\Windows\\System32\\lsass.exe", + "name": "lsass.exe", + "pid": "608" + }, + 
"user": { + "domain": "NT AUTHORITY" + } + }, + "source_process": { + "killed": false + }, + "type": "55" + } + } + } + + ``` + + === "test_type_56.json" ```json @@ -6122,6 +6301,7 @@ The following table lists the fields that are extracted, normalized under the EC |`event.code` | `keyword` | Identification code for this event. | |`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.provider` | `keyword` | Source of the event. | +|`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.severity` | `long` | Numeric severity of the event. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`file.hash.md5` | `keyword` | MD5 hash. | @@ -6157,7 +6337,9 @@ The following table lists the fields that are extracted, normalized under the EC |`source.port` | `long` | Port of the source. | |`stormshield.ses.action.blocked` | `boolean` | Was the operation blocked | |`stormshield.ses.action.user_decision` | `boolean` | Was the user decision | +|`stormshield.ses.categoryname` | `keyword` | Category name | |`stormshield.ses.incident.id` | `keyword` | stormshield incident guid | +|`stormshield.ses.level` | `keyword` | Level of severity | |`stormshield.ses.process.parent.user.domain` | `keyword` | User's domain associated with the parent process of the event | |`stormshield.ses.process.target.command_line` | `keyword` | stormshield targeted process command line | |`stormshield.ses.process.target.executable` | `keyword` | stormshield targeted process executable |