diff --git a/_shared_content/automate/playbooks-on-premises.md b/_shared_content/automate/playbooks-on-premises.md index 6ecf11850a..b6e81d9419 100644 --- a/_shared_content/automate/playbooks-on-premises.md +++ b/_shared_content/automate/playbooks-on-premises.md 
@@ -1,12 +1,12 @@ # Playbooks On-premises -Our clients may find it necessary to execute Playbook actions within a local network that remains isolated from external internet access or rejects inbound connections. To meet this particular need, we enable users to select actions they want to perform on their local network directly from the Playbooks' user interface. +Our clients may find it necessary to execute Playbook actions within a local network that remains isolated from external internet access or rejects inbound connections. To meet this particular need, we enable users to select actions they want to perform on their local network directly from the Playbooks' user interface. -Clients must undertake a short installation process to harness the full potential of this security-enhancing feature. This involves installing our [dedicated agent](https://docs.sekoia.io/xdr/features/collect/integrations/endpoint/sekoiaio/) and Docker onto a Linux machine within their local network. The meticulous setup ensures that Playbook actions can be executed with the utmost reliability and security, maintaining the integrity of the local network environment. +Clients must undertake a short installation process to harness the full potential of this security-enhancing feature. This involves installing our [dedicated agent](https://docs.sekoia.io/integration/integrations/endpoint/sekoiaio/) and Docker onto a Linux machine within their local network. The meticulous setup ensures that Playbook actions can be executed with the utmost reliability and security, maintaining the integrity of the local network environment. Below, we provide detailed instructions on how to accomplish the installation process. -!!! warning +!!! warning The Playbook runner supports only action, not trigger, execution on-premises. !!! INFO 
@@ -25,10 +25,10 @@ Below, we provide detailed instructions on how to accomplish the installation pr Playbooks On-prem are designed to support Linux distributions based on kernel version 3.10 or later. Here's a non-exhaustive list of supported distributions: -* Ubuntu 14.04 and newer -* Debian 8 and newer -* CentOS 7 and newer -* Redhat 7 and newer +- Ubuntu 14.04 and newer +- Debian 8 and newer +- CentOS 7 and newer +- Redhat 7 and newer ### Docker @@ -36,25 +36,28 @@ Playbooks On-prem rely on `docker` to execute actions. For instructions on how t #### podman -In certain Linux distributions, such as RHEL and CentOS, podman may come pre-installed, potentially preventing `docker`from working correctly. +In certain Linux distributions, such as RHEL and CentOS, podman may come pre-installed, potentially preventing `docker`from working correctly. Plus, podman can also inadvertently intercept and execute docker commands if the `podman-docker` package is installed. -Because of this, the playbook runner agent **requires the presence of both the Docker client and the Docker engine**. +Because of this, the playbook runner agent **requires the presence of both the Docker client and the Docker engine**. To uninstall `podman` and resolve any compatibility issues, follow the instructions below: -1. Remove packages +1. Remove packages + ``` sudo yum remove buildah skopeo podman containers-common atomic-registries docker container-tools ``` 2. Remove any left-over artifacts and files + ``` sudo rm -rf /etc/containers/* /var/lib/containers/* /etc/docker /etc/subuid* /etc/subgid* ``` -3. Delete any associated container storage +3. Delete any associated container storage + ``` cd ~ && rm -rf /.local/share/containers/ ``` 
@@ -64,17 +67,17 @@ To uninstall `podman` and resolve any compatibility issues, follow the instructi To ensure a bug-free installation, the Sekoia Endpoint Agent must be able to communicate with several external domains: - To pull module images: - - ghcr.io - - githubusercontent.com - + - ghcr.io + - githubusercontent.com + - To send execution results and store files: - - sekoia.io - - app.sekoia.io - - api.sekoia.io - - minio-symphony.prod.sekoia.io - - ... + - sekoia.io + - app.sekoia.io + - api.sekoia.io + - minio-symphony.prod.sekoia.io + - ... -### Testing the prerequisites +### Testing the prerequisites We've prepared a Docker image to facilitate the validation process and ensure the environment is properly configured for agent installation. @@ -102,15 +105,14 @@ Checking connectivity with the object storage ... OK * The region: `-e region=mco1` * Proxy information: `-e https_proxy={proxy_url}` +## Playbook runners -## Playbook runners - -A playbook runner is a local relay that launches playbook actions on a local network. -It can be used with any action in Sekoia.io playbooks. +A playbook runner is a local relay that launches playbook actions on a local network. +It can be used with any action in Sekoia.io playbooks. ### Create a playbook runner -To create a playbook runner, follow these steps: +To create a playbook runner, follow these steps: 1. On the playbooks listing page, select the `Playbook runners` button in the upper-right corner ![create playbook runner](/assets/playbooks/create_runner.png){: style="max-width:100%"} 
@@ -129,18 +131,18 @@ Your newly created playbook runner should now appear in the list. It will also b ![playbook runner instructions](/assets/playbooks/playbook_runner_action_on_premise.png){: align="right", width="280"} -Playbook runners can be used in any action in the playbook catalog. You can add them in the configuration panel that is shown when selecting an action in the playbook. +Playbook runners can be used in any action in the playbook catalog. You can add them in the configuration panel that is shown when selecting an action in the playbook. -To use a playbook runner for a specific action, follow these steps: +To use a playbook runner for a specific action, follow these steps: 1. Go to a playbook and select the action that should be executed on-premises 2. Open the configuration sidebar for this action and change "How to execute this action" to "On-premises" 3. In the "Which playbook runner" section, select the runner you want to use to execute this action -4. After selecting the playbook runner and completing the configuration, save the playbook +4. After selecting the playbook runner and completing the configuration, save the playbook ## Proxy support -The playbook runner can use a proxy server when executing actions if needed. +The playbook runner can use a proxy server when executing actions if needed. If you want to enable this feature, edit the configuration file at `/etc/endpoint-agent/config.yaml` and add the following line: @@ -174,7 +176,8 @@ To avoid errors during the TLS certificate validation step, specify the path to To enable this feature, follow these steps: -1. Edit the configuration file at `/etc/endpoint-agent/config.yaml` and add the following line: +1. Edit the configuration file at `/etc/endpoint-agent/config.yaml` and add the following line: + ```yaml CABundlePath: "path/to/bundle/cacert.pem" ``` 
@@ -182,7 +185,6 @@ To enable this feature, follow these steps: !!! tip The bundle must contain trusted CA certificates authorized to communicate with Sekoia.io. - ??? example "Bundle format example" The bundle usually contains a list of PEM-encoded certificates to trust, with optional comment lines starting with `#`. @@ -253,6 +255,7 @@ To enable this feature, follow these steps: ``` 2. Once the configuration is changed, restart the agent by running the following command: + ```bash sudo systemctl restart SEKOIAEndpointAgent.service ``` diff --git a/_shared_content/operations_center/integrations/generated/995d7daf-4e4a-42ec-b90d-9af2f7be7019.md b/_shared_content/operations_center/integrations/generated/995d7daf-4e4a-42ec-b90d-9af2f7be7019.md index 3d2045760b..962c99c1d5 100644 --- a/_shared_content/operations_center/integrations/generated/995d7daf-4e4a-42ec-b90d-9af2f7be7019.md +++ b/_shared_content/operations_center/integrations/generated/995d7daf-4e4a-42ec-b90d-9af2f7be7019.md @@ -1,7 +1,6 @@ ## Event Categories - The following table lists the data source offered by this integration. | Data Source | Description | @@ -9,10 +8,6 @@ The following table lists the data source offered by this integration. | `Network device logs` | Meraki MX Security Appliance records traffic events flowing through | | `Web logs` | Meraki MX Security Appliance records traffic events flowing through | - - - - In details, the following table denotes the type of events produced by this integration. | Name | Values | 
@@ -21,18 +16,14 @@ In details, the following table denotes the type of events produced by this inte | Category | `network` | | Type | `denied`, `info` | - - - ## Event Samples Find below few samples of events and how they are normalized by Sekoia.io. - === "test_dhcp_lease.json" ```json - + { "message": "1673516966.834663913 FW_MX_01 events dhcp lease of ip 1.2.3.4 from mx mac AA:BB:CC:DD:EE:FF for client mac 01:02:03:04:05:06 from router 5.6.7.8 on subnet 255.255.255.0 with dns 9.10.11.12", "event": { @@ -68,14 +59,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "mac": "01:02:03:04:05:06" } } - - ``` - + + ``` === "test_dhcp_no_offer.json" ```json - + { "message": "1673541902.311547724 FW_MX_01 events dhcp no offers for mac AA:BB:CC:DD:EE:FF", "event": { @@ -103,14 +93,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "mac": "AA:BB:CC:DD:EE:FF" } } - - ``` - + + ``` === "test_events_anyconnect_vpn_auth_failure.json" ```json - + { "message": "1673596662.226844514 FW_MX_01 events type=anyconnect_vpn_auth_failure msg= 'RADIUS[373] Server IP=1.2.3.4 Server port=1812 Peer IP=5.6.7.8 Peer port=56735: Authentication request rejected. '", "event": { @@ -154,14 +143,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "port": 56735 } } - - ``` - + + ``` === "test_events_anyconnect_vpn_auth_success.json" ```json - + { "message": "1673596676.426899545 FW_MX_01 events type=anyconnect_vpn_auth_success msg= 'RADIUS[374] Server IP=1.2.3.4 Server port=1812 Peer IP=5.6.7.8 Peer port=56735 User=john.doe: Authentication request accepted. '", "event": { 
@@ -211,14 +199,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "john.doe" } } - - ``` - + + ``` === "test_events_anyconnect_vpn_connect_1.json" ```json - + { "message": "1673614753.814828766 FW_MX_01 events anyconnect_vpn_connect user id 'john.doe@sekoia.io' local ip 1.2.3.4 reconnected from 5.6.7.8", "event": { @@ -261,14 +248,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "john.doe" } } - - ``` - + + ``` === "test_events_anyconnect_vpn_connect_2.json" ```json - + { "message": "1673614753.814828766 FW_MX_01 events anyconnect_vpn_connect user id 'john.doe@sekoia.io' local ip 1.2.3.4 connected from 5.6.7.8", "event": { @@ -311,14 +297,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "john.doe" } } - - ``` - + + ``` === "test_events_anyconnect_vpn_connection_success.json" ```json - + { "message": "1673516936.233050742 FW_MX_01 events type=anyconnect_vpn_connection_success msg= 'Server IP=1.2.3.4 Server port=443 Prot[TCP] Peer IP=5.6.7.8 Peer port=55760 conn_id[55356] Connection closed. '", "event": { @@ -363,14 +348,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "port": 55760 } } - - ``` - + + ``` === "test_events_anyconnect_vpn_session_manager.json" ```json - + { "message": "1673614757.517501781 FW_MX_01 events type=anyconnect_vpn_session_manager msg= 'Sess-ID[289] Peer IP=1.2.3.4 User[john.doe@sekoia.io]: Successfully added DTLS tunnel[289.4] '", "event": { @@ -410,14 +394,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "john.doe" } } - - ``` - + + ``` === "test_events_content_filtering_block.json" ```json - + { "message": "1673541348.531136002 FW_MX_01 events content_filtering_block url='https://docs.sekoia.io/...' server='1.2.3.4:443' client_mac='AA:BB:CC:DD:EE:FF'", "event": { 
@@ -467,14 +450,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "top_level_domain": "io" } } - - ``` - + + ``` === "test_firewall_allow.json" ```json - + { "message": "1673277220.253011885 FW_MX_01 firewall src=1.2.3.4 dst=5.6.7.8 protocol=tcp sport=39247 dport=443 pattern: 0 (tcp || udp) && dst port 443", "event": { @@ -517,14 +499,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "port": 39247 } } - - ``` - + + ``` === "test_firewall_allow_2.json" ```json - + { "message": "1673277220.253011885 FW_MX_01 firewall allow src=1.2.3.4 dst=5.6.7.8 protocol=tcp sport=39247 dport=443", "event": { @@ -567,14 +548,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "port": 39247 } } - - ``` - + + ``` === "test_firewall_block.json" ```json - + { "message": "1673277244.954105815 FW_MX_01 firewall src=1.2.3.4 dst=5.6.7.8 protocol=tcp sport=42644 dport=543 pattern: 1 all", "event": { @@ -617,14 +597,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "port": 42644 } } - - ``` - + + ``` === "test_firewall_block_2.json" ```json - + { "message": "1673277244.954105815 FW_MX_01 firewall deny src=1.2.3.4 dst=5.6.7.8 protocol=tcp sport=42644 dport=543", "event": { @@ -667,14 +646,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "port": 42644 } } - - ``` - + + ``` === "test_flows_allow.json" ```json - + { "message": "1673277220.253011885 FW_MX_01 flows src=1.2.3.4 dst=5.6.7.8 protocol=tcp sport=39247 dport=443 pattern: 0 (tcp || udp) && dst port 443", "event": { @@ -717,14 +695,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "port": 39247 } } - - ``` - + + ``` === "test_flows_allow_2.json" ```json - + { "message": "1673277220.253011885 FW_MX_01 flows allow src=1.2.3.4 dst=5.6.7.8 protocol=tcp sport=39247 dport=443", "event": { 
@@ -767,14 +744,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "port": 39247 } } - - ``` - + + ``` === "test_flows_allow_ipv6.json" ```json - + { "message": "1673277220.253011885 FW_MX_01 flows src=fe80:110:8897:efab:9202:b3ff:fe1e:8329 dst=fe80:110:8897:efab:9202:b3ff:fe1e:8330 protocol=tcp sport=39247 dport=443 pattern: 0 (tcp || udp) && dst port 443", "event": { @@ -817,14 +793,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "port": 39247 } } - - ``` - + + ``` === "test_flows_block.json" ```json - + { "message": "1673277244.954105815 FW_MX_01 flows src=1.2.3.4 dst=5.6.7.8 protocol=tcp sport=42644 dport=543 pattern: 1 all", "event": { @@ -867,14 +842,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "port": 42644 } } - - ``` - + + ``` === "test_flows_block_2.json" ```json - + { "message": "1673277244.954105815 FW_MX_01 flows deny src=1.2.3.4 dst=5.6.7.8 protocol=tcp sport=42644 dport=543", "event": { @@ -917,14 +891,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "port": 42644 } } - - ``` - + + ``` === "test_ip_flow_end.json" ```json - + { "message": "1673277245.252432409 FW_MX_01 ip_flow_end src=1.2.3.4 dst=5.6.7.8 protocol=udp sport=56391 dport=53 translated_dst_ip=9.10.11.12 translated_port=53", "event": { @@ -968,14 +941,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "port": 56391 } } - - ``` - + + ``` === "test_ip_flow_start.json" ```json - + { "message": "1673277245.262063982 FW_MX_01 ip_flow_start src=1.2.3.4 dst=5.6.7.8 protocol=tcp sport=64365 dport=443 translated_src_ip=9.10.11.12 translated_port=64365", "event": { 
@@ -1019,14 +991,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "port": 64365 } } - - ``` - + + ``` === "test_urls_1.json" ```json - + { "message": "1673277245.257656306 FW_MX_01 urls src=1.2.3.4:51960 dst=5.6.7.8:443 mac=AA:BB:CC:DD:EE:FF request: UNKNOWN https://www.google.com/...", "event": { @@ -1077,14 +1048,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "top_level_domain": "com" } } - - ``` - + + ``` === "test_urls_2.json" ```json - + { "message": "1673277244.773622789 FW_MX_01 urls src=1.2.3.4:64194 dst=5.6.7.8:80 mac=AA:BB:CC:DD:EE:FF request: GET http://www.msftconnecttest.com/connecttest.txt", "event": { @@ -1135,16 +1105,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "top_level_domain": "com" } } - - ``` - + + ``` === "test_urls_3.json" ```json - + { - "message": "1673277244.416181683 FW_MX_01 urls src=1.2.3.4:55566 dst=5.6.7.8:80 mac=AA:BB:CC:DD:EE:FF agent='Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36' request: GET http://docs.sekoia.io/xdr/features/collect/integrations/network/cisco_meraki/", + "message": "1673277244.416181683 FW_MX_01 urls src=1.2.3.4:55566 dst=5.6.7.8:80 mac=AA:BB:CC:DD:EE:FF agent='Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36' request: GET http://docs.sekoia.io/integration/integrations/network/cisco_meraki/", "event": { "category": [ "network" 
@@ -1184,8 +1153,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "url": { "domain": "docs.sekoia.io", - "original": "http://docs.sekoia.io/xdr/features/collect/integrations/network/cisco_meraki/", - "path": "/xdr/features/collect/integrations/network/cisco_meraki/", + "original": "http://docs.sekoia.io/integration/integrations/network/cisco_meraki/", + "path": "/integration/integrations/network/cisco_meraki/", "port": 80, "registered_domain": "sekoia.io", "scheme": "http", @@ -1205,14 +1174,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "version": "108.0.0" } } - - ``` - + + ``` === "test_urls_ipv6.json" ```json - + { "message": "1673277244.773622789 FW_MX_01 urls src=fe80:110:8897:efab:9202:b3ff:fe1e:8329:64194 dst=fe80:110:8897:efab:9202:b3ff:fe1e:8330:80 mac=AA:BB:CC:DD:EE:FF request: GET http://www.msftconnecttest.com/connecttest.txt", "event": { @@ -1263,12 +1231,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "top_level_domain": "com" } } - - ``` - - - - + + ``` ## Extracted Fields @@ -1300,4 +1264,3 @@ The following table lists the fields that are extracted, normalized under the EC |`user.domain` | `keyword` | Name of the directory the user is a member of. | |`user.name` | `keyword` | Short name or login of the user. | |`user_agent.original` | `keyword` | Unparsed user_agent string. | - diff --git a/docs/getting_started/best_practices.md b/docs/getting_started/best_practices.md index 9fce84ffba..09d8ef10a3 100644 --- a/docs/getting_started/best_practices.md +++ b/docs/getting_started/best_practices.md 
@@ -16,13 +16,13 @@ Our extensive catalog of over 900 rules, each [associated with a TTP from the MI - **Activate a new wave of higher effort level rules** after the initial RUN period, representing: - - 20% of level 3 / "Advanced" rules, - - 10% of level 4 / "Master" rules. + - 20% of level 3 / "Advanced" rules, + - 10% of level 4 / "Master" rules. - **Aim for continuous improvement**, reaching an average of: - - 10% tuning for level 3 rules with at least 1 alert-filter, - - 20% tuning for level 4 rules with at least 1 alert-filter. + - 10% tuning for level 3 rules with at least 1 alert-filter, + - 20% tuning for level 4 rules with at least 1 alert-filter. ### Intakes Configuration 
@@ -33,11 +33,10 @@ To ensure comprehensive and effective coverage, it is crucial to configure your - **2 company wide Network Based Intake** (e.g., Loadbalancer/Reverse-Proxy, Proxy, DNS). They help monitor internal network traffic and detect anomalies such as lateral movements by attackers and suspicious communications. - **1 company wide Email Security Based Intake** (e.g., Office, ProofPoint, Vade) **with security options enabled**. This helps identify phishing attacks, malware transmitted via email, and other email-related threats. - **1 Identity and Access Management Based Intake** for **on-premise** environments (e.g., Active Directory, Okta, Wallix) **and 1 for cloud** environments if applicable (e.g., Azure Entra ID, Cloudflare Access Requests, Google Workspace). This helps detect suspicious activities related to user access, such as unauthorized login attempts and privilege changes, and ensures security oversight across both on-premise and cloud environments. -- **Activity Logs**: Ensure that [Sekoia.io activity logs](https://docs.sekoia.io/xdr/features/collect/integrations/application/sekoiaio_activity_logs/) are activated. This allows monitoring actions and changes within the Sekoia.io platform itself, ensuring complete transparency and traceability. +- **Activity Logs**: Ensure that [Sekoia.io activity logs](https://docs.sekoia.io/integration/integrations/application/sekoiaio_activity_logs/) are activated. This allows monitoring actions and changes within the Sekoia.io platform itself, ensuring complete transparency and traceability. - **No intake should have zero events received** in the past 7 days. An intake without events can indicate a configuration or data collection issue, compromising threat detection capability. Ensure that notifications are configured to alert in the case of [an event drop for an intake](https://docs.sekoia.io/getting_started/notifications-Examples/#intakes). 
-- **Use the [Sekoia.io Forwarder](https://docs.sekoia.io/xdr/features/collect/ingestion_methods/syslog/sekoiaio_forwarder/)** each time you need to forward On Premise events via syslog protocol to Sekoia.io SOC Platform to ease discriminate logs before adding them the relevant Intake Key. It also is the only log forwarder that our Support team will be able to provide you with assistance. - +- **Use the [Sekoia.io Forwarder](https://docs.sekoia.io/integration/ingestion_methods/syslog/sekoiaio_forwarder/)** each time you need to forward On Premise events via syslog protocol to Sekoia.io SOC Platform to ease discriminate logs before adding them the relevant Intake Key. It also is the only log forwarder that our Support team will be able to provide you with assistance. ### Events Quality 
@@ -66,9 +65,9 @@ Playbooks complement operational optimization by automating various types of man - **Keep the number of playbook executions per day low**: Aim for less than 60 executions per playbook per day, aligning with the number of raised alerts. Each playbook should have a specific objective to meet a particular need. - **Design playbooks with simplicity in mind**: On average, each playbook should be composed of less than 15 modules, including: - - **1 [Trigger](https://docs.sekoia.io/xdr/features/automate/triggers/)** such as the “Manual trigger” or “Alert created” trigger **with a filter condition** to start the playbook only for relevant cases. - - **Some [Operator](https://docs.sekoia.io/xdr/features/automate/operators/) modules** like "[Condition](https://docs.sekoia.io/xdr/features/automate/operators/#condition)" and "[Foreach](https://docs.sekoia.io/xdr/features/automate/operators/#foreach)" to halt the playbook execution if new information gathered during the process indicates that the playbook is unnecessary in the current context. - - **A majority of [Action](https://docs.sekoia.io/xdr/features/automate/actions/) modules** making it easily understandable for new team members and maintainable over time. To give you more details on the top 10 most used playbook Actions, here is a list: + - **1 [Trigger](https://docs.sekoia.io/xdr/features/automate/triggers/)** such as the “Manual trigger” or “Alert created” trigger **with a filter condition** to start the playbook only for relevant cases. + - **Some [Operator](https://docs.sekoia.io/xdr/features/automate/operators/) modules** like "[Condition](https://docs.sekoia.io/xdr/features/automate/operators/#condition)" and "[Foreach](https://docs.sekoia.io/xdr/features/automate/operators/#foreach)" to halt the playbook execution if new information gathered during the process indicates that the playbook is unnecessary in the current context. 
+ - **A majority of [Action](https://docs.sekoia.io/xdr/features/automate/actions/) modules** making it easily understandable for new team members and maintainable over time. To give you more details on the top 10 most used playbook Actions, here is a list: 1. [Read JSON File](https://docs.sekoia.io/xdr/features/automate/library/fileutils/#read-json-file) 2. [Comment Alert](https://docs.sekoia.io/xdr/features/automate/library/sekoia-io/#comment-alert) diff --git a/docs/integration/index.md b/docs/integration/index.md new file mode 100644 index 0000000000..e20ec321b5 --- /dev/null +++ b/docs/integration/index.md @@ -0,0 +1 @@ +# Integrations diff --git a/docs/integration/ingestion_methods/https/logstash.md b/docs/integration/ingestion_methods/https/logstash.md index 65727509e4..214696a650 100644 --- a/docs/integration/ingestion_methods/https/logstash.md +++ b/docs/integration/ingestion_methods/https/logstash.md 
@@ -6,14 +6,14 @@ To push logs, you have to configure some filters in Logstash that will add the p ## Example -In the following example, we have multiple inputs to handle logs collected via Syslog (Apache HTTP Server and NGINX logs) and via [Beats (Winlogbeat)](/xdr/features/collect/integrations/endpoint/winlogbeat.md) and forward them to Sekoia.io. +In the following example, we have multiple inputs to handle logs collected via Syslog (Apache HTTP Server and NGINX logs) and via [Beats (Winlogbeat)](/integration/integrations/endpoint/winlogbeat.md) and forward them to Sekoia.io. In order to filter events effectively, Logstash uses tags as a key component. To ensure proper functionality, make sure to update the intake key value by editing the placeholder `CHANGE_ME_INTAKE_KEY` mentioned below. Additionally, you have the flexibility to incorporate multiple filters within the `filter` section as per your requirements. -!!! tip +!!! tip By adding additional filters, you can enhance the filtering capabilities of Logstash and customize the processing of events to suit your requirements. -!!! note +!!! note Beats agents require a specific output configuration as you need to forward the complete JSON event to Sekoia.io. ``` @@ -77,10 +77,11 @@ The above configuration will send your logs one at a time (one HTTP request per For more advanced use cases, where you want to send logs to Sekoia.io and to an Elasticsearch instance for example, a more advanced Logstash configuration is recommended to achieve higher throughput. This configuration uses multiple pipelines and pipeline-to-pipeline communications to duplicate events and format them to the expected payload format required by Sekoia.io. Events will be sent in batch mode, providing better performance. -!!! note +!!! note Beats events do not need to be duplicated into a second pipeline as the complete JSON event is sent to Sekoia.io. *pipelines.yml* + ``` - pipeline.id: my-pipeline_1 path.config: "/etc/path/to/p1.cfg" 
@@ -96,6 +97,7 @@ For more advanced use cases, where you want to send logs to Sekoia.io and to an ``` *p1.cfg* + ``` input { beats { @@ -123,6 +125,7 @@ output { ``` *p2.cfg* + ``` input { tcp { @@ -150,6 +153,7 @@ output { ``` *sekoiaio-apache2.cfg* + ``` input { pipeline { @@ -180,6 +184,7 @@ output { ``` *sekoiaio-nginx.cfg* + ``` input { pipeline { @@ -213,4 +218,4 @@ output { - [Logstash HTTP output plugin](https://www.elastic.co/guide/en/logstash/current/plugins-outputs-http.html) - [Logstash Multiple Pipelines](https://www.elastic.co/guide/en/logstash/current/multiple-pipelines.html) -- [Logstash Pipeline-to-pipeline communication](https://www.elastic.co/guide/en/logstash/current/pipeline-to-pipeline.html) \ No newline at end of file +- [Logstash Pipeline-to-pipeline communication](https://www.elastic.co/guide/en/logstash/current/pipeline-to-pipeline.html) diff --git a/docs/integration/integrations/application/cyberwatch_detection.md b/docs/integration/integrations/application/cyberwatch_detection.md index e7f267c9fd..cfab08dee6 100644 --- a/docs/integration/integrations/application/cyberwatch_detection.md +++ b/docs/integration/integrations/application/cyberwatch_detection.md @@ -18,7 +18,7 @@ This setup guide will show you how to forward your Cyberwatch logs to Sekoia.io ### Forward logs to Sekoia.io -Please consult the [Syslog Forwarding](https://docs.sekoia.io/xdr/features/collect/ingestion_methods/sekoiaio_forwarder/) documentation to set up a syslog concentrator. +Please consult the [Syslog Forwarding](https://docs.sekoia.io/integration/ingestion_methods/sekoiaio_forwarder/) documentation to set up a syslog concentrator. ### Enable Syslog forwarding for Cyberwatch diff --git a/docs/integration/integrations/application/manageengine_adauditplus.md b/docs/integration/integrations/application/manageengine_adauditplus.md index a6c47fc1ac..0bf1eb543d 100644 --- a/docs/integration/integrations/application/manageengine_adauditplus.md 
+++ b/docs/integration/integrations/application/manageengine_adauditplus.md @@ -2,7 +2,6 @@ uuid: 890207d2-4878-440d-9079-3dd25d472e0a name: ManageEngine ADAudit Plus type: intake - ## Overview ManageEngine ADAudit Plus is a robust Active Directory auditing and compliance solution, empowering organizations to track and monitor changes, detect security threats, and ensure regulatory compliance within their Active Directory environment. @@ -17,7 +16,6 @@ This integration supports the following events from ADAudit Plus: - Logon reports (`LogonReports`) - Audit reports (`DNSAuditReports` and `ADObjectsAuditReports`) - ## Configure ### Prerequisites @@ -36,15 +34,13 @@ In the ADAudit Plus console: 6. Save the configuration 7. After saving this configuration, Choose the categories to forward. - ## Create the intake Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `ManageEngine ADAuditPlus`. ## Forward logs to Sekoia.io -Please consult the [Syslog Forwarding](/xdr/features/collect/ingestion_methods/syslog/sekoiaio_forwarder/) documentation to forward these logs to Sekoia.io. - +Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder/) documentation to forward these logs to Sekoia.io. {!_shared_content/operations_center/detection/generated/suggested_rules_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.md!} diff --git a/docs/integration/integrations/application/microsoft_iis.md b/docs/integration/integrations/application/microsoft_iis.md index 4b7732df97..a19744720b 100644 --- a/docs/integration/integrations/application/microsoft_iis.md +++ b/docs/integration/integrations/application/microsoft_iis.md 
@@ -3,6 +3,7 @@ name: Microsoft IIS type: intake ## Overview + Microsoft Internet Information Services (IIS) is a web server software for Windows, providing a secure and scalable platform for hosting and managing websites, applications, and services, widely used in enterprise environments. {!_shared_content/operations_center/detection/generated/suggested_rules_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.md!} @@ -97,19 +98,18 @@ To enable the connection between your events forwarder and the [Sekoia.io](http: 1. Open a PowerShell console as an administrator. 2. Use the following command to retrieve the certificate and save it to the appropriate directory: - + ```powershell Invoke-WebRequest -Uri -OutFile 'C:\\Program Files\\nxlog\\cert\\Sekoia.io-intake.pem' ``` - + 3. Restart the NXLog service through the Services tool as an administrator or use the following PowerShell command line as an administrator: - + ```powershell Restart-Service nxlog ``` - After completing these steps, your events forwarder should be able to establish a secure connection with the [Sekoia.io](http://sekoia.io/) intake using the newly downloaded certificate. 
@@ -178,7 +178,7 @@ To get started, follow these steps: !!! Note The iso8859-1 character encoding is limited to 256 characters, which is not enough to represent all French characters. This means that some French characters might not be correctly interpreted or displayed when using iso8859-1 encoding. For example, iso8859-1 does not include characters such as é, è, ê, and ë. - In order to correctly represent these characters, it is recommended to install the [Sekoia.io agent](https://docs.sekoia.io/xdr/features/collect/integrations/endpoint/sekoiaio/). This endpoint agent is specifically designed to handle such issues, ensuring the accurate and secure transmission of data. + In order to correctly represent these characters, it is recommended to install the [Sekoia.io agent](https://docs.sekoia.io/integration/integrations/endpoint/sekoiaio/). This endpoint agent is specifically designed to handle such issues, ensuring the accurate and secure transmission of data. Restart the NXLog service through the Services tool as Administrator or use this Powershell command line as admin: @@ -198,4 +198,4 @@ Please read the dedicated documentation for each concentrator: - [Sekoia.io docker concentrator](https://www.notion.so/ingestion_methods/sekoiaio_forwarder/) !!! Note - While [Sekoia.io](http://sekoia.io/) docker concentrator is highly recommended, you are free to use the one that you are most comfortable with. \ No newline at end of file + While [Sekoia.io](http://sekoia.io/) docker concentrator is highly recommended, you are free to use the one that you are most comfortable with. diff --git a/docs/integration/integrations/application/rsa_securid.md b/docs/integration/integrations/application/rsa_securid.md index 399ca22ad6..47377942d9 100644 --- a/docs/integration/integrations/application/rsa_securid.md +++ b/docs/integration/integrations/application/rsa_securid.md 
@@ -27,15 +27,13 @@ In the Security Console of the RSA Authentication Manager: 5. In the section `Log Data Retention`, for each log data, select `Save to internal database and remote Syslog at the following hostname or IP address`, then type the location of the log concentration. 6. Click `Save` - ## Create the intake Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `RSA SecurID`. ## Forward logs to Sekoia.io -Please consult the [Sekoia Forwarder](/xdr/features/collect/ingestion_methods/syslog/sekoiaio_forwarder) documentation to forward these logs to Sekoia.io. - +Please consult the [Sekoia Forwarder](/integration/ingestion_methods/syslog/sekoiaio_forwarder) documentation to forward these logs to Sekoia.io. ## Further Readings diff --git a/docs/integration/integrations/application/systancia_cleanroom.md b/docs/integration/integrations/application/systancia_cleanroom.md index 6511db99c2..7c27295fd6 100644 --- a/docs/integration/integrations/application/systancia_cleanroom.md +++ b/docs/integration/integrations/application/systancia_cleanroom.md @@ -19,12 +19,12 @@ This setup guide will show you how to forward your Systancia Cleanroom logs to S ### Forward logs to Sekoia.io -Please consult the [Syslog Forwarding](/xdr/features/collect/ingestion_methods/syslog/sekoiaio_forwarder/) documentation to forward these logs to Sekoia.io. +Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder/) documentation to forward these logs to Sekoia.io. ### Systancia Cleanroom 1. In the Systancia Clearoom system console, go to `Logger settings` - + ![logger_settings.png](/assets/operation_center/integration_catalog/application/systancia-cleanroom/logger_settings.png) 2. In the `Logger setting` panel: diff --git a/docs/integration/integrations/cloud_and_saas/azure/azure_linux.md b/docs/integration/integrations/cloud_and_saas/azure/azure_linux.md index 6585243512..b221aabd15 100644 
--- a/docs/integration/integrations/cloud_and_saas/azure/azure_linux.md +++ b/docs/integration/integrations/cloud_and_saas/azure/azure_linux.md @@ -9,16 +9,15 @@ Azure Virtual Machines service is developed and managed by Microsoft Corp. !!! warning This format is deprecated. We highly recommend you to use one of these alternative formats: - - [Sekoia.io endpoint agent](/xdr/features/collect/integrations/endpoint/sekoiaio) - - [auditbeat](/xdr/features/collect/integrations/endpoint/auditbeat_linux) + - [Sekoia.io endpoint agent](/integration/integrations/endpoint/sekoiaio) + - [auditbeat](/integration/integrations/endpoint/auditbeat_linux) or one of these numerous EDR formats supported by Sekoia.io: - - [CrowdStrike Falcon](/xdr/features/collect/integrations/endpoint/crowdstrike_falcon) - - [Cybereason](/xdr/features/collect/integrations/endpoint/cybereason_malop) - - [Harfanglab](/xdr/features/collect/integrations/endpoint/harfanglab) - - [Sentinel One](/xdr/features/collect/integrations/endpoint/sentinelone) - - [Sophos EDR](/xdr/features/collect/integrations/endpoint/sophos_edr) - - [Tehtris](/xdr/features/collect/integrations/endpoint/tehtris_edr) - - [Trend Micro Deep Security](/xdr/features/collect/integrations/endpoint/trend_micro_deep_security) - + - [CrowdStrike Falcon](/integration/integrations/endpoint/crowdstrike_falcon) + - [Cybereason](/integration/integrations/endpoint/cybereason_malop) + - [Harfanglab](/integration/integrations/endpoint/harfanglab) + - [Sentinel One](/integration/integrations/endpoint/sentinelone) + - [Sophos EDR](/integration/integrations/endpoint/sophos_edr) + - [Tehtris](/integration/integrations/endpoint/tehtris_edr) + - [Trend Micro Deep Security](/integration/integrations/endpoint/trend_micro_deep_security) diff --git a/docs/integration/integrations/endpoint/trend_micro/trend_micro_apex_one.md b/docs/integration/integrations/endpoint/trend_micro/trend_micro_apex_one.md index 59a9b83cfc..788e7c247e 100644 
--- a/docs/integration/integrations/endpoint/trend_micro/trend_micro_apex_one.md +++ b/docs/integration/integrations/endpoint/trend_micro/trend_micro_apex_one.md @@ -25,7 +25,6 @@ This integration supports the following log types: - Engine Update Status - Pattern Update Status - !!! warning This format is in beta @@ -52,22 +51,22 @@ To enable syslog forwarding: 5. Select `CEF` as the log format 6. Configure the frequency of the log forwarding 7. Select the log types to forward according to the list of supported log types: - - Application Control violations - - Attack Discovery detections - - Behavior Monitoring detections - - C&C Callback - - Content Violation - - Data Loss Prevention - - Device Control violations - - Suspicious File detections - - Network Content Inspection - - Virus/Malware detections - - Spyware/Grayware detections - - Predictive Machine Learning detections - - Virtual Analyzer detections - - Web Violation - - Engine Update Status - - Pattern Update Status + - Application Control violations + - Attack Discovery detections + - Behavior Monitoring detections + - C&C Callback + - Content Violation + - Data Loss Prevention + - Device Control violations + - Suspicious File detections + - Network Content Inspection + - Virus/Malware detections + - Spyware/Grayware detections + - Predictive Machine Learning detections + - Virtual Analyzer detections + - Web Violation + - Engine Update Status + - Pattern Update Status 8. Click `Test Connection` to validate the configuration 9. Click `Save` @@ -77,7 +76,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n ## Forward logs to Sekoia.io -Please consult the [Syslog Forwarding](/xdr/features/collect/ingestion_methods/syslog/sekoiaio_forwarder/) documentation to forward these logs to Sekoia.io. +Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder/) documentation to forward these logs to Sekoia.io. ## Further Readings 
diff --git a/docs/integration/integrations/endpoint/trend_micro/trend_micro_deep_security.md b/docs/integration/integrations/endpoint/trend_micro/trend_micro_deep_security.md index 067502d70e..d788ba54a1 100644 --- a/docs/integration/integrations/endpoint/trend_micro/trend_micro_deep_security.md +++ b/docs/integration/integrations/endpoint/trend_micro/trend_micro_deep_security.md @@ -24,7 +24,7 @@ An internal syslog concentrator is required to collect and forward events to Sek To enable syslog forwarding for Trend Micro Deep Security, please follow [this guide](https://help.deepsecurity.trendmicro.com/20_0/on-premise/event-syslog.html). For Trend Micro Workload Security, please refer to [this documentation](https://cloudone.trendmicro.com/docs/workload-security/event-syslog/) -To enable Syslog forwarding, follow these steps: +To enable Syslog forwarding, follow these steps: 1. Log on your Security console 2. Provide the IP and the listening port (`514`) of the log concentrator and select `CEF` as the event format @@ -33,7 +33,7 @@ To enable Syslog forwarding, follow these steps: If the concentrator and all your agents are on the same network or could communicate safely (VPN, ...): -1. Select the transport protocol `UDP` and ask your agents to send events `Directly to the syslog server` +1. Select the transport protocol `UDP` and ask your agents to send events `Directly to the syslog server` 2. Apply the changes #### Indirect forwarding 
@@ -51,12 +51,10 @@ For the first connection: If not, please see the "Troubleshoot event forwarding" section on the Trend-Micro documentation. - ## Create the intake Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format Trend Micro Deep Security / Workload Security. - ## Forward logs to Sekoia.io -Please consult the [Syslog Forwarding](/xdr/features/collect/ingestion_methods/syslog/sekoiaio_forwarder) documentation to forward these logs to Sekoia.io. +Please consult the [Syslog Forwarding](/integration/ingestion_methods/syslog/sekoiaio_forwarder) documentation to forward these logs to Sekoia.io. diff --git a/docs/integration/integrations/endpoint/windows.md b/docs/integration/integrations/endpoint/windows.md index f07a563470..49455ad98a 100644 --- a/docs/integration/integrations/endpoint/windows.md +++ b/docs/integration/integrations/endpoint/windows.md 
@@ -6,23 +6,23 @@ type: intake Microsoft Windows is a widely used operating system that has been developed by Microsoft since 1985. -This page will provide you with two methods for collecting and forwarding Windows logs to Sekoia.io. +This page will provide you with two methods for collecting and forwarding Windows logs to Sekoia.io. -- The first method involves using the NXLog agent to send logs directly from the Windows machine to Sekoia.io. +- The first method involves using the NXLog agent to send logs directly from the Windows machine to Sekoia.io. - The second method involves using NXLog to forward logs from an internal log concentrator to Sekoia.io. -Additionally, this documentation will offer guidance on collecting and forwarding logs from sensitive assets, such as Domain Controllers, without requiring the installation of a third-party agent. +Additionally, this documentation will offer guidance on collecting and forwarding logs from sensitive assets, such as Domain Controllers, without requiring the installation of a third-party agent. !!! Warning Please be advised that this documentation assumes the use of the 64-bit version of NXLog. If you are using the 32-bit version, it is crucial that you replace all references to `C:\Program Files\nxlog\` in the commands and configuration files with `C:\Program Files (x86)\nxlog\`. Failure to make this adjustment may result in errors. !!! Warning - Please be advised that collecting Windows events with NXLog on certain Windows languages that contain accents (such as French for "Système" keyword), are not correctly encoded by NXLog and results in an error of interpreation on our product. In such case, please consider the installation of our [agent](https://docs.sekoia.io/xdr/features/collect/integrations/endpoint/sekoiaio/) on the supported OS). 
- + Please be advised that collecting Windows events with NXLog on certain Windows languages that contain accents (such as French for "Système" keyword), are not correctly encoded by NXLog and results in an error of interpreation on our product. In such case, please consider the installation of our [agent](https://docs.sekoia.io/integration/integrations/endpoint/sekoiaio/) on the supported OS). + ## Windows Event logs -On Microsoft Windows workstations and servers, most of the important hardward and software activities that are relevant for security detection and analysis, are logged into three files: +On Microsoft Windows workstations and servers, most of the important hardward and software activities that are relevant for security detection and analysis, are logged into three files: - `Application`: for Windows components such as drivers and built-in interface elements - `System`: records events related to programs installed on a system @@ -38,7 +38,7 @@ A common installation instruction and configuration file is available on [Floria !!! Warning Please be aware that installing this tool may generate additional logs, resulting in increased consumption of CPU resources. It is important to ensure that the equipment on which the tool is installed is appropriately sized and has sufficient resources to handle the additional workload. We recommend that you first test the installation on lower-risk assets before deploying it on more critical systems. - + You will find dedicated NXLog configuration file for Sysmon usage in [this section](#nxlog-configuration-for-sysmon-usage). {!_shared_content/operations_center/detection/generated/suggested_rules_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.md!} 
@@ -58,10 +58,9 @@ To get started with NXLog, follow these steps: 3. Navigate to the NXLog configuration file, which is located at `C:\Program Files\nxlog\conf\nxlog.conf` 4. Update the configuration file with your intake key by following these instructions: -!!! Note +!!! Note Don't forget to replace `YOUR_INTAKE_KEY` variable with your actual intake key. - ``` ## This is a sample configuration file. See the nxlog reference manual about the configuration options. ## It should be installed locally and is also available online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html @@ -114,20 +113,21 @@ To get started with NXLog, follow these steps: To enable the connection between your events forwarder and the Sekoia.io intake, it is necessary to download the Sekoia.io intake certificate. Please follow these steps: -1. Open a PowerShell console as an administrator. +1. Open a PowerShell console as an administrator. 2. Use the following command to retrieve the certificate and save it to the appropriate directory: + ```powershell Invoke-WebRequest -Uri https://app.sekoia.io/assets/files/SEKOIA-IO-intake.pem -OutFile 'C:\Program Files\nxlog\cert\Sekoia.io-intake.pem' ``` 3. Restart the NXLog service through the Services tool as an administrator or use the following PowerShell command line as an administrator: + ```powershell Restart-Service nxlog ``` After completing these steps, your events forwarder should be able to establish a secure connection with the Sekoia.io intake using the newly downloaded certificate. - ## NXLog to a concentrator ### Configure NXLog 
@@ -141,7 +141,7 @@ To get started, follow these steps: 3. Navigate to the NXLog configuration file, which is located at `C:\Program Files\nxlog\conf\nxlog.conf` 4. Update the configuration file by following these instructions: -```shell +```shell ## This is a sample configuration file. See the nxlog reference manual about the ## configuration options. It should be installed locally and is also available ## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html 
@@ -191,12 +191,12 @@ To get started, follow these steps: !!! Warning `OutputType Syslog_TLS` is needed for `TCP` transport even if you do not encrypt data. It does not depend on SSL transport at all. - **Remove it ONLY** if you use `UDP` - `om_udp`. + **Remove it ONLY** if you use `UDP` - `om_udp`. For more information, consult [NXLog documentation.](https://docs.nxlog.co/refman/current/xm/syslog.html) - + !!! Note - The iso8859-1 character encoding is limited to 256 characters, which is not enough to represent all French characters. This means that some French characters might not be correctly interpreted or displayed when using iso8859-1 encoding. For example, iso8859-1 does not include characters such as é, è, ê, and ë. - In order to correctly represent these characters, it is recommended to install the [Sekoia.io agent](https://docs.sekoia.io/xdr/features/collect/integrations/endpoint/sekoiaio/). This endpoint agent is specifically designed to handle such issues, ensuring the accurate and secure transmission of data. + The iso8859-1 character encoding is limited to 256 characters, which is not enough to represent all French characters. This means that some French characters might not be correctly interpreted or displayed when using iso8859-1 encoding. For example, iso8859-1 does not include characters such as é, è, ê, and ë. + In order to correctly represent these characters, it is recommended to install the [Sekoia.io agent](https://docs.sekoia.io/integration/integrations/endpoint/sekoiaio/). This endpoint agent is specifically designed to handle such issues, ensuring the accurate and secure transmission of data. Restart the NXLog service through the Services tool as Administrator or use this Powershell command line as admin: 
@@ -205,13 +205,14 @@ Restart-Service nxlog ``` ### Configure the concentrator to forward events to Sekoia.io + Please read the dedicated documentation for each concentrator: -* [Rsyslog](../../../ingestion_methods/syslog/overview/) -* [Logstash](../../../ingestion_methods/logstash/) -* [Syslog-ng](../../../ingestion_methods/syslog-ng/) -* [Graylog](../../../ingestion_methods/graylog/) -* [Sekoia.io docker concentrator](../../../ingestion_methods/sekoiaio_forwarder/) +- [Rsyslog](../../../ingestion_methods/syslog/overview/) +- [Logstash](../../../ingestion_methods/logstash/) +- [Syslog-ng](../../../ingestion_methods/syslog-ng/) +- [Graylog](../../../ingestion_methods/graylog/) +- [Sekoia.io docker concentrator](../../../ingestion_methods/sekoiaio_forwarder/) !!! Note While Sekoia.io docker concentrator is highly recommended, you are free to use the one that you are most comfortable with. @@ -221,20 +222,23 @@ Please read the dedicated documentation for each concentrator: Most of the following commands are to be run as Administrator in a Powershell interpretor. ### Windows Event Collector (WEC) setup + The Windows Event Collector, also known as WEC, is a Microsoft service that can be enabled and configured to aggregate logs from the Windows Event Forwarders (WEF). -** 1. Get the WEC FQDN ** +**1. Get the WEC FQDN** Log in the Windows Event Collector and execute the following command: + ```powershell ([System.Net.Dns]::GetHostByName(($env:computerName))).Hostname ``` -!!! Note +!!! Note Please take note of the following information as it will be required in the upcoming section "Deploying the GPO'. Specifically, you will need to replace the `FQDN_WEC_SERVER` field with this information to complete the deployment process. - -** 2. Configure the subscription file** + +**2. Configure the subscription file** Get the SDDL information by executing the following command: + ``` wevtutil gl security ``` 
@@ -285,40 +289,44 @@ On the WEC server, create an XML file, named `DC_SUBSCRIPTION.xml` with the foll O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS) ``` + !!! warning - You have to replace Domain Computers domain group "(A;;GA;;;DC)" by "(A;;GA;;;S-1-5-....)" using information you previously collected in the `channelAccess`. + You have to replace Domain Computers domain group "(A;;GA;;;DC)" by "(A;;GA;;;S-1-5-....)" using information you previously collected in the `channelAccess`. More information of the SDDL format can be found [here.](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379567(v=vs.85).aspx) Ensure the file is correctly saved, then close it. -** 3. Configure the Windows Remote Management** +**3. Configure the Windows Remote Management** On the WEC server, open a command interpretor as Administrator, and run the following command: + ```powershell winrm qc -q ``` -** 4. Activate the "Event Collector" service** +**4. Activate the "Event Collector" service** As Administrator, enter the following command: + ```powershell wecutil qc /q ``` -** 5. Activate the subscription to a zone** +**5. Activate the subscription to a zone** As Administrator, enter the following command: !!! Warning - Please change the character `FILE_PATH`. - + Please change the character `FILE_PATH`. + ```powershell wecutil cs "\DC_SUBSCRIPTION.xml" ``` -** 6. Display the state of the subscription to this zone** +**6. Display the state of the subscription to this zone** As Administrator, enter the following command: + ```powershell wecutil gr DC_SUBSCRIPTION ``` 
@@ -331,7 +339,7 @@ The Windows Event Forwarder, also known as WEF, is a Microsoft service that can To configure the Event Log Reader, follow the steps below: -1. Configure the collector URI(s) to specify the location where you want to send the logs. The collector URI must be a valid HTTP or HTTPS address. +1. Configure the collector URI(s) to specify the location where you want to send the logs. The collector URI must be a valid HTTP or HTTPS address. 2. Start the WinRM service. Open a command prompt as an Administrator and run the following command: `net start winrm` @@ -344,6 +352,7 @@ Note that these steps are necessary to allow the Event Log Reader to access the **Configure the Windows Remote Management** On the AD admin console, open a command interpretor as Administrator and run the following command: + ```powershell winrm qc -q ``` @@ -362,9 +371,11 @@ Server=http://FQDN_WEC_SERVER:5985/wsman/SubscriptionManager/WEC,Refresh=60 **Apply the GPO** On the AD admin console, open a command interpretor as Administrator and run the following command: + ```powershell gpupdate /force ``` + !!! tip More documentation is available on the official [Microsoft documentation.](https://docs.microsoft.com/fr-fr/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection) @@ -437,6 +448,7 @@ To ensure proper logging configuration, please follow the steps below: ``` ## Sysmon usage + Sysmon is a Microsoft tool you can download on their [website](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon). A common installation instruction and configuration file is available on [Florian Roth's Github](https://github.com/Neo23x0/sysmon-config/blob/master/sysmonconfig-export.xml). This configuration is an updated (and maintained) version of the [SwiftOnSecurity's configuration](https://github.com/SwiftOnSecurity/sysmon-config), which can also be used. 
@@ -444,18 +456,21 @@ A common installation instruction and configuration file is available on [Floria ### Install Sysmon 1. Download and extract Sysmon from the official the [website](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon). With powershell: + ```powershell Invoke-WebRequest -Uri "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "Sysmon.zip" Expand-Archive -Path Sysmon.zip -DestinationPath Sysmon ``` 2. Download the configuration you want to use, for instance from [Florian Roth's Github](https://github.com/Neo23x0/sysmon-config/blob/master/sysmonconfig-export.xml). With Powershell: + ```powershell cd .\Sysmon\ Invoke-WebRequest -Uri "https://raw.githubusercontent.com/Neo23x0/sysmon-config/master/sysmonconfig-export.xml" -OutFile "sysmonconfig-export.xml" ``` 3. Install Sysmon + ```powershell .\Sysmon64.exe -accepteula -i sysmonconfig-export.xml ``` @@ -501,4 +516,5 @@ Restart-Service nxlog ``` ## Further Readings + - [NXLog Community Edition Reference Manual](https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html) diff --git a/docs/integration/integrations/network/cisco/cisco_identity_services_engine_ise.md b/docs/integration/integrations/network/cisco/cisco_identity_services_engine_ise.md index b070352ab8..92b8874042 100644 --- a/docs/integration/integrations/network/cisco/cisco_identity_services_engine_ise.md +++ b/docs/integration/integrations/network/cisco/cisco_identity_services_engine_ise.md @@ -26,7 +26,7 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n ## Forward logs to Sekoia.io -Please consult the [Syslog Forwarding](https://docs.sekoia.io/xdr/features/collect/ingestion_methods/sekoiaio_forwarder/) documentation to forward these logs to Sekoia.io. +Please consult the [Syslog Forwarding](https://docs.sekoia.io/integration/ingestion_methods/sekoiaio_forwarder/) documentation to forward these logs to Sekoia.io. ## Further Readings 
diff --git a/docs/integration/integrations/network/forcepoint_web_gateway.md b/docs/integration/integrations/network/forcepoint_web_gateway.md index 0625c22c27..1dcec67dd5 100644 --- a/docs/integration/integrations/network/forcepoint_web_gateway.md +++ b/docs/integration/integrations/network/forcepoint_web_gateway.md @@ -3,6 +3,7 @@ name: Forcepoint Secure Web Gateway type: intake ## Overview + Forcepoint Secure Web Gateway (SWG) is a proxy, installed on the endpoint, applying routing policies and analyzing the traffic against threats. This product is supported by Forcepoint LLC. @@ -22,8 +23,7 @@ This procedure should be repeated for each Forcepoint Policy Server. ### Prerequisites -An internal syslog concentrator is required to collect and forward events to Sekoia.io. We highly recommand you to use the [Sekoia.io Forwarder](/xdr/features/collect/ingestion_methods/syslog/sekoiaio_forwarder/). - +An internal syslog concentrator is required to collect and forward events to Sekoia.io. We highly recommand you to use the [Sekoia.io Forwarder](/integration/ingestion_methods/syslog/sekoiaio_forwarder/). ### Enable SIEM Integration @@ -37,7 +37,6 @@ Select the `syslog/CEF` as SIEM format. Click `OK` then `Save and Deploy` to ena Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format Forcepoint Secure Web Gateway. - ## Forward logs to Sekoia.io Please consult the [Sekoia.io Forwarder](../../../ingestion_methods/sekoiaio_forwarder/) documentation to forward these logs to Sekoia.io. diff --git a/docs/integration/integrations/network/suricata.md b/docs/integration/integrations/network/suricata.md index 5c6da6e87a..70f375a8b6 100644 --- a/docs/integration/integrations/network/suricata.md +++ b/docs/integration/integrations/network/suricata.md 
@@ -3,23 +3,27 @@ name: Suricata type: intake ## Overview -Suricata is a free and open source, mature, fast and robust network threat detection engine. Suricata inspects the network traffic using a powerful and extensive rules and signature language, and has powerful Lua scripting support for detection of complex threats. +Suricata is a free and open source, mature, fast and robust network threat detection engine. Suricata inspects the network traffic using a powerful and extensive rules and signature language, and has powerful Lua scripting support for detection of complex threats. {!_shared_content/operations_center/detection/generated/suggested_rules_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.md!} {!_shared_content/operations_center/integrations/generated/331fa58d-8cf9-454a-a87f-48a3dc07d4d3.md!} ## Configure + Suricata leverages its EVE output module to report alerts, metadata, file info and protocol records in JSON. As described in the [official documentation](https://docs.suricata.io/en/latest/configuration/suricata-yaml.html), this module can report its findings through the [syslog](https://docs.suricata.io/en/latest/output/eve/eve-json-output.html#output-types) facility. ### Configure log settings + Open the Suricata configuration file: `suricata.yaml` (please note that the path to the configuration file may change depending on the OS and your configuration): + ```bash sudo vim /etc/suricata/suricata.yaml ``` Paste the following declaration in your suricata configuration to trigger the production of syslog entries under the `local5` facility: + ``` outputs: - eve-log: 
@@ -35,13 +39,15 @@ outputs: - tls ``` -### Forward logs to Sekoia +### Forward logs to Sekoia + Given this Suricata configuration, your local built-in rsyslog service will handle produced records. Once your Suricata is configured to log threw syslog you have many options to forward those logs to Sekoia.io app. All of those solutions have their advantages. You will find more details about the type of events that are handled by each of them and how to set up those solutions on the dedicated documentations that follows: -- [Collect logs in files with Sekoia.io agent and send them directly to Sekoia.io via HTTP](https://docs.sekoia.io/xdr/features/collect/integrations/endpoint/sekoiaio/#collect-logs-in-files) -- [Forward local logs to a central Sekoia.io Forwarder prior to be transfered to Sekoia.io via Syslog](https://docs.sekoia.io/xdr/features/collect/ingestion_methods/sekoiaio_forwarder/) -- [Update the local Rsyslog to send updated logs to a central Sekoia.io Forwarder or directly to Sekoia.io via Syslog](https://docs.sekoia.io/xdr/features/collect/ingestion_methods/syslog/rsyslog/) +- [Collect logs in files with Sekoia.io agent and send them directly to Sekoia.io via HTTP](https://docs.sekoia.io/integration/integrations/endpoint/sekoiaio/#collect-logs-in-files) +- [Forward local logs to a central Sekoia.io Forwarder prior to be transfered to Sekoia.io via Syslog](https://docs.sekoia.io/integration/ingestion_methods/sekoiaio_forwarder/) +- [Update the local Rsyslog to send updated logs to a central Sekoia.io Forwarder or directly to Sekoia.io via Syslog](https://docs.sekoia.io/integration/ingestion_methods/syslog/rsyslog/) ## Further Readings + - [Suricata User Guide](https://suricata.readthedocs.io/) diff --git a/docs/integration/integrations/network/wallix.md b/docs/integration/integrations/network/wallix.md index 5d4ffec2d2..efb4eec29c 100644 --- a/docs/integration/integrations/network/wallix.md +++ b/docs/integration/integrations/network/wallix.md 
@@ -3,14 +3,15 @@ name: Wallix type: intake ## Overview -WALLIX Bastion is a “Privileged Access Management” solution. +WALLIX Bastion is a “Privileged Access Management” solution. {!_shared_content/operations_center/detection/generated/suggested_rules_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.md!} {!_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899.md!} ## Configure + This setup guide will show you how to forward logs produced by your Wallix bastion to Sekoia.io by means of an syslog transport channel. On the "SIEM Integration" page in the "System" menu, you can set up the routing of logged information log information to one or more other network devices syslog servers. 
@@ -18,29 +19,28 @@ On the "SIEM Integration" page in the "System" menu, you can set up the routing !!! Warning This page is only displayed when the "SIEM" functionality is associated with the license key. -To set up routing via the syslog server you previously setup, such as the [Sekoia.io Forwarder](https://docs.sekoia.io/xdr/features/collect/ingestion_methods/syslog/sekoiaio_forwarder/), enter the following information: +To set up routing via the syslog server you previously setup, such as the [Sekoia.io Forwarder](https://docs.sekoia.io/integration/ingestion_methods/syslog/sekoiaio_forwarder/), enter the following information: - server IP address or FQDN, - transmission protocol (UDP or TCP), - port number, - log format (standard RFC 3164 format), - - choose the timestamp format as ISO format (YYYY-MM-DDTHH:MM:SS±TZ), that contains year and time zone. + - choose the timestamp format as ISO format (YYYY-MM-DDTHH:MM:SS±TZ), that contains year and time zone. - filter for selecting the categories of logged information to be sent via the server, including: - * configuration changes, - * authentication logs, - * account activities, - * SSH proxies events, - * RDP proxies events, - * SSH session, - * RDP session, - * VNC session. + - configuration changes, + - authentication logs, + - account activities, + - SSH proxies events, + - RDP proxies events, + - SSH session, + - RDP session, + - VNC session. !!! Note When upgrading from a version prior to WALLIX Bastion 8.2, all logged information categories are selected by default for all servers previously configured on this page. Logs will then be sent to the selected IP address, port and transmission protocol, and also stored on the local file system, so that they are always available for reading on the "Logs audit" page in the "Configuration" menu. 
- ### Configure the syslog server -Please consult the [Sekoia.io Forwarder](https://docs.sekoia.io/xdr/features/collect/ingestion_methods/syslog/sekoiaio_forwarder/) documentation to forward these logs to Sekoia.io. +Please consult the [Sekoia.io Forwarder](https://docs.sekoia.io/integration/ingestion_methods/syslog/sekoiaio_forwarder/) documentation to forward these logs to Sekoia.io. diff --git a/docs/xdr/features/investigate/events.md b/docs/xdr/features/investigate/events.md index 209fc3a565..d9df901709 100644 --- a/docs/xdr/features/investigate/events.md +++ b/docs/xdr/features/investigate/events.md @@ -8,10 +8,10 @@ In this documentation, we will dive into the different parts that constitute the - The [Search bar](#search-bar) and its filtering and sharing options - The [list of events](#log-listing) and the detailed view of your parsed events - The mechanism behind [events enrichment](#events-enrichment) or how events are contextualized in Sekoia.io -- The [aggregation](#aggregation) feature and how to create an [anomaly detection rule](#Create-Anomaly-Detection-rule-from-the-aggregation-view) from your query +- The [aggregation](#aggregation) feature and how to create an [anomaly detection rule](#create-anomaly-detection-rule-from-the-aggregation-view) from your query !!! note - To send your logs to Sekoia.io, please refer to this [section](https://docs.sekoia.io/xdr/features/collect/ingestion_methods/). + To send your logs to Sekoia.io, please refer to this [section](https://docs.sekoia.io/integration/ingestion_methods/). ## Search bar 
@@ -44,14 +44,13 @@ You can also add filters manually by clicking on the "Add Filter" icon below the | `<` | The field must be less than the specified number. *Only for numerical fields* | | `<=` | The field must be less than or equal to the specified number. *Only for numerical fields* | - ![event-filter](/assets/operation_center/events/events-filters.png){ align=right } Each filter is added as a badge below the `Search Bar`. A filter can be removed by clicking on the `X` at the end of the badge. You can also click on a filter to access a menu that will allow you to: -* Edit the filter -* Invert the filter (filtering out instead of filtering for, or vice versa) -* Temporarily disable or re-enable a filter +- Edit the filter +- Invert the filter (filtering out instead of filtering for, or vice versa) +- Temporarily disable or re-enable a filter To clear current filters, you can use the `Clear all` button at the end of the filters. @@ -82,7 +81,6 @@ Click on the `Apply` button to start your search based on these filters. ### Search history - Each events search performed is listed in the `Search History` for 30 days. You can use the search history to easily access past search results. It is accessible by clicking on the following button (a panel will be displayed with the previous searches) @@ -104,8 +102,8 @@ Search Results can be shared with your colleagues by sending them the unique sea To obtain the search URL, you can: -* Click on the `Share / Link` icon inside the `Search History` panel -* Copy the active URL from the browser address bar +- Click on the `Share / Link` icon inside the `Search History` panel +- Copy the active URL from the browser address bar ### Histogram 
@@ -155,7 +153,6 @@ Each line of log can be unrolled to show: ![line-details](/assets/operation_center/events/log-details.png){ align=right } - - `STIX`: Event as a STIX bundle that will be used by detection engines - `Raw event`: Event as received by Sekoia.io - `Detail`: Detailed information retrieved from the log after parsing with elements from the event related to the intake and the community. @@ -187,7 +184,6 @@ After adding an event to a case, you will notice that the selected case becomes To deselect the active case, click on the `X` next to its name. - ### Export the results of a search You can easily export the results of a search in `CSV` or `JSON` format and choose the fields you want to export. @@ -238,7 +234,6 @@ To see the value of enriched values, click on the enriched field and you'll be p !!! note If the value exists in the Intelligence Center, tags associated with the value in question will be added as additional context. - ## Aggregation Aggregation is a new (beta) feature on Sekoia.io! @@ -260,7 +255,6 @@ To compute aggregations on a list of events, you’ll have to: !!! note Aggregation view feature does not support the field `alert_short_ids`. - ### Aggregation methods - `Average` (only for numerical data): aggregate average of field values per bucket diff --git a/docs/xdr/features/investigate/querying_events.md b/docs/xdr/features/investigate/querying_events.md index 6e6338d2b2..e132bb8ba2 100644 --- a/docs/xdr/features/investigate/querying_events.md +++ b/docs/xdr/features/investigate/querying_events.md 
@@ -6,7 +6,7 @@ The [Events page](https://app.sekoia.io/operations/events) exposes a search capa ### Fields -The Tables below detail the main fields that can be used to narrow down your search. Events are normalized to use the [Elastic Common Schema (ECS) Reference](https://www.elastic.co/guide/en/ecs/master/index.html). Custom fields can also be used and are listed in the [Integrations section](https://docs.sekoia.io/xdr/features/collect/integrations/). +The Tables below detail the main fields that can be used to narrow down your search. Events are normalized to use the [Elastic Common Schema (ECS) Reference](https://www.elastic.co/guide/en/ecs/master/index.html). Custom fields can also be used and are listed in the [Integrations section](https://docs.sekoia.io/integration/integrations/). #### Action @@ -34,7 +34,6 @@ The Tables below detail the main fields that can be used to narrow down your sea | network.protocol | string | L7 Network protocol name. ex. http, lumberjack, transport protocol. | | network.transport | string | Protocol Name corresponding to the field `iana_number`. | - #### Destination | name | type | description | @@ -102,7 +101,6 @@ The Tables below detail the main fields that can be used to narrow down your sea | process.parent.name | string | Parent process' name | | process.parent.executable | string | Parent process' executable | - ### Example Get valid events, that are neither apache nor nginx logs: diff --git a/docs/xdr/xdr_quick_start.md b/docs/xdr/xdr_quick_start.md index b0654d84fe..29e319f789 100644 --- a/docs/xdr/xdr_quick_start.md +++ b/docs/xdr/xdr_quick_start.md 
@@ -2,7 +2,6 @@ ## Introduction - Following the creation of a new community, which represents your instance that is provided to you with the licence, there is a set of standard configurations on Sekoia.io Operations Center pages that needs to be completed. This note summarises a guidance on the primary steps to be taken in the first few minutes of setting up a community. The full guide on how to create and set up an account, create and invite users to a community, manage roles, permissions and notifications and much more, is available [here](https://docs.sekoia.io/getting_started/). @@ -25,10 +24,10 @@ The Intakes correspond to the different technologies used (also called Data Sour To create intakes associated to the technology you would like to collect: 1. Go to the Intakes page and create intakes one by one from the catalog. -2. Make sure the logs are pushed to Sekoia.io using [syslog](https://docs.sekoia.io/xdr/features/collect/ingestion_methods/syslog/overview/) or [HTTPS](https://docs.sekoia.io/xdr/features/collect/ingestion_methods/https/overview/) protocols providing the `Intake key` accordingly, or pulled by API. +2. Make sure the logs are pushed to Sekoia.io using [syslog](https://docs.sekoia.io/integration/ingestion_methods/syslog/overview/) or [HTTPS](https://docs.sekoia.io/integration/ingestion_methods/https/overview/) protocols providing the `Intake key` accordingly, or pulled by API. !!! note - Find more details on each integration in our [integrations catalog](https://docs.sekoia.io/xdr/features/collect/integrations/). + Find more details on each integration in our [integrations catalog](https://docs.sekoia.io/integration/integrations/). ![intakes](/assets/operation_center/quick_start/intakes.png){: style="max-width:100%"} diff --git a/mkdocs.yml b/mkdocs.yml index 00a076adb2..a7cd744cc8 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -2,899 +2,899 @@ copyright: Copyright © 2023 - Sekoia.io edit_uri: edit/main/docs/ extra: social: - - icon: fontawesome/brands/twitter - link: https://twitter.com/sekoia_io + - icon: fontawesome/brands/twitter + link: https://twitter.com/sekoia_io extra_css: -- stylesheets/sekoiaio.css -- stylesheets/lightgallery.min.css -- stylesheets/poppins.min.css -- stylesheets/inter.min.css + - stylesheets/sekoiaio.css + - stylesheets/lightgallery.min.css + - stylesheets/poppins.min.css + - stylesheets/inter.min.css extra_javascript: -- javascript/sekoiaio.js -- javascript/lightgallery.min.js -- javascript/hotjar.js -- javascript/posthog.js + - javascript/sekoiaio.js + - javascript/lightgallery.min.js + - javascript/hotjar.js + - javascript/posthog.js markdown_extensions: -- admonition -- attr_list -- md_in_html -- codehilite -- pymdownx.details -- pymdownx.highlight: - linenums: true - linenums_style: pymdownx-inline -- pymdownx.superfences -- pymdownx.tabbed: - alternate_style: true -- markdown_include.include -- lightgallery + - admonition + - attr_list + - md_in_html + - codehilite + - pymdownx.details + - pymdownx.highlight: + linenums: true + linenums_style: pymdownx-inline + - pymdownx.superfences + - pymdownx.tabbed: + alternate_style: true + - markdown_include.include + - lightgallery nav: -- Getting started: - - Overview: getting_started/index.md - - Where to start: getting_started/concepts.md - - Workspace setup: - - Join workspace: getting_started/join_community.md - - Create and manage communities: getting_started/create_community.md - - Account setup: - - Create account: getting_started/create_account.md - - Setup account: getting_started/account_settings.md - - Security and access: - - Account security: - - Two-Factor Authentication: getting_started/account_security.md - - Security tokens: getting_started/securitytokens.md - - Workspace security: - - Session duration: getting_started/session_duration.md - - Two-Factor Authentication: 
getting_started/twofactor_workspace.md - - SSO with OpenID Connect: getting_started/sso/openid_connect.md - - SSO with Microsoft Entra ID (Azure AD): getting_started/sso/azure.md - - SSO with Okta: getting_started/sso/okta.md - - Users and roles: - - Invite users: getting_started/invite_users.md - - Manage users: getting_started/manage_users.md - - Deactivate inactive users: getting_started/inactive_users.md - - Roles and permissions: - - Build-in roles: getting_started/roles.md - - Custom roles: getting_started/custom_roles.md - - Notifications: - - Create and manage notifications: getting_started/notifications-Listing_Creation.md - - Notification examples: getting_started/notifications-Examples.md - - API Keys: getting_started/manage_api_keys.md - - Sekoia regions: getting_started/regions.md - - Best practices: getting_started/best_practices.md - - Troubleshooting tips: getting_started/get_troubleshooting_tips.md -- Sekoia Defend (XDR): - - Introduction: xdr/index.md - - Quick start guide: xdr/xdr_quick_start.md - - Features: - - Collect: - - Ingestion methods: - - Overview: xdr/features/collect/ingestion_methods/index.md - - Https: - - Overview: xdr/features/collect/ingestion_methods/https/overview.md - - Formatting options: xdr/features/collect/ingestion_methods/https/format.md - - Forwarding logs using a third-party application: xdr/features/collect/ingestion_methods/https/third_part.md - - Syslog: - - Overview: xdr/features/collect/ingestion_methods/syslog/overview.md - - Sekoia.io Forwarder: xdr/features/collect/ingestion_methods/syslog/sekoiaio_forwarder.md - - Third-party syslog services: xdr/features/collect/ingestion_methods/syslog/syslog_service.md - - Cloud & SaaS: - - Overview: xdr/features/collect/ingestion_methods/cloud_saas/overview.md - - AWS S3: xdr/features/collect/ingestion_methods/cloud_saas/aws.md - - Azure Event Hub: xdr/features/collect/ingestion_methods/cloud_saas/azure.md - - Google Pub/Sub: 
xdr/features/collect/ingestion_methods/cloud_saas/gcp.md - - Integrations: - - Overview: xdr/features/collect/integrations/index.md - - Custom Format: xdr/features/collect/integrations/custom_format.md - - Application: - - Tenable Identity Exposure / Alsid: xdr/features/collect/integrations/application/alsid.md - - Apache HTTP Server: xdr/features/collect/integrations/application/apache.md - - BIND: xdr/features/collect/integrations/application/bind.md - - "\u0421\u0443berwatch Detection": xdr/features/collect/integrations/application/cyberwatch_detection.md - - FreeRADIUS: xdr/features/collect/integrations/application/freeradius.md - - HAProxy: xdr/features/collect/integrations/application/haproxy.md - - ISC DHCP: xdr/features/collect/integrations/application/dhcpd.md - - ManageEngine ADAudit Plus: xdr/features/collect/integrations/application/manageengine_adauditplus.md - - Microsoft IIS: xdr/features/collect/integrations/application/microsoft_iis.md - - Nginx: xdr/features/collect/integrations/application/nginx.md - - OpenLDAP: xdr/features/collect/integrations/application/openldap.md - - OpenSSH: xdr/features/collect/integrations/application/openssh.md - - OpenVPN: xdr/features/collect/integrations/application/openvpn.md - - RSA SecurID: xdr/features/collect/integrations/application/rsa_securid.md - - SEKOIA.IO activity logs: xdr/features/collect/integrations/application/sekoiaio_activity_logs.md - - Systancia Cleanroom: xdr/features/collect/integrations/application/systancia_cleanroom.md - - Unbound: xdr/features/collect/integrations/application/unbound.md - - Veeam Backup & Replication: xdr/features/collect/integrations/application/veeam_backup.md - - Cloud and SaaS: - - AWS: - - CloudTrail: xdr/features/collect/integrations/cloud_and_saas/aws/aws_cloudtrail.md - - GuardDuty: xdr/features/collect/integrations/cloud_and_saas/aws/aws_guardduty.md - - VPC Flow Logs: xdr/features/collect/integrations/cloud_and_saas/aws/aws_flow_logs.md - - S3 for logs: 
xdr/features/collect/integrations/cloud_and_saas/aws/aws_s3_logs.md - - WAF logs: xdr/features/collect/integrations/cloud_and_saas/aws/aws_waf.md - - CloudFront logs: xdr/features/collect/integrations/cloud_and_saas/aws/aws_cloudfront.md - - Cisco Umbrella: - - Cisco Umbrella Proxy: xdr/features/collect/integrations/cloud_and_saas/cisco_umbrella/umbrella_proxy.md - - Cisco Umbrella IP: xdr/features/collect/integrations/cloud_and_saas/cisco_umbrella/umbrella_ip.md - - Cisco Umbrella DNS: xdr/features/collect/integrations/cloud_and_saas/cisco_umbrella/umbrella_dns.md - - Cloudflare: - - Access requests: xdr/features/collect/integrations/cloud_and_saas/cloudflare/cloudflare-access-requests.md - - Audit logs: xdr/features/collect/integrations/cloud_and_saas/cloudflare/cloudflare-audit-logs.md - - DNS logs: xdr/features/collect/integrations/cloud_and_saas/cloudflare/cloudflare-dns-logs.md - - Firewall events: xdr/features/collect/integrations/cloud_and_saas/cloudflare/cloudflare-firewall-events.md - - Gateway DNS: xdr/features/collect/integrations/cloud_and_saas/cloudflare/cloudflare-gateway-dns.md - - Gateway HTTP: xdr/features/collect/integrations/cloud_and_saas/cloudflare/cloudflare-gateway-http.md - - Gateway Network: xdr/features/collect/integrations/cloud_and_saas/cloudflare/cloudflare-gateway-network.md - - HTTP requests: xdr/features/collect/integrations/cloud_and_saas/cloudflare/cloudflare-http-requests.md - - Broadcom Cloud Secure Web Gateway: xdr/features/collect/integrations/cloud_and_saas/broadcom_cloud_swg.md - - Bitsight SPM: xdr/features/collect/integrations/cloud_and_saas/bitsight_spm.md - - Cato SASE: xdr/features/collect/integrations/cloud_and_saas/cato_sase.md - - Datadome Protection: xdr/features/collect/integrations/cloud_and_saas/datadome_protection.md - - Digital Shadows SearchLight: xdr/features/collect/integrations/cloud_and_saas/digital_shadows.md - - Cisco Duo Security: xdr/features/collect/integrations/cloud_and_saas/cisco_duo_security.md - 
- Claroty xDome: xdr/features/collect/integrations/cloud_and_saas/claroty_xdome.md - - ExtraHop Reveal(x) 360: xdr/features/collect/integrations/cloud_and_saas/extrahop_revealx_360.md - - Fastly Next-Gen WAF Alerts: xdr/features/collect/integrations/cloud_and_saas/fastly/fastly_waf.md - - Fastly Next-Gen WAF Audit Logs: xdr/features/collect/integrations/cloud_and_saas/fastly/fastly_audit_waf.md - - Github Audit Logs: xdr/features/collect/integrations/cloud_and_saas/github_audit_logs.md - - Google Cloud: - - Google Cloud Audit Logs: xdr/features/collect/integrations/cloud_and_saas/google/google_cloud_audit.md - - Google Kubernetes Engine: xdr/features/collect/integrations/cloud_and_saas/google/google_kubernetes_engine.md - - Google Cloud VPC Flow Logs: xdr/features/collect/integrations/cloud_and_saas/google/google_vpc_flow_logs.md - - Google Workspace: xdr/features/collect/integrations/cloud_and_saas/google/google_reports.md - - Imperva WAF: xdr/features/collect/integrations/cloud_and_saas/imperva_waf.md - - Jumpcloud Directory Insights: xdr/features/collect/integrations/cloud_and_saas/jumpcloud_directory_insights.md - - Lacework Cloud Security: xdr/features/collect/integrations/cloud_and_saas/lacework_cloud_security.md - - Microsoft Azure: - - Microsoft Entra ID (Azure AD): xdr/features/collect/integrations/cloud_and_saas/azure/entra_id.md - - Azure Front Door: xdr/features/collect/integrations/cloud_and_saas/azure/azure_front_door.md - - Azure Database for MySQL: xdr/features/collect/integrations/cloud_and_saas/azure/azure_mysql.md - - Azure Linux: xdr/features/collect/integrations/cloud_and_saas/azure/azure_linux.md - - Azure Files: xdr/features/collect/integrations/cloud_and_saas/azure/azure_files.md - - Azure Key Vault: xdr/features/collect/integrations/cloud_and_saas/azure/azure_key_vault.md - - Azure Network Watcher: xdr/features/collect/integrations/cloud_and_saas/azure/azure_network_watcher.md - - Azure Windows: 
xdr/features/collect/integrations/cloud_and_saas/azure/azure_windows.md - - Microsoft Office 365: - - Office365: xdr/features/collect/integrations/cloud_and_saas/office365/o365.md - - Microsoft Defender for Office 365: xdr/features/collect/integrations/cloud_and_saas/office365/o365.md - - Microsoft 365 Defender: xdr/features/collect/integrations/cloud_and_saas/office365/microsoft_365_defender.md - - Message trace: xdr/features/collect/integrations/cloud_and_saas/office365/message_trace.md - - Netskope: - - Netskope Events: xdr/features/collect/integrations/cloud_and_saas/netskope/netskope_events.md - - Netskope Transaction Events: xdr/features/collect/integrations/cloud_and_saas/netskope/netskope_transaction.md - - OGO Shield WAF: xdr/features/collect/integrations/cloud_and_saas/ogo_shield.md - - Okta system log: xdr/features/collect/integrations/cloud_and_saas/okta_system_log.md - - Salesforce: xdr/features/collect/integrations/cloud_and_saas/salesforce.md - - SecurityScorecard's Vulnerability Assessment Scanner: xdr/features/collect/integrations/cloud_and_saas/securityscorecard_vas.md - - Sophos Threat Analysis Center: xdr/features/collect/integrations/cloud_and_saas/sophos_threat_analysis_center.md - - Ubika: - - Ubika Cloud Protector Alerts: xdr/features/collect/integrations/cloud_and_saas/ubika_cloud_protector_alerts.md - - Ubika Cloud Protector Traffic: xdr/features/collect/integrations/cloud_and_saas/ubika_cloud_protector_traffic.md - - Ubika WAAP Gateway: xdr/features/collect/integrations/cloud_and_saas/ubika_waap.md - - Zscaler ZIA: xdr/features/collect/integrations/cloud_and_saas/zscaler_zia.md - - Email: - - Apache Spamassassin: xdr/features/collect/integrations/email/spamassassin.md - - Cisco ESA: xdr/features/collect/integrations/email/cisco_esa.md - - Fortinet Fortimail: xdr/features/collect/integrations/email/fortimail.md - - Mimecast Email Security: xdr/features/collect/integrations/email/mimecast_email_security.md - - Postfix: 
xdr/features/collect/integrations/email/postfix.md - - Proofpoint: - - Proofpoint PoD: xdr/features/collect/integrations/email/proofpoint_pod.md - - Proofpoint TAP: xdr/features/collect/integrations/email/proofpoint_tap.md - - Trend Micro Email Security: xdr/features/collect/integrations/email/trend_micro_email_security.md - - Retarus Email Security: xdr/features/collect/integrations/email/retarus_email_security.md - - Vade Cloud: xdr/features/collect/integrations/email/vade_cloud.md - - Vade for M365: xdr/features/collect/integrations/email/vade.md - - Endpoint: - - Beats: - - Auditbeat Linux: xdr/features/collect/integrations/endpoint/auditbeat_linux.md - - Winlogbeat: xdr/features/collect/integrations/endpoint/winlogbeat.md - - Check Point Harmony Mobile: xdr/features/collect/integrations/endpoint/checkpoint_harmony_mobile.md - - CrowdStrike Falcon: xdr/features/collect/integrations/endpoint/crowdstrike_falcon.md - - CrowdStrike Falcon Telemetry: xdr/features/collect/integrations/endpoint/crowdstrike_falcon_telemetry.md - - Cybereason MalOp: xdr/features/collect/integrations/endpoint/cybereason_malop.md - - Cybereason MalOp activity: xdr/features/collect/integrations/endpoint/cybereason_malop_activity.md - - Darktrace Threat Visualizer: xdr/features/collect/integrations/endpoint/darktrace_threat_visualizer.md - - Daspren Parad: xdr/features/collect/integrations/endpoint/daspren_parad.md - - ESET Protect / Inspect: xdr/features/collect/integrations/endpoint/eset_protect.md - - HarfangLab: xdr/features/collect/integrations/endpoint/harfanglab.md - - IBM AIX: xdr/features/collect/integrations/endpoint/ibm_aix.md - - IBM iSeries (AS/400): xdr/features/collect/integrations/endpoint/ibm_i.md - - Linux: xdr/features/collect/integrations/endpoint/linux.md - - Microsoft Intune: xdr/features/collect/integrations/endpoint/microsoft_intune.md - - Panda Security Aether: xdr/features/collect/integrations/endpoint/panda_security_aether.md - - Palo Alto Cortex EDR: 
xdr/features/collect/integrations/endpoint/paloalto_cortex_edr.md - - Sekoia.io Endpoint Agent: xdr/features/collect/integrations/endpoint/sekoiaio.md - - SentinelOne EDR: xdr/features/collect/integrations/endpoint/sentinelone.md - - SentinelOne Cloud Funnel 1.0 [Deprecated]: xdr/features/collect/integrations/endpoint/sentinelone_deepvisibility.md - - SentinelOne Cloud Funnel 2.0: xdr/features/collect/integrations/endpoint/sentinelone_cloudfunnel2.0.md - - Sophos EDR: xdr/features/collect/integrations/endpoint/sophos_edr.md - - Stormshield SES: xdr/features/collect/integrations/endpoint/stormshield_endpoint.md - - Symantec/Broadcom Endpoint Security: xdr/features/collect/integrations/endpoint/symantec_epp.md - - Tanium: xdr/features/collect/integrations/endpoint/tanium.md - - TEHTRIS EDR: xdr/features/collect/integrations/endpoint/tehtris_edr.md - - Trend Micro: - - Trend Micro Apex One: xdr/features/collect/integrations/endpoint/trend_micro/trend_micro_apex_one.md - - Trend Micro Cloud One / Deep Security: xdr/features/collect/integrations/endpoint/trend_micro/trend_micro_deep_security.md - - Trellix ePO: xdr/features/collect/integrations/endpoint/trellix_epo.md - - Trellix EDR: xdr/features/collect/integrations/endpoint/trellix_edr.md - - VMware ESXi: xdr/features/collect/integrations/endpoint/vmware/vmware_esxi.md - - VMware VCenter: xdr/features/collect/integrations/endpoint/vmware/vmware_vcenter.md - - Windows: xdr/features/collect/integrations/endpoint/windows.md - - Windows Log Insight: xdr/features/collect/integrations/endpoint/log_insight_windows.md - - WithSecure Elements: xdr/features/collect/integrations/endpoint/withsecure_elements.md - - Kaspersky Endpoint Security: xdr/features/collect/integrations/endpoint/kaspersky_endpoint_security.md - - Network: - - ArubaOS Switch: xdr/features/collect/integrations/network/arubaos.md - - Check Point Firewall: xdr/features/collect/integrations/network/checkpoint.md - - Broadcom Edge SWG: 
xdr/features/collect/integrations/network/broadcom_edge_swg.md - - Cisco: - - Cisco Secure Firewall: xdr/features/collect/integrations/network/cisco/cisco_asa.md - - Cisco Secure Web Appliance: xdr/features/collect/integrations/network/cisco/cisco_wsa.md - - Cisco IOS: xdr/features/collect/integrations/network/cisco/cisco_ios.md - - Cisco Identity Services Engine (ISE): xdr/features/collect/integrations/network/cisco/cisco_identity_services_engine_ise.md - - Cisco NX-OS: xdr/features/collect/integrations/network/cisco/cisco_nx_os.md - - Cisco Meraki MX: xdr/features/collect/integrations/network/cisco/cisco_meraki_mx.md - - Citrix Netscaler / ADC: xdr/features/collect/integrations/network/citrix_netscaler_adc.md - - Ekinops OneOS: xdr/features/collect/integrations/network/ekinops_oneos.md - - EfficientIP SOLIDserver: xdr/features/collect/integrations/network/efficientip_solidserver_ddi.md - - Gatewatcher AionIQ: xdr/features/collect/integrations/network/gatewatcher_aioniq.md - - F5 BIG-IP: xdr/features/collect/integrations/network/f5-big-ip.md - - Forcepoint Secure Web Gateway: xdr/features/collect/integrations/network/forcepoint_web_gateway.md - - Fortinet: - - Fortinet Fortigate: xdr/features/collect/integrations/network/fortigate.md - - Fortinet Fortiproxy: xdr/features/collect/integrations/network/fortiproxy.md - - Fortinet Fortiweb: xdr/features/collect/integrations/network/fortiweb.md - - Infoblox DDI: xdr/features/collect/integrations/network/infoblox_ddi.md - - Juniper Switches: xdr/features/collect/integrations/network/juniper_switches.md - - Sophos Firewall: xdr/features/collect/integrations/network/sophos_fw.md - - Mc Afee/Skyhigh Secure Web Gateway: xdr/features/collect/integrations/network/skyhigh_secure_web_gateway.md - - Microsoft Always On VPN: xdr/features/collect/integrations/network/microsoft_always_on_vpn.md - - NetFilter: xdr/features/collect/integrations/network/netfilter.md - - Olfeo Secure Web Gateway: 
xdr/features/collect/integrations/network/olfeo_secure_web_gateway.md - - OPNSense: xdr/features/collect/integrations/network/opnsense.md - - Palo Alto Next-Generation Firewall: xdr/features/collect/integrations/network/paloalto.md - - pfSense: xdr/features/collect/integrations/network/pfsense.md - - Pulse / Ivanti Secure Connect: xdr/features/collect/integrations/network/pulse.md - - Rubycat PROVE IT: xdr/features/collect/integrations/network/rubycat_prove_it.md - - Sesame it Jizo: xdr/features/collect/integrations/network/sesameit_jizo.md - - SonicWall Firewall: xdr/features/collect/integrations/network/sonicwall_fw.md - - SonicWall SMA: xdr/features/collect/integrations/network/sonicwall_sma.md - - Squid: xdr/features/collect/integrations/network/squid.md - - Stormshield SNS: xdr/features/collect/integrations/network/stormshield_network_security.md - - Suricata: xdr/features/collect/integrations/network/suricata.md - - Trellix Network Security: xdr/features/collect/integrations/network/trellix_nx.md - - Varonis Data Security: xdr/features/collect/integrations/network/varonis_data_security.md - - Vectra Cognito Detect: xdr/features/collect/integrations/network/vectra.md - - Wallix: xdr/features/collect/integrations/network/wallix.md - - WatchGuard Firebox: xdr/features/collect/integrations/network/watchguard_firebox.md - - Zeek: xdr/features/collect/integrations/network/zeek.md - - Generic: - - CEF: xdr/features/collect/integrations/generic/cef.md - - Raw events: xdr/features/collect/integrations/generic/raw.md - - Intakes: xdr/features/collect/intakes.md - - Entities: xdr/features/collect/entities.md - - Assets: xdr/features/collect/assets.md - - Detect: - - IOCs Detection: xdr/features/detect/iocdetection.md - - Rules Catalog: xdr/features/detect/rules_catalog.md - - Built-in Rules: xdr/features/detect/built_in_detection_rules.md - - Sigma: xdr/features/detect/sigma.md - - Anomaly Detection: xdr/features/detect/anomaly.md - - IOCs Collections: 
xdr/features/detect/ioccollections.md - - Investigate: - - Alerts: xdr/features/investigate/alerts.md - - Events: xdr/features/investigate/events.md - - Cases: xdr/features/investigate/cases.md - - Events Query Language: xdr/features/investigate/events_query_language.md - - Querying Events: xdr/features/investigate/querying_events.md - - Query Builder (beta): xdr/features/investigate/query_builder.md - - Report: - - Dashboards: xdr/features/report/dashboards.md - - Threat Landscape: xdr/features/report/threat_landscape.md - - Automate: - - Playbooks: xdr/features/automate/index.md - - Playbooks On-premises: xdr/features/automate/playbooks-on-premises.md - - Manage accounts: xdr/features/automate/manage-accounts.md - - Navigate playbooks: xdr/features/automate/navigate-playbooks.md - - Build playbooks: xdr/features/automate/build-playbooks.md - - Triggers: xdr/features/automate/triggers.md - - Operators: xdr/features/automate/operators.md - - Actions: xdr/features/automate/actions.md - - Actions Library: - - AWS: xdr/features/automate/library/aws.md - - Atlassian JIRA: xdr/features/automate/library/atlassian-jira.md - - BinaryEdge's API: xdr/features/automate/library/binaryedge-s-api.md - - Bitsight: xdr/features/automate/library/bitsight.md - - Broadcom Cloud Secure Web Gateway: xdr/features/automate/library/broadcom-cloud-secure-web-gateway.md - - Cato Networks: xdr/features/automate/library/cato-networks.md - - Censys: xdr/features/automate/library/censys.md - - Certificate Transparency: xdr/features/automate/library/certificate-transparency.md - - Check Point: xdr/features/automate/library/check-point.md - - CrowdStrike: xdr/features/automate/library/crowdstrike.md - - CrowdStrike Falcon: xdr/features/automate/library/crowdstrike-falcon.md - - Cybereason: xdr/features/automate/library/cybereason.md - - Darktrace: xdr/features/automate/library/darktrace.md - - Detection Rules: xdr/features/automate/library/detection-rules.md - - Digital Shadows: 
xdr/features/automate/library/digital-shadows.md - - Duo: xdr/features/automate/library/duo.md - - ExtraHop: xdr/features/automate/library/extrahop.md - - Fortigate Firewalls: xdr/features/automate/library/fortigate-firewalls.md - - GLIMPS: xdr/features/automate/library/glimps.md - - Git: xdr/features/automate/library/git.md - - Github: xdr/features/automate/library/github.md - - Google: xdr/features/automate/library/google.md - - HTTP: xdr/features/automate/library/http.md - - HarfangLab: xdr/features/automate/library/harfanglab.md - - IKnowWhatYouDownload: xdr/features/automate/library/iknowwhatyoudownload.md - - IPInfo: xdr/features/automate/library/ipinfo.md - - IPtoASN: xdr/features/automate/library/iptoasn.md - - Imperva: xdr/features/automate/library/imperva.md - - Jumpcloud Directory Insights: xdr/features/automate/library/jumpcloud-directory-insights.md - - Lacework: xdr/features/automate/library/lacework.md - - MISP: xdr/features/automate/library/misp.md - - MWDB: xdr/features/automate/library/mwdb.md - - Mandrill: xdr/features/automate/library/mandrill.md - - Mattermost: xdr/features/automate/library/mattermost.md - - Microsoft Active Directory: xdr/features/automate/library/microsoft-active-directory.md - - Microsoft Azure: xdr/features/automate/library/microsoft-azure.md - - Microsoft Entra ID: xdr/features/automate/library/microsoft-entra-id.md - - Microsoft Office365: xdr/features/automate/library/microsoft-office365.md - - Microsoft Windows Server: xdr/features/automate/library/microsoft-windows-server.md - - Mimecast: xdr/features/automate/library/mimecast.md - - Netskope: xdr/features/automate/library/netskope.md - - Nybble: xdr/features/automate/library/nybble.md - - OSINT: xdr/features/automate/library/osint.md - - Okta: xdr/features/automate/library/okta.md - - Onyphe: xdr/features/automate/library/onyphe.md - - OpenAI: xdr/features/automate/library/openai.md - - PagerDuty: xdr/features/automate/library/pagerduty.md - - Panda Security: 
xdr/features/automate/library/panda-security.md - - Proofpoint: xdr/features/automate/library/proofpoint.md - - Public Suffix: xdr/features/automate/library/public-suffix.md - - RSS: xdr/features/automate/library/rss.md - - RiskIQ: xdr/features/automate/library/riskiq.md - - STIX: xdr/features/automate/library/stix.md - - Salesforce: xdr/features/automate/library/salesforce.md - - Sekoia.io: xdr/features/automate/library/sekoia-io.md - - SentinelOne: xdr/features/automate/library/sentinelone.md - - SentinelOneDeepVisibility: xdr/features/automate/library/sentinelonedeepvisibility.md - - ServiceNow: xdr/features/automate/library/servicenow.md - - Shodan: xdr/features/automate/library/shodan.md - - Skyhigh Security: xdr/features/automate/library/skyhigh-security.md - - Sophos: xdr/features/automate/library/sophos.md - - TEHTRIS: xdr/features/automate/library/tehtris.md - - The Hive: xdr/features/automate/library/the-hive.md - - Tranco: xdr/features/automate/library/tranco.md - - Trellix: xdr/features/automate/library/trellix.md - - Trend Micro: xdr/features/automate/library/trend-micro.md - - Triage: xdr/features/automate/library/triage.md - - Ubika: xdr/features/automate/library/ubika.md - - Utils: xdr/features/automate/library/utils.md - - Vade Cloud: xdr/features/automate/library/vade-cloud.md - - Vade Secure: xdr/features/automate/library/vade-secure.md - - VirusTotal: xdr/features/automate/library/virustotal.md - - Whois: xdr/features/automate/library/whois.md - - WithSecure: xdr/features/automate/library/withsecure.md - - Zscaler: xdr/features/automate/library/zscaler.md - - Debug playbooks: xdr/features/automate/debug-playbooks.md - - External integrations: - - FortiSOAR: xdr/features/integrations/fortisoar.md - - Palo Alto Cortex XSOAR: xdr/features/integrations/interconnect_sekoia_with_xsoar.md - - Usecases: - - Implement a blocklist in Sekoia.io: xdr/usecases/playbook/implement_blocklist.md - - Synchronize Alerts with an external tool: 
xdr/usecases/playbook/synchronize_alerts.md - - Send notifications to a Webhook using a playbook: xdr/usecases/playbook/notifications_using_playbooks.md - - FAQ: - - General: xdr/FAQ.md - - Alerts: xdr/FAQ/Alerts_qa.md - - Events: - - Events QA: xdr/FAQ/Events_qa.md - - Facing issues with logs collection: xdr/FAQ/Log_collection_Troubleshoot.md - - Detection: xdr/FAQ/Detection_qa.md - - Assets: xdr/FAQ/Assets_qa.md - - Sekoia.io Endpoint agent: xdr/FAQ/SEKOIA_Endpoint_Agent.md - - Datetime representation: xdr/FAQ/datetime.md - - Develop: - - Quickstart: xdr/develop/quickstart.md - - Guides: - - Filtering: xdr/develop/guides/filtering.md - - Automation: - - Overview: xdr/develop/guides/automation/overview.md - - Create a Module: xdr/develop/guides/automation/create_a_module.md - - Format: - - Overview: xdr/develop/guides/formats/overview.md - - Create a Format: xdr/develop/guides/formats/create_a_format.md - - Datasources: xdr/develop/guides/formats/datasources.md - - Definition of a structured event: xdr/develop/guides/formats/structured_event.md - - Definition of the taxonomy: xdr/develop/guides/formats/taxonomy.md - - How to write a parser: xdr/develop/guides/formats/parser.md - - How to write smart descriptions: xdr/develop/guides/formats/smartdescriptions.md - - Best Practices: - - Overview: xdr/develop/guides/formats/best_practices/overview.md - - Authentications: xdr/develop/guides/formats/best_practices/authentications.md - - REST API: - - Authentication and Community: xdr/develop/rest_api/community.md - - Dashboard: xdr/develop/rest_api/dashboard.md - - Configuration: xdr/develop/rest_api/configuration.md - - Parser: xdr/develop/rest_api/parser.md - - Alert: xdr/develop/rest_api/alert.md - - Assets: xdr/develop/rest_api/assets_v2.md - - Playbooks: xdr/develop/rest_api/playbooks.md - - Query Builder: xdr/develop/rest_api/query_builder.md - - Telemetry: xdr/develop/rest_api/telemetry.md -- Sekoia Intelligence (CTI): - - Introduction: cti/index.md - - Features: 
- - Data Models: cti/features/data_model.md - - Consume: - - Intelligence: cti/features/consume/intelligence.md - - Observables: cti/features/consume/observables.md - - Telemetry: cti/features/consume/telemetry.md - - Outgoing Feeds: cti/features/consume/feeds.md - - Graph Explorations: cti/features/consume/graph_explorations.md - - Enrichers: cti/features/consume/enrichers.md - - Export: cti/features/consume/export.md - - IOCs Collections: cti/features/consume/ioccollections.md - - Monitor: - - Dashboards: cti/features/monitor/dashboard.md - - Threat Landscape: cti/features/monitor/threat_landscape.md - - External Integrations: - - Overview: cti/features/integrations/index.md - - API: cti/features/integrations/api.md - - TAXII: cti/features/integrations/taxii.md - - Cortex Analyzer: cti/features/integrations/thehive.md - - MISP Feed: cti/features/integrations/misp.md - - Microsoft Sentinel: cti/features/integrations/microsoft-sentinel.md - - OpenCTI: cti/features/integrations/opencti.md - - Splunk: cti/features/integrations/splunk.md - - Splunk SOAR: cti/features/integrations/splunk_soar.md - - Anomali ThreatStream: cti/features/integrations/anomali.md - - PaloAlto Cortex XSOAR: cti/features/integrations/paloalto_xsoar.md - - ThreatQuotient: cti/features/integrations/threatquotient.md - - Develop: - - Overview: cti/develop/index.md - - Guides: - - Filtering: cti/develop/guides/filtering.md - - REST API: - - Authentication and Community: cti/develop/rest_api/community.md - - Intelligence: cti/develop/rest_api/intelligence.md - - Enrichment: cti/develop/rest_api/enrichments.md - - Telemetry: cti/develop/rest_api/telemetry.md - - Dashboard: cti/develop/rest_api/dashboard.md - - Playbooks: cti/develop/rest_api/playbooks.md - - External Dynamic List: cti/develop/rest_api/edl-gateway.md -- Sekoia.io TIP: - - Introduction: tip/index.md - - Features: - - Data Models: tip/features/data_model.md - - Consume: - - Intelligence: tip/features/consume/intelligence.md - - 
Observables: tip/features/consume/observables.md - - Outgoing Feeds: tip/features/consume/feeds.md - - Graph Explorations: tip/features/consume/graph_explorations.md - - Enrichers: tip/features/consume/enrichers.md - - Export: tip/features/consume/export.md - - IOCs Collections: tip/features/consume/ioccollections.md - - Produce and investigate: - - Content Proposals: tip/features/produce/content_proposals.md - - Incoming Feeds: tip/features/produce/incoming_feeds.md - - Warning Rules: tip/features/produce/warning_rules.md - - Expiration Rules: tip/features/produce/expiration_rules.md - - Monitor: - - Dashboards: tip/features/monitor/dashboard.md - - Threat Landscape: cti/features/monitor/threat_landscape.md - - External Integrations: - - Overview: tip/features/integrations/index.md - - API: tip/features/integrations/api.md - - TAXII: tip/features/integrations/taxii.md - - Cortex Analyzer: tip/features/integrations/thehive.md - - MISP Feed: tip/features/integrations/misp.md - - Microsoft Sentinel: tip/features/integrations/microsoft-sentinel.md - - OpenCTI: tip/features/integrations/opencti.md - - Splunk: tip/features/integrations/splunk.md - - PaloAlto Cortex XSOAR: tip/features/integrations/paloalto_xsoar.md - - Automate: - - Playbooks: tip/features/automate/index.md - - Manage accounts: xdr/features/automate/manage-accounts.md - - Navigate playbooks: tip/features/automate/navigate-playbooks.md - - Build playbooks: tip/features/automate/build-playbooks.md - - Triggers: tip/features/automate/triggers.md - - Operators: tip/features/automate/operators.md - - Actions: tip/features/automate/actions.md - - Actions Library: - - AWS: tip/features/automate/library/aws.md - - Atlassian JIRA: tip/features/automate/library/atlassian-jira.md - - BinaryEdge's API: tip/features/automate/library/binaryedge-s-api.md - - Bitsight: tip/features/automate/library/bitsight.md - - Broadcom Cloud Secure Web Gateway: tip/features/automate/library/broadcom-cloud-secure-web-gateway.md - - 
Cato Networks: tip/features/automate/library/cato-networks.md - - Censys: tip/features/automate/library/censys.md - - Certificate Transparency: tip/features/automate/library/certificate-transparency.md - - Check Point: tip/features/automate/library/check-point.md - - CrowdStrike: tip/features/automate/library/crowdstrike.md - - CrowdStrike Falcon: tip/features/automate/library/crowdstrike-falcon.md - - Cybereason: tip/features/automate/library/cybereason.md - - Darktrace: tip/features/automate/library/darktrace.md - - Detection Rules: tip/features/automate/library/detection-rules.md - - Digital Shadows: tip/features/automate/library/digital-shadows.md - - Duo: tip/features/automate/library/duo.md - - ExtraHop: tip/features/automate/library/extrahop.md - - Fortigate Firewalls: tip/features/automate/library/fortigate-firewalls.md - - GLIMPS: tip/features/automate/library/glimps.md - - Git: tip/features/automate/library/git.md - - Github: tip/features/automate/library/github.md - - Google: tip/features/automate/library/google.md - - HTTP: tip/features/automate/library/http.md - - HarfangLab: tip/features/automate/library/harfanglab.md - - IKnowWhatYouDownload: tip/features/automate/library/iknowwhatyoudownload.md - - IPInfo: tip/features/automate/library/ipinfo.md - - IPtoASN: tip/features/automate/library/iptoasn.md - - Imperva: tip/features/automate/library/imperva.md - - Jumpcloud Directory Insights: tip/features/automate/library/jumpcloud-directory-insights.md - - Lacework: tip/features/automate/library/lacework.md - - MISP: tip/features/automate/library/misp.md - - MWDB: tip/features/automate/library/mwdb.md - - Mandrill: tip/features/automate/library/mandrill.md - - Mattermost: tip/features/automate/library/mattermost.md - - Microsoft Active Directory: tip/features/automate/library/microsoft-active-directory.md - - Microsoft Azure: tip/features/automate/library/microsoft-azure.md - - Microsoft Entra ID (Azure AD): 
tip/features/automate/library/microsoft-entra-id.md - - Microsoft Office365: tip/features/automate/library/microsoft-office365.md - - Microsoft Windows Server: tip/features/automate/library/microsoft-windows-server.md - - Mimecast: tip/features/automate/library/mimecast.md - - Netskope: tip/features/automate/library/netskope.md - - Nybble: tip/features/automate/library/nybble.md - - OSINT: tip/features/automate/library/osint.md - - Okta: tip/features/automate/library/okta.md - - Onyphe: tip/features/automate/library/onyphe.md - - OpenAI: tip/features/automate/library/openai.md - - PagerDuty: tip/features/automate/library/pagerduty.md - - Panda Security: tip/features/automate/library/panda-security.md - - Proofpoint: tip/features/automate/library/proofpoint.md - - Public Suffix: tip/features/automate/library/public-suffix.md - - RSS: tip/features/automate/library/rss.md - - RiskIQ: tip/features/automate/library/riskiq.md - - STIX: tip/features/automate/library/stix.md - - Salesforce: tip/features/automate/library/salesforce.md - - Sekoia.io: tip/features/automate/library/sekoia-io.md - - SentinelOne: tip/features/automate/library/sentinelone.md - - SentinelOneDeepVisibility: tip/features/automate/library/sentinelonedeepvisibility.md - - ServiceNow: tip/features/automate/library/servicenow.md - - Shodan: tip/features/automate/library/shodan.md - - Skyhigh Security: tip/features/automate/library/skyhigh-security.md - - Sophos: tip/features/automate/library/sophos.md - - TEHTRIS: tip/features/automate/library/tehtris.md - - The Hive: tip/features/automate/library/the-hive.md - - Tranco: tip/features/automate/library/tranco.md - - Trellix: tip/features/automate/library/trellix.md - - Trend Micro: tip/features/automate/library/trend-micro.md - - Triage: tip/features/automate/library/triage.md - - Ubika: tip/features/automate/library/ubika.md - - Utils: tip/features/automate/library/utils.md - - Vade Cloud: tip/features/automate/library/vade-cloud.md - - Vade Secure: 
tip/features/automate/library/vade-secure.md - - VirusTotal: tip/features/automate/library/virustotal.md - - Whois: tip/features/automate/library/whois.md - - WithSecure: tip/features/automate/library/withsecure.md - - Zscaler: tip/features/automate/library/zscaler.md - - Develop: - - Overview: tip/develop/index.md - - Guides: - - Filtering: tip/develop/guides/filtering.md - - Playbooks: - - Overview: tip/develop/guides/automation/overview.md - - Quick start: tip/develop/guides/automation/create_a_module.md - - REST API: - - Authentication and Community: tip/develop/rest_api/community.md - - Intelligence: tip/develop/rest_api/intelligence.md - - Enrichment: tip/develop/rest_api/enrichments.md - - Dashboard: tip/develop/rest_api/dashboard.md - - Playbooks: tip/develop/rest_api/playbooks.md + - Getting started: + - Overview: getting_started/index.md + - Where to start: getting_started/concepts.md + - Workspace setup: + - Join workspace: getting_started/join_community.md + - Create and manage communities: getting_started/create_community.md + - Account setup: + - Create account: getting_started/create_account.md + - Setup account: getting_started/account_settings.md + - Security and access: + - Account security: + - Two-Factor Authentication: getting_started/account_security.md + - Security tokens: getting_started/securitytokens.md + - Workspace security: + - Session duration: getting_started/session_duration.md + - Two-Factor Authentication: getting_started/twofactor_workspace.md + - SSO with OpenID Connect: getting_started/sso/openid_connect.md + - SSO with Microsoft Entra ID (Azure AD): getting_started/sso/azure.md + - SSO with Okta: getting_started/sso/okta.md + - Users and roles: + - Invite users: getting_started/invite_users.md + - Manage users: getting_started/manage_users.md + - Deactivate inactive users: getting_started/inactive_users.md + - Roles and permissions: + - Build-in roles: getting_started/roles.md + - Custom roles: getting_started/custom_roles.md + 
- Notifications: + - Create and manage notifications: getting_started/notifications-Listing_Creation.md + - Notification examples: getting_started/notifications-Examples.md + - API Keys: getting_started/manage_api_keys.md + - Sekoia regions: getting_started/regions.md + - Best practices: getting_started/best_practices.md + - Troubleshooting tips: getting_started/get_troubleshooting_tips.md + - Sekoia Defend (XDR): + - Introduction: xdr/index.md + - Quick start guide: xdr/xdr_quick_start.md + - Features: + - Collect: + - Ingestion methods: + - Overview: integration/ingestion_methods/index.md + - Https: + - Overview: integration/ingestion_methods/https/overview.md + - Formatting options: integration/ingestion_methods/https/format.md + - Forwarding logs using a third-party application: integration/ingestion_methods/https/third_part.md + - Syslog: + - Overview: integration/ingestion_methods/syslog/overview.md + - Sekoia.io Forwarder: integration/ingestion_methods/syslog/sekoiaio_forwarder.md + - Third-party syslog services: integration/ingestion_methods/syslog/syslog_service.md + - Cloud & SaaS: + - Overview: integration/ingestion_methods/cloud_saas/overview.md + - AWS S3: integration/ingestion_methods/cloud_saas/aws.md + - Azure Event Hub: integration/ingestion_methods/cloud_saas/azure.md + - Google Pub/Sub: integration/ingestion_methods/cloud_saas/gcp.md + - Integrations: + - Overview: integration/integrations/index.md + - Custom Format: integration/integrations/custom_format.md + - Application: + - Tenable Identity Exposure / Alsid: integration/integrations/application/alsid.md + - Apache HTTP Server: integration/integrations/application/apache.md + - BIND: integration/integrations/application/bind.md + - "\u0421\u0443berwatch Detection": integration/integrations/application/cyberwatch_detection.md + - FreeRADIUS: integration/integrations/application/freeradius.md + - HAProxy: integration/integrations/application/haproxy.md + - ISC DHCP: 
integration/integrations/application/dhcpd.md + - ManageEngine ADAudit Plus: integration/integrations/application/manageengine_adauditplus.md + - Microsoft IIS: integration/integrations/application/microsoft_iis.md + - Nginx: integration/integrations/application/nginx.md + - OpenLDAP: integration/integrations/application/openldap.md + - OpenSSH: integration/integrations/application/openssh.md + - OpenVPN: integration/integrations/application/openvpn.md + - RSA SecurID: integration/integrations/application/rsa_securid.md + - SEKOIA.IO activity logs: integration/integrations/application/sekoiaio_activity_logs.md + - Systancia Cleanroom: integration/integrations/application/systancia_cleanroom.md + - Unbound: integration/integrations/application/unbound.md + - Veeam Backup & Replication: integration/integrations/application/veeam_backup.md + - Cloud and SaaS: + - AWS: + - CloudTrail: integration/integrations/cloud_and_saas/aws/aws_cloudtrail.md + - GuardDuty: integration/integrations/cloud_and_saas/aws/aws_guardduty.md + - VPC Flow Logs: integration/integrations/cloud_and_saas/aws/aws_flow_logs.md + - S3 for logs: integration/integrations/cloud_and_saas/aws/aws_s3_logs.md + - WAF logs: integration/integrations/cloud_and_saas/aws/aws_waf.md + - CloudFront logs: integration/integrations/cloud_and_saas/aws/aws_cloudfront.md + - Cisco Umbrella: + - Cisco Umbrella Proxy: integration/integrations/cloud_and_saas/cisco_umbrella/umbrella_proxy.md + - Cisco Umbrella IP: integration/integrations/cloud_and_saas/cisco_umbrella/umbrella_ip.md + - Cisco Umbrella DNS: integration/integrations/cloud_and_saas/cisco_umbrella/umbrella_dns.md + - Cloudflare: + - Access requests: integration/integrations/cloud_and_saas/cloudflare/cloudflare-access-requests.md + - Audit logs: integration/integrations/cloud_and_saas/cloudflare/cloudflare-audit-logs.md + - DNS logs: integration/integrations/cloud_and_saas/cloudflare/cloudflare-dns-logs.md + - Firewall events: 
integration/integrations/cloud_and_saas/cloudflare/cloudflare-firewall-events.md + - Gateway DNS: integration/integrations/cloud_and_saas/cloudflare/cloudflare-gateway-dns.md + - Gateway HTTP: integration/integrations/cloud_and_saas/cloudflare/cloudflare-gateway-http.md + - Gateway Network: integration/integrations/cloud_and_saas/cloudflare/cloudflare-gateway-network.md + - HTTP requests: integration/integrations/cloud_and_saas/cloudflare/cloudflare-http-requests.md + - Broadcom Cloud Secure Web Gateway: integration/integrations/cloud_and_saas/broadcom_cloud_swg.md + - Bitsight SPM: integration/integrations/cloud_and_saas/bitsight_spm.md + - Cato SASE: integration/integrations/cloud_and_saas/cato_sase.md + - Datadome Protection: integration/integrations/cloud_and_saas/datadome_protection.md + - Digital Shadows SearchLight: integration/integrations/cloud_and_saas/digital_shadows.md + - Cisco Duo Security: integration/integrations/cloud_and_saas/cisco_duo_security.md + - Claroty xDome: integration/integrations/cloud_and_saas/claroty_xdome.md + - ExtraHop Reveal(x) 360: integration/integrations/cloud_and_saas/extrahop_revealx_360.md + - Fastly Next-Gen WAF Alerts: integration/integrations/cloud_and_saas/fastly/fastly_waf.md + - Fastly Next-Gen WAF Audit Logs: integration/integrations/cloud_and_saas/fastly/fastly_audit_waf.md + - Github Audit Logs: integration/integrations/cloud_and_saas/github_audit_logs.md + - Google Cloud: + - Google Cloud Audit Logs: integration/integrations/cloud_and_saas/google/google_cloud_audit.md + - Google Kubernetes Engine: integration/integrations/cloud_and_saas/google/google_kubernetes_engine.md + - Google Cloud VPC Flow Logs: integration/integrations/cloud_and_saas/google/google_vpc_flow_logs.md + - Google Workspace: integration/integrations/cloud_and_saas/google/google_reports.md + - Imperva WAF: integration/integrations/cloud_and_saas/imperva_waf.md + - Jumpcloud Directory Insights: 
integration/integrations/cloud_and_saas/jumpcloud_directory_insights.md + - Lacework Cloud Security: integration/integrations/cloud_and_saas/lacework_cloud_security.md + - Microsoft Azure: + - Microsoft Entra ID (Azure AD): integration/integrations/cloud_and_saas/azure/entra_id.md + - Azure Front Door: integration/integrations/cloud_and_saas/azure/azure_front_door.md + - Azure Database for MySQL: integration/integrations/cloud_and_saas/azure/azure_mysql.md + - Azure Linux: integration/integrations/cloud_and_saas/azure/azure_linux.md + - Azure Files: integration/integrations/cloud_and_saas/azure/azure_files.md + - Azure Key Vault: integration/integrations/cloud_and_saas/azure/azure_key_vault.md + - Azure Network Watcher: integration/integrations/cloud_and_saas/azure/azure_network_watcher.md + - Azure Windows: integration/integrations/cloud_and_saas/azure/azure_windows.md + - Microsoft Office 365: + - Office365: integration/integrations/cloud_and_saas/office365/o365.md + - Microsoft Defender for Office 365: integration/integrations/cloud_and_saas/office365/o365.md + - Microsoft 365 Defender: integration/integrations/cloud_and_saas/office365/microsoft_365_defender.md + - Message trace: integration/integrations/cloud_and_saas/office365/message_trace.md + - Netskope: + - Netskope Events: integration/integrations/cloud_and_saas/netskope/netskope_events.md + - Netskope Transaction Events: integration/integrations/cloud_and_saas/netskope/netskope_transaction.md + - OGO Shield WAF: integration/integrations/cloud_and_saas/ogo_shield.md + - Okta system log: integration/integrations/cloud_and_saas/okta_system_log.md + - Salesforce: integration/integrations/cloud_and_saas/salesforce.md + - SecurityScorecard's Vulnerability Assessment Scanner: integration/integrations/cloud_and_saas/securityscorecard_vas.md + - Sophos Threat Analysis Center: integration/integrations/cloud_and_saas/sophos_threat_analysis_center.md + - Ubika: + - Ubika Cloud Protector Alerts: 
integration/integrations/cloud_and_saas/ubika_cloud_protector_alerts.md + - Ubika Cloud Protector Traffic: integration/integrations/cloud_and_saas/ubika_cloud_protector_traffic.md + - Ubika WAAP Gateway: integration/integrations/cloud_and_saas/ubika_waap.md + - Zscaler ZIA: integration/integrations/cloud_and_saas/zscaler_zia.md + - Email: + - Apache Spamassassin: integration/integrations/email/spamassassin.md + - Cisco ESA: integration/integrations/email/cisco_esa.md + - Fortinet Fortimail: integration/integrations/email/fortimail.md + - Mimecast Email Security: integration/integrations/email/mimecast_email_security.md + - Postfix: integration/integrations/email/postfix.md + - Proofpoint: + - Proofpoint PoD: integration/integrations/email/proofpoint_pod.md + - Proofpoint TAP: integration/integrations/email/proofpoint_tap.md + - Trend Micro Email Security: integration/integrations/email/trend_micro_email_security.md + - Retarus Email Security: integration/integrations/email/retarus_email_security.md + - Vade Cloud: integration/integrations/email/vade_cloud.md + - Vade for M365: integration/integrations/email/vade.md + - Endpoint: + - Beats: + - Auditbeat Linux: integration/integrations/endpoint/auditbeat_linux.md + - Winlogbeat: integration/integrations/endpoint/winlogbeat.md + - Check Point Harmony Mobile: integration/integrations/endpoint/checkpoint_harmony_mobile.md + - CrowdStrike Falcon: integration/integrations/endpoint/crowdstrike_falcon.md + - CrowdStrike Falcon Telemetry: integration/integrations/endpoint/crowdstrike_falcon_telemetry.md + - Cybereason MalOp: integration/integrations/endpoint/cybereason_malop.md + - Cybereason MalOp activity: integration/integrations/endpoint/cybereason_malop_activity.md + - Darktrace Threat Visualizer: integration/integrations/endpoint/darktrace_threat_visualizer.md + - Daspren Parad: integration/integrations/endpoint/daspren_parad.md + - ESET Protect / Inspect: integration/integrations/endpoint/eset_protect.md + - 
HarfangLab: integration/integrations/endpoint/harfanglab.md + - IBM AIX: integration/integrations/endpoint/ibm_aix.md + - IBM iSeries (AS/400): integration/integrations/endpoint/ibm_i.md + - Linux: integration/integrations/endpoint/linux.md + - Microsoft Intune: integration/integrations/endpoint/microsoft_intune.md + - Panda Security Aether: integration/integrations/endpoint/panda_security_aether.md + - Palo Alto Cortex EDR: integration/integrations/endpoint/paloalto_cortex_edr.md + - Sekoia.io Endpoint Agent: integration/integrations/endpoint/sekoiaio.md + - SentinelOne EDR: integration/integrations/endpoint/sentinelone.md + - SentinelOne Cloud Funnel 1.0 [Deprecated]: integration/integrations/endpoint/sentinelone_deepvisibility.md + - SentinelOne Cloud Funnel 2.0: integration/integrations/endpoint/sentinelone_cloudfunnel2.0.md + - Sophos EDR: integration/integrations/endpoint/sophos_edr.md + - Stormshield SES: integration/integrations/endpoint/stormshield_endpoint.md + - Symantec/Broadcom Endpoint Security: integration/integrations/endpoint/symantec_epp.md + - Tanium: integration/integrations/endpoint/tanium.md + - TEHTRIS EDR: integration/integrations/endpoint/tehtris_edr.md + - Trend Micro: + - Trend Micro Apex One: integration/integrations/endpoint/trend_micro/trend_micro_apex_one.md + - Trend Micro Cloud One / Deep Security: integration/integrations/endpoint/trend_micro/trend_micro_deep_security.md + - Trellix ePO: integration/integrations/endpoint/trellix_epo.md + - Trellix EDR: integration/integrations/endpoint/trellix_edr.md + - VMware ESXi: integration/integrations/endpoint/vmware/vmware_esxi.md + - VMware VCenter: integration/integrations/endpoint/vmware/vmware_vcenter.md + - Windows: integration/integrations/endpoint/windows.md + - Windows Log Insight: integration/integrations/endpoint/log_insight_windows.md + - WithSecure Elements: integration/integrations/endpoint/withsecure_elements.md + - Kaspersky Endpoint Security: 
integration/integrations/endpoint/kaspersky_endpoint_security.md + - Network: + - ArubaOS Switch: integration/integrations/network/arubaos.md + - Check Point Firewall: integration/integrations/network/checkpoint.md + - Broadcom Edge SWG: integration/integrations/network/broadcom_edge_swg.md + - Cisco: + - Cisco Secure Firewall: integration/integrations/network/cisco/cisco_asa.md + - Cisco Secure Web Appliance: integration/integrations/network/cisco/cisco_wsa.md + - Cisco IOS: integration/integrations/network/cisco/cisco_ios.md + - Cisco Identity Services Engine (ISE): integration/integrations/network/cisco/cisco_identity_services_engine_ise.md + - Cisco NX-OS: integration/integrations/network/cisco/cisco_nx_os.md + - Cisco Meraki MX: integration/integrations/network/cisco/cisco_meraki_mx.md + - Citrix Netscaler / ADC: integration/integrations/network/citrix_netscaler_adc.md + - Ekinops OneOS: integration/integrations/network/ekinops_oneos.md + - EfficientIP SOLIDserver: integration/integrations/network/efficientip_solidserver_ddi.md + - Gatewatcher AionIQ: integration/integrations/network/gatewatcher_aioniq.md + - F5 BIG-IP: integration/integrations/network/f5-big-ip.md + - Forcepoint Secure Web Gateway: integration/integrations/network/forcepoint_web_gateway.md + - Fortinet: + - Fortinet Fortigate: integration/integrations/network/fortigate.md + - Fortinet Fortiproxy: integration/integrations/network/fortiproxy.md + - Fortinet Fortiweb: integration/integrations/network/fortiweb.md + - Infoblox DDI: integration/integrations/network/infoblox_ddi.md + - Juniper Switches: integration/integrations/network/juniper_switches.md + - Sophos Firewall: integration/integrations/network/sophos_fw.md + - Mc Afee/Skyhigh Secure Web Gateway: integration/integrations/network/skyhigh_secure_web_gateway.md + - Microsoft Always On VPN: integration/integrations/network/microsoft_always_on_vpn.md + - NetFilter: integration/integrations/network/netfilter.md + - Olfeo Secure Web Gateway: 
integration/integrations/network/olfeo_secure_web_gateway.md + - OPNSense: integration/integrations/network/opnsense.md + - Palo Alto Next-Generation Firewall: integration/integrations/network/paloalto.md + - pfSense: integration/integrations/network/pfsense.md + - Pulse / Ivanti Secure Connect: integration/integrations/network/pulse.md + - Rubycat PROVE IT: integration/integrations/network/rubycat_prove_it.md + - Sesame it Jizo: integration/integrations/network/sesameit_jizo.md + - SonicWall Firewall: integration/integrations/network/sonicwall_fw.md + - SonicWall SMA: integration/integrations/network/sonicwall_sma.md + - Squid: integration/integrations/network/squid.md + - Stormshield SNS: integration/integrations/network/stormshield_network_security.md + - Suricata: integration/integrations/network/suricata.md + - Trellix Network Security: integration/integrations/network/trellix_nx.md + - Varonis Data Security: integration/integrations/network/varonis_data_security.md + - Vectra Cognito Detect: integration/integrations/network/vectra.md + - Wallix: integration/integrations/network/wallix.md + - WatchGuard Firebox: integration/integrations/network/watchguard_firebox.md + - Zeek: integration/integrations/network/zeek.md + - Generic: + - CEF: integration/integrations/generic/cef.md + - Raw events: integration/integrations/generic/raw.md + - Intakes: xdr/features/collect/intakes.md + - Entities: xdr/features/collect/entities.md + - Assets: xdr/features/collect/assets.md + - Detect: + - IOCs Detection: xdr/features/detect/iocdetection.md + - Rules Catalog: xdr/features/detect/rules_catalog.md + - Built-in Rules: xdr/features/detect/built_in_detection_rules.md + - Sigma: xdr/features/detect/sigma.md + - Anomaly Detection: xdr/features/detect/anomaly.md + - IOCs Collections: xdr/features/detect/ioccollections.md + - Investigate: + - Alerts: xdr/features/investigate/alerts.md + - Events: xdr/features/investigate/events.md + - Cases: xdr/features/investigate/cases.md + - 
Events Query Language: xdr/features/investigate/events_query_language.md + - Querying Events: xdr/features/investigate/querying_events.md + - Query Builder (beta): xdr/features/investigate/query_builder.md + - Report: + - Dashboards: xdr/features/report/dashboards.md + - Threat Landscape: xdr/features/report/threat_landscape.md + - Automate: + - Playbooks: xdr/features/automate/index.md + - Playbooks On-premises: xdr/features/automate/playbooks-on-premises.md + - Manage accounts: xdr/features/automate/manage-accounts.md + - Navigate playbooks: xdr/features/automate/navigate-playbooks.md + - Build playbooks: xdr/features/automate/build-playbooks.md + - Triggers: xdr/features/automate/triggers.md + - Operators: xdr/features/automate/operators.md + - Actions: xdr/features/automate/actions.md + - Actions Library: + - AWS: xdr/features/automate/library/aws.md + - Atlassian JIRA: xdr/features/automate/library/atlassian-jira.md + - BinaryEdge's API: xdr/features/automate/library/binaryedge-s-api.md + - Bitsight: xdr/features/automate/library/bitsight.md + - Broadcom Cloud Secure Web Gateway: xdr/features/automate/library/broadcom-cloud-secure-web-gateway.md + - Cato Networks: xdr/features/automate/library/cato-networks.md + - Censys: xdr/features/automate/library/censys.md + - Certificate Transparency: xdr/features/automate/library/certificate-transparency.md + - Check Point: xdr/features/automate/library/check-point.md + - CrowdStrike: xdr/features/automate/library/crowdstrike.md + - CrowdStrike Falcon: xdr/features/automate/library/crowdstrike-falcon.md + - Cybereason: xdr/features/automate/library/cybereason.md + - Darktrace: xdr/features/automate/library/darktrace.md + - Detection Rules: xdr/features/automate/library/detection-rules.md + - Digital Shadows: xdr/features/automate/library/digital-shadows.md + - Duo: xdr/features/automate/library/duo.md + - ExtraHop: xdr/features/automate/library/extrahop.md + - Fortigate Firewalls: 
xdr/features/automate/library/fortigate-firewalls.md + - GLIMPS: xdr/features/automate/library/glimps.md + - Git: xdr/features/automate/library/git.md + - Github: xdr/features/automate/library/github.md + - Google: xdr/features/automate/library/google.md + - HTTP: xdr/features/automate/library/http.md + - HarfangLab: xdr/features/automate/library/harfanglab.md + - IKnowWhatYouDownload: xdr/features/automate/library/iknowwhatyoudownload.md + - IPInfo: xdr/features/automate/library/ipinfo.md + - IPtoASN: xdr/features/automate/library/iptoasn.md + - Imperva: xdr/features/automate/library/imperva.md + - Jumpcloud Directory Insights: xdr/features/automate/library/jumpcloud-directory-insights.md + - Lacework: xdr/features/automate/library/lacework.md + - MISP: xdr/features/automate/library/misp.md + - MWDB: xdr/features/automate/library/mwdb.md + - Mandrill: xdr/features/automate/library/mandrill.md + - Mattermost: xdr/features/automate/library/mattermost.md + - Microsoft Active Directory: xdr/features/automate/library/microsoft-active-directory.md + - Microsoft Azure: xdr/features/automate/library/microsoft-azure.md + - Microsoft Entra ID: xdr/features/automate/library/microsoft-entra-id.md + - Microsoft Office365: xdr/features/automate/library/microsoft-office365.md + - Microsoft Windows Server: xdr/features/automate/library/microsoft-windows-server.md + - Mimecast: xdr/features/automate/library/mimecast.md + - Netskope: xdr/features/automate/library/netskope.md + - Nybble: xdr/features/automate/library/nybble.md + - OSINT: xdr/features/automate/library/osint.md + - Okta: xdr/features/automate/library/okta.md + - Onyphe: xdr/features/automate/library/onyphe.md + - OpenAI: xdr/features/automate/library/openai.md + - PagerDuty: xdr/features/automate/library/pagerduty.md + - Panda Security: xdr/features/automate/library/panda-security.md + - Proofpoint: xdr/features/automate/library/proofpoint.md + - Public Suffix: xdr/features/automate/library/public-suffix.md + - RSS: 
xdr/features/automate/library/rss.md + - RiskIQ: xdr/features/automate/library/riskiq.md + - STIX: xdr/features/automate/library/stix.md + - Salesforce: xdr/features/automate/library/salesforce.md + - Sekoia.io: xdr/features/automate/library/sekoia-io.md + - SentinelOne: xdr/features/automate/library/sentinelone.md + - SentinelOneDeepVisibility: xdr/features/automate/library/sentinelonedeepvisibility.md + - ServiceNow: xdr/features/automate/library/servicenow.md + - Shodan: xdr/features/automate/library/shodan.md + - Skyhigh Security: xdr/features/automate/library/skyhigh-security.md + - Sophos: xdr/features/automate/library/sophos.md + - TEHTRIS: xdr/features/automate/library/tehtris.md + - The Hive: xdr/features/automate/library/the-hive.md + - Tranco: xdr/features/automate/library/tranco.md + - Trellix: xdr/features/automate/library/trellix.md + - Trend Micro: xdr/features/automate/library/trend-micro.md + - Triage: xdr/features/automate/library/triage.md + - Ubika: xdr/features/automate/library/ubika.md + - Utils: xdr/features/automate/library/utils.md + - Vade Cloud: xdr/features/automate/library/vade-cloud.md + - Vade Secure: xdr/features/automate/library/vade-secure.md + - VirusTotal: xdr/features/automate/library/virustotal.md + - Whois: xdr/features/automate/library/whois.md + - WithSecure: xdr/features/automate/library/withsecure.md + - Zscaler: xdr/features/automate/library/zscaler.md + - Debug playbooks: xdr/features/automate/debug-playbooks.md + - External integrations: + - FortiSOAR: xdr/features/integrations/fortisoar.md + - Palo Alto Cortex XSOAR: xdr/features/integrations/interconnect_sekoia_with_xsoar.md + - Usecases: + - Implement a blocklist in Sekoia.io: xdr/usecases/playbook/implement_blocklist.md + - Synchronize Alerts with an external tool: xdr/usecases/playbook/synchronize_alerts.md + - Send notifications to a Webhook using a playbook: xdr/usecases/playbook/notifications_using_playbooks.md + - FAQ: + - General: xdr/FAQ.md + - Alerts: 
xdr/FAQ/Alerts_qa.md + - Events: + - Events QA: xdr/FAQ/Events_qa.md + - Facing issues with logs collection: xdr/FAQ/Log_collection_Troubleshoot.md + - Detection: xdr/FAQ/Detection_qa.md + - Assets: xdr/FAQ/Assets_qa.md + - Sekoia.io Endpoint agent: xdr/FAQ/SEKOIA_Endpoint_Agent.md + - Datetime representation: xdr/FAQ/datetime.md + - Develop: + - Quickstart: xdr/develop/quickstart.md + - Guides: + - Filtering: xdr/develop/guides/filtering.md + - Automation: + - Overview: xdr/develop/guides/automation/overview.md + - Create a Module: xdr/develop/guides/automation/create_a_module.md + - Format: + - Overview: xdr/develop/guides/formats/overview.md + - Create a Format: xdr/develop/guides/formats/create_a_format.md + - Datasources: xdr/develop/guides/formats/datasources.md + - Definition of a structured event: xdr/develop/guides/formats/structured_event.md + - Definition of the taxonomy: xdr/develop/guides/formats/taxonomy.md + - How to write a parser: xdr/develop/guides/formats/parser.md + - How to write smart descriptions: xdr/develop/guides/formats/smartdescriptions.md + - Best Practices: + - Overview: xdr/develop/guides/formats/best_practices/overview.md + - Authentications: xdr/develop/guides/formats/best_practices/authentications.md + - REST API: + - Authentication and Community: xdr/develop/rest_api/community.md + - Dashboard: xdr/develop/rest_api/dashboard.md + - Configuration: xdr/develop/rest_api/configuration.md + - Parser: xdr/develop/rest_api/parser.md + - Alert: xdr/develop/rest_api/alert.md + - Assets: xdr/develop/rest_api/assets_v2.md + - Playbooks: xdr/develop/rest_api/playbooks.md + - Query Builder: xdr/develop/rest_api/query_builder.md + - Telemetry: xdr/develop/rest_api/telemetry.md + - Sekoia Intelligence (CTI): + - Introduction: cti/index.md + - Features: + - Data Models: cti/features/data_model.md + - Consume: + - Intelligence: cti/features/consume/intelligence.md + - Observables: cti/features/consume/observables.md + - Telemetry: 
cti/features/consume/telemetry.md + - Outgoing Feeds: cti/features/consume/feeds.md + - Graph Explorations: cti/features/consume/graph_explorations.md + - Enrichers: cti/features/consume/enrichers.md + - Export: cti/features/consume/export.md + - IOCs Collections: cti/features/consume/ioccollections.md + - Monitor: + - Dashboards: cti/features/monitor/dashboard.md + - Threat Landscape: cti/features/monitor/threat_landscape.md + - External Integrations: + - Overview: cti/features/integrations/index.md + - API: cti/features/integrations/api.md + - TAXII: cti/features/integrations/taxii.md + - Cortex Analyzer: cti/features/integrations/thehive.md + - MISP Feed: cti/features/integrations/misp.md + - Microsoft Sentinel: cti/features/integrations/microsoft-sentinel.md + - OpenCTI: cti/features/integrations/opencti.md + - Splunk: cti/features/integrations/splunk.md + - Splunk SOAR: cti/features/integrations/splunk_soar.md + - Anomali ThreatStream: cti/features/integrations/anomali.md + - PaloAlto Cortex XSOAR: cti/features/integrations/paloalto_xsoar.md + - ThreatQuotient: cti/features/integrations/threatquotient.md + - Develop: + - Overview: cti/develop/index.md + - Guides: + - Filtering: cti/develop/guides/filtering.md + - REST API: + - Authentication and Community: cti/develop/rest_api/community.md + - Intelligence: cti/develop/rest_api/intelligence.md + - Enrichment: cti/develop/rest_api/enrichments.md + - Telemetry: cti/develop/rest_api/telemetry.md + - Dashboard: cti/develop/rest_api/dashboard.md + - Playbooks: cti/develop/rest_api/playbooks.md + - External Dynamic List: cti/develop/rest_api/edl-gateway.md + - Sekoia.io TIP: + - Introduction: tip/index.md + - Features: + - Data Models: tip/features/data_model.md + - Consume: + - Intelligence: tip/features/consume/intelligence.md + - Observables: tip/features/consume/observables.md + - Outgoing Feeds: tip/features/consume/feeds.md + - Graph Explorations: tip/features/consume/graph_explorations.md + - Enrichers: 
tip/features/consume/enrichers.md + - Export: tip/features/consume/export.md + - IOCs Collections: tip/features/consume/ioccollections.md + - Produce and investigate: + - Content Proposals: tip/features/produce/content_proposals.md + - Incoming Feeds: tip/features/produce/incoming_feeds.md + - Warning Rules: tip/features/produce/warning_rules.md + - Expiration Rules: tip/features/produce/expiration_rules.md + - Monitor: + - Dashboards: tip/features/monitor/dashboard.md + - Threat Landscape: cti/features/monitor/threat_landscape.md + - External Integrations: + - Overview: tip/features/integrations/index.md + - API: tip/features/integrations/api.md + - TAXII: tip/features/integrations/taxii.md + - Cortex Analyzer: tip/features/integrations/thehive.md + - MISP Feed: tip/features/integrations/misp.md + - Microsoft Sentinel: tip/features/integrations/microsoft-sentinel.md + - OpenCTI: tip/features/integrations/opencti.md + - Splunk: tip/features/integrations/splunk.md + - PaloAlto Cortex XSOAR: tip/features/integrations/paloalto_xsoar.md + - Automate: + - Playbooks: tip/features/automate/index.md + - Manage accounts: xdr/features/automate/manage-accounts.md + - Navigate playbooks: tip/features/automate/navigate-playbooks.md + - Build playbooks: tip/features/automate/build-playbooks.md + - Triggers: tip/features/automate/triggers.md + - Operators: tip/features/automate/operators.md + - Actions: tip/features/automate/actions.md + - Actions Library: + - AWS: tip/features/automate/library/aws.md + - Atlassian JIRA: tip/features/automate/library/atlassian-jira.md + - BinaryEdge's API: tip/features/automate/library/binaryedge-s-api.md + - Bitsight: tip/features/automate/library/bitsight.md + - Broadcom Cloud Secure Web Gateway: tip/features/automate/library/broadcom-cloud-secure-web-gateway.md + - Cato Networks: tip/features/automate/library/cato-networks.md + - Censys: tip/features/automate/library/censys.md + - Certificate Transparency: 
tip/features/automate/library/certificate-transparency.md + - Check Point: tip/features/automate/library/check-point.md + - CrowdStrike: tip/features/automate/library/crowdstrike.md + - CrowdStrike Falcon: tip/features/automate/library/crowdstrike-falcon.md + - Cybereason: tip/features/automate/library/cybereason.md + - Darktrace: tip/features/automate/library/darktrace.md + - Detection Rules: tip/features/automate/library/detection-rules.md + - Digital Shadows: tip/features/automate/library/digital-shadows.md + - Duo: tip/features/automate/library/duo.md + - ExtraHop: tip/features/automate/library/extrahop.md + - Fortigate Firewalls: tip/features/automate/library/fortigate-firewalls.md + - GLIMPS: tip/features/automate/library/glimps.md + - Git: tip/features/automate/library/git.md + - Github: tip/features/automate/library/github.md + - Google: tip/features/automate/library/google.md + - HTTP: tip/features/automate/library/http.md + - HarfangLab: tip/features/automate/library/harfanglab.md + - IKnowWhatYouDownload: tip/features/automate/library/iknowwhatyoudownload.md + - IPInfo: tip/features/automate/library/ipinfo.md + - IPtoASN: tip/features/automate/library/iptoasn.md + - Imperva: tip/features/automate/library/imperva.md + - Jumpcloud Directory Insights: tip/features/automate/library/jumpcloud-directory-insights.md + - Lacework: tip/features/automate/library/lacework.md + - MISP: tip/features/automate/library/misp.md + - MWDB: tip/features/automate/library/mwdb.md + - Mandrill: tip/features/automate/library/mandrill.md + - Mattermost: tip/features/automate/library/mattermost.md + - Microsoft Active Directory: tip/features/automate/library/microsoft-active-directory.md + - Microsoft Azure: tip/features/automate/library/microsoft-azure.md + - Microsoft Entra ID (Azure AD): tip/features/automate/library/microsoft-entra-id.md + - Microsoft Office365: tip/features/automate/library/microsoft-office365.md + - Microsoft Windows Server: 
tip/features/automate/library/microsoft-windows-server.md + - Mimecast: tip/features/automate/library/mimecast.md + - Netskope: tip/features/automate/library/netskope.md + - Nybble: tip/features/automate/library/nybble.md + - OSINT: tip/features/automate/library/osint.md + - Okta: tip/features/automate/library/okta.md + - Onyphe: tip/features/automate/library/onyphe.md + - OpenAI: tip/features/automate/library/openai.md + - PagerDuty: tip/features/automate/library/pagerduty.md + - Panda Security: tip/features/automate/library/panda-security.md + - Proofpoint: tip/features/automate/library/proofpoint.md + - Public Suffix: tip/features/automate/library/public-suffix.md + - RSS: tip/features/automate/library/rss.md + - RiskIQ: tip/features/automate/library/riskiq.md + - STIX: tip/features/automate/library/stix.md + - Salesforce: tip/features/automate/library/salesforce.md + - Sekoia.io: tip/features/automate/library/sekoia-io.md + - SentinelOne: tip/features/automate/library/sentinelone.md + - SentinelOneDeepVisibility: tip/features/automate/library/sentinelonedeepvisibility.md + - ServiceNow: tip/features/automate/library/servicenow.md + - Shodan: tip/features/automate/library/shodan.md + - Skyhigh Security: tip/features/automate/library/skyhigh-security.md + - Sophos: tip/features/automate/library/sophos.md + - TEHTRIS: tip/features/automate/library/tehtris.md + - The Hive: tip/features/automate/library/the-hive.md + - Tranco: tip/features/automate/library/tranco.md + - Trellix: tip/features/automate/library/trellix.md + - Trend Micro: tip/features/automate/library/trend-micro.md + - Triage: tip/features/automate/library/triage.md + - Ubika: tip/features/automate/library/ubika.md + - Utils: tip/features/automate/library/utils.md + - Vade Cloud: tip/features/automate/library/vade-cloud.md + - Vade Secure: tip/features/automate/library/vade-secure.md + - VirusTotal: tip/features/automate/library/virustotal.md + - Whois: tip/features/automate/library/whois.md + - 
WithSecure: tip/features/automate/library/withsecure.md + - Zscaler: tip/features/automate/library/zscaler.md + - Develop: + - Overview: tip/develop/index.md + - Guides: + - Filtering: tip/develop/guides/filtering.md + - Playbooks: + - Overview: tip/develop/guides/automation/overview.md + - Quick start: tip/develop/guides/automation/create_a_module.md + - REST API: + - Authentication and Community: tip/develop/rest_api/community.md + - Intelligence: tip/develop/rest_api/intelligence.md + - Enrichment: tip/develop/rest_api/enrichments.md + - Dashboard: tip/develop/rest_api/dashboard.md + - Playbooks: tip/develop/rest_api/playbooks.md plugins: -- search: null -- redirects: - redirect_maps: - 'api/automation: symphony orchestrator': xdr/develop/rest_api/playbooks.md - api/dashboards: xdr/develop/rest_api/dashboard.md - api/identity & authentication: xdr/develop/rest_api/community.md - 'api/ingest: manage and test event parsers': xdr/develop/rest_api/parser.md - 'api/intelligence center: cyber threat intelligence database': cti/develop/rest_api/intelligence.md - 'api/intelligence center: enrichment': cti/develop/rest_api/enrichments.md - 'api/operation center: alerts & case management': xdr/develop/rest_api/alert.md - 'api/operation center: asset management': xdr/develop/rest_api/assets.md - 'api/operation center: rules, entities, intakes, events.md': xdr/develop/rest_api/configuration.md - api/profile & permissions: xdr/develop/rest_api/community.md - cti/develop/rest_api/identity_and_authentication.md: cti/develop/rest_api/community.md - develop/guides/filtering.md: xdr/develop/guides/filtering.md - develop/guides/get_started.md: xdr/develop/guides/get_started.md - develop/rest_api/community.md: xdr/develop/rest_api/community.md - develop/rest_api/dashboard.md: xdr/develop/rest_api/community.md - develop/rest_api/identity_and_authentication.md: xdr/develop/rest_api/community.md - develop/rest_api/intelligence_center/enrichments.md: cti/develop/rest_api/enrichments.md 
- develop/rest_api/intelligence_center/intelligence.md: cti/develop/rest_api/intelligence.md - develop/rest_api/operation_center/alert.md: xdr/develop/rest_api/alert.md - develop/rest_api/operation_center/assets.md: xdr/develop/rest_api/assets.md - develop/rest_api/operation_center/configuration.md: xdr/develop/rest_api/configuration.md - develop/rest_api/operation_center/parser.md: xdr/develop/rest_api/parser.md - develop/rest_api/playbooks.md: xdr/develop/rest_api/playbooks.md - getting_started/2fa.md: getting_started/account_security.md - getting_started/apikey_creation.md: getting_started/manage_api_keys.md - getting_started/first_steps.md: getting_started/index.md - getting_started/inviting_users_to_join_your_community.md: getting_started/invite_users.md - integrations/alsid.md: xdr/features/collect/integrations/application/alsid.md - integrations/apache.md: xdr/features/collect/integrations/application/apache.md - integrations/auditbeat.md: xdr/features/collect/integrations/endpoint/auditbeat_linux.md - integrations/auditbeat_linux.md: xdr/features/collect/integrations/endpoint/auditbeat_linux.md - integrations/aws-cloudtrail.md: xdr/features/collect/integrations/cloud_and_saas/aws/aws_cloudtrail.md - integrations/aws-flow-logs.md: xdr/features/collect/integrations/cloud_and_saas/aws/aws_flow_logs.md - integrations/aws-s3-logs.md: xdr/features/collect/integrations/cloud_and_saas/aws/aws_s3_logs.md - integrations/aws_cloudtrail.md: xdr/features/collect/integrations/cloud_and_saas/aws/aws_cloudtrail.md - integrations/aws_flow_logs.md: xdr/features/collect/integrations/cloud_and_saas/aws/aws_flow_logs.md - integrations/aws_s3_logs.md: xdr/features/collect/integrations/cloud_and_saas/aws/aws_s3_logs.md - integrations/azure-ad.md: xdr/features/collect/integrations/cloud_and_saas/azure/entra_id.md - integrations/azure-files.md: xdr/features/collect/integrations/cloud_and_saas/azure/azure_files.md - integrations/azure-linux.md: 
xdr/features/collect/integrations/cloud_and_saas/azure/azure_linux.md - integrations/azure-mysql.md: xdr/features/collect/integrations/cloud_and_saas/azure/azure_mysql.md - integrations/azure-network-watcher.md: xdr/features/collect/integrations/cloud_and_saas/azure/azure_network_watcher.md - integrations/azure-windows.md: xdr/features/collect/integrations/cloud_and_saas/azure/azure_windows.md - integrations/azure_files.md: xdr/features/collect/integrations/cloud_and_saas/azure/azure_files.md - integrations/azure_front_door.md: xdr/features/collect/integrations/cloud_and_saas/azure/azure_front_door.md - integrations/azure_linux.md: xdr/features/collect/integrations/cloud_and_saas/azure/azure_linux.md - integrations/azure_mysql.md: xdr/features/collect/integrations/cloud_and_saas/azure/azure_mysql.md - integrations/azure_network_watcher.md: xdr/features/collect/integrations/cloud_and_saas/azure/azure_network_watcher.md - integrations/azure_windows.md: xdr/features/collect/integrations/cloud_and_saas/azure/azure_windows.md - integrations/bind.md: xdr/features/collect/integrations/application/bind.md - integrations/cef.md: xdr/features/collect/integrations/generic/cef.md - integrations/checkpoint.md: xdr/features/collect/integrations/network/checkpoint.md - integrations/cisco-asa.md: xdr/features/collect/integrations/network/cisco/cisco_asa.md - integrations/cisco_asa.md: xdr/features/collect/integrations/network/cisco/cisco_asa.md - integrations/cyberwatch.md: xdr/features/collect/integrations/application/cyberwatch_detection.md - integrations/dhcpd.md: xdr/features/collect/integrations/application/dhcpd.md - integrations/digital_shadows.md: xdr/features/collect/integrations/cloud_and_saas/digital_shadows.md - integrations/f5-big-ip.md: xdr/features/collect/integrations/network/f5-big-ip.md - integrations/forcepoint-swg.md: xdr/features/collect/integrations/network/forcepoint_web_gateway.md - integrations/fortigate.md: 
xdr/features/collect/integrations/network/fortigate.md - integrations/fortimail.md: xdr/features/collect/integrations/email/fortimail.md - integrations/fortiproxy.md: xdr/features/collect/integrations/network/fortiproxy.md - integrations/fortiweb.md: xdr/features/collect/integrations/network/fortiweb.md - integrations/freeradius.md: xdr/index.md - integrations/fsecure.md: xdr/index.md - integrations/github_audit_logs.md: xdr/features/collect/integrations/cloud_and_saas/github_audit_logs.md - integrations/google_drive_reports.md: xdr/features/collect/integrations/cloud_and_saas/google/google_reports.md - integrations/google_kubernetes_engine.md: xdr/features/collect/integrations/cloud_and_saas/google/google_kubernetes_engine.md - integrations/google_vpc_flow_logs.md: xdr/features/collect/integrations/cloud_and_saas/google/google_vpc_flow_logs.md - integrations/google_workspace.md: xdr/features/collect/integrations/cloud_and_saas/google/google_reports.md - integrations/haproxy.md: xdr/features/collect/integrations/application/haproxy.md - integrations/harfanglab.md: xdr/features/collect/integrations/endpoint/harfanglab.md - integrations/imperva_waf.md: xdr/features/collect/integrations/cloud_and_saas/imperva_waf.md - integrations/index.md: xdr/features/collect/integrations/index.md - integrations/infoblox-ddi.md: xdr/features/collect/integrations/network/infoblox_ddi.md - integrations/infoblox_ddi.md: xdr/features/collect/integrations/network/infoblox_ddi.md - integrations/intra_id.md: xdr/features/collect/integrations/cloud_and_saas/azure/entra_id.md - integrations/linux.md: xdr/features/collect/integrations/endpoint/linux.md - integrations/log-insight-windows.md: xdr/features/collect/integrations/endpoint/log_insight_windows.md - integrations/log_insight_windows.md: xdr/features/collect/integrations/endpoint/log_insight_windows.md - integrations/netfilter.md: xdr/features/collect/integrations/network/netfilter.md - integrations/nginx.md: 
xdr/features/collect/integrations/application/nginx.md - integrations/o365-message-trace.md: xdr/features/collect/integrations/cloud_and_saas/office365/message_trace.md - integrations/o365.md: xdr/features/collect/integrations/cloud_and_saas/office365/o365.md - integrations/openldap.md: xdr/features/collect/integrations/application/openldap.md - integrations/openssh.md: xdr/features/collect/integrations/application/openssh.md - integrations/paloalto.md: xdr/features/collect/integrations/network/paloalto.md - integrations/panda-security-aether.md: xdr/features/collect/integrations/endpoint/panda_security_aether.md - integrations/postfix.md: xdr/features/collect/integrations/email/postfix.md - integrations/proofpoint-tap.md: xdr/features/collect/integrations/email/proofpoint_tap.md - integrations/proofpoint_tap.md: xdr/features/collect/integrations/email/proofpoint_tap.md - integrations/prove-it.md: xdr/index.md - integrations/pulse-connect-secure.md: xdr/features/collect/integrations/network/pulse.md - integrations/pulse.md: xdr/features/collect/integrations/network/pulse.md - integrations/raw.md: xdr/features/collect/integrations/generic/raw.md - integrations/retarus-email-security.md: xdr/features/collect/integrations/email/retarus_email_security.md - integrations/salesforce.md: xdr/features/collect/integrations/cloud_and_saas/salesforce.md - integrations/sekoiaio-activity-logs.md: xdr/features/collect/integrations/application/sekoiaio_activity_logs.md - integrations/sekoiaio_activity_logs.md: xdr/features/collect/integrations/application/sekoiaio_activity_logs.md - integrations/sentinelone-deepvisibility.md: xdr/features/collect/integrations/endpoint/sentinelone_deepvisibility.md - integrations/sentinelone.md: xdr/features/collect/integrations/endpoint/sentinelone.md - integrations/sentinelone_deepvisibility.md: xdr/features/collect/integrations/endpoint/sentinelone_deepvisibility.md - integrations/sophos_edr.md: 
xdr/features/collect/integrations/endpoint/sophos_edr.md - integrations/sophos_fw.md: xdr/features/collect/integrations/network/sophos_fw.md - integrations/spamassassin.md: xdr/features/collect/integrations/email/spamassassin.md - integrations/squid.md: xdr/features/collect/integrations/network/squid.md - integrations/stormshield_endpoint.md: xdr/features/collect/integrations/endpoint/stormshield_endpoint.md - integrations/stormshield_network_security.md: xdr/features/collect/integrations/network/stormshield_network_security.md - integrations/suricata.md: xdr/features/collect/integrations/network/suricata.md - integrations/symantec-endpoint-protection.md: xdr/features/collect/integrations/endpoint/symantec_epp.md - integrations/symantec_endpoint_protection.md: xdr/features/collect/integrations/endpoint/symantec_epp.md - integrations/tanium.md: xdr/features/collect/integrations/endpoint/tanium.md - integrations/thehive.md: tip/features/integrations/thehive.md - integrations/transport.md: xdr/features/collect/ingestion_methods/index.md - integrations/transport/graylog.md: xdr/features/collect/ingestion_methods/graylog.md - integrations/transport/https.md: xdr/features/collect/ingestion_methods/https/format.md - integrations/transport/logstash.md: xdr/features/collect/ingestion_methods/logstash.md - integrations/transport/rsyslog.md: xdr/features/collect/ingestion_methods/rsyslog.md - integrations/transport/syslog-ng.md: xdr/features/collect/ingestion_methods/syslog-ng.md - integrations/umbrella-dns.md: xdr/features/collect/integrations/cloud_and_saas/cisco_umbrella/umbrella_dns.md - integrations/umbrella-ip.md: xdr/features/collect/integrations/cloud_and_saas/cisco_umbrella/umbrella_ip.md - integrations/umbrella-proxy.md: xdr/features/collect/integrations/cloud_and_saas/cisco_umbrella/umbrella_proxy.md - integrations/umbrella_dns.md: xdr/features/collect/integrations/cloud_and_saas/cisco_umbrella/umbrella_dns.md - integrations/umbrella_ip.md: 
xdr/features/collect/integrations/cloud_and_saas/cisco_umbrella/umbrella_ip.md - integrations/umbrella_proxy.md: xdr/features/collect/integrations/cloud_and_saas/cisco_umbrella/umbrella_proxy.md - integrations/unbound.md: xdr/features/collect/integrations/application/unbound.md - integrations/vade.md: xdr/features/collect/integrations/email/vade.md - integrations/vectra-cognito-detect.md: xdr/features/collect/integrations/network/vectra.md - integrations/wallix-bastion.md: xdr/features/collect/integrations/network/wallix.md - integrations/wazuh.md: xdr/index.md - integrations/windows.md: xdr/features/collect/integrations/endpoint/windows.md - integrations/zeek.md: xdr/features/collect/integrations/network/zeek.md - intelligence_center.md: cti/index.md - intelligence_center/api.md: cti/develop/index.md - intelligence_center/dashboard.md: cti/features/monitor/dashboard.md - intelligence_center/data_export.md: cti/features/consume/export.md - intelligence_center/data_model.md: cti/features/data_model.md - intelligence_center/enricher.md: cti/features/consume/enrichers.md - intelligence_center/graph_explorations.md: cti/features/consume/graph_explorations.md - intelligence_center/integrations.md: cti/features/integrations/index.md - intelligence_center/integrations/anomali.md: cti/features/integrations/anomali.md - intelligence_center/integrations/microsoft-sentinel.md: cti/features/integrations/microsoft-sentinel.md - intelligence_center/integrations/misp.md: cti/features/integrations/misp.md - intelligence_center/integrations/opencti.md: cti/features/integrations/opencti.md - intelligence_center/integrations/splunk.md: cti/features/integrations/splunk.md - intelligence_center/integrations/thehive.md: cti/features/integrations/thehive.md - intelligence_center/intelligence.md: cti/features/consume/intelligence.md - intelligence_center/observables.md: cti/features/consume/observables.md - operation_center.md: xdr/index.md - operation_center/actions.md: 
xdr/features/automate/actions.md - operation_center/alerts.md: xdr/features/investigate/alerts.md - operation_center/assets.md: xdr/features/collect/assets.md - operation_center/cases.md: xdr/features/investigate/cases.md - operation_center/data_collection/index.md: xdr/features/collect/ingestion_methods/index.md - operation_center/data_collection/ingestion_methods.md: xdr/features/collect/ingestion_methods/index.md - operation_center/data_collection/ingestion_methods/graylog.md: xdr/features/collect/ingestion_methods/graylog.md - operation_center/data_collection/ingestion_methods/https.md: xdr/features/collect/ingestion_methods/https/format.md - operation_center/data_collection/ingestion_methods/logstash.md: xdr/features/collect/ingestion_methods/logstash.md - operation_center/data_collection/ingestion_methods/rsyslog.md: xdr/features/collect/ingestion_methods/rsyslog.md - operation_center/data_collection/ingestion_methods/sekoiaio.md: xdr/features/collect/integrations/endpoint/sekoiaio.md - operation_center/data_collection/ingestion_methods/syslog-ng.md: xdr/features/collect/ingestion_methods/syslog-ng.md - operation_center/entities.md: xdr/features/collect/entities.md - operation_center/events.md: xdr/features/investigate/events.md - operation_center/faq.md: xdr/FAQ.md - operation_center/intakes.md: xdr/features/collect/intakes.md - operation_center/intakes_customformat.md: xdr/features/collect/integrations/custom_format.md - operation_center/integration_catalog/application/alsid.md: xdr/features/collect/integrations/application/alsid.md - operation_center/integration_catalog/application/apache.md: xdr/features/collect/integrations/application/apache.md - operation_center/integration_catalog/application/bind.md: xdr/features/collect/integrations/application/bind.md - operation_center/integration_catalog/application/dhcpd.md: xdr/features/collect/integrations/application/dhcpd.md - operation_center/integration_catalog/application/haproxy.md: 
xdr/features/collect/integrations/application/haproxy.md - operation_center/integration_catalog/application/nginx.md: xdr/features/collect/integrations/application/nginx.md - operation_center/integration_catalog/application/openldap.md: xdr/features/collect/integrations/application/openldap.md - operation_center/integration_catalog/application/openssh.md: xdr/features/collect/integrations/application/openssh.md - operation_center/integration_catalog/application/prove-it.md: xdr/features/collect/integrations/network/rubycat_prove_it.md - operation_center/integration_catalog/application/sekoiaio_activity_logs.md: xdr/features/collect/integrations/application/sekoiaio_activity_logs.md - operation_center/integration_catalog/application/thehive.md: cti/features/integrations/thehive.md - operation_center/integration_catalog/application/unbound.md: xdr/features/collect/integrations/application/unbound.md - operation_center/integration_catalog/cloud_and_saas/aws/aws_cloudtrail.md: xdr/features/collect/integrations/cloud_and_saas/aws/aws_cloudtrail.md - operation_center/integration_catalog/cloud_and_saas/aws/aws_flow_logs.md: xdr/features/collect/integrations/cloud_and_saas/aws/aws_flow_logs.md - operation_center/integration_catalog/cloud_and_saas/azure/azure_linux.md: xdr/features/collect/integrations/cloud_and_saas/azure/azure_linux.md - operation_center/integration_catalog/cloud_and_saas/azure/azure_mysql.md: xdr/features/collect/integrations/cloud_and_saas/azure/azure_mysql.md - operation_center/integration_catalog/cloud_and_saas/azure/azure_network_watcher.md: xdr/features/collect/integrations/cloud_and_saas/azure/azure_network_watcher.md - operation_center/integration_catalog/cloud_and_saas/azure/azure_windows.md: xdr/features/collect/integrations/cloud_and_saas/azure/azure_windows.md - operation_center/integration_catalog/cloud_and_saas/azure/intra_id.md: xdr/features/collect/integrations/cloud_and_saas/azure/entra_id.md - 
operation_center/integration_catalog/cloud_and_saas/cisco_umbrella/umbrella_dns.md: xdr/features/collect/integrations/cloud_and_saas/cisco_umbrella/umbrella_dns.md - operation_center/integration_catalog/cloud_and_saas/cisco_umbrella/umbrella_ip.md: xdr/features/collect/integrations/cloud_and_saas/cisco_umbrella/umbrella_ip.md - operation_center/integration_catalog/cloud_and_saas/cisco_umbrella/umbrella_proxy.md: xdr/features/collect/integrations/cloud_and_saas/cisco_umbrella/umbrella_proxy.md - operation_center/integration_catalog/cloud_and_saas/cloudflare/cloudflare-dns-logs.md: xdr/features/collect/integrations/cloud_and_saas/cloudflare/cloudflare-dns-logs.md - operation_center/integration_catalog/cloud_and_saas/cloudflare/cloudflare-firewall-events.md: xdr/features/collect/integrations/cloud_and_saas/cloudflare/cloudflare-firewall-events.md - operation_center/integration_catalog/cloud_and_saas/cloudflare/cloudflare-http-requests.md: xdr/features/collect/integrations/cloud_and_saas/cloudflare/cloudflare-http-requests.md - operation_center/integration_catalog/cloud_and_saas/cloudflare/cloudflare.md: xdr/features/collect/integrations/cloud_and_saas/cloudflare/cloudflare-http-requests.md - operation_center/integration_catalog/cloud_and_saas/digital_shadows.md: xdr/features/collect/integrations/cloud_and_saas/digital_shadows.md - operation_center/integration_catalog/cloud_and_saas/google/google_drive_reports.md: xdr/features/collect/integrations/cloud_and_saas/google/google_reports.md - operation_center/integration_catalog/cloud_and_saas/google/google_kubernetes_engine.md: xdr/features/collect/integrations/cloud_and_saas/google/google_kubernetes_engine.md - operation_center/integration_catalog/cloud_and_saas/google/google_vpc_flow_logs.md: xdr/features/collect/integrations/cloud_and_saas/google/google_vpc_flow_logs.md - operation_center/integration_catalog/cloud_and_saas/google/google_workspace.md: 
xdr/features/collect/integrations/cloud_and_saas/google/google_reports.md - operation_center/integration_catalog/cloud_and_saas/imperva_waf.md: xdr/features/collect/integrations/cloud_and_saas/imperva_waf.md - operation_center/integration_catalog/cloud_and_saas/o365-message-trace.md: xdr/features/collect/integrations/cloud_and_saas/office365/message_trace.md - operation_center/integration_catalog/cloud_and_saas/o365.md: xdr/features/collect/integrations/cloud_and_saas/office365/o365.md - operation_center/integration_catalog/email/fortimail.md: xdr/features/collect/integrations/email/fortimail.md - operation_center/integration_catalog/email/postfix.md: xdr/features/collect/integrations/email/postfix.md - operation_center/integration_catalog/email/retarus_email_security.md: xdr/features/collect/integrations/email/retarus_email_security.md - operation_center/integration_catalog/email/spamassassin.md: xdr/features/collect/integrations/email/spamassassin.md - operation_center/integration_catalog/email/vade.md: xdr/features/collect/integrations/email/vade.md - operation_center/integration_catalog/endpoint/auditbeat_linux.md: xdr/features/collect/integrations/endpoint/auditbeat_linux.md - operation_center/integration_catalog/endpoint/cybereason_malop_activity.md: xdr/features/collect/integrations/endpoint/cybereason_malop_activity.md - operation_center/integration_catalog/endpoint/harfanglab.md: xdr/features/collect/integrations/endpoint/harfanglab.md - operation_center/integration_catalog/endpoint/linux.md: xdr/features/collect/integrations/endpoint/linux.md - operation_center/integration_catalog/endpoint/log_insight_windows.md: xdr/features/collect/integrations/endpoint/log_insight_windows.md - operation_center/integration_catalog/endpoint/microsoft_defender_for_endpoints.md: xdr/features/collect/integrations/cloud_and_saas/office365/microsoft_365_defender.md - operation_center/integration_catalog/endpoint/panda_security_aether.md: 
xdr/features/collect/integrations/endpoint/panda_security_aether.md - operation_center/integration_catalog/endpoint/sentinelone.md: xdr/features/collect/integrations/endpoint/sentinelone.md - operation_center/integration_catalog/endpoint/sentinelone_deepvisibility.md: xdr/features/collect/integrations/endpoint/sentinelone_deepvisibility.md - operation_center/integration_catalog/endpoint/sophos_edr.md: xdr/features/collect/integrations/endpoint/sophos_edr.md - operation_center/integration_catalog/endpoint/tanium.md: xdr/features/collect/integrations/endpoint/tanium.md - operation_center/integration_catalog/endpoint/windows.md: xdr/features/collect/integrations/endpoint/windows.md - operation_center/integration_catalog/generic/cef.md: xdr/features/collect/integrations/generic/cef.md - operation_center/integration_catalog/network/checkpoint.md: xdr/features/collect/integrations/network/checkpoint.md - operation_center/integration_catalog/network/cisco_asa.md: xdr/features/collect/integrations/network/cisco/cisco_asa.md - operation_center/integration_catalog/network/cisco_wsa.md: xdr/features/collect/integrations/network/cisco/cisco_wsa.md - operation_center/integration_catalog/network/f5-big-ip.md: xdr/features/collect/integrations/network/f5-big-ip.md - operation_center/integration_catalog/network/forcepoint_web_gateway.md: xdr/features/collect/integrations/network/forcepoint_web_gateway.md - operation_center/integration_catalog/network/fortigate.md: xdr/features/collect/integrations/network/fortigate.md - operation_center/integration_catalog/network/fortiproxy.md: xdr/features/collect/integrations/network/fortiproxy.md - operation_center/integration_catalog/network/fortiweb.md: xdr/features/collect/integrations/network/fortiweb.md - operation_center/integration_catalog/network/mcafee_web_gateway.md: xdr/features/collect/integrations/network/skyhigh_secure_web_gateway.md - operation_center/integration_catalog/network/netfilter.md: 
xdr/features/collect/integrations/network/netfilter.md - operation_center/integration_catalog/network/paloalto.md: xdr/features/collect/integrations/network/paloalto.md - operation_center/integration_catalog/network/pulse.md: xdr/features/collect/integrations/network/pulse.md - operation_center/integration_catalog/network/skyhigh_secure_web_gateway.md: xdr/features/collect/integrations/network/skyhigh_secure_web_gateway.md - operation_center/integration_catalog/network/sophos_fw.md: xdr/features/collect/integrations/network/sophos_fw.md - operation_center/integration_catalog/network/squid.md: xdr/features/collect/integrations/network/squid.md - operation_center/integration_catalog/network/stormshield_network_security.md: xdr/features/collect/integrations/network/stormshield_network_security.md - operation_center/integration_catalog/network/suricata.md: xdr/features/collect/integrations/network/suricata.md - operation_center/integration_catalog/network/vectra.md: xdr/features/collect/integrations/network/vectra.md - operation_center/integration_catalog/network/wallix.md: xdr/features/collect/integrations/network/wallix.md - operation_center/integration_catalog/network/zeek.md: xdr/features/collect/integrations/network/zeek.md - operation_center/operators.md: xdr/features/automate/operators.md - operation_center/playbook_overview.md: xdr/features/automate/index.md - operation_center/rules.md: xdr/features/detect/rules_catalog.md - operation_center/rules_catalog.md: xdr/features/detect/rules_catalog.md - operation_center/templates.md: xdr/features/detect/rules_catalog.md - operation_center/threat_exposition.md: xdr/features/report/dashboards.md - operation_center/triggers.md: xdr/features/automate/triggers.md - playbooks/actions.md: xdr/features/automate/actions.md - playbooks/library/aws.md: xdr/features/automate/library/aws.md - playbooks/library/binaryedge-s-api.md: xdr/features/automate/library/binaryedge-s-api.md - playbooks/library/censys.md: 
xdr/features/automate/library/censys.md - playbooks/library/certificate-transparency.md: xdr/features/automate/library/certificate-transparency.md - playbooks/library/detection-rules.md: xdr/features/automate/library/detection-rules.md - playbooks/library/digital-shadows.md: xdr/features/automate/library/digital-shadows.md - playbooks/library/fileutils.md: xdr/features/automate/library/fileutils.md - playbooks/library/fortigate-fw.md: xdr/features/automate/library/fortigate-fw.md - playbooks/library/git.md: xdr/features/automate/library/git.md - playbooks/library/glimps.md: xdr/features/automate/library/glimps.md - playbooks/library/google.md: xdr/features/automate/library/google.md - playbooks/library/harfanglab.md: xdr/features/automate/library/harfanglab.md - playbooks/library/http.md: xdr/features/automate/library/http.md - playbooks/library/iknowwhatyoudownload.md: xdr/features/automate/library/iknowwhatyoudownload.md - playbooks/library/imperva.md: xdr/features/automate/library/imperva.md - playbooks/library/iptoasn.md: xdr/features/automate/library/iptoasn.md - playbooks/library/mandrill.md: xdr/features/automate/library/mandrill.md - playbooks/library/mattermost.md: xdr/features/automate/library/mattermost.md - playbooks/library/misp.md: xdr/features/automate/library/misp.md - playbooks/library/mwdb.md: xdr/features/automate/library/mwdb.md - playbooks/library/onyphe.md: xdr/features/automate/library/onyphe.md - playbooks/library/osint.md: xdr/features/automate/library/osint.md - playbooks/library/pagerduty.md: xdr/features/automate/library/pagerduty.md - playbooks/library/panda-security.md: xdr/features/automate/library/panda-security.md - playbooks/library/public-suffix.md: xdr/features/automate/library/public-suffix.md - playbooks/library/riskiq.md: xdr/features/automate/library/riskiq.md - playbooks/library/rss.md: xdr/features/automate/library/rss.md - playbooks/library/sekoia-io.md: xdr/features/automate/library/sekoia-io.md - 
playbooks/library/servicenow.md: xdr/features/automate/library/servicenow.md - playbooks/library/shodan.md: xdr/features/automate/library/shodan.md - playbooks/library/stix.md: xdr/features/automate/library/stix.md - playbooks/library/the-hive.md: xdr/features/automate/library/the-hive.md - playbooks/library/tranco.md: xdr/features/automate/library/tranco.md - playbooks/library/triage.md: xdr/features/automate/library/triage.md - playbooks/library/vade-secure.md: xdr/features/automate/library/vade-secure.md - playbooks/library/virustotal.md: xdr/features/automate/library/virustotal.md - playbooks/library/whois.md: xdr/features/automate/library/whois.md - playbooks/operators.md: xdr/features/automate/operators.md - playbooks/overview.md: xdr/features/automate/index.md - playbooks/triggers.md: xdr/features/automate/triggers.md - searching/search_events.md: xdr/features/investigate/events.md - tip/develop/rest_api/identity_and_authentication.md: tip/develop/rest_api/community.md - user_center.md: getting_started/index.md - user_center/apikeys.md: getting_started/manage_api_keys.md - user_center/multi_factor_authentication.md: getting_started/account_security.md - xdr/develop/rest_api/identity_and_authentication.md: xdr/develop/rest_api/community.md - xdr/features/collect/ingestion_methods/sekoiaio.md: xdr/features/collect/integrations/endpoint/sekoiaio.md - xdr/features/collect/integrations/cloud_and_saas/duo_security.md: xdr/features/collect/integrations/cloud_and_saas/cisco_duo_security.md - xdr/features/collect/integrations/cloud_and_saas/google/google_workspace.md: xdr/features/collect/integrations/cloud_and_saas/google/google_reports.md - xdr/features/collect/integrations/cloud_and_saas/netskope_events.md: xdr/features/collect/integrations/cloud_and_saas/netskope/netskope_events.md - xdr/features/collect/integrations/endpoint/checkpoint_harmony.md: xdr/features/collect/integrations/endpoint/checkpoint_harmony_mobile.md - 
xdr/features/collect/integrations/endpoint/trend_micro_deep_security.md: xdr/features/collect/integrations/endpoint/trend_micro/trend_micro_deep_security.md - xdr/features/investigate/dork_language.md: xdr/features/investigate/events_query_language.md -- redoc -- intakes_by_uuid + - search: null + - redirects: + redirect_maps: + "api/automation: symphony orchestrator": xdr/develop/rest_api/playbooks.md + api/dashboards: xdr/develop/rest_api/dashboard.md + api/identity & authentication: xdr/develop/rest_api/community.md + "api/ingest: manage and test event parsers": xdr/develop/rest_api/parser.md + "api/intelligence center: cyber threat intelligence database": cti/develop/rest_api/intelligence.md + "api/intelligence center: enrichment": cti/develop/rest_api/enrichments.md + "api/operation center: alerts & case management": xdr/develop/rest_api/alert.md + "api/operation center: asset management": xdr/develop/rest_api/assets.md + "api/operation center: rules, entities, intakes, events.md": xdr/develop/rest_api/configuration.md + api/profile & permissions: xdr/develop/rest_api/community.md + cti/develop/rest_api/identity_and_authentication.md: cti/develop/rest_api/community.md + develop/guides/filtering.md: xdr/develop/guides/filtering.md + develop/guides/get_started.md: xdr/develop/guides/get_started.md + develop/rest_api/community.md: xdr/develop/rest_api/community.md + develop/rest_api/dashboard.md: xdr/develop/rest_api/community.md + develop/rest_api/identity_and_authentication.md: xdr/develop/rest_api/community.md + develop/rest_api/intelligence_center/enrichments.md: cti/develop/rest_api/enrichments.md + develop/rest_api/intelligence_center/intelligence.md: cti/develop/rest_api/intelligence.md + develop/rest_api/operation_center/alert.md: xdr/develop/rest_api/alert.md + develop/rest_api/operation_center/assets.md: xdr/develop/rest_api/assets.md + develop/rest_api/operation_center/configuration.md: xdr/develop/rest_api/configuration.md + 
develop/rest_api/operation_center/parser.md: xdr/develop/rest_api/parser.md + develop/rest_api/playbooks.md: xdr/develop/rest_api/playbooks.md + getting_started/2fa.md: getting_started/account_security.md + getting_started/apikey_creation.md: getting_started/manage_api_keys.md + getting_started/first_steps.md: getting_started/index.md + getting_started/inviting_users_to_join_your_community.md: getting_started/invite_users.md + integrations/alsid.md: integration/integrations/application/alsid.md + integrations/apache.md: integration/integrations/application/apache.md + integrations/auditbeat.md: integration/integrations/endpoint/auditbeat_linux.md + integrations/auditbeat_linux.md: integration/integrations/endpoint/auditbeat_linux.md + integrations/aws-cloudtrail.md: integration/integrations/cloud_and_saas/aws/aws_cloudtrail.md + integrations/aws-flow-logs.md: integration/integrations/cloud_and_saas/aws/aws_flow_logs.md + integrations/aws-s3-logs.md: integration/integrations/cloud_and_saas/aws/aws_s3_logs.md + integrations/aws_cloudtrail.md: integration/integrations/cloud_and_saas/aws/aws_cloudtrail.md + integrations/aws_flow_logs.md: integration/integrations/cloud_and_saas/aws/aws_flow_logs.md + integrations/aws_s3_logs.md: integration/integrations/cloud_and_saas/aws/aws_s3_logs.md + integrations/azure-ad.md: integration/integrations/cloud_and_saas/azure/entra_id.md + integrations/azure-files.md: integration/integrations/cloud_and_saas/azure/azure_files.md + integrations/azure-linux.md: integration/integrations/cloud_and_saas/azure/azure_linux.md + integrations/azure-mysql.md: integration/integrations/cloud_and_saas/azure/azure_mysql.md + integrations/azure-network-watcher.md: integration/integrations/cloud_and_saas/azure/azure_network_watcher.md + integrations/azure-windows.md: integration/integrations/cloud_and_saas/azure/azure_windows.md + integrations/azure_files.md: integration/integrations/cloud_and_saas/azure/azure_files.md + 
integrations/azure_front_door.md: integration/integrations/cloud_and_saas/azure/azure_front_door.md + integrations/azure_linux.md: integration/integrations/cloud_and_saas/azure/azure_linux.md + integrations/azure_mysql.md: integration/integrations/cloud_and_saas/azure/azure_mysql.md + integrations/azure_network_watcher.md: integration/integrations/cloud_and_saas/azure/azure_network_watcher.md + integrations/azure_windows.md: integration/integrations/cloud_and_saas/azure/azure_windows.md + integrations/bind.md: integration/integrations/application/bind.md + integrations/cef.md: integration/integrations/generic/cef.md + integrations/checkpoint.md: integration/integrations/network/checkpoint.md + integrations/cisco-asa.md: integration/integrations/network/cisco/cisco_asa.md + integrations/cisco_asa.md: integration/integrations/network/cisco/cisco_asa.md + integrations/cyberwatch.md: integration/integrations/application/cyberwatch_detection.md + integrations/dhcpd.md: integration/integrations/application/dhcpd.md + integrations/digital_shadows.md: integration/integrations/cloud_and_saas/digital_shadows.md + integrations/f5-big-ip.md: integration/integrations/network/f5-big-ip.md + integrations/forcepoint-swg.md: integration/integrations/network/forcepoint_web_gateway.md + integrations/fortigate.md: integration/integrations/network/fortigate.md + integrations/fortimail.md: integration/integrations/email/fortimail.md + integrations/fortiproxy.md: integration/integrations/network/fortiproxy.md + integrations/fortiweb.md: integration/integrations/network/fortiweb.md + integrations/freeradius.md: xdr/index.md + integrations/fsecure.md: xdr/index.md + integrations/github_audit_logs.md: integration/integrations/cloud_and_saas/github_audit_logs.md + integrations/google_drive_reports.md: integration/integrations/cloud_and_saas/google/google_reports.md + integrations/google_kubernetes_engine.md: integration/integrations/cloud_and_saas/google/google_kubernetes_engine.md + 
integrations/google_vpc_flow_logs.md: integration/integrations/cloud_and_saas/google/google_vpc_flow_logs.md + integrations/google_workspace.md: integration/integrations/cloud_and_saas/google/google_reports.md + integrations/haproxy.md: integration/integrations/application/haproxy.md + integrations/harfanglab.md: integration/integrations/endpoint/harfanglab.md + integrations/imperva_waf.md: integration/integrations/cloud_and_saas/imperva_waf.md + integrations/index.md: integration/integrations/index.md + integrations/infoblox-ddi.md: integration/integrations/network/infoblox_ddi.md + integrations/infoblox_ddi.md: integration/integrations/network/infoblox_ddi.md + integrations/intra_id.md: integration/integrations/cloud_and_saas/azure/entra_id.md + integrations/linux.md: integration/integrations/endpoint/linux.md + integrations/log-insight-windows.md: integration/integrations/endpoint/log_insight_windows.md + integrations/log_insight_windows.md: integration/integrations/endpoint/log_insight_windows.md + integrations/netfilter.md: integration/integrations/network/netfilter.md + integrations/nginx.md: integration/integrations/application/nginx.md + integrations/o365-message-trace.md: integration/integrations/cloud_and_saas/office365/message_trace.md + integrations/o365.md: integration/integrations/cloud_and_saas/office365/o365.md + integrations/openldap.md: integration/integrations/application/openldap.md + integrations/openssh.md: integration/integrations/application/openssh.md + integrations/paloalto.md: integration/integrations/network/paloalto.md + integrations/panda-security-aether.md: integration/integrations/endpoint/panda_security_aether.md + integrations/postfix.md: integration/integrations/email/postfix.md + integrations/proofpoint-tap.md: integration/integrations/email/proofpoint_tap.md + integrations/proofpoint_tap.md: integration/integrations/email/proofpoint_tap.md + integrations/prove-it.md: xdr/index.md + integrations/pulse-connect-secure.md: 
integration/integrations/network/pulse.md + integrations/pulse.md: integration/integrations/network/pulse.md + integrations/raw.md: integration/integrations/generic/raw.md + integrations/retarus-email-security.md: integration/integrations/email/retarus_email_security.md + integrations/salesforce.md: integration/integrations/cloud_and_saas/salesforce.md + integrations/sekoiaio-activity-logs.md: integration/integrations/application/sekoiaio_activity_logs.md + integrations/sekoiaio_activity_logs.md: integration/integrations/application/sekoiaio_activity_logs.md + integrations/sentinelone-deepvisibility.md: integration/integrations/endpoint/sentinelone_deepvisibility.md + integrations/sentinelone.md: integration/integrations/endpoint/sentinelone.md + integrations/sentinelone_deepvisibility.md: integration/integrations/endpoint/sentinelone_deepvisibility.md + integrations/sophos_edr.md: integration/integrations/endpoint/sophos_edr.md + integrations/sophos_fw.md: integration/integrations/network/sophos_fw.md + integrations/spamassassin.md: integration/integrations/email/spamassassin.md + integrations/squid.md: integration/integrations/network/squid.md + integrations/stormshield_endpoint.md: integration/integrations/endpoint/stormshield_endpoint.md + integrations/stormshield_network_security.md: integration/integrations/network/stormshield_network_security.md + integrations/suricata.md: integration/integrations/network/suricata.md + integrations/symantec-endpoint-protection.md: integration/integrations/endpoint/symantec_epp.md + integrations/symantec_endpoint_protection.md: integration/integrations/endpoint/symantec_epp.md + integrations/tanium.md: integration/integrations/endpoint/tanium.md + integrations/thehive.md: tip/features/integrations/thehive.md + integrations/transport.md: integration/ingestion_methods/index.md + integrations/transport/graylog.md: integration/ingestion_methods/graylog.md + integrations/transport/https.md: 
integration/ingestion_methods/https/format.md + integrations/transport/logstash.md: integration/ingestion_methods/logstash.md + integrations/transport/rsyslog.md: integration/ingestion_methods/rsyslog.md + integrations/transport/syslog-ng.md: integration/ingestion_methods/syslog-ng.md + integrations/umbrella-dns.md: integration/integrations/cloud_and_saas/cisco_umbrella/umbrella_dns.md + integrations/umbrella-ip.md: integration/integrations/cloud_and_saas/cisco_umbrella/umbrella_ip.md + integrations/umbrella-proxy.md: integration/integrations/cloud_and_saas/cisco_umbrella/umbrella_proxy.md + integrations/umbrella_dns.md: integration/integrations/cloud_and_saas/cisco_umbrella/umbrella_dns.md + integrations/umbrella_ip.md: integration/integrations/cloud_and_saas/cisco_umbrella/umbrella_ip.md + integrations/umbrella_proxy.md: integration/integrations/cloud_and_saas/cisco_umbrella/umbrella_proxy.md + integrations/unbound.md: integration/integrations/application/unbound.md + integrations/vade.md: integration/integrations/email/vade.md + integrations/vectra-cognito-detect.md: integration/integrations/network/vectra.md + integrations/wallix-bastion.md: integration/integrations/network/wallix.md + integrations/wazuh.md: xdr/index.md + integrations/windows.md: integration/integrations/endpoint/windows.md + integrations/zeek.md: integration/integrations/network/zeek.md + intelligence_center.md: cti/index.md + intelligence_center/api.md: cti/develop/index.md + intelligence_center/dashboard.md: cti/features/monitor/dashboard.md + intelligence_center/data_export.md: cti/features/consume/export.md + intelligence_center/data_model.md: cti/features/data_model.md + intelligence_center/enricher.md: cti/features/consume/enrichers.md + intelligence_center/graph_explorations.md: cti/features/consume/graph_explorations.md + intelligence_center/integrations.md: cti/features/integrations/index.md + intelligence_center/integrations/anomali.md: cti/features/integrations/anomali.md + 
intelligence_center/integrations/microsoft-sentinel.md: cti/features/integrations/microsoft-sentinel.md + intelligence_center/integrations/misp.md: cti/features/integrations/misp.md + intelligence_center/integrations/opencti.md: cti/features/integrations/opencti.md + intelligence_center/integrations/splunk.md: cti/features/integrations/splunk.md + intelligence_center/integrations/thehive.md: cti/features/integrations/thehive.md + intelligence_center/intelligence.md: cti/features/consume/intelligence.md + intelligence_center/observables.md: cti/features/consume/observables.md + operation_center.md: xdr/index.md + operation_center/actions.md: xdr/features/automate/actions.md + operation_center/alerts.md: xdr/features/investigate/alerts.md + operation_center/assets.md: xdr/features/collect/assets.md + operation_center/cases.md: xdr/features/investigate/cases.md + operation_center/data_collection/index.md: integration/ingestion_methods/index.md + operation_center/data_collection/ingestion_methods.md: integration/ingestion_methods/index.md + operation_center/data_collection/ingestion_methods/graylog.md: integration/ingestion_methods/graylog.md + operation_center/data_collection/ingestion_methods/https.md: integration/ingestion_methods/https/format.md + operation_center/data_collection/ingestion_methods/logstash.md: integration/ingestion_methods/logstash.md + operation_center/data_collection/ingestion_methods/rsyslog.md: integration/ingestion_methods/rsyslog.md + operation_center/data_collection/ingestion_methods/sekoiaio.md: integration/integrations/endpoint/sekoiaio.md + operation_center/data_collection/ingestion_methods/syslog-ng.md: integration/ingestion_methods/syslog-ng.md + operation_center/entities.md: xdr/features/collect/entities.md + operation_center/events.md: xdr/features/investigate/events.md + operation_center/faq.md: xdr/FAQ.md + operation_center/intakes.md: xdr/features/collect/intakes.md + operation_center/intakes_customformat.md: 
integration/integrations/custom_format.md + operation_center/integration_catalog/application/alsid.md: integration/integrations/application/alsid.md + operation_center/integration_catalog/application/apache.md: integration/integrations/application/apache.md + operation_center/integration_catalog/application/bind.md: integration/integrations/application/bind.md + operation_center/integration_catalog/application/dhcpd.md: integration/integrations/application/dhcpd.md + operation_center/integration_catalog/application/haproxy.md: integration/integrations/application/haproxy.md + operation_center/integration_catalog/application/nginx.md: integration/integrations/application/nginx.md + operation_center/integration_catalog/application/openldap.md: integration/integrations/application/openldap.md + operation_center/integration_catalog/application/openssh.md: integration/integrations/application/openssh.md + operation_center/integration_catalog/application/prove-it.md: integration/integrations/network/rubycat_prove_it.md + operation_center/integration_catalog/application/sekoiaio_activity_logs.md: integration/integrations/application/sekoiaio_activity_logs.md + operation_center/integration_catalog/application/thehive.md: cti/features/integrations/thehive.md + operation_center/integration_catalog/application/unbound.md: integration/integrations/application/unbound.md + operation_center/integration_catalog/cloud_and_saas/aws/aws_cloudtrail.md: integration/integrations/cloud_and_saas/aws/aws_cloudtrail.md + operation_center/integration_catalog/cloud_and_saas/aws/aws_flow_logs.md: integration/integrations/cloud_and_saas/aws/aws_flow_logs.md + operation_center/integration_catalog/cloud_and_saas/azure/azure_linux.md: integration/integrations/cloud_and_saas/azure/azure_linux.md + operation_center/integration_catalog/cloud_and_saas/azure/azure_mysql.md: integration/integrations/cloud_and_saas/azure/azure_mysql.md + 
operation_center/integration_catalog/cloud_and_saas/azure/azure_network_watcher.md: integration/integrations/cloud_and_saas/azure/azure_network_watcher.md + operation_center/integration_catalog/cloud_and_saas/azure/azure_windows.md: integration/integrations/cloud_and_saas/azure/azure_windows.md + operation_center/integration_catalog/cloud_and_saas/azure/intra_id.md: integration/integrations/cloud_and_saas/azure/entra_id.md + operation_center/integration_catalog/cloud_and_saas/cisco_umbrella/umbrella_dns.md: integration/integrations/cloud_and_saas/cisco_umbrella/umbrella_dns.md + operation_center/integration_catalog/cloud_and_saas/cisco_umbrella/umbrella_ip.md: integration/integrations/cloud_and_saas/cisco_umbrella/umbrella_ip.md + operation_center/integration_catalog/cloud_and_saas/cisco_umbrella/umbrella_proxy.md: integration/integrations/cloud_and_saas/cisco_umbrella/umbrella_proxy.md + operation_center/integration_catalog/cloud_and_saas/cloudflare/cloudflare-dns-logs.md: integration/integrations/cloud_and_saas/cloudflare/cloudflare-dns-logs.md + operation_center/integration_catalog/cloud_and_saas/cloudflare/cloudflare-firewall-events.md: integration/integrations/cloud_and_saas/cloudflare/cloudflare-firewall-events.md + operation_center/integration_catalog/cloud_and_saas/cloudflare/cloudflare-http-requests.md: integration/integrations/cloud_and_saas/cloudflare/cloudflare-http-requests.md + operation_center/integration_catalog/cloud_and_saas/cloudflare/cloudflare.md: integration/integrations/cloud_and_saas/cloudflare/cloudflare-http-requests.md + operation_center/integration_catalog/cloud_and_saas/digital_shadows.md: integration/integrations/cloud_and_saas/digital_shadows.md + operation_center/integration_catalog/cloud_and_saas/google/google_drive_reports.md: integration/integrations/cloud_and_saas/google/google_reports.md + operation_center/integration_catalog/cloud_and_saas/google/google_kubernetes_engine.md: 
integration/integrations/cloud_and_saas/google/google_kubernetes_engine.md + operation_center/integration_catalog/cloud_and_saas/google/google_vpc_flow_logs.md: integration/integrations/cloud_and_saas/google/google_vpc_flow_logs.md + operation_center/integration_catalog/cloud_and_saas/google/google_workspace.md: integration/integrations/cloud_and_saas/google/google_reports.md + operation_center/integration_catalog/cloud_and_saas/imperva_waf.md: integration/integrations/cloud_and_saas/imperva_waf.md + operation_center/integration_catalog/cloud_and_saas/o365-message-trace.md: integration/integrations/cloud_and_saas/office365/message_trace.md + operation_center/integration_catalog/cloud_and_saas/o365.md: integration/integrations/cloud_and_saas/office365/o365.md + operation_center/integration_catalog/email/fortimail.md: integration/integrations/email/fortimail.md + operation_center/integration_catalog/email/postfix.md: integration/integrations/email/postfix.md + operation_center/integration_catalog/email/retarus_email_security.md: integration/integrations/email/retarus_email_security.md + operation_center/integration_catalog/email/spamassassin.md: integration/integrations/email/spamassassin.md + operation_center/integration_catalog/email/vade.md: integration/integrations/email/vade.md + operation_center/integration_catalog/endpoint/auditbeat_linux.md: integration/integrations/endpoint/auditbeat_linux.md + operation_center/integration_catalog/endpoint/cybereason_malop_activity.md: integration/integrations/endpoint/cybereason_malop_activity.md + operation_center/integration_catalog/endpoint/harfanglab.md: integration/integrations/endpoint/harfanglab.md + operation_center/integration_catalog/endpoint/linux.md: integration/integrations/endpoint/linux.md + operation_center/integration_catalog/endpoint/log_insight_windows.md: integration/integrations/endpoint/log_insight_windows.md + operation_center/integration_catalog/endpoint/microsoft_defender_for_endpoints.md: 
integration/integrations/cloud_and_saas/office365/microsoft_365_defender.md + operation_center/integration_catalog/endpoint/panda_security_aether.md: integration/integrations/endpoint/panda_security_aether.md + operation_center/integration_catalog/endpoint/sentinelone.md: integration/integrations/endpoint/sentinelone.md + operation_center/integration_catalog/endpoint/sentinelone_deepvisibility.md: integration/integrations/endpoint/sentinelone_deepvisibility.md + operation_center/integration_catalog/endpoint/sophos_edr.md: integration/integrations/endpoint/sophos_edr.md + operation_center/integration_catalog/endpoint/tanium.md: integration/integrations/endpoint/tanium.md + operation_center/integration_catalog/endpoint/windows.md: integration/integrations/endpoint/windows.md + operation_center/integration_catalog/generic/cef.md: integration/integrations/generic/cef.md + operation_center/integration_catalog/network/checkpoint.md: integration/integrations/network/checkpoint.md + operation_center/integration_catalog/network/cisco_asa.md: integration/integrations/network/cisco/cisco_asa.md + operation_center/integration_catalog/network/cisco_wsa.md: integration/integrations/network/cisco/cisco_wsa.md + operation_center/integration_catalog/network/f5-big-ip.md: integration/integrations/network/f5-big-ip.md + operation_center/integration_catalog/network/forcepoint_web_gateway.md: integration/integrations/network/forcepoint_web_gateway.md + operation_center/integration_catalog/network/fortigate.md: integration/integrations/network/fortigate.md + operation_center/integration_catalog/network/fortiproxy.md: integration/integrations/network/fortiproxy.md + operation_center/integration_catalog/network/fortiweb.md: integration/integrations/network/fortiweb.md + operation_center/integration_catalog/network/mcafee_web_gateway.md: integration/integrations/network/skyhigh_secure_web_gateway.md + operation_center/integration_catalog/network/netfilter.md: 
integration/integrations/network/netfilter.md + operation_center/integration_catalog/network/paloalto.md: integration/integrations/network/paloalto.md + operation_center/integration_catalog/network/pulse.md: integration/integrations/network/pulse.md + operation_center/integration_catalog/network/skyhigh_secure_web_gateway.md: integration/integrations/network/skyhigh_secure_web_gateway.md + operation_center/integration_catalog/network/sophos_fw.md: integration/integrations/network/sophos_fw.md + operation_center/integration_catalog/network/squid.md: integration/integrations/network/squid.md + operation_center/integration_catalog/network/stormshield_network_security.md: integration/integrations/network/stormshield_network_security.md + operation_center/integration_catalog/network/suricata.md: integration/integrations/network/suricata.md + operation_center/integration_catalog/network/vectra.md: integration/integrations/network/vectra.md + operation_center/integration_catalog/network/wallix.md: integration/integrations/network/wallix.md + operation_center/integration_catalog/network/zeek.md: integration/integrations/network/zeek.md + operation_center/operators.md: xdr/features/automate/operators.md + operation_center/playbook_overview.md: xdr/features/automate/index.md + operation_center/rules.md: xdr/features/detect/rules_catalog.md + operation_center/rules_catalog.md: xdr/features/detect/rules_catalog.md + operation_center/templates.md: xdr/features/detect/rules_catalog.md + operation_center/threat_exposition.md: xdr/features/report/dashboards.md + operation_center/triggers.md: xdr/features/automate/triggers.md + playbooks/actions.md: xdr/features/automate/actions.md + playbooks/library/aws.md: xdr/features/automate/library/aws.md + playbooks/library/binaryedge-s-api.md: xdr/features/automate/library/binaryedge-s-api.md + playbooks/library/censys.md: xdr/features/automate/library/censys.md + playbooks/library/certificate-transparency.md: 
xdr/features/automate/library/certificate-transparency.md + playbooks/library/detection-rules.md: xdr/features/automate/library/detection-rules.md + playbooks/library/digital-shadows.md: xdr/features/automate/library/digital-shadows.md + playbooks/library/fileutils.md: xdr/features/automate/library/fileutils.md + playbooks/library/fortigate-fw.md: xdr/features/automate/library/fortigate-fw.md + playbooks/library/git.md: xdr/features/automate/library/git.md + playbooks/library/glimps.md: xdr/features/automate/library/glimps.md + playbooks/library/google.md: xdr/features/automate/library/google.md + playbooks/library/harfanglab.md: xdr/features/automate/library/harfanglab.md + playbooks/library/http.md: xdr/features/automate/library/http.md + playbooks/library/iknowwhatyoudownload.md: xdr/features/automate/library/iknowwhatyoudownload.md + playbooks/library/imperva.md: xdr/features/automate/library/imperva.md + playbooks/library/iptoasn.md: xdr/features/automate/library/iptoasn.md + playbooks/library/mandrill.md: xdr/features/automate/library/mandrill.md + playbooks/library/mattermost.md: xdr/features/automate/library/mattermost.md + playbooks/library/misp.md: xdr/features/automate/library/misp.md + playbooks/library/mwdb.md: xdr/features/automate/library/mwdb.md + playbooks/library/onyphe.md: xdr/features/automate/library/onyphe.md + playbooks/library/osint.md: xdr/features/automate/library/osint.md + playbooks/library/pagerduty.md: xdr/features/automate/library/pagerduty.md + playbooks/library/panda-security.md: xdr/features/automate/library/panda-security.md + playbooks/library/public-suffix.md: xdr/features/automate/library/public-suffix.md + playbooks/library/riskiq.md: xdr/features/automate/library/riskiq.md + playbooks/library/rss.md: xdr/features/automate/library/rss.md + playbooks/library/sekoia-io.md: xdr/features/automate/library/sekoia-io.md + playbooks/library/servicenow.md: xdr/features/automate/library/servicenow.md + playbooks/library/shodan.md: 
xdr/features/automate/library/shodan.md + playbooks/library/stix.md: xdr/features/automate/library/stix.md + playbooks/library/the-hive.md: xdr/features/automate/library/the-hive.md + playbooks/library/tranco.md: xdr/features/automate/library/tranco.md + playbooks/library/triage.md: xdr/features/automate/library/triage.md + playbooks/library/vade-secure.md: xdr/features/automate/library/vade-secure.md + playbooks/library/virustotal.md: xdr/features/automate/library/virustotal.md + playbooks/library/whois.md: xdr/features/automate/library/whois.md + playbooks/operators.md: xdr/features/automate/operators.md + playbooks/overview.md: xdr/features/automate/index.md + playbooks/triggers.md: xdr/features/automate/triggers.md + searching/search_events.md: xdr/features/investigate/events.md + tip/develop/rest_api/identity_and_authentication.md: tip/develop/rest_api/community.md + user_center.md: getting_started/index.md + user_center/apikeys.md: getting_started/manage_api_keys.md + user_center/multi_factor_authentication.md: getting_started/account_security.md + xdr/develop/rest_api/identity_and_authentication.md: xdr/develop/rest_api/community.md + integration/ingestion_methods/sekoiaio.md: integration/integrations/endpoint/sekoiaio.md + integration/integrations/cloud_and_saas/duo_security.md: integration/integrations/cloud_and_saas/cisco_duo_security.md + integration/integrations/cloud_and_saas/google/google_workspace.md: integration/integrations/cloud_and_saas/google/google_reports.md + integration/integrations/cloud_and_saas/netskope_events.md: integration/integrations/cloud_and_saas/netskope/netskope_events.md + integration/integrations/endpoint/checkpoint_harmony.md: integration/integrations/endpoint/checkpoint_harmony_mobile.md + integration/integrations/endpoint/trend_micro_deep_security.md: integration/integrations/endpoint/trend_micro/trend_micro_deep_security.md + xdr/features/investigate/dork_language.md: xdr/features/investigate/events_query_language.md + - 
redoc + - intakes_by_uuid repo_url: https://github.com/SEKOIA-IO/documentation site_name: Sekoia.io Documentation site_url: https://docs.sekoia.io @@ -902,11 +902,11 @@ theme: custom_dir: theme favicon: assets/favicon.png features: - - navigation.tabs - - navigation.top - - navigation.footer - - content.code.annotate - - content.action.edit + - navigation.tabs + - navigation.top + - navigation.footer + - content.code.annotate + - content.action.edit font: false include_search_page: true lang: en diff --git a/plugins/intakes_by_uuid.py b/plugins/intakes_by_uuid.py index 62307fc0d1..a32f386740 100644 --- a/plugins/intakes_by_uuid.py +++ b/plugins/intakes_by_uuid.py @@ -45,7 +45,7 @@ def on_files(self, files: Files, config: Config): with filename.open() as f: _, metadata = get_data(f.read()) - if "uuid" not in metadata or metadata.get("type").lower() != "intake": + if "uuid" not in metadata or metadata.get("type").lower() != "intake": continue dialect_uuid = metadata["uuid"] @@ -67,12 +67,14 @@ def on_files(self, files: Files, config: Config): ) new_files.append(newfile) - new_files.append(File( - path="xdr/features/collect/integrations/index.md", - src_dir="operation_center/integration_catalog/", - dest_dir=config["site_dir"], - use_directory_urls=True, - )) + new_files.append( + File( + path="integration/integrations/index.md", + src_dir="operation_center/integration_catalog/", + dest_dir=config["site_dir"], + use_directory_urls=True, + ) + ) files._files += new_files def on_page_read_source(self, page, config): @@ -82,7 +84,7 @@ def on_page_read_source(self, page, config): destination=self._redirection_table[page.file.name] ) - if page.file.src_path == "xdr/features/collect/integrations/index.md": + if page.file.src_path == "integration/integrations/index.md": filename = Path(config["docs_dir"]) / Path(page.file.src_path) content = filename.open().read()
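Review bot: the redirect table mixes two target namespaces, and the hunk gives no hint which one is current: the `operation_center/*` and `playbooks/*` keys point into `xdr/features/automate/...`, `xdr/features/detect/...`, `xdr/features/investigate/...`, while the entries appended at the end (`integration/ingestion_methods/sekoiaio.md`, `integration/integrations/cloud_and_saas/duo_security.md`, ...) point into `integration/integrations/...`, the layout the rest of this patch migrates to. Before merging, check that none of the `xdr/features/...` targets is itself a key in this map or a page that no longer exists, because mkdocs-redirects writes a one-hop stub per key and warns about missing targets instead of chaining them; `mkdocs build --strict` with a grep for `Redirect target` in the output is the cheapest way to catch that. The `plugins:` list also gains `intakes_by_uuid` next to `redoc`; since the code lives in `plugins/intakes_by_uuid.py` rather than an installed package, confirm it is actually registered as a plugin entry point (or loaded as a hook) so the build does not fail on an unknown plugin name.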
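Review bot: the `features:` hunk under `theme:` is indentation-only, every removed `- navigation.tabs` ... `- content.action.edit` line is re-added with identical content, which is harmless for YAML but buries the real changes to this file in whitespace noise. Suggest either keeping the file's existing indentation or landing the reformat as a separate commit so reviewers see only the redirect and plugin changes here.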
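Review bot: in the `@@ -45,7` hunk the `-`/`+` pair differs only in whitespace, but the line it touches has a latent crash: `metadata.get("type").lower()` raises `AttributeError` for any page whose front matter carries a `uuid` but no `type`, because `.get` returns `None`. Since the line is being edited anyway, make it `metadata.get("type", "").lower() != "intake"` (or wrap in `str(...)` if `type` can be non-string) so such pages are skipped rather than aborting the whole build.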
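Review bot: in the `@@ -67,12` hunk `path` becomes `integration/integrations/index.md` but `src_dir` still reads `operation_center/integration_catalog/`, so the resulting `File.abs_src_path` is `operation_center/integration_catalog/integration/integrations/index.md`, which is unlikely to exist; the following hunk reads the content from `config["docs_dir"]` instead, so either pass `src_dir=config["docs_dir"]` here or add a comment stating that `src_dir` is a deliberate placeholder. The same path literal is now duplicated between this `File(...)` call and the `page.file.src_path ==` comparison in `on_page_read_source`, and both had to be changed in lockstep in this very patch; hoist it into one module-level constant (for example `INTEGRATIONS_INDEX = "integration/integrations/index.md"`) so the two cannot drift on the next rename.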
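Review bot: in the `@@ -82,7` hunk the unchanged context line `content = filename.open().read()` leaves the handle to be closed by CPython refcounting and emits a `ResourceWarning` when warnings are enabled; the `@@ -45,7` hunk in the same file already uses `with filename.open() as f:`, so use the same pattern here. Separately, `page.file.src_path` carries OS-specific separators, so the equality against a `/`-separated literal fails on Windows checkouts; on mkdocs 1.4 and later compare against `page.file.src_uri`, which is always `/`-separated.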
