Merge pull request #1765 from SEKOIA-IO/update-intake-documentation
Refresh intakes documentation
squioc authored Apr 26, 2024
2 parents 99d187d + d0de308 commit 31fbb7a
Showing 3 changed files with 4,750 additions and 286 deletions.
Expand Up @@ -50,6 +50,41 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```


=== "esmtp.json"

```json

{
"message": "to=<[email protected]> delay=00:00:06 xdelay=00:00:06 mailer=esmtp pri=165917 relay= [3.4.5.6] dsn=2.0.0 stat=Sent (Ok: queued as 4T9pxY2qZtz2XPBPX)",
"action": {
"properties": {
"mailer": "esmtp"
}
},
"email": {
"to": {
"address": [
"[email protected]"
]
}
},
"log": {
"level": "165917"
},
"related": {
"ip": [
"3.4.5.6"
]
},
"source": {
"address": "3.4.5.6",
"ip": "3.4.5.6"
}
}
```


=== "event.json"

```json
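Review bot: `log.level` is set to `"165917"` in the esmtp.json sample, taken from `pri=165917`; in this sendmail-style esmtp line `pri=` is the message's queue priority, not a severity, so the sample documents a mis-mapping that makes `log.level` useless for filtering this event type (compare the kevent sample, where `pri=information` really is a level). Either keep the value out of `log.level` (something like `action.properties.pri`) or add a caveat next to the sample. Two smaller points: `stat=Sent (Ok: queued as 4T9pxY2qZtz2XPBPX)` and `dsn=2.0.0` are not reflected in the normalized event even though `action.properties.stat` is in the field table, and the raw line has a space in `relay= [3.4.5.6]`, so keep this exact form in the test fixture to prove the `source.ip` extraction tolerates it.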
Expand Down Expand Up @@ -307,6 +342,43 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```


=== "kevent_1.json"

```json

{
"message": "time=11:19:15.002 device_id=123 log_id=0701031743 type=kevent subtype=admin pri=information scope=o365 user=j.doe ui=GUI(1.2.3.4) action=login status=success reason=none msg=\"User j.doe login successfully from GUI(1.2.3.4)\"",
"event": {
"action": "login",
"category": "admin",
"kind": "kevent",
"message": "User j.doe login successfully from GUI(1.2.3.4)"
},
"action": {
"outcome_reason": "User j.doe login successfully from GUI(1.2.3.4)",
"properties": {
"device_id": "123",
"event_status": "success",
"log_id": "0701031743",
"user_identifier": "GUI(1.2.3.4)"
}
},
"log": {
"level": "information"
},
"related": {
"user": [
"j.doe"
]
},
"user": {
"name": "j.doe"
}
}
```


=== "smtp_event_STARTTLS_client_local_certificate.json"

```json
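Review bot: the admin login source address is not normalized in kevent_1.json: `ui=GUI(1.2.3.4)` survives only as `action.properties.user_identifier: "GUI(1.2.3.4)"`, so `source.ip` and `related.ip` stay empty on an administrator authentication event, which is exactly the field a rule such as "admin login from an unexpected network" needs. Suggest splitting the `ui=` value into the access method (`GUI`) and the address, populating `source.ip` from the latter. Minor: `status=success` lands in `action.properties.event_status` rather than `event.outcome`, and `scope=o365` is dropped entirely; if both are deliberate, one sentence under the sample saying so would help readers writing detection rules.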
Expand Down Expand Up @@ -518,15 +590,15 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"device_id": "123",
"event_status": "clean",
"log_id": "123",
"session_id": "00000",
"subject": "D\u00e9tail de votre quarantaine: [ 1 message(s) en quarantaine entre le jeu. 15 avr. 2021 14 h 00 +0200 et le jeu. 15 avr. 2021 16 h 00 +0200 ]"
"session_id": "00000"
}
},
"destination": {
"address": "1.1.1.1",
"ip": "1.1.1.1"
},
"email": {
"subject": "D\u00e9tail de votre quarantaine: [ 1 message(s) en quarantaine entre le jeu. 15 avr. 2021 14 h 00 +0200 et le jeu. 15 avr. 2021 16 h 00 +0200 ]",
"to": {
"address": [
"mail.fr"
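Review bot: moving the subject from `action.properties.subject` to `email.subject` is the right ECS placement and matches the field-table change later in this commit; the removal is done cleanly here (the preceding `"session_id": "00000"` loses its trailing comma, so the `action.properties` object stays valid JSON). Since every sample in this section carries a subject, it is worth grepping the whole file for a remaining `action.properties.subject` after the move, so no sample contradicts the table.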
Expand Down Expand Up @@ -575,8 +647,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"properties": {
"device_id": "device",
"log_id": "121416",
"session_id": "123456",
"subject": "d\u00e9finitivement aim\u00e9 cette id\u00e9e et a pris la d\u00e9cision de vous la montrer"
"session_id": "123456"
}
},
"destination": {
Expand All @@ -589,6 +660,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"whatever.com"
]
},
"subject": "d\u00e9finitivement aim\u00e9 cette id\u00e9e et a pris la d\u00e9cision de vous la montrer",
"to": {
"address": [
"something.com"
Expand Down Expand Up @@ -637,8 +709,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"device_id": "abc",
"event_status": "detected",
"log_id": "0300025551",
"session_id": "123456",
"subject": "new order to UK"
"session_id": "123456"
}
},
"destination": {
Expand All @@ -651,6 +722,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"nereply.live"
]
},
"subject": "new order to UK",
"to": {
"address": [
"[email protected]"
Expand Down Expand Up @@ -707,8 +779,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"log_id": "0300025171",
"session_id": "15N7xWCW025167-15N7xWCX025167",
"spam_category": "Spam URLs",
"spam_id": 86,
"subject": "Vos impressions de documents au meilleur prix !"
"spam_id": 86
}
},
"destination": {
Expand All @@ -721,6 +792,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"target.fr"
]
},
"subject": "Vos impressions de documents au meilleur prix !",
"to": {
"address": [
"source.com"
Expand Down Expand Up @@ -752,6 +824,74 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```


=== "spam_webfilter_url_1.json"

```json

{
"message": "time=14:16:45.427 device_id=123 log_id=0300017253 type=spam subtype=default pri=information session_id=\"15N7xWCW025167-15N7xWCX025167\" client_name=\"mail.example.org\" client_ip=\"1.2.3.4\" dst_ip=\"5.6.7.8\" from=\"[email protected]\" to=\"[email protected]\" subject=\"Ring phone promotion\" msg=\"FortiGuard-WebFilter identified URL(category: Phishing, id: 61): https://www.example.org/emailing/promotion.html\"",
"event": {
"category": "default",
"kind": "spam",
"message": "FortiGuard-WebFilter identified URL(category: Phishing, id: 61): https://www.example.org/emailing/promotion.html"
},
"action": {
"outcome_reason": "FortiGuard-WebFilter identified URL(category: Phishing, id: 61): https://www.example.org/emailing/promotion.html",
"properties": {
"device_id": "123",
"log_id": "0300017253",
"session_id": "15N7xWCW025167-15N7xWCX025167"
}
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8"
},
"email": {
"from": {
"address": [
"[email protected]"
]
},
"subject": "Ring phone promotion",
"to": {
"address": [
"[email protected]"
]
}
},
"host": {
"name": "12345"
},
"log": {
"hostname": "12345",
"level": "information"
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
]
},
"source": {
"address": "mail.example.org",
"ip": "1.2.3.4"
},
"url": {
"domain": "www.example.org",
"original": "https://www.example.org/emailing/promotion.html",
"path": "/emailing/promotion.html",
"port": 443,
"registered_domain": "example.org",
"scheme": "https",
"subdomain": "www",
"top_level_domain": "org"
}
}
```


=== "statistics.json"

```json
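Review bot: in spam_webfilter_url_1.json the FortiGuard-WebFilter verdict (`category: Phishing, id: 61`) is left inside the free-text `event.message` / `action.outcome_reason` and not extracted, even though the other spam sample in this file populates `action.properties.spam_category` and `action.properties.spam_id`; a rule that wants to separate phishing URLs from mere promotions has to regex the message. Suggest mapping the category and id to those same properties for consistency. The `url.*` breakdown itself looks right; `url.port: 443` is inferred from the `https` scheme (the raw line carries no port), which deserves a one-line note. Likewise `host.name` / `log.hostname: "12345"` do not appear anywhere in the quoted `message`, presumably coming from the transport envelope; saying so would spare readers a fruitless comparison of the two.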
Expand All @@ -774,8 +914,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"policy_id": "0:1:1",
"session_id": "123",
"source_country": "FR",
"src_type": "int",
"subject": "confidential subject"
"src_type": "int"
}
},
"destination": {
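Review bot: this hunk only removes `"subject": "confidential subject"` from `action.properties` of the statistics sample; unlike the other samples in this change, the matching `email.subject` addition is not visible in the hunk. If it sits in the collapsed part of the sample, fine; otherwise the subject has been dropped from this sample rather than moved, and the sample no longer exercises `email.subject` for the statistics event type.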
Expand Down Expand Up @@ -873,6 +1012,82 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```


=== "virus_1.json"

```json

{
"message": "time=14:18:20.030 device_id=123 log_id=0103021373 type=virus subtype=fortisandbox pri=information scope=o365 from=\"\" to=\"\" client_name=\"\" client_ip=\"\" session_id=\"15N7xWCW025167-15N7xWCX025167\" msg=\"URL https://example.org/path/image.jpg has been scanned by FortiSandbox. Scan result: rating=CLEAN\"",
"event": {
"category": "fortisandbox",
"kind": "virus",
"message": "URL https://example.org/path/image.jpg has been scanned by FortiSandbox. Scan result: rating=CLEAN"
},
"action": {
"outcome_reason": "URL https://example.org/path/image.jpg has been scanned by FortiSandbox. Scan result: rating=CLEAN",
"properties": {
"device_id": "123",
"log_id": "0103021373",
"session_id": "15N7xWCW025167-15N7xWCX025167"
}
},
"host": {
"name": "hostname"
},
"log": {
"hostname": "hostname",
"level": "information"
},
"url": {
"domain": "example.org",
"original": "https://example.org/path/image.jpg",
"path": "/path/image.jpg",
"port": 443,
"registered_domain": "example.org",
"scheme": "https",
"top_level_domain": "org"
}
}
```


=== "virus_2.json"

```json

{
"message": "time=14:18:14.805 device_id=123 log_id=0103001910 type=virus subtype=fortisandbox pri=information from=\"\" to=\"\" client_name=\"\" client_ip=\"\" session_id=\"15N7xWCW025167-15N7xWCX025167\" msg=\"URL https://example.org/path/image.jpg has been scanned by FortiSandbox. Scan result: rating=CLEAN\"",
"event": {
"category": "fortisandbox",
"kind": "virus",
"message": "URL https://example.org/path/image.jpg has been scanned by FortiSandbox. Scan result: rating=CLEAN"
},
"action": {
"outcome_reason": "URL https://example.org/path/image.jpg has been scanned by FortiSandbox. Scan result: rating=CLEAN",
"properties": {
"device_id": "123",
"log_id": "0103001910",
"session_id": "15N7xWCW025167-15N7xWCX025167"
}
},
"log": {
"level": "information"
},
"url": {
"domain": "example.org",
"original": "https://example.org/path/image.jpg",
"path": "/path/image.jpg",
"port": 443,
"registered_domain": "example.org",
"scheme": "https",
"top_level_domain": "org"
}
}
```





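Review bot: the FortiSandbox verdict (`rating=CLEAN`) is not extracted in virus_1.json and virus_2.json; it survives only inside `event.message` / `action.outcome_reason`, while other samples in this file set `action.properties.event_status` (`clean`, `detected`). A `type=virus` event whose verdict is CLEAN is pure noise for a detection engineer unless the rating is a structured field, so consider populating `action.properties.event_status` from `rating=`. The empty `from=""`, `to=""`, `client_name=""`, `client_ip=""` correctly produce no `email.*` or `source.*` fields, which is good to see. The two samples are otherwise identical apart from `scope=o365` and the presence of `host.name`, so state what difference they illustrate or keep only one. Also, five blank lines are added after `virus_2.json`; one is enough before the next section.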
Expand Down Expand Up @@ -906,7 +1121,6 @@ The following table lists the fields that are extracted, normalized under the EC
|`action.properties.src_type` | `keyword` | |
|`action.properties.start_tls` | `keyword` | |
|`action.properties.stat` | `keyword` | |
|`action.properties.subject` | `keyword` | |
|`action.properties.user_identifier` | `keyword` | |
|`action.properties.verify` | `keyword` | |
|`action.properties.virus` | `keyword` | |
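Review bot: dropping `action.properties.subject` from the field table without a deprecation note means existing rules, filters and dashboards that reference it will keep validating but silently stop matching once the parser change ships; add a line stating that the field moved to `email.subject`, and from which version, either here or in the intake changelog.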
Expand All @@ -916,6 +1130,7 @@ The following table lists the fields that are extracted, normalized under the EC
|`destination.ip` | `ip` | IP address of the destination. |
|`destination.size_in_char` | `number` | |
|`email.from.address` | `array` | |
|`email.subject` | `keyword` | The subject of the email message. |
|`email.to.address` | `array` | |
|`event.action` | `keyword` | The action captured by the event. |
|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
Expand All @@ -939,6 +1154,7 @@ The following table lists the fields that are extracted, normalized under the EC
|`tls.server.issuer` | `keyword` | Subject of the issuer of the x.509 certificate presented by the server. |
|`tls.server.subject` | `keyword` | Subject of the x.509 certificate presented by the server. |
|`url.full` | `wildcard` | Full unparsed URL. |
|`url.original` | `wildcard` | Unmodified original url as seen in the event source. |
|`user.email` | `keyword` | User email address. |
|`user.name` | `keyword` | Short name or login of the user. |
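Review bot: `url.original` is added next to the existing `url.full`, but the samples in this change only ever populate `url.original` (with `url.domain`, `url.path`, `url.port`, `url.registered_domain`, `url.scheme`, `url.subdomain` and `url.top_level_domain`); either document when `url.full` is populated or drop it, and check that the other `url.*` subfields shown in the samples are listed in this table, since they fall outside this hunk and are not visible here.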

