-
Notifications
You must be signed in to change notification settings - Fork 58
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1826 from SEKOIA-IO/update-intake-documentation
Refresh intakes documentation
- Loading branch information
Showing
8 changed files
with
1,174 additions
and
3,343 deletions.
There are no files selected for viewing
247 changes: 247 additions & 0 deletions
247
...perations_center/integrations/generated/041e915e-2fb6-4604-9b24-902c9daa2d3c.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,247 @@ | ||
|
|
||
| ## Event Categories | ||
|
|
||
|
|
||
| The following table lists the data source offered by this integration. | ||
|
|
||
| | Data Source | Description | | ||
| | ----------- | ------------------------------------ | | ||
| | `Email gateway` | Inbound, outbound and internal logs for messages | | ||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
| In details, the following table denotes the type of events produced by this integration. | ||
|
|
||
| | Name | Values | | ||
| | ---- | ------ | | ||
| | Kind | `` | | ||
| | Category | `email` | | ||
| | Type | `denied`, `info` | | ||
|
|
||
|
|
||
|
|
||
|
|
||
| ## Event Samples | ||
|
|
||
| Find below few samples of events and how they are normalized by Sekoia.io. | ||
|
|
||
|
|
||
| === "test_journal.json" | ||
|
|
||
| ```json | ||
|
|
||
| { | ||
| "message": "{\"aggregateId\": \"vC80NNxvOWKkBPnzSs04FA_1715699686\", \"processingId\": \"PGZfGuxEAu_kE-nGy1sjThBr5EYbm1ZcDKg-vXbRHLA_1715699686\", \"accountId\": \"CDE22A102\", \"timestamp\": 1715699697146, \"senderEnvelope\": \"[email protected]\", \"recipients\": \"[email protected]\", \"direction\": \"Inbound\", \"type\": \"journal\", \"subtype\": null, \"_offset\": 105760, \"_partition\": 137}", | ||
| "event": { | ||
| "category": [ | ||
| "email" | ||
| ], | ||
| "dataset": "journal", | ||
| "provider": "Mimecast", | ||
| "type": [ | ||
| "info" | ||
| ] | ||
| }, | ||
| "@timestamp": "2024-05-14T15:14:57.146000Z", | ||
| "email": { | ||
| "direction": "Inbound", | ||
| "from": { | ||
| "address": [ | ||
| "[email protected]" | ||
| ] | ||
| }, | ||
| "to": { | ||
| "address": [ | ||
| "[email protected]" | ||
| ] | ||
| } | ||
| }, | ||
| "mimecast": { | ||
| "siem": { | ||
| "aggregate_id": "vC80NNxvOWKkBPnzSs04FA_1715699686", | ||
| "processing_id": "PGZfGuxEAu_kE-nGy1sjThBr5EYbm1ZcDKg-vXbRHLA_1715699686" | ||
| } | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
|
|
||
| === "test_process.json" | ||
|
|
||
| ```json | ||
|
|
||
| { | ||
| "message": "{\"aggregateId\": \"J5JwSy0HNvG7AvCg1sgDvQ_1715708284\", \"processingId\": \"hP5f7mBanAVkWJWfh4vYvca3zOi9I3jROBmH3Z_Kysk_1715708284\", \"accountId\": \"CDE22A102\", \"action\": \"Hld\", \"timestamp\": 1715708287466, \"senderEnvelope\": \"[email protected]\", \"messageId\": \"<CAF7=BmDb+6qHo+J5EB9oH+S4ncJOfEMsUYAEirX4MRZRJX+esw@mail.gmail.com>\", \"subject\": \"Moderate\", \"holdReason\": \"Spm\", \"totalSizeAttachments\": \"0\", \"numberAttachments\": \"0\", \"attachments\": null, \"emailSize\": \"3466\", \"type\": \"process\", \"subtype\": \"Hld\", \"_offset\": 105825, \"_partition\": 137}", | ||
| "event": { | ||
| "action": "Hld", | ||
| "category": [ | ||
| "email" | ||
| ], | ||
| "dataset": "process", | ||
| "provider": "Mimecast", | ||
| "type": [ | ||
| "info" | ||
| ] | ||
| }, | ||
| "@timestamp": "2024-05-14T17:38:07.466000Z", | ||
| "email": { | ||
| "from": { | ||
| "address": [ | ||
| "[email protected]" | ||
| ] | ||
| }, | ||
| "message_id": "CAF7=BmDb+6qHo+J5EB9oH+S4ncJOfEMsUYAEirX4MRZRJX+esw@mail.gmail.com", | ||
| "to": { | ||
| "address": [ | ||
| "null" | ||
| ] | ||
| } | ||
| }, | ||
| "mimecast": { | ||
| "siem": { | ||
| "aggregate_id": "J5JwSy0HNvG7AvCg1sgDvQ_1715708284", | ||
| "hold_reason": "Spm", | ||
| "processing_id": "hP5f7mBanAVkWJWfh4vYvca3zOi9I3jROBmH3Z_Kysk_1715708284" | ||
| } | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
|
|
||
| === "test_process_with_attachment.json" | ||
|
|
||
| ```json | ||
|
|
||
| { | ||
| "message": "{\"processingId\": \"processingId\", \"aggregateId\": \"aggregateId\", \"numberAttachments\": \"2\", \"attachments\": \"tpsreport.doc\", \"subject\": \"siem_process - email subject line\", \"senderEnvelope\": \"[email protected]\", \"messageId\": \"messageId\", \"eventType\": \"process\", \"accountId\": \"C0A0\", \"action\": \"Allow\", \"holdReason\": null, \"subType\": \"Allow\", \"totalSizeAttachments\": \"642\", \"timestamp\": 1689685338609, \"emailSize\": \"56422\"}", | ||
| "event": { | ||
| "action": "Allow", | ||
| "category": [ | ||
| "email" | ||
| ], | ||
| "dataset": "process", | ||
| "provider": "Mimecast", | ||
| "type": [ | ||
| "info" | ||
| ] | ||
| }, | ||
| "@timestamp": "2023-07-18T13:02:18.609000Z", | ||
| "email": { | ||
| "attachments": [ | ||
| { | ||
| "file": { | ||
| "name": "tpsreport.doc" | ||
| } | ||
| } | ||
| ], | ||
| "from": { | ||
| "address": [ | ||
| "[email protected]" | ||
| ] | ||
| }, | ||
| "message_id": "messageId", | ||
| "to": { | ||
| "address": [ | ||
| "null" | ||
| ] | ||
| } | ||
| }, | ||
| "mimecast": { | ||
| "siem": { | ||
| "aggregate_id": "aggregateId", | ||
| "processing_id": "processingId" | ||
| } | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
|
|
||
| === "test_receipt.json" | ||
|
|
||
| ```json | ||
|
|
||
| { | ||
| "message": "{\"aggregateId\": \"J5JwSy0HNvG7AvCg1sgDvQ_1715708284\", \"processingId\": \"hP5f7mBanAVkWJWfh4vYvca3zOi9I3jROBmH3Z_Kysk_1715708284\", \"accountId\": \"CDE22A102\", \"timestamp\": 1715708286579, \"action\": \"Acc\", \"senderEnvelope\": \"[email protected]\", \"messageId\": \"<CAF7=BmDb+6qHo+J5EB9oH+S4ncJOfEMsUYAAarX4MRZRJX+esw@mail.gmail.com>\", \"subject\": \"Moderate\", \"recipients\": \"[email protected]\", \"senderIp\": \"209.123.123.123\", \"rejectionType\": null, \"rejectionCode\": null, \"direction\": \"Inbound\", \"numberAttachments\": \"0\", \"senderHeader\": \"[email protected]\", \"rejectionInfo\": null, \"tlsVersion\": \"TLSv1.3\", \"tlsCipher\": \"TLS_AES_256_GCM_SHA384\", \"spamInfo\": \"[]\", \"spamProcessingDetail\": \"{\\\"spf\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"ALLOW\\\"},\\\"dkim\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"ALLOW\\\"},\\\"dmarc\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"ALLOW\\\"}}\", \"virusFound\": null, \"type\": \"receipt\", \"subtype\": \"Acc\", \"_offset\": 105826, \"_partition\": 137}", | ||
| "event": { | ||
| "action": "Acc", | ||
| "category": [ | ||
| "email" | ||
| ], | ||
| "dataset": "receipt", | ||
| "provider": "Mimecast", | ||
| "type": [ | ||
| "info" | ||
| ] | ||
| }, | ||
| "@timestamp": "2024-05-14T17:38:06.579000Z", | ||
| "email": { | ||
| "direction": "Inbound", | ||
| "from": { | ||
| "address": [ | ||
| "[email protected]" | ||
| ] | ||
| }, | ||
| "message_id": "CAF7=BmDb+6qHo+J5EB9oH+S4ncJOfEMsUYAAarX4MRZRJX+esw@mail.gmail.com", | ||
| "to": { | ||
| "address": [ | ||
| "[email protected]" | ||
| ] | ||
| } | ||
| }, | ||
| "mimecast": { | ||
| "siem": { | ||
| "aggregate_id": "J5JwSy0HNvG7AvCg1sgDvQ_1715708284", | ||
| "processing_id": "hP5f7mBanAVkWJWfh4vYvca3zOi9I3jROBmH3Z_Kysk_1715708284" | ||
| } | ||
| }, | ||
| "related": { | ||
| "ip": [ | ||
| "209.123.123.123" | ||
| ] | ||
| }, | ||
| "source": { | ||
| "address": "209.123.123.123", | ||
| "ip": "209.123.123.123" | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
| ## Extracted Fields | ||
|
|
||
| The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. | ||
|
|
||
| | Name | Type | Description | | ||
| | ---- | ---- | ---------------------------| | ||
| |`@timestamp` | `date` | Date/time when the event originated. | | ||
| |`destination.ip` | `ip` | IP address of the destination. | | ||
| |`email.attachments` | `nested` | List of objects describing the attachments. | | ||
| |`email.direction` | `keyword` | Direction of the message. | | ||
| |`email.from.address` | `keyword` | The sender's email address. | | ||
| |`email.message_id` | `wildcard` | Value from the Message-ID header. | | ||
| |`email.to.address` | `keyword` | Email address of recipient | | ||
| |`event.action` | `keyword` | The action captured by the event. | | ||
| |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | | ||
| |`event.dataset` | `keyword` | Name of the dataset. | | ||
| |`event.provider` | `keyword` | Source of the event. | | ||
| |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | | ||
| |`mimecast.siem.aggregate_id` | `keyword` | Unique identifier that allows you to correlate/group related events. | | ||
| |`mimecast.siem.delivered` | `boolean` | If the email was delivered successfully or not. | | ||
| |`mimecast.siem.delivery_errors` | `keyword` | Information about any errors that occurred on the delivery attempt. | | ||
| |`mimecast.siem.hold_reason` | `keyword` | The reason the email was held for review (quarantined), if applicable. | | ||
| |`mimecast.siem.processing_id` | `keyword` | Unique identifier that allows you to correlate/group related events. | | ||
| |`mimecast.siem.rejection.code` | `number` | The rejection code issued if the email was rejected at the receipt stage. | | ||
| |`mimecast.siem.rejection.info` | `keyword` | The rejection information if the email was rejected at the receipt stage. | | ||
| |`mimecast.siem.rejection.type` | `keyword` | The rejection type if the email was rejected at the receipt stage. | | ||
| |`mimecast.siem.virus_found` | `keyword` | The name of the virus found on the email, if applicable. | | ||
| |`source.ip` | `ip` | IP address of the source. | | ||
|
|
Oops, something went wrong.