
Refresh intakes documentation
sekoia-io-cross-repo-comm-app[bot] authored and github-actions[bot] committed Oct 16, 2024
1 parent 91cf214 commit 35f8230
Showing 6 changed files with 7,640 additions and 0 deletions.
Expand Up @@ -718,6 +718,15 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"product": "Thinkst Canary",
"vendor": "Thinkst Canary"
},
"related": {
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"thinkst_canary": {
"incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212"
}
Expand All @@ -726,6 +735,44 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
```


=== "test_ip_field.json"

```json

{
"message": "{\"incident_id\":\"incident:rdplogin:144444cff2d13e844444444444:1.2.3.4:1111497485\",\"event_type\":\"incident\",\"summary\":\"RDP Login Attempt\",\"timestamp\":\"1111497485\"}",
"event": {
"category": [
"intrusion_detection"
],
"kind": "alert",
"reason": "RDP Login Attempt",
"type": [
"denied"
]
},
"@timestamp": "2005-03-22T13:18:05Z",
"observer": {
"product": "Thinkst Canary",
"vendor": "Thinkst Canary"
},
"related": {
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"thinkst_canary": {
"incident_id": "incident:rdplogin:144444cff2d13e844444444444:1.2.3.4:1111497485"
}
}
```


=== "test_ldap_bind_attempt.json"

```json
Expand Up @@ -471,6 +471,20 @@ In this section, you will find examples of raw logs as generated natively by the



=== "test_ip_field"


```json
{
"incident_id": "incident:rdplogin:144444cff2d13e844444444444:1.2.3.4:1111497485",
"event_type": "incident",
"summary": "RDP Login Attempt",
"timestamp": "1111497485"
}
```



=== "test_ldap_bind_attempt"


Expand Up @@ -5420,6 +5420,144 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
```


=== "process_8002.json"

```json

{
"message": "{\"EventTime\":\"2024-10-02 10:42:24\",\"Hostname\":\"HOST.test.fr\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":8002,\"SourceName\":\"Microsoft-Windows-AppLocker\",\"ProviderGuid\":\"{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}\",\"Version\":0,\"Task\":0,\"OpcodeValue\":0,\"RecordNumber\":1812526,\"ProcessID\":2476,\"ThreadID\":2720,\"Channel\":\"Microsoft-Windows-AppLocker/EXE and DLL\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-2-34\",\"AccountType\":\"User\",\"Message\":\"%SYSTEM32%\\\\TEST\\\\APP.EXE was allowed to run.\",\"Opcode\":\"Info\",\"EventReceivedTime\":\"2024-10-02 10:42:25\",\"SourceModuleName\":\"eventlog\",\"SourceModuleType\":\"im_msvistalog\"}",
"event": {
"code": "8002",
"message": "%SYSTEM32%\\TEST\\APP.EXE was allowed to run.",
"provider": "Microsoft-Windows-AppLocker"
},
"action": {
"id": 8002,
"properties": {
"AccountName": "SYSTEM",
"AccountType": "User",
"Domain": "NT AUTHORITY",
"EventType": "INFO",
"Keywords": "-9223372036854775808",
"OpcodeValue": 0,
"ProviderGuid": "{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}",
"Severity": "INFO",
"SourceName": "Microsoft-Windows-AppLocker",
"Task": 0
},
"record_id": 1812526,
"type": "Microsoft-Windows-AppLocker/EXE and DLL"
},
"file": {
"name": "APP.EXE",
"path": "%SYSTEM32%\\TEST\\APP.EXE"
},
"host": {
"hostname": "HOST.test.fr",
"name": "HOST.test.fr"
},
"log": {
"hostname": "HOST.test.fr",
"level": "info"
},
"os": {
"family": "windows",
"platform": "windows"
},
"process": {
"id": 2476,
"pid": 2476,
"thread": {
"id": 2720
}
},
"related": {
"hosts": [
"HOST.test.fr"
],
"user": [
"SYSTEM"
]
},
"user": {
"domain": "NT AUTHORITY",
"id": "S-1-2-34",
"name": "SYSTEM"
}
}

```


=== "process_8005.json"

```json

{
"message": "{\"EventTime\":\"2024-10-02 10:42:01\",\"Hostname\":\"FOOBAR\",\"Keywords\":4611686018427388000,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":8005,\"SourceName\":\"Microsoft-Windows-AppLocker\",\"ProviderGuid\":\"{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}\",\"Version\":0,\"Task\":0,\"OpcodeValue\":0,\"RecordNumber\":16535331,\"ActivityID\":\"{FE138280-0FB7-0002-8AA0-31FEB70FDB01}\",\"ProcessID\":5532,\"ThreadID\":10772,\"Channel\":\"Microsoft-Windows-AppLocker/MSI and Script\",\"Domain\":\"DOM\",\"AccountName\":\"account\",\"UserID\":\"S-1-2-34\",\"AccountType\":\"User\",\"Message\":\"%OSDRIVE%\\\\USERS\\\\ACCOUNT\\\\APPDATA\\\\LOCAL\\\\TEMP\\\\file.test was allowed to run.\",\"Opcode\":\"Info\",\"EventReceivedTime\":\"2024-10-02 10:42:02\",\"SourceModuleName\":\"eventlog\",\"SourceModuleType\":\"im_msvistalog\"}",
"event": {
"code": "8005",
"message": "%OSDRIVE%\\USERS\\ACCOUNT\\APPDATA\\LOCAL\\TEMP\\file.test was allowed to run.",
"provider": "Microsoft-Windows-AppLocker"
},
"action": {
"id": 8005,
"properties": {
"AccountName": "account",
"AccountType": "User",
"Domain": "DOM",
"EventType": "INFO",
"Keywords": "4611686018427388000",
"OpcodeValue": 0,
"ProviderGuid": "{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}",
"Severity": "INFO",
"SourceName": "Microsoft-Windows-AppLocker",
"Task": 0
},
"record_id": 16535331,
"type": "Microsoft-Windows-AppLocker/MSI and Script"
},
"file": {
"name": "file.test",
"path": "%OSDRIVE%\\USERS\\ACCOUNT\\APPDATA\\LOCAL\\TEMP\\file.test"
},
"host": {
"hostname": "FOOBAR",
"name": "FOOBAR"
},
"log": {
"hostname": "FOOBAR",
"level": "info"
},
"os": {
"family": "windows",
"platform": "windows"
},
"process": {
"id": 5532,
"pid": 5532,
"thread": {
"id": 10772
}
},
"related": {
"hosts": [
"FOOBAR"
],
"user": [
"account"
]
},
"user": {
"domain": "DOM",
"id": "S-1-2-34",
"name": "account"
}
}

```


=== "process_creation.json"

```json
Expand Up @@ -2921,6 +2921,75 @@ In this section, you will find examples of raw logs as generated natively by the



=== "process_8002"

```
{
"EventTime": "2024-10-02 10:42:24",
"Hostname": "HOST.test.fr",
"Keywords": -9223372036854775808,
"EventType": "INFO",
"SeverityValue": 2,
"Severity": "INFO",
"EventID": 8002,
"SourceName": "Microsoft-Windows-AppLocker",
"ProviderGuid": "{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}",
"Version": 0,
"Task": 0,
"OpcodeValue": 0,
"RecordNumber": 1812526,
"ProcessID": 2476,
"ThreadID": 2720,
"Channel": "Microsoft-Windows-AppLocker/EXE and DLL",
"Domain": "NT AUTHORITY",
"AccountName": "SYSTEM",
"UserID": "S-1-2-34",
"AccountType": "User",
"Message": "%SYSTEM32%\\TEST\\APP.EXE was allowed to run.",
"Opcode": "Info",
"EventReceivedTime": "2024-10-02 10:42:25",
"SourceModuleName": "eventlog",
"SourceModuleType": "im_msvistalog"
}
```



=== "process_8005"

```
{
"EventTime": "2024-10-02 10:42:01",
"Hostname": "FOOBAR",
"Keywords": 4611686018427388000,
"EventType": "INFO",
"SeverityValue": 2,
"Severity": "INFO",
"EventID": 8005,
"SourceName": "Microsoft-Windows-AppLocker",
"ProviderGuid": "{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}",
"Version": 0,
"Task": 0,
"OpcodeValue": 0,
"RecordNumber": 16535331,
"ActivityID": "{FE138280-0FB7-0002-8AA0-31FEB70FDB01}",
"ProcessID": 5532,
"ThreadID": 10772,
"Channel": "Microsoft-Windows-AppLocker/MSI and Script",
"Domain": "DOM",
"AccountName": "account",
"UserID": "S-1-2-34",
"AccountType": "User",
"Message": "%OSDRIVE%\\USERS\\ACCOUNT\\APPDATA\\LOCAL\\TEMP\\file.test was allowed to run.",
"Opcode": "Info",
"EventReceivedTime": "2024-10-02 10:42:02",
"SourceModuleName": "eventlog",
"SourceModuleType": "im_msvistalog"
}
```



=== "process_creation"

```