Merge pull request #2060 from SEKOIA-IO/update-intake-documentation
Refresh intakes documentation
squioc authored Dec 16, 2024
2 parents b39ca21 + 661d752 commit 3e2f0ce
Showing 26 changed files with 7,019 additions and 148 deletions.
Expand Up @@ -34,20 +34,12 @@ This section demonstrates how the raw logs will be transformed by our parsers. I

{
"message": "09/29/2023:07:40:56 GMT ADC 0-PPE-1 : default AAATM Message 1111111111 0 : \"AAA JSON-PARSE: ns_aaa_json_parser_StartElementHandler: NAME_VAL state, multi valued attribute start 'ConnectionId' seen\"",
"event": {
"category": [
"network"
],
"code": "Message",
"dataset": "audit_aaatm",
"reason": "\"AAA JSON-PARSE: ns_aaa_json_parser_StartElementHandler: NAME_VAL state, multi valued attribute start 'ConnectionId' seen\"",
"type": [
"connection"
]
},
"@timestamp": "2023-09-29T07:40:56Z",
"observer": {
"name": "ADC"
"sekoiaio": {
"intake": {
"parsing_warnings": [
"No fields extracted from original event"
]
}
}
}
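Review bot: the ADC AAATM example now documents the parser giving up on this message (`sekoiaio.intake.parsing_warnings: "No fields extracted from original event"`) where it previously populated `event.category`, `event.code`, `event.dataset` (`audit_aaatm`), `event.reason`, `@timestamp` and `observer.name`. If the `AAATM Message` line is intentionally no longer parsed, the surrounding text should say so; otherwise this example publishes a regression and the parser should be fixed before the documentation is refreshed.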
Expand Up @@ -80,6 +80,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"url": [
"http://schemas.microsoft.com/office/2004/12/omml",
"http://www.w3.org/TR/REC-html40"
],
"url_domain": [
"schemas.microsoft.com",
"www.w3.org"
]
}
},
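Review bot: the new `url_domain` values here come from XML namespace URIs (`schemas.microsoft.com`, `www.w3.org`) that appear in practically every Office attachment. The `cisco.esa.url_domain` field description should state that it is populated from any URL-like string in the message, not only from clickable links, otherwise rules matching on this field will fire on benign namespace declarations.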
Expand Down Expand Up @@ -351,6 +355,10 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"url": [
"http://mandrill.appc.cisco.com/track/open.php?u=30372747&id=d57275a6c9df40418a90fd977e3bf506",
"https://bce-demo.appc.cisco.com/sensors/a7b04388-0f6e-11e9-8def-0242ac110002"
],
"url_domain": [
"bce-demo.appc.cisco.com",
"mandrill.appc.cisco.com"
]
}
},
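Review bot: `url_domain` is sorted alphabetically here (`bce-demo.appc.cisco.com` before `mandrill.appc.cisco.com`) while `url` keeps the original order (`mandrill...` first), so the two arrays do not line up index by index. Worth stating in the `cisco.esa.url_domain` field description so rule authors do not try to correlate `url[i]` with `url_domain[i]`.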
Expand Down Expand Up @@ -680,6 +688,13 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"url": [
"https://facebook.com/u/john.doe",
"https://tiktok.com",
"https://tinyurl.es/tbdra",
"www.twitter.com"
],
"url_domain": [
"facebook.com",
"tiktok.com",
"tinyurl.es",
"www.twitter.com"
]
}
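Review bot: the scheme-less entry `www.twitter.com` is carried into `url_domain` unchanged, `www.` prefix included, while the other entries are the host exactly as written in the URL. The docs should state that `url_domain` is the hostname as it appears in the URL, not a normalised registered domain, so a rule looking for `twitter.com` needs a suffix match rather than an equality test.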
Expand Down Expand Up @@ -914,8 +929,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"domain": {
"age": "30 days (or greater)"
}
},
"url": []
}
}
},
"email": {
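Review bot: dropping the empty `"url": []` from this example means `cisco.esa.url` is now absent rather than empty when the message carried no URLs. That is the better shape for a `keyword` field, but the field table should mention that the field is only present when at least one URL was found, so existence checks in rules behave as intended.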
Expand Down Expand Up @@ -1205,6 +1219,7 @@ The following table lists the fields that are extracted, normalized under the EC
|`cisco.esa.source.domain.age` | `keyword` | This field indicates the age of the domain associated with the sender of a message. Older domains are generally considered more trustworthy than newer domains, so this field can be used as a factor in determining whether a message is legitimate or spam. |
|`cisco.esa.status` | `keyword` | |
|`cisco.esa.url` | `keyword` | the declaration of the cisco urls |
|`cisco.esa.url_domain` | `keyword` | |
|`destination.domain` | `keyword` | The domain name of the destination. |
|`destination.ip` | `ip` | IP address of the destination. |
|`destination.mac` | `keyword` | MAC address of the destination. |
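Review bot: the new `cisco.esa.url_domain` row has no description. Suggest `Hostnames extracted from the URLs in cisco.esa.url, sorted alphabetically`, which matches the examples above. While here, the `cisco.esa.url` description `the declaration of the cisco urls` does not explain the field; `URLs reported by ESA for the message` would be clearer if that is what it holds.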
Expand Up @@ -826,6 +826,60 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
```


=== "rdp.json"

```json

{
"message": "{\"timestamp\":\"2024-11-29T15:08:06.239558+0000\",\"flow_id\":1822723333770346,\"in_iface\":\"eth0\",\"event_type\":\"rdp\",\"src_ip\":\"14.225.46.243\",\"src_port\":58953,\"dest_ip\":\"10.0.1.4\",\"dest_port\":3389,\"proto\":\"TCP\",\"community_id\":\"1:kyALzWxuJ/ruPpAqvO4KTLSsEaQ=\",\"rdp\":{\"tx_id\":2,\"event_type\":\"tls_handshake\",\"x509_serials\":[\"773dbe1ea6dc998444b4f9da1f188ba8\"]}}",
"event": {
"category": [
"network"
],
"type": [
"connection"
]
},
"@timestamp": "2024-11-29T15:08:06.239558Z",
"action": {
"type": "rdp"
},
"destination": {
"address": "10.0.1.4",
"ip": "10.0.1.4",
"port": 3389
},
"host": {
"ip": "14.225.46.243"
},
"network": {
"community_id": "1:kyALzWxuJ/ruPpAqvO4KTLSsEaQ=",
"protocol": "TCP",
"transport": "TCP"
},
"observer": {
"ingress": {
"interface": {
"name": "eth0"
}
}
},
"related": {
"ip": [
"10.0.1.4",
"14.225.46.243"
]
},
"source": {
"address": "14.225.46.243",
"ip": "14.225.46.243",
"port": 58953
}
}
```


=== "smb.json"

```json
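Review bot: `host.ip` is set to `14.225.46.243`, which is the remote RDP client (`src_ip`), not the machine that observed the event; in ECS `host.*` describes the observing host, so this mapping will make rules keyed on `host.ip` attribute external client addresses to the sensor. Two smaller points: `network.protocol` should carry the application protocol (`rdp`, already known from `event_type`) rather than a copy of `proto` that duplicates `network.transport`, and the certificate serial `773dbe1ea6dc998444b4f9da1f188ba8` from `rdp.x509_serials` is not surfaced in any parsed field (for example `tls.server.x509.serial_number`), so it cannot be matched or pivoted on.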
Expand Up @@ -683,6 +683,33 @@ In this section, you will find examples of raw logs as generated natively by the



=== "rdp"


```json
{
"timestamp": "2024-11-29T15:08:06.239558+0000",
"flow_id": 1822723333770346,
"in_iface": "eth0",
"event_type": "rdp",
"src_ip": "14.225.46.243",
"src_port": 58953,
"dest_ip": "10.0.1.4",
"dest_port": 3389,
"proto": "TCP",
"community_id": "1:kyALzWxuJ/ruPpAqvO4KTLSsEaQ=",
"rdp": {
"tx_id": 2,
"event_type": "tls_handshake",
"x509_serials": [
"773dbe1ea6dc998444b4f9da1f188ba8"
]
}
}
```



=== "smb"


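Review bot: this raw sample uses a public address, `14.225.46.243`, as the RDP client. Documentation examples should use a range reserved for documentation (RFC 5737: 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) so that readers who copy the sample into a test do not end up querying or blocking a real host; the parsed `rdp.json` example should be updated to match.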
