Refresh intakes documentation

SEKOIA-IO · Sep 16, 2024 · 47a84e5 · 47a84e5
1 parent 363abe2
commit 47a84e5
Show file tree

Hide file tree

Showing 21 changed files with 1,335 additions and 137 deletions.
diff --git a/...perations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md b/...perations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md
@@ -753,6 +753,11 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
         "organization": {
             "id": "123456789831564686"
         },
+        "related": {
+            "user": [
+                "user.name"
+            ]
+        },
         "rule": {
             "id": "-1"
         },
@@ -788,6 +793,9 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
             "eventid": 1387019684138751044,
             "siteId": 1083054176741832911,
             "updatedAt": "2022-03-29T17:20:30.998054Z"
+        },
+        "user": {
+            "name": "user.name"
         }
     }
     	
@@ -1310,7 +1318,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
                 "2001:db8:85a3::8a2e:370:7334"
             ],
             "user": [
-                "VM-SENTINELONE\\User"
+                "User"
             ]
         },
         "sentinelone": {
@@ -1459,7 +1467,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
             }
         },
         "user": {
-            "name": "VM-SENTINELONE\\User"
+            "domain": "VM-SENTINELONE",
+            "name": "User"
         }
     }
     	
@@ -1531,7 +1540,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
                 "fe80::9ddd:fd78:1f21:f709"
             ],
             "user": [
-                "tdr-vm-template\\tdr"
+                "tdr"
             ]
         },
         "sentinelone": {
@@ -1688,7 +1697,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
             }
         },
         "user": {
-            "name": "tdr-vm-template\\tdr"
+            "domain": "tdr-vm-template",
+            "name": "tdr"
         }
     }
     	
@@ -1758,7 +1768,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
                 "fe80::e4a1:7fce:33f3:d50e"
             ],
             "user": [
-                "DOMAIN\\USERNAME"
+                "USERNAME"
             ]
         },
         "sentinelone": {
@@ -2067,7 +2077,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
             }
         },
         "user": {
-            "name": "DOMAIN\\USERNAME"
+            "domain": "DOMAIN",
+            "name": "USERNAME"
         }
     }
     	
@@ -2133,7 +2144,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
                 "66.66.66.66"
             ],
             "user": [
-                "DOMAIN\\USERNAME"
+                "USERNAME"
             ]
         },
         "sentinelone": {
@@ -2441,7 +2452,8 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
             }
         },
         "user": {
-            "name": "DOMAIN\\USERNAME"
+            "domain": "DOMAIN",
+            "name": "USERNAME"
         }
     }
     	
@@ -2887,6 +2899,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`threat.indicator.file.size` | `long` | File size in bytes. |
 |`threat.software.type` | `keyword` | Software type. |
 |`url.original` | `wildcard` | Unmodified original url as seen in the event source. |
+|`user.domain` | `keyword` | Name of the directory the user is a member of. |
 |`user.id` | `long` |  |
 |`user.name` | `keyword` | Short name or login of the user. |
 

diff --git a/...perations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md b/...perations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md
@@ -684,6 +684,89 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
 	```
 
 
+=== "mobile_detection_network_connections.json"
+
+    ```json
+
+    {
+        "message": "{\"metadata\":{\"customerIDString\":\"0123456789ABCDEFGHIJKLMNOPQRSTUV\",\"offset\":13896542,\"eventType\":\"MobileDetectionSummaryEvent\",\"eventCreationTime\":1722754343000,\"version\":\"1.0\"},\"event\":{\"SensorId\":\"85ae98xxxxxxd9a8f2\",\"MobileDetectionId\":2,\"ComputerName\":\"host\",\"UserName\":\"[email protected]\",\"ContextTimeStamp\":1722754273,\"DetectId\":\"0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|2\",\"DetectName\":\"CkbSensorDetectDomainHighUI\",\"DetectDescription\":\"A domain lookup matched a CrowdStrike Intelligence indicator that has previously been used in targeted attacks.\",\"Tactic\":\"Falcon Intel\",\"TacticId\":\"CSTA0008\",\"Technique\":\"Intelligence Indicator - Domain\",\"TechniqueId\":\"CST0023\",\"Objective\":\"Falcon Detection Method\",\"Severity\":70,\"FalconHostLink\":\"https://falcon.eu-1.crowdstrike.com/mobile/detections/0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|2?_cid=0123456789ABCDEFGHIJKLMNOPQRSTUV\",\"MobileNetworkConnections\":[{\"AccessTimestamp\":1722754273,\"Protocol\":\"6\",\"ConnectionFlags\":0,\"LocalAddress\":\"\",\"RemoteAddress\":\"1.2.3.4\",\"RemotePort\":1,\"ConnectionDirection\":0,\"Url\":\"https://crowdstrike.test.com/integration\",\"IsIPV6\":false,\"ContextProcessId\":17793441978049446000}],\"ApplicationName\":\".com.google.chrome.ios\",\"NetworkDetectionType\":\"prevented\",\"SourceVendors\":\"CrowdStrike\",\"SourceProducts\":\"Falcon for Mobile\",\"DataDomains\":\"Endpoint\",\"PatternId\":41124,\"CompositeId\":\"7da61e27e34f4b8394081896af72e2c7:ind:2250689c5d8e43ccad2f5a7b56bced5b:41124|2\",\"Name\":\"CkbSensorDetectDomainHighUI\",\"Description\":\"A domain lookup matched a CrowdStrike Intelligence indicator that has previously been used in targeted attacks.\"}}",
+        "event": {
+            "action": "prevented",
+            "category": [
+                "intrusion_detection"
+            ],
+            "dataset": [
+                "MobileDetection"
+            ],
+            "kind": "alert",
+            "severity": 70,
+            "type": "info",
+            "url": "https://falcon.eu-1.crowdstrike.com/mobile/detections/0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|2?_cid=0123456789ABCDEFGHIJKLMNOPQRSTUV"
+        },
+        "@timestamp": "2024-08-04T06:52:23Z",
+        "agent": {
+            "id": "85ae98xxxxxxd9a8f2"
+        },
+        "crowdstrike": {
+            "customer_id": "0123456789ABCDEFGHIJKLMNOPQRSTUV",
+            "detect_description": "A domain lookup matched a CrowdStrike Intelligence indicator that has previously been used in targeted attacks.",
+            "detect_id": "0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|2",
+            "detect_name": "CkbSensorDetectDomainHighUI",
+            "event_objective": "Falcon Detection Method",
+            "event_type": "MobileDetectionSummaryEvent",
+            "mobile": {
+                "network_connections": [
+                    {
+                        "context": {
+                            "pid": "17793441978049446000"
+                        },
+                        "destination": {
+                            "address": "1.2.3.4",
+                            "port": 1
+                        },
+                        "direction": 0,
+                        "flags": 0,
+                        "is_ipv6": false,
+                        "protocol": 6,
+                        "timestamp": "2024-08-04T06:51:13.000000Z",
+                        "url": "https://crowdstrike.test.com/integration"
+                    }
+                ]
+            }
+        },
+        "host": {
+            "name": "host"
+        },
+        "network": {
+            "application": ".com.google.chrome.ios"
+        },
+        "observer": {
+            "product": "Falcon for Mobile",
+            "vendor": "CrowdStrike"
+        },
+        "related": {
+            "user": [
+                "[email protected]"
+            ]
+        },
+        "threat": {
+            "tactic": {
+                "id": "CSTA0008",
+                "name": "Falcon Intel"
+            },
+            "technique": {
+                "id": "CST0023",
+                "name": "Intelligence Indicator - Domain"
+            }
+        },
+        "user": {
+            "name": "[email protected]"
+        }
+    }
+    	
+	```
+
+
 === "mobile_detection_summary_1.json"
 
     ```json
@@ -1236,6 +1319,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`crowdstrike.incident_id` | `keyword` | The incident ID of the incident |
 |`crowdstrike.incident_start` | `date` | Time of the first activity in the incident |
 |`crowdstrike.incident_type` | `keyword` | Identity-based incident or detection name |
+|`crowdstrike.mobile.network_connections` | `array` | Mobile network connections |
 |`crowdstrike.object_id` | `keyword` | The identifier of a vertex |
 |`crowdstrike.operation_name` | `keyword` | Operation name |
 |`crowdstrike.pattern_id` | `keyword` | Identifies the pattern used for the detection |

diff --git a/...ns_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29_sample.md b/...ns_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29_sample.md
@@ -1033,6 +1033,63 @@ In this section, you will find examples of raw logs as generated natively by the
 
 
 
+=== "mobile_detection_network_connections"
+
+
+    ```json
+	{
+        "metadata": {
+            "customerIDString": "0123456789ABCDEFGHIJKLMNOPQRSTUV",
+            "offset": 13896542,
+            "eventType": "MobileDetectionSummaryEvent",
+            "eventCreationTime": 1722754343000,
+            "version": "1.0"
+        },
+        "event": {
+            "SensorId": "85ae98xxxxxxd9a8f2",
+            "MobileDetectionId": 2,
+            "ComputerName": "host",
+            "UserName": "[email protected]",
+            "ContextTimeStamp": 1722754273,
+            "DetectId": "0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|2",
+            "DetectName": "CkbSensorDetectDomainHighUI",
+            "DetectDescription": "A domain lookup matched a CrowdStrike Intelligence indicator that has previously been used in targeted attacks.",
+            "Tactic": "Falcon Intel",
+            "TacticId": "CSTA0008",
+            "Technique": "Intelligence Indicator - Domain",
+            "TechniqueId": "CST0023",
+            "Objective": "Falcon Detection Method",
+            "Severity": 70,
+            "FalconHostLink": "https://falcon.eu-1.crowdstrike.com/mobile/detections/0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|2?_cid=0123456789ABCDEFGHIJKLMNOPQRSTUV",
+            "MobileNetworkConnections": [
+                {
+                    "AccessTimestamp": 1722754273,
+                    "Protocol": "6",
+                    "ConnectionFlags": 0,
+                    "LocalAddress": "",
+                    "RemoteAddress": "1.2.3.4",
+                    "RemotePort": 1,
+                    "ConnectionDirection": 0,
+                    "Url": "https://crowdstrike.test.com/integration",
+                    "IsIPV6": false,
+                    "ContextProcessId": 17793441978049446000
+                }
+            ],
+            "ApplicationName": ".com.google.chrome.ios",
+            "NetworkDetectionType": "prevented",
+            "SourceVendors": "CrowdStrike",
+            "SourceProducts": "Falcon for Mobile",
+            "DataDomains": "Endpoint",
+            "PatternId": 41124,
+            "CompositeId": "7da61e27e34f4b8394081896af72e2c7:ind:2250689c5d8e43ccad2f5a7b56bced5b:41124|2",
+            "Name": "CkbSensorDetectDomainHighUI",
+            "Description": "A domain lookup matched a CrowdStrike Intelligence indicator that has previously been used in targeted attacks."
+        }
+    }
+    ```
+
+
+
 === "mobile_detection_summary_1"
 
 

diff --git a/...perations_center/integrations/generated/46ca6fc8-3d30-434c-92ff-0e1cde564161.md b/...perations_center/integrations/generated/46ca6fc8-3d30-434c-92ff-0e1cde564161.md
@@ -257,11 +257,16 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
                         "reference": "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/3ba97fc852c66a7ba761450edfdfb9f4ffab74715b591294f78b5e37a76481aa",
                         "type": "domain-name",
                         "url": {
-                            "domain": "badsite.zz"
+                            "domain": "badsite.zz",
+                            "original": "badsite.zz"
                         }
                     }
                 }
             ]
+        },
+        "url": {
+            "original": "badsite.zz",
+            "path": "badsite.zz"
         }
     }