From c3d27f46ae1fe6c5d3dfe7769d1092a2f9ff0b70 Mon Sep 17 00:00:00 2001 
From: "sekoia-io-cross-repo-comm-app[bot]" <99295792+sekoia-io-cross-repo-comm-app[bot]@users.noreply.github.com> Date: Mon, 8 Apr 2024 10:54:59 +0000 Subject: [PATCH] Refresh intakes documentation --- .../00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0.md | 9 +- .../02a74ceb-a9b0-467c-97d1-588319e39d71.md | 11 +- .../033cd098-b21b-4c9b-85c4-c8174c307e48.md | 14 +- .../04d36706-ee4a-419b-906d-f92f3a46bcdd.md | 18 +- .../05e6f36d-cee0-4f06-b575-9e43af779f9f.md | 691 +++++++++++++++++- .../0642b03a-9d4a-4c88-a5e2-4597e366b8c4.md | 34 - .../064f7e8b-ce5f-474d-802e-e88fe2193365.md | 13 +- .../07c0cac8-f68f-11ea-adc1-0242ac120002.md | 10 +- .../07c556c0-0675-478c-9803-e7990afe78b6.md | 19 +- .../0ba58f32-7dba-4084-ab17-90c0be6b1f10.md | 5 +- .../10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md | 229 +++++- .../16676d72-463e-4b8a-b13a-f8dd48cddc8c.md | 5 +- .../1df44c62-33d3-41d4-8176-f1fa13589eea.md | 4 + .../22f2afd2-c858-443d-8e06-7b335e439c29.md | 12 +- .../23b75d0c-2026-4d3e-b916-636c27ba4931.md | 12 +- .../250e4095-fa08-4101-bb02-e72f870fcbd1.md | 147 ++++ .../255764ef-eaf6-4964-958e-81b9418e6584.md | 9 +- .../2886cd2d-f686-4e7d-9976-250cba2eaf5b.md | 4 +- .../2b13307b-7439-4973-900a-2b58303cac90.md | 42 +- .../2e9d87ed-6606-445a-90d1-9c7695b28335.md | 7 +- .../325369ba-8515-45b4-b750-5db882ea1266.md | 12 +- .../331fa58d-8cf9-454a-a87f-48a3dc07d4d3.md | 14 +- .../340e3bc7-2b76-48e4-9833-e971451b2979.md | 142 ++-- .../35855de3-0728-4a83-ae19-e38e167432a1.md | 19 +- .../3c7057d3-4689-4fae-8033-6f1f887a70f2.md | 127 +++- .../3f330d19-fdea-48ac-96bd-91a447bb26bd.md | 21 +- .../40bac399-2d8e-40e3-af3b-f73a622c9687.md | 123 +++- .../40deb162-6bb1-4635-9c99-5c2de7e1d340.md | 35 +- .../419bd705-fa61-496c-94fa-28d6c1f2e2a8.md | 14 +- .../466aeca2-e112-4ccc-a109-c6d85b91bbcf.md | 194 ++--- .../469bd3ae-61c9-4c39-9703-7452882e70da.md | 247 ++++++- .../46ca6fc8-3d30-434c-92ff-0e1cde564161.md | 5 +- .../46e45417-187b-45bb-bf81-30df7b1963a0.md | 123 +++- .../46fe3905-9e38-4fb2-be09-44d31626b694.md 
| 6 +- .../4760d0bc-2194-44e5-a876-85102b18d832.md | 17 +- .../515ed00f-bf70-4fce-96cc-0ca31abd5d24.md | 5 +- .../547234b3-82ea-4507-b28f-3ee3cd5b9a8e.md | 10 +- .../5702ae4e-7d8a-455f-a47b-ef64dd87c981.md | 137 +++- .../588a448b-c08d-4139-a746-b2b9f366e34b.md | 4 +- .../591feb54-1d1f-4453-b780-b225c59e9f99.md | 18 +- .../5a8ef52f-d143-4735-8546-98539fc07725.md | 4 + .../5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2.md | 2 + .../622999fe-d383-4d41-9f2d-eed5013fe463.md | 48 +- .../63974ce1-2f0a-44f7-a4cf-3e64787c1c39.md | 4 +- .../69b52166-b804-4f47-860f-2d3fd0b46987.md | 7 +- .../6b8cb346-6605-4240-ac15-3828627ba899.md | 111 +-- .../6dbdd199-77ae-4705-a5de-5c2722fa020e.md | 118 ++- .../700f332f-d515-4bc5-8a62-49fa5f2c9206.md | 12 +- .../70c5c3db-fae8-4825-8d8b-08d6315e1ef6.md | 36 +- .../76d767ed-5431-4db1-b893-a48b6903d871.md | 8 +- .../79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4.md | 12 +- .../7b1317ec-3f87-4b53-9b6d-3f79045f28fa.md | 5 +- .../80b8382e-0667-4469-bbc9-74be1e0ca1c1.md | 7 +- .../80de6ccb-7246-40de-bcbb-bc830118c1f9.md | 7 +- .../838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9.md | 4 +- .../8461aabe-6eba-4044-ad7f-a0c39a2b2279.md | 5 +- .../8510051d-c7cf-4b0c-a398-031afe91faa0.md | 11 +- .../890207d2-4878-440d-9079-3dd25d472e0a.md | 9 +- .../8a9894f8-d7bc-4c06-b96a-8808b3c6cade.md | 11 +- .../8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd.md | 4 +- .../8f472113-ba5b-45b9-9a2c-944834396333.md | 3 +- .../90179796-f949-490c-8729-8cbc9c65be55.md | 114 +++ .../903ec1b8-f206-4ba5-8563-db21da09cafd.md | 61 +- .../9044ba46-2b5d-4ebd-878a-51d62e84c8df.md | 7 +- .../9281438c-f7c3-4001-9bcc-45fd108ba1be.md | 75 ++ .../954a6488-6394-4385-8427-621541e881d5.md | 5 +- .../98fa7079-41ae-4033-a93f-bbd70d114188.md | 5 +- .../995d7daf-4e4a-42ec-b90d-9af2f7be7019.md | 27 +- .../99da26fc-bf7b-4e5b-a76c-408472fcfebb.md | 17 - .../9b95c9cf-8b78-4830-a1ed-b9e88f05e67a.md | 8 +- .../9f89b634-0531-437b-b060-a9d9f2d270db.md | 8 +- .../a0716ffd-5f9e-4b97-add4-30f1870e3d03.md | 7 +- 
.../a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb.md | 25 +- .../a14b1141-2d61-414b-bf79-da99b487b1af.md | 37 +- .../a406a8c1-e1e0-4fe9-835b-3607d01150e6.md | 19 - .../ab25af2e-4916-40ba-955c-34d2301c1f51.md | 16 +- .../aeb7d407-db57-44b2-90b6-7df6738d5d7f.md | 15 +- .../b28db14b-e3a7-463e-8659-9bf0e577944f.md | 35 +- .../b2d961ae-0f7e-400b-879a-f97be24cc02d.md | 13 +- .../ba40ab72-1456-11ee-be56-0242ac120002.md | 4 +- .../bae128bb-98c6-45f7-9763-aad3451821e5.md | 592 ++++++++------- .../bd9d0f51-114e-499a-bb7a-4f2d0a518b04.md | 7 +- .../c20528c1-621e-4959-83ba-652eca2e8ed0.md | 8 +- .../c2faea65-1eb3-4f3f-b895-c8769a749d45.md | 6 +- .../c6a43439-7b9d-4678-804b-ebda6756db60.md | 5 +- .../caa13404-9243-493b-943e-9848cadb1f99.md | 31 +- .../cf5c916e-fa26-11ed-a844-f7f4d7348199.md | 10 +- .../d14567dd-56b1-42f8-aa64-fb65d4b0a4cf.md | 6 +- .../d2725f97-0c7b-4942-a847-983f38efb8ff.md | 11 +- .../d3a813ac-f9b5-451c-a602-a5994544d9ed.md | 113 ++- .../d626fec3-473a-44b3-9e3d-587fdd99a421.md | 7 +- .../d6d15297-e977-4584-9bb3-f0290b99f014.md | 18 +- .../d6f69e04-6ab7-40c0-9723-84060aeb5529.md | 14 +- .../d719e8b5-85a1-4dad-bf71-46155af56570.md | 81 +- .../d9f337a4-1303-47d4-b15f-1f83807ff3cc.md | 12 +- .../da3555f9-8213-41b8-8659-4cb814431e29.md | 4 +- .../dbebefdd-dd2e-48a9-89e6-ee5a00ee0956.md | 33 - .../dc0f339f-5dbe-4e68-9fa0-c63661820941.md | 14 +- .../e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e.md | 9 +- .../e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md | 9 +- .../e6bb2404-8fc8-4124-a785-c1276277b5d7.md | 11 +- .../e8ca856f-8a58-490b-bea4-247b12b3d74b.md | 45 +- .../e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6.md | 93 +-- .../eb727929-6a06-4e68-a09d-cf0e5daf3ccd.md | 23 +- .../ee0b3023-524c-40f6-baf5-b69c7b679887.md | 7 +- .../ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb.md | 314 ++++++++ .../ee6364a1-9e3c-4363-9cb6-2f574bd4ce51.md | 8 +- .../f0f95532-9928-4cde-a399-ddd992d48472.md | 5 +- .../f570dd30-854b-4a22-9c2d-e2cfa46bf0e5.md | 5 +- .../f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0.md | 152 +--- 
.../fc99c983-3e6c-448c-97e6-7e0948e12415.md | 5 +- 111 files changed, 3077 insertions(+), 2075 deletions(-) diff --git a/_shared_content/operations_center/integrations/generated/00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0.md b/_shared_content/operations_center/integrations/generated/00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0.md index 0bc5754a11..c46f296afa 100644 --- a/_shared_content/operations_center/integrations/generated/00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0.md +++ b/_shared_content/operations_center/integrations/generated/00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0.md @@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `process` | | Type | `change` | @@ -38,7 +38,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "reason": "StopContainer for \\\"4c2b21624d4488ea8305bec91bb58135e840ab50b779da3db19ddf87864a760e\\\" with timeout 30 (s)", "type": [ "change" @@ -117,7 +116,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "reason": "Pulling image \"gke.gcr.io/prometheus-to-sd:v0.11.3-gke.0\"", "type": [ "change" @@ -213,7 +211,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "reason": "Failed to update endpoint kube-system/kube-dns: Operation cannot be fulfilled on endpoints \"kube-dns\": the object has been modified; please apply your changes to the latest version and try again", "type": [ "change" @@ -306,7 +303,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "reason": "Created container prometheus-to-sd", "type": [ "change" 
@@ -402,7 +398,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "reason": "{\"unmanaged\": {\"net.netfilter.nf_conntrack_buckets\": \"32768\"}}", "type": [ "change" @@ -493,7 +488,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "reason": "Event exporter started watching. Some events may have been lost up to this point.", "type": [ "change" @@ -540,7 +534,6 @@ The following table lists the fields that are extracted, normalized under the EC |`cloud.project.id` | `keyword` | The cloud project id. | |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`google_kubernetes_engine.insertId` | `keyword` | | diff --git a/_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71.md b/_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71.md index 028edddeec..f39d4408f4 100644 --- a/_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71.md +++ b/_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71.md @@ -17,7 +17,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `alert`, `event` | +| Kind | `alert` | | Category | `network` | | Type | `connection` | 
@@ -41,7 +41,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "Message", "dataset": "audit_aaatm", - "kind": "event", "reason": "\"AAA JSON-PARSE: ns_aaa_json_parser_StartElementHandler: NAME_VAL state, multi valued attribute start 'ConnectionId' seen\"", "type": [ "connection" @@ -131,7 +130,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "CONN_TERMINATE", "dataset": "audit_connection", - "kind": "event", "type": [ "connection" ] @@ -179,7 +177,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "CONN_TERMINATE", "dataset": "audit_connection", - "kind": "event", "type": [ "connection" ] @@ -227,7 +224,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "CONN_DELINK", "dataset": "audit_connection", - "kind": "event", "type": [ "connection" ] @@ -346,7 +342,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "TRAP_SENT", "dataset": "audit_snmp", - "kind": "event", "reason": "appfwPolicyHit (appfwLogMsg = \"\"CEF:0|Citrix|NetScaler|NS13.1|APPFW|APPFW_POLI...\"\", nsPartitionName = default)\"", "type": [ "connection" @@ -373,7 +368,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "SSL_HANDSHAKE_SUCCESS", "dataset": "audit_ssl", - "kind": "event", "type": [ "connection" ] @@ -421,7 +415,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "Message", "dataset": "audit_sslvpn", - "kind": "event", "type": [ "connection" ] @@ -475,7 +468,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "NONHTTP_RESOURCEACCESS_DENIED", "dataset": "audit_sslvpn", - "kind": "event", "type": [ "connection" ] 
@@ -536,7 +528,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "Message", "dataset": "audit_sslvpn", - "kind": "event", "type": [ "connection" ] diff --git a/_shared_content/operations_center/integrations/generated/033cd098-b21b-4c9b-85c4-c8174c307e48.md b/_shared_content/operations_center/integrations/generated/033cd098-b21b-4c9b-85c4-c8174c307e48.md index 821f804c93..37498ee5bc 100644 --- a/_shared_content/operations_center/integrations/generated/033cd098-b21b-4c9b-85c4-c8174c307e48.md +++ b/_shared_content/operations_center/integrations/generated/033cd098-b21b-4c9b-85c4-c8174c307e48.md @@ -18,7 +18,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `intrusion_detection`, `malware`, `network`, `process`, `web` | | Type | `denied`, `info` | @@ -42,7 +42,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "malware" ], "dataset": "AMSI", - "kind": "event", "type": [ "info" ] @@ -113,7 +112,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process" ], "dataset": "applicationControl", - "kind": "event", "type": [ "info" ] @@ -226,7 +224,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "web" ], "dataset": "browsingProtection", - "kind": "event", "reason": "WF_Denied", "type": [ "denied" @@ -282,7 +279,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "web" ], "dataset": "reputationBasedBrowsing", - "kind": "event", "reason": "BP_Harmful", "type": [ "denied" @@ -341,7 +337,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "malware" ], "dataset": "deepGuard", - "kind": "event", "reason": "DeepGuard blocks a rare application", "type": [ "info" 
@@ -409,7 +404,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "intrusion_detection" ], "dataset": "edr", - "kind": "event", "type": [ "info" ] @@ -467,7 +461,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "intrusion_detection" ], "dataset": "edr", - "kind": "event", "type": [ "info" ] @@ -513,7 +506,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "firewall", - "kind": "event", "type": [ "denied" ] @@ -587,7 +579,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "web" ], "dataset": "reputationBasedBrowsing", - "kind": "event", "reason": "BP_Harmful", "type": [ "denied" @@ -651,7 +642,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "malware" ], "dataset": "manualScanning", - "kind": "event", "type": [ "info" ] @@ -724,7 +714,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "4625", "dataset": "systemEventsLog", - "kind": "event", "provider": "Microsoft-Windows-Security-Auditing", "reason": "An account failed to log on.", "type": [ @@ -807,7 +796,6 @@ The following table lists the fields that are extracted, normalized under the EC |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.code` | `keyword` | Identification code for this event. | |`event.dataset` | `keyword` | Name of the dataset. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.provider` | `keyword` | Source of the event. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | 
diff --git a/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md b/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md index 3877605f42..6448687c8f 100644 --- a/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md +++ b/_shared_content/operations_center/integrations/generated/04d36706-ee4a-419b-906d-f92f3a46bcdd.md @@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `authentication`, `configuration`, `file`, `iam`, `session` | | Type | `access`, `admin`, `connection` | @@ -40,7 +40,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "configuration" ], "dataset": "admin#reports#activity", - "kind": "event", "type": [ "info" ] @@ -104,7 +103,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "configuration" ], "dataset": "admin#reports#activity", - "kind": "event", "type": [ "access", "change" @@ -161,7 +159,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "configuration" ], "dataset": "admin#reports#activity", - "kind": "event", "type": [ "change" ] @@ -220,7 +217,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "configuration" ], "dataset": "admin#reports#activity", - "kind": "event", "type": [ "change", "creation" @@ -282,7 +278,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "session" ], "dataset": "admin#reports#activity", - "kind": "event", "type": [ "connection" ] @@ -339,7 +334,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "session" ], "dataset": "admin#reports#activity", - "kind": "event", "type": [ "connection" ] 
@@ -393,7 +387,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "file" ], "dataset": "audit#activity", - "kind": "event", "type": [ "access", "change" @@ -460,7 +453,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "file" ], "dataset": "audit#activity", - "kind": "event", "type": [ "access", "change" @@ -523,7 +515,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "file" ], "dataset": "admin#reports#activity", - "kind": "event", "type": [ "access" ] @@ -589,7 +580,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "iam" ], "dataset": "admin#reports#activity", - "kind": "event", "type": [ "admin" ] @@ -641,7 +631,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "session" ], "dataset": "admin#reports#activity", - "kind": "event", "type": [ "connection" ] @@ -700,7 +689,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "session" ], "dataset": "admin#reports#activity", - "kind": "event", "type": [ "connection" ] @@ -755,7 +743,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "file" ], "dataset": "admin#reports#activity", - "kind": "event", "type": [ "access", "change" @@ -824,7 +811,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "admin#reports#activity", - "kind": "event", "type": [ "access", "connection" @@ -890,7 +876,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "admin#reports#activity", - "kind": "event", "type": [ "access", "connection" 
@@ -962,7 +947,6 @@ The following table lists the fields that are extracted, normalized under the EC |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.dataset` | `keyword` | Name of the dataset. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`file.gid` | `keyword` | Primary group ID (GID) of the file. | |`file.name` | `keyword` | Name of the file including the extension, without the directory. | diff --git a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md index 96d2238658..3a06f0d6ad 100644 --- a/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md +++ b/_shared_content/operations_center/integrations/generated/05e6f36d-cee0-4f06-b575-9e43af779f9f.md @@ -34,7 +34,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `alert`, `enrichment`, `event` | +| Kind | `alert`, `enrichment` | | Category | `authentication`, `connection`, `email`, `file`, `host`, `iam`, `intrusion_detection`, `network`, `process`, `threat` | | Type | `indicator`, `info` | @@ -81,6 +81,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "defender": { "alert": { "id": "dadca6b5e5-5ab9-4a96-9dbb-ba2f8e7756e3_1", + "severity": "Low", "title": "Executable content from email blocked" }, "entity": { 
@@ -156,6 +157,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "defender": { "alert": { "id": "fa72d6f6a8-39e7-2681-d400-08dbbe90c56e", + "severity": "Informational", "title": "Phish delivered due to an IP allow policy" }, "entity": { 
@@ -178,6 +180,92 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_alert_evidence_3.json" + + ```json + + { + "message": "{\"time\":\"2024-03-13T12:57:23.9020375Z\",\"tenantId\":\"07313d70-2f20-4c3c-847a-ecbcfc20afd1\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-AlertEvidence\",\"properties\":{\"Timestamp\":\"2024-03-13T12:57:00Z\",\"AlertId\":\"eb85e8e3-670c-43d7-95f3-c57c91b80a1d\",\"EntityType\":\"Mailbox\",\"EvidenceRole\":\"Impacted\",\"SHA1\":\"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc\",\"SHA256\":\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\"RemoteIP\":\"5.6.7.8\",\"LocalIP\":\"1.2.3.4\",\"RemoteUrl\":null,\"AccountName\":\"john.doe\",\"AccountDomain\":\"example\",\"AccountSid\":\"S-1-5-21-1111111111-222222222-444444444-333333\",\"AccountObjectId\":\"356eaca4-b5d5-4c9f-9cea-f566e4ec7570\",\"DeviceId\":null,\"ThreatFamily\":null,\"EvidenceDirection\":null,\"AdditionalFields\":\"{\\\"MailboxPrimaryAddress\\\":\\\"john.doe@example.com\\\",\\\"DisplayName\\\":\\\"DOEJohn\\\",\\\"Upn\\\":\\\"john.doe@example.com\\\",\\\"AadId\\\":\\\"cb2b1d48-3c0c-4eeb-bf05-2245a6e7aa38\\\",\\\"RiskLevel\\\":\\\"None\\\",\\\"StartTimeUtc\\\":\\\"2024-03-13T12:55:00Z\\\",\\\"EndTimeUtc\\\":\\\"2024-03-13T12:57:00Z\\\",\\\"EntitySources\\\":[\\\"Alert\\\"],\\\"Type\\\":\\\"mailbox\\\",\\\"Urn\\\":\\\"urn:UserEntity:68b329da9893e34099c7d8ad5cb9c940\\\",\\\"Source\\\":\\\"OATP\\\",\\\"FirstSeen\\\":\\\"0001-01-01T00:00:00\\\",\\\"SourceEntityType\\\":\\\"MalwareFamily\\\",\\\"SourceEntityId\\\":\\\"b8ed97e9-82ed-49b2-bf20-ebc413349655\\\",\\\"SourceThreatType\\\":\\\"Phish,Malicious\\\",\\\"SourceThreatName\\\":\\\"Phish,Malicious\\\",\\\"UserSid\\\":\\\"S-1-5-21-1111111111-222222222-444444444-333333\\\",\\\"AccountName\\\":\\\"john.doe\\\",\\\"DomainName\\\":\\\"example\\\",\\\"Role\\\":0,\\\"MergeByKey\\\":\\\"P/0zPBzZgl+0ob6ZK60I7fmCbPU=\\\",\\\"MergeByKeyHex\\\":\\\"3FFD333C1CD9825FB4A1BE992BAD08
EDF9826CF5\\\"}\",\"MachineGroup\":null,\"NetworkMessageId\":null,\"ServiceSource\":\"MicrosoftDefenderforOffice365\",\"FileName\":\"splwow64.exe\",\"FolderPath\":\"C:\\\\Windows\",\"ProcessCommandLine\":null,\"EmailSubject\":null,\"ApplicationId\":null,\"Application\":null,\"DeviceName\":null,\"FileSize\":13,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"AccountUpn\":\"john.doe@example.com\",\"OAuthApplicationId\":null,\"Categories\":\"[\\\"InitialAccess\\\"]\",\"Title\":\"PhishdeliveredduetoanETRoverride\",\"AttackTechniques\":\"[\\\"Phishing(T1566)\\\"]\",\"DetectionSource\":\"MicrosoftDefenderforOffice365\",\"Severity\":\"Informational\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "threat" + ], + "dataset": "alert_evidence", + "kind": "enrichment", + "type": [ + "indicator" + ] + }, + "@timestamp": "2024-03-13T12:57:00Z", + "action": { + "properties": { + "AccountSid": "S-1-5-21-1111111111-222222222-444444444-333333", + "AccountUPN": "john.doe@example.com", + "ServiceSource": "MicrosoftDefenderforOffice365" + } + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "file": { + "directory": "C:\\Windows", + "hash": { + "sha1": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc", + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + }, + "name": "splwow64.exe", + "size": 13 + }, + "microsoft": { + "defender": { + "alert": { + "id": "eb85e8e3-670c-43d7-95f3-c57c91b80a1d", + "severity": "Informational", + "title": "PhishdeliveredduetoanETRoverride" + }, + "entity": { + "type": "Mailbox" + }, + "evidence": { + "role": "Impacted" + }, + "threat": { + "severity": "Informational" + } + } + }, + "related": { + "hash": [ + "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", + "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "john.doe" + ] + }, + "service": { + "name": "MicrosoftDefenderforOffice365", + "type": 
"MicrosoftDefenderforOffice365" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "domain": "example", + "id": "356eaca4-b5d5-4c9f-9cea-f566e4ec7570", + "name": "john.doe" + } + } + + ``` + + === "test_cloud_app.json" ```json @@ -189,7 +277,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "intrusion_detection" ], "dataset": "cloud_app_events", - "kind": "event", "type": [ "info" ] @@ -263,7 +350,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "intrusion_detection" ], "dataset": "cloud_app_events", - "kind": "event", "type": [ "info" ] @@ -340,6 +426,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "defender": { "alert": { "id": "da637977531594995313_968283104", + "severity": "Informational", "title": "'Lodi' unwanted software was prevented" }, "threat": { @@ -368,7 +455,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "dataset": "device_events", - "kind": "event", "type": [ "info" ] @@ -467,7 +553,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "file" ], "dataset": "device_file_certificate_info", - "kind": "event", "type": [ "info" ] @@ -535,7 +620,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "file" ], "dataset": "device_file_events", - "kind": "event", "type": [ "info" ] @@ -632,7 +716,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process" ], "dataset": "device_image_load_events", - "kind": "event", "type": [ "info" ] @@ -725,7 +808,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "dataset": "device_info_events", - "kind": "event", "type": [ "info" ] @@ -794,7 +876,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "dataset": "device_info_events", - "kind": "event", "type": [ "info" ] 
@@ -853,7 +934,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "device_logon_events", - "kind": "event", "type": [ "info" ] @@ -933,7 +1013,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "device_network_events", - "kind": "event", "type": [ "info" ] @@ -1035,7 +1114,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "dataset": "device_network_info", - "kind": "event", "type": [ "info" ] @@ -1087,7 +1165,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process" ], "dataset": "device_process_events", - "kind": "event", "type": [ "info" ] @@ -1207,7 +1284,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process" ], "dataset": "device_registry_events", - "kind": "event", "type": [ "info" ] 
@@ -1283,6 +1359,591 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_email_events.json" + + ```json + + { + "message": "{\"time\":\"2022-09-01T07:28:59.5127177Z\",\"tenantId\":\"5ac3ff49-0e19-4600-9ad1-333e64e3b5cc\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-EmailEvents\",\"properties\":{\"AccountSid\":null,\"AccountDomain\":null,\"AccountName\":null,\"LogonId\":null,\"FileName\":null,\"FolderPath\":null,\"MD5\":null,\"SHA1\":null,\"FileSize\":null,\"SHA256\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"RemoteUrl\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"RemoteDeviceName\":null,\"FileOriginIP\":null,\"FileOriginUrl\":null,\"LocalIP\":\"1.2.3.4\",\"LocalPort\":null,\"RemoteIP\":\"5.6.7.8\",\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"AdditionalFields\":\"{\\\"BaseAddress\\\":2098738167808,\\\"RegionSize\\\":262144,\\\"ProtectionMask\\\":64}\",\"ActionType\":\"NtAllocateVirtualMemoryApiCall\",\"InitiatingProcessVersionInfoCompanyName\":\"Google\",\"InitiatingProcessVersionInfoProductName\":\"Software Reporter Tool\",\"InitiatingProcessVersionInfoProductVersion\":\"102.286.200\",\"InitiatingProcessVersionInfoInternalFileName\":\"software_reporter_tool_exe\",\"InitiatingProcessVersionInfoOriginalFileName\":\"software_reporter_tool.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Software Reporter Tool\",\"InitiatingProcessFolderPath\":\"c:\\\\users\\\\USER\\\\appdata\\\\local\\\\google\\\\chrome\\\\user 
data\\\\swreporter\\\\102.286.200\\\\software_reporter_tool.exe\",\"InitiatingProcessFileName\":\"software_reporter_tool.exe\",\"InitiatingProcessFileSize\":14687048,\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessLogonId\":121834210,\"InitiatingProcessAccountSid\":\"S-1-00-1-1111111-2222222222-3333333333-4444444444\",\"InitiatingProcessAccountDomain\":\"intranet\",\"InitiatingProcessAccountName\":\"group1\",\"InitiatingProcessAccountUpn\":\"user@example.org\",\"InitiatingProcessAccountObjectId\":\"9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2\",\"InitiatingProcessCreationTime\":\"2022-09-01T06:56:23.7887846Z\",\"InitiatingProcessId\":1664,\"InitiatingProcessCommandLine\":\"\\\"software_reporter_tool.exe\\\" --use-crash-handler-with-id=\\\"\\\\\\\\.\\\\pipe\\\\crashpad_11111_XXXXXXXXXXXXXXXX\\\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2\",\"InitiatingProcessParentCreationTime\":\"2022-09-01T06:56:23.595229Z\",\"InitiatingProcessParentId\":15532,\"InitiatingProcessParentFileName\":\"software_reporter_tool.exe\",\"DeviceId\":\"1111111111111111111111111111111111111111\",\"AppGuardContainerId\":\"\",\"MachineGroup\":\"UnassignedGroup\",\"Timestamp\":\"2022-09-01T07:09:47.4980566Z\",\"DeviceName\":\"test.lab\",\"ReportId\":104061}}", + "event": { + "category": [ + "email" + ], + "dataset": "email_events", + "type": [ + "denied", + "info" + ] + }, + "@timestamp": "2022-09-01T07:09:47.498056Z", + "action": { + "properties": { + "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 
--sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "InitiatingProcessFileSize": 14687048, + "InitiatingProcessLogonId": "121834210", + "InitiatingProcessVersionInfoCompanyName": "Google", + "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", + "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", + "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", + "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", + "InitiatingProcessVersionInfoProductVersion": "102.286.200" + }, + "type": "NtAllocateVirtualMemoryApiCall" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "host": { + "id": "1111111111111111111111111111111111111111", + "name": "test.lab" + }, + "microsoft": { + "defender": { + "report": { + "id": "104061" + } + } + }, + "process": { + "args": [ + "--engine=2", + "--init-done-notifier=804", + "--mojo-platform-channel-handle=780", + "--sandbox-mojo-pipe-token=**********", + "--sandboxed-process-id=2", + "--use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\"" + ], + "command_line": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "executable": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200\\software_reporter_tool.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + }, + "name": "software_reporter_tool.exe", + "parent": { + "name": "software_reporter_tool.exe", + "pid": 15532, + "start": "2022-09-01T06:56:23.595229Z" + }, + "pid": 1664, + "start": "2022-09-01T06:56:23.788784Z", + "user": { + "domain": "intranet", + "email": 
"user@example.org", + "id": "S-1-00-1-1111111-2222222222-3333333333-4444444444", + "name": "group1" + }, + "working_directory": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } + + ``` + + +=== "test_email_url_info.json" + + ```json + + { + "message": "{\"time\":\"2022-09-01T07:28:59.5127177Z\",\"tenantId\":\"5ac3ff49-0e19-4600-9ad1-333e64e3b5cc\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-EmailUrlInfo\",\"properties\":{\"AccountSid\":null,\"AccountDomain\":null,\"AccountName\":null,\"LogonId\":null,\"FileName\":null,\"FolderPath\":null,\"MD5\":null,\"SHA1\":null,\"FileSize\":null,\"SHA256\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"RemoteUrl\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"RemoteDeviceName\":null,\"FileOriginIP\":null,\"FileOriginUrl\":null,\"LocalIP\":\"1.2.3.4\",\"LocalPort\":null,\"RemoteIP\":\"5.6.7.8\",\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"AdditionalFields\":\"{\\\"BaseAddress\\\":2098738167808,\\\"RegionSize\\\":262144,\\\"ProtectionMask\\\":64}\",\"ActionType\":\"NtAllocateVirtualMemoryApiCall\",\"InitiatingProcessVersionInfoCompanyName\":\"Google\",\"InitiatingProcessVersionInfoProductName\":\"Software Reporter Tool\",\"InitiatingProcessVersionInfoProductVersion\":\"102.286.200\",\"InitiatingProcessVersionInfoInternalFileName\":\"software_reporter_tool_exe\",\"InitiatingProcessVersionInfoOriginalFileName\":\"software_reporter_tool.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Software Reporter 
Tool\",\"InitiatingProcessFolderPath\":\"c:\\\\users\\\\USER\\\\appdata\\\\local\\\\google\\\\chrome\\\\user data\\\\swreporter\\\\102.286.200\\\\software_reporter_tool.exe\",\"InitiatingProcessFileName\":\"software_reporter_tool.exe\",\"InitiatingProcessFileSize\":14687048,\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessLogonId\":121834210,\"InitiatingProcessAccountSid\":\"S-1-00-1-1111111-2222222222-3333333333-4444444444\",\"InitiatingProcessAccountDomain\":\"intranet\",\"InitiatingProcessAccountName\":\"group1\",\"InitiatingProcessAccountUpn\":\"user@example.org\",\"InitiatingProcessAccountObjectId\":\"9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2\",\"InitiatingProcessCreationTime\":\"2022-09-01T06:56:23.7887846Z\",\"InitiatingProcessId\":1664,\"InitiatingProcessCommandLine\":\"\\\"software_reporter_tool.exe\\\" --use-crash-handler-with-id=\\\"\\\\\\\\.\\\\pipe\\\\crashpad_11111_XXXXXXXXXXXXXXXX\\\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2\",\"InitiatingProcessParentCreationTime\":\"2022-09-01T06:56:23.595229Z\",\"InitiatingProcessParentId\":15532,\"InitiatingProcessParentFileName\":\"software_reporter_tool.exe\",\"DeviceId\":\"1111111111111111111111111111111111111111\",\"AppGuardContainerId\":\"\",\"MachineGroup\":\"UnassignedGroup\",\"Timestamp\":\"2022-09-01T07:09:47.4980566Z\",\"DeviceName\":\"test.lab\",\"ReportId\":104061}}", + "event": { + "category": [ + "email" + ], + "dataset": "email_url_info", + "type": [ + "info" + ] + }, + "@timestamp": "2022-09-01T07:09:47.498056Z", + "action": { + "properties": { + "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" 
--use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "InitiatingProcessFileSize": 14687048, + "InitiatingProcessLogonId": "121834210", + "InitiatingProcessVersionInfoCompanyName": "Google", + "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", + "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", + "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", + "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", + "InitiatingProcessVersionInfoProductVersion": "102.286.200" + }, + "type": "NtAllocateVirtualMemoryApiCall" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "host": { + "id": "1111111111111111111111111111111111111111", + "name": "test.lab" + }, + "microsoft": { + "defender": { + "report": { + "id": "104061" + } + } + }, + "process": { + "args": [ + "--engine=2", + "--init-done-notifier=804", + "--mojo-platform-channel-handle=780", + "--sandbox-mojo-pipe-token=**********", + "--sandboxed-process-id=2", + "--use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\"" + ], + "command_line": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "executable": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200\\software_reporter_tool.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + }, + "name": "software_reporter_tool.exe", + "parent": { + "name": "software_reporter_tool.exe", + "pid": 15532, + "start": 
"2022-09-01T06:56:23.595229Z" + }, + "pid": 1664, + "start": "2022-09-01T06:56:23.788784Z", + "user": { + "domain": "intranet", + "email": "user@example.org", + "id": "S-1-00-1-1111111-2222222222-3333333333-4444444444", + "name": "group1" + }, + "working_directory": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } + + ``` + + +=== "test_identity_directory.json" + + ```json + + { + "message": "{\"time\":\"2022-09-01T07:28:59.5127177Z\",\"tenantId\":\"5ac3ff49-0e19-4600-9ad1-333e64e3b5cc\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-IdentityDirectoryEvents\",\"properties\":{\"AccountSid\":null,\"AccountDomain\":null,\"AccountName\":null,\"LogonId\":null,\"FileName\":null,\"FolderPath\":null,\"MD5\":null,\"SHA1\":null,\"FileSize\":null,\"SHA256\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"RemoteUrl\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"RemoteDeviceName\":null,\"FileOriginIP\":null,\"FileOriginUrl\":null,\"LocalIP\":\"1.2.3.4\",\"LocalPort\":null,\"RemoteIP\":\"5.6.7.8\",\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"AdditionalFields\":\"{\\\"BaseAddress\\\":2098738167808,\\\"RegionSize\\\":262144,\\\"ProtectionMask\\\":64}\",\"ActionType\":\"NtAllocateVirtualMemoryApiCall\",\"InitiatingProcessVersionInfoCompanyName\":\"Google\",\"InitiatingProcessVersionInfoProductName\":\"Software Reporter 
Tool\",\"InitiatingProcessVersionInfoProductVersion\":\"102.286.200\",\"InitiatingProcessVersionInfoInternalFileName\":\"software_reporter_tool_exe\",\"InitiatingProcessVersionInfoOriginalFileName\":\"software_reporter_tool.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Software Reporter Tool\",\"InitiatingProcessFolderPath\":\"c:\\\\users\\\\USER\\\\appdata\\\\local\\\\google\\\\chrome\\\\user data\\\\swreporter\\\\102.286.200\\\\software_reporter_tool.exe\",\"InitiatingProcessFileName\":\"software_reporter_tool.exe\",\"InitiatingProcessFileSize\":14687048,\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessLogonId\":121834210,\"InitiatingProcessAccountSid\":\"S-1-00-1-1111111-2222222222-3333333333-4444444444\",\"InitiatingProcessAccountDomain\":\"intranet\",\"InitiatingProcessAccountName\":\"group1\",\"InitiatingProcessAccountUpn\":\"user@example.org\",\"InitiatingProcessAccountObjectId\":\"9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2\",\"InitiatingProcessCreationTime\":\"2022-09-01T06:56:23.7887846Z\",\"InitiatingProcessId\":1664,\"InitiatingProcessCommandLine\":\"\\\"software_reporter_tool.exe\\\" --use-crash-handler-with-id=\\\"\\\\\\\\.\\\\pipe\\\\crashpad_11111_XXXXXXXXXXXXXXXX\\\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2\",\"InitiatingProcessParentCreationTime\":\"2022-09-01T06:56:23.595229Z\",\"InitiatingProcessParentId\":15532,\"InitiatingProcessParentFileName\":\"software_reporter_tool.exe\",\"DeviceId\":\"1111111111111111111111111111111111111111\",\"AppGuardContainerId\":\"\",\"MachineGroup\":\"UnassignedGroup\",\"Timestamp\":\"2022-09-01T07:09:47.4980566Z\",\"DeviceName\":\"test.lab\",\"ReportId\":104061}}", + "event": { + "category": [ + "iam" + ], + "dataset": 
"identity_directory_events", + "type": [ + "info" + ] + }, + "@timestamp": "2022-09-01T07:09:47.498056Z", + "action": { + "properties": { + "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "InitiatingProcessFileSize": 14687048, + "InitiatingProcessLogonId": "121834210", + "InitiatingProcessVersionInfoCompanyName": "Google", + "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", + "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", + "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", + "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", + "InitiatingProcessVersionInfoProductVersion": "102.286.200" + }, + "type": "NtAllocateVirtualMemoryApiCall" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "host": { + "id": "1111111111111111111111111111111111111111", + "name": "test.lab" + }, + "microsoft": { + "defender": { + "report": { + "id": "104061" + } + } + }, + "process": { + "args": [ + "--engine=2", + "--init-done-notifier=804", + "--mojo-platform-channel-handle=780", + "--sandbox-mojo-pipe-token=**********", + "--sandboxed-process-id=2", + "--use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\"" + ], + "command_line": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "executable": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200\\software_reporter_tool.exe", + "hash": { + "md5": 
"51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + }, + "name": "software_reporter_tool.exe", + "parent": { + "name": "software_reporter_tool.exe", + "pid": 15532, + "start": "2022-09-01T06:56:23.595229Z" + }, + "pid": 1664, + "start": "2022-09-01T06:56:23.788784Z", + "user": { + "domain": "intranet", + "email": "user@example.org", + "id": "S-1-00-1-1111111-2222222222-3333333333-4444444444", + "name": "group1" + }, + "working_directory": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } + + ``` + + +=== "test_identity_info.json" + + ```json + + { + "message": 
"{\"time\":\"2022-09-01T07:28:59.5127177Z\",\"tenantId\":\"5ac3ff49-0e19-4600-9ad1-333e64e3b5cc\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-IdentityInfo\",\"properties\":{\"AccountSid\":null,\"AccountDomain\":null,\"AccountName\":null,\"LogonId\":null,\"FileName\":null,\"FolderPath\":null,\"MD5\":null,\"SHA1\":null,\"FileSize\":null,\"SHA256\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"RemoteUrl\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"RemoteDeviceName\":null,\"FileOriginIP\":null,\"FileOriginUrl\":null,\"LocalIP\":\"1.2.3.4\",\"LocalPort\":null,\"RemoteIP\":\"5.6.7.8\",\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"AdditionalFields\":\"{\\\"BaseAddress\\\":2098738167808,\\\"RegionSize\\\":262144,\\\"ProtectionMask\\\":64}\",\"ActionType\":\"NtAllocateVirtualMemoryApiCall\",\"InitiatingProcessVersionInfoCompanyName\":\"Google\",\"InitiatingProcessVersionInfoProductName\":\"Software Reporter Tool\",\"InitiatingProcessVersionInfoProductVersion\":\"102.286.200\",\"InitiatingProcessVersionInfoInternalFileName\":\"software_reporter_tool_exe\",\"InitiatingProcessVersionInfoOriginalFileName\":\"software_reporter_tool.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Software Reporter Tool\",\"InitiatingProcessFolderPath\":\"c:\\\\users\\\\USER\\\\appdata\\\\local\\\\google\\\\chrome\\\\user 
data\\\\swreporter\\\\102.286.200\\\\software_reporter_tool.exe\",\"InitiatingProcessFileName\":\"software_reporter_tool.exe\",\"InitiatingProcessFileSize\":14687048,\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessLogonId\":121834210,\"InitiatingProcessAccountSid\":\"S-1-00-1-1111111-2222222222-3333333333-4444444444\",\"InitiatingProcessAccountDomain\":\"intranet\",\"InitiatingProcessAccountName\":\"group1\",\"InitiatingProcessAccountUpn\":\"user@example.org\",\"InitiatingProcessAccountObjectId\":\"9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2\",\"InitiatingProcessCreationTime\":\"2022-09-01T06:56:23.7887846Z\",\"InitiatingProcessId\":1664,\"InitiatingProcessCommandLine\":\"\\\"software_reporter_tool.exe\\\" --use-crash-handler-with-id=\\\"\\\\\\\\.\\\\pipe\\\\crashpad_11111_XXXXXXXXXXXXXXXX\\\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2\",\"InitiatingProcessParentCreationTime\":\"2022-09-01T06:56:23.595229Z\",\"InitiatingProcessParentId\":15532,\"InitiatingProcessParentFileName\":\"software_reporter_tool.exe\",\"DeviceId\":\"1111111111111111111111111111111111111111\",\"AppGuardContainerId\":\"\",\"MachineGroup\":\"UnassignedGroup\",\"Timestamp\":\"2022-09-01T07:09:47.4980566Z\",\"DeviceName\":\"test.lab\",\"ReportId\":104061}}", + "event": { + "type": [ + "info" + ] + }, + "@timestamp": "2022-09-01T07:09:47.498056Z", + "action": { + "properties": { + "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 
--engine=2", + "InitiatingProcessFileSize": 14687048, + "InitiatingProcessLogonId": "121834210", + "InitiatingProcessVersionInfoCompanyName": "Google", + "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", + "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", + "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", + "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", + "InitiatingProcessVersionInfoProductVersion": "102.286.200" + }, + "type": "NtAllocateVirtualMemoryApiCall" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "host": { + "id": "1111111111111111111111111111111111111111", + "name": "test.lab" + }, + "microsoft": { + "defender": { + "report": { + "id": "104061" + } + } + }, + "process": { + "args": [ + "--engine=2", + "--init-done-notifier=804", + "--mojo-platform-channel-handle=780", + "--sandbox-mojo-pipe-token=**********", + "--sandboxed-process-id=2", + "--use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\"" + ], + "command_line": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "executable": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200\\software_reporter_tool.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + }, + "name": "software_reporter_tool.exe", + "parent": { + "name": "software_reporter_tool.exe", + "pid": 15532, + "start": "2022-09-01T06:56:23.595229Z" + }, + "pid": 1664, + "start": "2022-09-01T06:56:23.788784Z", + "user": { + "domain": "intranet", + "email": "user@example.org", + "id": 
"S-1-00-1-1111111-2222222222-3333333333-4444444444", + "name": "group1" + }, + "working_directory": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } + + ``` + + +=== "test_identity_logon.json" + + ```json + + { + "message": "{\"time\":\"2022-09-01T07:28:59.5127177Z\",\"tenantId\":\"5ac3ff49-0e19-4600-9ad1-333e64e3b5cc\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-IdentityLogonEvents\",\"properties\":{\"AccountSid\":null,\"AccountDomain\":null,\"AccountName\":null,\"LogonId\":null,\"FileName\":null,\"FolderPath\":null,\"MD5\":null,\"SHA1\":null,\"FileSize\":null,\"SHA256\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"RemoteUrl\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"RemoteDeviceName\":null,\"FileOriginIP\":null,\"FileOriginUrl\":null,\"LocalIP\":\"1.2.3.4\",\"LocalPort\":null,\"RemoteIP\":\"5.6.7.8\",\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"AdditionalFields\":\"{\\\"BaseAddress\\\":2098738167808,\\\"RegionSize\\\":262144,\\\"ProtectionMask\\\":64}\",\"ActionType\":\"NtAllocateVirtualMemoryApiCall\",\"InitiatingProcessVersionInfoCompanyName\":\"Google\",\"InitiatingProcessVersionInfoProductName\":\"Software Reporter Tool\",\"InitiatingProcessVersionInfoProductVersion\":\"102.286.200\",\"InitiatingProcessVersionInfoInternalFileName\":\"software_reporter_tool_exe\",\"InitiatingProcessVersionInfoOriginalFileName\":\"software_reporter_tool.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Software Reporter Tool\",\"InitiatingProcessFolderPath\":\"c:\\\\users\\\\USER\\\\appdata\\\\local\\\\google\\\\chrome\\\\user 
data\\\\swreporter\\\\102.286.200\\\\software_reporter_tool.exe\",\"InitiatingProcessFileName\":\"software_reporter_tool.exe\",\"InitiatingProcessFileSize\":14687048,\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessLogonId\":121834210,\"InitiatingProcessAccountSid\":\"S-1-00-1-1111111-2222222222-3333333333-4444444444\",\"InitiatingProcessAccountDomain\":\"intranet\",\"InitiatingProcessAccountName\":\"group1\",\"InitiatingProcessAccountUpn\":\"user@example.org\",\"InitiatingProcessAccountObjectId\":\"9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2\",\"InitiatingProcessCreationTime\":\"2022-09-01T06:56:23.7887846Z\",\"InitiatingProcessId\":1664,\"InitiatingProcessCommandLine\":\"\\\"software_reporter_tool.exe\\\" --use-crash-handler-with-id=\\\"\\\\\\\\.\\\\pipe\\\\crashpad_11111_XXXXXXXXXXXXXXXX\\\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2\",\"InitiatingProcessParentCreationTime\":\"2022-09-01T06:56:23.595229Z\",\"InitiatingProcessParentId\":15532,\"InitiatingProcessParentFileName\":\"software_reporter_tool.exe\",\"DeviceId\":\"1111111111111111111111111111111111111111\",\"AppGuardContainerId\":\"\",\"MachineGroup\":\"UnassignedGroup\",\"Timestamp\":\"2022-09-01T07:09:47.4980566Z\",\"DeviceName\":\"test.lab\",\"ReportId\":104061}}", + "event": { + "category": [ + "authentication" + ], + "dataset": "identity_logon_events", + "type": [ + "info" + ] + }, + "@timestamp": "2022-09-01T07:09:47.498056Z", + "action": { + "properties": { + "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 
--init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "InitiatingProcessFileSize": 14687048, + "InitiatingProcessLogonId": "121834210", + "InitiatingProcessVersionInfoCompanyName": "Google", + "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", + "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", + "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", + "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", + "InitiatingProcessVersionInfoProductVersion": "102.286.200" + }, + "type": "NtAllocateVirtualMemoryApiCall" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "host": { + "id": "1111111111111111111111111111111111111111", + "name": "test.lab" + }, + "microsoft": { + "defender": { + "report": { + "id": "104061" + } + } + }, + "process": { + "args": [ + "--engine=2", + "--init-done-notifier=804", + "--mojo-platform-channel-handle=780", + "--sandbox-mojo-pipe-token=**********", + "--sandboxed-process-id=2", + "--use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\"" + ], + "command_line": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "executable": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200\\software_reporter_tool.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + }, + "name": "software_reporter_tool.exe", + "parent": { + "name": "software_reporter_tool.exe", + "pid": 15532, + "start": "2022-09-01T06:56:23.595229Z" + }, + "pid": 1664, + "start": "2022-09-01T06:56:23.788784Z", + "user": { + "domain": 
"intranet", + "email": "user@example.org", + "id": "S-1-00-1-1111111-2222222222-3333333333-4444444444", + "name": "group1" + }, + "working_directory": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } + + ``` + + +=== "test_identity_query.json" + + ```json + + { + "message": "{\"time\":\"2022-09-01T07:28:59.5127177Z\",\"tenantId\":\"5ac3ff49-0e19-4600-9ad1-333e64e3b5cc\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-IdentityQueryEvents\",\"properties\":{\"AccountSid\":null,\"AccountDomain\":null,\"AccountName\":null,\"LogonId\":null,\"FileName\":null,\"FolderPath\":null,\"MD5\":null,\"SHA1\":null,\"FileSize\":null,\"SHA256\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"RemoteUrl\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"RemoteDeviceName\":null,\"FileOriginIP\":null,\"FileOriginUrl\":null,\"LocalIP\":\"1.2.3.4\",\"LocalPort\":null,\"RemoteIP\":\"5.6.7.8\",\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"AdditionalFields\":\"{\\\"BaseAddress\\\":2098738167808,\\\"RegionSize\\\":262144,\\\"ProtectionMask\\\":64}\",\"ActionType\":\"NtAllocateVirtualMemoryApiCall\",\"InitiatingProcessVersionInfoCompanyName\":\"Google\",\"InitiatingProcessVersionInfoProductName\":\"Software Reporter Tool\",\"InitiatingProcessVersionInfoProductVersion\":\"102.286.200\",\"InitiatingProcessVersionInfoInternalFileName\":\"software_reporter_tool_exe\",\"InitiatingProcessVersionInfoOriginalFileName\":\"software_reporter_tool.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Software Reporter 
Tool\",\"InitiatingProcessFolderPath\":\"c:\\\\users\\\\USER\\\\appdata\\\\local\\\\google\\\\chrome\\\\user data\\\\swreporter\\\\102.286.200\\\\software_reporter_tool.exe\",\"InitiatingProcessFileName\":\"software_reporter_tool.exe\",\"InitiatingProcessFileSize\":14687048,\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessLogonId\":121834210,\"InitiatingProcessAccountSid\":\"S-1-00-1-1111111-2222222222-3333333333-4444444444\",\"InitiatingProcessAccountDomain\":\"intranet\",\"InitiatingProcessAccountName\":\"group1\",\"InitiatingProcessAccountUpn\":\"user@example.org\",\"InitiatingProcessAccountObjectId\":\"9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2\",\"InitiatingProcessCreationTime\":\"2022-09-01T06:56:23.7887846Z\",\"InitiatingProcessId\":1664,\"InitiatingProcessCommandLine\":\"\\\"software_reporter_tool.exe\\\" --use-crash-handler-with-id=\\\"\\\\\\\\.\\\\pipe\\\\crashpad_11111_XXXXXXXXXXXXXXXX\\\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2\",\"InitiatingProcessParentCreationTime\":\"2022-09-01T06:56:23.595229Z\",\"InitiatingProcessParentId\":15532,\"InitiatingProcessParentFileName\":\"software_reporter_tool.exe\",\"DeviceId\":\"1111111111111111111111111111111111111111\",\"AppGuardContainerId\":\"\",\"MachineGroup\":\"UnassignedGroup\",\"Timestamp\":\"2022-09-01T07:09:47.4980566Z\",\"DeviceName\":\"test.lab\",\"ReportId\":104061}}", + "event": { + "category": [ + "iam" + ], + "dataset": "identity_query_events", + "type": [ + "info" + ] + }, + "@timestamp": "2022-09-01T07:09:47.498056Z", + "action": { + "properties": { + "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" 
--use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "InitiatingProcessFileSize": 14687048, + "InitiatingProcessLogonId": "121834210", + "InitiatingProcessVersionInfoCompanyName": "Google", + "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", + "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", + "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", + "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", + "InitiatingProcessVersionInfoProductVersion": "102.286.200" + }, + "type": "NtAllocateVirtualMemoryApiCall" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "host": { + "id": "1111111111111111111111111111111111111111", + "name": "test.lab" + }, + "microsoft": { + "defender": { + "report": { + "id": "104061" + } + } + }, + "process": { + "args": [ + "--engine=2", + "--init-done-notifier=804", + "--mojo-platform-channel-handle=780", + "--sandbox-mojo-pipe-token=**********", + "--sandboxed-process-id=2", + "--use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\"" + ], + "command_line": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "executable": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200\\software_reporter_tool.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + }, + "name": "software_reporter_tool.exe", + "parent": { + "name": "software_reporter_tool.exe", + "pid": 15532, + "start": 
"2022-09-01T06:56:23.595229Z" + }, + "pid": 1664, + "start": "2022-09-01T06:56:23.788784Z", + "user": { + "domain": "intranet", + "email": "user@example.org", + "id": "S-1-00-1-1111111-2222222222-3333333333-4444444444", + "name": "group1" + }, + "working_directory": "c:\\users\\USER\\appdata\\local\\google\\chrome\\user data\\swreporter\\102.286.200" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } + + ``` + + === "test_local_ip.json" ```json @@ -1294,7 +1955,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "dataset": "device_events", - "kind": "event", "type": [ "info" ] @@ -1510,6 +2170,7 @@ The following table lists the fields that are extracted, normalized under the EC |`microsoft.defender.activity.objects` | `list` | List of objects, such as files or folders, that were involved in the recorded activity | |`microsoft.defender.activity.type` | `keyword` | Type of activity that triggered the event | |`microsoft.defender.alert.id` | `keyword` | Unique identifier for the alert | +|`microsoft.defender.alert.severity` | `keyword` | The severity of the alert | |`microsoft.defender.alert.title` | `keyword` | The title of the alert | |`microsoft.defender.certificate.counter_signed_at` | `keyword` | Date and time the certificate was countersigned | |`microsoft.defender.certificate.created_at` | `keyword` | Date and time the certificate was created | diff --git a/_shared_content/operations_center/integrations/generated/0642b03a-9d4a-4c88-a5e2-4597e366b8c4.md b/_shared_content/operations_center/integrations/generated/0642b03a-9d4a-4c88-a5e2-4597e366b8c4.md index ee3d99d8bb..55c9faee23 100644 
--- a/_shared_content/operations_center/integrations/generated/0642b03a-9d4a-4c88-a5e2-4597e366b8c4.md +++ b/_shared_content/operations_center/integrations/generated/0642b03a-9d4a-4c88-a5e2-4597e366b8c4.md @@ -16,14 +16,6 @@ The following table lists the data source offered by this integration. -In details, the following table denotes the type of events produced by this integration. - -| Name | Values | -| ---- | ------ | -| Kind | `event` | -| Category | `` | -| Type | `` | - @@ -43,7 +35,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "code": "vim.event.HostConnectedEvent", - "kind": "event", "type": [ "start" ] @@ -81,7 +72,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "vim.fault.InvalidLogin", - "kind": "event", "reason": "VMOMI activation LRO failed", "type": [ "connection" @@ -115,7 +105,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "vim.fault.InvalidLogin", - "kind": "event", "reason": "[VpxLRO] -- ERROR lro-1926720284 -- SessionManager -- vim.SessionManager.login", "type": [ "connection" @@ -161,7 +150,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "connection" ] @@ -236,7 +224,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "connection" ] @@ -292,7 +279,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "FINISH lro--1111111111", "type": [ "connection" 
@@ -325,7 +311,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "BEGIN lro--1111111111 -- ServiceInstance -- vim.ServiceInstance.retrieveContent -- 47f5e298-9aee-4e21-b69b-abc3efd9cd4e(54b2ae59-1b21-4de8-bab0-0d9a415debce)", "type": [ "connection" @@ -358,7 +343,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "Calling bulkUpdate with datastore=ds:///vmfs/volumes/1111111-22222222/ fullSync=false changed size: 0 tidyVClock=0 serverLastVClock=-1", "type": [ "connection" @@ -394,7 +378,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "GC (Allocation Failure)", "type": [ "connection" @@ -420,7 +403,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "Desired survivor size 1572864 bytes, new threshold 1 (max 15)", "type": [ "connection" @@ -445,7 +427,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "PI-client-connection-monitor c.v.v.a.vapi.runtime.thread.ApacheBioHttpClientBuilderAspect vAPI-client-connection-monitor thread started...", "type": [ "connection" @@ -475,7 +456,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "vim.event.VmAcquiredTicketEvent", - "kind": "event", "type": [ "connection" ] @@ -521,7 +501,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "vim.event.VmAcquiredTicketEvent", - "kind": "event", "type": [ "connection" ] 
@@ -566,7 +545,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "WeakReference, 0 refs, 0.0000061 secs]", "type": [ "connection" @@ -592,7 +570,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "FinalReference, 150 refs, 0.0004388 secs]", "type": [ "connection" @@ -618,7 +595,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "PhantomReference, 0 refs, 0 refs, 0.0000065 secs]", "type": [ "connection" @@ -644,7 +620,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "JNI Weak Reference, 0.0000149 secs]", "type": [ "connection" @@ -670,7 +645,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "SoftReference, 0 refs, 0.0000457 secs]", "type": [ "connection" @@ -697,7 +671,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "code": "vim.event.BadUsernameSessionEvent", - "kind": "event", "type": [ "end" ] @@ -749,7 +722,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "code": "vim.event.UserLoginSessionEvent", - "kind": "event", "type": [ "start" ] @@ -795,7 +767,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "code": "vim.event.UserLoginSessionEvent", - "kind": "event", "type": [ "start" ] @@ -841,7 +812,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "code": "vim.event.UserLogoutSessionEvent", - "kind": "event", "type": [ "end" ] 
@@ -894,7 +864,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "code": "vim.event.EventEx", - "kind": "event", "type": [ "info" ] @@ -941,7 +910,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "code": "vim.event.EventEx", - "kind": "event", "type": [ "info" ] @@ -988,7 +956,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "code": "vim.event.AlreadyAuthenticatedSessionEvent", - "kind": "event", "reason": "already logged on", "type": [ "end" @@ -1027,7 +994,6 @@ The following table lists the fields that are extracted, normalized under the EC |`destination.ip` | `ip` | IP address of the destination. | |`destination.port` | `long` | Port of the destination. | |`event.code` | `keyword` | Identification code for this event. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`host.ip` | `ip` | Host ip addresses. | |`host.name` | `keyword` | Name of the host. | diff --git a/_shared_content/operations_center/integrations/generated/064f7e8b-ce5f-474d-802e-e88fe2193365.md b/_shared_content/operations_center/integrations/generated/064f7e8b-ce5f-474d-802e-e88fe2193365.md index 26bfb1e41f..02baa38b44 100644 --- a/_shared_content/operations_center/integrations/generated/064f7e8b-ce5f-474d-802e-e88fe2193365.md +++ b/_shared_content/operations_center/integrations/generated/064f7e8b-ce5f-474d-802e-e88fe2193365.md @@ -20,7 +20,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `alert`, `event` | +| Kind | `alert` | | Category | `authentication`, `configuration`, `email`, `file`, `intrusion_detection`, `malware`, `network`, `process` | | Type | `change`, `info` | 
@@ -89,7 +89,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process" ], "dataset": "Behavior Monitoring", - "kind": "event", "severity": 3, "type": [ "end" @@ -144,7 +143,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "CnC Callback", - "kind": "event", "severity": 3, "type": "info" }, @@ -265,7 +263,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "file" ], "dataset": "Device Access Control", - "kind": "event", "severity": 3, "type": [ "info" @@ -322,7 +319,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process" ], "dataset": "Endpoint Application Control Violation Information", - "kind": "event", "severity": 3, "type": [ "info" @@ -384,7 +380,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process" ], "dataset": "Engine Update Status", - "kind": "event", "severity": 3, "type": [ "change" @@ -433,7 +428,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "Managed Product Logon/Logoff Events", - "kind": "event", "reason": "A user withthe Administrator role(s) has logged on. Detail Information :UserName:TEST2013\\\\administrator,IP address:10.204.166.127,EventType:Log in/out,SourceType:SMEX UI.", "severity": 3, "type": [ @@ -472,7 +466,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "1756", "dataset": "Suspicious Connection", - "kind": "event", "severity": 3, "type": [ "allowed" @@ -527,7 +520,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "configuration" ], "dataset": "Pattern Update Status", - "kind": "event", "severity": 3, "type": [ "change" @@ -707,7 +699,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "20", "dataset": "This is a policy name", - "kind": "event", "severity": 3, "type": [ "info" 
@@ -948,7 +939,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "20", "dataset": "This is a policy name", - "kind": "event", "severity": 3, "type": [ "info" @@ -1123,7 +1113,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "7", - "kind": "event", "severity": 3, "type": [ "allowed" diff --git a/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002.md b/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002.md index a758194c73..7dc84e82e3 100644 --- a/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002.md +++ b/_shared_content/operations_center/integrations/generated/07c0cac8-f68f-11ea-adc1-0242ac120002.md @@ -19,7 +19,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `["network"]` | | Type | `` | @@ -43,7 +43,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "end": "2020-09-09T15:31:28Z", - "kind": "event", "outcome": "ok", "start": "2020-09-09T15:26:33Z", "type": [ @@ -115,7 +114,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "end": "2022-08-31T12:59:06Z", - "kind": "event", "outcome": "ok", "start": "2022-08-31T12:58:55Z", "type": [ @@ -187,7 +185,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "end": "2022-07-18T08:00:16Z", - "kind": "event", "outcome": "ok", "start": "2022-07-18T07:59:46Z", "type": [ @@ -259,7 +256,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "end": "2016-10-31T11:37:00Z", - "kind": "event", "outcome": "ok", "start": "2016-10-31T11:35:08Z", "type": [ 
@@ -330,7 +326,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "end": "2015-05-10T18:02:14Z", - "kind": "event", "outcome": "nodata", "start": "2015-05-10T18:01:16Z" }, @@ -375,7 +370,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "end": "2020-09-09T15:30:28Z", - "kind": "event", "outcome": "ok", "start": "2020-09-09T15:29:34Z", "type": [ @@ -447,7 +441,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "end": "2022-08-31T12:59:06Z", - "kind": "event", "outcome": "ok", "start": "2022-08-31T12:58:55Z", "type": [ @@ -529,7 +522,6 @@ The following table lists the fields that are extracted, normalized under the EC |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.end` | `date` | event.end contains the date when the event ended or when the activity was last observed. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. | |`network.iana_number` | `keyword` | IANA Protocol Number. | |`observer.ingress.interface.name` | `keyword` | Interface name | diff --git a/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md b/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md index 1ea47e0213..20127b900a 100644 --- a/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md +++ b/_shared_content/operations_center/integrations/generated/07c556c0-0675-478c-9803-e7990afe78b6.md 
@@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `alert`, `event` | +| Kind | `alert` | | Category | `host`, `intrusion_detection`, `malware` | | Type | `allowed`, `info` | @@ -39,7 +39,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "intrusion_detection" ], - "kind": "event", "reason": "Agent debian-SentinelOne started full disk scan at Thu, 11 Mar 2021, 12:42:56 UTC.", "type": [ "info" @@ -97,7 +96,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "intrusion_detection" ], - "kind": "event", "reason": "The CL002793 Agent is enabled due to time expiration.", "type": [ "info" @@ -161,7 +159,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "intrusion_detection" ], - "kind": "event", "reason": "Functionality of the SentinelOne Agent on a01pwrbi005 is limited, due to a database corruption. Contact Support.", "type": [ "info" @@ -225,7 +222,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "intrusion_detection" ], - "kind": "event", "reason": "The agent CL001234 successfully killed the threat: Run SwitchThemeColor.ps1.lnk.", "type": [ "info" @@ -297,7 +293,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "intrusion_detection" ], - "kind": "event", "reason": "The agent CL001234 successfully quarantined the threat: Run SwitchThemeColor.ps1.lnk.", "type": [ "info" @@ -372,7 +367,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "intrusion_detection" ], - "kind": "event", "reason": "The management user Jean Dupont deleted the user Foo User.", "type": [ "info" 
@@ -429,7 +423,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "intrusion_detection" ], - "kind": "event", "reason": "The Management user Jean DUPONT deleted the Path Exclusion C:\\Windows\\system32\\diskshadow.exe for Windows from the Group Env. 99 - Admin", "type": [ "info" @@ -494,7 +487,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "intrusion_detection" ], - "kind": "event", "reason": "Threat with confidence level suspicious detected: Run SwitchThemeColor.ps1.lnk.", "type": [ "info" @@ -562,7 +554,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "intrusion_detection" ], - "kind": "event", "reason": "Status of threat Run SwitchThemeColor.ps1.lnk on agent CL001234 changed from Not mitigated to Mitigated.", "type": [ "info" @@ -633,7 +624,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "intrusion_detection" ], - "kind": "event", "reason": "Agent CL-ABCEDFG automatically decommissioned.", "type": [ "info" @@ -688,7 +678,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "intrusion_detection" ], - "kind": "event", "reason": "The Agent CL001234 moved dynamically from Group DSI to Group Default Group", "type": [ "info" @@ -744,7 +733,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "Device Control Approved Event", "category": "host", - "kind": "event", "reason": "USB device was connected on CORP123.", "type": [ "allowed" @@ -817,7 +805,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "intrusion_detection" ], - "kind": "event", "reason": "Firewall Control blocked traffic on the Endpoint CORP1234 because of rule Block all in site CORP-workstations (CORP).", "type": [ "info" 
@@ -906,7 +893,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "intrusion_detection" ], - "kind": "event", "reason": "System initiated a full disk scan to the agent: CORP-12347 (11.22.33.44).", "type": [ "info" @@ -971,7 +957,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "intrusion_detection" ], - "kind": "event", "reason": "Alert created for powershell.exe from Custom Rule: PowershellExecutionPolicyChanged Indicator Monito in Group LAPTOP in Site DEFAULT of Account CORP, detected on CORP-LAP-4075.", "type": [ "info" @@ -1119,7 +1104,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "intrusion_detection" ], - "kind": "event", "reason": "Alert created for WebexHost_old.exe from Custom Rule: Webex.Meetings.Atucfobj.dll Monitoring in Group LAPTOP in Site DEFAULT of Account CORP, detected on USR-LAP-4141.", "type": [ "info" @@ -2475,7 +2459,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "intrusion_detection" ], - "kind": "event", "reason": "The management user Jean DUPONT logged in to the management console with IP Address 11.22.33.44.", "type": [ "info" diff --git a/_shared_content/operations_center/integrations/generated/0ba58f32-7dba-4084-ab17-90c0be6b1f10.md b/_shared_content/operations_center/integrations/generated/0ba58f32-7dba-4084-ab17-90c0be6b1f10.md index 561497c023..9156ee039c 100644 --- a/_shared_content/operations_center/integrations/generated/0ba58f32-7dba-4084-ab17-90c0be6b1f10.md +++ b/_shared_content/operations_center/integrations/generated/0ba58f32-7dba-4084-ab17-90c0be6b1f10.md @@ -17,7 +17,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `web` | | Type | `access` | 
@@ -41,7 +41,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "dataset": "http_requests", "end": "2022-07-20T01:48:22.371000Z", - "kind": "event", "start": "2022-07-20T01:47:51.671000Z", "type": [ "access" @@ -102,7 +101,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "web" ], "dataset": "http_requests", - "kind": "event", "type": [ "access" ] @@ -143,7 +141,6 @@ The following table lists the fields that are extracted, normalized under the EC |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.dataset` | `keyword` | Name of the dataset. | |`event.end` | `date` | event.end contains the date when the event ended or when the activity was last observed. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`http.request.bytes` | `long` | Total size in bytes of the request (body and headers). | diff --git a/_shared_content/operations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md b/_shared_content/operations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md index 84bd3d18f3..21af5d625d 100644 --- a/_shared_content/operations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md +++ b/_shared_content/operations_center/integrations/generated/10999b99-9a8d-4b92-9fbd-01e3fac01cd5.md 
@@ -69,7 +69,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "command_line": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc", "executable": "\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe", "parent": { - "executable": "services.exe", + "name": "services.exe", "pid": 11768266 }, "pid": 4164, @@ -138,6 +138,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "win" } }, + "network": { + "iana_number": "6" + }, "observer": { "ip": [ "1.2.3.4" @@ -253,6 +256,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "platform": "mac" } }, + "network": { + "iana_number": "17" + }, "related": { "ip": [ "2001:cafe:37:ed:6f:51:7d:67", @@ -314,7 +320,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "command_line": "\"gpupdate.exe\" /target:computer", "executable": "\\Device\\HarddiskVolume4\\Windows\\System32\\gpupdate.exe", "parent": { - "executable": "svchost.exe", + "name": "svchost.exe", "pid": 158964342720 }, "pid": 8960, @@ -883,7 +889,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "command_line": "/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient", "executable": "/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient", "parent": { - "executable": "launchd", + "name": "launchd", "pid": 494714991831837524 }, "pid": 6812, 
@@ -1222,7 +1228,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "command_line": "\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\acrocef_1\\AcroCEF.exe\" --type=gpu-process --log-severity=disable --user-agent-product=\"ReaderServices/23.1.20174 Chrome/105.0.0.0\" --lang=en-US --user-data-dir=\"C:\\Users\\p.gregoire\\AppData\\Local\\CEF\\User Data\" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file=\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\acrocef_1\\debug.log\" --mojo-platform-channel-handle=2680 --field-trial-handle=1620,i,11497596256796242755,3026965967799273852,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2", "executable": "\\Device\\HarddiskVolume4\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\acrocef_1\\AcroCEF.exe", "parent": { - "executable": "AcroCEF.exe", + "name": "AcroCEF.exe", "pid": 1084277996656 }, "pid": 18184, 
@@ -1733,6 +1739,215 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "telemetry_event_37.json" + + ```json + + { + "message": "{\"ProcessCreateFlags\":\"4\",\"IntegrityLevel\":\"8192\",\"ParentProcessId\":\"288633815511\",\"SourceProcessId\":\"288633815511\",\"aip\":\"89.251.59.206\",\"SHA1HashData\":\"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc\",\"UserSid\":\"S-1-5-21-XXXX-XXXXX-9457\",\"event_platform\":\"Win\",\"TokenType\":\"1\",\"ProcessEndTime\":\"\",\"AuthenticodeHashData\":\"e72acf26e8ca12c48d2697e849fd68887515956a\",\"ParentBaseFileName\":\"setup.exe\",\"EventOrigin\":\"1\",\"ImageSubsystem\":\"2\",\"id\":\"93a1f830-c5a3-41f3-a5c0-df8cdd61295f\",\"EffectiveTransmissionClass\":\"3\",\"SessionId\":\"4\",\"Tags\":\"25,27,41,268,874,924,10445360464024,10445360464025,10445360464026,10445360464258,10445360464273,10445360464274,12094627905582,12094627906234,219902325555779\",\"timestamp\":\"1705915256602\",\"event_simpleName\":\"ProcessRollup2\",\"RawProcessId\":\"17600\",\"ConfigStateHash\":\"2529887863\",\"MD5HashData\":\"68b329da9893e34099c7d8ad5cb9c940\",\"SHA256HashData\":\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\"ProcessSxsFlags\":\"64\",\"AuthenticationId\":\"610129406\",\"ConfigBuild\":\"1007.3.0017706.10\",\"CommandLine\":\"C:\\\\WINDOWS\\\\System32\\\\rundll32.exe\",\"ParentAuthenticationId\":\"610129406\",\"TargetProcessId\":\"288727090872\",\"ImageFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\rundll32.exe\",\"SourceThreadId\":\"11362082185143\",\"Entitlements\":\"15\",\"name\":\"ProcessRollup2V19\",\"ProcessStartTime\":\"1705915253.929\",\"ProcessParameterFlags\":\"24577\",\"aid\":\"36a2337df811411eb6abeac136945a6c\",\"SignInfoFlags\":\"8683538\",\"cid\":\"7da61e27e34f4b8394081896af72e2c7\"}", + "event": { + "action": "ProcessRollup2", + "category": [ + "process" + ], + "type": [ + "info" + ] + }, + "@timestamp": "2024-01-22T09:20:56.602000Z", + "agent": { + "id": 
"36a2337df811411eb6abeac136945a6c" + }, + "crowdstrike": { + "customer_id": "7da61e27e34f4b8394081896af72e2c7" + }, + "file": { + "hash": { + "md5": "68b329da9893e34099c7d8ad5cb9c940", + "sha1": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc", + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + } + }, + "host": { + "ip": [ + "89.251.59.206" + ], + "os": { + "platform": "win" + } + }, + "process": { + "command_line": "C:\\WINDOWS\\System32\\rundll32.exe", + "executable": "\\Device\\HarddiskVolume3\\Windows\\System32\\rundll32.exe", + "parent": { + "name": "setup.exe", + "pid": 288633815511 + }, + "pid": 17600, + "start": "2024-01-22T09:20:53.929000Z", + "thread": { + "id": 11362082185143 + } + }, + "related": { + "hash": [ + "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", + "68b329da9893e34099c7d8ad5cb9c940", + "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc" + ], + "ip": [ + "89.251.59.206" + ] + }, + "source": { + "nat": { + "ip": "89.251.59.206" + } + }, + "user": { + "id": "S-1-5-21-XXXX-XXXXX-9457" + } + } + + ``` + + +=== "telemetry_event_38.json" + + ```json + + { + "message": "{\"LocalAddressIP4\":\"0.0.0.0\",\"event_simpleName\":\"NetworkConnectIP4\",\"ContextTimeStamp\":\"1711014477.367\",\"ConfigStateHash\":\"4129765047\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"10406654690112427952\",\"RemotePort\":\"443\",\"OriginatingURL\":\"chat.cdn.whatsapp.net\",\"aip\":\"4.5.6.7\",\"ConfigBuild\":\"1007.32.20240201.1\",\"event_platform\":\"iOS\",\"LocalPort\":\"0\",\"name\":\"NetworkConnectIP4IOSV3\",\"id\":\"71d72ce3-8355-4e3e-94e9-eb638c361d56\",\"Protocol\":\"6\",\"aid\":\"1ad825a8bc954a90bc5557c95740795c\",\"RemoteAddressIP4\":\"5.6.7.8\",\"ConnectionDirection\":\"0\",\"timestamp\":\"1711014478084\",\"cid\":\"5a2f76b2897e4170bebccda80c903eb4\"}", + "event": { + "action": "NetworkConnectIP4", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "@timestamp": "2024-03-21T09:47:58.084000Z", + "agent": { + 
"id": "1ad825a8bc954a90bc5557c95740795c" + }, + "crowdstrike": { + "customer_id": "5a2f76b2897e4170bebccda80c903eb4" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "nat": { + "port": 443 + } + }, + "host": { + "ip": [ + "4.5.6.7" + ], + "os": { + "platform": "ios" + } + }, + "network": { + "iana_number": "6" + }, + "observer": { + "ip": [ + "0.0.0.0" + ] + }, + "related": { + "ip": [ + "0.0.0.0", + "4.5.6.7", + "5.6.7.8" + ] + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0", + "nat": { + "ip": "4.5.6.7", + "port": 0 + } + }, + "url": { + "full": "chat.cdn.whatsapp.net" + } + } + + ``` + + +=== "telemetry_event_39.json" + + ```json + + { + "message": "{\"LocalAddressIP4\":\"1.2.3.4\",\"event_simpleName\":\"NetworkConnectIP4\",\"ContextTimeStamp\":\"1711014491.759\",\"ConfigStateHash\":\"4129765047\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"4179223508173316025\",\"RemotePort\":\"443\",\"OriginatingURL\":\"https://outlook.office365.com/Microsoft-Server-ActiveSync\",\"aip\":\"4.5.6.7\",\"ConfigBuild\":\"1007.32.20240201.1\",\"event_platform\":\"iOS\",\"LocalPort\":\"50309\",\"name\":\"NetworkConnectIP4IOSV3\",\"id\":\"c1169837-5261-45a4-a1da-1102816304d0\",\"Protocol\":\"17\",\"aid\":\"1ad825a8bc954a90bc5557c95740795c\",\"RemoteAddressIP4\":\"5.6.7.8\",\"ConnectionDirection\":\"0\",\"timestamp\":\"1711014491954\",\"cid\":\"5a2f76b2897e4170bebccda80c903eb4\"}", + "event": { + "action": "NetworkConnectIP4", + "category": [ + "network" + ], + "type": [ + "info" + ] + }, + "@timestamp": "2024-03-21T09:48:11.954000Z", + "agent": { + "id": "1ad825a8bc954a90bc5557c95740795c" + }, + "crowdstrike": { + "customer_id": "5a2f76b2897e4170bebccda80c903eb4" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "nat": { + "port": 443 + } + }, + "host": { + "ip": [ + "4.5.6.7" + ], + "os": { + "platform": "ios" + } + }, + "network": { + "iana_number": "17" + }, + "observer": { + "ip": [ + "1.2.3.4" + ] + }, + "related": { + "ip": 
[ + "1.2.3.4", + "4.5.6.7", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.5.6.7", + "port": 50309 + } + }, + "url": { + "full": "https://outlook.office365.com/Microsoft-Server-ActiveSync" + } + } + + ``` + + === "telemetry_event_4.json" ```json @@ -2069,7 +2284,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "end": "2022-08-20T19:06:18.014000Z", "executable": "\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe", "parent": { - "executable": "services.exe", + "name": "services.exe", "pid": 11768266 }, "pid": 4164, @@ -2132,6 +2347,7 @@ The following table lists the fields that are extracted, normalized under the EC |`host.mac` | `keyword` | Host MAC addresses. | |`host.name` | `keyword` | Name of the host. | |`host.os.platform` | `keyword` | Operating system platform (such centos, ubuntu, windows). | +|`network.iana_number` | `keyword` | IANA Protocol Number. | |`observer.egress.interface.alias` | `keyword` | Interface alias | |`observer.ip` | `ip` | IP addresses of the observer. | |`observer.mac` | `keyword` | MAC addresses of the observer. | @@ -2139,7 +2355,7 @@ The following table lists the fields that are extracted, normalized under the EC |`process.command_line` | `wildcard` | Full command line that started the process. | |`process.end` | `date` | The time the process ended. | |`process.executable` | `keyword` | Absolute path to the process executable. | -|`process.parent.executable` | `keyword` | Absolute path to the process executable. | +|`process.parent.name` | `keyword` | Process name. | |`process.parent.pid` | `long` | Process id. | |`process.pid` | `long` | Process id. | |`process.start` | `date` | The time the process started. | 
@@ -2154,6 +2370,7 @@ The following table lists the fields that are extracted, normalized under the EC |`source.nat.ip` | `ip` | Source NAT ip | |`source.nat.port` | `long` | Source NAT port | |`url.domain` | `keyword` | Domain of the url. | +|`url.full` | `wildcard` | Full unparsed URL. | |`url.path` | `wildcard` | Path of the request, such as "/search". | |`user.id` | `keyword` | Unique identifier of the user. | |`user.name` | `keyword` | Short name or login of the user. | diff --git a/_shared_content/operations_center/integrations/generated/16676d72-463e-4b8a-b13a-f8dd48cddc8c.md b/_shared_content/operations_center/integrations/generated/16676d72-463e-4b8a-b13a-f8dd48cddc8c.md index 8678f97ef3..b0211ccbd2 100644 --- a/_shared_content/operations_center/integrations/generated/16676d72-463e-4b8a-b13a-f8dd48cddc8c.md +++ b/_shared_content/operations_center/integrations/generated/16676d72-463e-4b8a-b13a-f8dd48cddc8c.md @@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `network` | | Type | `` | @@ -40,7 +40,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "firewall-events", - "kind": "event", "type": [ "denied" ] @@ -103,7 +102,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "firewall-events", - "kind": "event", "module": "cloudflare.waf", "type": [ "denied" 
@@ -214,7 +212,6 @@ The following table lists the fields that are extracted, normalized under the EC |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.dataset` | `keyword` | Name of the dataset. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.module` | `keyword` | Name of the module this data is coming from. | |`http.request.bytes` | `long` | Total size in bytes of the request (body and headers). | |`http.request.method` | `keyword` | HTTP request method. | diff --git a/_shared_content/operations_center/integrations/generated/1df44c62-33d3-41d4-8176-f1fa13589eea.md b/_shared_content/operations_center/integrations/generated/1df44c62-33d3-41d4-8176-f1fa13589eea.md index 03adecc237..2ebd3fcaa4 100644 --- a/_shared_content/operations_center/integrations/generated/1df44c62-33d3-41d4-8176-f1fa13589eea.md +++ b/_shared_content/operations_center/integrations/generated/1df44c62-33d3-41d4-8176-f1fa13589eea.md @@ -41,6 +41,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": "deprecated_ssl_tls_individual", "kind": "alert", "reason": "db1\\.example\\.org established an SSL/TLS connection with a deprecated version of SSL/TLS. SSL 2.0, SSL 3.0, and TLS 1.0 are deprecated because they are vulnerable to attacks.", + "risk_score": 30, "start": "2023-11-30T21:30:23.296000Z", "type": [ "info" 
@@ -94,6 +95,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": "llmnr_activity_individual", "kind": "alert", "reason": "[db3\\.example\\.org](#/metrics/devices/6e0cd9a20b0e46e39ce0eca0b71f195c.0e3faba10b8b0000/overview?from=1701270240&interval_type=DT&until=1706720940) sent Link-Local Multicast Name Resolution (LLMNR) requests that are part of an internal broadcast query to resolve a hostname. The LLMNR protocol is known to be vulnerable to attacks.", + "risk_score": 30, "start": "2023-11-29T15:04:00Z", "type": [ "info" @@ -135,6 +137,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "code": "weak_cipher_individual", "kind": "alert", "reason": "[db1\\.example\\.org](#/metrics/devices/bcaa64bcd3c5440ea94d1b73c75979ae.0ed41b93cf2f0000/overview?from=1701379823&interval_type=DT&until=1706720940) negotiated an SSL/TLS session with a cipher suite that includes a weak encryption algorithm such as CBC, 3DES, RC4, null, anonymous, or export. Remove this cipher suite from [db1\\.example\\.org](#/metrics/devices/bcaa64bcd3c5440ea94d1b73c75979ae.0ed41b93cf2f0000/overview?from=1701379823&interval_type=DT&until=1706720940) and replace with stronger cipher suites.", + "risk_score": 30, "start": "2023-11-30T21:30:23.296000Z", "type": [ "info" 
@@ -189,6 +192,7 @@ The following table lists the fields that are extracted, normalized under the EC |`event.code` | `keyword` | Identification code for this event. | |`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | +|`event.risk_score` | `float` | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | |`event.risk_score_norm` | `float` | Normalized risk score or priority of the event (0-100). | |`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | diff --git a/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md b/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md index 10d1c671e4..50ef30d14f 100644 --- a/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md +++ b/_shared_content/operations_center/integrations/generated/22f2afd2-c858-443d-8e06-7b335e439c29.md @@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `alert`, `event` | +| Kind | `alert` | | Category | `configuration`, `intrusion_detection` | | Type | `change`, `info` | @@ -38,7 +38,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "configuration" ], - "kind": "event", "type": [ "change" ] @@ -236,7 +235,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "configuration" ], - "kind": "event", "type": [ "change" ] 
@@ -274,7 +272,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"metadata\":{\"detectionIdString\":\"ldt:9ed90be65f99456c9361141f8cfa39ab:17212155109\",\"eventType\":\"Vertex\",\"edge\":{\"sourceVertexId\":\"pid:9ed90be65f99456c9361141f8cfa39ab:17326818154\",\"type\":\"device\"},\"severity\":{\"name\":\"Critical\",\"code\":5}},\"event\":{\"id\":\"aid:9ed90be65f99456c9361141f8cfa39ab:9ed90be65f99456c9361141f8cfa39ab\",\"customer_id\":\"5d505aca55a145b3bd234c399201f082\",\"scope\":\"device\",\"object_id\":\"9ed90be65f99456c9361141f8cfa39ab\",\"device_id\":\"9ed90be65f99456c9361141f8cfa39ab\",\"vertex_type\":\"device\",\"timestamp\":\"2022-07-28T15:09:51Z\",\"properties\":{\"AgentLoadFlags\":\"0\",\"AgentLocalTime\":\"2022-07-24T20:09:35.793Z\",\"AgentVersion\":\"6.39.15316.0\",\"BaseTime\":\"663896169\",\"BiosManufacturer\":\"American Megatrends Inc.\",\"BiosReleaseDate\":\"12/07/2018\",\"BiosVersion\":\"090008 \",\"BootArgs\":\" NOEXECUTE=OPTIN REDIRECT\",\"BootId\":\"7\",\"BootStatusDataAabEnabled\":\"0\",\"BootStatusDataBootAttemptCount\":\"1\",\"BootStatusDataBootGood\":\"1\",\"BootStatusDataBootShutdown\":\"0\",\"BuildNumber\":\"19042\",\"BuildType\":\"3\",\"ChasisManufacturer\":\"Microsoft 
Corporation\",\"ChassisType\":\"3\",\"CheckedBuild\":\"0\",\"ComputerName\":\"mycomputer\",\"ConfigBuild\":\"1007.3.0015316.10\",\"ConfigIDBase\":\"65994762\",\"ConfigIDBuild\":\"15316\",\"ConfigIDPlatform\":\"3\",\"ConfigStateHash\":\"2445437569\",\"ConfigurationVersion\":\"10\",\"ConnectTime\":\"2022-07-18T09:47:48.602Z\",\"ConnectType\":\"8\",\"ConnectionCipher\":\"26126\",\"ConnectionCipherStrength\":\"128\",\"ConnectionExchange\":\"44550\",\"ConnectionExchangeStrength\":\"255\",\"ConnectionHash\":\"32780\",\"ConnectionHashStrength\":\"0\",\"ConnectionProtocol\":\"2048\",\"ContextTimeStamp\":\"2022-07-24T20:09:35.793Z\",\"CpuFeaturesMask\":\"7037767758369539\",\"CpuSignature\":\"263921\",\"CpuVendor\":\"0\",\"EffectiveTransmissionClass\":\"2\",\"Entitlements\":\"15\",\"FailedConnectCount\":\"0\",\"InstanceMetadataProvider\":\"2\",\"LocalAddressIP4\":\"1.2.3.4\",\"MachineDomain\":\"\",\"MajorVersion\":\"10\",\"MicrocodeSignature\":\"18446744069414584320\",\"MinorVersion\":\"0\",\"MoboManufacturer\":\"Microsoft Corporation\",\"MoboProductName\":\"Virtual Machine\",\"NetworkContainmentState\":\"0\",\"PhysicalAddress\":\"3a-c7-6c-b1-81-38\",\"PlatformId\":\"2\",\"PlatformSecuritySettings\":\"0\",\"PlatformSecurityStatus\":\"4294967296\",\"PointerSize\":\"8\",\"PreviousConnectTime\":\"1601-01-01T00:00:00.000Z\",\"ProductSku\":\"48\",\"ProductType\":\"1\",\"ProvisionState\":\"1\",\"RFMState\":\"0\",\"ServicePackMajor\":\"0\",\"ServicePackMinor\":\"0\",\"SideChannelMitigationFlags\":\"29444\",\"SubBuildNumber\":\"1706\",\"SuiteMask\":\"272\",\"SystemManufacturer\":\"Microsoft Corporation\",\"SystemProductName\":\"Virtual 
Machine\",\"SystemSerialNumber\":\"0000-0010-2562-7523-7070-7191-32\",\"SystemSku\":\"\",\"TargetFileName\":\"Config.sys\",\"accountId\":\"35f882a7-80ce-4e98-9efb-56f2382b6856\",\"eventPlatformId\":\"0\",\"externalIpAddress\":\"4.3.2.1\",\"instanceId\":\"9ed90be6-5f99-456c-9361-141f8cfa39ab\",\"zone_group\":\"rdp-east-us\"},\"edges\":{\"assigned_ipv4_address\":[{\"path\":\"http://falconapi.crowdstrike.com/threatgraph/combined/ipv4/summary/v1?ids=ip4%3A10.0.4.4%3A10.0.4.4&scope=device\",\"id\":\"ip4:10.0.4.4:10.0.4.4\",\"device_id\":\"10.0.4.4\",\"customer_id\":\"46de5283260647ec8f28def00bffd094\",\"object_id\":\"10.0.4.4\",\"direction\":\"out\",\"edge_id\":\"KZZ\\\"V__;Kgi>WZVP5\\\\Ro9MfM']Tc5[VP:C5\\\\od;.hXFhKNnO.RVWpq2h-EaR=a8J)%**N1p(udPF_<1'[/;7\\\\Xnd4%Ia%E3,C4j![?=r-0%.O=l!%&[$5=-si;lF2!Z\\\"2?31i[c/pMsGcTg;'O\\\"n,%Ot`@k^R;>'_r\\\"+3`-a]]Rj_09,,cO],pXWF.4E@m!!*'!\",\"source_vertex_id\":\"aid:835449907c99453085a924a16e967be5:835449907c99453085a924a16e967be5\",\"scope\":\"device\",\"edge_type\":\"established_user_session\",\"timestamp\":\"2022-07-18T09:50:33Z\",\"properties\":{\"LogonTime\":\"2022-07-18T09:35:03.448Z\",\"LogonType\":\"5\",\"UserIsAdmin\":\"0\",\"UserName\":\"hbmwcsfghmml-vm$\",\"UserPrincipal\":\"\"}},{\"path\":\"http://falconapi.crowdstrike.com/threatgraph/combined/user-sessions/summary/v1?ids=uses%3A835449907c99453085a924a16e967be5%3AS-1-5-90-0-1%7C83212&scope=device\",\"id\":\"uses:835449907c99453085a924a16e967be5:S-1-5-90-0-1|83212\",\"device_id\":\"835449907c99453085a924a16e967be5\",\"customer_id\":\"46de5283260647ec8f28def00bffd094\",\"object_id\":\"S-1-5-90-0-1|83212\",\"direction\":\"out\",\"edge_id\":\"KZm:#_CuCKi=crhVJ-[Hi;lF2!Z\\\"2?31i[c/pMsGcTg;'O\\\"n,%'\\\";HWE\\\\hK)TKK@Ja0+LFZCI_&!(eo>-LOP/PtAeWZBOJ1Y0U*]5Pk6ra*Gdk3JG6dZI]\\\\K%f-i6<7Z\\\\![>1Y0U*]5Pk6ra*Gdk3JE`gl\\\\rW5um]HO@mLoXRZ`!!<<'\",\"source_vertex_id\":\"aid:835449907c99453085a924a16e967be5:835449907c99453085a924a16e967be5\",\"scope\":\"device\",\"edge_type\":\"establ
ished_user_session\",\"timestamp\":\"2022-07-18T09:50:33Z\",\"properties\":{\"LogonTime\":\"2022-07-18T09:35:03.015Z\",\"LogonType\":\"2\",\"UserIsAdmin\":\"0\",\"UserName\":\"UMFD-1\",\"UserPrincipal\":\"\"}},{\"path\":\"http://falconapi.crowdstrike.com/threatgraph/combined/user-sessions/summary/v1?ids=uses%3A835449907c99453085a924a16e967be5%3AS-1-5-90-0-3%7C8097548&scope=device\",\"id\":\"uses:835449907c99453085a924a16e967be5:S-1-5-90-0-3|8097548\",\"device_id\":\"835449907c99453085a924a16e967be5\",\"customer_id\":\"46de5283260647ec8f28def00bffd094\",\"object_id\":\"S-1-5-90-0-3|8097548\",\"direction\":\"out\",\"edge_id\":\"KZm:#_CuCKi=crh->=-si;lF2!Z\\\"2?31i[c/pMsGcTg;'O\\\"n,%Ot`@k^R;>+rfg&K$2nq\\\"456ipPR,LVK2FM\\\",e'D/,>KA*-AH?W)cMZ8D@\\\\!!*'!\",\"source_vertex_id\":\"aid:835449907c99453085a924a16e967be5:835449907c99453085a924a16e967be5\",\"scope\":\"device\",\"edge_type\":\"established_user_session\",\"timestamp\":\"2022-07-18T09:50:33Z\",\"properties\":{\"LogonTime\":\"2022-07-18T09:46:32.280Z\",\"LogonType\":\"2\",\"UserIsAdmin\":\"0\",\"UserName\":\"UMFD-3\",\"UserPrincipal\":\"\"}},{\"path\":\"http://falconapi.crowdstrike.com/threatgraph/combined/user-sessions/summary/v1?ids=uses%3A835449907c99453085a924a16e967be5%3AS-1-5-21-2334176487-1093172873-1803758148-1000%7C27181909&scope=device\",\"id\":\"uses:835449907c99453085a924a16e967be5:S-1-5-21-2334176487-1093172873-1803758148-1000|27181909\",\"device_id\":\"835449907c99453085a924a16e967be5\",\"customer_id\":\"46de5283260647ec8f28def00bffd094\",\"object_id\":\"S-1-5-21-2334176487-1093172873-1803758148-1000|27181909\",\"direction\":\"out\",\"edge_id\":\"KZmXm^d&;ti=ug_cXi9L%2VjrCr9H#76G(l^ruhDMrs;W&NI%7/thctFPrRiR'U>dJn!rc-Nd4LV=*ri;lF2!Z\\\"2?31i[d/pMsGcTg;'O$:\\\"1OYFD\\\"hV;6>9Y+\\\\(U:Z!%aA6.b,O_lhHcCESa;hDH`$U42@\\\\cE]Do+ncd#)<1$NL2,rr\",\"source_vertex_id\":\"aid:835449907c99453085a924a16e967be5:835449907c99453085a924a16e967be5\",\"scope\":\"device\",\"edge_type\":\"established_user_session\",\"tim
estamp\":\"2022-07-18T19:46:23Z\",\"properties\":{\"LogonTime\":\"2022-07-18T19:46:21.198Z\",\"LogonType\":\"2\",\"UserIsAdmin\":\"0\",\"UserName\":\"DWM-4\",\"UserPrincipal\":\"\"}}],\"implicated_by_incident\":[{\"path\":\"http://falconapi.crowdstrike.com/threatgraph/combined/incidents/summary/v1?ids=inc%3A835449907c99453085a924a16e967be5%3Ac46079f88e0643f3a7a1a75897d193f7&scope=device\",\"id\":\"inc:835449907c99453085a924a16e967be5:c46079f88e0643f3a7a1a75897d193f7\",\"device_id\":\"835449907c99453085a924a16e967be5\",\"customer_id\":\"46de5283260647ec8f28def00bffd094\",\"object_id\":\"c46079f88e0643f3a7a1a75897d193f7\",\"direction\":\"out\",\"edge_id\":\"KZr8O__;KaiK^5&s\\\"4s!gB#-mksHj5MJ\\\"SaJXko@pVK^,s)Sh8#d>)\\\\6K\\\"$3EMAIi4,2N#X(JtF)Cnp[mK8^Vlb8-s/Y6=qL6*OR]ZFRf0U3B<<3FrppFLH!j[XcIKKQMs8N\",\"source_vertex_id\":\"aid:835449907c99453085a924a16e967be5:835449907c99453085a924a16e967be5\",\"scope\":\"device\",\"edge_type\":\"implicated_by_incident\",\"timestamp\":\"2022-07-18T17:48:23Z\",\"properties\":{}},{\"path\":\"http://falconapi.crowdstrike.com/threatgraph/combined/incidents/summary/v1?ids=inc%3A835449907c99453085a924a16e967be5%3Adaf413dba4ef43148167ee6d244ad364&scope=device\",\"id\":\"inc:835449907c99453085a924a16e967be5:daf413dba4ef43148167ee6d244ad364\",\"device_id\":\"835449907c99453085a924a16e967be5\",\"customer_id\":\"46de5283260647ec8f28def00bffd094\",\"object_id\":\"daf413dba4ef43148167ee6d244ad364\",\"direction\":\"out\",\"edge_id\":\"KZr8O__;KaiKY\\\\Sa4=NC.$apdgX(^P-kt!6kQ3cjL[Tp=YP9%^b\\\\#5\\\")%47l\\\\&OGsVL;7N*EJa&?3rh5.)S'V]b;PA\\\"/!!*'!\",\"source_vertex_id\":\"aid:835449907c99453085a924a16e967be5:835449907c99453085a924a16e967be5\",\"scope\":\"device\",\"edge_type\":\"implicated_by_incident\",\"timestamp\":\"2022-07-23T21:05:32Z\",\"properties\":{}},{\"path\":\"http://falconapi.crowdstrike.com/threatgraph/combined/incidents/summary/v1?ids=inc%3A835449907c99453085a924a16e967be5%3A1c61fb60a33a4fecb65adcf8e96bbca3&scope=device\",\"id\":\"inc
:835449907c99453085a924a16e967be5:1c61fb60a33a4fecb65adcf8e96bbca3\",\"device_id\":\"835449907c99453085a924a16e967be5\",\"customer_id\":\"46de5283260647ec8f28def00bffd094\",\"object_id\":\"1c61fb60a33a4fecb65adcf8e96bbca3\",\"direction\":\"out\",\"edge_id\":\"KZm;n_a\\\"Jmd4K&PSagPDW+/);%K-Qd6CG4t\\\\q/Z*bB`'eCAn\\\\%el8>uC1Dk3VHYj@<9^!%401L'?GR18>el/s*>pJG1QISImUoC8hpGuqUT%AS>dZG,,V>XS7!T4MeeFj=O!<<'\",\"source_vertex_id\":\"aid:835449907c99453085a924a16e967be5:835449907c99453085a924a16e967be5\",\"scope\":\"device\",\"edge_type\":\"implicated_by_incident\",\"timestamp\":\"2022-07-24T04:01:51Z\",\"properties\":{}},{\"path\":\"http://falconapi.crowdstrike.com/threatgraph/combined/incidents/summary/v1?ids=inc%3A835449907c99453085a924a16e967be5%3A068b5e72e5624d39b71e03aa0c385c02&scope=device\",\"id\":\"inc:835449907c99453085a924a16e967be5:068b5e72e5624d39b71e03aa0c385c02\",\"device_id\":\"835449907c99453085a924a16e967be5\",\"customer_id\":\"46de5283260647ec8f28def00bffd094\",\"object_id\":\"068b5e72e5624d39b71e03aa0c385c02\",\"direction\":\"out\",\"edge_id\":\"KZq\\\\t\\\"#13LiKbbDqV,Td=k5mC)0-PqJ`,5aBjffnn\\\\+GP[JmP^(hOn!2Q27k>8rTm`\\\\N`qLL\\\"QJ/&41pV'U+#X4n=^kjB!f.A6'S4T?r0b&tr&;.nD$o@h9]bTK0$!l$Y[`Zda*b231!!<<'\",\"source_vertex_id\":\"aid:835449907c99453085a924a16e967be5:835449907c99453085a924a16e967be5\",\"scope\":\"device\",\"edge_type\":\"implicated_by_incident\",\"timestamp\":\"2022-07-24T11:05:05Z\",\"properties\":{}},{\"path\":\"http://falconapi.crowdstrike.com/threatgraph/combined/incidents/summary/v1?ids=inc%3A835449907c99453085a924a16e967be5%3A3ba3560a57994112a66c91e4e4e66f13&scope=device\",\"id\":\"inc:835449907c99453085a924a16e967be5:3ba3560a57994112a66c91e4e4e66f13\",\"device_id\":\"835449907c99453085a924a16e967be5\",\"customer_id\":\"46de5283260647ec8f28def00bffd094\",\"object_id\":\"3ba3560a57994112a66c91e4e4e66f13\",\"direction\":\"out\",\"edge_id\":\"KZl^h!\\\\k*Qi@?5AT=\\\",D6`(M?TZ+km#h$&kn,W(2O71>#cf\\r\\n\\r\\n \\r\\n EXAMPLE\\\\master\\r\\n 
d\u00e9ploiement de l'agent SYSMON sur les PC\\r\\n \\\\Agent Sysmon\\r\\n \\r\\n \\r\\n \\r\\n 2024-03-27T10:58:36\\r\\n 2024-03-27T10:59:31\\r\\n true\\r\\n \\r\\n \\r\\n \\r\\n \\r\\n HighestAvailable\\r\\n NT AUTHORITY\\\\System\\r\\n S4U\\r\\n \\r\\n \\r\\n \\r\\n IgnoreNew\\r\\n false\\r\\n false\\r\\n false\\r\\n true\\r\\n false\\r\\n \\r\\n PT5M\\r\\n PT1H\\r\\n false\\r\\n false\\r\\n \\r\\n true\\r\\n true\\r\\n false\\r\\n false\\r\\n false\\r\\n PT0S\\r\\n PT0S\\r\\n 7\\r\\n \\r\\n \\r\\n \\r\\n \\\\\\\\exm-atl-01\\\\netlogon\\\\agent-sysmon\\\\sysmon.exe\\r\\n -accepteula -i \\\\\\\\exm-atl-01\\\\netlogon\\\\agent-sysmon\\\\sysmonconfig-export.xml\\r\\n \\r\\n \\r\\n\",\n \"TaskName\": \"\\\\Agent Sysmon\"\n },\n \"id\": 4698\n },\n \"event\": {\n \"provider\": \"Microsoft-Windows-Security-Auditing\",\n \"code\": 4698\n },\n \"agent\": {\n \"id\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\n \"version\": \"v1.5.0+909fc425bc21557bcd09cdd599f43eaeab13b9db\"\n },\n \"host\": {\n \"os\": {\n \"type\": \"windows\"\n },\n \"hostname\": \"EXPL111\",\n \"ip\": [\n \"1.2.3.4\"\n ]\n },\n \"process\": {\n \"parent\": {\n \"pid\": 1188\n }\n },\n \"@timestamp\": \"2024-03-27T09:58:31.8443945Z\"\n}", + "event": { + "code": "4698", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-03-27T09:58:31.844394Z", + "action": { + "id": 4698, + "properties": { + "ClientProcessId": "10704", + "ClientProcessStartKey": "14918173765668009", + "EventType": "AUDIT_SUCCESS", + "FQDN": "EXPL111.example.org", + "Keywords": "0x8020000000000000", + "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "RpcCallClientLocality": "0", + "Severity": "LOG_ALWAYS", + "SourceName": "Microsoft-Windows-Security-Auditing", + "SubjectDomainName": "EXAMPLE", + "SubjectLogonId": "0x3E7", + "SubjectUserName": "EXPL111$", + "SubjectUserSid": "S-1-5-18", + "TaskContent": "\r\n\r\n \r\n EXAMPLE\\master\r\n d\u00e9ploiement de l'agent SYSMON 
sur les PC\r\n \\Agent Sysmon\r\n \r\n \r\n \r\n 2024-03-27T10:58:36\r\n 2024-03-27T10:59:31\r\n true\r\n \r\n \r\n \r\n \r\n HighestAvailable\r\n NT AUTHORITY\\System\r\n S4U\r\n \r\n \r\n \r\n IgnoreNew\r\n false\r\n false\r\n false\r\n true\r\n false\r\n \r\n PT5M\r\n PT1H\r\n false\r\n false\r\n \r\n true\r\n true\r\n false\r\n false\r\n false\r\n PT0S\r\n PT0S\r\n 7\r\n \r\n \r\n \r\n \\\\exm-atl-01\\netlogon\\agent-sysmon\\sysmon.exe\r\n -accepteula -i \\\\exm-atl-01\\netlogon\\agent-sysmon\\sysmonconfig-export.xml\r\n \r\n \r\n", + "TaskContentNew_Args": "-accepteula -i \\\\exm-atl-01\\netlogon\\agent-sysmon\\sysmonconfig-export.xml", + "TaskContentNew_Command": "\\\\exm-atl-01\\netlogon\\agent-sysmon\\sysmon.exe", + "TaskName": "\\Agent Sysmon" + } + }, + "agent": { + "id": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", + "version": "v1.5.0+909fc425bc21557bcd09cdd599f43eaeab13b9db" + }, + "host": { + "hostname": "EXPL111", + "ip": [ + "1.2.3.4" + ], + "name": "EXPL111", + "os": { + "type": "windows" + } + }, + "process": { + "parent": { + "pid": 1188 + } + }, + "related": { + "hosts": [ + "EXPL111" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "EXPL111$" + ] + }, + "user": { + "domain": "EXAMPLE", + "id": "S-1-5-18", + "name": "EXPL111$" + } + } + + ``` + + === "dns_results.json" ```json @@ -1141,6 +1286,8 @@ The following table lists the fields that are extracted, normalized under the EC | Name | Type | Description | | ---- | ---- | ---------------------------| |`@timestamp` | `date` | Date/time when the event originated. | +|`action.properties.TaskContentNew_Args` | `keyword` | | +|`action.properties.TaskContentNew_Command` | `keyword` | | |`auditd.data.a1` | `keyword` | argument 1 of syscall | |`auditd.data.a2` | `keyword` | argument 2 of syscall | |`auditd.data.a3` | `keyword` | argument 3 of syscall | 
diff --git a/_shared_content/operations_center/integrations/generated/255764ef-eaf6-4964-958e-81b9418e6584.md b/_shared_content/operations_center/integrations/generated/255764ef-eaf6-4964-958e-81b9418e6584.md index 4ae8f637af..b09c01a8f3 100644 --- a/_shared_content/operations_center/integrations/generated/255764ef-eaf6-4964-958e-81b9418e6584.md +++ b/_shared_content/operations_center/integrations/generated/255764ef-eaf6-4964-958e-81b9418e6584.md @@ -18,7 +18,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `malware`, `process` | | Type | `info` | @@ -41,7 +41,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "reason": "Error verifying application databases and modules", "type": [ "info" @@ -84,7 +83,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "reason": "Not all components were updated", "type": [ "info" @@ -124,7 +122,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "malware" ], - "kind": "event", "reason": "Expert analysis", "type": [ "info" @@ -178,7 +175,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "malware" ], - "kind": "event", "reason": "Already processed", "type": [ "info" @@ -232,7 +228,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "malware" ], - "kind": "event", "type": [ "info" ] @@ -285,7 +280,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "module": "File Threat Protection", "reason": "Object not processed because of Size", "type": [ 
@@ -332,7 +326,6 @@ The following table lists the fields that are extracted, normalized under the EC |`error.message` | `match_only_text` | Error message. | |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.module` | `keyword` | Name of the module this data is coming from. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | diff --git a/_shared_content/operations_center/integrations/generated/2886cd2d-f686-4e7d-9976-250cba2eaf5b.md b/_shared_content/operations_center/integrations/generated/2886cd2d-f686-4e7d-9976-250cba2eaf5b.md index 986c0e8fb6..5d5b86f55a 100644 --- a/_shared_content/operations_center/integrations/generated/2886cd2d-f686-4e7d-9976-250cba2eaf5b.md +++ b/_shared_content/operations_center/integrations/generated/2886cd2d-f686-4e7d-9976-250cba2eaf5b.md @@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `web` | | Type | `access` | @@ -41,7 +41,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "dataset": "access_log", "duration": 17000000, - "kind": "event", "type": [ "access" ] 
@@ -128,7 +127,6 @@ The following table lists the fields that are extracted, normalized under the EC |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.dataset` | `keyword` | Name of the dataset. | |`event.duration` | `long` | Duration of the event in nanoseconds. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`host.os.full` | `keyword` | Operating system name, including the version or code name. | |`http.request.method` | `keyword` | HTTP request method. | diff --git a/_shared_content/operations_center/integrations/generated/2b13307b-7439-4973-900a-2b58303cac90.md b/_shared_content/operations_center/integrations/generated/2b13307b-7439-4973-900a-2b58303cac90.md index 4b4a2097c9..c94f22fe3e 100644 --- a/_shared_content/operations_center/integrations/generated/2b13307b-7439-4973-900a-2b58303cac90.md +++ b/_shared_content/operations_center/integrations/generated/2b13307b-7439-4973-900a-2b58303cac90.md @@ -22,7 +22,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `["authentication"]`, `["configuration"]`, `["file"]`, `["network"]`, `["process"]`, `["session"]`, `session` | | Type | `["info"]`, `end`, `start` | @@ -44,7 +44,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "type": [ "end" ] @@ -84,7 +83,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "type": [ "end" ] @@ -124,7 +122,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "type": [ "end" ] 
@@ -158,7 +155,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "type": [ "info" ] @@ -198,7 +194,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "session" ], - "kind": "event", "type": [ "info" ] @@ -241,7 +236,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "session" ], - "kind": "event", "type": [ "info" ] @@ -294,7 +288,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "session" ], - "kind": "event", "type": [ "end" ] @@ -326,7 +319,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "session" ], - "kind": "event", "type": [ "start" ] @@ -358,7 +350,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "type": [ "info" ] @@ -390,7 +381,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "configuration" ], - "kind": "event", "type": [ "change" ] @@ -429,7 +419,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "session" ], - "kind": "event", "type": [ "end" ] @@ -468,7 +457,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "session" ], - "kind": "event", "type": [ "start" ] @@ -507,7 +495,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "session" ], - "kind": "event", "outcome": "failure", "type": [ "start" @@ -547,7 +534,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "session" ], - "kind": "event", "type": [ "end" ] @@ -586,7 +572,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "session" ], - "kind": "event", "type": [ "start" ] 
@@ -625,7 +610,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] @@ -659,7 +643,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "connection" ] @@ -693,7 +676,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "type": [ "info" ] @@ -720,7 +702,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "type": [ "info" ] @@ -756,7 +737,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "type": [ "info" ] @@ -791,7 +771,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "type": [ "info" ] @@ -818,7 +797,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "session" ], - "kind": "event", "outcome": "failure", "type": [ "start" @@ -859,7 +837,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "session" ], - "kind": "event", "outcome": "success", "type": [ "end" @@ -900,7 +877,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "outcome": "failed", "reason": "Permission denied", "type": [ @@ -929,7 +905,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "file" ], - "kind": "event", "reason": "Unlocked", "type": [ "info" @@ -957,7 +932,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "file" ], - "kind": "event", "type": [ "info" ] 
@@ -984,7 +958,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "reason": "encrypt", "type": [ "info" @@ -1016,7 +989,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "reason": "iScsi connection 0 stopped for vmhba64:C0:T3", "type": [ "info" @@ -1041,7 +1013,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "reason": "Unset _accessible for datastore (/vmfs/volumes/aaaaaaaa-bbbbbbbb)", "type": [ "info" @@ -1066,7 +1037,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "has recovered (2 attempts)", "type": [ "info" @@ -1091,7 +1061,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "reason": "Event 974626 : User vpxuser@10.79.50.22 logged out (login time: Tuesday, 18 April, 2023 07:14:36 AM, number of API invocations: 3, user agent: pyvmomi)", "type": [ "info" @@ -1116,7 +1085,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "reason": "Failed to shutdown socket; , >, e: 104(shutdown: Connection reset by peer)", "type": [ "info" @@ -1141,7 +1109,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "reason": "Connected to localhost:8307 (/sdk) over , >", "type": [ "info" @@ -1166,7 +1133,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "reason": "Trust Authority Components not configured.", "type": [ "info" 
@@ -1191,7 +1157,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "reason": "Healthstatus of VM /vmfs/volumes/0ced57f7-f5da65c8/ntpnim02/ntpnim02.vmx on live hostId host-103 : true", "type": [ "info" @@ -1216,7 +1181,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "reason": "NetstackInstanceImpl: congestion control algorithm: newreno", "type": [ "info" @@ -1241,7 +1205,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "reason": "Unset _accessible for datastore (/vmfs/volumes/aaaaaaaa-bbbbbbbb)", "type": [ "info" @@ -1266,7 +1229,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "type": [ "info" ] @@ -1297,7 +1259,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "type": [ "info" ] @@ -1328,7 +1289,6 @@ The following table lists the fields that are extracted, normalized under the EC | Name | Type | Description | | ---- | ---- | ---------------------------| |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.outcome` | `keyword` | The outcome of the event. The lowest level categorization field in the hierarchy. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | diff --git a/_shared_content/operations_center/integrations/generated/2e9d87ed-6606-445a-90d1-9c7695b28335.md b/_shared_content/operations_center/integrations/generated/2e9d87ed-6606-445a-90d1-9c7695b28335.md index 3a057d0621..68abf5a251 100644 
--- a/_shared_content/operations_center/integrations/generated/2e9d87ed-6606-445a-90d1-9c7695b28335.md +++ b/_shared_content/operations_center/integrations/generated/2e9d87ed-6606-445a-90d1-9c7695b28335.md @@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `email` | | Type | `info` | @@ -39,7 +39,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "email" ], - "kind": "event", "type": [ "info" ] @@ -77,7 +76,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "email" ], - "kind": "event", "type": [ "info" ] @@ -133,7 +131,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "email" ], - "kind": "event", "type": [ "info" ] @@ -179,7 +176,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "email" ], - "kind": "event", "type": [ "info" ] @@ -233,7 +229,6 @@ The following table lists the fields that are extracted, normalized under the EC |`email.to.address` | `keyword` | Email address of recipient | |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`trendmicro.email.embedded_urls` | `array` | | diff --git a/_shared_content/operations_center/integrations/generated/325369ba-8515-45b4-b750-5db882ea1266.md b/_shared_content/operations_center/integrations/generated/325369ba-8515-45b4-b750-5db882ea1266.md index a6a9972023..64d1360323 100644 --- a/_shared_content/operations_center/integrations/generated/325369ba-8515-45b4-b750-5db882ea1266.md 
+++ b/_shared_content/operations_center/integrations/generated/325369ba-8515-45b4-b750-5db882ea1266.md @@ -17,7 +17,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `network` | | Type | `` | @@ -40,7 +40,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "Firewall", - "kind": "event", "module": "Invalid Traffic", "reason": "Could not associate packet to any connection.", "type": [ @@ -115,7 +114,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] @@ -177,7 +175,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "Content Filtering", - "kind": "event", "module": "SSL", "type": [ "info" @@ -235,7 +232,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "SD-WAN", - "kind": "event", "module": "SLA", "type": [ "info" @@ -267,7 +263,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "Content Filtering", - "kind": "event", "module": "HTTP", "type": [ "info" @@ -348,7 +343,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] @@ -393,7 +387,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] @@ -438,7 +431,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] @@ -484,7 +476,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "Firewall", - "kind": "event", "module": "Firewall Rule", "type": [ "info" 
@@ -563,7 +554,6 @@ The following table lists the fields that are extracted, normalized under the EC |`destination.port` | `long` | Port of the destination. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.dataset` | `keyword` | Name of the dataset. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.module` | `keyword` | Name of the module this data is coming from. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`host.ip` | `ip` | Host ip addresses. | diff --git a/_shared_content/operations_center/integrations/generated/331fa58d-8cf9-454a-a87f-48a3dc07d4d3.md b/_shared_content/operations_center/integrations/generated/331fa58d-8cf9-454a-a87f-48a3dc07d4d3.md index 2c882c5603..bf311501dc 100644 --- a/_shared_content/operations_center/integrations/generated/331fa58d-8cf9-454a-a87f-48a3dc07d4d3.md +++ b/_shared_content/operations_center/integrations/generated/331fa58d-8cf9-454a-a87f-48a3dc07d4d3.md @@ -21,7 +21,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `alert`, `event` | +| Kind | `alert` | | Category | `network` | | Type | `connection`, `info` | @@ -199,7 +199,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] @@ -246,7 +245,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] @@ -272,7 +270,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "connection" ] @@ -331,7 +328,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "connection" ] 
@@ -412,7 +408,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "connection" ] @@ -474,7 +469,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "connection" ] @@ -536,7 +530,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "connection" ] @@ -584,7 +577,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "connection" ] @@ -715,7 +707,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "connection" ] @@ -762,7 +753,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "connection" ] @@ -809,7 +799,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] @@ -833,7 +822,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "severity": 3, "type": [ "connection" diff --git a/_shared_content/operations_center/integrations/generated/340e3bc7-2b76-48e4-9833-e971451b2979.md b/_shared_content/operations_center/integrations/generated/340e3bc7-2b76-48e4-9833-e971451b2979.md index 019901077f..9df7663af9 100644 --- a/_shared_content/operations_center/integrations/generated/340e3bc7-2b76-48e4-9833-e971451b2979.md +++ b/_shared_content/operations_center/integrations/generated/340e3bc7-2b76-48e4-9833-e971451b2979.md @@ -19,7 +19,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `network` | | Type | `` | 
@@ -38,54 +38,53 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"flow_state\": \"begin\",\"resourceId\":\"/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG\",\"macAddress\":\"DB831EFEC376\",\"flow.0\":\"1493763938,1.2.3.4,5.6.7.8,35370,23,T,I,A,B,,,,\",\"rule\":\"DefaultRule_AllowVnetOutBound\",\"operationName\":\"NetworkSecurityGroupFlowEvents\",\"time\":\"2020-12-14T22:16:46.3528160Z\",\"version\":\"2\"}", "event": { - "kind": "event", + "action": "accept", "category": [ "network" ], "code": "NetworkSecurityGroupFlowEvents", - "action": "accept", "type": [ "allowed" ] }, - "rule": { - "name": "DefaultRule_AllowVnetOutBound" - }, "action": { - "type": "DefaultRule_AllowVnetOutBound", - "target": "network-traffic", + "name": "accept", "properties": [ { - "OperationName": "NetworkSecurityGroupFlowEvents", "FlowState": "begin", + "OperationName": "NetworkSecurityGroupFlowEvents", "Version": "2" } ], - "name": "accept" + "target": "network-traffic", + "type": "DefaultRule_AllowVnetOutBound" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 23 }, "host": { "name": "/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG" }, "network": { - "transport": "tcp", - "direction": "inbound" - }, - "source": { - "ip": "1.2.3.4", - "port": 35370, - "mac": "DB831EFEC376", - "address": "1.2.3.4" - }, - "destination": { - "ip": "5.6.7.8", - "port": 23, - "address": "5.6.7.8" + "direction": "inbound", + "transport": "tcp" }, "related": { "ip": [ "1.2.3.4", "5.6.7.8" ] + }, + "rule": { + "name": "DefaultRule_AllowVnetOutBound" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "DB831EFEC376", + "port": 35370 } } 
@@ -99,58 +98,57 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"flow_state\": \"end\", \"resourceId\":\"/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG\",\"macAddress\":\"DB831EFEC376\",\"flow.0\":\"1607984156,1.2.3.4,5.6.7.8,36422,8086,T,O,A,E,1,74,1,74\",\"rule\":\"DefaultRule_AllowVnetOutBound\",\"operationName\":\"NetworkSecurityGroupFlowEvents\",\"time\":\"2020-12-14T22:16:46.3528160Z\",\"version\":\"2\"}", "event": { - "kind": "event", + "action": "accept", "category": [ "network" ], "code": "NetworkSecurityGroupFlowEvents", - "action": "accept", "type": [ "allowed" ] }, - "rule": { - "name": "DefaultRule_AllowVnetOutBound" - }, "action": { - "type": "DefaultRule_AllowVnetOutBound", - "target": "network-traffic", + "name": "accept", "properties": [ { - "OperationName": "NetworkSecurityGroupFlowEvents", "FlowState": "end", + "OperationName": "NetworkSecurityGroupFlowEvents", "Version": "2" } ], - "name": "accept" + "target": "network-traffic", + "type": "DefaultRule_AllowVnetOutBound" + }, + "destination": { + "address": "5.6.7.8", + "bytes": 74, + "ip": "5.6.7.8", + "packets": 1, + "port": 8086 }, "host": { "name": "/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG" }, "network": { - "transport": "tcp", - "direction": "outbound" - }, - "source": { - "ip": "1.2.3.4", - "port": 36422, - "packets": 1, - "bytes": 74, - "mac": "DB831EFEC376", - "address": "1.2.3.4" - }, - "destination": { - "ip": "5.6.7.8", - "port": 8086, - "packets": 1, - "bytes": 74, - "address": "5.6.7.8" + "direction": "outbound", + "transport": "tcp" }, "related": { "ip": [ "1.2.3.4", "5.6.7.8" ] + }, + "rule": { + "name": "DefaultRule_AllowVnetOutBound" + }, + "source": { + "address": "1.2.3.4", + "bytes": 74, + "ip": "1.2.3.4", + "mac": "DB831EFEC376", + "packets": 1, 
+ "port": 36422 } } @@ -164,53 +162,52 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"flow_state\": \"begin\", \"source_addr\": \"1.3.4.2\", \"macAddress\": \"DB831EFEC376\", \"operationName\": \"NetworkSecurityGroupFlowEvents\", \"resourceId\": \"/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG\", \"time\": \"2021-03-24T10:55:03.0680749Z\", \"rule\": \"DefaultRule_AllowInternetOutBound\", \"flow.0\": \"1616583277,1.2.3.4,5.6.7.8,55486,443,T,O,A\"}", "event": { - "kind": "event", + "action": "accept", "category": [ "network" ], "code": "NetworkSecurityGroupFlowEvents", - "action": "accept", "type": [ "allowed" ] }, - "rule": { - "name": "DefaultRule_AllowInternetOutBound" - }, "action": { - "type": "DefaultRule_AllowInternetOutBound", - "target": "network-traffic", + "name": "accept", "properties": [ { - "OperationName": "NetworkSecurityGroupFlowEvents", - "FlowState": "begin" + "FlowState": "begin", + "OperationName": "NetworkSecurityGroupFlowEvents" } ], - "name": "accept" + "target": "network-traffic", + "type": "DefaultRule_AllowInternetOutBound" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 443 }, "host": { "name": "/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG" }, "network": { - "transport": "tcp", - "direction": "inbound" - }, - "source": { - "ip": "1.3.4.2", - "port": 55486, - "mac": "DB831EFEC376", - "address": "1.3.4.2" - }, - "destination": { - "ip": "5.6.7.8", - "port": 443, - "address": "5.6.7.8" + "direction": "inbound", + "transport": "tcp" }, "related": { "ip": [ "1.3.4.2", "5.6.7.8" ] + }, + "rule": { + "name": "DefaultRule_AllowInternetOutBound" + }, + "source": { + "address": "1.3.4.2", + "ip": "1.3.4.2", + "mac": "DB831EFEC376", + "port": 55486 } } 
@@ -235,7 +232,6 @@ The following table lists the fields that are extracted, normalized under the EC |`destination.port` | `long` | Port of the destination. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.code` | `keyword` | Identification code for this event. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`host.name` | `keyword` | Name of the host. | |`rule.name` | `keyword` | Rule name | |`source.bytes` | `long` | Bytes sent from the source to the destination. | diff --git a/_shared_content/operations_center/integrations/generated/35855de3-0728-4a83-ae19-e38e167432a1.md b/_shared_content/operations_center/integrations/generated/35855de3-0728-4a83-ae19-e38e167432a1.md index e3f5e4d66e..de6d44960e 100644 --- a/_shared_content/operations_center/integrations/generated/35855de3-0728-4a83-ae19-e38e167432a1.md +++ b/_shared_content/operations_center/integrations/generated/35855de3-0728-4a83-ae19-e38e167432a1.md @@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `authentication`, `configuration`, `network` | | Type | `change`, `connection`, `end`, `info`, `start` | @@ -39,7 +39,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "connection", "info" @@ -77,7 +76,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "type": [ "start" ] @@ -107,7 +105,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "type": [ "start" ] @@ -137,7 +134,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] 
@@ -158,7 +154,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] @@ -179,7 +174,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] @@ -200,7 +194,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] @@ -221,7 +214,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "type": [ "end" ] @@ -242,7 +234,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] @@ -263,7 +254,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "configuration" ], - "kind": "event", "type": [ "change" ] @@ -293,7 +283,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "configuration" ], - "kind": "event", "type": [ "change" ] @@ -317,7 +306,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] @@ -341,7 +329,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] @@ -365,7 +352,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] @@ -389,7 +375,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] @@ -413,7 +398,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] 
@@ -439,7 +423,6 @@ The following table lists the fields that are extracted, normalized under the EC |`destination.port` | `long` | Port of the destination. | |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`openldap.attribute` | `keyword` | OpenLDAP attribute | |`source.ip` | `ip` | IP address of the source. | diff --git a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md index 8d63e95328..6cbeed8aff 100644 --- a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md +++ b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md @@ -30,7 +30,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `alert`, `event` | +| Kind | `alert` | | Category | `authentication`, `driver`, `network`, `process`, `web` | | Type | `access`, `connection`, `info`, `start` | 
@@ -50,7 +50,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"message\": \"Cannot convert \\\\Device\\\\BootPartition\\\\Windows\\\\System32\\\\ntdll.dll - \\\\device\\\\bootpartition\", \"date\": \"2023-11-21T07:38:02.978Z\", \"@version\": \"1\", \"level\": \"ERROR\", \"worker\": false, \"@timestamp\": \"2023-11-21T07:38:25.190667Z\", \"tenant\": \"1111111111111111\", \"@event_create_date\": \"2023-11-21T07:38:02.978Z\", \"hostname\": \"example\", \"object_type\": \"agentlog\", \"log_type\": \"agentlog\", \"agent_id\": \"5028ff9e-d536-4e91-9d5f-1e30c3765672\"}", "event": { "dataset": "agentlog", - "kind": "event", "reason": "Cannot convert \\Device\\BootPartition\\Windows\\System32\\ntdll.dll - \\device\\bootpartition", "type": [ "info" 
@@ -366,6 +365,110 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "alert_3.json" + + ```json + + { + "message": "{\"@version\":\"1\",\"maturity\":\"stable\",\"log_type\":\"alert\",\"rule_name\":\"PowerShellInvoke-CommandExecutedonRemoteHost\",\"status\":\"new\",\"alert_type\":\"sigma\",\"level\":\"low\",\"quarantine\":4,\"threat_type\":\"commandline\",\"groups\":[{\"name\":\"Servers\",\"id\":\"19d20ee5-e12a-4f61-9321-edee5887ae1f\"}],\"rule_id\":\"59182ccc-f0e2-44a7-8531-4c586aea8c50\",\"msg\":\"DetectstheexecutionofPowerShellcommandInvoke-Commandonremotehost.\\nAttackerscanusethistechniquetoexecuteremotecommandsonatargethost,aspartoflateralmovement.\",\"alert_time\":\"2024-03-15T16:36:41.300+00:00\",\"alert_subtype\":\"process\",\"@event_create_date\":\"2024-03-15T16:36:41.300Z\",\"tags\":[\"attack.execution\",\"attack.lateral_movement\",\"attack.t1021.006\",\"attack.t1059.001\"],\"agent\":{\"domainname\":\"Example\",\"ostype\":\"windows\",\"hostname\":\"SRV001\",\"osproducttype\":\"WindowsServer2016Standard\",\"osversion\":\"10.0.14393\",\"additional_info\":{},\"version\":\"3.2.9\",\"distroid\":null,\"agentid\":\"8ba078ee-320f-406f-aa22-1ae08c94a699\",\"dnsdomainname\":\"example.org\",\"domain\":null},\"level_int\":20,\"type\":\"rtlogs\",\"detection_origin\":\"agent\",\"threat_values\":[\":\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell_ise.exe\"],\"details_powershell\":{\"PowershellCommand\":\"\\nfunctionGetWindowsServers{\\n$servers=Get-ADComputer-Filter{OperatingSystem-like\\\"*WindowsServer*\\\"}|Select-Object-ExpandPropertyName-First10\\nreturn$servers\\n}\\n\\n\\nfunctionGetWindowsRoles{\\nparam(\\n[string]$server\\n)\\n\\n$roles=Get-WindowsFeature-ComputerName$server|Where-Object{$_.Installed-eq$true}|Select-Object-ExpandPropertyName\\nreturn$roles\\n}\\n\\n\\nfunctionGetInstalledApplications{\\nparam(\\n[string]$server\\n)\\n\\n$applications=Get-WmiObject-ClassWin32_Product-ComputerName$server|Sele
ct-ObjectName,Version\\nreturn$applications\\n}\\n\\n\\nfunctionGetServices{\\nparam(\\n[string]$server\\n)\\n\\n$services=Get-Service-ComputerName$server\\nreturn$services\\n}\\n\\nfunctionGetOpenFlows{\\nparam(\\n[string]$server\\n)\\n\\n$flows=Invoke-Command-ComputerName$server-ScriptBlock{Get-NetTCPConnection|Select-ObjectLocalAddress,LocalPort,RemoteAddress,RemotePort}\\nreturn$flows\\n}\\n\\n\\nfunctionSortFlows{\\nparam(\\n[array]$flows\\n)\\n\\n$sortedFlows=$flows|Group-ObjectLocalPort,RemoteAddress|Sort-ObjectCount,Name\\nreturn$sortedFlows\\n}\\n\\n\\nfunctionEstablishLink{\\nparam(\\n[array]$flows,\\n[array]$servers\\n)\\n\\n$link=@{}\\n\\nforeach($flowin$flows){\\n$link[$flow]=$servers|Where-Object{$_-ne$flow}\\n}\\n\\nreturn$link\\n}\\n\\n\\nfunctionExportResults{\\nparam(\\n[hashtable]$results,\\n[string]$outputPath\\n)\\n\\n$results.GetEnumerator()|ForEach-Object{\\n$server=$_.Key\\n$flows=$_.Value\\n\\n$table=$flows|Select-ObjectLocalAddress,LocalPort,RemoteAddress,RemotePort\\n$table|Export-Csv-Path\\\"$outputPath\\\\$server.csv\\\"-NoTypeInformation-Delimiter\\\";\\\"-EncodingDefault\\n}\\n}\\n\\n\\n$servers=GetWindowsServers\\n\\nforeach($serverin$servers){\\n$roles=GetWindowsRoles-server$server\\n\\n$applications=GetInstalledApplications-server$server\\n\\n$services=GetServices-server$server\\n\\n$flows=GetOpenFlows-server$server\\n\\n$sortedFlows=SortFlows-flows$flows\\n\\n$link=EstablishLink-flows$sortedFlows-servers$servers\\n\\nExportResults-results$link-outputPath\\\"C:\\\\Scripts\\\\JIV\\\\Network\\\\Get-FaInterco\\\\Result\\\"\\n}\",\"PowershellScriptPath\":\"C:\\\\Scripts\\\\SomeWhere\\\\Get-FaInterco\\\\Get-FaNetworkFlowV2.ps1\"},\"threat_key\":16364,\"tenant\":\"\",\"alert_unique_id\":\"7202cdc8-0db4-49b6-809b-f5ebca7e55c7\",\"execution\":0,\"mitre_cells\":[\"execution__t1059.001\",\"lateral-movement__t1021.006\"],\"process\":{\"pid\":88872,\"size\":212992,\"usersid\":\"S-1-5-21-111111111-2222222222-333333333-44444\",\"fake_parent_comma
ndline\":\"\",\"pe_timestamp\":\"2020-10-29T03:43:18.000Z\",\"hashes\":{\"md5\":\"8a2122e8162dbef04620b9c3e0b6cdee\",\"sha1\":\"f1efb0fddc156e4c61c5f89a54700e4e7984d55d\",\"sha256\":\"b99d74d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450\"},\"log_type\":\"process\",\"status\":0,\"log_platform_flag\":0,\"parent_unique_id\":\"cd7f1659-df4d-4c65-9d64-5b865a6e6ffc\",\"signature_info\":{\"signer_info\":{\"thumbprint_sha256\":\"2724aeb0c497bf5fd732958120d1ae3341cfd252ab1680de03d10503abc666c1\",\"issuer_name\":\"MicrosoftWindowsProductionPCA2011\",\"display_name\":\"MicrosoftWindows\",\"thumbprint\":\"8870483e0e833965a53f422494f1614f79286851\",\"serial_number\":\"33000004158295a1a3d82e2857000000000415\"},\"root_info\":{\"thumbprint_sha256\":\"df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e\",\"issuer_name\":\"MicrosoftRootCertificateAuthority2010\",\"display_name\":\"MicrosoftRootCertificateAuthority2010\",\"thumbprint\":\"3b1efd3a66ea28b16697394703a72ca340a05bd5\",\"serial_number\":\"28cc3a25bfba44ac449a9b586b4339aa\"},\"signed_authenticode\":false,\"signed_catalog\":true},\"integrity_level\":\"High\",\"current_directory\":\"C:\\\\Windows\\\\system32\\\\\",\"parent_commandline\":\"C:\\\\Windows\\\\System32\\\\RuntimeBroker.exe-Embedding\",\"parent_integrity_level\":\"Medium\",\"process_unique_id\":\"12b26748-e6af-46ff-9f16-994a7e3b6948\",\"grandparent_image\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"pe_info\":{\"pe_timestamp\":\"2020-10-29T03:43:18.000Z\",\"company_name\":\"MicrosoftCorporation\",\"original_filename\":\"powershell_ise.EXE\",\"legal_copyright\":\"\u00a9MicrosoftCorporation.Allrightsreserved.\",\"product_version\":\"10.0.14393.4046\",\"product_name\":\"Microsoft\u00aeWindows\u00aeOperatingSystem\",\"internal_name\":\"POWERSHELL_ISE\",\"file_description\":\"WindowsPowerShellISE\",\"file_version\":\"10.0.14393.4046(rs1_release.201028-1803)\"},\"ancestors\":\"C:\\\\Windows\\\\System32\\\\RuntimeBroker.exe|C:\\\\Windows\\\\Syst
em32\\\\svchost.exe|C:\\\\Windows\\\\System32\\\\services.exe|C:\\\\Windows\\\\System32\\\\wininit.exe\",\"signed\":true,\"ppid\":502776,\"ioc_matches\":[],\"commandline\":\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\",\"logonid\":14859541118,\"fake_parent_image\":\"\",\"grandparent_commandline\":\"C:\\\\Windows\\\\system32\\\\svchost.exe-kDcomLaunch\",\"dont_create_process\":true,\"grandparent_unique_id\":\"6b6af4c3-490c-4abf-81e0-33e914084c53\",\"fake_ppid\":0,\"create_time\":\"2024-03-15T15:22:56.982Z\",\"username\":\"EXAMPLE\\\\j.doe\",\"grandparent_integrity_level\":\"System\",\"pe_timestamp_int\":1603942998,\"parent_image\":\"C:\\\\Windows\\\\System32\\\\RuntimeBroker.exe\",\"session\":123,\"process_name\":\"powershell_ise.exe\",\"image_name\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\"},\"aggregation_key\":\"40fd5973a79d4e0f21e689938e5f269d20a3be780949eb6f408d5cb65c6974d1\",\"@timestamp\":\"2024-03-15T16:35:28.973874124Z\",\"image_name\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\"}", + "event": { + "category": [ + "process" + ], + "dataset": "alert", + "kind": "alert", + "type": [ + "start" + ] + }, + "@timestamp": "2024-03-15T16:36:41.300000Z", + "agent": { + "id": "8ba078ee-320f-406f-aa22-1ae08c94a699", + "name": "harfanglab" + }, + "file": { + "hash": { + "md5": "8a2122e8162dbef04620b9c3e0b6cdee", + "sha1": "f1efb0fddc156e4c61c5f89a54700e4e7984d55d", + "sha256": "b99d74d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450" + } + }, + "harfanglab": { + "aggregation_key": "40fd5973a79d4e0f21e689938e5f269d20a3be780949eb6f408d5cb65c6974d1", + "alert_subtype": "process", + "alert_time": "2024-03-15T16:36:41.300+00:00", + "alert_unique_id": "7202cdc8-0db4-49b6-809b-f5ebca7e55c7", + "execution": 0, + "groups": [ + "{\"id\": \"19d20ee5-e12a-4f61-9321-edee5887ae1f\", \"name\": \"Servers\"}" + ], + "level": "low", + "process": { + "powershell": { + 
"command": "\nfunctionGetWindowsServers{\n$servers=Get-ADComputer-Filter{OperatingSystem-like\"*WindowsServer*\"}|Select-Object-ExpandPropertyName-First10\nreturn$servers\n}\n\n\nfunctionGetWindowsRoles{\nparam(\n[string]$server\n)\n\n$roles=Get-WindowsFeature-ComputerName$server|Where-Object{$_.Installed-eq$true}|Select-Object-ExpandPropertyName\nreturn$roles\n}\n\n\nfunctionGetInstalledApplications{\nparam(\n[string]$server\n)\n\n$applications=Get-WmiObject-ClassWin32_Product-ComputerName$server|Select-ObjectName,Version\nreturn$applications\n}\n\n\nfunctionGetServices{\nparam(\n[string]$server\n)\n\n$services=Get-Service-ComputerName$server\nreturn$services\n}\n\nfunctionGetOpenFlows{\nparam(\n[string]$server\n)\n\n$flows=Invoke-Command-ComputerName$server-ScriptBlock{Get-NetTCPConnection|Select-ObjectLocalAddress,LocalPort,RemoteAddress,RemotePort}\nreturn$flows\n}\n\n\nfunctionSortFlows{\nparam(\n[array]$flows\n)\n\n$sortedFlows=$flows|Group-ObjectLocalPort,RemoteAddress|Sort-ObjectCount,Name\nreturn$sortedFlows\n}\n\n\nfunctionEstablishLink{\nparam(\n[array]$flows,\n[array]$servers\n)\n\n$link=@{}\n\nforeach($flowin$flows){\n$link[$flow]=$servers|Where-Object{$_-ne$flow}\n}\n\nreturn$link\n}\n\n\nfunctionExportResults{\nparam(\n[hashtable]$results,\n[string]$outputPath\n)\n\n$results.GetEnumerator()|ForEach-Object{\n$server=$_.Key\n$flows=$_.Value\n\n$table=$flows|Select-ObjectLocalAddress,LocalPort,RemoteAddress,RemotePort\n$table|Export-Csv-Path\"$outputPath\\$server.csv\"-NoTypeInformation-Delimiter\";\"-EncodingDefault\n}\n}\n\n\n$servers=GetWindowsServers\n\nforeach($serverin$servers){\n$roles=GetWindowsRoles-server$server\n\n$applications=GetInstalledApplications-server$server\n\n$services=GetServices-server$server\n\n$flows=GetOpenFlows-server$server\n\n$sortedFlows=SortFlows-flows$flows\n\n$link=EstablishLink-flows$sortedFlows-servers$servers\n\nExportResults-results$link-outputPath\"C:\\Scripts\\JIV\\Network\\Get-FaInterco\\Result\"\n}", + 
"script_path": "C:\\Scripts\\SomeWhere\\Get-FaInterco\\Get-FaNetworkFlowV2.ps1" + } + }, + "status": "new" + }, + "host": { + "domain": "Example", + "hostname": "SRV001", + "name": "SRV001", + "os": { + "full": "WindowsServer2016Standard", + "version": "10.0.14393" + } + }, + "log": { + "hostname": "SRV001" + }, + "process": { + "command_line": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe", + "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", + "name": "powershell_ise.exe", + "parent": { + "command_line": "C:\\Windows\\System32\\RuntimeBroker.exe-Embedding", + "executable": "C:\\Windows\\System32\\RuntimeBroker.exe" + }, + "pe": { + "company": "MicrosoftCorporation", + "description": "WindowsPowerShellISE", + "file_version": "10.0.14393.4046(rs1_release.201028-1803)", + "original_file_name": "powershell_ise.EXE", + "product": "Microsoft\u00aeWindows\u00aeOperatingSystem" + }, + "pid": 88872, + "working_directory": "C:\\Windows\\system32\\" + }, + "related": { + "hash": [ + "8a2122e8162dbef04620b9c3e0b6cdee", + "b99d74d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "f1efb0fddc156e4c61c5f89a54700e4e7984d55d" + ], + "hosts": [ + "SRV001" + ], + "user": [ + "EXAMPLE\\j.doe" + ] + }, + "rule": { + "category": "sigma", + "description": "DetectstheexecutionofPowerShellcommandInvoke-Commandonremotehost.\nAttackerscanusethistechniquetoexecuteremotecommandsonatargethost,aspartoflateralmovement.", + "id": "59182ccc-f0e2-44a7-8531-4c586aea8c50", + "name": "PowerShellInvoke-CommandExecutedonRemoteHost" + }, + "user": { + "name": "EXAMPLE\\j.doe", + "roles": "Servers" + } + } + + ``` + + === "alert_false_positive.json" ```json @@ -473,7 +576,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "web" ], "dataset": "auditlog", - "kind": "event", "reason": "User User logged in", "type": [ "access" 
@@ -541,7 +643,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "4625", "dataset": "authentication", - "kind": "event", "reason": "An account failed to log on", "type": [ "end", @@ -633,7 +734,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "connectionlog", - "kind": "event", "type": [ "info" ] @@ -664,7 +764,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "dns_resolution", - "kind": "event", "type": [ "info" ] @@ -736,7 +835,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "driver" ], "dataset": "driverload", - "kind": "event", "type": [ "info" ] @@ -809,7 +907,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process" ], "dataset": "injectedthread", - "kind": "event", "type": [ "info" ] 
@@ -862,7 +959,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"cmdline\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k wusvcs -p\",\"session\":0,\"pid\":3092,\"job_id\":\"c0cbd87c-c793-4af9-9ecf-53739f3f27a5\",\"process_bits\":64,\"@timestamp\":\"2021-05-01T07:49:08.043Z\",\"username\":\"NT AUTHORITY\\\\SYSTEM\",\"@version\":\"1\",\"log_type\":\"investigation\",\"binaryinfo\":{\"filename\":\"svchost.exe\",\"fullpath\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"binaryinfo\":{\"root_thumbprint\":\"3b1efd3a66ea28b16697394703a72ca340a05bd5\",\"pe_file_version\":\"10.0.17763.1 (WinBuild.160101.0800)\",\"filesize\":51696,\"signer_serial_number\":\"33000001a90f2d80c9a929387c0000000001a9\",\"pe_timestamp_int\":3103846143,\"pe_legal_copyright\":\"\u00a9 Microsoft Corporation. All rights reserved.\",\"signed_catalog\":false,\"signer_display_name\":\"Microsoft Windows Publisher\",\"sha1\":\"a1385ce20ad79f55df235effd9780c31442aa234\",\"signer_issuer_name\":\"Microsoft Windows Production PCA 2011\",\"signed_authenticode\":true,\"pe_company_name\":\"Microsoft Corporation\",\"md5\":\"8a0a29438052faed8a2532da50455756\",\"pe_product_version\":\"10.0.17763.1\",\"pe_internal_name\":\"svchost.exe\",\"pe_timestamp\":\"2068-05-10 03:29:03.000\",\"root_serial_number\":\"28cc3a25bfba44ac449a9b586b4339aa\",\"pe_imphash\":\"247B9220E5D9B720A82B2C8B5069AD69\",\"sha256\":\"7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6\",\"root_display_name\":\"Microsoft Root Certificate Authority 2010\",\"pe_file_description\":\"Host Process for Windows Services\",\"root_issuer_name\":\"Microsoft Root Certificate Authority 2010\",\"pe_original_filename\":\"svchost.exe\",\"pe_product_name\":\"Microsoft\u00ae Windows\u00ae Operating 
System\",\"signed\":true,\"signer_thumbprint\":\"458d803a5cf470dd3f01a475214938d97a5051e8\"},\"fullpath_cmdline\":null},\"job_instance_id\":\"c580fa86-4d9c-4cf0-bebf-24d31fc2ff56\",\"integrity_level\":\"Unknown\",\"item_status\":0,\"agent\":{\"osversion\":\"10.0.17763\",\"domainname\":\"WORKGROUP\",\"agentid\":\"77af54c8-910f-455d-b887-87cbc87430a4\",\"osproducttype\":\"Windows Server 2019 Datacenter\",\"hostname\":\"REDACTED\",\"domain\":null},\"object_type\":\"process\",\"mem_working_set\":7553024,\"critical\":true,\"signature_requested\":true,\"create_time\":\"2021-05-01T07:45:59.848Z\",\"name\":\"svchost.exe\",\"maybe_hollow\":false,\"mem_private_bytes\":1777664,\"ppid\":752,\"status\":\"running\",\"exe\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"}", "event": { "dataset": "investigation", - "kind": "event", "type": [ "info" ] @@ -926,7 +1022,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "network", - "kind": "event", "type": [ "connection" ] @@ -995,7 +1090,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "network", - "kind": "event", "type": [ "connection" ] @@ -1065,7 +1159,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process" ], "dataset": "process", - "kind": "event", "type": [ "start" ] @@ -1158,7 +1251,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process" ], "dataset": "process", - "kind": "event", "type": [ "start" ] @@ -1341,7 +1433,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process" ], "dataset": "process", - "kind": "event", "type": [ "start" ] @@ -1429,7 +1520,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process" ], "dataset": "process", - "kind": "event", "type": [ "start" ] 
@@ -1526,7 +1616,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "code": "1001", "dataset": "eventlog", - "kind": "event", "provider": "Windows Error Reporting", "type": [ "info" @@ -1641,7 +1730,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "4624", "dataset": "eventlog", - "kind": "event", "provider": "Microsoft-Windows-Security-Auditing", "type": [ "info", @@ -1757,7 +1845,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "code": "53504", "dataset": "eventlog", - "kind": "event", "provider": "Microsoft-Windows-PowerShell", "type": [ "info" @@ -1810,7 +1897,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "4625", "dataset": "eventlog", - "kind": "event", "provider": "Microsoft-Windows-Security-Auditing", "reason": "bad_password", "type": [ @@ -1912,7 +1998,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "code": "1116", "dataset": "eventlog", - "kind": "event", "provider": "Microsoft-Windows-Windows Defender", "type": [ "info" @@ -2001,7 +2086,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "code": "5145", "dataset": "eventlog", - "kind": "event", "provider": "Microsoft-Windows-Security-Auditing", "type": [ "info" @@ -2112,6 +2196,7 @@ The following table lists the fields that are extracted, normalized under the EC |`harfanglab.groups` | `keyword` | harfanglab groups | |`harfanglab.level` | `keyword` | The risk level associated to the event | |`harfanglab.process.powershell.command` | `keyword` | The powershell command executed | +|`harfanglab.process.powershell.script_path` | `keyword` | The powershell script path | |`harfanglab.status` | `keyword` | The status of the event | |`harfanglab.threat_id` | `keyword` | Id of the threat | |`host.domain` | `keyword` | Name of the directory the group is a member of. | 
diff --git a/_shared_content/operations_center/integrations/generated/3f330d19-fdea-48ac-96bd-91a447bb26bd.md b/_shared_content/operations_center/integrations/generated/3f330d19-fdea-48ac-96bd-91a447bb26bd.md index 61eef77d8e..019357c6b5 100644 --- a/_shared_content/operations_center/integrations/generated/3f330d19-fdea-48ac-96bd-91a447bb26bd.md +++ b/_shared_content/operations_center/integrations/generated/3f330d19-fdea-48ac-96bd-91a447bb26bd.md @@ -18,7 +18,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `file`, `iam`, `network`, `process` | | Type | `info` | @@ -42,7 +42,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "Event::Endpoint::Application::Blocked", "end": "2022-04-25T03:15:31.760000Z", - "kind": "event", "reason": "Controlled application blocked: Google Software Reporter Tool (Security tool)", "type": [ "denied" @@ -100,7 +99,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "Event::Endpoint::Enc::DiskNotEncryptedEvent", "end": "2022-04-27T13:23:07.981000Z", - "kind": "event", "reason": "Device is not encrypted.", "type": [ "info" @@ -162,7 +160,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "Event::Endpoint::DataLossPreventionAutomaticallyAllowed", "end": "2022-04-25T03:15:31.760000Z", - "kind": "event", "reason": "An \u2033allow file transfer\u2033 action was taken. Username: DDDDD\\XXXXXXXXXX Rule names: \u2032Multimedia file\u2032 User action: File open Application Name: Firefox (V7 and higher) Data Control action: Allow File type: Media Container (TFT\u2215MPEG-4) File size: 559316722 Source path: C:\\Users\\XXXXXXXX\\Downloads\\YYYYYYYYYYYYYYYYY.mp4", "type": [ "allowed" 
@@ -226,7 +223,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "Event::Endpoint::DataLossPreventionAutomaticallyAllowed", "end": "2022-04-25T03:15:31.760000Z", - "kind": "event", "reason": "An \u2033allow file transfer\u2033 action was taken. Username: DDDDD\\XXXXXXXXXX Rule names: \u2032Multimedia file\u2032 User action: File open Application Name: Firefox (V7 and higher) Data Control action: Allow File type: Media Container (TFT\u2215MPEG-4) File size: 559316722 Source path: C:\\Users\\XXXXXXXX\\Downloads\\YYYYYYYYYYYYYYYYY.mp4 Destination path: D:\\XXXXXXXXXXXXXXX\\Documents\\Videos\\YYYYY.mp4 Destination type: Removable storage", "type": [ "allowed" @@ -296,7 +292,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "Event::Endpoint::Enc::DiskEncryptionInformation", "end": "2022-04-27T08:48:48.808000Z", - "kind": "event", "reason": "Device Encryption information for volume with id: 63E6153A-3663-44E1-A200-F1CD4CB9EBCE. Message: Encryption has been postponed.", "type": [ "info" @@ -359,7 +354,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "Event::Endpoint::Denc::EncryptionSuspendedEvent", "end": "2022-04-27T08:47:16.490000Z", - "kind": "event", "reason": "Device Encryption is suspended", "type": [ "info" @@ -421,7 +415,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "Event::Endpoint::HmpaExploitPrevented", "end": "2022-04-25T03:15:31.760000Z", - "kind": "event", "reason": "'CodeCave' exploit prevented in Essential Objects Worker Process", "type": [ "info" @@ -479,7 +472,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "Event::Endpoint::Enc::Recovery::KeyReceived", "end": "2022-04-27T13:22:08.749000Z", - "kind": "event", "reason": "A BitLocker recovery key has been received from: DESKTOP-1234.", "type": [ "info" 
@@ -541,7 +533,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "Event::Endpoint::Denc::OutlookPluginEnabledEvent", "end": "2022-04-27T13:22:06.909000Z", - "kind": "event", "reason": "Outlook add-in is enabled", "type": [ "info" @@ -603,7 +594,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "Event::Endpoint::CorePuaDetection", "end": "2022-04-25T03:15:31.760000Z", - "kind": "event", "reason": "PUA detected: 'Rule Generic PUA' at 'C:\\Users\\XXXXXXXXXX\\AppData\\Local\\Microsoft\\SquirrelTemp\\tempc'", "type": [ "info" @@ -666,7 +656,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "Event::Endpoint::CorePuaDetection", "end": "2023-08-07T21:55:27.508000Z", - "kind": "event", "reason": "PUA detected: 'Generic Reputation PUA' at 'C:\\Users\\John Doe\\Documents\\suspicious.zip'", "type": [ "info" @@ -742,7 +731,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "Event::Endpoint::Registered", "end": "2022-04-27T13:17:10.188000Z", - "kind": "event", "reason": "New computer registered: DESKTOP-1234", "type": [ "info" @@ -803,7 +791,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "Event::Endpoint::SavScanComplete", "end": "2022-04-27T08:59:59Z", - "kind": "event", "reason": "Scan 'Sophos Cloud Scheduled Scan' completed", "type": [ "info" @@ -865,7 +852,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "Event::Endpoint::UpdateFailure", "end": "2022-04-25T07:41:03.101000Z", - "kind": "event", "reason": "Download of WindowsCloudServer failed from server http:\u2215\u2215dci.sophosupd.com.", "type": [ "info" 
@@ -920,7 +906,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "Event::Endpoint::UpdateRebootRequired", "end": "2022-04-25T03:15:31.760000Z", - "kind": "event", "reason": "Reboot to complete update; computer stays protected in the meantime", "type": [ "info" @@ -975,7 +960,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "Event::Endpoint::UpdateSuccess", "end": "2022-04-25T04:57:09.886000Z", - "kind": "event", "reason": "Update succeeded", "type": [ "info" @@ -1029,7 +1013,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "Event::Endpoint::UserAutoCreated", "end": "2022-04-27T08:48:19.449000Z", - "kind": "event", "reason": "New user added automatically: TESLA\\e.musk", "type": [ "creation" @@ -1091,7 +1074,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "code": "Event::Endpoint::WebFilteringBlocked", "end": "2022-04-25T09:35:54Z", - "kind": "event", "reason": "Access was blocked to \"www.malicious-site.com\" because of \"Rulename\".", "type": [ "denied" @@ -1161,7 +1143,6 @@ The following table lists the fields that are extracted, normalized under the EC |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.code` | `keyword` | Identification code for this event. | |`event.end` | `date` | event.end contains the date when the event ended or when the activity was last observed. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`file.hash.sha256` | `keyword` | SHA256 hash. | 
diff --git a/_shared_content/operations_center/integrations/generated/40bac399-2d8e-40e3-af3b-f73a622c9687.md b/_shared_content/operations_center/integrations/generated/40bac399-2d8e-40e3-af3b-f73a622c9687.md index 51d1684e4c..dd591f8415 100644 --- a/_shared_content/operations_center/integrations/generated/40bac399-2d8e-40e3-af3b-f73a622c9687.md +++ b/_shared_content/operations_center/integrations/generated/40bac399-2d8e-40e3-af3b-f73a622c9687.md @@ -18,7 +18,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `network` | | Type | `access`, `allowed`, `connection`, `denied` | @@ -42,7 +42,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "10", - "kind": "event", "reason": "Blocked by URL filtering", "start": "2022-03-11T10:39:16.390000Z" }, @@ -148,7 +147,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "81", - "kind": "event", "reason": "Authentication Required", "start": "2022-03-17T13:14:39.134000Z" }, @@ -241,7 +239,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "10", - "kind": "event", "reason": "Blocked by URL filtering", "start": "2022-03-24T13:54:02.740000Z" }, @@ -327,7 +324,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "0", - "kind": "event", "start": "2022-03-11T09:50:47.399000Z", "type": [ "access", @@ -441,7 +437,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "access", "allowed", @@ -518,7 +513,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "url": { + "full": "https://ping-edge.smartscreen.microsoft.com/", + "original": "/", "path": "/", + "port": 443, "scheme": "https" }, "user": { 
@@ -529,6 +527,113 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "skyhigh_swg_1.json" + + ```json + + { + "message": "user_id=-1 username=user source_ip=1.2.3.4 http_action=PUT server_to_client_bytes=7976 client_to_server_bytes=860 requested_host=wetransfer.com requested_path=/api/v4/transfers/azerty123/finalize result=OBSERVED virus= request_timestamp_epoch=1699464228 request_timestamp=2023-11-08 17:23:48 uri_scheme=https category=Personal Network Storage media_type=text/plain application_type=WeTransfer Channel reputation=Minimal Risk last_rule=Block URLs Whose Category Is in Category Blocklist http_status_code=200 client_ip=4.3.2.1 location= block_reason= user_agent_product=Chrome user_agent_version=119.0.0.0 user_agent_comment=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 process_name=chrome.exe destination_ip=5.6.7.8 destination_port=443 pop_country_code=FR referer=https://wetransfer.com/ ssl_scanned=t av_scanned_up=t av_scanned_down=t rbi=f dlp=f client_system_name=por-005003 filename=finalize pop_egress_ip=4.5.6.7 pop_ingress_ip=4.5.6.7 proxy_port=8080", + "event": { + "action": "allowed", + "category": [ + "network" + ], + "type": [ + "access", + "allowed", + "connection" + ] + }, + "@timestamp": "2023-11-08T17:23:48Z", + "destination": { + "address": "wetransfer.com", + "bytes": 7976, + "domain": "wetransfer.com", + "ip": "5.6.7.8", + "port": 443, + "registered_domain": "wetransfer.com", + "top_level_domain": "com" + }, + "file": { + "name": "finalize" + }, + "host": { + "name": "por-005003" + }, + "http": { + "request": { + "method": "PUT", + "mime_type": "text/plain" + }, + "response": { + "mime_type": "text/plain", + "status_code": 200 + } + }, + "network": { + "direction": "egress" + }, + "observer": { + "product": "McAfee Web Gateway", + "type": "proxy", + "vendor": "McAfee Corp." 
+ }, + "process": { + "name": "chrome.exe" + }, + "related": { + "hosts": [ + "wetransfer.com" + ], + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8" + ], + "user": [ + "user" + ] + }, + "rule": { + "category": "Personal Network Storage", + "name": "Block URLs Whose Category Is in Category Blocklist" + }, + "skyhighsecurity": { + "application_type": "WeTransfer Channel", + "av_scanned_down": "true", + "av_scanned_up": "true", + "dlp": "false", + "proxy_port": 8080, + "rbi": "false", + "referer": "https://wetransfer.com/", + "reputation": "Minimal Risk", + "ssl_scanned": "true", + "user_agent_comment": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36", + "user_agent_version": "119.0.0.0" + }, + "source": { + "address": "4.3.2.1", + "bytes": 860, + "ip": "4.3.2.1", + "nat": { + "ip": "1.2.3.4" + } + }, + "url": { + "full": "https://wetransfer.com/api/v4/transfers/azerty123/finalize", + "original": "/api/v4/transfers/azerty123/finalize", + "path": "/api/v4/transfers/azerty123/finalize", + "port": 443, + "scheme": "https" + }, + "user": { + "name": "user" + } + } + + ``` + + === "skyhigh_swg_block.json" ```json @@ -540,7 +645,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "Authentication Required", "type": [ "access", @@ -614,7 +718,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "url": { + "full": "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab", + "original": "/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab", "path": "/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab", + "port": 80, "scheme": "http" }, "user": { 
@@ -642,7 +749,6 @@ The following table lists the fields that are extracted, normalized under the EC |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.code` | `keyword` | Identification code for this event. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | @@ -676,6 +782,7 @@ The following table lists the fields that are extracted, normalized under the EC |`source.ip` | `ip` | IP address of the source. | |`source.nat.ip` | `ip` | Source NAT ip | |`url.domain` | `keyword` | Domain of the url. | +|`url.full` | `wildcard` | Full unparsed URL. | |`url.original` | `wildcard` | Unmodified original url as seen in the event source. | |`url.path` | `wildcard` | Path of the request, such as "/search". | |`url.port` | `long` | Port of the request, such as 443. | diff --git a/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md b/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md index 85edaae24a..634e9705aa 100644 --- a/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md +++ b/_shared_content/operations_center/integrations/generated/40deb162-6bb1-4635-9c99-5c2de7e1d340.md 
@@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `authentication`, `driver`, `file`, `network`, `process`, `registry`, `threat`, `web` | | Type | `change`, `creation`, `deletion`, `end`, `error`, `indicator`, `info`, `start` | @@ -40,7 +40,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process" ], "dataset": "cloud-funnel-2.0", - "kind": "event", "type": [ "info" ] @@ -249,7 +248,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "cloud-funnel-2.0", - "kind": "event", "type": [ "info" ] @@ -497,7 +495,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "driver" ], "dataset": "cloud-funnel-2.0", - "kind": "event", "type": [ "info" ] @@ -664,7 +661,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "file" ], "dataset": "cloud-funnel-2.0", - "kind": "event", "type": [ "creation" ] @@ -826,7 +822,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "file" ], "dataset": "cloud-funnel-2.0", - "kind": "event", "type": [ "deletion" ] @@ -1046,7 +1041,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "file" ], "dataset": "cloud-funnel-2.0", - "kind": "event", "type": [ "change" ] 
@@ -1205,8 +1199,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"src.process.parent.isStorylineRoot\":true,\"event.category\":\"group\",\"src.process.parent.image.sha1\":\"08a3589a9016172702c75f16fe3c694b90942514\",\"site.id\":\"1640744535583677559\",\"src.process.parent.displayName\":\"Windows Explorer\",\"src.process.image.binaryIsExecutable\":true,\"src.process.parent.subsystem\":\"SYS_WIN32\",\"src.process.user\":\"desktop-jdoe\\\\john.doe\",\"src.process.indicatorRansomwareCount\":0,\"src.process.crossProcessDupRemoteProcessHandleCount\":0,\"src.process.activeContent.signedStatus\":\"unsigned\",\"src.process.tgtFileCreationCount\":0,\"src.process.indicatorInjectionCount\":0,\"src.process.moduleCount\":66,\"src.process.parent.name\":\"explorer.exe\",\"i.version\":\"preprocess-lib-1.0\",\"src.process.activeContentType\":\"FILE\",\"sca:atlantisIngestTime\":1680190602792,\"src.process.image.md5\":\"999a30979f6195bf562068639ffc4426\",\"src.process.indicatorReconnaissanceCount\":0,\"src.process.storyline.id\":\"8EE6E6E7AB538ED5\",\"src.process.childProcCount\":0,\"mgmt.url\":\"euce1-105.sentinelone.net\",\"src.process.crossProcessOpenProcessCount\":0,\"src.process.subsystem\":\"SYS_WIN32\",\"meta.event.name\":\"GROUPCREATION\",\"src.process.parent.integrityLevel\":\"HIGH\",\"src.process.indicatorExploitationCount\":0,\"src.process.parent.storyline.id\":\"96BFE6E7AB538ED5\",\"src.process.integrityLevel\":\"HIGH\",\"i.scheme\":\"edr\",\"site.name\":\"Default 
site\",\"src.process.netConnInCount\":0,\"event.time\":1680190543346,\"timestamp\":\"2023-03-30T15:35:43.346Z\",\"account.id\":\"1640744534476381289\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"desktop-jdoe\",\"src.process.image.sha1\":\"d4f2663aabc03478975382b3c69f24b3c6bd2aa9\",\"src.process.isStorylineRoot\":true,\"src.process.parent.image.path\":\"C:\\\\Windows\\\\explorer.exe\",\"dataSource.vendor\":\"SentinelOne\",\"src.process.pid\":7400,\"tgt.file.isSigned\":\"signed\",\"src.process.cmdline\":\"\\\"regedit.exe\\\" \\\"C:\\\\Users\\\\john.doe\\\\Desktop\\\\test.reg\\\"\",\"src.process.publisher\":\"MICROSOFT WINDOWS\",\"sca:ingestTime\":1680190608,\"dataSource.category\":\"security\",\"src.process.crossProcessThreadCreateCount\":0,\"src.process.parent.isNative64Bit\":false,\"src.process.parent.isRedirectCmdProcessor\":false,\"src.process.crossProcessCount\":0,\"src.process.signedStatus\":\"signed\",\"event.id\":\"01GWSJKYK06EX50CNYW0M34QBF_18\",\"src.process.parent.cmdline\":\"C:\\\\Windows\\\\Explorer.EXE\",\"src.process.image.path\":\"C:\\\\Windows\\\\regedit.exe\",\"src.process.tgtFileModificationCount\":0,\"src.process.indicatorEvasionCount\":1,\"src.process.netConnOutCount\":0,\"src.process.crossProcessDupThreadHandleCount\":0,\"endpoint.os\":\"windows\",\"src.process.tgtFileDeletionCount\":0,\"src.process.startTime\":1680190543341,\"mgmt.id\":\"16964\",\"os.name\":\"Windows 10 Pro\",\"src.process.activeContent.id\":\"72E6E6E7AB538ED5\",\"src.process.displayName\":\"Registry 
Editor\",\"src.process.activeContent.path\":\"C:\\\\Users\\\\john.doe\\\\Desktop\\\\test.reg\",\"src.process.parent.sessionId\":2,\"src.process.isNative64Bit\":false,\"src.process.uid\":\"8DE6E6E7AB538ED5\",\"src.process.parent.image.md5\":\"b5da026b38c9e98a6f6d4061b6c3b4f3\",\"src.process.indicatorBootConfigurationUpdateCount\":0,\"src.process.indicatorInfostealerCount\":0,\"process.unique.key\":\"8DE6E6E7AB538ED5\",\"src.process.parent.uid\":\"95BFE6E7AB538ED5\",\"agent.version\":\"22.3.2.373\",\"src.process.parent.image.sha256\":\"5ad6cf448d3492310e89ab0ce7f7230f93b359fec8314a3e2b22084fbe24d4d8\",\"src.process.sessionId\":2,\"src.process.netConnCount\":0,\"mgmt.osRevision\":\"19044\",\"group.id\":\"8EE6E6E7AB538ED5\",\"src.process.parent.publisher\":\"MICROSOFT WINDOWS\",\"src.process.isRedirectCmdProcessor\":false,\"src.process.verifiedStatus\":\"verified\",\"src.process.parent.startTime\":1680183557249,\"src.process.dnsCount\":0,\"endpoint.type\":\"desktop\",\"trace.id\":\"01GWSJKYK06EX50CNYW0M34QBF\",\"src.process.name\":\"regedit.exe\",\"agent.uuid\":\"9a25d24fd1e4418dab8e358865fa1e29\",\"src.process.activeContent.hash\":\"8b3d7f4397dd79d66b753745a676da89439ed38e\",\"src.process.image.sha256\":\"92f24fed2ba2927173aad58981f6e0643c6b89815b117e8a7c4a0988ac918170\",\"src.process.indicatorGeneralCount\":2,\"src.process.crossProcessOutOfStorylineCount\":0,\"src.process.registryChangeCount\":3,\"packet.id\":\"635ACC7D4F504B698769ED4A8E380CEF\",\"src.process.indicatorPersistenceCount\":0,\"src.process.parent.signedStatus\":\"signed\",\"src.process.parent.user\":\"desktop-jdoe\\\\john.doe\",\"event.type\":\"Group Creation\",\"src.process.indicatorPostExploitationCount\":0,\"src.process.parent.pid\":4492}", "event": { "action": "Group Creation", - "dataset": "cloud-funnel-2.0", - "kind": "event" + "dataset": "cloud-funnel-2.0" }, "@timestamp": "2023-03-30T15:35:43.346000Z", "agent": { 
@@ -1356,8 +1349,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"src.process.parent.isStorylineRoot\":true,\"event.category\":\"indicators\",\"src.process.parent.image.sha1\":\"a87dd7a7ad343205aac883c18fb55fc7bba54093\",\"site.id\":\"1640744535583677559\",\"src.process.image.binaryIsExecutable\":true,\"src.process.parent.displayName\":\"Microsoft Edge\",\"src.process.user\":\"desktop-jdoe\\\\john.doe\",\"src.process.parent.subsystem\":\"SYS_WIN32\",\"indicator.category\":\"Evasion\",\"src.process.indicatorRansomwareCount\":0,\"indicator.metadata\":\"To Process[ Name: \\\"msedge.exe\\\", Pid: \\\"8064\\\", UID: \\\"F328E6E7AB538ED5\\\", TrueContextID: \\\"2D1EE6E7AB538ED5\\\", IntegrityLevel: \\\"Low\\\", RelationToSource: \\\"Child\\\" ], File Path: \\\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\"\",\"src.process.crossProcessDupRemoteProcessHandleCount\":0,\"src.process.activeContent.signedStatus\":\"unsigned\",\"src.process.tgtFileCreationCount\":0,\"src.process.indicatorInjectionCount\":0,\"indicator.description\":\"Code injection to other process memory space during the target process' initialization MITRE: Defense Evasion {T1055.012<\\/a>}, Privilege Escalation 
{T1055.012<\\/a>}\",\"src.process.moduleCount\":84,\"src.process.parent.name\":\"msedge.exe\",\"i.version\":\"preprocess-lib-1.0\",\"src.process.activeContentType\":\"FILE\",\"sca:atlantisIngestTime\":1679651845743,\"src.process.image.md5\":\"44d867f6684855e16738b65a446937c5\",\"src.process.indicatorReconnaissanceCount\":0,\"src.process.storyline.id\":\"2D1EE6E7AB538ED5\",\"src.process.childProcCount\":0,\"mgmt.url\":\"euce1-105.sentinelone.net\",\"src.process.crossProcessOpenProcessCount\":0,\"src.process.subsystem\":\"SYS_WIN32\",\"meta.event.name\":\"BEHAVIORALINDICATORS\",\"src.process.parent.integrityLevel\":\"HIGH\",\"src.process.indicatorExploitationCount\":0,\"src.process.parent.storyline.id\":\"2D1EE6E7AB538ED5\",\"i.scheme\":\"edr\",\"src.process.integrityLevel\":\"LOW\",\"site.name\":\"Default site\",\"src.process.netConnInCount\":0,\"event.time\":1679651799952,\"timestamp\":\"2023-03-24T09:56:39.952Z\",\"account.id\":\"1640744534476381289\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"desktop-jdoe\",\"src.process.image.sha1\":\"a87dd7a7ad343205aac883c18fb55fc7bba54093\",\"src.process.isStorylineRoot\":false,\"src.process.parent.image.path\":\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\"src.process.tid\":0,\"dataSource.vendor\":\"SentinelOne\",\"src.process.pid\":8064,\"tgt.file.isSigned\":\"signed\",\"sca:ingestTime\":1679651851,\"dataSource.category\":\"security\",\"src.process.cmdline\":\"\\\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=4272 --field-trial-handle=1904,i,13954562701905874655,10086179210364072054,131072 \\/prefetch:8\",\"src.process.publisher\":\"MICROSOFT 
CORPORATION\",\"src.process.parent.activeContentType\":\"FILE\",\"src.process.crossProcessThreadCreateCount\":0,\"src.process.parent.isNative64Bit\":false,\"src.process.parent.isRedirectCmdProcessor\":false,\"src.process.signedStatus\":\"signed\",\"src.process.crossProcessCount\":0,\"event.id\":\"01GW9GTD03G3KP42RNTBE4KYSR_5\",\"src.process.parent.cmdline\":\"\\\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --no-startup-window --win-session-start \\/prefetch:5\",\"src.process.image.path\":\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\"src.process.tgtFileModificationCount\":3,\"src.process.indicatorEvasionCount\":1,\"src.process.netConnOutCount\":0,\"src.process.crossProcessDupThreadHandleCount\":0,\"endpoint.os\":\"windows\",\"src.process.tgtFileDeletionCount\":0,\"src.process.startTime\":1679651799947,\"mgmt.id\":\"16964\",\"os.name\":\"Windows 10 Pro\",\"src.process.displayName\":\"Microsoft Edge\",\"src.process.isNative64Bit\":false,\"src.process.parent.sessionId\":2,\"src.process.uid\":\"F328E6E7AB538ED5\",\"src.process.parent.image.md5\":\"44d867f6684855e16738b65a446937c5\",\"src.process.indicatorInfostealerCount\":0,\"src.process.indicatorBootConfigurationUpdateCount\":0,\"process.unique.key\":\"F328E6E7AB538ED5\",\"agent.version\":\"22.3.2.373\",\"src.process.parent.uid\":\"2C1EE6E7AB538ED5\",\"src.process.parent.image.sha256\":\"d1ccb48eb5f5c153be93fa112314f35722582e37d39adbe88139cef2b77c7693\",\"src.process.sessionId\":2,\"src.process.netConnCount\":0,\"mgmt.osRevision\":\"19044\",\"group.id\":\"2D1EE6E7AB538ED5\",\"src.process.isRedirectCmdProcessor\":false,\"src.process.verifiedStatus\":\"verified\",\"src.process.parent.publisher\":\"MICROSOFT 
CORPORATION\",\"src.process.parent.startTime\":1679651174169,\"src.process.dnsCount\":0,\"endpoint.type\":\"desktop\",\"trace.id\":\"01GW9GTD03G3KP42RNTBE4KYSR\",\"src.process.name\":\"msedge.exe\",\"agent.uuid\":\"9a25d24fd1e4418dab8e358865fa1e29\",\"src.process.image.sha256\":\"d1ccb48eb5f5c153be93fa112314f35722582e37d39adbe88139cef2b77c7693\",\"src.process.indicatorGeneralCount\":7,\"indicator.name\":\"PreloadInjection\",\"src.process.crossProcessOutOfStorylineCount\":0,\"src.process.registryChangeCount\":1,\"packet.id\":\"A53019B8AC7E4786BC77B654E737149B\",\"src.process.indicatorPersistenceCount\":0,\"src.process.parent.signedStatus\":\"signed\",\"src.process.parent.user\":\"desktop-jdoe\\\\john.doe\",\"event.type\":\"Behavioral Indicators\",\"src.process.indicatorPostExploitationCount\":0,\"src.process.parent.activeContent.signedStatus\":\"unsigned\",\"src.process.parent.pid\":6728}", "event": { "action": "Behavioral Indicators", - "dataset": "cloud-funnel-2.0", - "kind": "event" + "dataset": "cloud-funnel-2.0" }, "@timestamp": "2023-03-24T09:56:39.952000Z", "agent": { @@ -1516,7 +1508,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "cloud-funnel-2.0", - "kind": "event", "type": [ "info" ] @@ -1681,7 +1672,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "cloud-funnel-2.0", - "kind": "event", "type": [ "info" ] @@ -1846,7 +1836,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "cloud-funnel-2.0", - "kind": "event", "type": [ "info" ] @@ -2010,7 +1999,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "cloud-funnel-2.0", - "kind": "event", "outcome": "success", "type": [ "start" 
@@ -2174,7 +2162,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "cloud-funnel-2.0", - "kind": "event", "outcome": "success", "type": [ "end" @@ -2323,7 +2310,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process" ], "dataset": "cloud-funnel-2.0", - "kind": "event", "type": [ "info" ] @@ -2500,7 +2486,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "cloud-funnel-2.0", - "kind": "event", "outcome": "failure", "type": [ "error" @@ -2702,7 +2687,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "cloud-funnel-2.0", - "kind": "event", "outcome": "success", "type": [ "start" @@ -2921,7 +2905,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process" ], "dataset": "cloud-funnel-2.0", - "kind": "event", "type": [ "info" ] @@ -3176,7 +3159,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "registry" ], "dataset": "cloud-funnel-2.0", - "kind": "event", "type": [ "change" ] @@ -3350,7 +3332,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "registry" ], "dataset": "cloud-funnel-2.0", - "kind": "event", "type": [ "creation" ] @@ -3503,7 +3484,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "registry" ], "dataset": "cloud-funnel-2.0", - "kind": "event", "type": [ "change" ] @@ -3702,7 +3682,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "registry" ], "dataset": "cloud-funnel-2.0", - "kind": "event", "type": [ "change" ] 
@@ -3867,8 +3846,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"src.process.parent.isStorylineRoot\":true,\"event.category\":\"scheduled_task\",\"src.process.parent.image.sha1\":\"08a3589a9016172702c75f16fe3c694b90942514\",\"site.id\":\"1640744535583677559\",\"osSrc.process.isRedirectCmdProcessor\":false,\"src.process.image.binaryIsExecutable\":true,\"src.process.parent.displayName\":\"Windows Explorer\",\"osSrc.process.image.md5\":\"b7f884c1b74a263f746ee12a5f7c9f6a\",\"osSrc.process.crossProcessOpenProcessCount\":219,\"osSrc.process.publisher\":\"MICROSOFT WINDOWS\",\"osSrc.process.crossProcessDupThreadHandleCount\":4,\"src.process.user\":\"desktop-jdoe\\\\john.doe\",\"osSrc.process.indicatorPersistenceCount\":0,\"src.process.parent.subsystem\":\"SYS_WIN32\",\"src.process.indicatorRansomwareCount\":0,\"src.process.crossProcessDupRemoteProcessHandleCount\":0,\"osSrc.process.crossProcessOutOfStorylineCount\":232,\"osSrc.process.image.sha1\":\"1bc5066ddf693fc034d6514618854e26a84fd0d1\",\"src.process.tgtFileCreationCount\":0,\"osSrc.process.childProcCount\":73,\"src.process.indicatorInjectionCount\":2,\"osSrc.process.indicatorReconnaissanceCount\":15044,\"src.process.moduleCount\":397,\"src.process.parent.name\":\"explorer.exe\",\"i.version\":\"preprocess-lib-1.0\",\"osSrc.process.signedStatus\":\"signed\",\"sca:atlantisIngestTime\":1679668709665,\"src.process.image.md5\":\"cdbae87d50068565cf2ed20e99246a2e\",\"src.process.indicatorReconnaissanceCount\":3,\"src.process.storyline.id\":\"5084E6E7AB538ED5\",\"src.process.childProcCount\":0,\"mgmt.url\":\"euce1-105.sentinelone.net\",\"src.process.crossProcessOpenProcessCount\":0,\"osSrc.process.crossProcessThreadCreateCount\":0,\"osSrc.process.moduleCount\":44431,\"osSrc.process.indicatorPostExploitationCount\":0,\"osSrc.process.indicatorInfostealerCount\":53,\"src.process.subsystem\":\"SYS_WIN32\",\"meta.event.name\":\"SCHEDTASKREGISTER\",\"src.process.parent.integrityLevel\"
:\"HIGH\",\"osSrc.process.user\":\"NT AUTHORITY\\\\SYSTEM\",\"osSrc.process.image.binaryIsExecutable\":true,\"task.name\":\"\\\\Task John\",\"osSrc.process.tgtFileModificationCount\":16,\"src.process.indicatorExploitationCount\":0,\"osSrc.process.registryChangeCount\":0,\"src.process.parent.storyline.id\":\"FA1CE6E7AB538ED5\",\"osSrc.process.netConnInCount\":0,\"i.scheme\":\"edr\",\"src.process.integrityLevel\":\"HIGH\",\"osSrc.process.indicatorInjectionCount\":1,\"osSrc.process.pid\":796,\"site.name\":\"Default site\",\"src.process.netConnInCount\":0,\"event.time\":1679668702878,\"timestamp\":\"2023-03-24T14:38:22.878Z\",\"account.id\":\"1640744534476381289\",\"dataSource.name\":\"SentinelOne\",\"osSrc.process.crossProcessCount\":232,\"endpoint.name\":\"desktop-jdoe\",\"src.process.image.sha1\":\"4a8b68a1ad588175d018944aacca6151e2cb4e3c\",\"src.process.isStorylineRoot\":true,\"src.process.parent.image.path\":\"C:\\\\Windows\\\\explorer.exe\",\"osSrc.process.isNative64Bit\":false,\"dataSource.vendor\":\"SentinelOne\",\"src.process.pid\":5228,\"osSrc.process.uid\":\"4D1AE6E7AB538ED5\",\"tgt.file.isSigned\":\"signed\",\"sca:ingestTime\":1679668715,\"dataSource.category\":\"security\",\"src.process.cmdline\":\"\\\"C:\\\\Windows\\\\system32\\\\mmc.exe\\\" \\\"C:\\\\Windows\\\\system32\\\\taskschd.msc\\\" \\/s\",\"src.process.publisher\":\"MICROSOFT 
WINDOWS\",\"src.process.crossProcessThreadCreateCount\":0,\"src.process.parent.isNative64Bit\":false,\"osSrc.process.isStorylineRoot\":true,\"src.process.parent.isRedirectCmdProcessor\":false,\"osSrc.process.integrityLevel\":\"SYSTEM\",\"src.process.signedStatus\":\"signed\",\"src.process.crossProcessCount\":0,\"osSrc.process.subsystem\":\"SYS_WIN32\",\"event.id\":\"01GWA0X1G6W27RX89K1YWD3SB8_10\",\"osSrc.process.crossProcessDupRemoteProcessHandleCount\":9,\"osSrc.process.tgtFileCreationCount\":0,\"src.process.parent.cmdline\":\"C:\\\\Windows\\\\Explorer.EXE\",\"src.process.image.path\":\"C:\\\\Windows\\\\System32\\\\mmc.exe\",\"src.process.tgtFileModificationCount\":0,\"osSrc.process.name\":\"svchost.exe\",\"src.process.indicatorEvasionCount\":2,\"src.process.netConnOutCount\":0,\"osSrc.process.startTime\":1679651050062,\"src.process.crossProcessDupThreadHandleCount\":0,\"endpoint.os\":\"windows\",\"osSrc.process.netConnOutCount\":86,\"osSrc.process.image.sha256\":\"add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88\",\"src.process.tgtFileDeletionCount\":0,\"src.process.startTime\":1679668633169,\"mgmt.id\":\"16964\",\"osSrc.process.indicatorRansomwareCount\":0,\"osSrc.process.netConnCount\":86,\"os.name\":\"Windows 10 Pro\",\"osSrc.process.indicatorGeneral.count\":1041,\"src.process.displayName\":\"Microsoft Management Console\",\"osSrc.process.dnsCount\":28,\"src.process.isNative64Bit\":false,\"src.process.parent.sessionId\":2,\"osSrc.process.sessionId\":0,\"src.process.uid\":\"4F84E6E7AB538ED5\",\"src.process.parent.image.md5\":\"b5da026b38c9e98a6f6d4061b6c3b4f3\",\"osSrc.process.verifiedStatus\":\"verified\",\"osSrc.process.cmdline\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs 
-p\",\"src.process.indicatorInfostealerCount\":0,\"src.process.indicatorBootConfigurationUpdateCount\":0,\"process.unique.key\":\"4F84E6E7AB538ED5\",\"agent.version\":\"22.3.2.373\",\"src.process.parent.uid\":\"F91CE6E7AB538ED5\",\"src.process.parent.image.sha256\":\"5ad6cf448d3492310e89ab0ce7f7230f93b359fec8314a3e2b22084fbe24d4d8\",\"src.process.sessionId\":2,\"src.process.netConnCount\":0,\"mgmt.osRevision\":\"19044\",\"osSrc.process.image.path\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"group.id\":\"5084E6E7AB538ED5\",\"osSrc.process.indicatorBootConfigurationUpdateCount\":0,\"src.process.isRedirectCmdProcessor\":false,\"src.process.verifiedStatus\":\"verified\",\"src.process.parent.publisher\":\"MICROSOFT WINDOWS\",\"src.process.parent.startTime\":1679651150108,\"osSrc.process.indicatorExploitationCount\":0,\"src.process.dnsCount\":0,\"osSrc.process.tgtFileDeletionCount\":0,\"osSrc.process.indicatorEvasionCount\":3,\"endpoint.type\":\"desktop\",\"trace.id\":\"01GWA0X1G6W27RX89K1YWD3SB8\",\"src.process.name\":\"mmc.exe\",\"agent.uuid\":\"9a25d24fd1e4418dab8e358865fa1e29\",\"osSrc.process.displayName\":\"Host Process for Windows Services\",\"src.process.image.sha256\":\"3519db09c7d58615c5a5a8ef508e163e63ecb428f113021e0e3cd47fb7f39c9e\",\"src.process.indicatorGeneralCount\":36,\"src.process.crossProcessOutOfStorylineCount\":0,\"src.process.registryChangeCount\":0,\"packet.id\":\"47785FD0B1924C13905B7665CF4053FA\",\"src.process.indicatorPersistenceCount\":1,\"src.process.parent.signedStatus\":\"signed\",\"src.process.parent.user\":\"desktop-jdoe\\\\john.doe\",\"osSrc.process.storyline.id\":\"4E1AE6E7AB538ED5\",\"event.type\":\"Task Register\",\"src.process.indicatorPostExploitationCount\":0,\"src.process.parent.pid\":5044}", "event": { "action": "Task Register", - "dataset": "cloud-funnel-2.0", - "kind": "event" + "dataset": "cloud-funnel-2.0" }, "@timestamp": "2023-03-24T14:38:22.878000Z", "agent": { 
@@ -4057,8 +4035,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"src.process.parent.isStorylineRoot\":true,\"event.category\":\"scheduled_task\",\"tgt.file.modificationTime\":-11644473600000,\"src.process.parent.image.sha1\":\"1bc5066ddf693fc034d6514618854e26a84fd0d1\",\"site.id\":\"1640744535583677559\",\"tgt.file.location\":\"Local\",\"osSrc.process.isRedirectCmdProcessor\":false,\"src.process.image.binaryIsExecutable\":true,\"src.process.parent.displayName\":\"Host Process for Windows Services\",\"osSrc.process.image.md5\":\"b7f884c1b74a263f746ee12a5f7c9f6a\",\"osSrc.process.crossProcessOpenProcessCount\":157,\"osSrc.process.publisher\":\"MICROSOFT WINDOWS\",\"osSrc.process.crossProcessDupThreadHandleCount\":5,\"src.process.user\":\"NT AUTHORITY\\\\SYSTEM\",\"osSrc.process.indicatorPersistenceCount\":0,\"src.process.parent.subsystem\":\"SYS_WIN32\",\"src.process.indicatorRansomwareCount\":0,\"src.process.crossProcessDupRemoteProcessHandleCount\":0,\"osSrc.process.crossProcessOutOfStorylineCount\":172,\"osSrc.process.image.sha1\":\"1bc5066ddf693fc034d6514618854e26a84fd0d1\",\"src.process.activeContent.signedStatus\":\"signed\",\"src.process.tgtFileCreationCount\":1,\"osSrc.process.childProcCount\":80,\"src.process.indicatorInjectionCount\":0,\"osSrc.process.indicatorReconnaissanceCount\":5902,\"src.process.moduleCount\":53,\"src.process.parent.name\":\"svchost.exe\",\"i.version\":\"preprocess-lib-1.0\",\"src.process.activeContentType\":\"FILE\",\"osSrc.process.signedStatus\":\"signed\",\"sca:atlantisIngestTime\":1680188502213,\"src.process.image.md5\":\"ef3179d498793bf4234f708d3be28633\",\"src.process.indicatorReconnaissanceCount\":0,\"src.process.storyline.id\":\"7322E6E7AB538ED5\",\"src.process.childProcCount\":0,\"mgmt.url\":\"euce1-105.sentinelone.net\",\"src.process.crossProcessOpenProcessCount\":0,\"osSrc.process.crossProcessThreadCreateCount\":0,\"osSrc.process.moduleCount\":38352,\"osSrc.process.indicatorPostE
xploitationCount\":0,\"osSrc.process.indicatorInfostealerCount\":115,\"src.process.subsystem\":\"SYS_WIN32\",\"meta.event.name\":\"SCHEDTASKSTART\",\"src.process.parent.integrityLevel\":\"SYSTEM\",\"osSrc.process.user\":\"NT AUTHORITY\\\\SYSTEM\",\"osSrc.process.image.binaryIsExecutable\":true,\"task.name\":\"\\\\Microsoft\\\\Windows\\\\Application Experience\\\\PcaPatchDbTask\",\"osSrc.process.tgtFileModificationCount\":59,\"src.process.indicatorExploitationCount\":0,\"osSrc.process.registryChangeCount\":0,\"src.process.parent.storyline.id\":\"4E1AE6E7AB538ED5\",\"tgt.file.creationTime\":-11644473600000,\"osSrc.process.netConnInCount\":0,\"i.scheme\":\"edr\",\"src.process.integrityLevel\":\"SYSTEM\",\"osSrc.process.indicatorInjectionCount\":0,\"osSrc.process.pid\":544,\"site.name\":\"Default site\",\"src.process.netConnInCount\":0,\"event.time\":1680188461660,\"timestamp\":\"2023-03-30T15:01:01.660Z\",\"account.id\":\"1640744534476381289\",\"dataSource.name\":\"SentinelOne\",\"osSrc.process.crossProcessCount\":172,\"endpoint.name\":\"desktop-jdoe\",\"tgt.file.size\":71680,\"src.process.image.sha1\":\"dd399ae46303343f9f0da189aee11c67bd868222\",\"src.process.isStorylineRoot\":true,\"src.process.parent.image.path\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"tgt.file.sha1\":\"dd399ae46303343f9f0da189aee11c67bd868222\",\"osSrc.process.isNative64Bit\":false,\"dataSource.vendor\":\"SentinelOne\",\"src.process.pid\":5304,\"osSrc.process.uid\":\"1E91E6E7AB538ED5\",\"tgt.file.isSigned\":\"signed\",\"sca:ingestTime\":1680188507,\"dataSource.category\":\"security\",\"src.process.cmdline\":\"\\\"C:\\\\Windows\\\\system32\\\\rundll32.exe\\\" C:\\\\Windows\\\\system32\\\\PcaSvc.dll,PcaPatchSdbTask\",\"src.process.publisher\":\"MICROSOFT WINDOWS\",\"src.process.crossProcessThreadCreateCount\":0,\"src.process.parent.isNative64Bit\":false,\"osSrc.process.isStorylineRoot\":true,\"src.process.parent.isRedirectCmdProcessor\":false,\"tgt.file.description\":\"Windows host process 
(Rundll32)\",\"osSrc.process.integrityLevel\":\"SYSTEM\",\"src.process.signedStatus\":\"signed\",\"src.process.crossProcessCount\":0,\"osSrc.process.subsystem\":\"SYS_WIN32\",\"tgt.file.isExecutable\":true,\"event.id\":\"01GWSGKVAAKE9CKCSVVN8QVWA2_7\",\"osSrc.process.crossProcessDupRemoteProcessHandleCount\":10,\"osSrc.process.tgtFileCreationCount\":0,\"src.process.parent.cmdline\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p\",\"src.process.image.path\":\"C:\\\\Windows\\\\System32\\\\rundll32.exe\",\"src.process.tgtFileModificationCount\":0,\"osSrc.process.name\":\"svchost.exe\",\"src.process.indicatorEvasionCount\":1,\"src.process.netConnOutCount\":0,\"tgt.file.path\":\"C:\\\\Windows\\\\System32\\\\rundll32.exe\",\"tgt.file.extension\":\"exe\",\"osSrc.process.startTime\":1680169388191,\"src.process.crossProcessDupThreadHandleCount\":0,\"endpoint.os\":\"windows\",\"osSrc.process.netConnOutCount\":99,\"osSrc.process.image.sha256\":\"add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88\",\"src.process.tgtFileDeletionCount\":0,\"src.process.startTime\":1679651234837,\"mgmt.id\":\"16964\",\"osSrc.process.indicatorRansomwareCount\":0,\"osSrc.process.netConnCount\":99,\"os.name\":\"Windows 10 Pro\",\"tgt.file.type\":\"PE\",\"osSrc.process.indicatorGeneral.count\":591,\"src.process.activeContent.id\":\"B928E3E7AB538ED5\",\"src.process.displayName\":\"Windows host process (Rundll32)\",\"osSrc.process.dnsCount\":51,\"tgt.file.sha256\":\"b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa\",\"src.process.activeContent.path\":\"C:\\\\Windows\\\\System32\\\\pcasvc.dll\",\"src.process.isNative64Bit\":false,\"src.process.parent.sessionId\":0,\"osSrc.process.sessionId\":0,\"src.process.uid\":\"7222E6E7AB538ED5\",\"src.process.parent.image.md5\":\"b7f884c1b74a263f746ee12a5f7c9f6a\",\"osSrc.process.verifiedStatus\":\"verified\",\"osSrc.process.cmdline\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs 
-p\",\"src.process.indicatorInfostealerCount\":0,\"src.process.indicatorBootConfigurationUpdateCount\":0,\"process.unique.key\":\"7222E6E7AB538ED5\",\"agent.version\":\"22.3.2.373\",\"src.process.parent.uid\":\"4D1AE6E7AB538ED5\",\"src.process.parent.image.sha256\":\"add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88\",\"src.process.sessionId\":0,\"src.process.netConnCount\":0,\"mgmt.osRevision\":\"19044\",\"osSrc.process.image.path\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"group.id\":\"7322E6E7AB538ED5\",\"osSrc.process.indicatorBootConfigurationUpdateCount\":0,\"src.process.isRedirectCmdProcessor\":false,\"src.process.verifiedStatus\":\"verified\",\"src.process.parent.publisher\":\"MICROSOFT WINDOWS\",\"src.process.parent.startTime\":1679651050062,\"osSrc.process.indicatorExploitationCount\":0,\"src.process.dnsCount\":0,\"osSrc.process.tgtFileDeletionCount\":0,\"osSrc.process.indicatorEvasionCount\":3,\"endpoint.type\":\"desktop\",\"trace.id\":\"01GWSGKVAAKE9CKCSVVN8QVWA2\",\"src.process.name\":\"rundll32.exe\",\"tgt.file.md5\":\"ef3179d498793bf4234f708d3be28633\",\"agent.uuid\":\"9a25d24fd1e4418dab8e358865fa1e29\",\"src.process.activeContent.hash\":\"4baee77d42bd0b2fa2660852eeac7962aa27a2f1\",\"osSrc.process.displayName\":\"Host Process for Windows Services\",\"src.process.image.sha256\":\"b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa\",\"src.process.indicatorGeneralCount\":3,\"tgt.file.internalName\":\"rundll\",\"src.process.crossProcessOutOfStorylineCount\":0,\"src.process.registryChangeCount\":2,\"packet.id\":\"2343644B9C0D4EBFA0956CF728E11DDC\",\"src.process.indicatorPersistenceCount\":0,\"src.process.parent.signedStatus\":\"signed\",\"src.process.parent.user\":\"NT AUTHORITY\\\\SYSTEM\",\"tgt.file.id\":\"F58AE3E7AB538ED5\",\"osSrc.process.storyline.id\":\"1F91E6E7AB538ED5\",\"event.type\":\"Task 
Start\",\"task.path\":\"C:\\\\Windows\\\\System32\\\\rundll32.exe\",\"src.process.indicatorPostExploitationCount\":0,\"src.process.parent.pid\":796}", "event": { "action": "Task Start", - "dataset": "cloud-funnel-2.0", - "kind": "event" + "dataset": "cloud-funnel-2.0" }, "@timestamp": "2023-03-30T15:01:01.660000Z", "agent": { @@ -4282,7 +4259,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "web" ], "dataset": "cloud-funnel-2.0", - "kind": "event", "type": [ "info" ] @@ -4658,7 +4634,6 @@ The following table lists the fields that are extracted, normalized under the EC |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.dataset` | `keyword` | Name of the dataset. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`file.code_signature.exists` | `boolean` | Boolean to capture if a signature is present. | |`file.code_signature.status` | `keyword` | Additional information about the certificate status. | diff --git a/_shared_content/operations_center/integrations/generated/419bd705-fa61-496c-94fa-28d6c1f2e2a8.md b/_shared_content/operations_center/integrations/generated/419bd705-fa61-496c-94fa-28d6c1f2e2a8.md index 07df424168..772c630d8d 100644 --- a/_shared_content/operations_center/integrations/generated/419bd705-fa61-496c-94fa-28d6c1f2e2a8.md +++ b/_shared_content/operations_center/integrations/generated/419bd705-fa61-496c-94fa-28d6c1f2e2a8.md @@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `intrusion_detection`, `malware`, `network`, `process` | | Type | `` | 
@@ -38,7 +38,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "The client has downloaded the content package successfully", "type": [ "info" @@ -88,7 +87,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process" ], "end": "2022-08-29T11:58:20Z", - "kind": "event", "start": "2022-08-29T11:58:20Z", "type": [ "denied" @@ -140,7 +138,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process" ], "end": "2022-10-19T06:45:39Z", - "kind": "event", "reason": "Le contr\u00f4le des applications et des p\u00e9riph\u00e9riques est pr\u00eat.", "start": "2022-10-19T06:45:39Z", "type": [ @@ -199,7 +196,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "reason": "L\u2019installation d\u2019une mise \u00e0 jour de Revocation Data a \u00e9chou\u00e9. Erreur : Echec de la correction de contenu (0xE0010005), DuResult: Succ\u00e8s (0).", "start": "2022-10-18T18:09:26Z", "type": [ @@ -243,7 +239,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "malware" ], - "kind": "event", "reason": "L\u2019installation d\u2019une mise \u00e0 jour de Virus and Spyware Definitions SDS Win64 (Reduced) a \u00e9chou\u00e9. Erreur : Echec de la correction de contenu (0xE0010005), DuResult: Succ\u00e8s (0).", "start": "2022-10-19T07:32:25Z", "type": [ @@ -288,7 +283,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "intrusion_detection" ], "end": "2022-10-19T09:25:40Z", - "kind": "event", "reason": "attaque de Audit: Malicious Scan Attempt 2 d\u00e9tect\u00e9e mais pas bloqu\u00e9e. Chemin d\u2019application\u00a0: SYSTEM", "start": "2022-10-19T09:25:40Z", "type": [ 
@@ -375,7 +369,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "malware" ], "end": "2022-10-04T17:44:22Z", - "kind": "event", "reason": "Analyse lanc\u00e9e sur lecteurs et dossiers s\u00e9lectionn\u00e9s et toutes les extensions.", "start": "2022-10-04T17:42:10Z", "type": [ @@ -448,7 +441,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "reason": "SONAR detection now allowed", "type": [ "info" @@ -566,7 +558,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "Impossible d\u2019assigner un jeton d\u2019authentification client. Une erreur de communication g\u00e9n\u00e9rale est survenue.", "start": "2022-08-29T11:35:29Z", "type": [ @@ -611,7 +602,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "malware" ], - "kind": "event", "reason": "Virus found", "type": [ "info" @@ -717,7 +707,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "malware" ], - "kind": "event", "reason": "Virus found", "type": [ "info" @@ -864,7 +853,6 @@ The following table lists the fields that are extracted, normalized under the EC |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.end` | `date` | event.end contains the date when the event ended or when the activity was last observed. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. | |`file.hash.md5` | `keyword` | MD5 hash. | 
diff --git a/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md b/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md index 6d2f9c1571..dbfe3a24bd 100644 --- a/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md +++ b/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md @@ -20,8 +20,8 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `alert`, `event` | -| Category | `file`, `intrusion_detection`, `malware`, `network` | +| Kind | `alert` | +| Category | `authentication`, `file`, `intrusion_detection`, `malware`, `network` | | Type | `change`, `connection`, `end`, `info`, `start` | @@ -42,8 +42,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "code": "106001", - "kind": "event" + "code": "106001" }, "action": { "name": "denied", @@ -88,8 +87,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "code": "106006", - "kind": "event" + "code": "106006" }, "action": { "name": "deny", @@ -136,7 +134,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "430002", - "kind": "event", "type": [ "connection", "start" @@ -202,7 +199,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "430003", - "kind": "event", "type": [ "connection", "end" @@ -357,7 +353,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "106012", - "kind": "event", "reason": "IP options: \"Router Alert\"" }, "action": { 
@@ -398,7 +393,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "106015", - "kind": "event", "reason": "no connection" }, "action": { @@ -444,7 +438,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "106023", - "kind": "event", "reason": "ACME_group" }, "action": { @@ -490,7 +483,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "106100", - "kind": "event", "reason": "ACME_INFRA" }, "action": { @@ -535,8 +527,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "code": "110003", - "kind": "event" + "code": "110003" }, "action": { "name": "routing failed to locate next hop for icmp", @@ -575,8 +566,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "code": "111007", - "kind": "event" + "code": "111007" }, "action": { "name": "begin configuration", @@ -603,6 +593,49 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_ASA_113004.json" + + ```json + + { + "message": "%ASA-6-113004: AAA user authentication Successful : server = 10.79.48.28 : user = jdoe001566", + "event": { + "category": [ + "authentication" + ], + "code": "113004", + "outcome": "success", + "type": [ + "start" + ] + }, + "action": { + "target": "network-traffic" + }, + "destination": { + "address": "10.79.48.28", + "ip": "10.79.48.28" + }, + "observer": { + "product": "Adaptive Security Appliance", + "vendor": "Cisco" + }, + "related": { + "ip": [ + "10.79.48.28" + ], + "user": [ + "jdoe001566" + ] + }, + "user": { + "name": "jdoe001566" + } + } + + ``` + + === "test_ASA_199019.json" ```json 
@@ -614,8 +647,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "code": "199019", - "kind": "event" + "code": "199019" }, "action": { "target": "network-traffic" @@ -646,8 +678,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "code": "302013", - "kind": "event" + "code": "302013" }, "action": { "name": "built", @@ -700,8 +731,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "code": "302014", - "kind": "event" + "code": "302014" }, "action": { "name": "teardown", @@ -746,8 +776,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "code": "302020", - "kind": "event" + "code": "302020" }, "action": { "name": "built", @@ -791,8 +820,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "code": "302020", - "kind": "event" + "code": "302020" }, "action": { "name": "built", @@ -849,8 +877,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "code": "302021", - "kind": "event" + "code": "302021" }, "action": { "name": "teardown", @@ -899,8 +926,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "code": "302021", - "kind": "event" + "code": "302021" }, "action": { "name": "teardown", @@ -949,8 +975,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "code": "305011", - "kind": "event" + "code": "305011" }, "action": { "name": "built", @@ -994,8 +1019,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "code": "305012", - "kind": "event" + "code": "305012" }, "action": { "name": "teardown", 
@@ -1040,7 +1064,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "313005", - "kind": "event", "reason": "icmp" }, "action": { @@ -1106,8 +1129,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "code": "313008", - "kind": "event" + "code": "313008" }, "action": { "name": "denied", @@ -1150,8 +1172,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "code": "609002", - "kind": "event" + "code": "609002" }, "action": { "name": "teardown", @@ -1198,7 +1219,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "716058", - "kind": "event", "type": [ "connection" ] @@ -1243,7 +1263,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "716059", - "kind": "event", "type": [ "connection" ] @@ -1288,7 +1307,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "722011", - "kind": "event", "type": [ "connection" ] @@ -1333,7 +1351,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "722012", - "kind": "event", "type": [ "connection" ] @@ -1378,7 +1395,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "722023", - "kind": "event", "type": [ "connection" ] @@ -1423,7 +1439,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "722023", - "kind": "event", "type": [ "connection" ] @@ -1468,7 +1483,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "722028", - "kind": "event", "type": [ "connection" ] @@ -1513,7 +1527,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "722032", - "kind": "event", "type": [ "connection" ] 
@@ -1558,7 +1571,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "722033", - "kind": "event", "type": [ "connection" ] @@ -1603,7 +1615,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "722034", - "kind": "event", "type": [ "connection" ] @@ -1648,7 +1659,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "722037", - "kind": "event", "reason": "Transport closing", "type": [ "connection" @@ -1693,8 +1703,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "code": "725001", - "kind": "event" + "code": "725001" }, "action": { "name": "starting ssl handshake", @@ -1729,8 +1738,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "code": "725002", - "kind": "event" + "code": "725002" }, "action": { "name": "device completed ssl handshake", @@ -1765,8 +1773,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "code": "725006", - "kind": "event" + "code": "725006" }, "action": { "name": "device failed ssl handshake", @@ -1802,7 +1809,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "725007", - "kind": "event", "reason": "terminated" }, "action": { @@ -1838,8 +1844,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "code": "733100", - "kind": "event" + "code": "733100" }, "action": { "name": "scanning", @@ -1864,8 +1869,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "code": "737016", - "kind": "event" + "code": "737016" }, "action": { "name": "freeing local pool address", 
@@ -1899,8 +1903,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "code": "852001", - "kind": "event" + "code": "852001" }, "action": { "target": "network-traffic" @@ -1934,6 +1937,49 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_FTD_113004.json" + + ```json + + { + "message": "%FTD-6-113004: AAA user authentication Successful : server = 10.10.48.61 : user = jdoe", + "event": { + "category": [ + "authentication" + ], + "code": "113004", + "outcome": "success", + "type": [ + "start" + ] + }, + "action": { + "target": "network-traffic" + }, + "destination": { + "address": "10.10.48.61", + "ip": "10.10.48.61" + }, + "observer": { + "product": "Firepower Threat Defense", + "vendor": "Cisco" + }, + "related": { + "ip": [ + "10.10.48.61" + ], + "user": [ + "jdoe" + ] + }, + "user": { + "name": "jdoe" + } + } + + ``` + + === "test_FTD_430002_1.json" ```json @@ -1946,7 +1992,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "430002", - "kind": "event", "type": [ "connection", "start" @@ -2012,7 +2057,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "430003", - "kind": "event", "type": [ "connection", "end" @@ -2102,7 +2146,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "430003", - "kind": "event", "type": [ "connection", "end" @@ -2186,7 +2229,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "430003", - "kind": "event", "type": [ "connection", "end" @@ -2279,7 +2321,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "AnyConnect session lost connection. Waiting to resume." }, "action": { 
@@ -2320,7 +2361,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "Task ran for 100 msec" }, "action": { @@ -2358,7 +2398,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "IPv4 Address <1.2.3.4> IPv6 address <::> assigned to session" }, "action": { @@ -2402,7 +2441,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "IPv4 Address <> IPv6 address <3deb:3c5e:59d0:53ad:1115:d3d7:58da:47d6> assigned to session" }, "action": { @@ -2446,7 +2484,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "DPD failure" }, "action": { @@ -2485,8 +2522,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "category": [ "network" - ], - "kind": "event" + ] }, "action": { "target": "network-traffic" @@ -2527,8 +2563,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "category": [ "network" - ], - "kind": "event" + ] }, "action": { "target": "network-traffic" @@ -2570,7 +2605,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "Idle Timeout" }, "action": { @@ -2610,7 +2644,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "Task ran for 109 msec" }, "action": { @@ -2648,7 +2681,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "No IPv6 address available for SVC connection" }, "action": { 
@@ -2691,7 +2723,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "AnyConnect session lost connection. Waiting to resume." }, "action": { @@ -2732,7 +2763,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "No IPv6 address available for SVC connection" }, "action": { @@ -2775,7 +2805,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "Tunnel group search using certificate maps failed for peer certificate" }, "action": { @@ -2850,6 +2879,7 @@ The following table lists the fields that are extracted, normalized under the EC |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.code` | `keyword` | Identification code for this event. | |`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.outcome` | `keyword` | The outcome of the event. The lowest level categorization field in the hierarchy. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`file.extension` | `keyword` | File extension, excluding the leading dot. | diff --git a/_shared_content/operations_center/integrations/generated/469bd3ae-61c9-4c39-9703-7452882e70da.md b/_shared_content/operations_center/integrations/generated/469bd3ae-61c9-4c39-9703-7452882e70da.md index 43a4a54d0f..6c7d80635e 100644 --- a/_shared_content/operations_center/integrations/generated/469bd3ae-61c9-4c39-9703-7452882e70da.md +++ b/_shared_content/operations_center/integrations/generated/469bd3ae-61c9-4c39-9703-7452882e70da.md 
@@ -20,7 +20,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `authentication`, `intrusion_detection`, `malware`, `network` | | Type | `allowed`, `denied`, `info`, `start` | @@ -43,7 +43,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "intrusion_detection" ], - "kind": "event", "type": [ "denied" ] @@ -87,6 +86,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "ip": "61.177.173.13", "port": 47046 + }, + "threat": { + "indicator": { + "description": "IP reputation based signature - Network Scanner", + "ip": "61.177.173.13", + "name": "61.177.173.13", + "reference": "61.177.173.13", + "type": "ip" + } } } @@ -104,7 +112,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "type": [ "start" ] @@ -150,7 +157,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "start" ] @@ -206,7 +212,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] @@ -274,7 +279,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "intrusion_detection" ], - "kind": "event", "type": [ "denied" ] 
@@ -317,6 +321,211 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "ip": "61.177.173.13", "port": 47046 + }, + "threat": { + "indicator": { + "description": "IP reputation based signature - Network Scanner", + "ip": "61.177.173.13", + "name": "61.177.173.13", + "reference": "61.177.173.13", + "type": "ip" + } + } + } + + ``` + + +=== "cato_sase_ips_events_2.json" + + ```json + + { + "message": "{\"event_time\": \"2023-10-12T09:48:09Z\", \"ISP_name\": \"Vodafone\", \"account_id\": \"8517\", \"action\": \"Block\", \"cato_app\": \"http\", \"dest_country\": \"United States\", \"dest_country_code\": \"US\", \"dest_ip\": \"5.6.7.8\", \"dest_is_site_or_vpn\": \"Site\", \"dest_port\": \"443\", \"dest_site\": \"-1\", \"domain_name\": \"www.example.org\", \"event_count\": \"1\", \"event_sub_type\": \"IPS\", \"event_type\": \"Security\", \"full_path_url\": \"\", \"internalId\": \"bW49YVhZqg\", \"ip_protocol\": \"TCP\", \"mitre_attack_subtechniques\": \"\", \"mitre_attack_tactics\": \"Initial Access (TA0001), Reconnaissance (TA0043)\", \"mitre_attack_techniques\": \"Phishing (T1566), Phishing for Information (T1598)\", \"os_type\": \"OS_WINDOWS\", \"pop_name\": \"Paris\", \"risk_level\": \"Medium\", \"rule\": \"39711\", \"rule_id\": \"39711\", \"signature_id\": \"feed_vt_url_phishing\", \"src_country\": \"France\", \"src_country_code\": \"FR\", \"src_ip\": \"1.2.3.4\", \"src_is_site_or_vpn\": \"Site\", \"src_isp_ip\": \"90.83.111.11\", \"src_port\": \"58672\", \"src_site\": \"EXAMPLE-DC\", \"threat_name\": \"Domain reputation based signature - Phishing\", \"threat_reference\": \"https://support.catonetworks.com/hc/en-us/articles/360011568478\", \"threat_type\": \"Reputation\", \"time\": \"1697104089849\", \"traffic_direction\": \"OUTBOUND\"}", + "event": { + "action": "block", + "category": [ + "intrusion_detection" + ], + "type": [ + "denied" + ] + }, + "@timestamp": "2023-10-12T09:48:09Z", + "cato": { + "sase": { + "event_sub_type": "IPS", + 
"event_type": "Security", + "risk_level": "Medium", + "threat_type": "Reputation" + } + }, + "destination": { + "address": "5.6.7.8", + "geo": { + "country_name": "United States" + }, + "ip": "5.6.7.8", + "port": 443 + }, + "host": { + "os": { + "type": "windows" + } + }, + "network": { + "direction": "OUTBOUND", + "transport": "TCP" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8", + "90.83.111.11" + ] + }, + "rule": { + "id": "39711" + }, + "source": { + "address": "1.2.3.4", + "geo": { + "country_name": "France" + }, + "ip": "1.2.3.4", + "nat": { + "ip": "90.83.111.11" + }, + "port": 58672 + }, + "threat": { + "indicator": { + "description": "Domain reputation based signature - Phishing", + "ip": "1.2.3.4", + "name": "1.2.3.4", + "reference": "1.2.3.4", + "type": "ip" + }, + "tactic": { + "id": [ + "TA0001", + "TA0043" + ], + "name": [ + "Initial Access", + "Reconnaissance" + ] + }, + "technique": { + "id": [ + "T1566", + "T1598" + ], + "name": [ + "Phishing", + "Phishing for Information" + ] + } + } + } + + ``` + + +=== "cato_sase_ips_events_3.json" + + ```json + + { + "message": "{\"event_time\": \"2023-10-12T09:48:09Z\", \"ISP_name\": \"Vodafone\", \"account_id\": \"8517\", \"action\": \"Block\", \"cato_app\": \"http\", \"dest_country\": \"United States\", \"dest_country_code\": \"US\", \"dest_ip\": \"5.6.7.8\", \"dest_is_site_or_vpn\": \"Site\", \"dest_port\": \"443\", \"dest_site\": \"-1\", \"domain_name\": \"www.example.org\", \"event_count\": \"1\", \"event_sub_type\": \"IPS\", \"event_type\": \"Security\", \"full_path_url\": \"\", \"internalId\": \"RElf2tix4X\", \"ip_protocol\": \"TCP\", \"mitre_attack_subtechniques\": \"\", \"mitre_attack_tactics\": \"Initial Access (TA0001), Reconnaissance (TA0043)\", \"mitre_attack_techniques\": \"Phishing (T1566), Phishing for Information (T1598)\", \"os_type\": \"OS_WINDOWS\", \"pop_name\": \"Paris\", \"risk_level\": \"Medium\", \"rule\": \"39711\", \"rule_id\": \"39711\", \"signature_id\": 
\"feed_vt_url_phishing\", \"src_country\": \"France\", \"src_country_code\": \"FR\", \"src_ip\": \"1.2.3.4\", \"src_is_site_or_vpn\": \"Site\", \"src_isp_ip\": \"90.83.111.11\", \"src_port\": \"58672\", \"src_site\": \"EXAMPLE-DC\", \"threat_name\": \"Domain reputation based signature - Phishing\", \"threat_reference\": \"https://support.catonetworks.com/hc/en-us/articles/360011568478\", \"threat_type\": \"Reputation\", \"time\": \"1697104089898\", \"traffic_direction\": \"OUTBOUND\", \"url\": \"/url/2023/34802/08/27055081/twitter.png\"}", + "event": { + "action": "block", + "category": [ + "intrusion_detection" + ], + "type": [ + "denied" + ] + }, + "@timestamp": "2023-10-12T09:48:09Z", + "cato": { + "sase": { + "event_sub_type": "IPS", + "event_type": "Security", + "risk_level": "Medium", + "threat_type": "Reputation" + } + }, + "destination": { + "address": "5.6.7.8", + "geo": { + "country_name": "United States" + }, + "ip": "5.6.7.8", + "port": 443 + }, + "host": { + "os": { + "type": "windows" + } + }, + "network": { + "direction": "OUTBOUND", + "transport": "TCP" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8", + "90.83.111.11" + ] + }, + "rule": { + "id": "39711" + }, + "source": { + "address": "1.2.3.4", + "geo": { + "country_name": "France" + }, + "ip": "1.2.3.4", + "nat": { + "ip": "90.83.111.11" + }, + "port": 58672 + }, + "threat": { + "indicator": { + "description": "Domain reputation based signature - Phishing", + "ip": "1.2.3.4", + "name": "1.2.3.4", + "reference": "1.2.3.4", + "type": "ip" + }, + "tactic": { + "id": [ + "TA0001", + "TA0043" + ], + "name": [ + "Initial Access", + "Reconnaissance" + ] + }, + "technique": { + "id": [ + "T1566", + "T1598" + ], + "name": [ + "Phishing", + "Phishing for Information" + ] + } + }, + "url": { + "original": "/url/2023/34802/08/27055081/twitter.png", + "path": "/url/2023/34802/08/27055081/twitter.png" } } 
@@ -334,7 +543,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "malware" ], - "kind": "event", "type": [ "info" ] @@ -342,7 +550,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "cato": { "sase": { "event_sub_type": "NG Anti Malware", - "event_type": "Security" + "event_type": "Security", + "threat_verdict": "virus_found" } }, "destination": { @@ -382,6 +591,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "address": "10.41.173.156", "ip": "10.41.173.156" }, + "threat": { + "indicator": { + "description": "malware", + "file": { + "name": "eicar.exe" + }, + "name": "EICAR-SENTINEL-ANTIVIRUS-TEST-FILE", + "type": "file" + } + }, "url": { "domain": "reflec.xxx.com ", "original": "https://reflec.xxx.com /eicar.exe", @@ -411,7 +630,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "allowed" ] 
@@ -473,12 +691,12 @@ The following table lists the fields that are extracted, normalized under the EC |`cato.sase.event_type` | `keyword` | Cato SASE event type | |`cato.sase.risk_level` | `keyword` | Cato SASE risk level | |`cato.sase.threat_type` | `keyword` | Cato SASE threat type | +|`cato.sase.threat_verdict` | `keyword` | Cato SASES threat verdict | |`destination.geo.country_name` | `keyword` | Country name. | |`destination.ip` | `ip` | IP address of the destination. | |`destination.port` | `long` | Port of the destination. | |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`file.hash.sha256` | `keyword` | SHA256 hash. | 
@@ -496,6 +714,15 @@ The following table lists the fields that are extracted, normalized under the EC |`source.ip` | `ip` | IP address of the source. | |`source.nat.ip` | `ip` | Source NAT ip | |`source.port` | `long` | Port of the source. | +|`threat.indicator.description` | `keyword` | Indicator description | +|`threat.indicator.file.name` | `keyword` | Name of the file including the extension, without the directory. | +|`threat.indicator.ip` | `ip` | Indicator IP address | +|`threat.indicator.reference` | `keyword` | Indicator reference URL | +|`threat.indicator.type` | `keyword` | Type of indicator | +|`threat.tactic.id` | `keyword` | Threat tactic id. | +|`threat.tactic.name` | `keyword` | Threat tactic. | +|`threat.technique.id` | `keyword` | Threat technique id. | +|`threat.technique.name` | `keyword` | Threat technique name. | |`url.original` | `wildcard` | Unmodified original url as seen in the event source. | |`user.email` | `keyword` | User email address. | |`user.name` | `keyword` | Short name or login of the user. | diff --git a/_shared_content/operations_center/integrations/generated/46ca6fc8-3d30-434c-92ff-0e1cde564161.md b/_shared_content/operations_center/integrations/generated/46ca6fc8-3d30-434c-92ff-0e1cde564161.md index 34cbea804e..3b4773ed88 100644 --- a/_shared_content/operations_center/integrations/generated/46ca6fc8-3d30-434c-92ff-0e1cde564161.md +++ b/_shared_content/operations_center/integrations/generated/46ca6fc8-3d30-434c-92ff-0e1cde564161.md @@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `email`, `network` | | Type | `info` | @@ -40,7 +40,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "click", - "kind": "event", "type": [ "allowed" ] 
@@ -134,7 +133,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "email" ], "dataset": "message", - "kind": "event", "type": [ "info" ] @@ -293,7 +291,6 @@ The following table lists the fields that are extracted, normalized under the EC |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.dataset` | `keyword` | Name of the dataset. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`observer.product` | `keyword` | The product name of the observer. | |`observer.vendor` | `keyword` | Vendor name of the observer. | diff --git a/_shared_content/operations_center/integrations/generated/46e45417-187b-45bb-bf81-30df7b1963a0.md b/_shared_content/operations_center/integrations/generated/46e45417-187b-45bb-bf81-30df7b1963a0.md index 0a77e0fa68..ec731405e5 100644 --- a/_shared_content/operations_center/integrations/generated/46e45417-187b-45bb-bf81-30df7b1963a0.md +++ b/_shared_content/operations_center/integrations/generated/46e45417-187b-45bb-bf81-30df7b1963a0.md @@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `network` | | Type | `access` | @@ -39,7 +39,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "module": "aws.waf", "reason": [ "XSS" @@ -104,7 +103,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "url": { "original": "/config/postProcessing/testNaming", - "path": "/config/postProcessing/testNaming" + "path": "/config/postProcessing/testNaming", + "query": "REDACTED" }, "user_agent": { "device": { 
@@ -123,6 +123,97 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "Block2.json" + + ```json + + { + "message": "{\"timestamp\":1709166517900,\"formatVersion\":1,\"webaclId\":\"arn:aws:wafv2:eu-east-1:111111111111:regional/webacl/web-acl-corp/2f718aae-1809-4772-a5c6-e82327f6012f\",\"terminatingRuleId\":\"block-wheel-calls\",\"terminatingRuleType\":\"REGULAR\",\"action\":\"BLOCK\",\"terminatingRuleMatchDetails\":[],\"httpSourceName\":\"lb\",\"httpSourceId\":\"1111111111-app/dom-example-lb/68b329da9893e34\",\"ruleGroupList\":[],\"rateBasedRuleList\":[],\"nonTerminatingMatchingRules\":[],\"requestHeadersInserted\":null,\"responseCodeSent\":null,\"httpRequest\":{\"clientIp\":\"1.2.3.4\",\"country\":\"US\",\"headers\":[{\"name\":\"Host\",\"value\":\"dom.example.com\"},{\"name\":\"User-Agent\",\"value\":\"Mozilla/5.0(X11;Linuxx86_64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/69.0.3497.12Safari/537.36\"},{\"name\":\"Connection\",\"value\":\"close\"},{\"name\":\"Accept\",\"value\":\"*/*\"},{\"name\":\"Accept-Language\",\"value\":\"en\"},{\"name\":\"Accept-Encoding\",\"value\":\"gzip\"}],\"uri\":\"/console/\",\"args\":\"_param1=true&_pageLabel\u00b6m2=value1\",\"httpVersion\":\"HTTP/1.1\",\"httpMethod\":\"GET\",\"requestId\":\"1-65dfcfb5-68b329da9893e34099c7d8ad\"},\"ja3Fingerprint\":\"68b329da9893e34099c7d8ad5cb9c940\",\"labels\":[{\"name\":\"awswaf:111111111111:webacl:web-acl-corp:wheel\"}]}", + "event": { + "action": "BLOCK", + "category": [ + "network" + ], + "module": "aws.waf", + "type": [ + "access" + ] + }, + "@timestamp": "2024-02-29T00:28:37.900000Z", + "action": { + "target": "network-traffic" + }, + "aws": { + "waf": { + "rule": { + "arn": "arn:aws:wafv2:eu-east-1:111111111111:regional/webacl/web-acl-corp/2f718aae-1809-4772-a5c6-e82327f6012f" + } + } + }, + "cloud": { + "provider": "aws", + "region": "eu-east-1", + "service": { + "name": "waf" + } + }, + "destination": { + "address": "dom.example.com", + "domain": 
"dom.example.com", + "registered_domain": "example.com", + "subdomain": "dom", + "top_level_domain": "com" + }, + "http": { + "request": { + "id": "1-65dfcfb5-68b329da9893e34099c7d8ad", + "method": "GET" + }, + "version": "HTTP/1.1" + }, + "observer": { + "type": "waf" + }, + "related": { + "hosts": [ + "dom.example.com" + ], + "ip": [ + "1.2.3.4" + ] + }, + "rule": { + "category": "REGULAR", + "name": "block-wheel-calls" + }, + "source": { + "address": "1.2.3.4", + "geo": { + "country_iso_code": "US" + }, + "ip": "1.2.3.4" + }, + "url": { + "original": "/console/", + "path": "/console/", + "query": "_param1=true&_pageLabel\u00b6m2=value1" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0(X11;Linuxx86_64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/69.0.3497.12Safari/537.36", + "os": { + "name": "Linux" + }, + "version": "69.0.3497" + } + } + + ``` + + === "SQL_injection.json" ```json @@ -134,7 +225,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "module": "aws.waf", "reason": [ "SQL_INJECTION" @@ -203,7 +293,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "url": { "original": "/login.php", - "path": "/login.php" + "path": "/login.php", + "query": "REDACTED" }, "user_agent": { "device": { @@ -233,7 +324,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "module": "aws.waf", "reason": [ "XSS" @@ -298,7 +388,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "url": { "original": "/wp-admin/options-general.php", - "path": "/wp-admin/options-general.php" + "path": "/wp-admin/options-general.php", + "query": "REDACTED" }, "user_agent": { "device": { 
@@ -328,7 +419,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "module": "aws.waf", "type": [ "access" @@ -395,7 +485,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "url": { "original": "/graphql", - "path": "/graphql" + "path": "/graphql", + "query": "REDACTED" }, "user_agent": { "device": { @@ -423,7 +514,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "module": "aws.waf", "type": [ "access" @@ -488,7 +578,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "url": { "original": "/subscriptions", - "path": "/subscriptions" + "path": "/subscriptions", + "query": "REDACTED" }, "user_agent": { "device": { @@ -518,7 +609,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "module": "aws.waf", "type": [ "access" @@ -585,7 +675,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "url": { "original": "/graphql", - "path": "/graphql" + "path": "/graphql", + "query": "REDACTED" }, "user_agent": { "device": { @@ -615,7 +706,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "module": "aws.waf", "type": [ "access" @@ -677,7 +767,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "url": { "original": "/subscriptions", - "path": "/subscriptions" + "path": "/subscriptions", + "query": "REDACTED" }, "user_agent": { "device": { 
@@ -714,7 +805,6 @@ The following table lists the fields that are extracted, normalized under the EC |`destination.domain` | `keyword` | The domain name of the destination. | |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.module` | `keyword` | Name of the module this data is coming from. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | @@ -732,5 +822,6 @@ The following table lists the fields that are extracted, normalized under the EC |`source.geo.country_iso_code` | `keyword` | Country ISO code. | |`source.ip` | `ip` | IP address of the source. | |`url.original` | `wildcard` | Unmodified original url as seen in the event source. | +|`url.query` | `keyword` | Query string of the request. | |`user_agent.original` | `keyword` | Unparsed user_agent string. | diff --git a/_shared_content/operations_center/integrations/generated/46fe3905-9e38-4fb2-be09-44d31626b694.md b/_shared_content/operations_center/integrations/generated/46fe3905-9e38-4fb2-be09-44d31626b694.md index e00d3dd1f3..f9f4c3c9c7 100644 --- a/_shared_content/operations_center/integrations/generated/46fe3905-9e38-4fb2-be09-44d31626b694.md +++ b/_shared_content/operations_center/integrations/generated/46fe3905-9e38-4fb2-be09-44d31626b694.md @@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `alert`, `event` | +| Kind | `alert` | | Category | `malware`, `web` | | Type | `info` | 
@@ -35,7 +35,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"direction\": \"OUTBOUND\", \"class\": \"EVENT\", \"version\": \"1.0\", \"type\": \"MTA\", \"ts\": \"2021-05-18 16:50:30 +0200\", \"host\": \"events.retarus.com\", \"customer\": \"45987FR\", \"metaData\": {}, \"sender\": \"utilisateur@mail.fr\", \"status\": \"ACCEPTED\", \"mimeId\": \"\", \"rmxId\": \"20210518-32464-yvrfukcZEcd-0@out33.fg\", \"sourceIp\": \"255.255.255.1\", \"recipient\": \"recepient@mail.com\"}", "event": { - "kind": "event", "outcome": "success" }, "action": { @@ -96,7 +95,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"customer\": \"CuNo\",\"metaData\": {\"authentication\": {\"dkim\": {\"status\": \"dkim=none\",\"details\": \"dkim=none reason=\\\"no signature\\\"\"}},\"transportEncryption\": {\"requested\": false,\"established\": false},\"header\": {\"subject\": \"This is a test mail\",\"from\": \"sender@example.com\"},\"contentEncryption\": false},\"host\": \"events.retarus.com\",\"ts\": \"2021-07-11 14:58:43 +0200\",\"version\": \"1.0\",\"sourceIp\": \"xxx.xxx.xxx.xxx\",\"sender\": \"xxxxxxx@retarus.com\",\"type\": \"MTA\",\"subtype\": \"INCOMING\",\"direction\": \"INBOUND\",\"recipient\": \"xxxxxxx@retarus.de\",\"mimeId\": \"<5616dfeid.xxxxxxxxxx@retarus.net>\",\"status\": \"ACCEPTED\",\"class\": \"EVENT\",\"rmxId\": \"20210711-145842-xxxxxx-xxxxxx-0@mailin27\"}", "event": { - "kind": "event", "outcome": "success" }, "action": { 
@@ -153,7 +151,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"version\":\"1.0\",\"rmxId\":\"20220912-000000-111111111111-0@example\",\"sender\":\"\",\"ts\":\"2022-09-12 16:30:58 +0200\",\"metaData\":{\"transportEncryption\":{\"protocol\":\"TLSv1.2\",\"cipherSuite\":\"ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)\",\"established\":true,\"requested\":true},\"authentication\":{\"dkim\":{\"status\":\"dkim=none\",\"details\":\"dkim=none reason=\\\"no signature\\\"\"},\"spf\":{\"status\":\"spf=none\",\"details\":\"spf=none smtp.helo=mailer.com\"}},\"header\":{\"from\":\"MAILER-DAEMON (Mail Delivery System)\",\"subject\":\"Undelivered Mail Returned to Sender\"},\"contentEncryption\":false},\"recipient\":\"user@example.org\",\"sourceIp\":\"1.2.3.4\",\"type\":\"MTA\",\"subtype\":\"INCOMING\",\"host\":\"events.retarus.com\",\"direction\":\"INBOUND\",\"status\":\"ACCEPTED\",\"customer\":\"15752FR\",\"class\":\"EVENT\",\"mimeId\":\"<00000000@mailer.com>\"}\n", "event": { - "kind": "event", "outcome": "success" }, "action": { @@ -209,7 +206,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"customer\": \"CuNo\",\"metaData\": {\"transportEncryption\": {\"requested\": true,\"established\": true,\"protocol\": \"TLSv1.2\",\"cipherSuite\": \"ECDHE-RSA-AES128-SHA256(128/128bits)\"},\"header\": {\"subject\": \"This is a test mail\",\"from\": \"sender@example.com\"}},\"host\": \"events.retarus.com\",\"ts\": \"2021-07-11 14:58:43 +0200\",\"version\": \"1.0\",\"sourceIp\": \"255.255.255.1\",\"sender\": \"xxxxxxx@retarus.com\",\"type\": \"MTA\",\"subtype\": \"INCOMING\",\"direction\": \"OUTBOUND\",\"recipient\": \"xxxxxxx@retarus.de\",\"mimeId\": \"<5616dfeid.xxxxxxxxxx@retarus.net>\",\"status\": \"ACCEPTED\",\"class\": \"EVENT\",\"rmxId\": \"20210711-145842-xxxxxx-xxxxxx-0@mailin27\"}", "event": { - "kind": "event", "outcome": "success" }, "action": { 
diff --git a/_shared_content/operations_center/integrations/generated/4760d0bc-2194-44e5-a876-85102b18d832.md b/_shared_content/operations_center/integrations/generated/4760d0bc-2194-44e5-a876-85102b18d832.md index b6c402e5d8..4f0d6bc53f 100644 --- a/_shared_content/operations_center/integrations/generated/4760d0bc-2194-44e5-a876-85102b18d832.md +++ b/_shared_content/operations_center/integrations/generated/4760d0bc-2194-44e5-a876-85102b18d832.md @@ -18,7 +18,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `authentication`, `configuration`, `host`, `network`, `process` | | Type | `change`, `end`, `info`, `start` | @@ -40,7 +40,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "configuration" ], - "kind": "event", "reason": "Use of 'save running-config'", "type": [ "change" @@ -77,7 +76,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "configuration" ], - "kind": "event", "reason": "Configuration modified", "type": [ "change" @@ -114,7 +112,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "configuration" ], - "kind": "event", "reason": "Enabled \"logging syslog filter all\"", "type": [ "change" @@ -151,7 +148,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "configuration" ], - "kind": "event", "reason": " New RSA Crypto Key Pair Generated", "type": [ "change" @@ -188,7 +184,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "configuration" ], - "kind": "event", "reason": "SSH 2.0 server has been enabled", "type": [ "change" @@ -231,7 +226,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "host" ], - "kind": "event", "type": [ "change" ] 
@@ -265,7 +259,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "host" ], - "kind": "event", "type": [ "change" ] @@ -298,7 +291,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "outcome": "LOGIN_SUCCESS", "type": [ "start" @@ -340,7 +332,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "outcome": "LOGIN_FAILURE", "type": [ "start" @@ -382,7 +373,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "type": [ "end" ] @@ -430,7 +420,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "provider": "ZTP", "reason": "Initiating zerotouch provisioning mechanism", "type": [ @@ -460,7 +449,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "provider": "CWMP", "reason": "Reading data from file.", "type": [ @@ -491,7 +479,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "denied" ] @@ -542,7 +529,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "allowed" ] 
@@ -597,7 +583,6 @@ The following table lists the fields that are extracted, normalized under the EC |`ekinops.oneos.origin` | `keyword` | Origin of the event | |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.outcome` | `keyword` | The outcome of the event. The lowest level categorization field in the hierarchy. | |`event.provider` | `keyword` | Source of the event. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | diff --git a/_shared_content/operations_center/integrations/generated/515ed00f-bf70-4fce-96cc-0ca31abd5d24.md b/_shared_content/operations_center/integrations/generated/515ed00f-bf70-4fce-96cc-0ca31abd5d24.md index 6984e695ba..94e734f6cf 100644 --- a/_shared_content/operations_center/integrations/generated/515ed00f-bf70-4fce-96cc-0ca31abd5d24.md +++ b/_shared_content/operations_center/integrations/generated/515ed00f-bf70-4fce-96cc-0ca31abd5d24.md @@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `network` | | Type | `info` | @@ -39,7 +39,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "end": "2022-06-03T12:09:42.768509Z", - "kind": "event", "start": "2022-06-03T12:09:42.501046Z", "type": [ "info" @@ -138,7 +137,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "end": "2022-06-03T12:09:44.424429Z", - "kind": "event", "start": "2022-06-03T12:09:44.421947Z", "type": [ "info" 
@@ -243,7 +241,6 @@ The following table lists the fields that are extracted, normalized under the EC
 |`destination.port` | `long` | Port of the destination. |
 |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
 |`event.end` | `date` | event.end contains the date when the event ended or when the activity was last observed. |
-|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
 |`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. |
 |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
 |`google_vpc_flow_logs.insertId` | `keyword` | |
diff --git a/_shared_content/operations_center/integrations/generated/547234b3-82ea-4507-b28f-3ee3cd5b9a8e.md b/_shared_content/operations_center/integrations/generated/547234b3-82ea-4507-b28f-3ee3cd5b9a8e.md
index c87c6b9a25..812a6b38f4 100644
--- a/_shared_content/operations_center/integrations/generated/547234b3-82ea-4507-b28f-3ee3cd5b9a8e.md
+++ b/_shared_content/operations_center/integrations/generated/547234b3-82ea-4507-b28f-3ee3cd5b9a8e.md
@@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte
 | Name | Values |
 | ---- | ------ |
-| Kind | `event` |
+| Kind | `` |
 | Category | `authentication`, `iam` |
 | Type | `admin`, `info` |
@@ -40,7 +40,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "iam"
 ],
 "dataset": "admin_log",
- "kind": "event",
 "type": [
 "admin"
 ]
@@ -67,7 +66,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "iam"
 ],
 "dataset": "admin_log",
- "kind": "event",
 "type": [
 "admin"
 ]
@@ -106,7 +104,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "authentication"
 ],
 "dataset": "auth_log",
- "kind": "event",
 "type": [
 "info"
 ]
@@ -165,7 +162,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "offline_log", - "kind": "event", "type": [ "info" ] @@ -218,7 +214,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "telephony_log", - "kind": "event", "reason": "administrator login", "type": [ "info" @@ -252,7 +247,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "telephony_log", - "kind": "event", "reason": "authentication", "type": [ "info" @@ -286,7 +280,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "telephony_log", - "kind": "event", "reason": "enrollment", "type": [ "info" @@ -325,7 +318,6 @@ The following table lists the fields that are extracted, normalized under the EC |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.dataset` | `keyword` | Name of the dataset. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`host.name` | `keyword` | Name of the host. | diff --git a/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md b/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md index 3bda9997ff..2445795cdf 100644 --- a/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md +++ b/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md 
@@ -260,6 +260,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "type": "utm" }, + "policyid": "1685", + "poluuid": "4470d4c5-7e12-4a8f-a369-08eff4a43b5b", "virtual_domain": "root" } }, @@ -345,6 +347,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "type": "utm" }, + "policyid": "770", + "poluuid": "f2aef0f2-a721-49cf-9dd3-b27f7f5b90bc", "virtual_domain": "root" } }, @@ -868,6 +872,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "desc": "illegal parameter", "type": "event" }, + "policyid": "0", "virtual_domain": "PRX1-AA" } }, @@ -1597,6 +1602,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "type": "dns" }, + "policyid": "1", "virtual_domain": "vdom1" } }, @@ -1873,6 +1879,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "type": "utm" }, + "policyid": "1", "virtual_domain": "root" } }, @@ -1961,6 +1968,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "type": "traffic" }, + "policyid": "1", + "poluuid": "1520e1aa-823a-51e9-984f-a55e1f39b3c7", "virtual_domain": "root" } }, @@ -2043,6 +2052,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "type": "traffic" }, + "policyid": "0", "virtual_domain": "root" } }, @@ -2196,6 +2206,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "type": "traffic" }, + "policyid": "637", + "poluuid": "b23818a6-8f49-51ea-9db7-4e4965a3483c", "virtual_domain": "ROUTER" } }, @@ -2366,6 +2378,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "severity": "low", "type": "utm" }, + "policyid": "494", + "poluuid": "aecacfaf-8d3f-4809-a60f-bf873e0fcab3", "virtual_domain": "root" } }, 
@@ -2455,6 +2469,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "type": "traffic" }, + "policyid": "37", + "poluuid": "6a8f76d0-1459-4ddb-948a-62700ddbf241", "user": { "source": "kerberos" }, @@ -2462,7 +2478,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "host": { - "name": "computer-039482" + "name": "C-3424", + "os": { + "family": "Windows" + } }, "log": { "hostname": "computer-039482", @@ -2844,9 +2863,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "type": "traffic" }, + "policyid": "1", "virtual_domain": "root" } }, + "host": { + "os": { + "family": "Apple" + } + }, "log": { "level": "notice" }, @@ -2926,9 +2951,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "type": "traffic" }, + "policyid": "1", "virtual_domain": "root" } }, + "host": { + "os": { + "family": "Apple" + } + }, "log": { "level": "notice" }, @@ -3005,6 +3036,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "type": "traffic" }, + "policyid": "1", + "poluuid": "1eb429d4-ff52-51ea-d119-d1db60e409a6", "virtual_domain": "PRX1-AA" } }, @@ -3159,6 +3192,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "type": "traffic" }, + "policyid": "207", + "poluuid": "d77c53b2-a3c6-51e9-49b2-61c9e68c1f7e", "virtual_domain": "root" } }, 
@@ -3214,6 +3249,102 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "traffic_nat_1.STANDARD.json" + + ```json + + { + "message": "timestamp=1709762763 devname=\"FW-001\" devid=\"FG100D6G11111111\" vd=\"root\" date=2024-03-06 time=22:06:03 logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" eventtime=1709762764028577926 tz=\"+0000\" srcip=1.2.3.4 srcname=\"DESKTOP-00001\" srcport=62979 srcintf=\"Port3.999\" srcintfrole=\"lan\" dstip=5.6.7.8 dstport=53 dstintf=\"wan1\" dstintfrole=\"undefined\" sessionid=538959618 proto=17 action=\"accept\" policyid=41 policytype=\"policy\" poluuid=\"703570eee-edfc-4565-8599-c6a75fd3e1e8\" service=\"DNS\" dstcountry=\"France\" srccountry=\"Reserved\" trandisp=\"snat\" transip=4.5.6.7 transport=62979 appid=16195 app=\"DNS\" appcat=\"Network.Service\" apprisk=\"elevated\" applist=\"EMEA_Monitor\" duration=189 sentbyte=285 rcvdbyte=0 sentpkt=5 rcvdpkt=0 osname=\"Windows\" srcswversion=\"10\" mastersrcmac=\"54:13:79:a3:8a:a3\" srcmac=\"54:13:79:a3:8a:a3\" srcserver=0", + "event": { + "action": "accept", + "category": "traffic", + "code": "0000000013", + "dataset": "traffic:forward", + "outcome": "success", + "timezone": "+0000" + }, + "@timestamp": "2024-03-06T22:06:03Z", + "action": { + "name": "accept", + "outcome": "success", + "target": "network-traffic", + "type": "forward" + }, + "destination": { + "address": "5.6.7.8", + "bytes": 0, + "ip": "5.6.7.8", + "packets": 0, + "port": 53 + }, + "fortinet": { + "fortigate": { + "apprisk": "elevated", + "event": { + "type": "traffic" + }, + "policyid": "41", + "poluuid": "703570eee-edfc-4565-8599-c6a75fd3e1e8", + "virtual_domain": "root" + } + }, + "host": { + "name": "DESKTOP-00001", + "os": { + "family": "Windows" + } + }, + "log": { + "hostname": "FW-001", + "level": "notice" + }, + "network": { + "application": "DNS", + "bytes": 285, + "protocol": "dns", + "transport": "udp" + }, + "observer": { + "egress": { + "interface": 
{ + "name": "wan1" + } + }, + "hostname": "FW-001", + "ingress": { + "interface": { + "name": "Port3.999" + } + }, + "serial_number": "FG100D6G11111111" + }, + "related": { + "hosts": [ + "FW-001" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "apprisk": "elevated", + "category": "Network.Service", + "ruleset": "EMEA_Monitor" + }, + "source": { + "address": "1.2.3.4", + "bytes": 285, + "ip": "1.2.3.4", + "mac": "54:13:79:a3:8a:a3", + "packets": 5, + "port": 62979 + } + } + + ``` + + === "tunnel.json" ```json @@ -3700,6 +3831,8 @@ The following table lists the fields that are extracted, normalized under the EC |`fortinet.fortigate.event.type` | `keyword` | Type of the event. | |`fortinet.fortigate.icmp.request.code` | `keyword` | The request code. | |`fortinet.fortigate.icmp.request.type` | `keyword` | The request type. | +|`fortinet.fortigate.policyid` | `keyword` | ID of the policy | +|`fortinet.fortigate.poluuid` | `keyword` | UUID of pol | |`fortinet.fortigate.tunnel.id` | `keyword` | The id of the tunnel | |`fortinet.fortigate.tunnel.ip` | `keyword` | The ip of the tunnel | |`fortinet.fortigate.tunnel.name` | `keyword` | The name of the tunnel | @@ -3707,6 +3840,8 @@ The following table lists the fields that are extracted, normalized under the EC |`fortinet.fortigate.tunnel.version` | `keyword` | The version of the tunnel | |`fortinet.fortigate.user.source` | `keyword` | The source of the username | |`fortinet.fortigate.virtual_domain` | `keyword` | Name of the virtual domain in which the event was observed | +|`host.name` | `keyword` | Name of the host. | +|`host.os.family` | `keyword` | OS family (such as redhat, debian, freebsd, windows). | |`http.request.method` | `keyword` | HTTP request method. | |`log.level` | `keyword` | Log level of the log event. | |`network.application` | `keyword` | Application level protocol name. | 
diff --git a/_shared_content/operations_center/integrations/generated/588a448b-c08d-4139-a746-b2b9f366e34b.md b/_shared_content/operations_center/integrations/generated/588a448b-c08d-4139-a746-b2b9f366e34b.md
index 9be995b7df..dec6ba06b3 100644
--- a/_shared_content/operations_center/integrations/generated/588a448b-c08d-4139-a746-b2b9f366e34b.md
+++ b/_shared_content/operations_center/integrations/generated/588a448b-c08d-4139-a746-b2b9f366e34b.md
@@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte
 | Name | Values |
 | ---- | ------ |
-| Kind | `event` |
+| Kind | `` |
 | Category | `authentication`, `network` |
 | Type | `connection`, `denied`, `end`, `info`, `start` |
@@ -40,7 +40,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "access_requests",
- "kind": "event",
 "type": [
 "info"
 ]
@@ -110,7 +109,6 @@ The following table lists the fields that are extracted, normalized under the EC
 |`cloudflare.TemporaryAccessDuration` | `number` | Approved duration for this access request. |
 |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
 |`event.dataset` | `keyword` | Name of the dataset. |
-|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
 |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
 |`observer.type` | `keyword` | The type of the observer the data is coming from. |
 |`observer.vendor` | `keyword` | Vendor name of the observer. |
diff --git a/_shared_content/operations_center/integrations/generated/591feb54-1d1f-4453-b780-b225c59e9f99.md b/_shared_content/operations_center/integrations/generated/591feb54-1d1f-4453-b780-b225c59e9f99.md
index 7a280b87b7..5af6b57f6c 100644
--- a/_shared_content/operations_center/integrations/generated/591feb54-1d1f-4453-b780-b225c59e9f99.md
+++ b/_shared_content/operations_center/integrations/generated/591feb54-1d1f-4453-b780-b225c59e9f99.md @@ -18,7 +18,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `host` | | Type | `info` | @@ -41,7 +41,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "code": "DUP_SRC_IP", - "kind": "event", "reason": "arp [20856] Source address of packet received from 0050.5683.69cd on Vlan756(port-channel100) is duplicate of local, 10.30.38.5 (message repeated 1 time)", "severity": 2, "type": [ @@ -94,7 +93,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "code": "SYSTEM_MSG", - "kind": "event", "module": "pam", "reason": "pam_aaa:Authentication failed from 1.2.3.4 - dcos_sshd[6531]", "severity": 3, @@ -144,7 +142,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "code": "SYSTEM_MSG", - "kind": "event", "module": "pam", "reason": "error: PAM: Authentication failure for illegal user USERID from 4.3.6.5 - dcos_sshd[6526]", "severity": 3, @@ -201,7 +198,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "code": "IF_DOWN_ADMIN_DOWN", - "kind": "event", "reason": "Administratively down", "severity": 5, "type": [ @@ -242,7 +238,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "code": "IF_DOWN_CFG_CHANGE", - "kind": "event", "reason": "Config change", "severity": 5, "type": [ @@ -282,7 +277,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "code": "IF_DUPLEX", - "kind": "event", "reason": "operational duplex mode changed to Full", "severity": 5, "type": [ 
@@ -322,7 +316,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "code": "IF_RX_FLOW_CONTROL", - "kind": "event", "reason": "operational Receive Flow Control state changed to off", "severity": 5, "type": [ @@ -362,7 +355,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "code": "SPEED", - "kind": "event", "reason": "operational speed changed to 1 Gbps", "severity": 5, "type": [ @@ -403,7 +395,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "code": "IF_UP", - "kind": "event", "reason": "Interface Ethernet1/38 (description:SRV-01) is up in mode access", "severity": 5, "type": [ @@ -444,7 +435,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "code": "IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN", - "kind": "event", "reason": "No operational members", "severity": 5, "type": [ @@ -484,7 +474,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "code": "PORT_SUSPENDED", - "kind": "event", "reason": "Ethernet1/38 is suspended", "severity": 5, "type": [ @@ -524,7 +513,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "code": "SYSTEM_MSG", - "kind": "event", "reason": "No such file or directory", "severity": 3, "type": [ @@ -563,7 +551,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "code": "VSHD_SYSLOG_CMD_EXEC", - "kind": "event", "reason": "User:jdoe executed the command:securityd", "severity": 5, "type": [ @@ -614,7 +601,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "code": "VSHD_SYSLOG_CONFIG_I", - "kind": "event", "reason": "Configured from vty by jdoe on 1.2.3.4@pts/0", "severity": 5, "type": [ 
@@ -667,7 +653,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "host"
 ],
 "code": "VSHD_SYSLOG_CONFIG_I",
- "kind": "event",
 "reason": "Configured from vty by jdoe on console",
 "severity": 5,
 "type": [
@@ -721,7 +706,6 @@ The following table lists the fields that are extracted, normalized under the EC
 |`event.action` | `keyword` | The action captured by the event. |
 |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
 |`event.code` | `keyword` | Identification code for this event. |
-|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
 |`event.module` | `keyword` | Name of the module this data is coming from. |
 |`event.reason` | `keyword` | Reason why this event happened, according to the source |
 |`event.severity` | `long` | Numeric severity of the event. |
diff --git a/_shared_content/operations_center/integrations/generated/5a8ef52f-d143-4735-8546-98539fc07725.md b/_shared_content/operations_center/integrations/generated/5a8ef52f-d143-4735-8546-98539fc07725.md
index 4ec211f23b..5bba9524b6 100644
--- a/_shared_content/operations_center/integrations/generated/5a8ef52f-d143-4735-8546-98539fc07725.md
+++ b/_shared_content/operations_center/integrations/generated/5a8ef52f-d143-4735-8546-98539fc07725.md
@@ -30,6 +30,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "event": {
 "outcome": "success"
 },
+ "@timestamp": "2020-06-12T14:31:38Z",
 "action": {
 "name": "request",
 "outcome": "success",
@@ -106,6 +107,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "event": {
 "outcome": "success"
 },
+ "@timestamp": "2020-06-12T14:30:59Z",
 "action": {
 "name": "request",
 "outcome": "success",
@@ -162,6 +164,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "event": {
 "outcome": "success"
 },
+ "@timestamp": "2024-03-03T20:28:52Z",
 "action": {
 "name": "request",
 "outcome": "success",
@@ -245,6 +248,7 @@ The following table lists the fields that are extracted, normalized under the EC
 | Name | Type | Description |
 | ---- | ---- | ---------------------------|
+|`@timestamp` | `date` | Date/time when the event originated. |
 |`action.target` | `keyword` | The target of the action |
 |`destination.address` | `keyword` | Destination network address. |
 |`destination.domain` | `keyword` | The domain name of the destination. |
diff --git a/_shared_content/operations_center/integrations/generated/5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2.md b/_shared_content/operations_center/integrations/generated/5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2.md
index 0e10c51377..ba2b852eb4 100644
--- a/_shared_content/operations_center/integrations/generated/5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2.md
+++ b/_shared_content/operations_center/integrations/generated/5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2.md
@@ -32,6 +32,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "event": {
 "outcome": "success"
 },
+ "@timestamp": "2020-06-12T14:31:52Z",
 "action": {
 "name": "block",
 "outcome": "success",
@@ -74,6 +75,7 @@ The following table lists the fields that are extracted, normalized under the EC
 | Name | Type | Description |
 | ---- | ---- | ---------------------------|
+|`@timestamp` | `date` | Date/time when the event originated. |
 |`action.target` | `keyword` | Target of the action |
 |`destination.ip` | `ip` | IP address of the destination. |
 |`destination.port` | `long` | Port of the destination. |
diff --git a/_shared_content/operations_center/integrations/generated/622999fe-d383-4d41-9f2d-eed5013fe463.md b/_shared_content/operations_center/integrations/generated/622999fe-d383-4d41-9f2d-eed5013fe463.md
index a228ccfa71..dfe727c671 100644
--- a/_shared_content/operations_center/integrations/generated/622999fe-d383-4d41-9f2d-eed5013fe463.md +++ b/_shared_content/operations_center/integrations/generated/622999fe-d383-4d41-9f2d-eed5013fe463.md @@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `network` | | Type | `info` | @@ -35,7 +35,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "id=sslvpn sn=111111111111 time=\"2023-09-18 07:43:15\" vp_time=\"2023-09-18 05:43:15 UTC\" fw=5.6.7.8 pri=5 m=1 c=1 src=1.2.3.4 dst=\"off0123.example.com\" user=\"JDOE@OFF0123\" usr=\"JDOE@OFF0123\" msg=\"User login successful\" portal=\"off0123\" domain=\"off0123\" agent=\"SonicWALL NetExtender for Windows 10.2.336 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1) x86_64\"", "event": { - "kind": "event", "category": [ "network" ], 
@@ -43,46 +42,46 @@ Find below few samples of events and how they are normalized by Sekoia.io. "info" ] }, + "@timestamp": "2023-09-18T05:43:15Z", + "destination": { + "address": "off0123.example.com" + }, "observer": { - "vendor": "SonicWall", + "ip": [ + "5.6.7.8" + ], "product": "Secure Mobile Access", "type": "firewall", + "vendor": "SonicWall" + }, + "related": { "ip": [ + "1.2.3.4", "5.6.7.8" + ], + "user": [ + "JDOE" ] }, - "@timestamp": "2023-09-18T05:43:15Z", "source": { - "ip": "1.2.3.4", - "address": "1.2.3.4" + "address": "1.2.3.4", + "ip": "1.2.3.4" }, - "destination": { - "address": "off0123.example.com" + "user": { + "domain": "OFF0123", + "name": "JDOE" }, "user_agent": { - "original": "SonicWALL NetExtender for Windows 10.2.336 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1) x86_64", "device": { "name": "Other" }, "name": "IE", - "version": "7.0", + "original": "SonicWALL NetExtender for Windows 10.2.336 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1) x86_64", "os": { "name": "Windows", "version": "10" - } - }, - "user": { - "name": "JDOE", - "domain": "OFF0123" - }, - "related": { - "ip": [ - "1.2.3.4", - "5.6.7.8" - ], - "user": [ - "JDOE" - ] + }, + "version": "7.0" } } @@ -101,7 +100,6 @@ The following table lists the fields that are extracted, normalized under the EC |`@timestamp` | `date` | Date/time when the event originated. | |`destination.address` | `keyword` | Destination network address. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`observer.ip` | `ip` | IP addresses of the observer. | |`observer.product` | `keyword` | The product name of the observer. | 
diff --git a/_shared_content/operations_center/integrations/generated/63974ce1-2f0a-44f7-a4cf-3e64787c1c39.md b/_shared_content/operations_center/integrations/generated/63974ce1-2f0a-44f7-a4cf-3e64787c1c39.md
index 48e0dbdf7f..eb868af35f 100644
--- a/_shared_content/operations_center/integrations/generated/63974ce1-2f0a-44f7-a4cf-3e64787c1c39.md
+++ b/_shared_content/operations_center/integrations/generated/63974ce1-2f0a-44f7-a4cf-3e64787c1c39.md
@@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte
 | Name | Values |
 | ---- | ------ |
-| Kind | `event` |
+| Kind | `` |
 | Category | `web` |
 | Type | `access` |
@@ -39,7 +39,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "web"
 ],
 "duration": 2000,
- "kind": "event",
 "type": [
 "access"
 ]
@@ -92,7 +91,6 @@ The following table lists the fields that are extracted, normalized under the EC
 |`client.ip` | `ip` | IP address of the client. |
 |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
 |`event.duration` | `long` | Duration of the event in nanoseconds. |
-|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
 |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
 |`http.request.method` | `keyword` | HTTP request method. |
 |`http.response.status_code` | `long` | HTTP response status code. |
diff --git a/_shared_content/operations_center/integrations/generated/69b52166-b804-4f47-860f-2d3fd0b46987.md b/_shared_content/operations_center/integrations/generated/69b52166-b804-4f47-860f-2d3fd0b46987.md
index b2b196cc62..08e5ba62e5 100644
--- a/_shared_content/operations_center/integrations/generated/69b52166-b804-4f47-860f-2d3fd0b46987.md
+++ b/_shared_content/operations_center/integrations/generated/69b52166-b804-4f47-860f-2d3fd0b46987.md
@@ -17,7 +17,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `web` | | Type | `` | @@ -40,7 +40,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "web" ], "dataset": "access", - "kind": "event", "module": "azure.waf", "type": [ "access" @@ -125,7 +124,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "web" ], "dataset": "health", - "kind": "event", "module": "azure.waf", "type": [ "info" @@ -189,7 +187,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "web" ], "dataset": "access", - "kind": "event", "module": "azure.waf", "reason": "Malicious bots that have falsified their identity", "type": [ @@ -271,7 +268,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "web" ], "dataset": "access", - "kind": "event", "module": "azure.waf", "reason": "Multipart request body failed strict validation", "type": [ @@ -357,7 +353,6 @@ The following table lists the fields that are extracted, normalized under the EC |`error.code` | `keyword` | Error code describing the error. | |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.module` | `keyword` | Name of the module this data is coming from. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`http.request.bytes` | `long` | Total size in bytes of the request (body and headers). | diff --git a/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899.md b/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899.md index c1bbf123e3..4b180f9f66 100644 
--- a/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899.md
+++ b/_shared_content/operations_center/integrations/generated/6b8cb346-6605-4240-ac15-3828627ba899.md
@@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte
 | Name | Values |
 | ---- | ------ |
-| Kind | `event` |
+| Kind | `` |
 | Category | `` |
 | Type | `end` |
@@ -35,7 +35,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "pam_unix(cron:session): session closed for user root",
 "event": {
- "kind": "event",
 "provider": "cron",
 "reason": "session closed"
 },
@@ -60,7 +59,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "pam_unix(sudo:session): session closed for user wabuser",
 "event": {
- "kind": "event",
 "provider": "sudo",
 "reason": "session closed"
 },
@@ -85,8 +83,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2022-09-05T10:05:15+02:00 foo-bastion-bar rdpproxy 4597 - - [RDP Session] session_id=\"1830c6973a42698400505688c380\" client_ip=\"1.1.1.1\" target_ip=\"2.2.2.2\" user=\"adm-foobar@corp.net\" device=\"foo-bar-baz\" service=\"RDP\" account=\"adm-foobar@corp.net\" type=\"FOREGROUND_WINDOW_CHANGED\" text=\"Espace de travail - IBM Lotus Notes\" class_name=\"SWT_Window0\" command_line=\"\\\"C:/lotus/Notes852/framework/rcp/eclipse/plugins/com.ibm.rcp.base_6.2.2.20100729-1241\\\\win32\\\\x86\\\\notes2.exe\\\" --launcher.suppressErrors \\\"-nosplash\\\" \\\"-nl\\\" \\\"fr\\\" \\\"-dir\\\" \\\"ltr\\\" \\\"-NPARAMS\\\" \\\"/authenticate\\\" \\\"-RPARAMS\\\" \\\"-name\\\" \\\"IBM Lotus Notes\\\" -personality \\\"com.ibm.rcp.platform.personality\\\" -product \\\"com.ibm.rcp.personality.framework.RCPProduct:com.ibm.notes.branding.notes\\\" -data \\\"c:/Lotus/Notes852/Data/workspace\\\" -configuration \\\"c:/Lotus/Notes852/Data/workspace/.config\\\" -plugincustomization \\\"C:/lotus/Notes852/framework/rcp/plugin_customization.ini\\\" -vm \\\"C:/lotus/Notes852/framework/../jvm/bin/\\\" -startup \\\"C:/lotus/Notes852/framework/rcp/eclipse/plugins/com.ibm.rcp.base_6.2.2.20100729-1241/launcher.jar\\\" -vmargs \\\"-Djava.security.policy=C:/lotus/Notes852/framework/../java.policy\\\" \\\"-Dorg.eclipse.swt.fixCitrix=false\\\" \\\"-Dosgi.framework.extensions=com.ibm.rcp.core.logger.frameworkhook,com.ibm.rds,com.ibm.cds\\\" \\\"-Xscmx64m\\\" \\\"-Xshareclasses:name=xpdplat_.jvm,controlDir=c:/Lotus/Notes852/Data/workspace/.config/org.eclipse.osgi,groupAccess,keep,singleJVM,nonfatal\\\" \\\"-Xgcpolicy:gencon\\\" \\\"-Xjit:noResumableTrapHandler\\\" \\\"-Xmaxt0.6\\\" \\\"-Xmca8k\\\" \\\"-Xminf0.1\\\" \\\"-Xmn7m\\\" \\\"-Xms48m\\\" \\\"-Xmx256m\\\" \\\"-Xnolinenumbers\\\" \\\"-Xverify:none\\\" \\\"-Xquickstart\\\" \\\"-Xscmaxaot12m\\\" \\\"-Xtrace:none\\\" \\\"-Xzero\\\" 
-Drcp.home=\\\"C:\\\\lotus\\\\Notes852\\\\framework\\\" -Drcp.data=\\\"c:/Lotus/Notes852/Data/workspace\\\" -Dosgi.splashPath=\\\"platform:/base/../../shared/eclipse/plugins/com.ibm.notes.branding,platform:/base/../../shared/eclipse/plugins/com.ibm.notes.branding.nl1,platform:/base/../.shared/eclipse/plugins/com.ibm.notes.branding.nl2,platform:/base/../../shared/eclipse/plugins/com.ibm.notes.branding.nl3\\\" -Dcom.ibm.rcp.install.id=\\\"1320657906134\\\" -Drcp.install.config=\\\"user\\\" -Declipse.registry.nulltoken=\\\"true\\\" -Dautopd.logfile.generations=\\\"3\\\" -Dorg.apache.xerces.xni.parser.XMLParserConfiguration=\\\"org.apache.xerces.parsers.XIncludeAwareParserConfiguration\\\" -Dcom.ibm.pvc.webcontainer.http.address=\\\"localhost\\\" -Dosgi.nl.user=\\\"true\\\" -Dautopd.instance.area=\\\"c:/Lotus/Notes852/Data/workspace/autopd\\\" -Dorg.eclipse.swt.browser.XULRunnerPath=\\\"C:/lotus/Notes852/framework/rcp/eclipse/plugins/com.ibm.rcp.xulrunner.runtime.win32.x86_6.2.2.20100729-1241/xulrunner\\\" -Djava.util.logging.config.class=\\\"com.ibm.rcp.core.internal.logger.boot.LoggerConfig\\\" -Dcom.ibm.pvc.webcontainer.port=\\\"0,59449\\\" -Dcom.ibm.pvc.webcontainer.vhost.configfile=\\\"C:/lotus/Notes852/framework/shared/eclipse/plugins/com.ibm.collaboration.realtime.webapi_8.0.2.20100802-0849/virtualhost.properties\\\" -Dderby.stream.error.file=\\\"c:/Lotus/Notes852/Data/workspace/logs/derby.log\\\" -Djava.security.properties=\\\"file:C:/lotus/Notes852/framework/rcp/eclipse/plugins/com.ibm.rcp.base_6.2.2.20100729-1241/rcp.security.properties\\\" -Djava.protocol.handler.pkgs=\\\"com.ibm.net.ssl.www.protocol\\\" -Dosgi.hook.configurators.exclude=\\\"org.eclipse.core.runtime.internal.adaptor.EclipseLogHook\\\" -Drcp.osgi.install.area=\\\"C:\\\\lotus\\\\Notes852\\\\framework\\\\rcp\\\\eclipse\\\" 
-Xbootclasspath/a:\\\"C:/lotus/Notes852/framework/shared/eclipse/plugins/com.ibm.collaboration.realtime.stjavatk_8.0.2.20100802-0849/sslite140-v3.16.jar;C:/lotus/Notes852/framework/rceclipse/plugins/com.ibm.rcp.base_6.2.2.20100729-1241/rcpbootcp.jar\\\"\"\n\n", "event": { - "action": "FOREGROUND_WINDOW_CHANGED", - "kind": "event" + "action": "FOREGROUND_WINDOW_CHANGED" }, "destination": { "address": "2.2.2.2", @@ -126,8 +123,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2022-09-05T10:05:15+02:00 foo-bastion-bar rdpproxy 13297 - - [RDP Session] session_id=\"1830c403be7caf0c00505688c380\" client_ip=\"1.1.1.1\" target_ip=\"2.2.2.2\" user=\"adm-bar\" device=\"foo-bastion-bar\" service=\"RDP\" account=\"adm-bar@corp.net\" type=\"FOREGROUND_WINDOW_CHANGED\" text=\"Remote Desktop Manager Free [FOO-BAR-P01]\" class_name=\"WindowsForms10.Window.8.app.0.13965fa_r6_ad1\" command_line=\"\\\"C:\\\\Program Files (x86)\\\\Devolutions\\\\Remote Desktop Manager Free\\\\RemoteDesktopManagerFree.exe\\\" \"\n\n", "event": { - "action": "FOREGROUND_WINDOW_CHANGED", - "kind": "event" + "action": "FOREGROUND_WINDOW_CHANGED" }, "destination": { "address": "2.2.2.2", @@ -167,7 +163,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "rexec line 15: Deprecated option UsePrivilegeSeparation", "event": { - "kind": "event", "provider": "sshd" }, "wallix": {} @@ -184,7 +179,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[sshproxy] psid=\"161607370130601\" type=\"INCOMING_CONNECTION\" src_ip=\"10.17.86.250\" src_port=\"53344\"", "event": { "action": "INCOMING_CONNECTION", - "kind": "event", "provider": "sshproxy" }, "related": { 
@@ -212,8 +206,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "sshproxy: [SSH Session] session_id=\"168bd3b417f437ae005056b60af6\" client_ip=\"10.10.43.84\" target_ip=\"10.10.47.53\" user=\"user01\" device=\"10.10.47.53\" service=\"ssh\" account=\"root\" type=\"SESSION_DISCONNECTION\" duration=\"0:00:05\"", "event": { - "action": "SESSION_DISCONNECTION", - "kind": "event" + "action": "SESSION_DISCONNECTION" }, "destination": { "address": "10.10.47.53", @@ -257,7 +250,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[SSH Session] session_id=\"182f9642c81320eb0050568e16d9\" client_ip=\"1.1.1.1\" target_ip=\"1.1.1.1\" user=\"username123@corp.net\" device=\"1.1.1.1\" service=\"SSH\" account=\"username123\" type=\"SESSION_DISCONNECTION\" duration=\"0:59:57\"", "event": { "action": "SESSION_DISCONNECTION", - "kind": "event", "provider": "SSH Session" }, "destination": { @@ -301,7 +293,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[SSH Session] session_id=\"1830cbf7a55a11dd005056b01296\" client_ip=\"1.1.1.1\" target_ip=\"ip-foo-bar-baz.corp.net\" user=\"user.name@corp.net\" device=\"DEVICE-FOO\" service=\"SSH\" account=\"username\" type=\"SESSION_ESTABLISHED_SUCCESSFULLY\"", "event": { "action": "SESSION_ESTABLISHED_SUCCESSFULLY", - "kind": "event", "provider": "SSH Session" }, "related": { @@ -337,7 +328,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "root : TTY=unknown ; PWD=/root ; USER=wabuser ; COMMAND=/opt/wab/bin/WABCleanApprovals close", "event": { - "kind": "event", "provider": "sudo" }, "process": { 
@@ -365,8 +355,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "[RDP Session] session_id=\"57a6694d877c413ba502946a03461dd2\" client_ip=\"1.2.3.4\" target_ip=\"5.6.7.8\" user=\"john.doe@example.org\" device=\"HOST0102\" service=\"RDP\" account=\"u10293@platform.example.org\" type=\"KBD_INPUT\" data=\"cusi//si//is\"\n",
 "event": {
- "action": "KBD_INPUT",
- "kind": "event"
+ "action": "KBD_INPUT"
 },
 "destination": {
 "address": "5.6.7.8",
@@ -408,7 +397,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"ConnectionPolicy\" object=\"QA_CONNECTION_POLICY_SSH_AGENT_FORWARDING\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"cn [QA_CONNECTION_POLICY_SSH_AGENT_FORWARDING], protocol [SSH], services [], methods [PASSWORD_VAULT, PUBKEY_VAULT, PUBKEY_AGENT_FORWARDING and 1 other(s)], Data [server_pubkey[server_pubkey_check]: '1', server_pubkey[server_pubkey_create_message]: '1', server_pubkey[server_access_allowed_message]: '0', server_pubkey[server_pubkey_success_message]: '0', server_pubkey[server_pubkey_failure_message]: '1', server_pubkey[server_pubkey_store]: 'True', trace[log_all_kbd]: 'False', startup_scenario[ask_startup]: 'False', startup_scenario[show_output]: 'True', startup_scenario[enable]: 'False', startup_scenario[timeout]: '10', startup_scenario[scenario]: '', general[transformation_rule]: '', session[inactivity_timeout]: '0', session[allow_multi_channels]: 'False', algorithms[kex_algos]: '', algorithms[compression_algos]: '', algorithms[cipher_algos]: '', algorithms[integrity_algos]: '']\"", "event": { "action": "ConnectionPolicy", - "kind": "event", "provider": "wabengine", "reason": "cn [QA_CONNECTION_POLICY_SSH_AGENT_FORWARDING], protocol [SSH], services [], methods [PASSWORD_VAULT, PUBKEY_VAULT, PUBKEY_AGENT_FORWARDING and 1 other(s)], Data [server_pubkey[server_pubkey_check]: '1', server_pubkey[server_pubkey_create_message]: '1', server_pubkey[server_access_allowed_message]: '0', server_pubkey[server_pubkey_success_message]: '0', server_pubkey[server_pubkey_failure_message]: '1', server_pubkey[server_pubkey_store]: 'True', trace[log_all_kbd]: 'False', startup_scenario[ask_startup]: 'False', startup_scenario[show_output]: 'True', startup_scenario[enable]: 'False', startup_scenario[timeout]: '10', startup_scenario[scenario]: '', general[transformation_rule]: '', session[inactivity_timeout]: '0', 
session[allow_multi_channels]: 'False', algorithms[kex_algos]: '', algorithms[compression_algos]: '', algorithms[cipher_algos]: '', algorithms[integrity_algos]: '']", "type": [ @@ -448,7 +436,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"CredChgInfo\" object=\"local1/None\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"service_name ['None' to 'XE'], host ['None' to 'my.db.hostname'], port ['None' to '1234']\"", "event": { "action": "CredChgInfo", - "kind": "event", "provider": "wabengine", "reason": "service_name ['None' to 'XE'], host ['None' to 'my.db.hostname'], port ['None' to '1234']", "type": [ @@ -488,7 +475,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"CredChgPolicy\" object=\"QA_PASSWORD_CHANGE_POLICY\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"pwdLength [8], specialChars [1], changePeriod []\"", "event": { "action": "CredChgPolicy", - "kind": "event", "provider": "wabengine", "reason": "pwdLength [8], specialChars [1], changePeriod []", "type": [ @@ -528,7 +514,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Globaldomain\" object=\"QA_DOMAIN_SIMPLE\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"cn [QA_DOMAIN_SIMPLE], name [QA_DOMAIN_SIMPLE]\"", "event": { "action": "Globaldomain", - "kind": "event", "provider": "wabengine", "reason": "cn [QA_DOMAIN_SIMPLE], name [QA_DOMAIN_SIMPLE]", "type": [ 
@@ -568,7 +553,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"LdapMapping\" object=\" in user_group_154954913825 GROUP\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"ldapGroup [OU=Group], domain [QA_DOMAIN_1], group [user_group_154954913825]\"", "event": { "action": "LdapMapping", - "kind": "event", "provider": "wabengine", "reason": "ldapGroup [OU=Group], domain [QA_DOMAIN_1], group [user_group_154954913825]", "type": [ @@ -608,7 +592,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Ldapdomain\" object=\"QA_DOMAIN_1\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"description [], ldapDomain [domain1.qa], defaultLanguage [en], defaultEmailDomain [wallix], groupAttribute [memberOf], snAttribute [displayName], emailAttribute [mail], languageAttribute [preferredLanguage], isDefaultDomain [True]\"", "event": { "action": "Ldapdomain", - "kind": "event", "provider": "wabengine", "reason": "description [], ldapDomain [domain1.qa], defaultLanguage [en], defaultEmailDomain [wallix], groupAttribute [memberOf], snAttribute [displayName], emailAttribute [mail], languageAttribute [preferredLanguage], isDefaultDomain [True]", "type": [ @@ -648,7 +631,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Localdomain\" object=\"local\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"cn [local], device [QA_DEVICE_SSH_SHELL_SESSION]\"", "event": { "action": "Localdomain", - "kind": "event", "provider": "wabengine", "reason": "cn [local], device [QA_DEVICE_SSH_SHELL_SESSION]", "type": [ 
@@ -688,7 +670,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Notification\" object=\"notification_154955208543\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"dest [qa-notify@wallix.com], flag [0], isNotificationEnable [True], type [EMAIL]\"", "event": { "action": "Notification", - "kind": "event", "provider": "wabengine", "reason": "dest [qa-notify@wallix.com], flag [0], isNotificationEnable [True], type [EMAIL]", "type": [ @@ -728,7 +709,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Period\" object=\"<2030-01-01 to 2099-12-31 , 00:00:00 to 23:59:00, 127>\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"startDate [2030-01-01], endDate [2099-12-31], startTime [00:00:00], endTime [23:59:00], weekmask [127]\"", "event": { "action": "Period", - "kind": "event", "provider": "wabengine", "reason": "startDate [2030-01-01], endDate [2099-12-31], startTime [00:00:00], endTime [23:59:00], weekmask [127]", "type": [ @@ -768,7 +748,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Profile\" object=\"QA_PROFILE_IP_FORBIDDEN\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"ip_limitation [1.1.1.1], habilitationFlag [1], groups_limitation [], groups_member []\"", "event": { "action": "Profile", - "kind": "event", "provider": "wabengine", "reason": "ip_limitation [1.1.1.1], habilitationFlag [1], groups_limitation [], groups_member []", "type": [ 
@@ -808,7 +787,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Restriction\" object=\" in GROUP QA_USER_GROUP_UNIX_KILL\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"action [kill], data [Kill.+Softly], groups [QA_USER_GROUP_UNIX_KILL], subprotocol [SSH_SHELL_SESSION]\"", "event": { "action": "Restriction", - "kind": "event", "provider": "wabengine", "reason": "action [kill], data [Kill.+Softly], groups [QA_USER_GROUP_UNIX_KILL], subprotocol [SSH_SHELL_SESSION]", "type": [ @@ -848,7 +826,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Service\" object=\"QA_DEVICE_SSH_SHELL_SESSION:SSH\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"protocol [SSH], port [22], subprotocols [SSH_SHELL_SESSION], connectionPolicy [SSH]\"", "event": { "action": "Service", - "kind": "event", "provider": "wabengine", "reason": "protocol [SSH], port [22], subprotocols [SSH_SHELL_SESSION], connectionPolicy [SSH]", "type": [ @@ -888,7 +865,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Targetgroup\" object=\"QA_DEVICE_GROUP_UNIX\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"Users [], Targets [__WIL__@am_il_domain@QA_DEVICE_TELNET:TELNET, __WAM__@am_il_domain@QA_DEVICE_SSH_SCP_DOWN:SSH, pubkey_account_without_password@local@QA_DEVICE_SSH_FORWARDING:SSH and 35 other(s)], Profiles_limit [], Timeframes [allthetime]\"", "event": { "action": "Targetgroup", - "kind": "event", "provider": "wabengine", "reason": "Users [], Targets [__WIL__@am_il_domain@QA_DEVICE_TELNET:TELNET, __WAM__@am_il_domain@QA_DEVICE_SSH_SCP_DOWN:SSH, pubkey_account_without_password@local@QA_DEVICE_SSH_FORWARDING:SSH and 35 other(s)], Profiles_limit [], Timeframes [allthetime]", "type": [ 
@@ -928,7 +904,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"TimeFrame\" object=\"timeframe_154954856399\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"description [], isOvertimable [False]\"", "event": { "action": "TimeFrame", - "kind": "event", "provider": "wabengine", "reason": "description [], isOvertimable [False]", "type": [ @@ -968,7 +943,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"User\" object=\"QA_USER_IP_FORBIDDEN\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"email [qa-notify@wallix.com], preferredLanguage [en], host [1.1.1.1], profile [user], groups [QA_USER_GROUP_UNIX], forceChangePwd [False], userPassword [********], userauths [local]\"", "event": { "action": "User", - "kind": "event", "provider": "wabengine", "reason": "email [qa-notify@wallix.com], preferredLanguage [en], host [1.1.1.1], profile [user], groups [QA_USER_GROUP_UNIX], forceChangePwd [False], userPassword [********], userauths [local]", "type": [ @@ -1008,7 +982,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"UserAuth\" object=\"QA_USER_AUTH_KERBEROS\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"wabAuthType [KERBEROS], description [], port [88], host [10.10.45.148], kerDomControler [QA.IFR.LAN]\"", "event": { "action": "UserAuth", - "kind": "event", "provider": "wabengine", "reason": "wabAuthType [KERBEROS], description [], port [88], host [10.10.45.148], kerDomControler [QA.IFR.LAN]", "type": [ 
@@ -1048,7 +1021,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Usergroup\" object=\"QA_USER_GROUP_UNIX\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"Users [], Profiles_limit [], Timeframes [allthetime]\"", "event": { "action": "Usergroup", - "kind": "event", "provider": "wabengine", "reason": "Users [], Profiles_limit [], Timeframes [allthetime]", "type": [ @@ -1088,7 +1060,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"X509 Parameters\" user=\"admin\" client_ip=\"192.168.0.12\" infos=\"CRL [url fetched hourly]\"", "event": { "action": "X509 Parameters", - "kind": "event", "provider": "wabengine", "reason": "CRL [url fetched hourly]", "type": [ @@ -1127,7 +1098,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Account\" object=\"account_with_approval@QA_DOMAIN_SIMPLE\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"name [account_with_approval], login [account_with_approval], autoChangePassword [True], autoChangeSSHKey [True], isExternalVault [False]\"", "event": { "action": "Account", - "kind": "event", "provider": "wabengine", "reason": "name [account_with_approval], login [account_with_approval], autoChangePassword [True], autoChangeSSHKey [True], isExternalVault [False]", "type": [ @@ -1167,7 +1137,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"list\" type=\"accountactivity\" object=\"168c1c48f141e911005056b60af6\" user=\"admin\" client_ip=\"10.10.43.84\" infos=", "event": { "action": "accountactivity", - "kind": "event", "provider": "wabengine", "type": [ "access" 
@@ -1206,7 +1175,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Apikey\" object=\"apikey_154954880399\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"cn [apikey_154954880399], apikey [********], ipLimitation []\"", "event": { "action": "Apikey", - "kind": "event", "provider": "wabengine", "reason": "cn [apikey_154954880399], apikey [********], ipLimitation []", "type": [ @@ -1246,7 +1214,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Application\" object=\"QA_APP_DUMMY\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"target [account@local@QA_DEVICE_DUMMY_WIN:RDP]\"", "event": { "action": "Application", - "kind": "event", "provider": "wabengine", "reason": "target [account@local@QA_DEVICE_DUMMY_WIN:RDP]", "type": [ @@ -1286,7 +1253,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Apppath\" object=\"account@local@QA_DEVICE_DUMMY_WIN:RDP[:]\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"program [C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe], workingdir [C:\\]\"", "event": { "action": "Apppath", - "kind": "event", "provider": "wabengine", "reason": "program [C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe], workingdir [C:\\]", "type": [ 
@@ -1326,7 +1292,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "[wabaudit] action=\"add\" type=\"Approval\" object=\"\\n\" user=\"user_154954851465\" client_ip=\"10.10.45.212\" infos=\"status [3], begin [2019-02-07 15:08:00], creation [2019-02-07 15:08:35.382824], duration [600], end [2019-02-07 15:18:00], username [user_154954851465], targetname [user_1@local@QA_DEVICE_WITH_APPROVAL_OPTIONAL_COMMENT_AND_TICKET:SSH], quorum [1], email [qa-notify@wallix.com], language [en]\"",
 "event": {
 "action": "Approval",
- "kind": "event",
 "provider": "wabengine",
 "reason": "status [3], begin [2019-02-07 15:08:00], creation [2019-02-07 15:08:35.382824], duration [600], end [2019-02-07 15:18:00], username [user_154954851465], targetname [user_1@local@QA_DEVICE_WITH_APPROVAL_OPTIONAL_COMMENT_AND_TICKET:SSH], quorum [1], email [qa-notify@wallix.com], language [en]",
 "type": [
@@ -1366,7 +1331,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Authorization\" object=\"QA_USER_GROUP_UNIX:QA_DEVICE_GROUP_UNIX\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"cn [unix_group], targetGroupIdentifier [QA_DEVICE_GROUP_UNIX], isRecorded [True], isCritical [False], userAccess [False], proxyAccess [True], subprotocols [SSH_SHELL_SESSION, SSH_REMOTE_COMMAND, SSH_SCP_UP and 7 other(s)], approvalRequired [False], hasComment [False], mandatoryComment [False], hasTicket [False], mandatoryTicket [False], activeQuorum [0], inactiveQuorum [0]\"", "event": { "action": "Authorization", - "kind": "event", "provider": "wabengine", "reason": "cn [unix_group], targetGroupIdentifier [QA_DEVICE_GROUP_UNIX], isRecorded [True], isCritical [False], userAccess [False], proxyAccess [True], subprotocols [SSH_SHELL_SESSION, SSH_REMOTE_COMMAND, SSH_SCP_UP and 7 other(s)], approvalRequired [False], hasComment [False], mandatoryComment [False], hasTicket [False], mandatoryTicket [False], activeQuorum [0], inactiveQuorum [0]", "type": [ @@ -1406,7 +1370,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"CheckoutPolicy\" object=\"QA_CHECKOUT_POLICY_LOCK\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"enableLock [True], duration [600], extension [0], maxDuration [600], checkinChange [0]\"", "event": { "action": "CheckoutPolicy", - "kind": "event", "provider": "wabengine", "reason": "enableLock [True], duration [600], extension [0], maxDuration [600], checkinChange [0]", "type": [ 
@@ -1446,7 +1409,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Cluster\" object=\"cluster_154954837225\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"member_targets [account_154954837122@local1@device_154954837021:rdp, account_154954837224@local1@device_154954837123:rdp]\"", "event": { "action": "Cluster", - "kind": "event", "provider": "wabengine", "reason": "member_targets [account_154954837122@local1@device_154954837021:rdp, account_154954837224@local1@device_154954837123:rdp]", "type": [ @@ -1486,7 +1448,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Device\" object=\"QA_DEVICE_SSH_SHELL_SESSION\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"Host [10.10.45.148], Alias [QA_DEVICE_SSH_SHELL_SESSION_ALIAS]\"", "event": { "action": "Device", - "kind": "event", "provider": "wabengine", "reason": "Host [10.10.45.148], Alias [QA_DEVICE_SSH_SHELL_SESSION_ALIAS]", "type": [ @@ -1529,7 +1490,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "database" ], - "kind": "event", "provider": "wabengine", "reason": "Backup ['wab-6.0-cspn_2019-02-04_16-59-11.wbk' saved]" }, @@ -1565,7 +1525,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"delete\" type=\"ConnectionPolicy\" object=\"connection_policy_154954884812\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", "event": { "action": "ConnectionPolicy", - "kind": "event", "provider": "wabengine", "type": [ "deletion" @@ -1604,7 +1563,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"delete\" type=\"CredChgInfo\" object=\"\\n\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", "event": { "action": "CredChgInfo", - "kind": "event", "provider": "wabengine", "type": [ "deletion" 
@@ -1643,7 +1601,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"delete\" type=\"CredChgPolicy\" object=\"password_change_policy_name_154954918141\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", "event": { "action": "CredChgPolicy", - "kind": "event", "provider": "wabengine", "type": [ "deletion" @@ -1682,7 +1639,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"delete\" type=\"Globaldomain\" object=\"global_domain_154954904181\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", "event": { "action": "Globaldomain", - "kind": "event", "provider": "wabengine", "type": [ "deletion" @@ -1721,7 +1677,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"delete\" type=\"LdapMapping\" object=\" in user_group_154954913825 GROUP\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", "event": { "action": "LdapMapping", - "kind": "event", "provider": "wabengine", "type": [ "deletion" @@ -1760,7 +1715,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"delete\" type=\"Ldapdomain\" object=\"domain_154955334782\" user=\"admin\" client_ip=\"192.168.122.1\" infos=\"\"", "event": { "action": "Ldapdomain", - "kind": "event", "provider": "wabengine", "type": [ "deletion" @@ -1799,7 +1753,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"delete\" type=\"Localdomain\" object=\"local1\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", "event": { "action": "Localdomain", - "kind": "event", "provider": "wabengine", "type": [ "deletion" 
@@ -1838,7 +1791,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"delete\" type=\"Notification\" object=\"notification_154955204621\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", "event": { "action": "Notification", - "kind": "event", "provider": "wabengine", "type": [ "deletion" @@ -1877,7 +1829,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"delete\" type=\"Period\" object=\"<2010-01-01 to 2020-01-01 , 09:30:00 to 18:30:00, 124>\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", "event": { "action": "Period", - "kind": "event", "provider": "wabengine", "type": [ "deletion" @@ -1916,7 +1867,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"delete\" type=\"Profile\" object=\"profile_154954924847\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", "event": { "action": "Profile", - "kind": "event", "provider": "wabengine", "type": [ "deletion" @@ -1955,7 +1905,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"delete\" type=\"Service\" object=\"device_154954928856:ssh\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", "event": { "action": "Service", - "kind": "event", "provider": "wabengine", "type": [ "deletion" @@ -1994,7 +1943,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"delete\" type=\"Targetgroup\" object=\"target_group_154954938767\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", "event": { "action": "Targetgroup", - "kind": "event", "provider": "wabengine", "type": [ "deletion" 
@@ -2033,7 +1981,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"delete\" type=\"TimeFrame\" object=\"timeframe_154954953374\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", "event": { "action": "TimeFrame", - "kind": "event", "provider": "wabengine", "type": [ "deletion" @@ -2072,7 +2019,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"delete\" type=\"User\" object=\"UNKNOWN_USER\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", "event": { "action": "User", - "kind": "event", "provider": "wabengine", "type": [ "deletion" @@ -2111,7 +2057,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"delete\" type=\"UserAuth\" object=\"auth_LDAP_154955198487\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", "event": { "action": "UserAuth", - "kind": "event", "provider": "wabengine", "type": [ "deletion" @@ -2150,7 +2095,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"delete\" type=\"Usergroup\" object=\"user_group_154954962345\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", "event": { "action": "Usergroup", - "kind": "event", "provider": "wabengine", "type": [ "deletion" @@ -2189,7 +2133,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"delete\" type=\"X509 Parameters\" user=\"admin\" client_ip=\"192.168.0.12\" infos=\"CRL [deleted]\"", "event": { "action": "X509 Parameters", - "kind": "event", "provider": "wabengine", "reason": "CRL [deleted]", "type": [ 
@@ -2228,7 +2171,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"delete\" type=\"Account\" object=\"account_154954844398@local1@application_154954844399\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", "event": { "action": "Account", - "kind": "event", "provider": "wabengine", "type": [ "deletion" @@ -2267,7 +2209,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"delete\" type=\"Apikey\" object=\"apikey_154954882800\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", "event": { "action": "Apikey", - "kind": "event", "provider": "wabengine", "type": [ "deletion" @@ -2306,7 +2247,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"delete\" type=\"Application\" object=\"application_154954836612\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", "event": { "action": "Application", - "kind": "event", "provider": "wabengine", "type": [ "deletion" @@ -2345,7 +2285,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"delete\" type=\"Apppath\" object=\"account_154954841440@local1@device_154954841439:rdp[:]\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", "event": { "action": "Apppath", - "kind": "event", "provider": "wabengine", "type": [ "deletion" @@ -2384,7 +2323,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"delete\" type=\"Approval\" object=\"\\n\" user=\"OPERATOR\" client_ip=\"127.0.0.1\" infos=\"\"", "event": { "action": "Approval", - "kind": "event", "provider": "wabengine", "type": [ "deletion" 
@@ -2423,7 +2361,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"delete\" type=\"Authorization\" object=\"user_group_154954865272:target_group_154954865373\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", "event": { "action": "Authorization", - "kind": "event", "provider": "wabengine", "type": [ "deletion" @@ -2462,7 +2399,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"delete\" type=\"CheckoutPolicy\" object=\"checkout_policy_154954874456\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", "event": { "action": "CheckoutPolicy", - "kind": "event", "provider": "wabengine", "type": [ "deletion" @@ -2501,7 +2437,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"delete\" type=\"Cluster\" object=\"cluster_154954875802\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", "event": { "action": "Cluster", - "kind": "event", "provider": "wabengine", "type": [ "deletion" @@ -2540,7 +2475,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"add\" type=\"Device\" object=\"QA_DEVICE_SSH_SHELL_SESSION\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"Host [10.10.45.148], Alias [QA_DEVICE_SSH_SHELL_SESSION_ALIAS]\"", "event": { "action": "Device", - "kind": "event", "provider": "wabengine", "reason": "Host [10.10.45.148], Alias [QA_DEVICE_SSH_SHELL_SESSION_ALIAS]", "type": [ @@ -2583,7 +2517,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "database" ], - "kind": "event", "provider": "wabengine", "reason": "Backup ['wab-6.0-cspn_2019-02-04_16-59-11.wbk' downloaded]" }, 
@@ -2619,7 +2552,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"ConnectionPolicy\" object=\"SSH\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"methods [Add < PASSWORD_VAULT, PUBKEY_VAULT, PASSWORD_INTERACTIVE and 1 other(s) >, Remove < PUBKEY_VAULT, PASSWORD_MAPPING, PASSWORD_VAULT and 1 other(s) >], Data [session[allow_multi_channels]: 'False' => 'on']\"", "event": { "action": "ConnectionPolicy", - "kind": "event", "provider": "wabengine", "reason": "methods [Add < PASSWORD_VAULT, PUBKEY_VAULT, PASSWORD_INTERACTIVE and 1 other(s) >, Remove < PUBKEY_VAULT, PASSWORD_MAPPING, PASSWORD_VAULT and 1 other(s) >], Data [session[allow_multi_channels]: 'False' => 'on']", "type": [ @@ -2659,7 +2591,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"CredChgInfo\" object=\"local1/None\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", "event": { "action": "CredChgInfo", - "kind": "event", "provider": "wabengine", "type": [ "change" @@ -2698,7 +2629,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"CredChgPolicy\" object=\"password_change_policy_name_154954918865\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", "event": { "action": "CredChgPolicy", - "kind": "event", "provider": "wabengine", "type": [ "change" 
@@ -2737,7 +2667,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"Globaldomain\" object=\"global_domain_154954904486\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"credchgplugin ['None' to 'Windows'], credchgpolicy ['None' to 'default'], adminAccount ['None' to 'account_154954904487...']\"", "event": { "action": "Globaldomain", - "kind": "event", "provider": "wabengine", "reason": "credchgplugin ['None' to 'Windows'], credchgpolicy ['None' to 'default'], adminAccount ['None' to 'account_154954904487...']", "type": [ @@ -2777,7 +2706,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"Ldapdomain\" object=\"domain_154955334798\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"description ['some description' to 'updated'], snAttribute ['' to 'updated']\"", "event": { "action": "Ldapdomain", - "kind": "event", "provider": "wabengine", "reason": "description ['some description' to 'updated'], snAttribute ['' to 'updated']", "type": [ @@ -2817,7 +2745,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"Localdomain\" object=\"local1\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"adminAccount ['None' to 'account_154954837938...']\"", "event": { "action": "Localdomain", - "kind": "event", "provider": "wabengine", "reason": "adminAccount ['None' to 'account_154954837938...']", "type": [ @@ -2857,7 +2784,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"Notification\" object=\"notification_154955216694\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"flag ['16' to '0']\"", "event": { "action": "Notification", - "kind": "event", "provider": "wabengine", "reason": "flag ['16' to '0']", "type": [ 
@@ -2897,7 +2823,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"Profile\" object=\"profile_154954927022\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", "event": { "action": "Profile", - "kind": "event", "provider": "wabengine", "type": [ "change" @@ -2936,7 +2861,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"PwdPolicy\" object=\"default\" user=\"admin\" client_ip=\"10.10.45.212\" infos=\"pwdMinLowerLetter ['1' to '0'], rsaMinLength ['4096' to '1024']\"", "event": { "action": "PwdPolicy", - "kind": "event", "provider": "wabengine", "reason": "pwdMinLowerLetter ['1' to '0'], rsaMinLength ['4096' to '1024']", "type": [ @@ -2976,7 +2900,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"Recording Options\" user=\"admin\" client_ip=\"10.10.43.28\" infos=\"Recording Options ['No encryption, with checksum' to 'No encryption, no checksum']\"", "event": { "action": "Recording Options", - "kind": "event", "provider": "wabengine", "reason": "Recording Options ['No encryption, with checksum' to 'No encryption, no checksum']", "type": [ @@ -3015,7 +2938,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"Service\" object=\"device_154954931097:ssh\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", "event": { "action": "Service", - "kind": "event", "provider": "wabengine", "type": [ "change" 
@@ -3054,7 +2976,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"Targetgroup\" object=\"target_group_154954945465\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"Description ['some desc' to 'some other desc']\"", "event": { "action": "Targetgroup", - "kind": "event", "provider": "wabengine", "reason": "Description ['some desc' to 'some other desc']", "type": [ @@ -3094,7 +3015,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"TimeFrame\" object=\"timeframe_154954954305\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", "event": { "action": "TimeFrame", - "kind": "event", "provider": "wabengine", "type": [ "change" @@ -3133,7 +3053,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"User\" object=\"user_154954924239\" user=\"user_154954924239\" client_ip=\"10.10.45.212\" infos=\"email ['qa-notify@wallix.com...' to 'qa-notify+1@wallix.c...']\"", "event": { "action": "User", - "kind": "event", "provider": "wabengine", "reason": "email ['qa-notify@wallix.com...' to 'qa-notify+1@wallix.c...']", "type": [ @@ -3173,7 +3092,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"UserAuth\" object=\"auth_LDAP_154955202505\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"description ['None' to 'updated while used b...']\"", "event": { "action": "UserAuth", - "kind": "event", "provider": "wabengine", "reason": "description ['None' to 'updated while used b...']", "type": [ 
@@ -3213,7 +3131,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"Usergroup\" object=\"user_group_154954965326\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"Description ['some desc' to 'some other desc']\"", "event": { "action": "Usergroup", - "kind": "event", "provider": "wabengine", "reason": "Description ['some desc' to 'some other desc']", "type": [ @@ -3253,7 +3170,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"X509 Parameters\" user=\"admin\" client_ip=\"192.168.0.12\" infos=\"CRL [file updated]\"", "event": { "action": "X509 Parameters", - "kind": "event", "provider": "wabengine", "reason": "CRL [file updated]", "type": [ @@ -3292,7 +3208,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"Account\" object=\"account_154954837938@local1@application_154954837837\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", "event": { "action": "Account", - "kind": "event", "provider": "wabengine", "type": [ "change" @@ -3331,7 +3246,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"Application\" object=\"application_154954842057\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", "event": { "action": "Application", - "kind": "event", "provider": "wabengine", "type": [ "change" @@ -3370,7 +3284,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"Approval\" object=\"\\n\" user=\"QA_USER_APPROVER_1\" client_ip=\"10.10.45.212\" infos=\"status ['3' to '1']\"", "event": { "action": "Approval", - "kind": "event", "provider": "wabengine", "reason": "status ['3' to '1']", "type": [ 
@@ -3410,7 +3323,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"Authorization\" object=\"user_group_154954869778:target_group_154954869779\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", "event": { "action": "Authorization", - "kind": "event", "provider": "wabengine", "type": [ "change" @@ -3449,7 +3361,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"CheckoutPolicy\" object=\"checkout_policy_154954875282\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", "event": { "action": "CheckoutPolicy", - "kind": "event", "provider": "wabengine", "type": [ "change" @@ -3488,7 +3399,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"Cluster\" object=\"cluster_154954878267\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", "event": { "action": "Cluster", - "kind": "event", "provider": "wabengine", "type": [ "change" @@ -3527,7 +3437,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"edit\" type=\"Device\" object=\"device_154954892089\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", "event": { "action": "Device", - "kind": "event", "provider": "wabengine", "type": [ "change" @@ -3566,7 +3475,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"list\" type=\"accountactivity\" object=\"168c1c48f141e911005056b60af6\" user=\"admin\" client_ip=\"10.10.43.84\" infos=\"\"", "event": { "action": "accountactivity", - "kind": "event", "provider": "wabengine", "type": [ "access" 
@@ -3605,7 +3513,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"list\" type=\"Approval\" user=\"QA_ADMIN\" client_ip=\"10.10.45.212\" infos=\"\"", "event": { "action": "Approval", - "kind": "event", "provider": "wabengine", "type": [ "access" @@ -3646,7 +3553,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "provider": "wabengine", "reason": "Current sessions", "type": [ @@ -3688,7 +3594,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "database" ], - "kind": "event", "provider": "wabengine", "reason": "Backup ['wab-6.0-cspn_2019-02-04_16-59-11.wbk' restored]" }, @@ -3724,7 +3629,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "[wabaudit] action=\"list\" type=\"Approvals\" user=\"OPERATOR\" client_ip=\"127.0.0.1\" infos=\"\"\n", "event": { "action": "Approvals", - "kind": "event", "provider": "wabengine", "type": [ "access" @@ -3764,7 +3668,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "reason": "diagnostic [Authentication success: identified with local(LOCAL), authentified with: API key Bastion(APIKEY).]" }, "related": { @@ -3800,7 +3703,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "reason": "\"diagnostic [Authentication failed]", "type": [ "denied" @@ -3840,7 +3742,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "provider": "wabengine", "reason": "Closed sessions, Sessionlogs newly terminated", "type": [ 
@@ -3881,7 +3782,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "reason": "\"diagnostic [Authentication failed]", "type": [ "denied" @@ -3921,7 +3821,6 @@ The following table lists the fields that are extracted, normalized under the EC | ---- | ---- | ---------------------------| |`destination.ip` | `ip` | IP address of the destination. | |`event.action` | `keyword` | The action captured by the event. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.provider` | `keyword` | Source of the event. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | diff --git a/_shared_content/operations_center/integrations/generated/6dbdd199-77ae-4705-a5de-5c2722fa020e.md b/_shared_content/operations_center/integrations/generated/6dbdd199-77ae-4705-a5de-5c2722fa020e.md index ef170cc856..60d59decd0 100644 --- a/_shared_content/operations_center/integrations/generated/6dbdd199-77ae-4705-a5de-5c2722fa020e.md +++ b/_shared_content/operations_center/integrations/generated/6dbdd199-77ae-4705-a5de-5c2722fa020e.md @@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `alert`, `event` | +| Kind | `alert` | | Category | `threat`, `web` | | Type | `access`, `indicator` | @@ -39,7 +39,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "web" ], "dataset": "ubika-waf", - "kind": "event", "module": "ubika.waf", "type": [ "access" @@ -111,7 +110,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "web" ], "dataset": "ubika-waf", - "kind": "event", "module": "ubika.waf", "type": [ "access" 
@@ -171,6 +169,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023-05-23T14:24:09.190263+02:00 waf01.example.org - - - - {\"logAlertUid\":\"2576cdd6c17d441234567891234\",\"@timestamp\":\"1688012345678\",\"timestamp\":\"1688012345678\",\"request\":{\"body\":\"\",\"cookies\":[],\"headers\":[{\"key\":\"Host\",\"value\":\"monespacetest.com\"},{\"key\":\"Connection\",\"value\":\"Keep-Alive\"},{\"key\":\"User-Agent\",\"value\":\"ContentSquare Static Resource Scraper\"},{\"key\":\"Accept-Encoding\",\"value\":\"gzip,deflate\"},{\"key\":\"X-Forwarded-For\",\"value\":\"1.2.3.4\"}],\"hostname\":\"monespacetest.com\",\"ipDst\":\"1.2.3.4\",\"ipSrc\":\"1.2.3.4\",\"method\":\"GET\",\"path\":\"/redirect\",\"portDst\":443,\"protocol\":\"HTTP/1.1\",\"query\":\"token=123456789123456789\",\"requestUid\":\"ZJ1EyTzEESxHZlPdslM1MgAAAQw\"},\"context\":{\"tags\":\"\",\"applianceName\":\"zzzzz.test\",\"applianceUid\":\"bde804caa644121234567891234567\",\"backendHost\":\"monespacetest.com\",\"backendPort\":443,\"reverseProxyName\":\"Rp-test-02\",\"reverseProxyUid\":\"61d95350a8f99874123456789\",\"tunnelName\":\"NEC PROD v10 #1\",\"tunnelUid\":\"317a891996f275b12345678912345\",\"workflowName\":\"Workflow - NEC PROD v10 - with Bot Migitation and Rate Limiter\",\"workflowUid\":\"f00058d7c75c34e123456789987654\"},\"events\":[{\"eventUid\":\"fe767ff2e8574789941b998e6\",\"tokens\":{\"date\":14012345678999,\"eventType\":\"bot mitigation\",\"engineUid\":\"botMitigation\",\"engineName\":\"Bot Mitigation\",\"attackFamily\":\"Bots and Web Scraping\",\"riskLevel\":27,\"riskLevelOWASP\":2.7,\"cwe\":\"CWE-799\",\"severity\":5,\"resolveType\":\"Default Resolve\",\"part\":\"No Part\",\"reason\":\"Basic bot detected\",\"botMitigationDetails\":\"Client does not follow HTTP redirect or uses 
cookies\",\"botMitigationRuleName\":\"\",\"botMitigationRuleUid\":\"\",\"botMitigationRuleSource\":\"\",\"botMitigationRuleExpirationDate\":\"\",\"botMitigationChallenge\":\"challengeBasic\",\"botMitigationClientFingerprint\":\"\",\"botMitigationClientUseragent\":\"ContentSquare Static Resource Scraper\",\"botMitigationNewRule\":\"false\",\"botMitigationConfigurationUid\":\"43333333333333333333\",\"botMitigationConfigurationName\":\"PREVOIR Bot mitigation Configuration\"}}]}", "event": { + "action": "block", "category": [ "threat" ], @@ -178,16 +177,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "kind": "alert", "module": "ubika.waf", "provider": "Bot Mitigation", + "severity": 5, "type": [ "indicator" - ], - "action": "block", - "severity": 5 - }, - "observer": { - "name": "waf01.example.org", - "product": "Ubika WAAP", - "vendor": "Ubika" + ] }, "@timestamp": "2023-06-29T04:19:05.678000Z", "destination": { @@ -203,6 +196,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "method": "GET" } }, + "observer": { + "name": "waf01.example.org", + "product": "Ubika WAAP", + "vendor": "Ubika" + }, "related": { "hosts": [ "monespacetest.com" @@ -225,6 +223,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "ubika": { "waap": { + "tokens": { + "risk": { + "level": "27" + } + }, "tunnel": { "name": "NEC PROD v10 #1", "uuid": "317a891996f275b12345678912345" @@ -232,11 +235,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "workflow": { "name": "Workflow - NEC PROD v10 - with Bot Migitation and Rate Limiter", "uuid": "f00058d7c75c34e123456789987654" - }, - "tokens": { - "risk": { - "level": "27" - } } } }, 
@@ -272,6 +270,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023-05-23T14:24:09.190263+02:00 waf01.example.org - - - - {\"logAlertUid\":\"ddf61af5388949b486059409e9a10d23\",\"@timestamp\":\"1570176199762\",\"timestamp\":\"1570176199762\",\"request\":{\"body\":\"\",\"cookies\":[],\"headers\":[{\"key\":\"Host\",\"value\":\"example.org\"},{\"key\":\"User-Agent\",\"value\":\"ApacheBench/2.3\"},{\"key\":\"Accept\",\"value\":\"*/*\"}],\"hostname\":\"example.org\",\"ipDst\":\"5.6.7.8\",\"ipSrc\":\"1.2.3.4\",\"method\":\"GET\",\"path\":\"/\",\"portDst\":80,\"protocol\":\"HTTP/1.0\",\"query\":\"\",\"requestUid\":\"e380e3bef3814649aebc50e940c8bf98\"},\"context\":{\"tags\":\"\",\"applianceName\":\"Management\",\"applianceUid\":\"481294d4fdefdb1bcbfcedac6f5e2777\",\"backendHost\":\"5.6.7.8\",\"backendPort\":80,\"reverseProxyName\":\"RP1\",\"reverseProxyUid\":\"79473e608a1cbccc06a86a0a6484a2f7\",\"tunnelName\":\"Tunnel1\",\"tunnelUid\":\"28ebc9deec52dd1b3a5c51eaf52b0606\",\"workflowName\":\"WF - Bot Mitigation\",\"workflowUid\":\"8c73e669cea1a99016ccacb21eccfa69\"},\"events\":[{\"eventUid\":\"3ce7643dbe52433bb481ff8a401c6301\",\"tokens\":{\"date\":140422462751864,\"eventType\":\"bot mitigation\",\"engineUid\":\"botMitigation\",\"engineName\":\"Bot Mitigation\",\"attackFamily\":\"Bots and Web Scraping\",\"riskLevel\":27,\"riskLevelOWASP\":2.7,\"cwe\":\"CWE-799\",\"severity\":5,\"resolveType\":\"Default Resolve\",\"part\":\"No Part\",\"reason\":\"Basic bot detected\",\"botMitigationDetails\":\"Client does not follow HTTP redirect or uses 
cookies\",\"botMitigationRuleName\":\"\",\"botMitigationRuleUid\":\"\",\"botMitigationRuleSource\":\"\",\"botMitigationRuleExpirationDate\":\"\",\"botMitigationChallenge\":\"challengeBasic\",\"botMitigationClientFingerprint\":\"\",\"botMitigationClientUseragent\":\"ApacheBench/2.3\",\"botMitigationNewRule\":\"false\",\"botMitigationConfigurationUid\":\"0d990aa0b2f5265ad8ea74cc0e3e09f7\",\"botMitigationConfigurationName\":\"BM_conf\"}}]}", "event": { + "action": "block", "category": [ "threat" ], @@ -279,16 +278,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "kind": "alert", "module": "ubika.waf", "provider": "Bot Mitigation", + "severity": 5, "type": [ "indicator" - ], - "action": "block", - "severity": 5 - }, - "observer": { - "name": "waf01.example.org", - "product": "Ubika WAAP", - "vendor": "Ubika" + ] }, "@timestamp": "2019-10-04T08:03:19.762000Z", "destination": { @@ -304,6 +297,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "method": "GET" } }, + "observer": { + "name": "waf01.example.org", + "product": "Ubika WAAP", + "vendor": "Ubika" + }, "related": { "hosts": [ "example.org" @@ -327,6 +325,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "ubika": { "waap": { + "tokens": { + "risk": { + "level": "27" + } + }, "tunnel": { "name": "Tunnel1", "uuid": "28ebc9deec52dd1b3a5c51eaf52b0606" @@ -334,11 +337,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "workflow": { "name": "WF - Bot Mitigation", "uuid": "8c73e669cea1a99016ccacb21eccfa69" - }, - "tokens": { - "risk": { - "level": "27" - } } } }, 
@@ -373,6 +371,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"logAlertUid\":\"ad97ec2b41c342ebbb1fec1fc283fff3\",\"@timestamp\":\"1527241410891\",\"timestamp\":\"1527241410891\",\"_type_\":\"Controller_Business_Log_SecurityLog\",\"request\":{\"body\":\"\",\"cookies\":[],\"headers\":[{\"key\":\"Connection\",\"value\":\"Keep-Alive\"},{\"key\":\"Host\",\"value\":\"example.org\"},{\"key\":\"User-Agent\",\"value\":\"ApacheBench/2.3\"},{\"key\":\"Accept\",\"value\":\"*/*\"}],\"hostname\":\"example.org\",\"ipDst\":\"5.6.7.8\",\"ipSrc\":\"1.2.3.4\",\"method\":\"GET\",\"path\":\"/afs/login\",\"portDst\":80,\"protocol\":\"HTTP/1.0\",\"query\":\"username=test&passwd=*****\",\"requestUid\":\"4d2fc15b25494ae5bb6de1fae7800601\"},\"context\":{\"tags\":\"\",\"applianceName\":\"Management\",\"applianceUid\":\"d1ecdf0f3ad7a64279b9e01f08c1f642\",\"backendHost\":\"5.6.7.8\",\"backendPort\":8000,\"reverseProxyName\":\"RP1\",\"reverseProxyUid\":\"ce4770e1d581d92f1344b8b1ac41e8de\",\"tunnelName\":\"tunnel1\",\"tunnelUid\":\"a4ae3647b1e7e868b2d0e6ff47b02fd1\",\"workflowName\":\"WF - All logs\",\"workflowUid\":\"x256f94d50d6d66f9732e0ab8532d154\"},\"events\":[{\"eventUid\":\"15546f6e600011e8a3b819267d550fc8\",\"tokens\":{\"date\":1527241410891973,\"eventType\":\"security\",\"engineUid\":\"icxEngine\",\"engineName\":\"ICX Engine\",\"attackFamily\":\"SQL Injection\",\"riskLevel\":80,\"riskLevelOWASP\":8,\"cwe\":\"CWE-89\",\"severity\":5,\"resolveType\":\"Default Resolve\",\"part\":\"Multiple\",\"icxPolicyName\":\"Default policy\",\"icxPolicyUid\":\"fbfb5aec58e3ff3bea900f646351cc30\",\"icxRuleName\":\"SQL Injection\",\"icxRuleUid\":\"eeeea8b382ef38e44f0b620c39adbbba\",\"matchingParts\":[{\"part\":\"Var_GET\",\"partKey\":\"passwd\",\"partKeyOperator\":\"regexp\",\"partKeyPattern\":\".*\",\"partKeyMatch\":\"passwd\",\"partValue\":\"1' or 1=1 
--\",\"partValueOperator\":\"pattern\",\"partValuePatternUid\":\"SqlInjectionProprietaryPattern_00359\",\"partValuePatternName\":\"SQL Injection\",\"partValuePatternVersion\":\"00359\",\"partValueMatch\":\"' or 1=1 --\",\"attackFamily\":\"SQL Injection\",\"riskLevel\":80,\"riskLevelOWASP\":8,\"cwe\":\"CWE-89\"}],\"reason\":\"ICX Engine: SQL Injection in Var_GET 'passwd'\",\"securityExceptionConfigurationUids\":[\"xd298902fbf8340e241f195fe81e7511\"]}}]}", "event": { + "action": "block", "category": [ "threat" ], @@ -380,15 +379,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "kind": "alert", "module": "ubika.waf", "provider": "ICX Engine", + "severity": 5, "type": [ "indicator" - ], - "action": "block", - "severity": 5 - }, - "observer": { - "product": "Ubika WAAP", - "vendor": "Ubika" + ] }, "@timestamp": "2018-05-25T09:43:30.891000Z", "destination": { @@ -404,6 +398,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "method": "GET" } }, + "observer": { + "product": "Ubika WAAP", + "vendor": "Ubika" + }, "related": { "hosts": [ "example.org" @@ -429,6 +427,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "ubika": { "waap": { + "tokens": { + "risk": { + "level": "80" + } + }, "tunnel": { "name": "tunnel1", "uuid": "a4ae3647b1e7e868b2d0e6ff47b02fd1" @@ -436,11 +439,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "workflow": { "name": "WF - All logs", "uuid": "x256f94d50d6d66f9732e0ab8532d154" - }, - "tokens": { - "risk": { - "level": "80" - } } } }, 
@@ -476,6 +474,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"logAlertUid\":\"ad97ec2b41c342ebbb1fec1fc283fff3\",\"@timestamp\":\"1527241410891\",\"timestamp\":\"1527241410891\",\"_type_\":\"Controller_Business_Log_SecurityLog\",\"request\":{\"body\":\"\",\"cookies\":[],\"headers\":[{\"key\":\"Connection\",\"value\":\"Keep-Alive\"},{\"key\":\"Host\",\"value\":\"example.org\"},{\"key\":\"User-Agent\",\"value\":\"ApacheBench/2.3\"},{\"key\":\"Accept\",\"value\":\"*/*\"}],\"hostname\":\"example.org\",\"ipDst\":\"5.6.7.8\",\"ipSrc\":\"1.2.3.4\",\"method\":\"GET\",\"path\":\"/afs/login\",\"portDst\":80,\"protocol\":\"HTTP/1.0\",\"query\":\"username=test&passwd=*****\",\"requestUid\":\"4d2fc15b25494ae5bb6de1fae7800601\"},\"context\":{\"tags\":\"\",\"applianceName\":\"Management\",\"applianceUid\":\"d1ecdf0f3ad7a64279b9e01f08c1f642\",\"backendHost\":\"5.6.7.8\",\"backendPort\":8000,\"reverseProxyName\":\"RP1\",\"reverseProxyUid\":\"ce4770e1d581d92f1344b8b1ac41e8de\",\"tunnelName\":\"tunnel1\",\"tunnelUid\":\"a4ae3647b1e7e868b2d0e6ff47b02fd1\",\"workflowName\":\"WF - All logs\",\"workflowUid\":\"x256f94d50d6d66f9732e0ab8532d154\"},\"events\":[{\"eventUid\":\"15546f6e600011e8a3b819267d550fc8\",\"tokens\":{\"date\":1527241410891973,\"eventType\":\"security\",\"engineUid\":\"icxEngine\",\"engineName\":\"ICX Engine\",\"attackFamily\":\"SQL Injection\",\"riskLevel\":80,\"riskLevelOWASP\":8,\"cwe\":\"CWE-89\",\"severity\":5,\"resolveType\":\"Default Resolve\",\"part\":\"Multiple\",\"icxPolicyName\":\"Default policy\",\"icxPolicyUid\":\"fbfb5aec58e3ff3bea900f646351cc30\",\"icxRuleName\":\"SQL Injection\",\"icxRuleUid\":\"eeeea8b382ef38e44f0b620c39adbbba\",\"matchingParts\":[{\"part\":\"Var_GET\",\"partKey\":\"passwd\",\"partKeyOperator\":\"regexp\",\"partKeyPattern\":\".*\",\"partKeyMatch\":\"passwd\",\"partValue\":\"1' or 1=1 
--\",\"partValueOperator\":\"pattern\",\"partValuePatternUid\":\"SqlInjectionProprietaryPattern_00359\",\"partValuePatternName\":\"SQL Injection\",\"partValuePatternVersion\":\"00359\",\"partValueMatch\":\"' or 1=1 --\",\"attackFamily\":\"SQL Injection\",\"riskLevel\":80,\"riskLevelOWASP\":8,\"cwe\":\"CWE-89\"}],\"reason\":\"ICX Engine: SQL Injection in Var_GET 'passwd'\",\"securityExceptionConfigurationUids\":[\"xd298902fbf8340e241f195fe81e7511\"]}}]}", "event": { + "action": "block", "category": [ "threat" ], @@ -483,15 +482,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "kind": "alert", "module": "ubika.waf", "provider": "ICX Engine", + "severity": 5, "type": [ "indicator" - ], - "action": "block", - "severity": 5 - }, - "observer": { - "product": "Ubika WAAP", - "vendor": "Ubika" + ] }, "@timestamp": "2018-05-25T09:43:30.891000Z", "destination": { @@ -507,6 +501,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "method": "GET" } }, + "observer": { + "product": "Ubika WAAP", + "vendor": "Ubika" + }, "related": { "hosts": [ "example.org" @@ -532,6 +530,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "ubika": { "waap": { + "tokens": { + "risk": { + "level": "80" + } + }, "tunnel": { "name": "tunnel1", "uuid": "a4ae3647b1e7e868b2d0e6ff47b02fd1" @@ -539,11 +542,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "workflow": { "name": "WF - All logs", "uuid": "x256f94d50d6d66f9732e0ab8532d154" - }, - "tokens": { - "risk": { - "level": "80" - } } } }, 
@@ -579,6 +577,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "2023-05-23T14:24:09.190263+02:00 waf01.example.org - - - - {\"logAlertUid\":\"fe79950502024cf1951504b01b28cb60\",\"@timestamp\":\"1570179501178\",\"timestamp\":\"1570179501178\",\"request\":{\"headers\":[{\"key\":\"Host\",\"value\":\"example.org\"},{\"key\":\"User-Agent\",\"value\":\"Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0\"},{\"key\":\"Accept\",\"value\":\"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\"},{\"key\":\"Accept-Language\",\"value\":\"en-US,en;q=0.5\"},{\"key\":\"Accept-Encoding\",\"value\":\"gzip, deflate\"},{\"key\":\"Content-Type\",\"value\":\"application/x-www-form-urlencoded\"},{\"key\":\"Content-Length\",\"value\":\"45\"},{\"key\":\"Connection\",\"value\":\"keep-alive\"},{\"key\":\"Referer\",\"value\":\"http://example.org/auth/login\"},{\"key\":\"Upgrade-Insecure-Requests\",\"value\":\"1\"}],\"hostname\":\"example.org\",\"ipSrc\":\"1.2.3.4\",\"method\":\"POST\",\"path\":\"/auth/authentication\",\"query\":\"username=test&context=111111111\",\"requestUid\":\"6bf5057e1ad64b1c99ee6ad8c21f098e\"},\"context\":{\"applianceName\":\"Management\",\"applianceUid\":\"481294d4fdefdb1bcbfcedac6f5e2777\",\"backendHost\":\"5.6.7.8\",\"backendPort\":80,\"reverseProxyName\":\"RP1\",\"reverseProxyUid\":\"79473e608a1cbccc06a86a0a6484a2f7\",\"tunnelName\":\"Tunnel1\",\"tunnelUid\":\"28ebc9deec52dd1b3a5c51eaf52b0606\",\"workflowName\":\"WF - WAM\",\"workflowUid\":\"061b2aaca542ad07e9873fcb6f3e2a85\"},\"events\":[{\"eventUid\":\"90e826d3889443b286ab4fdd4854d379\",\"eventType\":1,\"eventDetails\":\"Perimeter authentication failed\",\"userId\":\"user1\",\"sessionId\":\"5jfh2myazzq6l6gjmz9qtabw4e\",\"resource\":\"Perim1\",\"ticketId\":\"\",\"logindate\":1570179496322223,\"expiredate\":1570183101178725}]}", "event": { + "action": "block", "category": [ "threat" ], 
@@ -587,13 +586,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "module": "ubika.waf", "type": [ "indicator" - ], - "action": "block" - }, - "observer": { - "vendor": "Ubika", - "name": "waf01.example.org", - "product": "Ubika WAAP" + ] }, "@timestamp": "2019-10-04T08:58:21.178000Z", "host": { @@ -605,6 +598,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "referrer": "http://example.org/auth/login" } }, + "observer": { + "name": "waf01.example.org", + "product": "Ubika WAAP", + "vendor": "Ubika" + }, "related": { "hosts": [ "example.org" diff --git a/_shared_content/operations_center/integrations/generated/700f332f-d515-4bc5-8a62-49fa5f2c9206.md b/_shared_content/operations_center/integrations/generated/700f332f-d515-4bc5-8a62-49fa5f2c9206.md index 3bb7ffc79c..26774bf5af 100644 --- a/_shared_content/operations_center/integrations/generated/700f332f-d515-4bc5-8a62-49fa5f2c9206.md +++ b/_shared_content/operations_center/integrations/generated/700f332f-d515-4bc5-8a62-49fa5f2c9206.md @@ -18,7 +18,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `host` | | Type | `` | @@ -42,7 +42,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "code": "UPDOWN", - "kind": "event", "reason": "Line protocol on Interface GigabitEthernet1/0/13, changed state to down", "severity": 5, "type": [ @@ -86,7 +85,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "code": "UPDOWN", - "kind": "event", "reason": "Line protocol on Interface GigabitEthernet1/0/13, changed state to up", "severity": 5, "type": [ @@ -130,7 +128,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "code": "UPDOWN", - "kind": "event", "reason": "Interface GigabitEthernet2/0/13, changed state to down", "severity": 3, "type": [ 
@@ -174,7 +171,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "code": "UPDOWN", - "kind": "event", "reason": "Interface GigabitEthernet2/0/25, changed state to up", "severity": 3, "type": [ @@ -217,7 +213,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "code": "LOGIN_SUCCESS", - "kind": "event", "reason": "Login Success [user: jdoe] [Source: 1.2.3.4] [localport: 22] at 10:16:05 GMT Fri Jan 13 2023", "severity": 5, "type": [ @@ -272,7 +267,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "code": "LOGGINGHOST_FAIL", - "kind": "event", "reason": "Logging to host 3.2.4.5 port 514 failed", "severity": 3, "type": [ @@ -321,7 +315,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "code": "LOGOUT", - "kind": "event", "reason": "User jdoe has exited tty session 2(1.2.3.4)", "severity": 6, "type": [ @@ -378,7 +371,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "code": "MACFLAP_NOTIF", - "kind": "event", "reason": "Host 0011.2233.4455 in vlan 20 is flapping between port Gi1/0/9 and port Gi2/0/9", "severity": 4, "type": [ @@ -432,7 +424,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "code": "TTY_EXPIRE_TIMER", - "kind": "event", "reason": "(exec timer expired, tty 2 (1.2.3.4)), user jdoe", "severity": 6, "type": [ 
@@ -496,7 +487,6 @@ The following table lists the fields that are extracted, normalized under the EC |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.code` | `keyword` | Identification code for this event. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.severity` | `long` | Numeric severity of the event. | |`host.name` | `keyword` | Name of the host. | diff --git a/_shared_content/operations_center/integrations/generated/70c5c3db-fae8-4825-8d8b-08d6315e1ef6.md b/_shared_content/operations_center/integrations/generated/70c5c3db-fae8-4825-8d8b-08d6315e1ef6.md index d355743091..df38f85ed1 100644 --- a/_shared_content/operations_center/integrations/generated/70c5c3db-fae8-4825-8d8b-08d6315e1ef6.md +++ b/_shared_content/operations_center/integrations/generated/70c5c3db-fae8-4825-8d8b-08d6315e1ef6.md @@ -17,7 +17,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `["network"]` | | Type | `` | @@ -41,7 +41,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "StorageDelete", - "kind": "event", "provider": "Microsoft.Storage/storageAccounts/fileServices", "type": [ "info" @@ -71,6 +70,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network": { "protocol": "HTTPS" }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, "source": { "address": "1.2.3.4", "ip": "1.2.3.4", @@ -97,11 +101,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "Linux" }, "version": "119.0.0" - }, - "related": { - "ip": [ - "1.2.3.4" - ] } } 
@@ -120,7 +119,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "StorageRead", - "kind": "event", "provider": "Microsoft.Storage/storageAccounts/fileServices", "type": [ "info" @@ -150,6 +148,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network": { "protocol": "HTTPS" }, + "related": { + "ip": [ + "10.0.0.10" + ] + }, "source": { "address": "10.0.0.10", "ip": "10.0.0.10", @@ -176,11 +179,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "Windows", "version": "95" } - }, - "related": { - "ip": [ - "10.0.0.10" - ] } } @@ -199,7 +197,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "StorageWrite", - "kind": "event", "provider": "Microsoft.Storage/storageAccounts/fileServices", "type": [ "info" @@ -229,6 +226,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network": { "protocol": "HTTPS" }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, "source": { "address": "1.2.3.4", "ip": "1.2.3.4", @@ -255,11 +257,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "Linux" }, "version": "119.0.0" - }, - "related": { - "ip": [ - "1.2.3.4" - ] } } @@ -284,7 +281,6 @@ The following table lists the fields that are extracted, normalized under the EC |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.dataset` | `keyword` | Name of the dataset. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.provider` | `keyword` | Source of the event. | |`http.response.status_code` | `long` | HTTP response status code. | |`network.protocol` | `keyword` | Application protocol name. | 
diff --git a/_shared_content/operations_center/integrations/generated/76d767ed-5431-4db1-b893-a48b6903d871.md b/_shared_content/operations_center/integrations/generated/76d767ed-5431-4db1-b893-a48b6903d871.md index dca9a475ec..b3b36e4169 100644 --- a/_shared_content/operations_center/integrations/generated/76d767ed-5431-4db1-b893-a48b6903d871.md +++ b/_shared_content/operations_center/integrations/generated/76d767ed-5431-4db1-b893-a48b6903d871.md @@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `network` | | Type | `access` | @@ -40,7 +40,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "audit_logs", - "kind": "event", "type": [ "access" ] @@ -93,7 +92,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "audit_logs", - "kind": "event", "type": [ "access" ] @@ -153,7 +151,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "audit_logs", - "kind": "event", "type": [ "access" ] @@ -205,7 +202,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "audit_logs", - "kind": "event", "type": [ "access" ] @@ -258,7 +254,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "audit_logs", - "kind": "event", "type": [ "access" ] 
@@ -326,7 +321,6 @@ The following table lists the fields that are extracted, normalized under the EC |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.dataset` | `keyword` | Name of the dataset. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`observer.type` | `keyword` | The type of the observer the data is coming from. | |`observer.vendor` | `keyword` | Vendor name of the observer. | diff --git a/_shared_content/operations_center/integrations/generated/79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4.md b/_shared_content/operations_center/integrations/generated/79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4.md index 15fb11f7cb..84545022ed 100644 --- a/_shared_content/operations_center/integrations/generated/79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4.md +++ b/_shared_content/operations_center/integrations/generated/79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4.md @@ -19,7 +19,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `alert`, `event` | +| Kind | `alert` | | Category | `authentication`, `configuration`, `network`, `process`, `web` | | Type | `connection`, `info` | @@ -187,7 +187,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "auth", - "kind": "event", "outcome": "success", "start": "2023-11-14T15:27:30Z", "timezone": "+0100", @@ -261,7 +260,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "auth", - "kind": "event", "outcome": "failure", "start": "2023-09-28T14:37:39Z", "timezone": "+0200", 
@@ -336,7 +334,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "dataset": "filter", "duration": 0.0, - "kind": "event", "outcome": "failure", "risk_score": 5, "start": "2022-03-17T13:49:51Z", @@ -447,7 +444,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "dataset": "filter", "duration": 2000000000.0, - "kind": "event", "outcome": "success", "risk_score": 5, "start": "2022-03-03T13:21:10Z", @@ -559,7 +555,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "dataset": "connection", "duration": 107331180000000.0, - "kind": "event", "outcome": "success", "risk_score": 5, "timezone": "+0100", @@ -677,7 +672,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "dataset": "plugin", "duration": 10000000.0, - "kind": "event", "outcome": "success", "risk_score": 5, "start": "2023-11-23T08:19:43Z", @@ -807,7 +801,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "configuration" ], "dataset": "server", - "kind": "event", "outcome": "success", "start": "2023-07-03T16:26:30Z", "timezone": "+0200", @@ -879,7 +872,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process" ], "dataset": "system", - "kind": "event", "risk_score": 5, "start": "2023-11-23T08:20:58Z", "timezone": "+0100", @@ -932,7 +924,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "vpn", - "kind": "event", "risk_score": 5, "start": "2023-07-04T09:27:09Z", "timezone": "+0200", @@ -1014,7 +1005,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "vpn", - "kind": "event", "risk_score": 5, "start": "2023-07-03T16:20:02Z", "timezone": "+0200", 
diff --git a/_shared_content/operations_center/integrations/generated/7b1317ec-3f87-4b53-9b6d-3f79045f28fa.md b/_shared_content/operations_center/integrations/generated/7b1317ec-3f87-4b53-9b6d-3f79045f28fa.md index af98b52cad..9ffb0939a4 100644 --- a/_shared_content/operations_center/integrations/generated/7b1317ec-3f87-4b53-9b6d-3f79045f28fa.md +++ b/_shared_content/operations_center/integrations/generated/7b1317ec-3f87-4b53-9b6d-3f79045f28fa.md @@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `network` | | Type | `info` | @@ -39,7 +39,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "gateway_dns", - "kind": "event", "type": [ "info" ] @@ -114,7 +113,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "gateway_dns", - "kind": "event", "type": [ "info" ] @@ -235,7 +233,6 @@ The following table lists the fields that are extracted, normalized under the EC |`dns.resolved_ip` | `ip` | Array containing all IPs seen in answers.data | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.dataset` | `keyword` | Name of the dataset. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`host.hostname` | `keyword` | Hostname of the host. | |`network.protocol` | `keyword` | Application protocol name. | diff --git a/_shared_content/operations_center/integrations/generated/80b8382e-0667-4469-bbc9-74be1e0ca1c1.md b/_shared_content/operations_center/integrations/generated/80b8382e-0667-4469-bbc9-74be1e0ca1c1.md index f4158830b8..d7c0fb0c48 100644 --- a/_shared_content/operations_center/integrations/generated/80b8382e-0667-4469-bbc9-74be1e0ca1c1.md 
+++ b/_shared_content/operations_center/integrations/generated/80b8382e-0667-4469-bbc9-74be1e0ca1c1.md @@ -17,7 +17,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `network` | | Type | `` | @@ -39,7 +39,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "allowed" ] @@ -115,7 +114,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] @@ -181,7 +179,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] @@ -274,7 +271,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] @@ -353,7 +349,6 @@ The following table lists the fields that are extracted, normalized under the EC | ---- | ---- | ---------------------------| |`@timestamp` | `date` | Date/time when the event originated. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`observer.hostname` | `keyword` | Hostname of the observer. | |`rule.name` | `keyword` | Rule name | |`service.name` | `keyword` | Name of the service. | diff --git a/_shared_content/operations_center/integrations/generated/80de6ccb-7246-40de-bcbb-bc830118c1f9.md b/_shared_content/operations_center/integrations/generated/80de6ccb-7246-40de-bcbb-bc830118c1f9.md index 39e5155e07..13c6f46726 100644 --- a/_shared_content/operations_center/integrations/generated/80de6ccb-7246-40de-bcbb-bc830118c1f9.md +++ b/_shared_content/operations_center/integrations/generated/80de6ccb-7246-40de-bcbb-bc830118c1f9.md 
@@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `configuration` | | Type | `allowed`, `change`, `creation`, `deletion`, `denied`, `info`, `user` | @@ -39,7 +39,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "configuration" ], - "kind": "event", "type": [ "change", "creation", @@ -100,7 +99,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "configuration" ], - "kind": "event", "type": [ "change", "info" @@ -157,7 +155,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "configuration" ], - "kind": "event", "type": [ "change", "info" @@ -216,7 +213,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "configuration" ], - "kind": "event", "type": [ "change", "info" @@ -275,7 +271,6 @@ The following table lists the fields that are extracted, normalized under the EC |`@timestamp` | `date` | Date/time when the event originated. | |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`geo.country_iso_code` | `keyword` | Country ISO code. | |`geo.country_name` | `keyword` | Country name. | diff --git a/_shared_content/operations_center/integrations/generated/838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9.md b/_shared_content/operations_center/integrations/generated/838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9.md index 04b432962e..f16cb5a6d0 100644 --- a/_shared_content/operations_center/integrations/generated/838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9.md 
+++ b/_shared_content/operations_center/integrations/generated/838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9.md @@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `email` | | Type | `info` | @@ -39,7 +39,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "email" ], - "kind": "event", "reason": "2", "type": [ "info" @@ -104,7 +103,6 @@ The following table lists the fields that are extracted, normalized under the EC |`email.to.address` | `keyword` | Email address of recipient | |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`vadecloud.filter_type` | `keyword` | | diff --git a/_shared_content/operations_center/integrations/generated/8461aabe-6eba-4044-ad7f-a0c39a2b2279.md b/_shared_content/operations_center/integrations/generated/8461aabe-6eba-4044-ad7f-a0c39a2b2279.md index f2cc1854bd..5619836f38 100644 --- a/_shared_content/operations_center/integrations/generated/8461aabe-6eba-4044-ad7f-a0c39a2b2279.md +++ b/_shared_content/operations_center/integrations/generated/8461aabe-6eba-4044-ad7f-a0c39a2b2279.md @@ -17,7 +17,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `email` | | Type | `info` | @@ -40,7 +40,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "email" ], - "kind": "event", "type": [ "info" ] 
@@ -94,7 +93,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "email" ], - "kind": "event", "type": [ "info" ] @@ -143,7 +141,6 @@ The following table lists the fields that are extracted, normalized under the EC |`email.to.address` | `keyword` | Email address of recipient. | |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`office365.message_trace.MessageTraceId` | `keyword` | An identifier used to get the detailed message transfer trace information. | |`office365.message_trace.Size` | `number` | The size of the message, in bytes. | diff --git a/_shared_content/operations_center/integrations/generated/8510051d-c7cf-4b0c-a398-031afe91faa0.md b/_shared_content/operations_center/integrations/generated/8510051d-c7cf-4b0c-a398-031afe91faa0.md index 610fde27bc..8176f4e318 100644 --- a/_shared_content/operations_center/integrations/generated/8510051d-c7cf-4b0c-a398-031afe91faa0.md +++ b/_shared_content/operations_center/integrations/generated/8510051d-c7cf-4b0c-a398-031afe91faa0.md @@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `network` | | Type | `connection` | @@ -39,7 +39,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "match", "type": [ "denied" @@ -113,7 +112,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "match", "type": [ "allowed" 
@@ -183,7 +181,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "match", "type": [ "allowed" @@ -258,7 +255,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "match", "type": [ "allowed" @@ -330,7 +326,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "match", "type": [ "allowed" @@ -406,7 +401,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "match", "type": [ "allowed" @@ -485,7 +479,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "match", "type": [ "allowed" @@ -559,7 +552,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "match", "type": [ "allowed" @@ -633,7 +625,6 @@ The following table lists the fields that are extracted, normalized under the EC |`destination.port` | `long` | Port of the destination. | |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`network.bytes` | `long` | Total bytes transferred in both directions. | 
diff --git a/_shared_content/operations_center/integrations/generated/890207d2-4878-440d-9079-3dd25d472e0a.md b/_shared_content/operations_center/integrations/generated/890207d2-4878-440d-9079-3dd25d472e0a.md index b015203e33..a255fc158a 100644 --- a/_shared_content/operations_center/integrations/generated/890207d2-4878-440d-9079-3dd25d472e0a.md +++ b/_shared_content/operations_center/integrations/generated/890207d2-4878-440d-9079-3dd25d472e0a.md @@ -18,7 +18,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `alert`, `event` | +| Kind | `alert` | | Category | `authentication`, `configuration`, `file`, `iam`, `network` | | Type | `change`, `info`, `start` | @@ -101,7 +101,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "configuration" ], "dataset": "ADObjectsAuditReports", - "kind": "event", "module": "EventLog", "outcome": "Success", "reason": "msExchOAB 'Default Offline Address Book' was modified by 'EXAMPLE\\JDX2093$'. Modified Properties : ms-Exch-OAB-Last-Number-Of-Records. Value : 7970", @@ -151,7 +150,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "configuration" ], "dataset": "DNSAuditReports", - "kind": "event", "module": "EventLog", "outcome": "Success", "reason": "dnsNode (null) '119251-P10'was modified by 'NT AUTHORITY\\SYSTEM'. Modified Properties : NT-Security-Descriptor", @@ -201,7 +199,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "iam" ], "dataset": "GroupMgmtReports", - "kind": "event", "module": "EventLog", "reason": "Group 'MyGROUP' was modified by 'EXAMPLE\\J_DOE' Modified Properties : member, Values : CN\\=JANEDOE,OU\\=USERS,DC\\=example,DC\\=org", "severity": 1, 
@@ -248,7 +245,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "iam" ], "dataset": "UserMgmtReports", - "kind": "event", "module": "EventLog", "outcome": "Success", "reason": "User 'JaneDoe' was modified by 'EXAMPLE\\J_DOE' Modified Properties : primaryGroupID, Values : 513", @@ -299,7 +295,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "iam" ], "dataset": "UserMgmtReports", - "kind": "event", "module": "EventLog", "outcome": "Failure", "reason": "Change Password Attempt by user 'J_DOE'. Status:Failure'", @@ -350,7 +345,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "LogonReports", - "kind": "event", "module": "EventLog", "outcome": "Failure", "reason": "Kerberos pre-authentication failed.", @@ -404,7 +398,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "LogonReports", - "kind": "event", "module": "EventLog", "outcome": "Success", "reason": "A Kerberos authentication ticket (TGT) was requested.", diff --git a/_shared_content/operations_center/integrations/generated/8a9894f8-d7bc-4c06-b96a-8808b3c6cade.md b/_shared_content/operations_center/integrations/generated/8a9894f8-d7bc-4c06-b96a-8808b3c6cade.md index 5f88ceb450..18a310c4a8 100644 --- a/_shared_content/operations_center/integrations/generated/8a9894f8-d7bc-4c06-b96a-8808b3c6cade.md +++ b/_shared_content/operations_center/integrations/generated/8a9894f8-d7bc-4c06-b96a-8808b3c6cade.md @@ -18,7 +18,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `configuration`, `network` | | Type | `change`, `info` | @@ -40,7 +40,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "configuration" ], - "kind": "event", "type": [ "change" ] 
@@ -78,7 +77,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "INFO: 5 endpoint(s) purged successfully", "event": { - "kind": "event", "reason": " 5 endpoint(s) purged successfully", "type": [ "info" @@ -103,7 +101,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "MnT purge event occurred", "type": [ "info" @@ -135,7 +132,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": ": ACTIVE_DIRECTORY_DIAGNOSTIC_TOOL_ISSUES_FOUND need to complete", "type": [ "info" @@ -160,7 +156,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] @@ -198,7 +193,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] @@ -241,7 +235,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "Request timed out.", "type": [ "info" @@ -286,7 +279,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] 
@@ -337,7 +329,6 @@ The following table lists the fields that are extracted, normalized under the EC |`cisco.ise.event.outcome` | `keyword` | The outcome of the event | |`cisco.ise.network_calling_station.id` | `keyword` | the calling station id | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`observer.product` | `keyword` | The product name of the observer. | diff --git a/_shared_content/operations_center/integrations/generated/8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd.md b/_shared_content/operations_center/integrations/generated/8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd.md index bb8d5a5162..c965097228 100644 --- a/_shared_content/operations_center/integrations/generated/8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd.md +++ b/_shared_content/operations_center/integrations/generated/8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd.md @@ -19,7 +19,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `alert`, `event` | +| Kind | `alert` | | Category | `` | | Type | `info` | @@ -242,7 +242,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process" ], "code": "130181040000001", - "kind": "event", "module": "das", "reason": "URLs detected in a document file\n\nRemediation: no remediation taken\n\nSuspicious URLs:\n- http://www.google.com", "severity": 5, 
@@ -342,7 +341,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process" ], "code": "130181041000003", - "kind": "event", "module": "das", "reason": "Potential malicious VBA code detected in a document file\n- Suspicious macros detected (1)\n\nRemediation: no remediation taken\n\nBehaviors:\n- Suspicious | May run PowerShell commands\n\nSuspicious macros sha1:\n- adc83b19e793491b1c6ea0fd8b46cd9f32e592fc", "severity": 6, diff --git a/_shared_content/operations_center/integrations/generated/8f472113-ba5b-45b9-9a2c-944834396333.md b/_shared_content/operations_center/integrations/generated/8f472113-ba5b-45b9-9a2c-944834396333.md index 7ccb49dd45..05850869ef 100644 --- a/_shared_content/operations_center/integrations/generated/8f472113-ba5b-45b9-9a2c-944834396333.md +++ b/_shared_content/operations_center/integrations/generated/8f472113-ba5b-45b9-9a2c-944834396333.md @@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `alert`, `event` | +| Kind | `alert` | | Category | `intrusion_detection`, `vulnerability` | | Type | `info` | @@ -84,7 +84,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "vulnerability" ], "dataset": "issue", - "kind": "event", "type": [ "info" ] diff --git a/_shared_content/operations_center/integrations/generated/90179796-f949-490c-8729-8cbc9c65be55.md b/_shared_content/operations_center/integrations/generated/90179796-f949-490c-8729-8cbc9c65be55.md index 2206a1f253..058a08c190 100644 --- a/_shared_content/operations_center/integrations/generated/90179796-f949-490c-8729-8cbc9c65be55.md +++ b/_shared_content/operations_center/integrations/generated/90179796-f949-490c-8729-8cbc9c65be55.md 
@@ -30,6 +30,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "outcome": "success" }, + "@timestamp": "2021-02-21T15:30:49Z", "action": { "name": "DNS query", "outcome": "success", @@ -85,6 +86,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "outcome": "success" }, + "@timestamp": "2020-06-12T14:29:47Z", "action": { "name": "DNS query", "outcome": "success", @@ -139,6 +141,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "outcome": "failure" }, + "@timestamp": "2020-06-12T14:29:48Z", "action": { "name": "DNS query", "outcome": "failure", @@ -190,6 +193,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "outcome": "failure" }, + "@timestamp": "2024-03-04T11:17:25Z", "action": { "name": "DNS query", "outcome": "failure", 
@@ -234,6 +238,115 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "umbrella-dns-5.json" + + ```json + + { + "message": " \"2024-01-15 17:29:16\",\"CORP - IP INTERNET\",\"CORP - IP INTERNET\",\"1.1.1.1\",\"1.1.1.1\",\"Allowed\",\"1 (A)\",\"NOERROR\",\"emea.corp.\",\"\",\"Networks\",\"Networks\",\"\"", + "event": { + "outcome": "success" + }, + "@timestamp": "2024-01-15T17:29:16Z", + "action": { + "name": "DNS query", + "outcome": "success", + "target": "network-traffic", + "type": "allowed" + }, + "dns": { + "question": { + "name": "emea.corp.", + "subdomain": "emea", + "type": "A" + }, + "response_code": "NOERROR", + "size_in_char": "10", + "type": "query" + }, + "related": { + "hosts": [ + "emea.corp." + ], + "ip": [ + "1.1.1.1" + ], + "user": [ + "CORP - IP INTERNET" + ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "nat": { + "ip": "1.1.1.1" + } + }, + "user": { + "name": "CORP - IP INTERNET" + } + } + + ``` + + +=== "umbrella-dns-6.json" + + ```json + + { + "message": " \"2024-03-12 09:09:48\",\"CD111\",\"CD111\",\"1.1.1.1\",\"1.1.1.1\",\"Allowed\",\"1 (A)\",\"NOERROR\",\"substrate.office.com.\",\"Software/Technology,Webmail,Business Services,Allow List,Organizational Email,Application,Web-based Email,Computers and Internet\",\"Anyconnect Roaming Client\",\"Anyconnect Roaming Client\",\"Allow List\"", + "event": { + "outcome": "success" + }, + "@timestamp": "2024-03-12T09:09:48Z", + "action": { + "name": "DNS query", + "outcome": "success", + "properties": { + "Categories": "Software/Technology,Webmail,Business Services,Allow List,Organizational Email,Application,Web-based Email,Computers and Internet" + }, + "target": "network-traffic", + "type": "allowed" + }, + "dns": { + "question": { + "name": "substrate.office.com.", + "registered_domain": "office.com", + "subdomain": "substrate", + "top_level_domain": "com", + "type": "A" + }, + "response_code": "NOERROR", + "size_in_char": "21", + "type": "query" 
+ }, + "related": { + "hosts": [ + "substrate.office.com." + ], + "ip": [ + "1.1.1.1" + ], + "user": [ + "CD111" + ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "nat": { + "ip": "1.1.1.1" + } + }, + "user": { + "name": "CD111" + } + } + + ``` + + @@ -243,6 +356,7 @@ The following table lists the fields that are extracted, normalized under the EC | Name | Type | Description | | ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | |`action.properties.Categories` | `keyword` | | |`action.target` | `keyword` | the target of the action | |`dns.question.name` | `keyword` | The name being queried. | diff --git a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md index 2d3dd3a693..36464b5c58 100644 --- a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md +++ b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md @@ -17,7 +17,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `authentication`, `host`, `network`, `session` | | Type | `info` | @@ -40,7 +40,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "userid", - "kind": "event", "type": [ "start" ] @@ -105,7 +104,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "userid", - "kind": "event", "type": [ "start" ] @@ -170,7 +168,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "auth", - "kind": "event", "severity": 3, "start": "2021-02-28T18:20:40Z", "timezone": "UTC", 
@@ -247,7 +244,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "decryption", - "kind": "event", "severity": 3, "start": "2021-03-01T20:35:54Z", "timezone": "UTC", @@ -342,7 +338,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "file" ], "dataset": "threat", - "kind": "event", "severity": 3, "start": "2021-03-01T21:06:06Z", "timezone": "UTC", @@ -439,7 +434,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "dataset": "traffic", "duration": 16, - "kind": "event", "outcome": "success", "type": [ "end" @@ -535,7 +529,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "dataset": "traffic", "duration": 16, - "kind": "event", "outcome": "success", "type": [ "end" @@ -630,7 +623,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "session" ], "dataset": "globalprotect", - "kind": "event", "reason": "Client cert not present", "severity": 3, "start": "2021-03-01T20:35:54Z", @@ -701,7 +693,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "session" ], "dataset": "globalprotect", - "kind": "event", "outcome": "success", "type": [ "start" @@ -777,7 +768,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "session" ], "dataset": "globalprotect", - "kind": "event", "outcome": "success", "type": [ "info" @@ -853,7 +843,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "hipmatch", - "kind": "event", "severity": 3, "start": "2021-03-01T21:20:13Z", "timezone": "UTC", @@ -930,7 +919,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "dataset": "traffic", "duration": 0, - "kind": "event", "outcome": "success", "type": [ "start" 
@@ -1011,7 +999,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "iptag", - "kind": "event", "severity": 3, "start": "2021-03-01T21:20:13Z", "timezone": "UTC", @@ -1072,7 +1059,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "sctp", - "kind": "event", "severity": 9, "start": "2021-03-01T21:22:02Z", "timezone": "UTC", @@ -1166,7 +1152,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "system", - "kind": "event", "reason": "authenticated for user 'user1'. auth profile 'GP', vsys 'vsys123', server profile 'LDAP', server address 'srv01.entreprise.local', From: 1.2.3.4.", "type": [ "start" @@ -1229,7 +1214,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "dataset": "traffic", "duration": 0, - "kind": "event", "outcome": "success", "type": [ "start" @@ -1310,7 +1294,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "system", - "kind": "event", "reason": "CLOUD ELECTION: serverlist2.urlcloud.paloaltonetworks.com IP: 35.244.229.101 was elected, measured alive test 143294.", "type": [ "info" @@ -1369,7 +1352,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "system", - "kind": "event", "reason": "DHCP RENEW: interface eth0, ip 1.2.3.4 netmask 255.255.255.0 dhcp server: 1.2.3.1", "type": [ "info" @@ -1429,7 +1411,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "system", - "kind": "event", "reason": "DNS Proxy object: mgmt-obj inherited following values from dynamic interface: mgmt-if: Primary DNS: 1.2.3.1 Secondary DNS: ::", "type": [ "info" 
@@ -1472,7 +1453,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "file" ], "dataset": "threat", - "kind": "event", "outcome": "success", "type": [ "info" @@ -1575,7 +1555,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "session" ], "dataset": "globalprotect", - "kind": "event", "outcome": "success", "type": [ "info" @@ -1654,7 +1633,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "dataset": "system", - "kind": "event", "module": "contents", "reason": "Installed contents package: panupv2-all-contents-8676-7858.tgz", "type": [ @@ -1701,7 +1679,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "system", - "kind": "event", "reason": "NTP sync to server de.pool.ntp.org", "type": [ "info" @@ -1748,7 +1725,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "system", - "kind": "event", "reason": "Port ethernet1/2: Up 10Gb/s-full duplex", "type": [ "info" @@ -1797,7 +1773,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "system", - "kind": "event", "reason": "Successfully registered to Public Cloud wildfire.paloaltonetworks.com", "type": [ "info" @@ -1852,7 +1827,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "system", - "kind": "event", "reason": "unknown test peer", "type": [ "info" @@ -1899,7 +1873,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "dataset": "system", - "kind": "event", "reason": "Successfully connect to address: 5.6.7.8 port: 3978, conn id: triallr-5.6.7.8-2-def", "type": [ "info" 
@@ -1952,7 +1925,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "system", - "kind": "event", "module": "PAN-DB", "reason": "PAN-DB was upgraded to version 20230203.20250.", "type": [ @@ -1996,7 +1968,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "system", - "kind": "event", "reason": "DHCP RENEW: interface eth0, ip 1.2.3.4 netmask 255.255.255.0 dhcp server: 1.2.3.1", "type": [ "info" @@ -2056,7 +2027,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "dataset": "system", - "kind": "event", "module": "WildFire", "reason": "Installed WildFire package: panupv3-all-wildfire-739610-742990.tgz", "type": [ @@ -2103,7 +2073,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "dataset": "system", - "kind": "event", "module": "WildFire", "reason": "WildFire update job succeeded for user Auto update agent", "type": [ @@ -2147,7 +2116,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "dataset": "system", - "kind": "event", "reason": "Connection to Update server: completed successfully, initiated by 1.2.3.4", "type": [ "info" @@ -2199,7 +2167,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "dataset": "system", - "kind": "event", "module": "WildFire", "reason": "WildFire job started processing. Dequeue time=2023/02/03 17:45:52. Job Id=72. ", "type": [ @@ -2243,7 +2210,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "dataset": "system", - "kind": "event", "module": "WildFire", "reason": "WildFire package upgraded from version 739610-742990 to 739613-742993 by Auto update agent", "type": [ 
@@ -2287,7 +2253,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "dataset": "system", - "kind": "event", "module": "WildFire", "reason": "WildFire job enqueued. Enqueue time=2023/02/03 17:45:52. JobId=72. . Type: Full", "type": [ @@ -2331,7 +2296,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "dataset": "system", - "kind": "event", "reason": "Connection to Update server: updates.paloaltonetworks.com completed successfully, initiated by 1.2.3.4", "type": [ "info" @@ -2386,7 +2350,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "dataset": "system", - "kind": "event", "module": "WildFire", "reason": "Installed WildFire package: panupv3-all-wildfire-739613-742993.tgz", "type": [ @@ -2433,7 +2396,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "dataset": "system", - "kind": "event", "module": "WildFire", "reason": "WildFire version 739613-742993 downloaded by Auto update agent", "type": [ @@ -2477,7 +2439,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "threat", - "kind": "event", "outcome": "success", "reason": "(9999)", "type": [ @@ -2567,7 +2528,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "dataset": "system", - "kind": "event", "reason": "Request made to server \"server_test.com\" is successful . ", "type": [ "info" @@ -2615,7 +2575,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "dataset": "traffic", "duration": 0, - "kind": "event", "outcome": "success", "start": "2023-02-03T16:46:00Z", "type": [ @@ -2707,7 +2666,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "dataset": "traffic", "duration": 0, - "kind": "event", "outcome": "success", "start": "2023-02-03T16:45:44Z", "type": [ 
@@ -2798,7 +2756,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "dataset": "system", - "kind": "event", "reason": "Content update job succeeded for user admin", "type": [ "info" @@ -2849,7 +2806,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "dataset": "system", - "kind": "event", "reason": "Content package upgraded from version 8671-7826 to 8676-7858 by admin", "type": [ "info" @@ -2900,7 +2856,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "system", - "kind": "event", "reason": "authenticated for user 'admin'. From: 1.2.3.4.", "type": [ "info" @@ -2958,7 +2913,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "userid", - "kind": "event", "type": [ "start" ] @@ -3023,7 +2977,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "dataset": "system", - "kind": "event", "reason": "User admin logged in via Web from 1.2.3.4 using https", "type": [ "info" @@ -3084,7 +3037,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "system", - "kind": "event", "module": "WildFire", "reason": "Failed to perform task resulting in connection timeout with WildFire Cloud wildfire.paloaltonetworks.com", "type": [ @@ -3141,7 +3093,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "malware" ], "dataset": "threat", - "kind": "event", "severity": 1, "start": "2021-03-01T20:48:16Z", "timezone": "UTC", @@ -3273,7 +3224,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "vulnerability" ], "dataset": "threat", - "kind": "event", "outcome": "success", "reason": "PDF Exploit Evasion Found(34805)", "type": [ 
@@ -3360,7 +3310,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "dataset": "traffic", "duration": 178, - "kind": "event", "reason": "tcp-fin", "severity": 3, "start": "2022-07-31T12:46:07Z", @@ -3469,7 +3418,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "dataset": "traffic", "duration": 0, - "kind": "event", "reason": "tcp-fin", "severity": 3, "start": "2022-08-02T06:42:01Z", @@ -3582,7 +3530,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "dataset": "traffic", "duration": 56, - "kind": "event", "reason": "unknown", "severity": 3, "start": "2021-02-27T20:16:17Z", @@ -3728,7 +3675,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "dataset": "traffic", "duration": 0, - "kind": "event", "outcome": "success", "type": [ "end" @@ -3811,7 +3757,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "dataset": "traffic", "duration": 0, - "kind": "event", "outcome": "success", "type": [ "denied" @@ -3894,7 +3839,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "threat", - "kind": "event", "severity": 1, "start": "2021-03-01T20:48:16Z", "timezone": "UTC", @@ -4028,7 +3972,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "userid", - "kind": "event", "severity": 3, "start": "2021-03-01T21:06:02Z", "timezone": "UTC", @@ -4106,7 +4049,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "malware" ], "dataset": "threat", - "kind": "event", "outcome": "success", "type": [ "info" 
@@ -4232,7 +4174,6 @@ The following table lists the fields that are extracted, normalized under the EC |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.dataset` | `keyword` | Name of the dataset. | |`event.duration` | `long` | Duration of the event in nanoseconds. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.module` | `keyword` | Name of the module this data is coming from. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.severity` | `long` | Numeric severity of the event. | diff --git a/_shared_content/operations_center/integrations/generated/9044ba46-2b5d-4ebd-878a-51d62e84c8df.md b/_shared_content/operations_center/integrations/generated/9044ba46-2b5d-4ebd-878a-51d62e84c8df.md index 6fe9d74740..fab1de4754 100644 --- a/_shared_content/operations_center/integrations/generated/9044ba46-2b5d-4ebd-878a-51d62e84c8df.md +++ b/_shared_content/operations_center/integrations/generated/9044ba46-2b5d-4ebd-878a-51d62e84c8df.md @@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `network` | | Type | `connection` | @@ -38,7 +38,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "outcome": "success", "type": [ "connection" @@ -81,7 +80,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "outcome": "success", "type": [ "connection" @@ -117,7 +115,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "outcome": "success", "type": [ "connection" 
@@ -155,7 +152,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "outcome": "success", "type": [ "connection" @@ -200,7 +196,6 @@ The following table lists the fields that are extracted, normalized under the EC |`destination.ip` | `ip` | IP address of the destination. | |`dhcpd.query` | `keyword` | name of the DHCP query | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.outcome` | `keyword` | The outcome of the event. The lowest level categorization field in the hierarchy. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`source.domain` | `keyword` | The domain name of the source. | diff --git a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md index 29246571ba..0461a49b58 100644 --- a/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md +++ b/_shared_content/operations_center/integrations/generated/9281438c-f7c3-4001-9bcc-45fd108ba1be.md 
@@ -619,6 +619,79 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "Event_4698.json" + + ```json + + { + "message": "{\n \"EventTime\": \"2024-03-27 10:57:48\",\n \"Hostname\": \"server001.example.org\",\n \"Keywords\": -9214364837600035000,\n \"EventType\": \"AUDIT_SUCCESS\",\n \"SeverityValue\": 2,\n \"Severity\": \"INFO\",\n \"EventID\": 4698,\n \"SourceName\": \"Microsoft-Windows-Security-Auditing\",\n \"ProviderGuid\": \"{70F17275-E2D6-40BF-9990-D3347AD59BBF}\",\n \"Version\": 1,\n \"Task\": 12804,\n \"OpcodeValue\": 0,\n \"RecordNumber\": 60217389,\n \"ActivityID\": \"{70F17275-E2D6-40BF-9990-D3347AD59BBF}\",\n \"ProcessID\": 816,\n \"ThreadID\": 3272,\n \"Channel\": \"Security\",\n \"SubjectUserSid\": \"S-1-5-18\",\n \"SubjectUserName\": \"JDOE$\",\n \"SubjectDomainName\": \"EXAMPLE\",\n \"SubjectLogonId\": \"0x3e7\",\n \"TaskName\": \"\\\\MicrosoftEdgeUpdateBrowserReplacementTask\",\n \"TaskContent\": \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-16\\\"?>\\r\\n<Task version=\\\"1.2\\\" xmlns=\\\"http://schemas.microsoft.com/windows/2004/02/mit/task\\\">\\r\\n <RegistrationInfo>\\r\\n <Version>1.3.185.27</Version>\\r\\n <Description>Keeps your Microsoft software up to date. If this task is disabled or stopped, your Microsoft software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. 
This task uninstalls itself when there is no Microsoft software using it.</Description>\\r\\n <URI>\\\\MicrosoftEdgeUpdateBrowserReplacementTask</URI>\\r\\n </RegistrationInfo>\\r\\n <Triggers>\\r\\n <BootTrigger>\\r\\n <Enabled>true</Enabled>\\r\\n </BootTrigger>\\r\\n </Triggers>\\r\\n <Principals>\\r\\n <Principal id=\\\"Author\\\">\\r\\n <UserId>S-1-5-18</UserId>\\r\\n <RunLevel>HighestAvailable</RunLevel>\\r\\n </Principal>\\r\\n </Principals>\\r\\n <Settings>\\r\\n <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\\r\\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\\r\\n <StartWhenAvailable>true</StartWhenAvailable>\\r\\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\\r\\n <Enabled>true</Enabled>\\r\\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\\r\\n <WakeToRun>false</WakeToRun>\\r\\n <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>\\r\\n <Priority>4</Priority>\\r\\n </Settings>\\r\\n <Actions Context=\\\"Author\\\">\\r\\n <Exec>\\r\\n <Command>C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe</Command>\\r\\n <Arguments>/browserreplacement</Arguments>\\r\\n </Exec>\\r\\n </Actions>\\r\\n</Task>\",\n \"ClientProcessStartKey\": \"20829148276605418\",\n \"ClientProcessId\": \"5632\",\n \"ParentProcessId\": \"808\",\n \"RpcCallClientLocality\": \"0\",\n \"FQDN\": \"server001.example.org\",\n \"EventReceivedTime\": \"2024-03-27 10:58:34\",\n \"SourceModuleName\": \"eventlog\",\n \"SourceModuleType\": \"im_msvistalog\"\n}", + "event": { + "code": "4698", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "action": { + "id": 4698, + "name": "A scheduled task was created", + "outcome": "success", + "properties": { + "EventType": "AUDIT_SUCCESS", + "Keywords": "-9214364837600035000", + "OpcodeValue": 0, + "ProviderGuid": "{70F17275-E2D6-40BF-9990-D3347AD59BBF}", + "Severity": "INFO", + "SourceName": "Microsoft-Windows-Security-Auditing", + "SubjectDomainName": "EXAMPLE", + 
"SubjectLogonId": "0x3e7", + "SubjectUserName": "JDOE$", + "SubjectUserSid": "S-1-5-18", + "Task": 12804, + "TaskContent": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo>\r\n <Version>1.3.185.27</Version>\r\n <Description>Keeps your Microsoft software up to date. If this task is disabled or stopped, your Microsoft software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This task uninstalls itself when there is no Microsoft software using it.</Description>\r\n <URI>\\MicrosoftEdgeUpdateBrowserReplacementTask</URI>\r\n </RegistrationInfo>\r\n <Triggers>\r\n <BootTrigger>\r\n <Enabled>true</Enabled>\r\n </BootTrigger>\r\n </Triggers>\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <UserId>S-1-5-18</UserId>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StartWhenAvailable>true</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <Enabled>true</Enabled>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe</Command>\r\n <Arguments>/browserreplacement</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task>", + "TaskContentNew_Args": "/browserreplacement", + "TaskContentNew_Command": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe", + "TaskName": "\\MicrosoftEdgeUpdateBrowserReplacementTask" + }, + "record_id": 60217389, + "type": "Security" + }, + "host": { + "hostname": "server001.example.org", + "name": 
"server001.example.org" + }, + "log": { + "hostname": "server001.example.org", + "level": "info" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "process": { + "id": 816, + "pid": 816, + "ppid": "808", + "thread": { + "id": 3272 + } + }, + "related": { + "hosts": [ + "server001.example.org" + ], + "user": [ + "JDOE$" + ] + }, + "user": { + "domain": "EXAMPLE", + "id": "S-1-5-18", + "name": "JDOE$" + } + } + + ``` + + === "Event_4768.json" ```json 
@@ -4125,6 +4198,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "SubjectUserName": "srv-foo$", "SubjectUserSid": "S-1-5-18", "Task": 12804, + "TaskContent": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo>\r\n <Author>KEY\\adm_foo</Author>\r\n <URI>\\CORP-Dump_Installed_Updates</URI>\r\n </RegistrationInfo>\r\n <Triggers>\r\n <CalendarTrigger>\r\n <Repetition>\r\n <Interval>PT1H</Interval>\r\n <Duration>P1D</Duration>\r\n <StopAtDurationEnd>true</StopAtDurationEnd>\r\n </Repetition>\r\n <StartBoundary>2016-05-02T04:45:00</StartBoundary>\r\n <ExecutionTimeLimit>PT30M</ExecutionTimeLimit>\r\n <Enabled>true</Enabled>\r\n <ScheduleByDay>\r\n <DaysInterval>1</DaysInterval>\r\n </ScheduleByDay>\r\n </CalendarTrigger>\r\n </Triggers>\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <RunLevel>HighestAvailable</RunLevel>\r\n <UserId>NT AUTHORITY\\System</UserId>\r\n <LogonType>S4U</LogonType>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>true</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <Duration>PT5M</Duration>\r\n <WaitTimeout>PT1H</WaitTimeout>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT1H</ExecutionTimeLimit>\r\n <Priority>7</Priority>\r\n <RestartOnFailure>\r\n <Interval>PT15M</Interval>\r\n <Count>3</Count>\r\n </RestartOnFailure>\r\n 
</Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe</Command>\r\n <Arguments>-NonInteractive -NoProfile -Command \"Import-Module -Name 'PSWindowsUpdate'; Get-WUHistory -MaxDate (Get-Date).AddMonths(-3) | Export-Clixml -Path 'C:\\Exploitation\\Scripts\\Nagios\\LastInstalledUpdates.xml'\"</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task>", "TaskContentNew_Args": "-NonInteractive -NoProfile -Command \"Import-Module -Name 'PSWindowsUpdate'; Get-WUHistory -MaxDate (Get-Date).AddMonths(-3) | Export-Clixml -Path 'C:\\Exploitation\\Scripts\\Nagios\\LastInstalledUpdates.xml'\"", "TaskContentNew_Command": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", "TaskName": "\\CORP-Dump_Installed_Updates" @@ -7137,6 +7211,7 @@ The following table lists the fields that are extracted, normalized under the EC |`action.properties.StartFunction` | `keyword` | | |`action.properties.StartModule` | `keyword` | | |`action.properties.StatusInformation` | `keyword` | | +|`action.properties.TaskContent` | `keyword` | | |`action.properties.TaskContentNew_Args` | `keyword` | | |`action.properties.TaskContentNew_Command` | `keyword` | | |`action.properties.ThreatName` | `keyword` | | diff --git a/_shared_content/operations_center/integrations/generated/954a6488-6394-4385-8427-621541e881d5.md b/_shared_content/operations_center/integrations/generated/954a6488-6394-4385-8427-621541e881d5.md index 818d32f8aa..a9764ba504 100644 --- a/_shared_content/operations_center/integrations/generated/954a6488-6394-4385-8427-621541e881d5.md +++ b/_shared_content/operations_center/integrations/generated/954a6488-6394-4385-8427-621541e881d5.md @@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `alert`, `event` | +| Kind | `alert` | | Category | `` | | Type | `["info"]` | 
@@ -38,7 +38,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "host" ], - "kind": "event", "start": "2023-09-25T15:00:20.994000Z", "type": [ "info" @@ -142,7 +141,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "intrusion_detection" ], - "kind": "event", "start": "2023-08-27T05:34:29Z", "type": [ "info" @@ -181,7 +179,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "intrusion_detection" ], "end": "2023-08-27T05:34:29Z", - "kind": "event", "start": "2023-08-27T05:34:29Z", "type": [ "info" diff --git a/_shared_content/operations_center/integrations/generated/98fa7079-41ae-4033-a93f-bbd70d114188.md b/_shared_content/operations_center/integrations/generated/98fa7079-41ae-4033-a93f-bbd70d114188.md index 87bbd62b27..629ef9ae09 100644 --- a/_shared_content/operations_center/integrations/generated/98fa7079-41ae-4033-a93f-bbd70d114188.md +++ b/_shared_content/operations_center/integrations/generated/98fa7079-41ae-4033-a93f-bbd70d114188.md @@ -17,7 +17,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `alert`, `event` | +| Kind | `alert` | | Category | `network`, `threat` | | Type | `info` | 
@@ -116,7 +116,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"summariser\":\"SaasBruteforceSummary\",\"acknowledged\":false,\"pinned\":false,\"createdAt\":1708649003457,\"attackPhases\":[2,4],\"mitreTactics\":[\"credential-access\"],\"title\":\"Possible Distributed Bruteforce of AzureActiveDirectory Account\",\"id\":\"dc5f69a5-ee78-4702-a999-ed64a9e873dc\",\"incidentEventUrl\":\"https://darktrace-dt-32980-01/saas#aiaincidentevent/dc5f69a5-ee78-4702-a999-ed64a9e873dc\",\"children\":[\"dc5f69a5-ee78-4702-a999-ed64a9e873dc\"],\"category\":\"suspicious\",\"currentGroup\":\"g7bd28910-7d7d-4971-9a20-48f12b8518e1\",\"groupCategory\":\"suspicious\",\"groupScore\":32.34820100820068,\"groupPreviousGroups\":[],\"activityId\":\"da39a3ee\",\"groupingIds\":[\"6ae71ab6\"],\"groupByActivity\":false,\"userTriggered\":false,\"externalTriggered\":false,\"aiaScore\":85.47036382887099,\"summary\":\"Repeated attempts to access the account test@test.fr over a configured AzureActiveDirectory service were observed from a range of external IP addresses.\\n\\nThis included login attempts made from unusual locations for the account, and for the configured service in general.\\n\\nSince these requests originated from a wide variety of external sources, this could indicate a distributed attempt by a malicious actor to gain illegitimate access to this account.\\n\\nThe security team may therefore wish to ensure that the relevant credentials are sufficiently robust, and that additional measures such as multi-factor authentication are enabled where possible.\",\"periods\":[{\"start\":1708040149000,\"end\":1708648697000}],\"sender\":null,\"breachDevices\":[{\"identifier\":\"SaaS::AzureActiveDirectory: test@test.fr\",\"hostname\":\"SaaS::AzureActiveDirectory: test@test.fr\",\"ip\":null,\"mac\":null,\"subnet\":null,\"did\":2635,\"sid\":-9}],\"relatedBreaches\":[{\"modelName\":\"SaaS / Access / Password 
Spray\",\"pbid\":7130,\"threatScore\":47,\"timestamp\":1708648698000}],\"details\":[[{\"header\":\"SaaS User Details\",\"contents\":[{\"key\":\"SaaS account\",\"type\":\"device\",\"values\":[{\"identifier\":\"SaaS::AzureActiveDirectory: test@test.fr\",\"hostname\":\"SaaS::AzureActiveDirectory: test@test.fr\",\"ip\":null,\"mac\":null,\"subnet\":null,\"did\":2635,\"sid\":-9}]},{\"key\":\"Actor\",\"type\":\"string\",\"values\":[\"test@test.fr\"]}]}],[{\"header\":\"Summary of Related Access Attempts\",\"contents\":[{\"key\":\"Attempts grouped by\",\"type\":\"string\",\"values\":[\"same targeted account\"]},{\"key\":\"Number of source ASNs\",\"type\":\"integer\",\"values\":[241]},{\"key\":\"Suspicious properties\",\"type\":\"string\",\"values\":[\"Unusual time for activity\",\"Unusual external source for activity\",\"Large number of login failures\"]}]},{\"header\":\"Details of Access Attempts\",\"contents\":[{\"key\":\"Time\",\"type\":\"timestampRange\",\"values\":[{\"start\":1708040149000,\"end\":1708648697000}]},{\"key\":\"Targeted account\",\"type\":\"string\",\"values\":[\"test@test.fr\"]},{\"key\":\"Total number of login failures\",\"type\":\"integer\",\"values\":[1136]},{\"key\":\"Reasons for login failures\",\"type\":\"string\",\"values\":[\"Sign-in was blocked because it came from an IP address with malicious activity\",\"The account is locked, you've tried to sign in too many times with an incorrect user ID or password.\",\"Error validating credentials due to invalid username or password.\"]}]},{\"header\":\"Sources of Access Attempts\",\"contents\":[{\"key\":\"Source ASNs include\",\"type\":\"string\",\"values\":[\"AS4134 Chinanet\",\"AS4837 CHINA UNICOM China169 Backbone\",\"AS4766 Korea Telecom\",\"AS9808 China Mobile Communications Group Co., Ltd.\",\"AS24560 Bharti Airtel Ltd., Telemedia Services\"]},{\"key\":\"Source IPs 
include\",\"type\":\"externalHost\",\"values\":[{\"hostname\":\"122.4.70.38\",\"ip\":\"122.4.70.38\"},{\"hostname\":\"41.207.248.204\",\"ip\":\"41.207.248.204\"},{\"hostname\":\"124.89.116.178\",\"ip\":\"124.89.116.178\"},{\"hostname\":\"121.184.235.17\",\"ip\":\"121.184.235.17\"},{\"hostname\":\"61.153.208.38\",\"ip\":\"61.153.208.38\"}]},{\"key\":\"Countries include\",\"type\":\"string\",\"values\":[\"China\",\"South Korea\",\"India\",\"United States\",\"Brazil\"]},{\"key\":\"User agent\",\"type\":\"string\",\"values\":[\"Office 365 Exchange Online\"]}]}]]}\n", "event": { "category": "network", - "kind": "event", "type": [ "info" ] 
@@ -968,7 +967,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"commentCount\": 0, \"pbid\": 36586, \"time\": 1700634482000, \"creationTime\": 1700634481000, \"model\": {\"name\": \"System::System\", \"pid\": 530, \"phid\": 4861, \"uuid\": \"1c3f429b-ccb9-46a2-b864-868653bc780a\", \"logic\": {\"data\": [9686], \"type\": \"componentList\", \"version\": 1}, \"throttle\": 10, \"sharedEndpoints\": false, \"actions\": {\"alert\": true, \"antigena\": {}, \"breach\": true, \"model\": true, \"setPriority\": false, \"setTag\": false, \"setType\": false}, \"tags\": [], \"interval\": 0, \"delay\": 0, \"sequenced\": true, \"active\": true, \"modified\": \"2021-11-24 18:04:19\", \"activeTimes\": {\"devices\": {}, \"tags\": {}, \"type\": \"exclusions\", \"version\": 2}, \"autoUpdatable\": true, \"autoUpdate\": true, \"autoSuppress\": true, \"description\": \"An issue with the system has been detected. This system alert is generated for system information that may merit further investigation. This may be due to things like probes failing to connect.\\n\\nAction: Review the system message. 
Use the status page to see additional system information that may help with diagnostics.\", \"behaviour\": \"decreasing\", \"defeats\": [], \"created\": {\"by\": \"System\"}, \"edited\": {\"by\": \"System\"}, \"version\": 16, \"priority\": 3, \"category\": \"Informational\", \"compliance\": false}, \"triggeredComponents\": [{\"time\": 1700634481000, \"cbid\": 36900, \"cid\": 9686, \"chid\": 15251, \"size\": 1, \"threshold\": 0, \"interval\": 3600, \"logic\": {\"data\": {\"left\": {\"left\": \"A\", \"operator\": \"AND\", \"right\": \"B\"}, \"operator\": \"OR\", \"right\": {\"left\": {\"left\": \"A\", \"operator\": \"AND\", \"right\": \"C\"}, \"operator\": \"OR\", \"right\": {\"left\": {\"left\": \"A\", \"operator\": \"AND\", \"right\": \"D\"}, \"operator\": \"OR\", \"right\": {\"left\": {\"left\": \"A\", \"operator\": \"AND\", \"right\": \"E\"}, \"operator\": \"OR\", \"right\": {\"left\": \"A\", \"operator\": \"AND\", \"right\": \"F\"}}}}}, \"version\": \"v0.1\"}, \"metric\": {\"mlid\": 206, \"name\": \"dtsystem\", \"label\": \"System\"}, \"triggeredFilters\": [{\"cfid\": 111299, \"id\": \"A\", \"filterType\": \"Event details\", \"arguments\": {\"value\": \"analyze credential ignore list\"}, \"comparatorType\": \"does not contain\", \"trigger\": {\"value\": \"Probe erebus-pull-mode-vsensor (54.155.33.146) last contact was 50 hours ago\"}}, {\"cfid\": 111300, \"id\": \"B\", \"filterType\": \"System message\", \"arguments\": {\"value\": \"Probe error\"}, \"comparatorType\": \"is\", \"trigger\": {\"value\": \"Probe error\"}}, {\"cfid\": 111305, \"id\": \"d1\", \"filterType\": \"Event details\", \"arguments\": {}, \"comparatorType\": \"display\", \"trigger\": {\"value\": \"Probe erebus-pull-mode-vsensor (54.155.33.146) last contact was 50 hours ago\"}}, {\"cfid\": 111306, \"id\": \"d2\", \"filterType\": \"System message\", \"arguments\": {}, \"comparatorType\": \"display\", \"trigger\": {\"value\": \"Probe error\"}}]}], \"score\": 0.674, \"device\": {\"did\": 
-1},\"log_type\":\"modelbreaches\"}", "event": { "category": "network", - "kind": "event", "type": [ "info" ] @@ -1029,7 +1027,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "CREATE_NEEDSCONFIRMATION", "category": "network", - "kind": "event", "type": [ "info" ] diff --git a/_shared_content/operations_center/integrations/generated/995d7daf-4e4a-42ec-b90d-9af2f7be7019.md b/_shared_content/operations_center/integrations/generated/995d7daf-4e4a-42ec-b90d-9af2f7be7019.md index 014ef10e56..3d2045760b 100644 --- a/_shared_content/operations_center/integrations/generated/995d7daf-4e4a-42ec-b90d-9af2f7be7019.md +++ b/_shared_content/operations_center/integrations/generated/995d7daf-4e4a-42ec-b90d-9af2f7be7019.md @@ -17,7 +17,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `network` | | Type | `denied`, `info` | @@ -40,7 +40,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "events", - "kind": "event", "type": [ "info" ] @@ -84,7 +83,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "events", - "kind": "event", "type": [ "info" ] @@ -120,7 +118,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "events", - "kind": "event", "outcome": "failure", "type": [ "denied" @@ -172,7 +169,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "events", - "kind": "event", "outcome": "success", "type": [ "allowed" @@ -230,7 +226,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "events", - "kind": "event", "type": [ "info" ] 
@@ -281,7 +276,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "events",
- "kind": "event",
 "type": [
 "info"
 ]
@@ -332,7 +326,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "events",
- "kind": "event",
 "type": [
 "info"
 ]
@@ -385,7 +378,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "events",
- "kind": "event",
 "type": [
 "info"
 ]
@@ -433,7 +425,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "events",
- "kind": "event",
 "outcome": "block",
 "type": [
 "denied"
@@ -491,7 +482,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "firewall",
- "kind": "event",
 "outcome": "allow",
 "type": [
 "allowed"
@@ -542,7 +532,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "firewall",
- "kind": "event",
 "outcome": "allow",
 "type": [
 "allowed"
@@ -593,7 +582,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "firewall",
- "kind": "event",
 "outcome": "deny",
 "type": [
 "denied"
@@ -644,7 +632,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "firewall",
- "kind": "event",
 "outcome": "deny",
 "type": [
 "denied"
@@ -695,7 +682,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "flows",
- "kind": "event",
 "outcome": "allow",
 "type": [
 "allowed"
@@ -746,7 +732,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "flows",
- "kind": "event",
 "outcome": "allow",
 "type": [
 "allowed"
@@ -797,7 +782,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "flows",
- "kind": "event",
 "outcome": "allow",
 "type": [
 "allowed"
@@ -848,7 +832,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "flows",
- "kind": "event",
 "outcome": "deny",
 "type": [
 "denied"
@@ -899,7 +882,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "flows",
- "kind": "event",
 "outcome": "deny",
 "type": [
 "denied"
@@ -950,7 +932,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "ip_flow_end",
- "kind": "event",
 "type": [
 "info"
 ]
@@ -1002,7 +983,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "ip_flow_start",
- "kind": "event",
 "type": [
 "info"
 ]
@@ -1054,7 +1034,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "urls",
- "kind": "event",
 "type": [
 "info"
 ]
@@ -1113,7 +1092,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "urls",
- "kind": "event",
 "type": [
 "info"
 ]
@@ -1172,7 +1150,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "urls",
- "kind": "event",
 "type": [
 "info"
 ]
@@ -1243,7 +1220,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "urls",
- "kind": "event",
 "type": [
 "info"
 ]
@@ -1310,7 +1286,6 @@ The following table lists the fields that are extracted, normalized under the EC |`destination.port` | `long` | Port of the destination. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.dataset` | `keyword` | Name of the dataset. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`http.request.method` | `keyword` | HTTP request method. | |`network.protocol` | `keyword` | Application protocol name. | diff --git a/_shared_content/operations_center/integrations/generated/99da26fc-bf7b-4e5b-a76c-408472fcfebb.md b/_shared_content/operations_center/integrations/generated/99da26fc-bf7b-4e5b-a76c-408472fcfebb.md index a0c421bd83..e3d8fcf513 100644 --- a/_shared_content/operations_center/integrations/generated/99da26fc-bf7b-4e5b-a76c-408472fcfebb.md +++ b/_shared_content/operations_center/integrations/generated/99da26fc-bf7b-4e5b-a76c-408472fcfebb.md @@ -14,14 +14,6 @@ The following table lists the data source offered by this integration. -In details, the following table denotes the type of events produced by this integration. - -| Name | Values | -| ---- | ------ | -| Kind | `event` | -| Category | `` | -| Type | `` | - @@ -39,7 +31,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "code": "WIN-EVENT-1111", "ingested": "2024-01-17T12:46:35.825000Z", - "kind": "event", "reason": "A User Account was changed", "severity": 4 }, @@ -150,7 +141,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "code": "COMPLIANCE-DEP-PERMISSIVE", "ingested": "2022-11-30T09:22:29.980000Z", - "kind": "event", "severity": 4 }, "@timestamp": "2022-11-30T09:22:11Z", 
@@ -271,7 +261,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "event": {
 "code": "COMPLIANCE-APP",
 "ingested": "2022-11-30T09:22:45.391000Z",
- "kind": "event",
 "severity": 4
 },
 "@timestamp": "2022-11-30T09:22:25Z",
@@ -386,7 +375,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "event": {
 "code": "EVENT-4625-Brute-Force-Attempt",
 "ingested": "2023-07-17T11:34:57.356000Z",
- "kind": "event",
 "reason": "Source IP is shuffling through 20 or more different usernames, appears to be a brute force attack",
 "severity": 5
 },
@@ -490,7 +478,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "event": {
 "code": "WIN-EVENT-4740",
 "ingested": "2025-12-12T13:59:11.487000Z",
- "kind": "event",
 "reason": "A user account was locked out.",
 "severity": 5
 },
@@ -612,7 +599,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"upload_size\":2088,\"record_identifier\":\"0242ac1200020cd6e1e0428211eebe560242ac120002\",\"ioc_severity\":5,\"ioc_detection_sigma\":\"{\\\"id\\\":\\\"EVENT-0000\\\",\\\"logsource\\\":{\\\"dedup_fields\\\":[\\\"machine_test\\\"],\\\"product\\\":\\\"windows\\\",\\\"platform\\\":\\\"windows\\\",\\\"category\\\":\\\"windows_event_user_account_locked_out\\\",\\\"references\\\":[\\\"https://test.com/event-0000\\\"]}}\",\"folded\":0,\"meta_mac_address\":\"00:11:22:33:44:55\",\"endpoint_id\":\"70599d12-fec7-4129-8844-7c6cfded4642\",\"meta_public_ip_country_code\":\"FR\",\"schema_version\":\"22\",\"ioc_detection_mitre_attack\":\"[]\",\"ioc_detection_experiment_level\":0,\"ioc_created_at\":\"2025-12-12T13:59:12.269Z\",\"ingestion_timestamp\":\"2025-12-12T13:59:11.487Z\",\"ioc_detection_attack\":\"Suspicious Activity\",\"numerics\":false,\"eventid\":4740,\"meta_public_ip\":\"1.2.3.4\",\"detection_identifier\":\"0cd6e1e0428211eebe560242ac1200020cd6e1e0428211eebe560242ac120002_0cd6e1e0428211eebe560242ac1200020cd6e1e0428211eebe560242ac120002\",\"query_name\":\"windows_query_event\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"meta_os_version\":\"1.0.2s\",\"meta_public_ip_latitude\":55.8582,\"source\":\"Security\",\"ioc_detection_licenses\":\"[\\\"License1\\\",\\\"License2\\\"]\",\"description\":\"A user account was locked out.\",\"meta_aggressive_activity\":\"False\",\"meta_ip_address\":\"1.2.3.4\",\"ingest_date\":\"2023-08-17\",\"target_domain\":\"AC000-TEST0011\",\"meta_endpoint_type\":\"server\",\"meta_domain_controller\":\"False\",\"customer_id\":\"36c536f0-4282-11ee-be56-0242ac120002\",\"ioc_detection_description\":\"Windows Event User Account Locked Out.\",\"message_identifier\":\"0cd6e1e0428211eebe560242ac1200020cd6e1e0428211eebe560242ac120002\",\"ioc_attack_type\":\"Suspicious 
Activity\",\"target_username\":\"Administrateur\",\"user_upn\":\"user.mail@company.fr\",\"ml_score_band\":\"HIGH_SUSPICION\",\"target_server\":\"TEST/1.2.3.4\",\"package\":\"TEST\",\"ioc_detection_weight\":5,\"logon_process\":\"logon_process\",\"is_process_file_signed\":\"1\",\"sha1\":\"d4baeeb9180a4284b33fa3602d86c\",\"process_cmd_line\":\"\\\"C:\\\\Program Files (x86)\\\\test.exe\\\" --te /test:5\",\"process_ml_score_band\":\"ml_score\",\"process_parent_name\":\"process_parent.exe\",\"threat_type\":\"threat_type\",\"threat_source\":\"threat_source\",\"ioc_event_path\":\"C:\\\\Program Files (x86)\\\\TEST.EXE\",\"sha256\":\"94256542e235681ba64a20bc50910dd745d52347\",\"cmdline\":\"get_test \",\"password_last_set\":\"18/08/2021 03:37:25\",\"lolbins_ml_results\":{\"score\":19,\"score_label\":\"score_label\",\"sha256\":\"dd6748642b108262f933260c3ae8\"}}", "event": { "ingested": "2025-12-12T13:59:11.487000Z", - "kind": "event", "reason": "A user account was locked out.", "severity": 5 }, @@ -756,7 +742,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "code": "WIN-EXE-ENR-ML-SUSPICIOUS-1", "ingested": "2023-08-30T15:04:17.022000Z", - "kind": "event", "severity": 5 }, "@timestamp": "2023-08-30T15:03:56Z", @@ -913,7 +898,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "code": "WIN-DET-T1547.009", "ingested": "2023-09-20T09:31:41.090000Z", - "kind": "event", "severity": 5 }, "@timestamp": "2023-09-20T09:28:15Z", 
@@ -1040,7 +1024,6 @@ The following table lists the fields that are extracted, normalized under the EC |`destination.port` | `long` | Port of the destination. | |`event.code` | `keyword` | Identification code for this event. | |`event.ingested` | `date` | Timestamp when an event arrived in the central data store. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.severity` | `long` | Numeric severity of the event. | |`file.hash.sha1` | `keyword` | SHA1 hash. | diff --git a/_shared_content/operations_center/integrations/generated/9b95c9cf-8b78-4830-a1ed-b9e88f05e67a.md b/_shared_content/operations_center/integrations/generated/9b95c9cf-8b78-4830-a1ed-b9e88f05e67a.md index 7aac8403d7..f638560521 100644 --- a/_shared_content/operations_center/integrations/generated/9b95c9cf-8b78-4830-a1ed-b9e88f05e67a.md +++ b/_shared_content/operations_center/integrations/generated/9b95c9cf-8b78-4830-a1ed-b9e88f05e67a.md @@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `alert`, `event` | +| Kind | `alert` | | Category | `file`, `host`, `intrusion_detection`, `network`, `process`, `registry` | | Type | `change`, `connection`, `info` | @@ -99,7 +99,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "file" ], "dataset": "File Event", - "kind": "event", "type": [ "change" ] @@ -159,7 +158,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "Network Connections", - "kind": "event", "type": [ "connection" ] @@ -238,7 +236,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process" ], "dataset": "Process Execution", - "kind": "event", "type": [ "info" ] 
@@ -294,7 +291,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "registry" ], "dataset": "Registry Event", - "kind": "event", "type": [ "change" ] @@ -353,7 +349,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process" ], "dataset": "RPC Call", - "kind": "event", "type": [ "info" ] @@ -409,7 +404,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "VPN", - "kind": "event", "type": [ "connection" ] diff --git a/_shared_content/operations_center/integrations/generated/9f89b634-0531-437b-b060-a9d9f2d270db.md b/_shared_content/operations_center/integrations/generated/9f89b634-0531-437b-b060-a9d9f2d270db.md index 8478250dbf..a7f732728c 100644 --- a/_shared_content/operations_center/integrations/generated/9f89b634-0531-437b-b060-a9d9f2d270db.md +++ b/_shared_content/operations_center/integrations/generated/9f89b634-0531-437b-b060-a9d9f2d270db.md @@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `alert`, `event` | +| Kind | `alert` | | Category | `file`, `host`, `intrusion_detection`, `malware`, `session` | | Type | `info` | @@ -39,7 +39,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "file" ], "code": "file_suspect", - "kind": "event", "type": [ "info" ] @@ -95,7 +94,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "code": "machine", - "kind": "event", "type": [ "info" ] @@ -138,7 +136,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "host" ], "code": "machine", - "kind": "event", "type": [ "info" ] @@ -288,7 +285,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "intrusion_detection" ], "code": "suspicion", - "kind": "event", "type": [ "info" ] 
@@ -329,7 +325,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "intrusion_detection" ], "code": "suspicion", - "kind": "event", "type": [ "info" ] @@ -376,7 +371,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "session" ], "code": "user", - "kind": "event", "type": [ "info" ] diff --git a/_shared_content/operations_center/integrations/generated/a0716ffd-5f9e-4b97-add4-30f1870e3d03.md b/_shared_content/operations_center/integrations/generated/a0716ffd-5f9e-4b97-add4-30f1870e3d03.md index f41b52a2ea..7695d8ea82 100644 --- a/_shared_content/operations_center/integrations/generated/a0716ffd-5f9e-4b97-add4-30f1870e3d03.md +++ b/_shared_content/operations_center/integrations/generated/a0716ffd-5f9e-4b97-add4-30f1870e3d03.md @@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `network` | | Type | `info` | @@ -38,7 +38,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] @@ -120,7 +119,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] @@ -186,7 +184,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] @@ -251,7 +248,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] 
@@ -371,7 +367,6 @@ The following table lists the fields that are extracted, normalized under the EC |`destination.ip` | `ip` | IP address of the destination. | |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`file.hash.md5` | `keyword` | MD5 hash. | diff --git a/_shared_content/operations_center/integrations/generated/a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb.md b/_shared_content/operations_center/integrations/generated/a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb.md index 6ce4b2a51a..8cfddfd113 100644 --- a/_shared_content/operations_center/integrations/generated/a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb.md +++ b/_shared_content/operations_center/integrations/generated/a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb.md @@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `network`, `web` | | Type | `connection`, `denied`, `error` | @@ -39,8 +39,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network", "web" ], - "duration": 3387, - "kind": "event" + "duration": 3387 }, "@timestamp": "2019-08-01T10:34:44.277000Z", "destination": { @@ -99,8 +98,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network", "web" ], - "duration": 5756, - "kind": "event" + "duration": 5756 }, "@timestamp": "2019-07-31T12:39:01.982000Z", "destination": { 
@@ -160,8 +158,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network",
 "web"
 ],
- "duration": 1717,
- "kind": "event"
+ "duration": 1717
 },
 "@timestamp": "2020-04-16T13:09:56.494000Z",
 "destination": {
@@ -222,7 +219,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "web"
 ],
 "duration": 0,
- "kind": "event",
 "type": [
 "connection",
 "denied",
@@ -284,8 +280,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network",
 "web"
 ],
- "duration": 24,
- "kind": "event"
+ "duration": 24
 },
 "@timestamp": "2019-08-12T08:33:21.353000Z",
 "destination": {
@@ -359,7 +354,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "web"
 ],
 "duration": 5007,
- "kind": "event",
 "type": [
 "connection",
 "error"
@@ -435,7 +429,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "web"
 ],
 "duration": 0,
- "kind": "event",
 "type": [
 "connection",
 "denied",
@@ -502,8 +495,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network",
 "web"
 ],
- "duration": 82,
- "kind": "event"
+ "duration": 82
 },
 "@timestamp": "2021-08-04T13:36:43.491000Z",
 "destination": {
@@ -570,8 +562,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network",
 "web"
 ],
- "duration": 549,
- "kind": "event"
+ "duration": 549
 },
 "@timestamp": "2021-08-05T08:01:50.448000Z",
 "http": {
@@ -634,7 +625,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "web"
 ],
 "duration": 5007,
- "kind": "event",
 "type": [
 "connection",
 "error"
@@ -724,7 +714,6 @@ The following table lists the fields that are extracted, normalized under the EC |`destination.port` | `long` | Port of the destination. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.duration` | `long` | Duration of the event in nanoseconds. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`http.request.method` | `keyword` | HTTP request method. | |`http.request.referrer` | `keyword` | Referrer for this HTTP request. | diff --git a/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af.md b/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af.md index 1d6f55be28..4fde451f18 100644 --- a/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af.md +++ b/_shared_content/operations_center/integrations/generated/a14b1141-2d61-414b-bf79-da99b487b1af.md @@ -19,7 +19,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `alert`, `event` | +| Kind | `alert` | | Category | `authentication`, `network`, `process` | | Type | `alert`, `info`, `start` | @@ -43,7 +43,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "23003137", - "kind": "event", "outcome": "success", "severity": 8, "type": [ @@ -124,7 +123,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "Bad TCP checksum", - "kind": "event", "outcome": "success", "severity": 8, "type": [ @@ -196,7 +194,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "23003139", - "kind": "event", "outcome": "success", "severity": 8, "type": [ 
@@ -279,7 +276,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "category": [
 "network"
 ],
- "kind": "event",
 "outcome": "error",
 "reason": "ssl_codec_rx:2314: alert(46) received alert",
 "type": "alert"
@@ -325,7 +321,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "category": [
 "authentication"
 ],
- "kind": "event",
 "type": [
 "info"
 ]
@@ -360,7 +355,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "category": [
 "authentication"
 ],
- "kind": "event",
 "type": [
 "start"
 ]
@@ -395,7 +389,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "category": [
 "authentication"
 ],
- "kind": "event",
 "type": [
 "start"
 ]
@@ -431,7 +424,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "category": [
 "process"
 ],
- "kind": "event",
 "type": [
 "start"
 ]
@@ -469,7 +461,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "category": [
 "network"
 ],
- "kind": "event",
 "type": [
 "info"
 ]
@@ -660,7 +651,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "code": "Successful Request",
- "kind": "event",
 "outcome": "success",
 "severity": 2,
 "type": [
@@ -756,7 +746,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "category": [
 "network"
 ],
- "kind": "event",
 "type": [
 "info"
 ]
@@ -833,7 +822,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "category": [
 "network"
 ],
- "kind": "event",
 "type": [
 "info"
 ]
@@ -893,7 +881,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "category": [
 "network"
 ],
- "kind": "event",
 "type": [
 "info"
 ]
@@ -953,21 +940,20 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", + "reason": "Sec-Fetch-User: ?1", "type": [ "info" ] }, + "action": { + "type": "tmm1" + }, "os": { "family": "linux", "platform": "linux" }, - "sekoiaio": { - "intake": { - "parsing_warnings": [ - "No fields extracted from original event" - ] - } + "rule": { + "name": "/Common/Log-all-the-HTTP-Requests" } } @@ -984,7 +970,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", + "reason": "DNT: 1", "type": [ "info" ] @@ -1014,7 +1000,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", + "reason": "Request: GET example.com/a/path/to/an/image.png", "type": [ "info" ] @@ -1052,7 +1038,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", + "reason": "Referer: https://example.com/a/path/to/anywhere", "type": [ "info" ] @@ -1087,7 +1073,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "outcome": "failed", "type": [ "info" @@ -1139,7 +1124,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "Successful Request", - "kind": "event", "outcome": "success", "severity": 2, "type": [ @@ -1238,7 +1222,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "200021069", - "kind": "event", "outcome": "success", "severity": 5, "type": [ diff --git a/_shared_content/operations_center/integrations/generated/a406a8c1-e1e0-4fe9-835b-3607d01150e6.md b/_shared_content/operations_center/integrations/generated/a406a8c1-e1e0-4fe9-835b-3607d01150e6.md index 1fbd309a80..d759f4349a 100644 
--- a/_shared_content/operations_center/integrations/generated/a406a8c1-e1e0-4fe9-835b-3607d01150e6.md +++ b/_shared_content/operations_center/integrations/generated/a406a8c1-e1e0-4fe9-835b-3607d01150e6.md @@ -12,14 +12,6 @@ The following table lists the data source offered by this integration. -In details, the following table denotes the type of events produced by this integration. - -| Name | Values | -| ---- | ------ | -| Kind | `event` | -| Category | `` | -| Type | `` | - @@ -36,7 +28,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Netwrix|Exchange Online|1.0|Added|Added Mailbox|0|shost=REDACTED cat=Mailbox suser=user@acme.wtf filePath=REDACTED start=d\u00e9c. 01 2022 13:40:34 GMT msg=Name: \"REDACTED\", Alias: \"REDACTED_ALIAS\", Email Address: \"redacted@acme.onmicrosoft.com\", Display Name: \"REDACTED\", Equipment: \"True\", Windows Live ID: \"redacted@acme.onmicrosoft.com\"", "event": { "code": "added", - "kind": "event", "reason": "Name: \"REDACTED\", Alias: \"REDACTED_ALIAS\", Email Address: \"redacted@acme.onmicrosoft.com\", Display Name: \"REDACTED\", Equipment: \"True\", Windows Live ID: \"redacted@acme.onmicrosoft.com\"", "severity": 0, "start": "2022-12-01T13:40:34Z" 
@@ -62,7 +53,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Netwrix|Exchange Online|1.0|Modified|Modified Calendar Processing|0|shost=PAWPR07MB9321 cat=Calendar Processing suser=user@acme.tld filePath= start=d\u00e9c. 01 2022 13:41:23 GMT msg=Resource Delegates changed, All Book In Policy changed to \"False\", All Request In Policy changed to \"True\", Allow Recurring Meetings changed to \"False\", Booking Window In Days changed to \"0\", Maximum Duration In Minutes changed to \"0\"", "event": { "code": "modified", - "kind": "event", "reason": "Resource Delegates changed, All Book In Policy changed to \"False\", All Request In Policy changed to \"True\", Allow Recurring Meetings changed to \"False\", Booking Window In Days changed to \"0\", Maximum Duration In Minutes changed to \"0\"", "severity": 0, "start": "2022-12-01T13:41:23Z" @@ -88,7 +78,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Netwrix|Exchange Online|1.0|Modified|Modified Conditional Access Policy|0|shost=redatec cat=Conditional Access Policy suser=ACME\\Administrator (Microsoft.Office.Datacenter.Torus.PowerShellWorker) filePath=some-uuid start=d\u00e9c. 01 2022 12:19:45 GMT msg=Policy Details changed to \"{\"DummyKnownNetworkPolicy\":\"\"}\", Policy Last Updated Time changed to \"12/1/2022 12:19:45 PM\", Tenant Default Policy changed to \"6\", Display Name changed to \"Policy Display Name\", Policy Identifier String changed to \"10/5/2022 7:27:35 AM\"", "event": { "code": "modified", - "kind": "event", "reason": "Policy Details changed to \"{\"DummyKnownNetworkPolicy\":\"\"}\", Policy Last Updated Time changed to \"12/1/2022 12:19:45 PM\", Tenant Default Policy changed to \"6\", Display Name changed to \"Policy Display Name\", Policy Identifier String changed to \"10/5/2022 7:27:35 AM\"", "severity": 0, "start": "2022-12-01T12:19:45Z" 
@@ -120,7 +109,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Netwrix|Exchange Online|1.0|Modified|Modified Mailbox|0|shost=REDACTED cat=Mailbox suser=user@acme.tld filePath=Redacted start=d\u00e9c. 01 2022 13:40:37 GMT msg=Office changed to \"SaaS\"", "event": { "code": "modified", - "kind": "event", "reason": "Office changed to \"SaaS\"", "severity": 0, "start": "2022-12-01T13:40:37Z" @@ -146,7 +134,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Netwrix|Logon Activity|1.0|Logoff|Logoff Interactive logon|0|shost=server.acme.wtf cat=Interactive logon suser=Acme Domain\\user filePath=server.acme.wtf start=d\u00e9c. 01 2022 12:42:08 GMT msg=Session duration: 2 hours 1 minute.", "event": { "code": "logoff", - "kind": "event", "reason": "Session duration: 2 hours 1 minute.", "severity": 0, "start": "2022-12-01T12:42:08Z" @@ -188,7 +175,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Netwrix|Logon Activity|1.0|Failed Logon|Failed Logon Logon|0|shost=server.acme.tld cat=Logon suser=user filePath=N/A start=nov. 29 2022 14:51:57 GMT msg=Cause: User logon with misspelled or bad user account", "event": { "code": "failed logon", - "kind": "event", "reason": "Cause: User logon with misspelled or bad user account", "severity": 0, "start": "2022-11-29T14:51:57Z" @@ -227,7 +213,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "CEF:0|Netwrix|Logon Activity|1.0|Successful Logon|Successful Logon Interactive logon|0|shost=server.acme.wtf cat=Interactive logon suser=domain\\user filePath=server.acme.wtf start=d\u00e9c. 01 2022 13:35:20 GMT", "event": { "code": "successful logon", - "kind": "event", "severity": 0, "start": "2022-12-01T13:35:20Z" }, 
@@ -269,7 +254,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "added document", "code": "added", - "kind": "event", "severity": 0, "start": "2022-12-01T12:38:40Z" }, @@ -300,7 +284,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "modified document", "code": "modified", - "kind": "event", "severity": 0, "start": "2022-11-29T14:49:11Z" }, @@ -331,7 +314,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "renamed document", "code": "renamed", - "kind": "event", "severity": 0, "start": "2022-11-29T14:31:21Z" }, @@ -364,7 +346,6 @@ The following table lists the fields that are extracted, normalized under the EC | ---- | ---- | ---------------------------| |`event.action` | `keyword` | The action captured by the event. | |`event.code` | `keyword` | Identification code for this event. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.severity` | `long` | Numeric severity of the event. | |`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. | diff --git a/_shared_content/operations_center/integrations/generated/ab25af2e-4916-40ba-955c-34d2301c1f51.md b/_shared_content/operations_center/integrations/generated/ab25af2e-4916-40ba-955c-34d2301c1f51.md index b54ffa1c0e..d99b7da6f5 100644 --- a/_shared_content/operations_center/integrations/generated/ab25af2e-4916-40ba-955c-34d2301c1f51.md +++ b/_shared_content/operations_center/integrations/generated/ab25af2e-4916-40ba-955c-34d2301c1f51.md @@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `web` | | Type | `` | 
@@ -39,7 +39,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "web" ], "dataset": "access", - "kind": "event", "type": [ "access" ] @@ -101,7 +100,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "web" ], "dataset": "access", - "kind": "event", "type": [ "error" ] @@ -166,7 +164,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "web" ], "dataset": "access", - "kind": "event", "type": [ "access" ] @@ -238,7 +235,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "web" ], "dataset": "access", - "kind": "event", "type": [ "access" ] @@ -310,7 +306,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "web" ], "dataset": "access", - "kind": "event", "type": [ "access" ] @@ -378,7 +373,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "web" ], "dataset": "access", - "kind": "event", "type": [ "error" ] @@ -441,7 +435,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "web" ], "dataset": "access", - "kind": "event", "type": [ "error" ] @@ -495,7 +488,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "web" ], "dataset": "access", - "kind": "event", "type": [ "access" ] @@ -551,7 +543,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "dataset": "access", "duration": 7000000.0, - "kind": "event", "outcome": "success", "type": [ "error" @@ -631,7 +622,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "dataset": "access", "duration": 3000000.0, - "kind": "event", "outcome": "failure", "type": [ "access" @@ -713,7 +703,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "dataset": "access", "duration": 8000000.0, - "kind": "event", "outcome": "success", "type": [ "access" 
@@ -795,7 +784,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "dataset": "access", "duration": 0.0, - "kind": "event", "outcome": "failure", "type": [ "access" @@ -869,7 +857,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "web" ], "dataset": "access", - "kind": "event", "type": [ "access" ] @@ -941,7 +928,6 @@ The following table lists the fields that are extracted, normalized under the EC |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.dataset` | `keyword` | Name of the dataset. | |`event.duration` | `long` | Duration of the event in nanoseconds. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`host.name` | `keyword` | Name of the host. | |`http.request.method` | `keyword` | HTTP request method. | diff --git a/_shared_content/operations_center/integrations/generated/aeb7d407-db57-44b2-90b6-7df6738d5d7f.md b/_shared_content/operations_center/integrations/generated/aeb7d407-db57-44b2-90b6-7df6738d5d7f.md index 277461b2b4..528cb1699b 100644 --- a/_shared_content/operations_center/integrations/generated/aeb7d407-db57-44b2-90b6-7df6738d5d7f.md +++ b/_shared_content/operations_center/integrations/generated/aeb7d407-db57-44b2-90b6-7df6738d5d7f.md @@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `authentication` | | Type | `info` | @@ -39,7 +39,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "freeradius.authentication", - "kind": "event", "type": [ "info" ] 
@@ -79,7 +78,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "freeradius.authentication", - "kind": "event", "reason": "Rejected: User-Name contains whitespace", "type": [ "info" @@ -121,7 +119,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "freeradius.authentication", - "kind": "event", "reason": "No Auth-Type found: rejecting the user via Post-Auth-Type = Reject", "type": [ "info" @@ -160,7 +157,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "freeradius.authentication", - "kind": "event", "reason": "The users session was previously rejected: returning reject (again.)", "type": [ "info" @@ -201,7 +197,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "freeradius.authentication", - "kind": "event", "type": [ "info" ] @@ -242,7 +237,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "freeradius.authentication", - "kind": "event", "type": [ "info" ] @@ -290,7 +284,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "freeradius.authentication", - "kind": "event", "type": [ "info" ] @@ -328,7 +321,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "freeradius.authentication", - "kind": "event", "type": [ "info" ] @@ -368,7 +360,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "freeradius.authentication", - "kind": "event", "type": [ "info" ] @@ -412,7 +403,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "freeradius.authentication", - "kind": "event", "type": [ "info" ] 
@@ -450,7 +440,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "freeradius.authentication", - "kind": "event", "type": [ "info" ] @@ -490,7 +479,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "freeradius.authentication", - "kind": "event", "type": [ "info" ] @@ -536,7 +524,6 @@ The following table lists the fields that are extracted, normalized under the EC |`destination.port` | `long` | Port of the destination. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.dataset` | `keyword` | Name of the dataset. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`freeradius.outcome` | `keyword` | The outcome of the event | diff --git a/_shared_content/operations_center/integrations/generated/b28db14b-e3a7-463e-8659-9bf0e577944f.md b/_shared_content/operations_center/integrations/generated/b28db14b-e3a7-463e-8659-9bf0e577944f.md index 584a49cfb4..61146613f8 100644 --- a/_shared_content/operations_center/integrations/generated/b28db14b-e3a7-463e-8659-9bf0e577944f.md +++ b/_shared_content/operations_center/integrations/generated/b28db14b-e3a7-463e-8659-9bf0e577944f.md @@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `authentication`, `network`, `session` | | Type | `end`, `protocol`, `start` | @@ -38,7 +38,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "outcome": "success", "type": [ "start" 
@@ -98,7 +97,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "outcome": "success", "type": [ "start" @@ -158,7 +156,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "outcome": "success", "type": [ "start" @@ -226,7 +223,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "session" ], - "kind": "event", "outcome": "failure", "type": [ "end" @@ -284,7 +280,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "outcome": "failure", "type": [ "end" @@ -339,7 +334,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "outcome": "failure", "type": [ "protocol" @@ -385,7 +379,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "outcome": "success", "type": [ "end" @@ -431,7 +424,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "outcome": "success", "type": [ "end" @@ -486,7 +478,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "outcome": "success", "type": [ "end" @@ -541,7 +532,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "outcome": "success", "type": [ "end" @@ -596,7 +586,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "outcome": "success", "type": [ "end" @@ -642,7 +631,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "outcome": "success", "type": [ "end" 
@@ -688,7 +676,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "outcome": "success", "type": [ "end" @@ -734,7 +721,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "outcome": "success", "type": [ "end" @@ -789,7 +775,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "outcome": "success", "type": [ "end" @@ -844,7 +829,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "outcome": "success", "type": [ "end" @@ -899,7 +883,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "outcome": "failure", "type": [ "end" @@ -954,7 +937,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "outcome": "failure", "type": [ "end" @@ -1012,7 +994,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "outcome": "failure", "type": [ "end" @@ -1061,7 +1042,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "session" ], - "kind": "event", "outcome": "failure", "type": [ "end" @@ -1097,7 +1077,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "session" ], - "kind": "event", "outcome": "failure", "type": [ "end" @@ -1143,7 +1122,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "outcome": "failure", "type": [ "end" 
@@ -1188,7 +1166,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "outcome": "success", "type": [ "start" @@ -1237,7 +1214,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "outcome": "failure", "type": [ "end" @@ -1293,7 +1269,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "session" ], - "kind": "event", "outcome": "success", "type": [ "end" @@ -1342,7 +1317,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "session" ], - "kind": "event", "outcome": "success", "type": [ "start" @@ -1391,7 +1365,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "outcome": "success", "type": [ "end" @@ -1437,7 +1410,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "outcome": "success", "type": [ "end" @@ -1483,7 +1455,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "outcome": "success", "type": [ "end" @@ -1529,7 +1500,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "outcome": "success", "type": [ "end" @@ -1575,7 +1545,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "session" ], - "kind": "event", "outcome": "failure", "type": [ "end" @@ -1621,7 +1590,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "outcome": "failure", "type": [ "end" 
@@ -1676,7 +1644,6 @@ The following table lists the fields that are extracted, normalized under the EC | ---- | ---- | ---------------------------| |`action.target` | `keyword` | | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.outcome` | `keyword` | The outcome of the event. The lowest level categorization field in the hierarchy. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`file.hash.sha256` | `keyword` | SHA256 hash. | diff --git a/_shared_content/operations_center/integrations/generated/b2d961ae-0f7e-400b-879a-f97be24cc02d.md b/_shared_content/operations_center/integrations/generated/b2d961ae-0f7e-400b-879a-f97be24cc02d.md index 441fc83355..69eec970ee 100644 --- a/_shared_content/operations_center/integrations/generated/b2d961ae-0f7e-400b-879a-f97be24cc02d.md +++ b/_shared_content/operations_center/integrations/generated/b2d961ae-0f7e-400b-879a-f97be24cc02d.md @@ -20,7 +20,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `authentication`, `intrusion_detection` | | Type | `start` | @@ -43,7 +43,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "intrusion_detection" ], - "kind": "event", "reason": "Realtime", "severity": 6, "type": [ @@ -113,7 +112,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "intrusion_detection" ], - "kind": "event", "reason": "Apache HTTP Server 'mod_sed' Denial Of Service Vulnerability (CVE-2022-30522)", "severity": 6, "type": [ 
@@ -184,7 +182,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "intrusion_detection" ], - "kind": "event", "reason": "notWhitelisted", "severity": 6, "type": [ @@ -253,7 +250,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "intrusion_detection" ], - "kind": "event", "reason": "Device Control DeviceControl", "severity": 6, "type": [ @@ -296,7 +292,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "intrusion_detection" ], - "kind": "event", "reason": "Log for TCP Port 80", "type": [ "info" @@ -366,7 +361,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "intrusion_detection" ], - "kind": "event", "reason": "lastModified,sha1,size", "severity": 6, "type": [ @@ -426,7 +420,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "intrusion_detection" ], - "kind": "event", "reason": "Test Intrusion Prevention Rule", "severity": 3, "type": [ @@ -498,7 +491,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "intrusion_detection" ], - "kind": "event", "reason": "WinEvtLog Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-RM6HM42G65V: An account failed to log on. Subject: ..", "severity": 8, "type": [ @@ -563,7 +555,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "reason": "User signed in from 2001:db8::5", "severity": 3, "type": [ @@ -614,7 +605,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "intrusion_detection" ], - "kind": "event", "reason": "Blocked By Admin", "severity": 5, "type": [ 
@@ -664,7 +654,6 @@ The following table lists the fields that are extracted, normalized under the EC |`destination.user.name` | `keyword` | Short name or login of the user. | |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.risk_score_norm` | `float` | Normalized risk score or priority of the event (0-100). | |`event.severity` | `long` | Numeric severity of the event. | diff --git a/_shared_content/operations_center/integrations/generated/ba40ab72-1456-11ee-be56-0242ac120002.md b/_shared_content/operations_center/integrations/generated/ba40ab72-1456-11ee-be56-0242ac120002.md index 1fa23c751b..3b7024982b 100644 --- a/_shared_content/operations_center/integrations/generated/ba40ab72-1456-11ee-be56-0242ac120002.md +++ b/_shared_content/operations_center/integrations/generated/ba40ab72-1456-11ee-be56-0242ac120002.md @@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `intrusion_detection`, `process` | | Type | `` | @@ -38,7 +38,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "intrusion_detection" ], - "kind": "event", "type": [ "denied" ] 
@@ -131,7 +130,6 @@ The following table lists the fields that are extracted, normalized under the EC |`destination.port` | `long` | Port of the destination. | |`destination.user.name` | `keyword` | Short name or login of the user. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`host.name` | `keyword` | Name of the host. | |`observer.product` | `keyword` | The product name of the observer. | |`observer.vendor` | `keyword` | Vendor name of the observer. | diff --git a/_shared_content/operations_center/integrations/generated/bae128bb-98c6-45f7-9763-aad3451821e5.md b/_shared_content/operations_center/integrations/generated/bae128bb-98c6-45f7-9763-aad3451821e5.md index 58a45ab0cc..f8c15d6209 100644 --- a/_shared_content/operations_center/integrations/generated/bae128bb-98c6-45f7-9763-aad3451821e5.md +++ b/_shared_content/operations_center/integrations/generated/bae128bb-98c6-45f7-9763-aad3451821e5.md @@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `` | | Type | `info` | 
@@ -35,63 +35,62 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trellix|MPS|10.0.0.992057|DM|domain-match|1|src=1.2.3.4 spt=48255 smac=6c:af:1a:fb:fe:a7 dst=5.6.7.8 dpt=53 dmac=00:78:db:db:96:f6 dvchost=cms-nx5600-1.eng.fireeye.com dvc=3.4.5.6 cn1Label=vlan cn1=0 cn2Label=sid cn2=93000001 cn3Label=cncPort cn3=53 cs1Label=sname cs1=DTI:Bot.Mariposa.DNS cs4Label=link cs4=https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=cd467397-8c43-4e03-acaa-398cf2e8c612 cs5Label=cncHost cs5=butterfly.bigmoney.biz proto=udp rt=Sep 05 2023 16:47:48 UTC externalId=20967020 act=notified devicePayloadId=cd467397-8c43-4e03-acaa-398cf2e8c612 start=Sep 05 2023 16:47:48 UTC dvcmac=e3:e9:d0:5e:ba:8e", "event": { - "kind": "event", - "dataset": "domain-match", - "severity": 1, - "start": "2023-09-05T16:47:48Z", "action": "notified", - "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=cd467397-8c43-4e03-acaa-398cf2e8c612", "category": [ "network" ], + "dataset": "domain-match", + "severity": 1, + "start": "2023-09-05T16:47:48Z", "type": [ "info" - ] + ], + "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=cd467397-8c43-4e03-acaa-398cf2e8c612" }, "@timestamp": "2023-09-05T16:47:48Z", + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "mac": "00:78:db:db:96:f6", + "port": 53 + }, + "network": { + "transport": "udp" + }, "observer": { - "vendor": "Trellix", - "product": "MPS", - "version": "10.0.0.992057", + "hostname": "cms-nx5600-1.eng.fireeye.com", "ip": [ "3.4.5.6" ], - "hostname": "cms-nx5600-1.eng.fireeye.com", "mac": [ "e3:e9:d0:5e:ba:8e" - ] - }, - "network": { - "transport": "udp" - }, - "trellix": { - "nx": { - "sname": "DTI:Bot.Mariposa.DNS", - "cnc_port": "53", - "cnc_host": "butterfly.bigmoney.biz" - } - }, - "destination": { - "port": 53, - "ip": "5.6.7.8", - "mac": "00:78:db:db:96:f6", - "address": "5.6.7.8" - }, - "source": { - "port": 48255, - "ip": "1.2.3.4", - 
"mac": "6c:af:1a:fb:fe:a7", - "address": "1.2.3.4" + ], + "product": "MPS", + "vendor": "Trellix", + "version": "10.0.0.992057" }, "related": { + "hosts": [ + "cms-nx5600-1.eng.fireeye.com" + ], "ip": [ "1.2.3.4", "3.4.5.6", "5.6.7.8" - ], - "hosts": [ - "cms-nx5600-1.eng.fireeye.com" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "6c:af:1a:fb:fe:a7", + "port": 48255 + }, + "trellix": { + "nx": { + "cnc_host": "butterfly.bigmoney.biz", + "cnc_port": "53", + "sname": "DTI:Bot.Mariposa.DNS" + } } } 
@@ -105,80 +104,79 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trellix|MPS|10.0.0.992057|IM|infection-match|1|spt=1046 smac=6c:af:1a:fb:fe:a7 dpt=80 dmac=00:78:db:db:96:f6 dvchost=cms-nx5600-1.eng.fireeye.com dvc=3.4.5.6 cn1Label=vlan cn1=0 cn2Label=sid cn2=607378 cn3Label=cncPort cn3=80 cs1Label=sname cs1=Local.Infection cs4Label=link cs4=https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=2cededd4-cb4b-42de-9d7e-8e1ce56a9fe6 cs5Label=cncHost cs5=2011::1:6377:90aa cs6Label=channel cs6=GET /m/web.php HTTP/1.1::~~Host: zebrabel1.co.cc::~~User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5::~~Accept: text/html,application/xhtml+xml,application/xml;q\\=0.9,*/*;q\\=0.8::~~Accept-Language: en-us,en;q\\=0.5::~~Accept-Encoding: gzip,deflate::~~Accept-Charset: ISO-8859-1,utf-8;q\\=0.7,*;q\\=0.7::~~Keep-Alive: 300::~~Connection: keep-alive::~~Referer: http://zebrabel1.co.cc/m/::~~::~~ proto=tcp rt=Sep 05 2023 16:28:55 UTC externalId=20966332 act=notified c6a3=1c83:125e:807c:d317:d732:d30b:6af0:d34f c6a3Label=Attacker IP c6a2=decc:4ab1:133a:f9ce:18d2:7c83:2142:601e c6a2Label=Victim IP requestMethod=GET requestClientApplication=Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 requestContext=http://zebrabel1.co.cc/m/ devicePayloadId=2cededd4-cb4b-42de-9d7e-8e1ce56a9fe6 start=Sep 05 2023 16:28:55 UTC dvcmac=e3:e9:d0:5e:ba:8e", "event": { - "kind": "event", - "dataset": "infection-match", - "severity": 1, - "start": "2023-09-05T16:28:55Z", "action": "notified", - "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=2cededd4-cb4b-42de-9d7e-8e1ce56a9fe6", "category": [ "intrusion_detection" ], + "dataset": "infection-match", + "severity": 1, + "start": "2023-09-05T16:28:55Z", "type": [ "info" - ] + ], + "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=2cededd4-cb4b-42de-9d7e-8e1ce56a9fe6" }, 
"@timestamp": "2023-09-05T16:28:55Z", + "destination": { + "address": "decc:4ab1:133a:f9ce:18d2:7c83:2142:601e", + "ip": "decc:4ab1:133a:f9ce:18d2:7c83:2142:601e", + "mac": "00:78:db:db:96:f6", + "port": 80 + }, + "http": { + "request": { + "method": "GET" + } + }, + "network": { + "transport": "tcp" + }, "observer": { - "vendor": "Trellix", - "product": "MPS", - "version": "10.0.0.992057", + "hostname": "cms-nx5600-1.eng.fireeye.com", "ip": [ "3.4.5.6" ], - "hostname": "cms-nx5600-1.eng.fireeye.com", "mac": [ "e3:e9:d0:5e:ba:8e" + ], + "product": "MPS", + "vendor": "Trellix", + "version": "10.0.0.992057" + }, + "related": { + "hosts": [ + "cms-nx5600-1.eng.fireeye.com" + ], + "ip": [ + "1c83:125e:807c:d317:d732:d30b:6af0:d34f", + "3.4.5.6", + "decc:4ab1:133a:f9ce:18d2:7c83:2142:601e" ] }, - "network": { - "transport": "tcp" + "source": { + "address": "1c83:125e:807c:d317:d732:d30b:6af0:d34f", + "ip": "1c83:125e:807c:d317:d732:d30b:6af0:d34f", + "mac": "6c:af:1a:fb:fe:a7", + "port": 1046 }, - "http": { - "request": { - "method": "GET" + "trellix": { + "nx": { + "cnc_host": "2011::1:6377:90aa", + "cnc_port": "80", + "sname": "Local.Infection" } }, "user_agent": { - "original": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5", "device": { "name": "Other" }, "name": "Firefox Beta", - "version": "3.0.b5", + "original": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5", "os": { "name": "Windows", "version": "XP" - } - }, - "trellix": { - "nx": { - "sname": "Local.Infection", - "cnc_port": "80", - "cnc_host": "2011::1:6377:90aa" - } - }, - "destination": { - "port": 80, - "mac": "00:78:db:db:96:f6", - "ip": "decc:4ab1:133a:f9ce:18d2:7c83:2142:601e", - "address": "decc:4ab1:133a:f9ce:18d2:7c83:2142:601e" - }, - "source": { - "port": 1046, - "mac": "6c:af:1a:fb:fe:a7", - "ip": "1c83:125e:807c:d317:d732:d30b:6af0:d34f", - "address": "1c83:125e:807c:d317:d732:d30b:6af0:d34f" - }, - "related": 
{ - "ip": [ - "1c83:125e:807c:d317:d732:d30b:6af0:d34f", - "3.4.5.6", - "decc:4ab1:133a:f9ce:18d2:7c83:2142:601e" - ], - "hosts": [ - "cms-nx5600-1.eng.fireeye.com" - ] + }, + "version": "3.0.b5" } } 
@@ -192,61 +190,60 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trellix|MPS|10.0.0.992057|IE|ips-event|7|externalId=3463232 rt=Sep 05 2023 16:46:51 UTC proto=tcp src=1.2.3.4 spt=80 smac=6c:af:1a:fb:fe:a7 dst=5.6.7.8 dpt=1109 dmac=00:78:db:db:96:f6 cnt=1 cs1Label=sname cs1=Exploit Kit Landing Page act=notified dvchost=cms-nx5600-1.eng.fireeye.com dvc=3.4.5.6 dvcmac=e3:e9:d0:5e:ba:8e cn2=85305161 cn2Label=sid cfp1=12 cfp1Label=signature revision cs4=https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=6682a2ba-bf3e-4c12-b7a1-822d648132fd cs4Label=link flexString2=client flexString2Label=attack mode msg=MVX Correlation Status:N/A cn1=0 cn1Label=vlan", "event": { - "kind": "event", - "dataset": "ips-event", - "severity": 7, "action": "notified", - "reason": "MVX Correlation Status:N/A", - "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=6682a2ba-bf3e-4c12-b7a1-822d648132fd", "category": [ "intrusion_detection" ], + "dataset": "ips-event", + "reason": "MVX Correlation Status:N/A", + "severity": 7, "type": [ "info" - ] + ], + "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=6682a2ba-bf3e-4c12-b7a1-822d648132fd" }, "@timestamp": "2023-09-05T16:46:51Z", + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "mac": "00:78:db:db:96:f6", + "port": 1109 + }, + "network": { + "transport": "tcp" + }, "observer": { - "vendor": "Trellix", - "product": "MPS", - "version": "10.0.0.992057", + "hostname": "cms-nx5600-1.eng.fireeye.com", "ip": [ "3.4.5.6" ], - "hostname": "cms-nx5600-1.eng.fireeye.com", "mac": [ "e3:e9:d0:5e:ba:8e" - ] - }, - "network": { - "transport": "tcp" - }, - "trellix": { - "nx": { - "sname": "Exploit Kit Landing Page" - } - }, - "destination": { - "port": 1109, - "ip": "5.6.7.8", - "mac": "00:78:db:db:96:f6", - "address": "5.6.7.8" - }, - "source": { - "port": 80, - "ip": "1.2.3.4", - "mac": "6c:af:1a:fb:fe:a7", - "address": "1.2.3.4" + ], + 
"product": "MPS", + "vendor": "Trellix", + "version": "10.0.0.992057" }, "related": { + "hosts": [ + "cms-nx5600-1.eng.fireeye.com" + ], "ip": [ "1.2.3.4", "3.4.5.6", "5.6.7.8" - ], - "hosts": [ - "cms-nx5600-1.eng.fireeye.com" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "6c:af:1a:fb:fe:a7", + "port": 80 + }, + "trellix": { + "nx": { + "sname": "Exploit Kit Landing Page" + } } } 
@@ -260,68 +257,67 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trellix|MPS|10.0.0.992057|MC|malware-callback|7|src=1.2.3.4 spt=1133 smac=6c:af:1a:fb:fe:a7 dst=5.6.7.8 dpt=443 dmac=00:78:db:db:96:f6 dvchost=cms-nx5600-1.eng.fireeye.com dvc=3.4.5.6 cn1Label=vlan cn1=0 cn2Label=sid cn2=33332506 cn3Label=cncPort cn3=443 cs1Label=sname cs1=Bot.Pushdo.C1 cs4Label=link cs4=https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=8a4875e0-195e-436a-b3a1-e2a52c544d4b cs5Label=cncHost cs5=223.92.214.59 proto=tcp rt=Sep 05 2023 16:28:40 UTC shost=ip-095-223-164-201.um35.pools.vodafone-ip.de externalId=20966324 act=notified devicePayloadId=8a4875e0-195e-436a-b3a1-e2a52c544d4b start=Sep 05 2023 16:28:40 UTC dvcmac=e3:e9:d0:5e:ba:8e", "event": { - "kind": "event", - "dataset": "malware-callback", - "severity": 7, - "start": "2023-09-05T16:28:40Z", "action": "notified", - "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=8a4875e0-195e-436a-b3a1-e2a52c544d4b", "category": [ "intrusion_detection" ], + "dataset": "malware-callback", + "severity": 7, + "start": "2023-09-05T16:28:40Z", "type": [ "info" - ] + ], + "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=8a4875e0-195e-436a-b3a1-e2a52c544d4b" }, "@timestamp": "2023-09-05T16:28:40Z", + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "mac": "00:78:db:db:96:f6", + "port": 443 + }, + "network": { + "transport": "tcp" + }, "observer": { - "vendor": "Trellix", - "product": "MPS", - "version": "10.0.0.992057", + "hostname": "cms-nx5600-1.eng.fireeye.com", "ip": [ "3.4.5.6" ], - "hostname": "cms-nx5600-1.eng.fireeye.com", "mac": [ "e3:e9:d0:5e:ba:8e" - ] - }, - "network": { - "transport": "tcp" - }, - "trellix": { - "nx": { - "sname": "Bot.Pushdo.C1", - "cnc_port": "443", - "cnc_host": "223.92.214.59" - } - }, - "destination": { - "port": 443, - "ip": "5.6.7.8", - "mac": "00:78:db:db:96:f6", - "address": "5.6.7.8" - }, - 
"source": { - "port": 1133, - "ip": "1.2.3.4", - "domain": "ip-095-223-164-201.um35.pools.vodafone-ip.de", - "mac": "6c:af:1a:fb:fe:a7", - "address": "ip-095-223-164-201.um35.pools.vodafone-ip.de", - "top_level_domain": "de", - "subdomain": "ip-095-223-164-201.um35.pools", - "registered_domain": "vodafone-ip.de" + ], + "product": "MPS", + "vendor": "Trellix", + "version": "10.0.0.992057" }, "related": { + "hosts": [ + "cms-nx5600-1.eng.fireeye.com", + "ip-095-223-164-201.um35.pools.vodafone-ip.de" + ], "ip": [ "1.2.3.4", "3.4.5.6", "5.6.7.8" - ], - "hosts": [ - "cms-nx5600-1.eng.fireeye.com", - "ip-095-223-164-201.um35.pools.vodafone-ip.de" ] + }, + "source": { + "address": "ip-095-223-164-201.um35.pools.vodafone-ip.de", + "domain": "ip-095-223-164-201.um35.pools.vodafone-ip.de", + "ip": "1.2.3.4", + "mac": "6c:af:1a:fb:fe:a7", + "port": 1133, + "registered_domain": "vodafone-ip.de", + "subdomain": "ip-095-223-164-201.um35.pools", + "top_level_domain": "de" + }, + "trellix": { + "nx": { + "cnc_host": "223.92.214.59", + "cnc_port": "443", + "sname": "Bot.Pushdo.C1" + } } } 
@@ -335,82 +331,81 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trellix|MPS|10.0.0.992057|MO|malware-object|4|src=1.2.3.4 spt=49207 smac=6c:af:1a:fb:fe:a7 dst=5.6.7.8 dpt=80 dmac=00:78:db:db:96:f6 dvchost=cms-nx5600-1.eng.fireeye.com dvc=3.4.5.6 cn1Label=vlan cn1=0 cn2Label=sid cn2=8816733 cs1Label=sname cs1=Exploit.JAVA.CVE-2013-0422.FEC2 cs4Label=link cs4=https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=860e5b30-5a8b-4159-8eb5-148ec3387e87 filePath=kentuckyautoexchange.com/tsh.jar rt=Sep 05 2023 16:28:42 UTC shost=dynamic-ip-adsl.viettel.vn fileHash=517f9835592fe08912c702c70219b20a externalId=8838994 act=notified devicePayloadId=860e5b30-5a8b-4159-8eb5-148ec3387e87 fileType=jar sproc=Java JDK JRE 7.13 fsize=13676 fname=tsh.jar flexString1Label=sha256sum flexString1=6e46b55feaeee973cfebabda18fa004b676a4be0919fd79bbad63f9f6a7a98f2 start=Sep 04 2023 11:26:23 UTC dvcmac=e3:e9:d0:5e:ba:8e", "event": { - "kind": "event", - "dataset": "malware-object", - "severity": 4, - "start": "2023-09-04T11:26:23Z", "action": "notified", - "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=860e5b30-5a8b-4159-8eb5-148ec3387e87", "category": [ "malware" ], + "dataset": "malware-object", + "severity": 4, + "start": "2023-09-04T11:26:23Z", "type": [ "info" - ] + ], + "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=860e5b30-5a8b-4159-8eb5-148ec3387e87" }, "@timestamp": "2023-09-04T11:26:23Z", + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "mac": "00:78:db:db:96:f6", + "port": 80 + }, + "file": { + "extension": "jar", + "hash": { + "md5": "517f9835592fe08912c702c70219b20a", + "sha256": "6e46b55feaeee973cfebabda18fa004b676a4be0919fd79bbad63f9f6a7a98f2" + }, + "name": "tsh.jar", + "path": "kentuckyautoexchange.com/tsh.jar", + "size": 13676 + }, "observer": { - "vendor": "Trellix", - "product": "MPS", - "version": "10.0.0.992057", + "hostname": 
"cms-nx5600-1.eng.fireeye.com", "ip": [ "3.4.5.6" ], - "hostname": "cms-nx5600-1.eng.fireeye.com", "mac": [ "e3:e9:d0:5e:ba:8e" - ] - }, - "file": { - "path": "kentuckyautoexchange.com/tsh.jar", - "name": "tsh.jar", - "hash": { - "sha256": "6e46b55feaeee973cfebabda18fa004b676a4be0919fd79bbad63f9f6a7a98f2", - "md5": "517f9835592fe08912c702c70219b20a" - }, - "size": 13676, - "extension": "jar" + ], + "product": "MPS", + "vendor": "Trellix", + "version": "10.0.0.992057" }, "process": { "parent": { "title": "Java JDK JRE 7.13" } }, - "trellix": { - "nx": { - "sname": "Exploit.JAVA.CVE-2013-0422.FEC2" - } - }, - "destination": { - "port": 80, - "ip": "5.6.7.8", - "mac": "00:78:db:db:96:f6", - "address": "5.6.7.8" - }, - "source": { - "port": 49207, - "ip": "1.2.3.4", - "domain": "dynamic-ip-adsl.viettel.vn", - "mac": "6c:af:1a:fb:fe:a7", - "address": "dynamic-ip-adsl.viettel.vn", - "top_level_domain": "vn", - "subdomain": "dynamic-ip-adsl", - "registered_domain": "viettel.vn" - }, "related": { "hash": [ "517f9835592fe08912c702c70219b20a", "6e46b55feaeee973cfebabda18fa004b676a4be0919fd79bbad63f9f6a7a98f2" ], + "hosts": [ + "cms-nx5600-1.eng.fireeye.com", + "dynamic-ip-adsl.viettel.vn" + ], "ip": [ "1.2.3.4", "3.4.5.6", "5.6.7.8" - ], - "hosts": [ - "cms-nx5600-1.eng.fireeye.com", - "dynamic-ip-adsl.viettel.vn" ] + }, + "source": { + "address": "dynamic-ip-adsl.viettel.vn", + "domain": "dynamic-ip-adsl.viettel.vn", + "ip": "1.2.3.4", + "mac": "6c:af:1a:fb:fe:a7", + "port": 49207, + "registered_domain": "viettel.vn", + "subdomain": "dynamic-ip-adsl", + "top_level_domain": "vn" + }, + "trellix": { + "nx": { + "sname": "Exploit.JAVA.CVE-2013-0422.FEC2" + } } } 
@@ -424,72 +419,71 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trellix|MPS|10.0.0.992057|RC|riskware-callback|1|rt=Sep 05 2023 16:46:47 UTC start=Sep 05 2023 16:46:47 UTC end=Sep 05 2023 16:46:47 UTC src=1.2.3.4 dst=5.6.7.8 request=hxxp://stan.mxp2142.com/abf858fda549bc190bd08eb75a07247bd98d194f57886d31b78b12ee01934bf147e3a36d2778243d1945d8a473515b6d196b33304340dfd578c64e47c8be025d7475f1090b8d3d34 cs1Label=sname cs1=Adware.Downloader.Generic act=notified dvc=3.4.5.6 dvchost=cms-nx5600-1.eng.fireeye.com dvcmac=e3:e9:d0:5e:ba:8e smac=6c:af:1a:fb:fe:a7 dmac=00:78:db:db:96:f6 spt=1072 dpt=80 cn1Label=vlan cn1=0 externalId=20966952 devicePayloadId=ae490699-29f0-4680-abb1-9db7ff757cad msg=risk ware detected:13436744 proto=tcp cs4Label=link cs4=https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=ae490699-29f0-4680-abb1-9db7ff757cad cs6Label=channel cs6=GET /abf858fda549bc190bd08eb75a07247bd98d194f57886d31b78b12ee01934bf147e3a36d2778243d1945d8a473515b6d196b33304340dfd578c64e47c8be025d7475f1090b8d3d34 HTTP/1.1::~~Accept: */*::~~Proxy-Authorization: Basic ::~~User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36::~~Host: stan.mxp2142.com::~~Connection: Keep-Alive::~~::~~", "event": { - "kind": "event", - "dataset": "riskware-callback", - "severity": 1, - "start": "2023-09-05T16:46:47Z", - "end": "2023-09-05T16:46:47Z", "action": "notified", - "reason": "risk ware detected:13436744", - "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=ae490699-29f0-4680-abb1-9db7ff757cad", "category": [ "intrusion_detection" ], + "dataset": "riskware-callback", + "end": "2023-09-05T16:46:47Z", + "reason": "risk ware detected:13436744", + "severity": 1, + "start": "2023-09-05T16:46:47Z", "type": [ "info" - ] + ], + "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=ae490699-29f0-4680-abb1-9db7ff757cad" }, "@timestamp": 
"2023-09-05T16:46:47Z", + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "mac": "00:78:db:db:96:f6", + "port": 80 + }, + "network": { + "transport": "tcp" + }, "observer": { - "vendor": "Trellix", - "product": "MPS", - "version": "10.0.0.992057", + "hostname": "cms-nx5600-1.eng.fireeye.com", "ip": [ "3.4.5.6" ], - "hostname": "cms-nx5600-1.eng.fireeye.com", "mac": [ "e3:e9:d0:5e:ba:8e" - ] + ], + "product": "MPS", + "vendor": "Trellix", + "version": "10.0.0.992057" }, - "network": { - "transport": "tcp" + "related": { + "hosts": [ + "cms-nx5600-1.eng.fireeye.com" + ], + "ip": [ + "1.2.3.4", + "3.4.5.6", + "5.6.7.8" + ] }, - "url": { - "original": "hxxp://stan.mxp2142.com/abf858fda549bc190bd08eb75a07247bd98d194f57886d31b78b12ee01934bf147e3a36d2778243d1945d8a473515b6d196b33304340dfd578c64e47c8be025d7475f1090b8d3d34", - "domain": "stan.mxp2142.com", - "top_level_domain": "com", - "subdomain": "stan", - "registered_domain": "mxp2142.com", - "path": "/abf858fda549bc190bd08eb75a07247bd98d194f57886d31b78b12ee01934bf147e3a36d2778243d1945d8a473515b6d196b33304340dfd578c64e47c8be025d7475f1090b8d3d34", - "scheme": "hxxp" + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "6c:af:1a:fb:fe:a7", + "port": 1072 }, "trellix": { "nx": { "sname": "Adware.Downloader.Generic" } }, - "destination": { - "port": 80, - "ip": "5.6.7.8", - "mac": "00:78:db:db:96:f6", - "address": "5.6.7.8" - }, - "source": { - "port": 1072, - "ip": "1.2.3.4", - "mac": "6c:af:1a:fb:fe:a7", - "address": "1.2.3.4" - }, - "related": { - "ip": [ - "1.2.3.4", - "3.4.5.6", - "5.6.7.8" - ], - "hosts": [ - "cms-nx5600-1.eng.fireeye.com" - ] + "url": { + "domain": "stan.mxp2142.com", + "original": "hxxp://stan.mxp2142.com/abf858fda549bc190bd08eb75a07247bd98d194f57886d31b78b12ee01934bf147e3a36d2778243d1945d8a473515b6d196b33304340dfd578c64e47c8be025d7475f1090b8d3d34", + "path": 
"/abf858fda549bc190bd08eb75a07247bd98d194f57886d31b78b12ee01934bf147e3a36d2778243d1945d8a473515b6d196b33304340dfd578c64e47c8be025d7475f1090b8d3d34", + "registered_domain": "mxp2142.com", + "scheme": "hxxp", + "subdomain": "stan", + "top_level_domain": "com" } } 
@@ -503,82 +497,81 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "CEF:0|Trellix|MPS|10.0.0.992057|RO|riskware-object|1|rt=Sep 05 2023 16:45:08 UTC start=Sep 04 2023 11:27:16 UTC end=Sep 05 2023 16:45:08 UTC src=1.2.3.4 dst=5.6.7.8 request=16.16.16.11/043d611854b9c141a36798ac813ff9f7 fname=043d611854b9c141a36798ac813ff9f7 fileType=dmg cs1Label=sname cs1=PUP.MacOS.Bnodlero.FEC3 act=notified dvc=3.4.5.6 dvchost=cms-nx5600-1.eng.fireeye.com dvcmac=e3:e9:d0:5e:ba:8e fileHash=043d611854b9c141a36798ac813ff9f7 smac=6c:af:1a:fb:fe:a7 dmac=00:78:db:db:96:f6 fsize=1315301 spt=37640 dpt=80 cn1Label=vlan cn1=0 requestMethod=GET externalId=8839150 devicePayloadId=c61444e1-64a5-41b3-b31d-3aa4408af602 msg=risk ware detected:13436641 cs4Label=link cs4=https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=c61444e1-64a5-41b3-b31d-3aa4408af602 flexString1Label=sha256sum flexString1=b1e7df9bcb9f2d4183b085450f1f9c5e9d87e919a92f628c04106e5210950e6c", "event": { - "kind": "event", - "dataset": "riskware-object", - "severity": 1, - "start": "2023-09-04T11:27:16Z", - "end": "2023-09-05T16:45:08Z", "action": "notified", - "reason": "risk ware detected:13436641", - "url": "https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=c61444e1-64a5-41b3-b31d-3aa4408af602", "category": [ "malware" ], + "dataset": "riskware-object", + "end": "2023-09-05T16:45:08Z", + "reason": "risk ware detected:13436641", + "severity": 1, + "start": "2023-09-04T11:27:16Z", "type": [ "info" - ] - }, - "@timestamp": "2023-09-04T11:27:16Z", - "observer": { - "vendor": "Trellix", - "product": "MPS", - "version": "10.0.0.992057", - "ip": [ - "3.4.5.6" ], - "hostname": "cms-nx5600-1.eng.fireeye.com", - "mac": [ - "e3:e9:d0:5e:ba:8e" - ] - }, - "url": { - "original": "16.16.16.11/043d611854b9c141a36798ac813ff9f7", - "path": "16.16.16.11/043d611854b9c141a36798ac813ff9f7" + "url": 
"https://cms-nx5600-1.eng.fireeye.com/detection/objects?uuid\\=c61444e1-64a5-41b3-b31d-3aa4408af602" }, - "http": { - "request": { - "method": "GET" - } + "@timestamp": "2023-09-04T11:27:16Z", + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "mac": "00:78:db:db:96:f6", + "port": 80 }, "file": { - "name": "043d611854b9c141a36798ac813ff9f7", + "extension": "dmg", "hash": { - "sha256": "b1e7df9bcb9f2d4183b085450f1f9c5e9d87e919a92f628c04106e5210950e6c", - "md5": "043d611854b9c141a36798ac813ff9f7" + "md5": "043d611854b9c141a36798ac813ff9f7", + "sha256": "b1e7df9bcb9f2d4183b085450f1f9c5e9d87e919a92f628c04106e5210950e6c" }, - "size": 1315301, - "extension": "dmg" + "name": "043d611854b9c141a36798ac813ff9f7", + "size": 1315301 }, - "trellix": { - "nx": { - "sname": "PUP.MacOS.Bnodlero.FEC3" + "http": { + "request": { + "method": "GET" } }, - "destination": { - "port": 80, - "ip": "5.6.7.8", - "mac": "00:78:db:db:96:f6", - "address": "5.6.7.8" - }, - "source": { - "port": 37640, - "ip": "1.2.3.4", - "mac": "6c:af:1a:fb:fe:a7", - "address": "1.2.3.4" + "observer": { + "hostname": "cms-nx5600-1.eng.fireeye.com", + "ip": [ + "3.4.5.6" + ], + "mac": [ + "e3:e9:d0:5e:ba:8e" + ], + "product": "MPS", + "vendor": "Trellix", + "version": "10.0.0.992057" }, "related": { "hash": [ "043d611854b9c141a36798ac813ff9f7", "b1e7df9bcb9f2d4183b085450f1f9c5e9d87e919a92f628c04106e5210950e6c" ], + "hosts": [ + "cms-nx5600-1.eng.fireeye.com" + ], "ip": [ "1.2.3.4", "3.4.5.6", "5.6.7.8" - ], - "hosts": [ - "cms-nx5600-1.eng.fireeye.com" ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "6c:af:1a:fb:fe:a7", + "port": 37640 + }, + "trellix": { + "nx": { + "sname": "PUP.MacOS.Bnodlero.FEC3" + } + }, + "url": { + "original": "16.16.16.11/043d611854b9c141a36798ac813ff9f7", + "path": "16.16.16.11/043d611854b9c141a36798ac813ff9f7" } } 
@@ -601,7 +594,6 @@ The following table lists the fields that are extracted, normalized under the EC
 |`event.action` | `keyword` | The action captured by the event. |
 |`event.dataset` | `keyword` | Name of the dataset. |
 |`event.end` | `date` | event.end contains the date when the event ended or when the activity was last observed. |
-|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
 |`event.reason` | `keyword` | Reason why this event happened, according to the source |
 |`event.severity` | `long` | Numeric severity of the event. |
 |`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. |
diff --git a/_shared_content/operations_center/integrations/generated/bd9d0f51-114e-499a-bb7a-4f2d0a518b04.md b/_shared_content/operations_center/integrations/generated/bd9d0f51-114e-499a-bb7a-4f2d0a518b04.md
index 4f83cad7f6..7b41632e1d 100644
--- a/_shared_content/operations_center/integrations/generated/bd9d0f51-114e-499a-bb7a-4f2d0a518b04.md
+++ b/_shared_content/operations_center/integrations/generated/bd9d0f51-114e-499a-bb7a-4f2d0a518b04.md
@@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte
 
 | Name | Values |
 | ---- | ------ |
-| Kind | `event` |
+| Kind | `` |
 | Category | `network` |
 | Type | `info` |
 
@@ -39,7 +39,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "dns_logs",
-"kind": "event",
 "type": [
 "info"
 ]
@@ -79,7 +78,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "dns_logs",
-"kind": "event",
 "type": [
 "info"
 ]
@@ -119,7 +117,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "dns_logs",
-"kind": "event",
 "type": [
 "info"
 ]
@@ -159,7 +156,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "dns_logs",
-"kind": "event",
 "type": [
 "info"
 ]
@@ -204,7 +200,6 @@ The following table lists the fields that are extracted, normalized under the EC
 |`dns.question.name` | `keyword` | The name being queried. |
 |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
 |`event.dataset` | `keyword` | Name of the dataset. |
-|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
 |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
 |`observer.type` | `keyword` | The type of the observer the data is coming from. |
 |`observer.vendor` | `keyword` | Vendor name of the observer. |
diff --git a/_shared_content/operations_center/integrations/generated/c20528c1-621e-4959-83ba-652eca2e8ed0.md b/_shared_content/operations_center/integrations/generated/c20528c1-621e-4959-83ba-652eca2e8ed0.md
index fd1298a12e..d4d9124514 100644
--- a/_shared_content/operations_center/integrations/generated/c20528c1-621e-4959-83ba-652eca2e8ed0.md
+++ b/_shared_content/operations_center/integrations/generated/c20528c1-621e-4959-83ba-652eca2e8ed0.md
@@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte
 
 | Name | Values |
 | ---- | ------ |
-| Kind | `event` |
+| Kind | `` |
 | Category | `` |
 | Type | `info` |
 
@@ -35,7 +35,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\"time\":\"2022-11-16T09:35:22.0835000Z\",\"tenantId\":\"163381f4-6b9c-43c2-8b57-bfc16b7354f2\",\"category\":\"AuditLogs\",\"operationName\":\"Rename device ManagedDevice\",\"properties\":{\"ActivityDate\":\"11/16/2022 9:35:22 AM\",\"ActivityResultStatus\":1,\"ActivityType\":3,\"Actor\":{\"ActorType\":1,\"Application\":\"5926fc8e-304e-4f59-8bed-58ca97cc39a4\",\"ApplicationName\":\"Microsoft Intune portal extension\",\"IsDelegatedAdmin\":false,\"Name\":null,\"ObjectId\":\"d9851461-2e64-43b5-bc4d-a3b3c115c19e\",\"PartnerTenantId\":\"00000000-0000-0000-0000-000000000000\",\"UserPermissions\":[\"*\"],\"UPN\":\"Pipin.Saquet@theShire.com\"},\"AdditionalDetails\":\"\",\"AuditEventId\":\"6f3dfd87-3320-41a1-88ff-672a7e731162\",\"Category\":4,\"RelationId\":null,\"TargetDisplayNames\":[\"\"],\"TargetObjectIds\":[\"fee80c12-4b53-4196-ac97-8e249e749ab3\"],\"Targets\":[{\"ModifiedProperties\":[{\"Name\":\"DeviceManagementAPIVersion\",\"Old\":null,\"New\":\"5022-09-16\"}],\"Name\":null}]},\"resultType\":\"Success\",\"resultDescription\":\"None\",\"correlationId\":\"1012dc54-3990-42a6-854e-15b93f707cd3\",\"identity\":\"Pipin.Saquet@theShire.com\"}",
 "event": {
-"kind": "event",
 "type": [
 "info"
 ]
@@ -69,7 +68,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. { "message": "{\"time\":\"2022-11-21T14:09:13.8152000Z\",\"tenantId\":\"163381f4-6b9c-43c2-8b57-bfc16b7354f2\",\"category\":\"AuditLogs\",\"operationName\":\"Delete MobileAppAssignment\",\"properties\":{\"ActivityDate\":\"11/21/2022 2:09:13 PM\",\"ActivityResultStatus\":1,\"ActivityType\":1,\"Actor\":{\"ActorType\":1,\"Application\":\"5926fc8e-304e-4f59-8bed-58ca97cc39a4\",\"ApplicationName\":\"Microsoft Intune portal extension\",\"IsDelegatedAdmin\":false,\"Name\":null,\"ObjectId\":\"d9851461-2e64-43b5-bc4d-a3b3c115c19e\",\"PartnerTenantId\":\"00000000-0000-0000-0000-000000000000\",\"UserPermissions\":[\"*\"],\"UPN\":\"Pipin@TheShire.com\"},\"AdditionalDetails\":\"Key = GroupPropertyNamesValue = Target.GroupId Key = IgnoreTruncatePropertyNamesValue = Target.GroupId \",\"AuditEventId\":\"59fa433c-2f2b-4ac6-a2c5-4c88ed70fce6\",\"Category\":5,\"RelationId\":null,\"TargetDisplayNames\":[\"Remove-HPbloatware.ps1\",\"\"],\"TargetObjectIds\":[\"a7c6992d-0260-4d73-8c4c-13b16c0d7638\",\"38b059fb-6e7c-494d-99a9-0f51e6c3cfaa_1_0\"],\"Targets\":[{\"ModifiedProperties\":[],\"Name\":\"Remove-HPbloatware.ps1\"},{\"ModifiedProperties\":[{\"Name\":\"Target.Type\",\"Old\":null,\"New\":\"GroupAssignmentTarget\"},{\"Name\":\"Settings.Type\",\"Old\":null,\"New\":\"Win32LobAppAssignmentSettings\"},{\"Name\":\"Id\",\"Old\":null,\"New\":\"38b059fb-6e7c-494d-99a9-0f51e6c3cfaa_1_0\"},{\"Name\":\"Intent\",\"Old\":null,\"New\":\"Required\"},{\"Name\":\"Target.GroupId\",\"Old\":null,\"New\":\"SDP_MDM_WINDOWSDEVICE(38b059fb-6e7c-494d-99a9-0f51e6c3cfaa) 
\"},{\"Name\":\"Target.DeviceAndAppManagementAssignmentFilterId\",\"Old\":null,\"New\":\"\"},{\"Name\":\"Target.DeviceAndAppManagementAssignmentFilterType\",\"Old\":null,\"New\":\"None\"},{\"Name\":\"Settings.Notifications\",\"Old\":null,\"New\":\"ShowAll\"},{\"Name\":\"Settings.DeliveryOptimizationPriority\",\"Old\":null,\"New\":\"NotConfigured\"},{\"Name\":\"Source\",\"Old\":null,\"New\":\"Direct\"},{\"Name\":\"SourceId\",\"Old\":null,\"New\":\"\"},{\"Name\":\"DeviceManagementAPIVersion\",\"Old\":null,\"New\":\"5022-09-01\"}],\"Name\":\"\"}]},\"resultType\":\"Success\",\"resultDescription\":\"None\",\"correlationId\":\"f1e94900-1bc8-48fc-b097-fa23ab9c160f\",\"identity\":\"Pipin@TheShire.com\"}", "event": { - "kind": "event", "type": [ "info" ] 
@@ -103,7 +101,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\"time\":\"2022-11-02T15:50:50.9419000Z\",\"tenantId\":\"163381f4-6b9c-43c2-8b57-bfc16b7354f2\",\"category\":\"DeviceComplianceOrg\",\"operationName\":\"DeviceCompliance\",\"resultType\":\"None\",\"properties\":{\"DeviceName\":\"DESKTOP-086N6KI\",\"UPN\":\"Pipin.Saquet@theShire.com\",\"ComplianceState\":\"1\",\"ComplianceState_loc\":\"Compliant\",\"OSDescription\":\"Windows\",\"OSVersion\":\"10.0.19044.2130\",\"OS\":\"Windows\",\"OS_loc\":\"Windows\",\"OwnerType\":1,\"OwnerType_loc\":\"Company\",\"DeviceId\":\"06334044-1a53-47d6-b6f8-ec9dcba8fa93\",\"LastContact\":\"2022-10-28 08:27:37.0000000\",\"UserId\":\"41ab6092-2435-4ed0-a28b-d638523d096e\",\"IMEI\":\"\",\"SerialNumber\":\"5CG21492VW\",\"RetireAfterDatetime\":\"\",\"ManagementAgents\":2,\"ManagementAgents_loc\":\"MDM\",\"DeviceType\":1,\"UserName\":\"Saquet Pipin\",\"InGracePeriodUntil\":\"9999-12-31 23:59:59.0000000\",\"DeviceHealthThreatLevel\":null,\"DeviceHealthThreatLevel_loc\":\"Unknown\",\"UserEmail\":\"Pipin.Saquet@theShire.com\",\"BatchId\":\"9ed4cac5-3d86-4760-980d-f1331dfc5ee9\",\"IntuneAccountId\":\"2b9f48a7-75d9-4a72-9b2e-16fd38e121ef\",\"AADTenantId\":\"163381f4-6b9c-43c2-8b57-bfc16b7354f2\"}}",
 "event": {
-"kind": "event",
 "type": [
 "info"
 ]
@@ -143,7 +140,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\"time\":\"2022-11-17T07:39:02.4103000Z\",\"tenantId\":\"163381f4-6b9c-43c2-8b57-bfc16b7354f2\",\"category\":\"Devices\",\"operationName\":\"Devices\",\"resultType\":\"None\",\"properties\":{\"DeviceId\":\"a2f25343-1d87-4876-9e72-de6111b614e5\",\"DeviceName\":\"Pipin.Saquet_AndroidForWork_10/17/2022_2:23 PM\",\"UPN\":\"Pipin.Saquet@theShire.com\",\"LastContact\":\"2022-11-17 07:03:14.6829201\",\"OSVersion\":\"12.0\",\"OS\":\"Android (Personally-Owned Work Profile)\",\"CompliantState\":\"Compliant\",\"Ownership\":\"Personal\",\"ManagedBy\":\"Intune\",\"Model\":\"SM-G996B\",\"SerialNumber\":\"0\",\"Manufacturer\":\"samsung\",\"CreatedDate\":\"2022-10-17 14:23:27.0091131\",\"DeviceState\":\"Managed\",\"UserEmail\":\"Pipin.Saquet@theShire.com\",\"UserName\":\"Pipin.Saquet\",\"IMEI\":\"88888\",\"PhoneNumber\":\"+*******0016\",\"DeviceRegistrationState\":\"Registered\",\"ReferenceId\":\"5f02959f-d014-4f53-a1be-892a7e7dd450\",\"ManagedDeviceName\":\"Pipin.Saquet_AndroidForWork_10/17/2022_2:23 PM\",\"GraphDeviceIsManaged\":true,\"CategoryName\":\"\",\"EncryptionStatusString\":\"True\",\"SubscriberCarrierNetwork\":\"Orange F\",\"JoinType\":\"Azure AD registered\",\"SupervisedStatusString\":\"False\",\"WifiMacAddress\":\"aaa:ffff\",\"StorageTotal\":0,\"StorageFree\":0,\"AndroidPatchLevel\":\"2022-10-01\",\"MEID\":\"\",\"InGracePeriodUntil\":\"9999-12-31 23:59:59.9999999\",\"JailBroken\":\"false\",\"SkuFamily\":\"\",\"EasID\":\"afw72216560A482C5F77A4E4A9E38E58\",\"PrimaryUser\":\"a7b9fde1-d8d5-438b-9516-7ef639dfe244\",\"BatchId\":\"3068a7ce-6e3a-438f-a943-634dd1412bc5\",\"IntuneAccountId\":\"2b9f48a7-75d9-4a72-9b2e-16fd38e121ef\",\"AADTenantId\":\"163381f4-6b9c-43c2-8b57-bfc16b7354f2\"}}",
 "event": {
-"kind": "event",
 "type": [
 "info"
 ]
@@ -199,7 +195,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\"time\":\"2022-11-18T09:04:24.7065000Z\",\"tenantId\":\"163381f4-6b9c-43c2-8b57-bfc16b7354f2\",\"category\":\"OperationalLogs\",\"operationName\":\"Compliance\",\"resultType\":\"None\",\"properties\":{\"IntuneAccountId\":\"2b9f48a7-75d9-4a72-9b2e-16fd38e121ef\",\"AlertDisplayName\":\"Managed Device Pipin.Saquet_Windows_10/4/2022_12:43 PM is not Compliant\",\"AlertType\":\"Managed Device Not Compliant\",\"AADTenantId\":\"163381f4-6b9c-43c2-8b57-bfc16b7354f2\",\"Description\":\"Windows10CompliancePolicy.AntivirusRequired_IID_aae45eb0-5edb-fc0b-7adf-47a5d6b12208||||Windows10CompliancePolicy.AntivirusRequired||Equals 0||2||./Vendor/MSFT/DeviceStatus/Antivirus/Status\",\"DeviceDnsDomain\":\"\",\"DeviceHostName\":\"TheShire-W744\",\"IntuneDeviceId\":\"45241578-2168-4649-9edc-2e9025b699ac\",\"DeviceName\":\"Pipin.Saquet_Windows_10/4/2022_12:43 PM\",\"DeviceNetBiosName\":\"TheShire-W744\",\"DeviceOperatingSystem\":\"Windows 10.0.19044.2251\",\"ScaleUnit\":\"AMSUB0502\",\"ScenarioName\":\"Microsoft.Management.Services.Diagnostics.SLAEvents.DeviceNotInComplianceSecurityAlert\",\"StartTimeUtc\":\"2022-11-18T09:04:24.7065Z\",\"UserName\":\"Pipin.Saquet\",\"UPNSuffix\":\"TheShire.com\",\"UserDisplayName\":\"Saquet Saquet\",\"IntuneUserId\":\"7d5c7f0f-8740-4e9d-96a9-5c2d4baf1d70\",\"OperationalLogCategory\":\"DeviceCompliance\"}}",
 "event": {
-"kind": "event",
 "reason": "Windows10CompliancePolicy.AntivirusRequired_IID_aae45eb0-5edb-fc0b-7adf-47a5d6b12208||||Windows10CompliancePolicy.AntivirusRequired||Equals 0||2||./Vendor/MSFT/DeviceStatus/Antivirus/Status",
 "type": [
 "info"
@@ -240,7 +235,6 @@ The following table lists the fields that are extracted, normalized under the EC
 |`@timestamp` | `date` | Date/time when the event originated. |
 |`action.name` | `keyword` | The name of the action |
 |`action.target` | `keyword` | The target of the action |
-|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
 |`event.reason` | `keyword` | Reason why this event happened, according to the source |
 |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
 |`host.id` | `keyword` | Unique host id. |
diff --git a/_shared_content/operations_center/integrations/generated/c2faea65-1eb3-4f3f-b895-c8769a749d45.md b/_shared_content/operations_center/integrations/generated/c2faea65-1eb3-4f3f-b895-c8769a749d45.md
index 9282d5a41f..efd9230700 100644
--- a/_shared_content/operations_center/integrations/generated/c2faea65-1eb3-4f3f-b895-c8769a749d45.md
+++ b/_shared_content/operations_center/integrations/generated/c2faea65-1eb3-4f3f-b895-c8769a749d45.md
@@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte
 
 | Name | Values |
 | ---- | ------ |
-| Kind | `alert`, `event` |
+| Kind | `alert` |
 | Category | `configuration`, `threat` |
 | Type | `` |
 
@@ -39,7 +39,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "category": [
 "configuration"
 ],
-"kind": "event",
 "reason": "created API Access Token `Dev Audit log`",
 "type": [
 "creation"
@@ -101,7 +100,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "category": [
 "configuration"
 ],
-"kind": "event",
 "reason": "tested a \"generic\" integration",
 "type": [
 "info"
@@ -141,7 +139,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "category": [
 "configuration"
 ],
-"kind": "event",
 "reason": "changed agent mode from \"block\" to \"log\"",
 "type": [
 "change"
@@ -181,7 +178,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "category": [
 "configuration"
 ],
- "kind": "event",
 "reason": "created a new \"generic\" integration subscribed to \"all events\"",
 "type": [
 "creation"
diff --git a/_shared_content/operations_center/integrations/generated/c6a43439-7b9d-4678-804b-ebda6756db60.md b/_shared_content/operations_center/integrations/generated/c6a43439-7b9d-4678-804b-ebda6756db60.md
index 6554b3fa16..23771ba11a 100644
--- a/_shared_content/operations_center/integrations/generated/c6a43439-7b9d-4678-804b-ebda6756db60.md
+++ b/_shared_content/operations_center/integrations/generated/c6a43439-7b9d-4678-804b-ebda6756db60.md
@@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte
 | Name | Values |
 | ---- | ------ |
-| Kind | `event` |
+| Kind | `` |
 | Category | `vulnerability` |
 | Type | `info` |
@@ -38,7 +38,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "category": [
 "vulnerability"
 ],
- "kind": "event",
 "type": [
 "info"
 ]
@@ -109,7 +108,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "category": [
 "vulnerability"
 ],
- "kind": "event",
 "type": [
 "info"
 ]
@@ -198,7 +196,6 @@ The following table lists the fields that are extracted, normalized under the EC
 |`cyberwatch.vas.groups` | `array` | Lists of groups |
 |`cyberwatch.vas.ignored` | `keyword` | Indicates whether the vulnerability has been ignored on the asset or not |
 |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
-|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
 |`event.provider` | `keyword` | Source of the event. |
 |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
 |`host.architecture` | `keyword` | Operating system architecture. |
diff --git a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md
index 8a6215df2c..b85ebdba7f 100644
--- a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md
+++ b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md
@@ -17,7 +17,7 @@ In details, the following table denotes the type of events produced by this inte
 | Name | Values |
 | ---- | ------ |
-| Kind | `alert`, `event` |
+| Kind | `alert` |
 | Category | `authentication`, `email`, `file`, `iam`, `intrusion_detection`, `network` |
 | Type | `access`, `change`, `info`, `start` |
@@ -41,7 +41,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "authentication"
 ],
 "code": "15",
- "kind": "event",
 "outcome": "success",
 "type": [
 "start"
@@ -130,7 +129,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "authentication"
 ],
 "code": "15",
- "kind": "event",
 "outcome": "success",
 "type": [
 "start"
@@ -532,7 +530,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "event": {
 "action": "ListViewed",
 "code": "36",
- "kind": "event",
 "outcome": "success"
 },
 "@timestamp": "2023-12-13T10:08:25Z",
@@ -599,7 +596,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "event": {
 "action": "COMPLIANCEMANAGER-SCORECHANGE",
 "code": "155",
- "kind": "event",
 "outcome": "success",
 "reason": "Enable self-service password reset"
 },
@@ -645,7 +641,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "file"
 ],
 "code": "2",
- "kind": "event",
 "outcome": "success",
 "type": [
 "creation",
@@ -714,7 +709,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "event": {
 "action": "MailItemsAccessed",
 "code": "50",
- "kind": "event",
 "outcome": "success"
 },
 "@timestamp": "2023-09-15T18:16:53Z",
@@ -768,7 +762,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "email"
 ],
 "code": "3",
- "kind": "event",
 "outcome": "success",
 "type": [
 "info"
@@ -842,7 +835,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "email"
 ],
 "code": "3",
- "kind": "event",
 "outcome": "success",
 "type": [
 "info"
@@ -973,7 +965,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "file"
 ],
 "code": "2",
- "kind": "event",
 "outcome": "success",
 "type": [
 "change",
@@ -1095,7 +1086,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "file"
 ],
 "code": "6",
- "kind": "event",
 "outcome": "success",
 "type": [
 "info"
@@ -1192,7 +1182,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "file"
 ],
 "code": "6",
- "kind": "event",
 "outcome": "success",
 "type": [
 "info"
@@ -1296,7 +1285,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "file"
 ],
 "code": "6",
- "kind": "event",
 "outcome": "success",
 "type": [
 "info"
@@ -1401,7 +1389,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "file"
 ],
 "code": "22",
- "kind": "event",
 "outcome": "success"
 },
 "@timestamp": "2022-09-07T12:22:07Z",
@@ -1462,7 +1449,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "event": {
 "action": "EditForm",
 "code": "66",
- "kind": "event",
 "outcome": "success"
 },
 "@timestamp": "2023-12-13T10:08:21Z",
@@ -1524,7 +1510,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "event": {
 "action": "New-InboxRule",
 "code": "1",
- "kind": "event",
 "outcome": "success"
 },
 "@timestamp": "2023-05-24T15:10:53Z",
@@ -1605,7 +1590,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "file"
 ],
 "code": "4",
- "kind": "event",
 "outcome": "success",
 "type": [
 "access"
@@ -1824,7 +1808,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "event": {
 "action": "AtpDetection",
 "code": "47",
- "kind": "event",
 "outcome": "success",
 "url": "https://protection.office.com/threatexplorer?dltarget=Explorer&dlstorage=Url&viewid=MalwareContent&query-Id=2ab4791e-fdd4-42f9-ad3c-c54ef7a4d548"
 },
@@ -1897,7 +1880,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "event": {
 "action": "Blocked",
 "code": "28",
- "kind": "event",
 "outcome": "success",
 "url": "https://protection.office.com/?hash=/threatexplorer?messageParams=a4dbf74a-89e0-40de-b14d-df573f48aa45,a4dbf74a-89e0-40de-b14d-df573f48aa45-0000000000000000000-1,2022-07-08T00:00:00,2022-07-08T23:59:59&view=Malware"
 },
@@ -2044,7 +2026,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "event": {
 "action": "TIUrlClickData",
 "code": "41",
- "kind": "event",
 "outcome": "success",
 "url": "https://protection.office.com/threatexplorer?dltarget=Explorer&dlstorage=Url&viewid=Phish&query-Recipients=people@xample.org&query-NetworkMessageId=53b5da37-1893-4e78-a89f-a4d26b53184c"
 },
@@ -2092,7 +2073,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "event": {
 "action": "ViewReport",
 "code": "20",
- "kind": "event",
 "outcome": "success"
 },
 "@timestamp": "2023-08-22T13:51:33Z",
@@ -2228,7 +2208,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "file"
 ],
 "code": "14",
- "kind": "event",
 "outcome": "success",
 "type": [
 "info"
@@ -2327,7 +2306,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "code": "25",
- "kind": "event",
 "outcome": "success",
 "type": [
 "info"
@@ -2408,7 +2386,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "event": {
 "action": "AtpDetection",
 "code": "47",
- "kind": "event",
 "outcome": "success",
 "url": "https://security.mamamia.com/threatexplorer?dltarget=Explorer&dlstorage=Url&viewid=MalwareContent&starttime=2023-07-30T23:59:59.002Z&endtime=2023-09-01T23:59:59.002Z&query-Id=f872f447-2417-492a-d462-08dba99a7777"
 },
@@ -2484,7 +2461,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "iam"
 ],
 "code": "8",
- "kind": "event",
 "outcome": "success",
 "type": [
 "change"
@@ -2541,7 +2517,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "iam"
 ],
 "code": "8",
- "kind": "event",
 "outcome": "success",
 "type": [
 "change"
@@ -2598,7 +2573,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "iam"
 ],
 "code": "8",
- "kind": "event",
 "outcome": "success",
 "type": [
 "change"
@@ -2660,7 +2634,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "authentication"
 ],
 "code": "15",
- "kind": "event",
 "outcome": "success",
 "type": [
 "start"
@@ -2751,7 +2724,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "authentication"
 ],
 "code": "15",
- "kind": "event",
 "outcome": "success",
 "type": [
 "start"
@@ -2854,7 +2826,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "iam"
 ],
 "code": "15",
- "kind": "event",
 "outcome": "success",
 "type": [
 "info"
diff --git a/_shared_content/operations_center/integrations/generated/cf5c916e-fa26-11ed-a844-f7f4d7348199.md b/_shared_content/operations_center/integrations/generated/cf5c916e-fa26-11ed-a844-f7f4d7348199.md
index bd160742ab..f03282c2dc 100644
--- a/_shared_content/operations_center/integrations/generated/cf5c916e-fa26-11ed-a844-f7f4d7348199.md
+++ b/_shared_content/operations_center/integrations/generated/cf5c916e-fa26-11ed-a844-f7f4d7348199.md
@@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte
 | Name | Values |
 | ---- | ------ |
-| Kind | `event` |
+| Kind | `` |
 | Category | `network` |
 | Type | `["connection", "access"]` |
@@ -41,7 +41,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 ],
 "dataset": "ogo-shield",
 "duration": 0,
- "kind": "event",
 "module": "ogo.shield.waf",
 "type": [
 "access",
@@ -115,7 +114,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 ],
 "dataset": "ogo-shield",
 "duration": 0,
- "kind": "event",
 "module": "ogo.shield.waf",
 "type": [
 "access",
@@ -197,7 +195,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 ],
 "dataset": "ogo-shield",
 "duration": 0,
- "kind": "event",
 "module": "ogo.shield.waf",
 "type": [
 "access",
@@ -279,7 +276,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 ],
 "dataset": "ogo-shield",
 "duration": 0,
- "kind": "event",
 "module": "ogo.shield.waf",
 "type": [
 "access",
@@ -352,7 +348,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 ],
 "dataset": "ogo-shield",
 "duration": 0,
- "kind": "event",
 "module": "ogo.shield.waf",
 "type": [
 "access",
@@ -425,7 +420,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 ],
 "dataset": "ogo-shield",
 "duration": 0,
- "kind": "event",
 "module": "ogo.shield.waf",
 "type": [
 "access",
@@ -498,7 +492,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 ],
 "dataset": "ogo-shield",
 "duration": 0,
- "kind": "event",
 "module": "ogo.shield.waf",
 "type": [
 "access",
@@ -586,7 +579,6 @@ The following table lists the fields that are extracted, normalized under the EC
 |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
 |`event.dataset` | `keyword` | Name of the dataset. |
 |`event.duration` | `long` | Duration of the event in nanoseconds. |
-|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
 |`event.module` | `keyword` | Name of the module this data is coming from. |
 |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
 |`http.request.body.bytes` | `long` | Size in bytes of the request body. |
diff --git a/_shared_content/operations_center/integrations/generated/d14567dd-56b1-42f8-aa64-fb65d4b0a4cf.md b/_shared_content/operations_center/integrations/generated/d14567dd-56b1-42f8-aa64-fb65d4b0a4cf.md
index fc52d556e8..0c21a0737f 100644
--- a/_shared_content/operations_center/integrations/generated/d14567dd-56b1-42f8-aa64-fb65d4b0a4cf.md
+++ b/_shared_content/operations_center/integrations/generated/d14567dd-56b1-42f8-aa64-fb65d4b0a4cf.md
@@ -17,7 +17,7 @@ In details, the following table denotes the type of events produced by this inte
 | Name | Values |
 | ---- | ------ |
-| Kind | `event` |
+| Kind | `` |
 | Category | `network` |
 | Type | `` |
@@ -41,7 +41,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "gateway_network",
- "kind": "event",
 "type": [
 "allowed"
 ]
@@ -105,7 +104,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "gateway_network",
- "kind": "event",
 "type": [
 "allowed"
 ]
@@ -181,7 +179,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "gateway_network",
- "kind": "event",
 "type": [
 "allowed"
 ]
@@ -248,7 +245,6 @@ The following table lists the fields that are extracted, normalized under the EC
 |`event.action` | `keyword` | The action captured by the event. |
 |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
 |`event.dataset` | `keyword` | Name of the dataset. |
-|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
 |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
 |`host.hostname` | `keyword` | Hostname of the host. |
 |`network.transport` | `keyword` | Protocol Name corresponding to the field `iana_number`. |
diff --git a/_shared_content/operations_center/integrations/generated/d2725f97-0c7b-4942-a847-983f38efb8ff.md b/_shared_content/operations_center/integrations/generated/d2725f97-0c7b-4942-a847-983f38efb8ff.md
index 1f8e4ca479..c18c58b0f1 100644
--- a/_shared_content/operations_center/integrations/generated/d2725f97-0c7b-4942-a847-983f38efb8ff.md
+++ b/_shared_content/operations_center/integrations/generated/d2725f97-0c7b-4942-a847-983f38efb8ff.md
@@ -20,7 +20,7 @@ In details, the following table denotes the type of events produced by this inte
 | Name | Values |
 | ---- | ------ |
-| Kind | `event` |
+| Kind | `` |
 | Category | `authentication`, `network` |
 | Type | `end`, `info` |
@@ -43,7 +43,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "Apex Execution",
- "kind": "event",
 "type": [
 "info"
 ]
@@ -75,7 +74,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "API",
- "kind": "event",
 "type": [
 "info"
 ]
@@ -116,7 +114,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "ApiTotalUsage",
- "kind": "event",
 "type": [
 "info"
 ]
@@ -174,7 +171,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "Audit Trail",
- "kind": "event",
 "type": [
 "info"
 ]
@@ -207,7 +203,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "code": "ltng:error",
 "dataset": "LightningPageView",
 "duration": 123,
- "kind": "event",
 "reason": "custom message",
 "start": "2016-08-18T23:59:48.642000Z",
 "type": [
@@ -348,7 +343,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "code": "ltng:error",
 "dataset": "LightningPageView",
 "duration": 123,
- "kind": "event",
 "reason": "custom message",
 "start": "2016-08-18T23:59:48.642000Z",
 "type": [
@@ -481,7 +475,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "authentication"
 ],
 "dataset": "Login",
- "kind": "event",
 "type": [
 "start"
 ]
@@ -521,7 +514,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "Report/Dashboard",
- "kind": "event",
 "type": [
 "info"
 ]
@@ -560,7 +552,6 @@ The following table lists the fields that are extracted, normalized under the EC
 |`event.code` | `keyword` | Identification code for this event. |
 |`event.dataset` | `keyword` | Name of the dataset. |
 |`event.duration` | `long` | Duration of the event in nanoseconds. |
-|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
 |`event.reason` | `keyword` | Reason why this event happened, according to the source |
 |`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. |
 |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
diff --git a/_shared_content/operations_center/integrations/generated/d3a813ac-f9b5-451c-a602-a5994544d9ed.md b/_shared_content/operations_center/integrations/generated/d3a813ac-f9b5-451c-a602-a5994544d9ed.md
index b251ec6aae..1cf5ffd566 100644
--- a/_shared_content/operations_center/integrations/generated/d3a813ac-f9b5-451c-a602-a5994544d9ed.md
+++ b/_shared_content/operations_center/integrations/generated/d3a813ac-f9b5-451c-a602-a5994544d9ed.md
@@ -17,7 +17,7 @@ In details, the following table denotes the type of events produced by this inte
 | Name | Values |
 | ---- | ------ |
-| Kind | `event` |
+| Kind | `` |
 | Category | `authentication`, `iam`, `network` |
 | Type | `access`, `change` |
@@ -41,7 +41,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "cloudtrail",
- "kind": "event",
 "outcome": "success",
 "provider": "ec2.amazonaws.com",
 "type": [
@@ -157,7 +156,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "cloudtrail",
- "kind": "event",
 "outcome": "success",
 "provider": "cloudtrail.amazonaws.com",
 "type": [
@@ -257,81 +255,80 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 {
 "message": "{\n \"eventVersion\": \"1.08\",\n \"userIdentity\": {\n \"type\": \"IAMUser\",\n \"principalId\": \"demo\",\n \"arn\": \"arn:aws:iam::0:user/demo\",\n \"accountId\": \"00000\",\n \"accessKeyId\": \"AAAAAAAAA\",\n \"userName\": \"AAAAAAAAAAAA\"\n },\n \"eventTime\": \"2023-09-29T15:06:45Z\",\n \"eventSource\": \"ecs.amazonaws.com\",\n \"eventName\": \"PutClusterCapacityProviders\",\n \"awsRegion\": \"eu-west-1\",\n \"sourceIPAddress\": \"00.000.000.00\",\n \"userAgent\": \"APN/1.0 HashiCorp/1.0 Terraform/1.4.7 (+https://www.terraform.io) terraform-provider-aws/4.59.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.44.221 (go1.19.6; linux; amd64)\",\n \"requestParameters\": {\n \"cluster\": \"cluster_name\",\n \"capacityProviders\": [\n \"DEMO\"\n ],\n \"defaultCapacityProviderStrategy\": [\n {\n \"capacityProvider\": \"DEMO\",\n \"weight\": 0,\n \"base\": 0\n }\n ]\n },\n \"responseElements\": {\n \"cluster\": {\n \"clusterArn\": \"arn:aws:ecs:eu-west-1:00000000:cluster/cluster_name\",\n \"clusterName\": \"cluster_name\",\n \"configuration\": {\n \"executeCommandConfiguration\": {\n \"logging\": \"OVERRIDE\",\n \"logConfiguration\": {\n \"cloudWatchLogGroupName\": \"/ecs/cluster/cluster_name\",\n \"cloudWatchEncryptionEnabled\": true,\n \"s3EncryptionEnabled\": false\n }\n }\n },\n \"status\": \"ACTIVE\",\n \"registeredContainerInstancesCount\": 0,\n \"runningTasksCount\": 0,\n \"pendingTasksCount\": 0,\n \"activeServicesCount\": 0,\n \"statistics\": [],\n \"tags\": [],\n \"settings\": [\n {\n \"name\": \"containerInsights\",\n \"value\": \"enabled\"\n }\n ],\n \"capacityProviders\": [\n \"DEMO\"\n ],\n \"defaultCapacityProviderStrategy\": [\n {\n \"capacityProvider\": \"DEMO\",\n \"weight\": 0,\n \"base\": 0\n }\n ],\n \"attachments\": [],\n \"attachmentsStatus\": \"UPDATE_IN_PROGRESS\"\n }\n },\n \"readOnly\": false,\n \"eventType\":
\"AwsApiCall\",\n \"managementEvent\": true,\n \"recipientAccountId\": \"007\",\n \"eventCategory\": \"Management\",\n \"tlsDetails\": {\n \"tlsVersion\": \"TLSv1.3\",\n \"cipherSuite\": \"TLS_AES_128_GCM_SHA256\",\n \"clientProvidedHostHeader\": \"sekoia.eu-west-1.amazonaws.com\"\n }\n}",
 "event": {
- "kind": "event",
+ "action": "PutClusterCapacityProviders",
 "category": [
 "network"
 ],
- "type": [
- "access"
- ],
 "dataset": "cloudtrail",
- "action": "PutClusterCapacityProviders",
+ "outcome": "success",
 "provider": "ecs.amazonaws.com",
- "outcome": "success"
+ "type": [
+ "access"
+ ]
 },
 "@timestamp": "2023-09-29T15:06:45Z",
- "cloud": {
- "provider": "aws",
- "service": {
- "name": "cloudtrail"
- },
- "region": "eu-west-1",
- "account": {
- "id": "00000"
- }
- },
 "action": {
- "type": "AwsApiCall",
 "name": "PutClusterCapacityProviders",
 "outcome": "success",
- "target": "network-traffic",
 "properties": {
 "recipientAccountId": "007",
 "userIdentity": {
- "type": "IAMUser",
- "principalId": "demo",
- "arn": "arn:aws:iam::0:user/demo",
- "accountId": "00000",
 "accessKeyId": "AAAAAAAAA",
+ "accountId": "00000",
+ "arn": "arn:aws:iam::0:user/demo",
+ "principalId": "demo",
+ "type": "IAMUser",
 "userName": "AAAAAAAAAAAA"
 }
- }
- },
- "user_agent": {
- "original": "APN/1.0 HashiCorp/1.0 Terraform/1.4.7 (+https://www.terraform.io) terraform-provider-aws/4.59.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.44.221 (go1.19.6; linux; amd64)",
- "device": {
- "name": "Other"
 },
- "name": "aws-sdk-go",
- "version": "1.44.221",
- "os": {
- "name": "Linux"
- }
- },
- "user": {
- "id": "00000"
- },
- "tls": {
- "cipher": "TLS_AES_128_GCM_SHA256",
- "version": "TLSv1.3"
+ "target": "network-traffic",
+ "type": "AwsApiCall"
 },
 "aws": {
 "cloudtrail": {
+ "cluster_name": "cluster_name",
 "event_version": "1.08",
+ "flattened": {
+ "request_parameters": "{\"capacityProviders\": [\"DEMO\"], \"cluster\": \"cluster_name\", \"defaultCapacityProviderStrategy\":
[{\"base\": 0, \"capacityProvider\": \"DEMO\", \"weight\": 0}]}",
+ "response_elements": "{\"cluster\": {\"activeServicesCount\": 0, \"attachments\": [], \"attachmentsStatus\": \"UPDATE_IN_PROGRESS\", \"capacityProviders\": [\"DEMO\"], \"clusterArn\": \"arn:aws:ecs:eu-west-1:00000000:cluster/cluster_name\", \"clusterName\": \"cluster_name\", \"configuration\": {\"executeCommandConfiguration\": {\"logConfiguration\": {\"cloudWatchEncryptionEnabled\": true, \"cloudWatchLogGroupName\": \"/ecs/cluster/cluster_name\", \"s3EncryptionEnabled\": false}, \"logging\": \"OVERRIDE\"}}, \"defaultCapacityProviderStrategy\": [{\"base\": 0, \"capacityProvider\": \"DEMO\", \"weight\": 0}], \"pendingTasksCount\": 0, \"registeredContainerInstancesCount\": 0, \"runningTasksCount\": 0, \"settings\": [{\"name\": \"containerInsights\", \"value\": \"enabled\"}], \"statistics\": [], \"status\": \"ACTIVE\", \"tags\": []}}"
+ },
 "recipient_account_id": "007",
 "user_identity": {
- "type": "IAMUser",
- "principalId": "demo",
- "arn": "arn:aws:iam::0:user/demo",
+ "accessKeyId": "AAAAAAAAA",
 "accountId": "00000",
- "accessKeyId": "AAAAAAAAA"
- },
- "cluster_name": "cluster_name",
- "flattened": {
- "response_elements": "{\"cluster\": {\"activeServicesCount\": 0, \"attachments\": [], \"attachmentsStatus\": \"UPDATE_IN_PROGRESS\", \"capacityProviders\": [\"DEMO\"], \"clusterArn\": \"arn:aws:ecs:eu-west-1:00000000:cluster/cluster_name\", \"clusterName\": \"cluster_name\", \"configuration\": {\"executeCommandConfiguration\": {\"logConfiguration\": {\"cloudWatchEncryptionEnabled\": true, \"cloudWatchLogGroupName\": \"/ecs/cluster/cluster_name\", \"s3EncryptionEnabled\": false}, \"logging\": \"OVERRIDE\"}}, \"defaultCapacityProviderStrategy\": [{\"base\": 0, \"capacityProvider\": \"DEMO\", \"weight\": 0}], \"pendingTasksCount\": 0, \"registeredContainerInstancesCount\": 0, \"runningTasksCount\": 0, \"settings\": [{\"name\": \"containerInsights\", \"value\": \"enabled\"}], \"statistics\": [],
\"status\": \"ACTIVE\", \"tags\": []}}",
- "request_parameters": "{\"capacityProviders\": [\"DEMO\"], \"cluster\": \"cluster_name\", \"defaultCapacityProviderStrategy\": [{\"base\": 0, \"capacityProvider\": \"DEMO\", \"weight\": 0}]}"
+ "arn": "arn:aws:iam::0:user/demo",
+ "principalId": "demo",
+ "type": "IAMUser"
 }
 }
+ },
+ "cloud": {
+ "account": {
+ "id": "00000"
+ },
+ "provider": "aws",
+ "region": "eu-west-1",
+ "service": {
+ "name": "cloudtrail"
+ }
+ },
+ "tls": {
+ "cipher": "TLS_AES_128_GCM_SHA256",
+ "version": "TLSv1.3"
+ },
+ "user": {
+ "id": "00000"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "aws-sdk-go",
+ "original": "APN/1.0 HashiCorp/1.0 Terraform/1.4.7 (+https://www.terraform.io) terraform-provider-aws/4.59.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.44.221 (go1.19.6; linux; amd64)",
+ "os": {
+ "name": "Linux"
+ },
+ "version": "1.44.221"
 }
 }
@@ -351,7 +348,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 ],
 "code": "Client.AuthFailure",
 "dataset": "cloudtrail",
- "kind": "event",
 "outcome": "success",
 "provider": "ec2.amazonaws.com",
 "reason": "vm-import-export@amazon.com must have WRITE and READ_ACL permission on the S3 bucket.",
@@ -448,7 +444,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "cloudtrail",
- "kind": "event",
 "outcome": "success",
 "provider": "ec2.amazonaws.com",
 "type": [
@@ -554,7 +549,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "cloudtrail",
- "kind": "event",
 "outcome": "success",
 "provider": "iam.amazonaws.com",
 "type": [
@@ -659,7 +653,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "cloudtrail",
- "kind": "event",
 "outcome": "success",
 "provider": "kms.amazonaws.com",
 "type": [
@@ -792,7 +785,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "cloudtrail",
- "kind": "event",
 "outcome": "success",
 "provider": "rds.amazonaws.com",
 "type": [
@@ -898,7 +890,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "cloudtrail",
- "kind": "event",
 "outcome": "success",
 "provider": "sts.amazonaws.com",
 "type": [
@@ -992,7 +983,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "authentication"
 ],
 "dataset": "cloudtrail",
- "kind": "event",
 "outcome": "success",
 "provider": "signin.amazonaws.com",
 "type": [
@@ -1082,7 +1072,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "cloudtrail",
- "kind": "event",
 "outcome": "success",
 "provider": "sts.amazonaws.com",
 "type": [
@@ -1177,7 +1166,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 ],
 "code": "NoSuchBucketPolicy",
 "dataset": "cloudtrail",
- "kind": "event",
 "outcome": "success",
 "provider": "s3.amazonaws.com",
 "type": [
@@ -1228,7 +1216,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "cloudtrail",
- "kind": "event",
 "outcome": "success",
 "provider": "elasticfilesystem.amazonaws.com",
 "type": [
@@ -1357,7 +1344,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "authentication"
 ],
 "dataset": "cloudtrail",
- "kind": "event",
 "outcome": "success",
 "provider": "signin.amazonaws.com",
 "type": [
@@ -1481,7 +1467,6 @@ The following table lists the fields that are extracted, normalized under the EC
 |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
 |`event.code` | `keyword` | Identification code for this event. |
 |`event.dataset` | `keyword` | Name of the dataset. |
-|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
 |`event.provider` | `keyword` | Source of the event. |
 |`event.reason` | `keyword` | Reason why this event happened, according to the source |
 |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
diff --git a/_shared_content/operations_center/integrations/generated/d626fec3-473a-44b3-9e3d-587fdd99a421.md b/_shared_content/operations_center/integrations/generated/d626fec3-473a-44b3-9e3d-587fdd99a421.md
index 54f7cb2fb7..d98e93a848 100644
--- a/_shared_content/operations_center/integrations/generated/d626fec3-473a-44b3-9e3d-587fdd99a421.md
+++ b/_shared_content/operations_center/integrations/generated/d626fec3-473a-44b3-9e3d-587fdd99a421.md
@@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte
 | Name | Values |
 | ---- | ------ |
-| Kind | `event` |
+| Kind | `` |
 | Category | `web` |
 | Type | `access` |
@@ -40,7 +40,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "web"
 ],
 "duration": 500000000,
- "kind": "event",
 "type": [
 "access"
 ]
@@ -194,7 +193,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "category": [
 "web"
 ],
- "kind": "event",
 "type": [
 "access"
 ]
@@ -343,7 +341,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "category": [
 "web"
 ],
- "kind": "event",
 "type": [
 "access"
 ]
@@ -492,7 +489,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "web"
 ],
 "duration": 28000000,
- "kind": "event",
 "type": [
 "access"
 ]
@@ -598,7 +594,6 @@ The following table lists the fields that are extracted, normalized under the EC
 |`event.action` | `keyword` | The action captured by the event. |
 |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
 |`event.duration` | `long` | Duration of the event in nanoseconds. |
-|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
 |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
 |`host.os.full` | `keyword` | Operating system name, including the version or code name. |
 |`http.request.method` | `keyword` | HTTP request method. |
diff --git a/_shared_content/operations_center/integrations/generated/d6d15297-e977-4584-9bb3-f0290b99f014.md b/_shared_content/operations_center/integrations/generated/d6d15297-e977-4584-9bb3-f0290b99f014.md
index a68c0fd41d..138f9b4b40 100644
--- a/_shared_content/operations_center/integrations/generated/d6d15297-e977-4584-9bb3-f0290b99f014.md
+++ b/_shared_content/operations_center/integrations/generated/d6d15297-e977-4584-9bb3-f0290b99f014.md
@@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte
 | Name | Values |
 | ---- | ------ |
-| Kind | `alert`, `event` |
+| Kind | `alert` |
 | Category | `authentication`, `network`, `session` |
 | Type | `connection`, `end`, `info`, `start` |
@@ -39,7 +39,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "authentication"
 ],
 "dataset": "auth",
- "kind": "event",
 "reason": "Invalid user name/password on SSH session User 'john.doe' is trying to login from 1.2.3.4",
 "type": [
 "info"
@@ -76,7 +75,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "authentication"
 ],
 "dataset": "auth",
- "kind": "event",
 "reason": "User 'john.doe' logged in from 1.2.3.4 to SSH session",
 "type": [
 "start"
@@ -113,7 +111,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "dhcp-snoop",
- "kind": "event",
 "reason": "backplane: Attempt to release address 3.4.5.6 leased to port Trk7 detected on port Trk8",
 "type": [
 "connection"
@@ -144,7 +141,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "dhcp-snoop",
- "kind": "event",
 "reason": "backplane: Ceasing bad release logs for 5m",
 "type": [
 "connection"
@@ -166,7 +162,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "session"
 ],
 "dataset": "mgr",
- "kind": "event",
 "reason": "SME SSH from 1.2.3.4 - MANAGER Mode",
 "type": [
 "start"
@@ -197,7 +192,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "crypto",
- "kind": "event",
 "reason": "Certificate used by http-ssl application is expired.",
 "type": [
 "connection"
@@ -219,7 +213,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "dhcp-server",
- "kind": "event",
 "reason": "No IP addresses to offer from pool Adm-wifi (8 times in 60 seconds)",
 "type": [
 "connection"
@@ -241,7 +234,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "dhcp-server",
- "kind": "event",
 "reason": "High threshold reached for pool Adm-wifi. Active bindings: 2, Free bindings: 0",
 "type": [
 "connection"
@@ -263,7 +255,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "FFI",
- "kind": "event",
 "reason": "port 1/11-High collision or drop rate. See help.",
 "type": [
 "connection"
@@ -285,7 +276,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "dataset": "ports",
- "kind": "event",
 "reason": "port 2/16 in Trk7 is now on-line",
 "type": [
 "connection"
@@ -307,7 +297,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "ports", - "kind": "event", "reason": "port 2/16 is Blocked by LACP", "type": [ "connection" @@ -329,7 +318,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "ports", - "kind": "event", "reason": "port 1/8 is now on-line", "type": [ "connection" @@ -351,7 +339,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "ports", - "kind": "event", "reason": "port 1/8 is now off-line", "type": [ "connection" @@ -435,7 +422,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "SNTP", - "kind": "event", "reason": "Updated time by 4 seconds from server at 1.2.3.4. Previous time was Mon Aug 28 11:53:06 2023. Current time is Mon Aug 28 11:53:10 2023.", "type": [ "connection" @@ -466,7 +452,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "session" ], "dataset": "ssl", - "kind": "event", "reason": "User :TLS connection failed for WEB-UI session from 1.2.3.4. (1 times in 60 seconds)", "type": [ "info" @@ -497,7 +482,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "session" ], "dataset": "ssl", - "kind": "event", "reason": "SSL/TLS session closed for WEB-UI from 1.2.3.4.", "type": [ "end" diff --git a/_shared_content/operations_center/integrations/generated/d6f69e04-6ab7-40c0-9723-84060aeb5529.md b/_shared_content/operations_center/integrations/generated/d6f69e04-6ab7-40c0-9723-84060aeb5529.md index 6b24c74d8b..866db46acc 100644 --- a/_shared_content/operations_center/integrations/generated/d6f69e04-6ab7-40c0-9723-84060aeb5529.md +++ b/_shared_content/operations_center/integrations/generated/d6f69e04-6ab7-40c0-9723-84060aeb5529.md 
@@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `authentication` | | Type | `end`, `start` | @@ -36,7 +36,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "\ufeff@cee: {\"category\": \"ADMIN\", \"modificationDiff\": \"\", \"serviceName\": \"MY-SERVICE\", \"serviceType\": \"https\", \"severity\": \"WARNING\", \"source\": {\"authenticationMode\": \"PASSWORD\", \"ip\": \"172.17.0.30\", \"osInfo\": \"Windows(10)\", \"profiles\": [\"ADMINISTRATOR\"], \"protocol\": \"WEB\", \"realmName\": \"my-realm.local\", \"roles\": [\"PROVEIT-ADMINISTRATOR-PROFILE\"], \"sessionId\": \"6c036039-2ea0-4a12-bf54-98c827db986b\", \"softwareInfo\": \"Firefox (107.0)\", \"type\": \"HB\", \"userName\": \"my.user\"}, \"timestamp\": \"2022-12-08T21:37:18.323112+01:00\", \"type\": \"ADMIN_SERVICES_SERVICE_MODIFY\"}\n\n", "event": { "action": "admin_services_service_modify", - "kind": "event", "severity": 30 }, "@timestamp": "2022-12-08T20:37:18.323112Z", @@ -90,7 +89,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "\ufeff@cee: {\"category\": \"SYSTEM\", \"severity\": \"INFO\", \"source\": {\"componentId\": \"coremanager\", \"type\": \"SYSTEM\"}, \"timestamp\": \"2022-12-13T06:25:56.859488+01:00\", \"type\": \"SYSTEM_SIMM_UNLOCKED\"}\n\n", "event": { "action": "system_simm_unlocked", - "kind": "event", "severity": 10 }, "@timestamp": "2022-12-13T05:25:56.859488Z", 
@@ -120,7 +118,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "\ufeff@cee: {\"auditRecordsNumber\": 202, \"category\": \"SYSTEM\", \"severity\": \"INFO\", \"source\": {\"componentId\": \"coremanager\", \"type\": \"SYSTEM\"}, \"storageCurrentSpace\": 3336175616, \"storageFreeSpace\": 66275975168, \"storageId\": 1, \"storageName\": \"d\\\\u00e9faut\", \"storageTotalSpace\": 73386811392, \"timestamp\": \"2022-12-12T21:27:04.063158+01:00\", \"type\": \"SYSTEM_STORAGE_STATS\"}", "event": { "action": "system_storage_stats", - "kind": "event", "severity": 10 }, "@timestamp": "2022-12-12T20:27:04.063158Z", @@ -153,7 +150,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "outcome": "failure", "reason": "BAD_CREDENTIALS", "severity": 30, @@ -213,7 +209,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "outcome": "success", "severity": 10, "type": [ @@ -274,7 +269,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "outcome": "success", "severity": 10, "type": [ @@ -335,7 +329,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "outcome": "success", "severity": 10, "type": [ 
@@ -393,7 +386,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "\ufeff@cee: {\"category\": \"USER\", \"context\": {\"authMode\": \"PASSWORD\", \"authUserName\": \"adminisitrateur\"}, \"reason\": \"AUTH_ERROR\", \"service\": {\"groupName\": \"Prod-Serveurs\", \"host\": \"10.1.0.26\", \"name\": \"AD2\", \"port\": 3389, \"protocol\": \"rdp\"}, \"severity\": \"WARNING\", \"source\": {\"authenticationMode\": \"PASSWORD\", \"ip\": \"10.1.2.5\", \"osInfo\": \"Unknown Unknown\", \"profiles\": [\"USER\"], \"protocol\": \"rdp\", \"realmName\": \"my-realm.local\", \"roles\": [\"DSI - RESTREINT\"], \"sessionId\": \"20ed63ad-cd6d-4bfa-9251-09cdb3a2133e\", \"softwareInfo\": \"\", \"type\": \"HB\", \"userName\": \"my.user\"}, \"timestamp\": \"2022-12-12T09:09:20.974448+01:00\", \"type\": \"USER_SERVICE_CONNECTION_FAILURE\"}\n", "event": { "action": "user_service_connection_failure", - "kind": "event", "reason": "AUTH_ERROR", "severity": 30 }, @@ -460,7 +452,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "action": "user_service_connection_summary", "end": "2022-12-11T17:27:37.690038Z", - "kind": "event", "severity": 10, "start": "2022-12-11T17:27:27.581333Z" }, 
@@ -526,7 +517,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "\ufeff@cee: {\"category\": \"USER\", \"context\": {\"authMode\": \"PASSWORD\", \"authUserName\": \"administrateur\"}, \"service\": {\"groupName\": \"Prod-Serveurs\", \"host\": \"10.1.0.26\", \"name\": \"AD2\", \"port\": 3389, \"protocol\": \"rdp\"}, \"severity\": \"INFO\", \"source\": {\"authenticationMode\": \"PASSWORD\", \"ip\": \"10.1.2.5\", \"osInfo\": \"Unknown Unknown\", \"profiles\": [\"USER\"], \"protocol\": \"rdp\", \"realmName\": \"my-realm.local\", \"roles\": [\"DSI - RESTREINT\"], \"sessionId\": \"7b4b9364-fa4a-4507-8976-f75056a3a546\", \"softwareInfo\": \"\", \"type\": \"HB\", \"userName\": \"my.user\"}, \"timestamp\": \"2022-12-12T16:58:58.072633+01:00\", \"type\": \"USER_SERVICE_DISCONNECTION\"}", "event": { "action": "user_service_disconnection", - "kind": "event", "severity": 10 }, "@timestamp": "2022-12-12T15:58:58.072633Z", @@ -591,7 +581,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "\ufeff@cee: {\"category\": \"USER\", \"context\": {\"authMode\": \"PASSWORD\", \"authUserName\": \"my.other.user\"}, \"service\": {\"groupName\": \"Prod-Serveurs\", \"host\": \"serveur1.my-realm.local\", \"name\": \"titan\", \"port\": 3389, \"protocol\": \"rdp\"}, \"severity\": \"INFO\", \"source\": {\"authenticationMode\": \"PASSWORD\", \"ip\": \"10.1.2.7\", \"osInfo\": \"Unknown Unknown\", \"profiles\": [\"USER\"], \"protocol\": \"rdp\", \"realmName\": \"my-realm.local\", \"roles\": [\"DSI - ALL\"], \"sessionId\": \"e4cc4c66-e7cd-4c13-b626-200016b048c5\", \"softwareInfo\": \"\", \"type\": \"HB\", \"userName\": \"my.other.user\"}, \"timestamp\": \"2022-12-12T11:34:35.608171+01:00\", \"type\": \"USER_SERVICE_DISCONNECTION_ON_INACTIVITY\"}\n", "event": { "action": "user_service_disconnection_on_inactivity", - "kind": "event", "severity": 10 }, "@timestamp": "2022-12-12T10:34:35.608171Z", 
@@ -660,7 +649,6 @@ The following table lists the fields that are extracted, normalized under the EC |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.end` | `date` | event.end contains the date when the event ended or when the activity was last observed. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.outcome` | `keyword` | The outcome of the event. The lowest level categorization field in the hierarchy. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. | diff --git a/_shared_content/operations_center/integrations/generated/d719e8b5-85a1-4dad-bf71-46155af56570.md b/_shared_content/operations_center/integrations/generated/d719e8b5-85a1-4dad-bf71-46155af56570.md index 0046c92354..dc08acb125 100644 --- a/_shared_content/operations_center/integrations/generated/d719e8b5-85a1-4dad-bf71-46155af56570.md +++ b/_shared_content/operations_center/integrations/generated/d719e8b5-85a1-4dad-bf71-46155af56570.md @@ -17,7 +17,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `authentication`, `malware`, `network`, `session` | | Type | `end`, `info`, `start` | 
@@ -29,6 +29,57 @@ In details, the following table denotes the type of events produced by this inte Find below few samples of events and how they are normalized by Sekoia.io. +=== "auth_was_rejected.json" + + ```json + + { + "message": "1.0|WatchGuard|XTM|12.10.2.B692269|11000005|host_name=Member2#011serial=AAAAAAAAAAAAA#011msg=Authentication of SSLVPN user [john.doe@example.org@radius] from 1.2.3.4 was rejected, Recv timeout", + "event": { + "category": [ + "authentication" + ], + "code": "11000005", + "outcome": "failure", + "reason": "Authentication of SSLVPN user [john.doe@example.org@radius] from 1.2.3.4 was rejected, Recv timeout", + "type": [ + "start" + ] + }, + "observer": { + "product": "XTM", + "serial_number": "AAAAAAAAAAAAA", + "type": "firewall", + "vendor": "WatchGuard", + "version": "12.10.2.B692269" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "name": "john.doe" + }, + "watchguard": { + "firebox": { + "dhcp": { + "operation": "none" + } + } + } + } + + ``` + + === "connection.json" ```json @@ -41,7 +92,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "30000148", - "kind": "event", "type": [ "allowed", "connection" @@ -118,7 +168,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "30000151", - "kind": "event", "type": [ "allowed", "connection" @@ -197,7 +246,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "30000148", - "kind": "event", "type": [ "allowed", "connection" @@ -269,7 +317,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "30000151", - "kind": "event", "type": [ "allowed", "connection" 
@@ -340,7 +387,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "30000148", - "kind": "event", "reason": "tcp syn checking failed (expecting SYN packet for new TCP connection, but received ACK, FIN, or RST instead).", "type": [ "connection", @@ -421,7 +467,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "16000065", - "kind": "event", "reason": "DHCPACK on 10.0.2.52 to 00:01:21:30:0f:a0 (Lab001) via vlan2", "type": [ "info" @@ -471,7 +516,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "16000066", - "kind": "event", "reason": "DHCPREQUEST for 10.0.2.52 from 00:01:21:30:0f:a0 (Lab001) via vlan2", "type": [ "info" @@ -522,7 +566,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "1AFF0024", - "kind": "event", "reason": "HTTP request", "type": [ "allowed", @@ -624,7 +667,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "2CFF0009", - "kind": "event", "reason": "ProxyInspect: HTTPS content inspection", "type": [ "allowed", @@ -702,7 +744,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "1AFF0021", - "kind": "event", "reason": "ProxyDeny: HTTP Request categories", "type": [ "connection", @@ -788,7 +829,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "30000149", - "kind": "event", "reason": "Application identified", "type": [ "allowed", @@ -882,7 +922,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "30000173", - "kind": "event", "reason": "blocked sites (geolocation source)", "type": [ "connection", 
@@ -964,7 +1003,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "30000148", - "kind": "event", "type": [ "connection", "denied" @@ -1045,7 +1083,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "1DFF000F", - "kind": "event", "reason": "DNS request", "type": [ "allowed", @@ -1121,7 +1158,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "code": "11000004", - "kind": "event", + "outcome": "success", "reason": "Authentication of SSLVPN user [john.doe@example.org@radius] from 1.2.3.4 was accepted", "type": [ "start" @@ -1172,7 +1209,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "session" ], "code": "3E000004", - "kind": "event", "reason": "SSL VPN user john.doe@example.org@radius from 1.2.3.4 logged out assigned virtual IP is 4.3.2.1", "type": [ "end" @@ -1224,10 +1260,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "code": "50000001", - "kind": "event", + "outcome": "failure", "reason": "WSM User @Firebox-DB from 1.2.3.4 log in attempt was rejected - unknown reason.", "type": [ - "end" + "start" ] }, "observer": { @@ -1269,10 +1305,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "code": "50000001", - "kind": "event", + "outcome": "failure", "reason": "WebUI User page@Firebox-DB from 127.0.0.1 log in attempt was rejected - invalid credentials or user doesn't exist.", "type": [ - "end" + "start" ] }, "observer": { @@ -1321,7 +1357,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "malware" ], "code": "1AFF0018", - "kind": "event", "reason": "ProxyAvScan: HTTP Content Type match", "type": [ "info" 
@@ -1401,7 +1436,7 @@ The following table lists the fields that are extracted, normalized under the EC |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.code` | `keyword` | Identification code for this event. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.outcome` | `keyword` | The outcome of the event. The lowest level categorization field in the hierarchy. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`http.request.method` | `keyword` | HTTP request method. | diff --git a/_shared_content/operations_center/integrations/generated/d9f337a4-1303-47d4-b15f-1f83807ff3cc.md b/_shared_content/operations_center/integrations/generated/d9f337a4-1303-47d4-b15f-1f83807ff3cc.md index 48cb1132a0..28f0d08c7c 100644 --- a/_shared_content/operations_center/integrations/generated/d9f337a4-1303-47d4-b15f-1f83807ff3cc.md +++ b/_shared_content/operations_center/integrations/generated/d9f337a4-1303-47d4-b15f-1f83807ff3cc.md @@ -17,7 +17,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `network` | | Type | `["connection", "access"]`, `["connection", "allowed"]`, `["connection", "denied"]`, `["connection", "error"]` | @@ -42,7 +42,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "dataset": "imperva-waf", "duration": 100000000.0, "end": "2040-10-23T01:18:10Z", - "kind": "event", "module": "imperva.waf", "start": "2009-02-13T23:31:30Z", "type": [ 
@@ -155,7 +154,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "dataset": "imperva-waf", "duration": 2.0, "end": "2022-04-12T14:09:58.765000Z", - "kind": "event", "module": "imperva.waf", "reason": "The HTTP request was malformated", "start": "2022-04-12T14:09:58.763000Z", @@ -251,7 +249,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "dataset": "imperva-waf", "duration": 2.0, "end": "2022-04-12T14:09:58.765000Z", - "kind": "event", "module": "imperva.waf", "reason": "The destination was blacklisted", "start": "2022-04-12T14:09:58.763000Z", @@ -347,7 +344,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "dataset": "imperva-waf", "duration": 2.0, "end": "2022-04-12T14:09:58.765000Z", - "kind": "event", "module": "imperva.waf", "reason": "The connection was blocked", "start": "2022-04-12T14:09:58.763000Z", @@ -443,7 +439,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "dataset": "imperva-waf", "duration": 2.0, "end": "2022-04-12T14:09:58.765000Z", - "kind": "event", "module": "imperva.waf", "start": "2022-04-12T14:09:58.763000Z", "type": [ @@ -538,7 +533,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "dataset": "imperva-waf", "duration": 100000000.0, "end": "2040-10-23T01:18:10Z", - "kind": "event", "module": "imperva.waf", "reason": "A challenge was submitted to the client", "start": "2009-02-13T23:31:30Z", @@ -680,7 +674,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "dataset": "imperva-waf", "duration": 2.0, "end": "2022-04-12T14:09:58.765000Z", - "kind": "event", "module": "imperva.waf", "reason": "The destination doesn't support IPv6 addresses", "start": "2022-04-12T14:09:58.763000Z", 
@@ -776,7 +769,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "dataset": "imperva-waf", "duration": 2.0, "end": "2022-04-12T14:09:58.765000Z", - "kind": "event", "module": "imperva.waf", "start": "2022-04-12T14:09:58.763000Z", "type": [ @@ -871,7 +863,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "dataset": "imperva-waf", "duration": 2.0, "end": "2022-04-12T14:09:58.765000Z", - "kind": "event", "module": "imperva.waf", "reason": "The proxy failed to resolve the destination", "start": "2022-04-12T14:09:58.763000Z", @@ -971,7 +962,6 @@ The following table lists the fields that are extracted, normalized under the EC |`event.dataset` | `keyword` | Name of the dataset. | |`event.duration` | `long` | Duration of the event in nanoseconds. | |`event.end` | `date` | event.end contains the date when the event ended or when the activity was last observed. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.module` | `keyword` | Name of the module this data is coming from. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. | diff --git a/_shared_content/operations_center/integrations/generated/da3555f9-8213-41b8-8659-4cb814431e29.md b/_shared_content/operations_center/integrations/generated/da3555f9-8213-41b8-8659-4cb814431e29.md index d4c27bfcf3..7b439832e4 100644 --- a/_shared_content/operations_center/integrations/generated/da3555f9-8213-41b8-8659-4cb814431e29.md +++ b/_shared_content/operations_center/integrations/generated/da3555f9-8213-41b8-8659-4cb814431e29.md @@ -18,7 +18,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `host` | | Type | `info` | 
@@ -40,7 +40,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "host" ], - "kind": "event", "type": [ "info" ] @@ -104,7 +103,6 @@ The following table lists the fields that are extracted, normalized under the EC | Name | Type | Description | | ---- | ---- | ---------------------------| |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`host.id` | `keyword` | Unique host id. | |`host.name` | `keyword` | Name of the host. | diff --git a/_shared_content/operations_center/integrations/generated/dbebefdd-dd2e-48a9-89e6-ee5a00ee0956.md b/_shared_content/operations_center/integrations/generated/dbebefdd-dd2e-48a9-89e6-ee5a00ee0956.md index 6b1c430e82..d8dcfbb7d3 100644 --- a/_shared_content/operations_center/integrations/generated/dbebefdd-dd2e-48a9-89e6-ee5a00ee0956.md +++ b/_shared_content/operations_center/integrations/generated/dbebefdd-dd2e-48a9-89e6-ee5a00ee0956.md @@ -15,14 +15,6 @@ The following table lists the data source offered by this integration. -In details, the following table denotes the type of events produced by this integration. - -| Name | Values | -| ---- | ------ | -| Kind | `event` | -| Category | `` | -| Type | `` | - @@ -41,7 +33,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "configuration" ], - "kind": "event", "reason": "Backup server general options have been changed", "type": [ "change" @@ -80,7 +71,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "configuration" ], - "kind": "event", "reason": "Backup server general options have been changed", "type": [ "change" 
@@ -119,7 +109,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "configuration" ], - "kind": "event", "reason": "Credentials MyMachine\\jdoe have been added", "type": [ "creation" @@ -161,7 +150,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "configuration" ], - "kind": "event", "reason": "Agent Backup job 'Agent Backup Job 1' has been created.", "type": [ "creation" @@ -196,7 +184,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "configuration" ], - "kind": "event", "reason": "'1' objects has been created for 'Agent Backup Job 1'.", "type": [ "creation" @@ -240,7 +227,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "reason": "Agent Backup job 'Agent Backup Job 1' has been started by user .\\SYSTEM.", "type": [ "start" @@ -274,7 +260,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "reason": "Rescan job 'Rescan of Agent Backup Job 1' has been started.", "type": [ "start" @@ -308,7 +293,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "configuration" ], - "kind": "event", "reason": "Component [Veeam Agent for Windows] on the host [127.0.0.1] has been updated", "type": [ "change" @@ -351,7 +335,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "configuration" ], - "kind": "event", "reason": "Agent Backup job 'Agent Backup Job 1 - 127.0.0.1' has been created.", "type": [ "creation" @@ -386,7 +369,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "reason": "Agent Backup job 'Agent Backup Job 1 - 127.0.0.1' has been started by user NT AUTHORITY\\SYSTEM.", "type": [ "start" 
@@ -420,7 +402,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "reason": "The Rescan job 'Rescan of Agent Backup Job 1' has finished with Success state.", "type": [ "end" @@ -454,7 +435,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "malware" ], - "kind": "event", "reason": "Malware detection settings have been changed.", "type": [ "info" @@ -493,7 +473,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "file" ], - "kind": "event", "reason": "VM '127.0.0.1' restore point has been created.", "type": [ "creation" @@ -538,7 +517,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "reason": "VM 127.0.0.1 task has finished with 'InProgress' state.", "type": [ "end" @@ -585,7 +563,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "reason": "Agent Backup job 'Agent Backup Job 1' finished with Success. All objects have been backed up successfully.", "type": [ "end" @@ -619,7 +596,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "reason": "Rescan job 'Rescan of 127.0.0.1' has been started.", "type": [ "start" @@ -653,7 +629,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "reason": "The Rescan job 'Rescan of 127.0.0.1' has finished with Success state.", "type": [ "end" @@ -687,7 +662,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "configuration" ], - "kind": "event", "reason": "Protection Group Protection Group 1 has been added.", "type": [ "creation" 
@@ -732,7 +706,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "reason": "Rescan job 'Rescan of Protection Group 1' has been started by user MyMachine\\jdoe.", "type": [ "start" @@ -766,7 +739,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "reason": "The Rescan job 'Rescan of Protection Group 1' has finished with Success state.", "type": [ "end" @@ -800,7 +772,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "reason": "Agent Backup job 'Agent Backup Job 1' has been started.", "type": [ "start" @@ -834,7 +805,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "reason": "Agent Backup job 'Agent Backup Job 1 - 127.0.0.1' has been started.", "type": [ "start" @@ -868,7 +838,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "process" ], - "kind": "event", "reason": "Agent Backup job 'Agent Backup Job 1' finished with Success. All objects have been backed up successfully.", "type": [ "end" @@ -902,7 +871,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "file" ], - "kind": "event", "reason": "Restore point for VM '127.0.0.1' has been removed by user MyMachine\\jdoe.", "type": [ "deletion" 
@@ -949,7 +917,6 @@ The following table lists the fields that are extracted, normalized under the EC |`@timestamp` | `date` | Date/time when the event originated. | |`agent.name` | `keyword` | Custom name of the agent. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`host.ip` | `ip` | Host ip addresses. | diff --git a/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md b/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md index 188fb8c215..bf9c2395f1 100644 --- a/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md +++ b/_shared_content/operations_center/integrations/generated/dc0f339f-5dbe-4e68-9fa0-c63661820941.md @@ -18,7 +18,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `authentication`, `configuration`, `network`, `process` | | Type | `change`, `connection`, `info`, `start` | @@ -42,7 +42,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "configuration" ], "dataset": "audit", - "kind": "event", "type": [ "change" ] @@ -88,7 +87,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "audit", - "kind": "event", "type": [ "start" ] @@ -133,7 +131,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process" ], "dataset": "casb", - "kind": "event", "type": [ "info" ] 
@@ -168,7 +165,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "dns", - "kind": "event", "type": [ "info" ] @@ -236,7 +232,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "dataset": "firewall", "duration": 340, - "kind": "event", "type": [ "connection" ] @@ -301,7 +296,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "web", - "kind": "event", "type": [ "info" ] @@ -402,7 +396,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "web", - "kind": "event", "type": [ "info" ] @@ -505,7 +498,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process" ], "dataset": "casb", - "kind": "event", "type": [ "info" ] @@ -565,7 +557,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "tunnel", - "kind": "event", "type": [ "connection" ] @@ -622,7 +613,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "tunnel", - "kind": "event", "type": [ "connection" ] @@ -677,7 +667,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "tunnel", - "kind": "event", "type": [ "connection" ] 
@@ -742,7 +731,6 @@ The following table lists the fields that are extracted, normalized under the EC |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.duration` | `long` | Duration of the event in nanoseconds. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`file.directory` | `keyword` | Directory where the file is located. | |`file.hash.md5` | `keyword` | MD5 hash. | diff --git a/_shared_content/operations_center/integrations/generated/e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e.md b/_shared_content/operations_center/integrations/generated/e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e.md index 952a77e4bc..0a492a43c6 100644 --- a/_shared_content/operations_center/integrations/generated/e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e.md +++ b/_shared_content/operations_center/integrations/generated/e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e.md @@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `email`, `network` | | Type | `info` | @@ -39,7 +39,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "email" ], "dataset": "maillog", - "kind": "event", "type": [ "info" ] @@ -89,7 +88,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "message", - "kind": "event", "type": [ "allowed" ] @@ -196,7 +194,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "message", - "kind": "event", "type": [ "denied" ] @@ -311,7 +308,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "message", - "kind": "event", "type": [ "allowed" ] 
@@ -398,7 +394,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "email" ], "dataset": "msgPartsUrl", - "kind": "event", "type": [ "info" ] @@ -445,7 +440,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "email" ], "dataset": "msgParts", - "kind": "event", "type": [ "info" ] @@ -538,7 +532,6 @@ The following table lists the fields that are extracted, normalized under the EC |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.dataset` | `keyword` | Name of the dataset. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`file.hash.md5` | `keyword` | MD5 hash. | |`file.hash.sha256` | `keyword` | SHA256 hash. | diff --git a/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md b/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md index 9aae1d5001..94afe749b3 100644 --- a/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md +++ b/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md @@ -17,7 +17,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `email` | | Type | `change`, `deletion`, `denied`, `info` | @@ -40,7 +40,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "email" ], - "kind": "event", "type": [ "info" ] @@ -126,7 +125,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "email" ], - "kind": "event", "type": [ "info" ] 
@@ -199,7 +197,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "email" ], - "kind": "event", "type": [ "change" ] @@ -285,7 +282,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "email" ], - "kind": "event", "type": [ "info" ] @@ -353,7 +349,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "email" ], - "kind": "event", "reason": "The email contains a URL that is flagged as Phishing by Vade Secure Global Threat Intelligence", "type": [ "info" @@ -389,7 +384,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "email" ], - "kind": "event", "type": [ "info" ] @@ -432,7 +426,6 @@ The following table lists the fields that are extracted, normalized under the EC |`email.to.address` | `keyword` | email.to.address | |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`source.ip` | `ip` | IP address of the source. | diff --git a/_shared_content/operations_center/integrations/generated/e6bb2404-8fc8-4124-a785-c1276277b5d7.md b/_shared_content/operations_center/integrations/generated/e6bb2404-8fc8-4124-a785-c1276277b5d7.md index 2005edaad3..f60c15f8b2 100644 --- a/_shared_content/operations_center/integrations/generated/e6bb2404-8fc8-4124-a785-c1276277b5d7.md +++ b/_shared_content/operations_center/integrations/generated/e6bb2404-8fc8-4124-a785-c1276277b5d7.md 
@@ -17,7 +17,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `authentication`, `iam`, `session` | | Type | `change`, `start` | @@ -41,7 +41,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "system-log", - "kind": "event", "reason": "Authenticate user via IDP", "type": [ "start" @@ -153,7 +152,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "system-log", - "kind": "event", "reason": "Authentication of user via MFA", "type": [ "start" @@ -259,7 +257,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "system-log", - "kind": "event", "reason": "User single sign on to app", "type": [ "start" @@ -363,7 +360,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "system-log", - "kind": "event", "reason": "User single sign on to app", "type": [ "start" @@ -468,7 +464,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "session" ], "dataset": "system-log", - "kind": "event", "reason": "User login to Okta", "type": [ "start" @@ -534,7 +529,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "system-log", - "kind": "event", "reason": "A push was sent to a user for verification", "type": [ "start" @@ -634,7 +628,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "authentication" ], "dataset": "system-log", - "kind": "event", "reason": "User single sign on to app", "type": [ "start" @@ -741,7 +734,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "iam" ], "dataset": "system-log", - "kind": "event", "reason": "User update password for Okta", "type": [ "change" 
@@ -840,7 +832,6 @@ The following table lists the fields that are extracted, normalized under the EC |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.dataset` | `keyword` | Name of the dataset. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`observer.vendor` | `keyword` | Vendor name of the observer. | diff --git a/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b.md b/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b.md index e3436fb49c..f1bd96d30f 100644 --- a/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b.md +++ b/_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b.md @@ -17,7 +17,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `authentication`, `network` | | Type | `info`, `start` | @@ -39,7 +39,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] @@ -75,7 +74,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] @@ -114,7 +112,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] @@ -153,7 +150,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] 
@@ -188,7 +184,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "VERIFY OK: depth=1, CN=Easy-RSA CA", "type": [ "info" @@ -220,7 +215,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "VERIFY OK: depth=0, CN=client01", "type": [ "info" @@ -252,7 +246,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "peer info: IV_COMP_STUB=1", "type": [ "info" @@ -284,7 +277,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "peer info: IV_COMP_STUBv2=1", "type": [ "info" @@ -316,7 +308,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "SENT CONTROL [client01]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 1,cipher AES-256-GCM' (status=1)", "type": [ "info" @@ -338,7 +329,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "Diffie-Hellman initialized with 2048 bit key", "type": [ "info" @@ -360,7 +350,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "net_route_v4_best_gw query: dst 0.0.0.0", "type": [ "info" @@ -382,7 +371,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "Could not determine IPv4/IPv6 protocol. Using AF_INET", "type": [ "info" 
@@ -404,7 +392,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "Socket Buffers: R=[212992->212992] S=[212992->212992]", "type": [ "info" @@ -426,7 +413,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "UDPv4 link local (bound): [AF_INET][undef]:1194", "type": [ "info" @@ -448,7 +434,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "UDPv4 link remote: [AF_UNSPEC]", "type": [ "info" @@ -470,7 +455,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "MULTI: multi_init called, r=256 v=256", "type": [ "info" @@ -492,7 +476,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "peer info: IV_VER=2.6.6", "type": [ "info" @@ -524,7 +507,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "IFCONFIG POOL IPv4", "type": [ "info" @@ -555,7 +537,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "ifconfig_pool_read", "type": [ "info" @@ -590,7 +571,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "succeeded -> ifconfig_pool_set(hand=0)", "type": [ "info" @@ -612,7 +592,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "IFCONFIG POOL LIST", "type": [ "info" 
@@ -634,7 +613,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "event_wait : Interrupted system call (code=4)", "type": [ "info" @@ -656,7 +634,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "peer info: IV_PLAT=linux", "type": [ "info" @@ -688,7 +665,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "peer info: IV_TCPNL=1", "type": [ "info" @@ -720,7 +696,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "peer info: IV_MTU=1600", "type": [ "info" @@ -752,7 +727,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "peer info: IV_NCP=2", "type": [ "info" @@ -784,7 +758,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305", "type": [ "info" @@ -816,7 +789,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "peer info: IV_PROTO=990", "type": [ "info" @@ -848,7 +820,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "reason": "peer info: IV_LZO_STUB=1", "type": [ "info" @@ -880,7 +851,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] @@ -909,7 +879,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] 
@@ -937,7 +906,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "outcome": "failure", "type": [ "start" @@ -967,7 +935,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "outcome": "failure", "type": [ "start" @@ -989,7 +956,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "outcome": "failure", "type": [ "start" @@ -1011,7 +977,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "outcome": "failure", "type": [ "start" @@ -1040,7 +1005,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "authentication" ], - "kind": "event", "outcome": "failure", "type": [ "start" @@ -1069,7 +1033,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] @@ -1104,7 +1067,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] @@ -1132,7 +1094,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] @@ -1160,7 +1121,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] @@ -1188,7 +1148,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] @@ -1227,7 +1186,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event", "type": [ "info" ] 
@@ -1258,7 +1216,6 @@ The following table lists the fields that are extracted, normalized under the EC |`client.nat.ip` | `ip` | Client NAT ip address | |`client.port` | `long` | Port of the client. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.outcome` | `keyword` | The outcome of the event. The lowest level categorization field in the hierarchy. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | diff --git a/_shared_content/operations_center/integrations/generated/e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6.md b/_shared_content/operations_center/integrations/generated/e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6.md index 32aed6a465..9167e3cb31 100644 --- a/_shared_content/operations_center/integrations/generated/e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6.md +++ b/_shared_content/operations_center/integrations/generated/e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6.md @@ -19,7 +19,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `process` | | Type | `` | @@ -41,8 +41,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "AUD_It", "category": [ "process" - ], - "kind": "event" + ] }, "action": { "status": "OK", @@ -84,8 +83,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "AUD_Proc", "category": [ "process" - ], - "kind": "event" + ] }, "action": { "status": "OK", @@ -119,8 +117,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "CRON_Finish", "category": [ "process" - ], - "kind": "event" + ] }, "action": { "status": "OK", 
@@ -154,8 +151,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "CRON_Start", "category": [ "process" - ], - "kind": "event" + ] }, "action": { "status": "OK", @@ -189,8 +185,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "FILE_Link", "category": [ "process" - ], - "kind": "event" + ] }, "action": { "status": "OK", @@ -234,8 +229,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "FILE_Link", "category": [ "process" - ], - "kind": "event" + ] }, "action": { "status": "OK", @@ -278,8 +272,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "FILE_Pipe", "category": [ "process" - ], - "kind": "event" + ] }, "action": { "status": "OK", @@ -319,8 +312,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "FILE_Read", "category": [ "process" - ], - "kind": "event" + ] }, "action": { "status": "OK", @@ -356,8 +348,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "FILE_Rename", "category": [ "process" - ], - "kind": "event" + ] }, "action": { "status": "OK", @@ -401,8 +392,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "SRC_Start", "category": [ "process" - ], - "kind": "event" + ] }, "action": { "status": "OK", @@ -438,8 +428,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "FILE_Unlink", "category": [ "process" - ], - "kind": "event" + ] }, "action": { "status": "OK", @@ -482,8 +471,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "FS_Chroot", "category": [ "process" - ], - "kind": "event" + ] }, "action": { "status": "OK", 
@@ -519,8 +507,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "FS_Mkdir", "category": [ "process" - ], - "kind": "event" + ] }, "action": { "status": "OK", @@ -563,8 +550,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "FS_Rmdir", "category": [ "process" - ], - "kind": "event" + ] }, "action": { "status": "OK", @@ -600,8 +586,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "PROC_Adjtime", "category": [ "process" - ], - "kind": "event" + ] }, "action": { "status": "OK", @@ -634,8 +619,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "PROC_Execute", "category": [ "process" - ], - "kind": "event" + ] }, "action": { "status": "FAIL", @@ -676,8 +660,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "PROC_Kill", "category": [ "process" - ], - "kind": "event" + ] }, "action": { "status": "OK", @@ -711,8 +694,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "PROC_LoadError", "category": [ "process" - ], - "kind": "event" + ] }, "action": { "target": "process" @@ -744,8 +726,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "PROC_RealGID", "category": [ "process" - ], - "kind": "event" + ] }, "action": { "status": "OK", @@ -778,8 +759,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "PROC_SetGroups", "category": [ "process" - ], - "kind": "event" + ] }, "action": { "status": "OK", @@ -812,8 +792,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "PROC_SetUserIDs", "category": [ "process" - ], - "kind": "event" + ] }, "action": { "status": "OK", 
@@ -846,8 +825,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "PROC_SetUserIDs", "category": [ "process" - ], - "kind": "event" + ] }, "action": { "status": "OK", @@ -880,8 +858,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "PROC_Sysconfig", "category": [ "process" - ], - "kind": "event" + ] }, "action": { "status": "OK", @@ -914,8 +891,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "S_PASSWD_READ", "category": [ "process" - ], - "kind": "event" + ] }, "action": { "status": "OK", @@ -958,8 +934,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "S_USER_WRITE", "category": [ "process" - ], - "kind": "event" + ] }, "action": { "status": "OK", @@ -1000,8 +975,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "TCP_kaccept", "category": [ "process" - ], - "kind": "event" + ] }, "action": { "status": "OK", @@ -1049,8 +1023,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "TCP_kbind", "category": [ "process" - ], - "kind": "event" + ] }, "action": { "status": "OK", @@ -1093,8 +1066,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "TCP_klisten", "category": [ "process" - ], - "kind": "event" + ] }, "action": { "status": "OK", @@ -1134,8 +1106,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "USER_Login", "category": [ "process" - ], - "kind": "event" + ] }, "action": { "status": "OK", @@ -1171,8 +1142,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "USER_Login", "category": [ "process" - ], - "kind": "event" + ] }, "action": { "status": "OK", 
@@ -1222,7 +1192,6 @@ The following table lists the fields that are extracted, normalized under the EC |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.code` | `keyword` | Identification code for this event. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`file.directory` | `keyword` | Directory where the file is located. | |`file.name` | `keyword` | Name of the file including the extension, without the directory. | |`file.path` | `keyword` | Full path to the file, including the file name. | diff --git a/_shared_content/operations_center/integrations/generated/eb727929-6a06-4e68-a09d-cf0e5daf3ccd.md b/_shared_content/operations_center/integrations/generated/eb727929-6a06-4e68-a09d-cf0e5daf3ccd.md index 739a21bdd2..f24f224324 100644 --- a/_shared_content/operations_center/integrations/generated/eb727929-6a06-4e68-a09d-cf0e5daf3ccd.md +++ b/_shared_content/operations_center/integrations/generated/eb727929-6a06-4e68-a09d-cf0e5daf3ccd.md @@ -17,7 +17,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `email` | | Type | `info` | @@ -39,7 +39,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "email" ], - "kind": "event", "type": [ "info" ] @@ -71,7 +70,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "email" ], - "kind": "event", "type": [ "info" ] @@ -116,7 +114,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "email" ], - "kind": "event", "outcome": "success", "type": [ "info" 
@@ -154,7 +151,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "email" ], - "kind": "event", "outcome": "success", "reason": "Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information.", "type": [ @@ -203,7 +199,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "email" ], - "kind": "event", "type": [ "info" ] @@ -235,7 +230,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "email" ], - "kind": "event", "type": [ "info" ] @@ -271,7 +265,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "email" ], - "kind": "event", "type": [ "info" ] @@ -305,7 +298,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "email" ], - "kind": "event", "outcome": "success", "type": [ "info" @@ -357,7 +349,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "email" ], - "kind": "event", "outcome": "success", "type": [ "info" @@ -409,7 +400,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "email" ], - "kind": "event", "outcome": "success", "type": [ "info" @@ -456,7 +446,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "email" ], - "kind": "event", "type": [ "info" ] @@ -496,7 +485,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "email" ], - "kind": "event", "type": [ "info" ] @@ -523,7 +511,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "email" ], - "kind": "event", "outcome": "success", "type": [ "info" @@ -571,7 +558,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "email" ], - "kind": "event", "type": [ "info" ] 
@@ -598,7 +584,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "email" ], - "kind": "event", "reason": "SASL LOGIN authentication failed: authentication failure", "type": [ "info" @@ -628,7 +613,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "email" ], - "kind": "event", "outcome": "success", "type": [ "info" @@ -664,7 +648,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "email" ], - "kind": "event", "outcome": "success", "type": [ "info" @@ -712,7 +695,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "email" ], - "kind": "event", "type": [ "info" ] @@ -745,7 +727,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "email" ], - "kind": "event", "type": [ "info" ] @@ -788,7 +769,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "email" ], - "kind": "event", "type": [ "info" ] @@ -835,7 +815,6 @@ The following table lists the fields that are extracted, normalized under the EC |`email.message_id` | `wildcard` | Value from the Message-ID header. | |`email.to.address` | `keyword` | Email address of recipient | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`file.created` | `date` | File creation time. | diff --git a/_shared_content/operations_center/integrations/generated/ee0b3023-524c-40f6-baf5-b69c7b679887.md b/_shared_content/operations_center/integrations/generated/ee0b3023-524c-40f6-baf5-b69c7b679887.md index 277f3cf04d..cd487767d6 100644 
--- a/_shared_content/operations_center/integrations/generated/ee0b3023-524c-40f6-baf5-b69c7b679887.md +++ b/_shared_content/operations_center/integrations/generated/ee0b3023-524c-40f6-baf5-b69c7b679887.md @@ -21,7 +21,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `alert`, `event` | +| Kind | `alert` | | Category | `network` | | Type | `allowed`, `denied`, `error`, `protocol` | @@ -136,7 +136,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "537", - "kind": "event", "severity": 4, "type": [ "protocol" @@ -230,7 +229,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "98", - "kind": "event", "severity": 4, "type": [ "protocol" @@ -329,7 +327,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "1460", - "kind": "event", "reason": "Gateway Anti-Virus Status: SMB file restart detected. File forwarding to Sandbox truncated for filename: hello.xlsx.", "severity": 5, "type": [ @@ -414,7 +411,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "1574", - "kind": "event", "reason": "Filename: FILENAME", "severity": 5, "type": [ @@ -517,7 +513,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "97", - "kind": "event", "severity": 4, "type": [ "denied" diff --git a/_shared_content/operations_center/integrations/generated/ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb.md b/_shared_content/operations_center/integrations/generated/ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb.md index 4a7d7499d9..cca4ab58c2 100644 --- a/_shared_content/operations_center/integrations/generated/ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb.md +++ b/_shared_content/operations_center/integrations/generated/ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb.md 
@@ -16,4 +16,318 @@ The following table lists the data source offered by this integration. +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "account_modification.json" + + ```json + + { + "message": "Un compte d\u2019utilisateur a \u00e9t\u00e9 modifi\u00e9.#015#012#015#012Sujet :#015#012#011ID de s\u00e9curit\u00e9 :#011#011S-1-5-18#015#012#011Nom du compte :#011#011CORPDOMAIN$#015#012#011Domaine du compte :#011#011CORPDOMAIN#015#012#011ID d\u2019ouverture de session :#011#0110x3e7#015#012#015#012Compte cible :#015#012#011ID de s\u00e9curit\u00e9 :#011#011S-1-5-21-241366212-796369622-1890169025-500#015#012#011Nom du compte :#011#011USERNAME#015#012#011Domaine du compte :#011#011CORPDOMAIN#015#012#015#012Attributs modifi\u00e9s :#015#012#011Nom du compte SAM :#011USERNAME#015#012#011Nom complet :#011#011#015#012#011Nom principal de l\u2019utilisateur :#011-#015#012#011R\u00e9pertoire de base :#011#011#015#012#011Lecteur de base :#011#011#015#012#011Chemin d\u2019acc\u00e8s au script :#011#011#015#012#011Chemin d\u2019acc\u00e8s au profil :#011#011#015#012#011Stations de travail utilisateurs :#011#015#012#011Derni\u00e8re modification du mot de passe le :#01110/06/2020 14:27:09#015#012#011Le compte expire le :#011#011#015#012#011ID de groupe principal :#011513#015#012#011D\u00e9l\u00e9gu\u00e9 autoris\u00e9 :#011-#015#012#011Ancienne valeur UAC :#011#0110x210#015#012#011Nouvelle valeur UAC :#011#0110x210#015#012#011Contr\u00f4le du compte d\u2019utilisateur :#011-#015#012#011Param\u00e8tres utilisateur :#011-#015#012#011Historique SID :#011#011-#015#012#011Horaire d\u2019acc\u00e8s :#011#011Tout#015#012#015#012Informations suppl\u00e9mentaires :#015#012#011Privil\u00e8ges:#011#011-", + "event": { + "code": "4738", + "outcome": "success" + }, + "action": { + "id": 4738, + "name": "Un compte d\u2019utilisateur a \u00e9t\u00e9 modifi\u00e9.", + "properties": { + "domain": "CORPDOMAIN", + "id": 
"S-1-5-21-241366212-796369622-1890169025-500", + "name": "USERNAME", + "type": "targetedUser" + }, + "target": "user", + "type": "Security" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "target": { + "domain": "CORPDOMAIN", + "id": "0x3e7", + "name": "CORPDOMAIN$", + "sid": "S-1-5-18" + } + } + } + + ``` + + +=== "logoff_mess.json" + + ```json + + { + "message": "An account was logged off.#015#012#015#012Subject:#015#012#011Security ID:#011#011S-1-5-21-1494196517-2992400115-1379426628-1000#015#012#011Account Name:#011#011username#015#012#011Account Domain:#011#011COMPUTERNAME-PC#015#012#011Logon ID:#011#0110x523d454d#015#012#015#012Logon Type:#011#011#0115#015#012#015#012This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.", + "event": { + "code": "4634", + "outcome": "success" + }, + "action": { + "id": 4634, + "name": "An account was logged off.", + "properties": { + "logon_type": 5, + "type": "targetedUser" + }, + "target": "user", + "type": "Security" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "target": { + "domain": "COMPUTERNAME-PC", + "id": "0x523d454d", + "name": "username", + "sid": "S-1-5-21-1494196517-2992400115-1379426628-1000" + } + } + } + + ``` + + +=== "logon_mess.json" + + ```json + + { + "message": "An account was successfully logged on.#015#012#015#012Subject:#015#012#011Security ID:#011#011S-1-5-21-1494196517-2992400115-1379426628-1000#015#012#011Account Name:#011#011username#015#012#011Account Domain:#011#011COMPUTERNAME-PC#015#012#011Logon ID:#011#0110x1bc9bbee#015#012#015#012Logon Type:#011#011#0115#015#012#015#012New Logon:#015#012#011Security ID:#011#011S-1-5-21-1494196517-2992400115-1379426628-1000#015#012#011Account Name:#011#011username#015#012#011Account Domain:#011#011COMPUTERNAME-PC#015#012#011Logon 
ID:#011#0110x222c4f34#015#012#011Logon GUID:#011#011{00000000-0000-0000-0000-000000000000}#015#012#015#012Process Information:#015#012#011Process ID:#011#0110x5df8#015#012#011Process Name:#011#011C:\\ABSciex\\drm\\xGate.exe#015#012#015#012Network Information:#015#012#011Workstation Name:#011COMPUTERNAME-PC#015#012#011Source Network Address:#011-#015#012#011Source Port:#011#011-#015#012#015#012Detailed Authentication Information:#015#012#011Logon Process:#011#011Advapi #015#012#011Authentication Package:#011Negotiate#015#012#011Transited Services:#011-#015#012#011Package Name (NTLM only):#011-#015#012#011Key Length:#011#0110#015#012#015#012This event is generated when a logon session is created. It is generated on the computer that was accessed.#015#012#015#012The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.#015#012#015#012The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).#015#012#015#012The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.#015#012#015#012The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.#015#012#015#012The authentication information fields provide detailed information about this specific logon request.#015#012#011- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.#015#012#011- Transited services indicate which intermediate services have participated in this logon request.#015#012#011- Package name indicates which sub-protocol was used among the NTLM protocols.#015#012#011- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.", + "event": { + "category": [ + "authentication" + ], + "code": "4624", + "outcome": "success", + "type": [ + "start" + ] + }, + "action": { + "id": 4624, + "name": "An account was successfully logged on.", + "outcome": "success", + "properties": { + "domain": "COMPUTERNAME-PC", + "id": "S-1-5-21-1494196517-2992400115-1379426628-1000", + "logon_guid": "00000000-0000-0000-0000-000000000000", + "logon_id": "0x222c4f34", + "logon_type": 5, + "name": "username", + "type": "targetedUser" + }, + "target": "user", + "type": "Security" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "process": { + "id": "0x5df8", + "name": "C:\\ABSciex\\drm\\xGate.exe" + }, + "sekoiaio": { + "authentication": { + "process": { + "name": "C:\\ABSciex\\drm\\xGate.exe" + } + }, + "server": { + "os": { + "type": "windows" + } + } + }, + "user": { + "target": { + "domain": "COMPUTERNAME-PC", + "id": "0x1bc9bbee", + "name": "username", + "sid": "S-1-5-21-1494196517-2992400115-1379426628-1000" + } + } + } + + ``` + + +=== "logon_mess_fr.json" + + ```json + + { + "message": "L\u2019ouverture de session d\u2019un compte s\u2019est correctement d\u00e9roul\u00e9e.#015#012#015#012Sujet :#015#012#011ID de s\u00e9curit\u00e9 :#011#011S-1-5-18#015#012#011Nom du compte :#011#011USERNAME$#015#012#011Domaine du compte :#011#011CORPDOMAIN#015#012#011ID d\u2019ouverture de session :#011#0110x3e7#015#012#015#012Type d\u2019ouverture de session :#011#011#0115#015#012#015#012Nouvelle ouverture de session :#015#012#011ID de s\u00e9curit\u00e9 :#011#011S-1-5-18#015#012#011Nom du compte :#011#011Syst\u00e8me#015#012#011Domaine du compte :#011#011AUTORITE NT#015#012#011ID d\u2019ouverture de session :#011#0110x3e7#015#012#011GUID d\u2019ouverture de session :#011#011{00000000-0000-0000-0000-000000000000}#015#012#015#012Informations sur le processus :#015#012#011ID du processus :#011#0110x1d0#015#012#011Nom du processus 
:#011#011C:\\Windows\\System32\\services.exe#015#012#015#012Informations sur le r\u00e9seau :#015#012#011Nom de la station de travail :#011#015#012#011Adresse du r\u00e9seau source :#011-#015#012#011Port source :#011#011-#015#012#015#012Informations d\u00e9taill\u00e9es sur l\u2019authentification :#015#012#011Processus d\u2019ouverture de session :#011#011Advapi #015#012#011Package d\u2019authentification :#011Negotiate#015#012#011Services en transit :#011-#015#012#011Nom du package (NTLM uniquement) :#011-#015#012#011Longueur de la cl\u00e9 :#011#0110#015#012#015#012Cet \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 lors de la cr\u00e9ation d\u2019une ouverture de session. Il est g\u00e9n\u00e9r\u00e9 sur l\u2019ordinateur sur lequel l\u2019ouverture de session a \u00e9t\u00e9 effectu\u00e9e.#015#012#015#012Le champ Objet indique le compte sur le syst\u00e8me local qui a demand\u00e9 l\u2019ouverture de session. Il s\u2019agit le plus souvent d\u2019un service, comme le service Serveur, ou un processus local tel que Winlogon.exe ou Services.exe.#015#012#015#012Le champ Type d\u2019ouverture de session indique le type d\u2019ouverture de session qui s\u2019est produit. Les types les plus courants sont 2 (interactif) et 3 (r\u00e9seau).#015#012#015#012Le champ Nouvelle ouverture de session indique le compte pour lequel la nouvelle ouverture de session a \u00e9t\u00e9 cr\u00e9\u00e9e, par exemple, le compte qui s\u2019est connect\u00e9.#015#012#015#012Les champs relatifs au r\u00e9seau indiquent la provenance d\u2019une demande d\u2019ouverture de session \u00e0 distance. 
Le nom de la station de travail n\u2019\u00e9tant pas toujours disponible, peut \u00eatre laiss\u00e9 vide dans certains cas.#015#012#015#012Les champs relatifs aux informations d\u2019authentification fournissent des d\u00e9tails sur cette demande d\u2019ouverture de session sp\u00e9cifique.#015#012#011- Le GUID d\u2019ouverture de session est un identificateur unique pouvant servir \u00e0 associer cet \u00e9v\u00e9nement \u00e0 un \u00e9v\u00e9nement KDC .#015#012#011- Les services en transit indiquent les services interm\u00e9diaires qui ont particip\u00e9 \u00e0 cette demande d\u2019ouverture de session.#015#012#011- Nom du package indique quel est le sous-protocole qui a \u00e9t\u00e9 utilis\u00e9 parmi les protocoles NTLM.#015#012#011- La longueur de la cl\u00e9 indique la longueur de la cl\u00e9 de session g\u00e9n\u00e9r\u00e9e", + "event": { + "category": [ + "authentication" + ], + "code": "4624", + "outcome": "success", + "type": [ + "start" + ] + }, + "action": { + "id": 4624, + "name": "L\u2019ouverture de session d\u2019un compte s\u2019est correctement d\u00e9roul\u00e9e.", + "outcome": "success", + "properties": { + "domain": "AUTORITE NT", + "id": "S-1-5-18", + "logon_guid": "00000000-0000-0000-0000-000000000000", + "logon_id": "0x3e7", + "logon_type": 5, + "name": "Syst\u00e8me", + "type": "targetedUser" + }, + "target": "user", + "type": "Security" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "process": { + "id": "0x1d0", + "name": "C:\\Windows\\System32\\services.exe" + }, + "sekoiaio": { + "authentication": { + "process": { + "name": "C:\\Windows\\System32\\services.exe" + } + }, + "server": { + "os": { + "type": "windows" + } + } + }, + "user": { + "target": { + "domain": "CORPDOMAIN", + "id": "0x3e7", + "name": "USERNAME$", + "sid": "S-1-5-18" + } + } + } + + ``` + + +=== "pass_ch.json" + + ```json + + { + "message": "Une tentative de r\u00e9initialisation de mot de passe d\u2019un compte a \u00e9t\u00e9 
effectu\u00e9e.#015#012#015#012Sujet :#015#012#011ID de s\u00e9curit\u00e9 :#011#011S-1-5-18#015#012#011Nom du compte :#011#011USERNAME$#015#012#011Domaine du compte :#011#011CORPDOMAIN#015#012#011ID d\u2019ouverture de session :#011#0110x3e7#015#012#015#012Compte cible :#015#012#011ID de s\u00e9curit\u00e9 :#011#011S-1-5-21-1563151732-852262966-262546994-500#015#012#011Nom du compte :#011#011USERNAME#015#012#011Domaine du compte :#011#011CORPDOMAIN", + "event": { + "code": "4724", + "outcome": "success" + }, + "action": { + "id": 4724, + "name": "Une tentative de r\u00e9initialisation de mot de passe d\u2019un compte a \u00e9t\u00e9 effectu\u00e9e.", + "properties": { + "domain": "CORPDOMAIN", + "id": "S-1-5-21-1563151732-852262966-262546994-500", + "name": "USERNAME", + "type": "targetedUser" + }, + "target": "user", + "type": "Security" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "user": { + "target": { + "domain": "CORPDOMAIN", + "id": "0x3e7", + "name": "USERNAME$", + "sid": "S-1-5-18" + } + } + } + + ``` + + +=== "process2.json" + + ```json + + { + "message": "D\u00e9marrage de Self-Service Plug-in (utilisateur=CORPDOMAIN\\user.name).", + "event": { + "outcome": "success" + }, + "action": { + "name": "D\u00e9marrage de Self-Service Plug-in", + "properties": { + "type": "targetedUser" + }, + "target": "user" + }, + "os": { + "family": "windows", + "platform": "windows" + }, + "related": { + "user": [ + "user.name" + ] + }, + "user": { + "domain": "CORPDOMAIN", + "name": "user.name" + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. 
+ +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`action.properties.domain` | `keyword` | | +|`action.properties.id` | `keyword` | | +|`action.properties.logon_guid` | `keyword` | | +|`action.properties.logon_id` | `keyword` | | +|`action.properties.logon_type` | `number` | | +|`action.properties.name` | `keyword` | | +|`action.properties.target` | `keyword` | | +|`action.properties.type` | `keyword` | | +|`action.target` | `keyword` | | +|`event.code` | `keyword` | Identification code for this event. | +|`event.outcome` | `keyword` | The outcome of the event. The lowest level categorization field in the hierarchy. | +|`process.id` | `keyword` | | +|`process.name` | `keyword` | Process name. | +|`user.domain` | `keyword` | Name of the directory the user is a member of. | +|`user.id` | `keyword` | Unique identifier of the user. | +|`user.name` | `keyword` | Short name or login of the user. | +|`user.sid` | `keyword` | | +|`user.target.domain` | `keyword` | Name of the directory the user is a member of. | +|`user.target.id` | `keyword` | Unique identifier of the user. | +|`user.target.name` | `keyword` | Short name or login of the user. | +|`user.target.sid` | `keyword` | | diff --git a/_shared_content/operations_center/integrations/generated/ee6364a1-9e3c-4363-9cb6-2f574bd4ce51.md b/_shared_content/operations_center/integrations/generated/ee6364a1-9e3c-4363-9cb6-2f574bd4ce51.md index 772d7dcc41..bd2a851692 100644 --- a/_shared_content/operations_center/integrations/generated/ee6364a1-9e3c-4363-9cb6-2f574bd4ce51.md +++ b/_shared_content/operations_center/integrations/generated/ee6364a1-9e3c-4363-9cb6-2f574bd4ce51.md @@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event`, `metric` | +| Kind | `metric` | | Category | `host` | | Type | `info` | 
@@ -92,7 +92,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "host" ], - "kind": "event", "type": [ "info" ] @@ -148,7 +147,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "host" ], - "kind": "event", "type": [ "info" ] @@ -204,7 +202,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "host" ], - "kind": "event", "reason": "Malware URLs detected", "type": [ "info" @@ -306,7 +303,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "host" ], - "kind": "event", "reason": "Malware detected", "type": [ "info" @@ -364,7 +360,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "host" ], - "kind": "event", "reason": "Indicators of Attack", "type": [ "info" @@ -480,7 +475,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "host" ], - "kind": "event", "reason": "Exploits", "type": [ "info" diff --git a/_shared_content/operations_center/integrations/generated/f0f95532-9928-4cde-a399-ddd992d48472.md b/_shared_content/operations_center/integrations/generated/f0f95532-9928-4cde-a399-ddd992d48472.md index bda73652dc..90bfefef13 100644 --- a/_shared_content/operations_center/integrations/generated/f0f95532-9928-4cde-a399-ddd992d48472.md +++ b/_shared_content/operations_center/integrations/generated/f0f95532-9928-4cde-a399-ddd992d48472.md @@ -17,7 +17,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `network` | | Type | `` | @@ -41,7 +41,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "1025", - "kind": "event", "reason": "Category blocked", "severity": 7, "type": [ 
@@ -145,7 +144,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "1026", - "kind": "event", "reason": "Category permitted", "severity": 1, "type": [ @@ -273,7 +271,6 @@ The following table lists the fields that are extracted, normalized under the EC |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.code` | `keyword` | Identification code for this event. | |`event.duration` | `long` | Duration of the event in nanoseconds. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.severity` | `long` | Numeric severity of the event. | |`forcepoint.cef.version` | `keyword` | The version of the CEF message | |`forcepoint.webgateway.category` | `keyword` | The category determined by real-time content analysis | diff --git a/_shared_content/operations_center/integrations/generated/f570dd30-854b-4a22-9c2d-e2cfa46bf0e5.md b/_shared_content/operations_center/integrations/generated/f570dd30-854b-4a22-9c2d-e2cfa46bf0e5.md index 1059fd8828..e140a2b0af 100644 --- a/_shared_content/operations_center/integrations/generated/f570dd30-854b-4a22-9c2d-e2cfa46bf0e5.md +++ b/_shared_content/operations_center/integrations/generated/f570dd30-854b-4a22-9c2d-e2cfa46bf0e5.md @@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `network` | | Type | `allowed`, `denied`, `info` | @@ -40,7 +40,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "gateway_http", - "kind": "event", "type": [ "info" ] @@ -158,7 +157,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "dataset": "gateway_http", - "kind": "event", "type": [ "allowed", "info" 
@@ -258,7 +256,6 @@ The following table lists the fields that are extracted, normalized under the EC |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.dataset` | `keyword` | Name of the dataset. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`file.hash.sha256` | `keyword` | SHA256 hash. | |`file.name` | `keyword` | Name of the file including the extension, without the directory. | diff --git a/_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0.md b/_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0.md index 77eb699561..21a462d406 100644 --- a/_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0.md +++ b/_shared_content/operations_center/integrations/generated/f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0.md @@ -18,7 +18,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `` | | Type | `denied` | @@ -38,7 +38,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":1000,\"TypeComputedMap\":\"LostBuffers\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0E997D-0D6B-40A9-81F1-7C21E9B8AAD3}\",\"Timestamp\":\"2023-06-15T06:30:00.0000000+01:00\",\"TimestampRaw\":133232454000000000,\"GenerateIncident\":false,\"SpecificData\":{\"LostBuffersCount\":35}}", "event": { "code": "LostBuffers", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T05:30:00Z", 
@@ -60,7 +59,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":1001,\"TypeComputedMap\":\"RulesEngCriticalError\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD054D09-4231-4A21-8BA1-440AEBAC0CC9}\",\"Timestamp\":\"2023-06-15T06:40:00.0000000+01:00\",\"TimestampRaw\":133232460000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { "code": "RulesEngCriticalError", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T05:40:00Z", @@ -82,7 +80,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":1002,\"TypeComputedMap\":\"RulesEngIdentifierCollectionError\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD060B75-CD2D-4F29-9E23-8F45C47772BA}\",\"Timestamp\":\"2023-06-15T06:50:00.0000000+01:00\",\"TimestampRaw\":133232466000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { "code": "RulesEngIdentifierCollectionError", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T05:50:00Z", @@ -104,7 +101,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":1003,\"TypeComputedMap\":\"RulesEngRulesPackageError\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0969EB-BA6D-481A-B96D-730EC18FE560}\",\"Timestamp\":\"2023-06-15T07:00:00.0000000+01:00\",\"TimestampRaw\":133232472000000000,\"GenerateIncident\":false,\"SpecificData\":{\"RulesPackageKeyPath\":\"HKLM\\\\TestPath\\\\Here\"}}", "event": { "code": "RulesEngRulesPackageError", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T06:00:00Z", 
@@ -126,7 +122,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":1004,\"TypeComputedMap\":\"RulesEngInvalidParameter\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD075EE1-778C-4E3E-81E5-A565E4A4FF68}\",\"Timestamp\":\"2023-06-15T07:10:00.0000000+01:00\",\"TimestampRaw\":133232478000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { "code": "RulesEngInvalidParameter", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T06:10:00Z", @@ -151,7 +146,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "TemporaryWebAccessStart", - "kind": "event", "severity": 0, "type": [ "start" @@ -189,7 +183,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "TemporaryWebAccessStartFailed", - "kind": "event", "severity": 0, "type": [ "end" @@ -227,7 +220,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "TemporaryWebAccessStop", - "kind": "event", "severity": 0, "type": [ "end" @@ -258,7 +250,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "TemporaryWebAccessStopFailed", - "kind": "event", "severity": 0, "type": [ "end" 
@@ -286,7 +277,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":1010,\"TypeComputedMap\":\"AgentInternalLogExceedMaxSize\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0F16E5-852C-4686-9979-AA5A859D50F2}\",\"Timestamp\":\"2023-06-15T08:00:00.0000000+01:00\",\"TimestampRaw\":133232508000000000,\"GenerateIncident\":false,\"SpecificData\":{\"FaultyLogType\":1010,\"FaultyLogTypeComputedMap\":null}}", "event": { "code": "AgentInternalLogExceedMaxSize", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T07:00:00Z", @@ -311,7 +301,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "TemporaryWebAccessMaxCountReached", - "kind": "event", "severity": 0, "type": [ "denied" @@ -349,7 +338,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "registry" ], "code": "RegistryKeyCreate", - "kind": "event", "severity": 4, "type": [ "creation" @@ -420,7 +408,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "registry" ], "code": "RegistryKeyRead", - "kind": "event", "severity": 4, "type": [ "access" @@ -491,7 +478,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "registry" ], "code": "RegistryKeyWrite", - "kind": "event", "severity": 4, "type": [ "change" @@ -562,7 +548,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process" ], "code": "ProcessExecution", - "kind": "event", "severity": 2, "type": [ "start" @@ -652,7 +637,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "registry" ], "code": "RegistryKeyDelete", - "kind": "event", "severity": 0, "type": [ "deletion" 
@@ -723,7 +707,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "registry" ], "code": "RegistryValueCreate", - "kind": "event", "severity": 4, "type": [ "creation" @@ -794,7 +777,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "registry" ], "code": "RegistryValueRead", - "kind": "event", "severity": 0, "type": [ "access" @@ -865,7 +847,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "registry" ], "code": "RegistryValueWrite", - "kind": "event", "severity": 4, "type": [ "change" @@ -936,7 +917,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "registry" ], "code": "RegistryValueDelete", - "kind": "event", "severity": 0, "type": [ "deletion" @@ -1007,7 +987,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process" ], "code": "ProcessExecution", - "kind": "event", "reason": "The 'ragnarlocker.exe' process attempted to run the 'cmd.exe' process", "severity": 0, "type": [ @@ -1101,7 +1080,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "file" ], "code": "FileCreate", - "kind": "event", "severity": 1, "type": [ "creation" @@ -1172,7 +1150,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "file" ], "code": "FileExecute", - "kind": "event", "severity": 0, "type": [ "info" @@ -1247,7 +1224,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "file" ], "code": "FileRead", - "kind": "event", "severity": 1, "type": [ "access" @@ -1318,7 +1294,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "file" ], "code": "FileWrite", - "kind": "event", "severity": 1, "type": [ "change" @@ -1389,7 +1364,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "file" ], "code": "FileDelete", - "kind": "event", "severity": 0, "type": [ "deletion" 
@@ -1461,7 +1435,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20002,\"TypeComputedMap\":\"LostBuffers\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD084103-F26D-49EA-8890-70C7DB7A63A6}\",\"Timestamp\":\"2023-06-15T08:20:00.0000000+01:00\",\"TimestampRaw\":133232520000000000,\"GenerateIncident\":false,\"SpecificData\":{\"LostBuffersCount\":30}}", "event": { "code": "LostBuffers", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T07:20:00Z", @@ -1486,7 +1459,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "configuration" ], "code": "NewPolicyNotification", - "kind": "event", "severity": 4, "type": [ "change" @@ -1514,7 +1486,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20004,\"TypeComputedMap\":\"ServiceDidNotEndCorrectly\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD021EAE-7C29-4B3F-852E-553B95D26471}\",\"Timestamp\":\"2023-06-15T08:40:00.0000000+01:00\",\"TimestampRaw\":133232532000000000,\"GenerateIncident\":false,\"SpecificData\":{\"ServiceName\":\"EsaAppIdSvc\"}}", "event": { "code": "ServiceDidNotEndCorrectly", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T07:40:00Z", 
@@ -1536,7 +1507,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20006,\"TypeComputedMap\":\"EndUpgradeAgentSucceeded\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0CD620-F5A8-430B-8FA3-BEC8E204DC74}\",\"Timestamp\":\"2023-06-15T08:50:00.0000000+01:00\",\"TimestampRaw\":133232538000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { "code": "EndUpgradeAgentSucceeded", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T07:50:00Z", @@ -1558,7 +1528,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20007,\"TypeComputedMap\":\"EndUpgradeAgentFailed\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD091E59-399B-4A0B-BB1F-7326C55502ED}\",\"Timestamp\":\"2023-06-15T09:00:00.0000000+01:00\",\"TimestampRaw\":133232544000000000,\"GenerateIncident\":false,\"SpecificData\":{\"ErrorCode\":5}}", "event": { "code": "EndUpgradeAgentFailed", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T08:00:00Z", @@ -1580,7 +1549,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20008,\"TypeComputedMap\":\"NewPolicyErrorNotification\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD025B90-CBE6-4DF3-8F4B-BFD11E38270C}\",\"Timestamp\":\"2023-06-15T09:10:00.0000000+01:00\",\"TimestampRaw\":133232550000000000,\"GenerateIncident\":false,\"SpecificData\":{\"PolicyName\":null}}", "event": { "code": "NewPolicyErrorNotification", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T08:10:00Z", 
@@ -1602,7 +1570,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20009,\"TypeComputedMap\":\"InvalidHivePackage\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0951E4-DF4A-4D4A-A636-ABEB310BB6E0}\",\"Timestamp\":\"2023-06-15T09:20:00.0000000+01:00\",\"TimestampRaw\":133232556000000000,\"GenerateIncident\":false,\"SpecificData\":{\"HivePackageFullPath\":\"C:\\\\Users\\\\User1\\\\Desktop\\\\maliviousHive.hive\",\"LoadingOperationStatus\":5}}", "event": { "code": "InvalidHivePackage", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T08:20:00Z", @@ -1627,7 +1594,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process" ], "code": "StartUninstallAgent", - "kind": "event", "severity": 0, "type": [ "start" @@ -1652,7 +1618,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20011,\"TypeComputedMap\":\"EndUninstallAgentSucceeded\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0DB33A-2194-4800-AB4E-C2BBCCFDE65D}\",\"Timestamp\":\"2023-06-15T09:40:00.0000000+01:00\",\"TimestampRaw\":133232568000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { "code": "EndUninstallAgentSucceeded", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T08:40:00Z", 
@@ -1674,7 +1639,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20012,\"TypeComputedMap\":\"EndUninstallAgentFailed\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD075976-1881-4C1C-AB5F-ABE0E0430C9A}\",\"Timestamp\":\"2023-06-15T09:50:00.0000000+01:00\",\"TimestampRaw\":133232574000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { "code": "EndUninstallAgentFailed", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T08:50:00Z", @@ -1696,7 +1660,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20013,\"TypeComputedMap\":\"InvalidPolicyPackageCab\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0B6BB8-6422-478E-93D7-1D9DD7A61EC3}\",\"Timestamp\":\"2023-06-15T00:00:00.0000000+01:00\",\"TimestampRaw\":133232580000000000,\"GenerateIncident\":false,\"SpecificData\":{\"PolicyPackageCabFullPath\":\"C:\\\\Users\\\\User1\\\\Desktop\\\\EsPolicy.hive\",\"LoadingOperationStatus\":5}}", "event": { "code": "InvalidPolicyPackageCab", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-14T23:00:00Z", @@ -1718,7 +1681,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20014,\"TypeComputedMap\":\"EsScriptHostCreateFailure\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0C4A06-F13C-47F1-BF3C-FD7136C519A4}\",\"Timestamp\":\"2023-06-15T00:10:00.0000000+01:00\",\"TimestampRaw\":133232586000000000,\"GenerateIncident\":false,\"SpecificData\":{\"ImplementationType\":0,\"StatusCode\":5}}", "event": { "code": "EsScriptHostCreateFailure", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-14T23:10:00Z", 
@@ -1740,7 +1702,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20015,\"TypeComputedMap\":\"KernelCorruptionBugcheck\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0AA66F-5A03-4CE9-ABCD-86988444224C}\",\"Timestamp\":\"2023-06-15T00:20:00.0000000+01:00\",\"TimestampRaw\":133232592000000000,\"GenerateIncident\":false,\"SpecificData\":{\"Bugcheck\":\"0x00000109 (0x00000000, 0x00000000, 0x00000000, 0x00000000)\"}}", "event": { "code": "KernelCorruptionBugcheck", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-14T23:20:00Z", @@ -1762,7 +1723,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20016,\"TypeComputedMap\":\"InvalidPolicyPackageSignature\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0CDBE2-1FD9-43B4-80A3-219638B5C585}\",\"Timestamp\":\"2023-06-15T00:30:00.0000000+01:00\",\"TimestampRaw\":133232598000000000,\"GenerateIncident\":false,\"SpecificData\":{\"StatusCode\":5,\"PolicyPackageFile\":\"C:\\\\Users\\\\User1\\\\Desktop\\\\EsPolicy.hive\"}}", "event": { "code": "InvalidPolicyPackageSignature", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-14T23:30:00Z", 
@@ -1784,7 +1744,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20017,\"TypeComputedMap\":\"StartAgentUpgrade\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD09E443-8DC7-4315-98A7-1C48312B835E}\",\"Timestamp\":\"2023-06-15T00:40:00.0000000+01:00\",\"TimestampRaw\":133232604000000000,\"GenerateIncident\":false,\"SpecificData\":{\"VersionFrom\":\"1.0.0.0\",\"VersionTo\":\"2.0.0.0\"}}", "event": { "code": "StartAgentUpgrade", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-14T23:40:00Z", @@ -1806,7 +1765,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20018,\"TypeComputedMap\":\"PolicyPackageSignerExpired\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0FE5D0-593B-41FA-B642-98F1CC214FB8}\",\"Timestamp\":\"2023-06-15T00:50:00.0000000+01:00\",\"TimestampRaw\":133232610000000000,\"GenerateIncident\":false,\"SpecificData\":{\"PolicyPackageFile\":\"C:\\\\Users\\\\User1\\\\Desktop\\\\EsPolicy.hive\"}}", "event": { "code": "PolicyPackageSignerExpired", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-14T23:50:00Z", 
@@ -1828,7 +1786,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20019,\"TypeComputedMap\":\"SelfProtectionLrpcFailure\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0A7F5A-905E-4E0B-AE2C-F1DA2D610788}\",\"Timestamp\":\"2023-06-15T01:00:00.0000000+01:00\",\"TimestampRaw\":133232616000000000,\"GenerateIncident\":false,\"SpecificData\":{\"ServerServiceName\":\"EsaAppIdSvc\",\"SelfProtectionModuleName\":\"EsaGuardSvc\",\"StatusCode\":5}}", "event": { "code": "SelfProtectionLrpcFailure", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T00:00:00Z", @@ -1850,7 +1807,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20020,\"TypeComputedMap\":\"NewPolicyFromUpdateErrorNotification\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0167A2-3042-453F-8E0C-F0B8BC76C13B}\",\"Timestamp\":\"2023-06-15T01:10:00.0000000+01:00\",\"TimestampRaw\":133232622000000000,\"GenerateIncident\":false,\"SpecificData\":{\"PolicyName\":null}}", "event": { "code": "NewPolicyFromUpdateErrorNotification", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T00:10:00Z", 
@@ -1872,7 +1828,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20021,\"TypeComputedMap\":\"NewPolicyFromUpdateNotification\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0AEC3D-BAB1-4680-827B-FAB47FF00C8E}\",\"Timestamp\":\"2023-06-15T01:20:00.0000000+01:00\",\"TimestampRaw\":133232628000000000,\"GenerateIncident\":false,\"SpecificData\":{\"PolicyGuid\":\"00000000-0000-0000-0000-000000000000\",\"PolicyVersion\":0,\"PolicyName\":null}}", "event": { "code": "NewPolicyFromUpdateNotification", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T00:20:00Z", @@ -1894,7 +1849,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20022,\"TypeComputedMap\":\"NewConfigurationNotification\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0533A5-A3D3-4F7E-A7B9-000FF784F592}\",\"Timestamp\":\"2023-06-15T01:30:00.0000000+01:00\",\"TimestampRaw\":133232634000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { "code": "NewConfigurationNotification", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T00:30:00Z", @@ -1916,7 +1870,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20023,\"TypeComputedMap\":\"NewConfigurationErrorNotification\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0369FB-ED19-4402-A1E7-900E95350EB8}\",\"Timestamp\":\"2023-06-15T01:40:00.0000000+01:00\",\"TimestampRaw\":133232640000000000,\"GenerateIncident\":false,\"SpecificData\":{\"StatusCode\":5}}", "event": { "code": "NewConfigurationErrorNotification", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T00:40:00Z", 
@@ -1938,7 +1891,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20024,\"TypeComputedMap\":\"NewConfigurationFromUpdateErrorNotification\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0C916A-4D69-416B-8014-BB8C8E461CFB}\",\"Timestamp\":\"2023-06-15T01:50:00.0000000+01:00\",\"TimestampRaw\":133232646000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { "code": "NewConfigurationFromUpdateErrorNotification", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T00:50:00Z", @@ -1960,7 +1912,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20025,\"TypeComputedMap\":\"NewConfigurationFromUpdateNotification\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0A125B-DF69-440B-B388-B1A9477E7D92}\",\"Timestamp\":\"2023-06-15T02:00:00.0000000+01:00\",\"TimestampRaw\":133232652000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { "code": "NewConfigurationFromUpdateNotification", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T01:00:00Z", @@ -1982,7 +1933,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20026,\"TypeComputedMap\":\"InvalidConfigurationPackageCab\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0F5A8B-5487-4B22-981A-885363295252}\",\"Timestamp\":\"2023-06-15T02:10:00.0000000+01:00\",\"TimestampRaw\":133232658000000000,\"GenerateIncident\":false,\"SpecificData\":{\"PackageCabFullPath\":\"C:\\\\Users\\\\User1\\\\Desktop\\\\EsConfig.hive\",\"LoadingOperationStatus\":5}}", "event": { "code": "InvalidConfigurationPackageCab", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T01:10:00Z", 
@@ -2004,7 +1954,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20027,\"TypeComputedMap\":\"DowngradeIsNotAuthorized\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD010390-5326-4D21-9673-CD1B80EF7562}\",\"Timestamp\":\"2023-06-15T02:20:00.0000000+01:00\",\"TimestampRaw\":133232664000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { "code": "DowngradeIsNotAuthorized", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T01:20:00Z", @@ -2026,7 +1975,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20028,\"TypeComputedMap\":\"SafeModeSessionNotification\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0EF160-1AE3-47C3-8F2C-BA626C3D04C7}\",\"Timestamp\":\"2023-06-15T02:30:00.0000000+01:00\",\"TimestampRaw\":133232670000000000,\"GenerateIncident\":false,\"SpecificData\":{\"LoginName\":\"User1\",\"Timestamp\":\"2023-03-13T10:54:24.6100962+01:00\"}}", "event": { "code": "SafeModeSessionNotification", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T01:30:00Z", @@ -2048,7 +1996,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20030,\"TypeComputedMap\":\"MaintenanceModeStart\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0B53D9-A9FF-4257-8A47-BA73FD9798EE}\",\"Timestamp\":\"2023-06-15T02:40:00.0000000+01:00\",\"TimestampRaw\":133232676000000000,\"GenerateIncident\":false,\"SpecificData\":{\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\"}}", "event": { "code": "MaintenanceModeStart", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T01:40:00Z", 
@@ -2080,7 +2027,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20031,\"TypeComputedMap\":\"MaintenanceModeStop\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD067EED-CA85-4D98-8C35-8DC58D0943C3}\",\"Timestamp\":\"2023-06-15T02:50:00.0000000+01:00\",\"TimestampRaw\":133232682000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { "code": "MaintenanceModeStop", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T01:50:00Z", @@ -2102,7 +2048,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20032,\"TypeComputedMap\":\"MaintenanceModeAgentUpgradePostponed\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0871CA-224C-4600-A48A-B562DB058C09}\",\"Timestamp\":\"2023-06-15T03:00:00.0000000+01:00\",\"TimestampRaw\":133232688000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { "code": "MaintenanceModeAgentUpgradePostponed", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T02:00:00Z", @@ -2124,7 +2069,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20033,\"TypeComputedMap\":\"BfeIsStoppedNotification\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0E7607-D279-4188-BE30-E2A887B80D32}\",\"Timestamp\":\"2023-06-15T03:10:00.0000000+01:00\",\"TimestampRaw\":133232694000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { "code": "BfeIsStoppedNotification", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T02:10:00Z", 
@@ -2146,7 +2090,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20034,\"TypeComputedMap\":\"RepairFailureNotification\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0D4655-336D-4DD9-9532-78433F39364A}\",\"Timestamp\":\"2023-06-15T03:20:00.0000000+01:00\",\"TimestampRaw\":133232700000000000,\"GenerateIncident\":false,\"SpecificData\":{\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"Result\":5}}", "event": { "code": "RepairFailureNotification", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T02:20:00Z", @@ -2178,7 +2121,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20035,\"TypeComputedMap\":\"RepairSuccessNotification\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0BBCE5-0299-4F04-9858-756036BCBFBC}\",\"Timestamp\":\"2023-06-15T03:30:00.0000000+01:00\",\"TimestampRaw\":133232706000000000,\"GenerateIncident\":false,\"SpecificData\":{\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\"}}", "event": { "code": "RepairSuccessNotification", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T02:30:00Z", 
@@ -2210,7 +2152,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20036,\"TypeComputedMap\":\"EndAgentModularityFailed\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD071DC0-58B6-4166-93AC-5E53F025C724}\",\"Timestamp\":\"2023-06-15T03:40:00.0000000+01:00\",\"TimestampRaw\":133232712000000000,\"GenerateIncident\":false,\"SpecificData\":{\"ErrorCode\":5}}", "event": { "code": "EndAgentModularityFailed", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T02:40:00Z", @@ -2232,7 +2173,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20037,\"TypeComputedMap\":\"EndAgentModularitySucceeded\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD016C2D-6BA8-4348-BA6D-92FB1CE190A8}\",\"Timestamp\":\"2023-06-15T03:50:00.0000000+01:00\",\"TimestampRaw\":133232718000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { "code": "EndAgentModularitySucceeded", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T02:50:00Z", @@ -2254,7 +2194,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20038,\"TypeComputedMap\":\"CommFinishFailedState\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD05A0F2-7163-4A09-9F2D-AB6EA6171047}\",\"Timestamp\":\"2023-06-15T04:00:00.0000000+01:00\",\"TimestampRaw\":133232724000000000,\"GenerateIncident\":false,\"SpecificData\":{\"ErrorCode\":5,\"State\":8,\"StateName\":\"PreviousStateName\"}}", "event": { "code": "CommFinishFailedState", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T03:00:00Z", 
@@ -2276,7 +2215,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20039,\"TypeComputedMap\":\"ForcedPatchApplication\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD09E4CF-09F4-4E78-A3E9-C4CB48471D46}\",\"Timestamp\":\"2023-06-15T04:10:00.0000000+01:00\",\"TimestampRaw\":133232730000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { "code": "ForcedPatchApplication", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T03:10:00Z", @@ -2298,7 +2236,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20040,\"TypeComputedMap\":\"ChallengeStart\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD04C00F-2052-440A-9E43-E685F60E2ACF}\",\"Timestamp\":\"2023-06-15T04:20:00.0000000+01:00\",\"TimestampRaw\":133232736000000000,\"GenerateIncident\":false,\"SpecificData\":{\"Duration\":0,\"ChallengeAction\":3}}", "event": { "code": "ChallengeStart", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T03:20:00Z", @@ -2320,7 +2257,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20041,\"TypeComputedMap\":\"ChallengeStop\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0F233B-3CCE-470B-9312-A760E05C5065}\",\"Timestamp\":\"2023-06-15T04:30:00.0000000+01:00\",\"TimestampRaw\":133232742000000000,\"GenerateIncident\":false,\"SpecificData\":{\"Manual\":true,\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"ChallengeAction\":0}}", "event": { "code": "ChallengeStop", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T03:30:00Z", 
@@ -2352,7 +2288,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20042,\"TypeComputedMap\":\"ChallengeStopFailure\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD01D6E5-6517-4E2C-B029-8A4668B9A2BE}\",\"Timestamp\":\"2023-06-15T04:40:00.0000000+01:00\",\"TimestampRaw\":133232748000000000,\"GenerateIncident\":false,\"SpecificData\":{\"ErrorCode\":5}}", "event": { "code": "ChallengeStopFailure", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T03:40:00Z", @@ -2374,7 +2309,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20043,\"TypeComputedMap\":\"WrongCabinetVersion\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD052689-74F5-4E19-A0CE-13246249763C}\",\"Timestamp\":\"2023-06-15T04:50:00.0000000+01:00\",\"TimestampRaw\":133232754000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { "code": "WrongCabinetVersion", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T03:50:00Z", @@ -2396,7 +2330,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20044,\"TypeComputedMap\":\"MultipleNetworkInterfacesMatchingTest\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD07AF61-2014-44FF-83D1-FAFDEBA00A20}\",\"Timestamp\":\"2023-06-15T05:00:00.0000000+01:00\",\"TimestampRaw\":133232760000000000,\"GenerateIncident\":false,\"SpecificData\":{\"InterfaceName\":\"DEV\",\"InterfaceDescription\":\"Lorem Iterfacum\"}}", "event": { "code": "MultipleNetworkInterfacesMatchingTest", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T04:00:00Z", 
@@ -2418,7 +2351,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20045,\"TypeComputedMap\":\"ChallengeStartFailure\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD04CFB2-80E8-4237-9345-B73E76623445}\",\"Timestamp\":\"2023-06-15T05:10:00.0000000+01:00\",\"TimestampRaw\":133232766000000000,\"GenerateIncident\":false,\"SpecificData\":{\"ErrorCode\":5}}", "event": { "code": "ChallengeStartFailure", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T04:10:00Z", 
@@ -2440,7 +2372,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20048,\"TypeComputedMap\":\"External\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0A2E72-1187-4BF6-8773-235285060E82}\",\"Timestamp\":\"2023-06-15T05:20:00.0000000+01:00\",\"TimestampRaw\":133232772000000000,\"GenerateIncident\":false,\"SpecificData\":{\"Description\":\"localized:EventForwarding_WinDefender_MalwareProtectionRealTimeProtectionFeatureConfigured\",\"OriginType\":2,\"ExtraData\":{\"Message\":\"This is a message\",\"_OriginalText\":\"2021 Mar 24 17:54:54 WinEvtLog: Microsoft-Windows-Windows Defender/Operational: INFORMATION(5007): Microsoft-Windows-Windows Defender: SYSTEM: NT AUTHORITY: W102004X64: Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.\\r\\n \\tOld value: HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\ServiceStartStates = 0x1\\r\\n \\tNew value: Default\\\\ServiceStartStates = 0x0\"},\"Fields\":{\"BaseRuleGuid\":\"64a298f2-c9e8-451f-9637-84254d2d8332\"},\"Action\":{\"PolicyGuid\":\"00000000-0000-0000-0000-000000000000\",\"PolicyVersion\":0,\"RuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"BaseRuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"IdentifierGuid\":\"00000000-0000-0000-0000-000000000000\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":false}}}", "event": { "code": "External", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T04:20:00Z", 
@@ -2472,7 +2403,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20049,\"TypeComputedMap\":\"ChallengeTooManyFailedAttempts\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0C6027-57C5-40B8-9A45-34C3259FD352}\",\"Timestamp\":\"2023-06-15T05:30:00.0000000+01:00\",\"TimestampRaw\":133232778000000000,\"GenerateIncident\":false,\"SpecificData\":{\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\"}}", "event": { "code": "ChallengeTooManyFailedAttempts", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T04:30:00Z", @@ -2504,7 +2434,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20050,\"TypeComputedMap\":\"MaintenanceModeAgentModularityPostponed\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0BF97F-A000-4C5E-B2FD-A9673DB49C79}\",\"Timestamp\":\"2023-06-15T05:40:00.0000000+01:00\",\"TimestampRaw\":133232784000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { "code": "MaintenanceModeAgentModularityPostponed", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T04:40:00Z", @@ -2526,7 +2455,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20051,\"TypeComputedMap\":\"EndUpgradeAgentNothingToDo\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD077BE1-8717-4796-AA97-4E4684223298}\",\"Timestamp\":\"2023-06-15T05:50:00.0000000+01:00\",\"TimestampRaw\":133232790000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { "code": "EndUpgradeAgentNothingToDo", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T04:50:00Z", 
@@ -2548,7 +2476,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20052,\"TypeComputedMap\":\"EndUpgradeAgentGuidUpdated\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD02DCFD-B400-42C2-BE32-B96BB54D4C10}\",\"Timestamp\":\"2023-06-15T06:00:00.0000000+01:00\",\"TimestampRaw\":133232796000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { "code": "EndUpgradeAgentGuidUpdated", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T05:00:00Z", @@ -2570,7 +2497,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20053,\"TypeComputedMap\":\"MaintenanceModeStopFailed\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD07C559-BEF6-40F8-9624-C716A0F37F67}\",\"Timestamp\":\"2023-06-15T06:10:00.0000000+01:00\",\"TimestampRaw\":133232802000000000,\"GenerateIncident\":false,\"SpecificData\":{\"ErrorCode\":0}}", "event": { "code": "MaintenanceModeStopFailed", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T05:10:00Z", @@ -2595,7 +2521,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "malware" ], "code": "KerberosPassTheTicket", - "kind": "event", "severity": 0, "type": [ "info" @@ -2661,7 +2586,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "malware" ], "code": "ArpSpoofing", - "kind": "event", "severity": 0, "type": [ "info" @@ -2699,7 +2623,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "malware" ], "code": "AgentOperationCertutilDecodeMaliciousUsage", - "kind": "event", "severity": 2, "type": [ "info" 
@@ -2789,7 +2712,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "malware" ], "code": "AgentOperationCertutilDownloadMaliciousUsage", - "kind": "event", "severity": 0, "type": [ "info" @@ -2885,7 +2807,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20059,\"TypeComputedMap\":\"AgentInternalScriptRuntimeError\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD09A421-A13C-49BF-AB67-B48A5884C559}\",\"Timestamp\":\"2023-06-15T07:00:00.0000000+01:00\",\"TimestampRaw\":133232832000000000,\"GenerateIncident\":false,\"SpecificData\":{\"ExecutionStatus\":0,\"ScriptGuid\":\"00000000-0000-0000-0000-000000000000\"}}", "event": { "code": "AgentInternalScriptRuntimeError", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T06:00:00Z", @@ -2910,7 +2831,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "malware" ], "code": "WmiPersistence", - "kind": "event", "severity": 1, "type": [ "info" @@ -2948,7 +2868,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "malware" ], "code": "Discovery", - "kind": "event", "severity": 1, "type": [ "info" 
@@ -3011,7 +2930,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20062,\"TypeComputedMap\":\"AgentInternalUninstallForbidden\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD04A57F-EE9F-4D86-AAD5-E7FC20313376}\",\"Timestamp\":\"2023-06-15T07:30:00.0000000+01:00\",\"TimestampRaw\":133232850000000000,\"GenerateIncident\":false,\"SpecificData\":{\"UninstallAttemptDateTime\":\"2020-07-07T09:29:06.066110400Z\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\"}}", "event": { "code": "AgentInternalUninstallForbidden", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T06:30:00Z", @@ -3043,7 +2961,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20063,\"TypeComputedMap\":\"AgentInternalLogExceedMaxSize\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD062E12-865A-4B16-B57B-37205E59277B}\",\"Timestamp\":\"2023-06-15T07:40:00.0000000+01:00\",\"TimestampRaw\":133232856000000000,\"GenerateIncident\":false,\"SpecificData\":{\"FaultyLogType\":1010,\"FaultyLogTypeComputedMap\":null}}", "event": { "code": "AgentInternalLogExceedMaxSize", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T06:40:00Z", 
@@ -3065,7 +2982,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20064,\"TypeComputedMap\":\"StartModularityAgent\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0F3A16-4E4E-4790-B3EB-5558D437C77E}\",\"Timestamp\":\"2023-06-15T07:50:00.0000000+01:00\",\"TimestampRaw\":133232862000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { "code": "StartModularityAgent", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T06:50:00Z", @@ -3087,7 +3003,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20065,\"TypeComputedMap\":\"StartRepairAgent\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD000F33-953C-49B2-9E91-A9D0D16FABFB}\",\"Timestamp\":\"2023-06-15T08:00:00.0000000+01:00\",\"TimestampRaw\":133232868000000000,\"GenerateIncident\":false,\"SpecificData\":{}}", "event": { "code": "StartRepairAgent", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T07:00:00Z", @@ -3109,7 +3024,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20066,\"TypeComputedMap\":\"AgentInternalVolumeWithoutShadowStorage\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD07B4CE-114A-42D1-8080-3E10EAAF1F3A}\",\"Timestamp\":\"2023-06-15T08:10:00.0000000+01:00\",\"TimestampRaw\":133232874000000000,\"GenerateIncident\":false,\"SpecificData\":{\"VolumePath\":\"\\\\\\\\?\\\\Volume{3799cd4d-464b-4908-9537-3984827f7c29}\\\\\",\"DriveLetter\":\"C:\\\\\",\"VolumeLabel\":\"some label\"}}", "event": { "code": "AgentInternalVolumeWithoutShadowStorage", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T07:10:00Z", 
@@ -3131,7 +3045,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20067,\"TypeComputedMap\":\"AgentInternalShadowCopyCreationFailure\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD04DBA1-AC27-47D4-ABBF-588CD950C127}\",\"Timestamp\":\"2023-06-15T08:20:00.0000000+01:00\",\"TimestampRaw\":133232880000000000,\"GenerateIncident\":false,\"SpecificData\":{\"VolumePath\":\"\\\\\\\\?\\\\Volume{a14d9f90-5db7-4b3c-8cf1-d9bd2f9f1a64}\\\\\",\"DriveLetter\":\"C:\\\\\",\"VolumeLabel\":\"some label\",\"ErrorCode\":5}}", "event": { "code": "AgentInternalShadowCopyCreationFailure", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T07:20:00Z", @@ -3156,7 +3069,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "malware" ], "code": "Ransomware", - "kind": "event", "severity": 1, "type": [ "info" @@ -3219,7 +3131,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "message": "{\"Version\":1,\"Type\":20069,\"TypeComputedMap\":\"AgentInternalResourcePackageDownloadFailed\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD09591B-3AF8-4605-96DE-64B269B9173E}\",\"Timestamp\":\"2023-06-15T08:40:00.0000000+01:00\",\"TimestampRaw\":133232892000000000,\"GenerateIncident\":false,\"SpecificData\":{\"StatusCode\":5,\"ResourceGuid\":\"28110024-5807-45eb-9b7b-3aed55cb3f04\"}}", "event": { "code": "AgentInternalResourcePackageDownloadFailed", - "kind": "event", "severity": 0 }, "@timestamp": "2023-06-15T07:40:00Z", 
@@ -3241,7 +3152,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"Version\":1,\"Type\":20070,\"TypeComputedMap\":\"AgentInternalInvalidResourcePackageSignature\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD018FE1-B276-4EB6-9E00-9A1CE516E02E}\",\"Timestamp\":\"2023-06-15T08:50:00.0000000+01:00\",\"TimestampRaw\":133232898000000000,\"GenerateIncident\":false,\"SpecificData\":{\"StatusCode\":5,\"ResourceGuid\":\"ce78187e-1062-4075-9bce-d8c92ee2b99e\",\"ResourcePackageFile\":\"C:\\\\Users\\\\User1\\\\Desktop\\\\EsResource.cab\"}}",
 "event": {
 "code": "AgentInternalInvalidResourcePackageSignature",
- "kind": "event",
 "severity": 0
 },
 "@timestamp": "2023-06-15T07:50:00Z",
@@ -3263,7 +3173,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"Version\":1,\"Type\":20071,\"TypeComputedMap\":\"AgentInternalSecOpsInvalidPackageSignature\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0B84DD-18EA-4C30-8D5B-91D288F9368A}\",\"Timestamp\":\"2023-06-15T09:00:00.0000000+01:00\",\"TimestampRaw\":133232904000000000,\"GenerateIncident\":false,\"SpecificData\":{\"StatusCode\":5,\"SecOpsGuid\":\"b9092244-2249-44bb-ae2d-f9e50a2b0b10\",\"SecOpsPackageFile\":\"C:\\\\Users\\\\User1\\\\Desktop\\\\SecOpsTask.cab\"}}",
 "event": {
 "code": "AgentInternalSecOpsInvalidPackageSignature",
- "kind": "event",
 "severity": 0
 },
 "@timestamp": "2023-06-15T08:00:00Z",
@@ -3285,7 +3194,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"Version\":1,\"Type\":20072,\"TypeComputedMap\":\"AgentInternalSecOpsInvalidJsonSize\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0E2013-BED1-4DC5-95FB-A881DB5F386A}\",\"Timestamp\":\"2023-06-15T09:10:00.0000000+01:00\",\"TimestampRaw\":133232910000000000,\"GenerateIncident\":false,\"SpecificData\":{\"StatusCode\":-1609564141,\"SecOpsGuid\":\"fbba1fb1-efda-4bba-9929-2d5eae03344e\",\"SecOpsPackageFile\":\"C:\\\\Users\\\\User1\\\\Desktop\\\\SecOpsTask.cab\",\"JsonSize\":10241}}",
 "event": {
 "code": "AgentInternalSecOpsInvalidJsonSize",
- "kind": "event",
 "severity": 0
 },
 "@timestamp": "2023-06-15T08:10:00Z",
@@ -3307,7 +3215,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"Version\":1,\"Type\":20073,\"TypeComputedMap\":\"AgentInternalDowngradeWithPivotVersion223IsRequired\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD02148D-0FE6-4428-805C-3B1A58BB1E1D}\",\"Timestamp\":\"2023-06-15T09:20:00.0000000+01:00\",\"TimestampRaw\":133232916000000000,\"GenerateIncident\":false,\"SpecificData\":{}}",
 "event": {
 "code": "AgentInternalDowngradeWithPivotVersion223IsRequired",
- "kind": "event",
 "severity": 0
 },
 "@timestamp": "2023-06-15T08:20:00Z",
@@ -3329,7 +3236,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"Version\":2,\"Type\":20079,\"TypeComputedMap\":\"AgentOperationYaraProcessAnalysisMatch\",\"Severity\":1,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0FD776-0C61-4946-BA0C-185518A0361C}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T01:58:14.4201973+02:00\",\"TimestampRaw\":133300870944201973,\"SpecificData\":{\"SourceProcess\":{\"PID\":5848,\"ProcessGuid\":\"{36C8E9F1-41B8-44FF-B482-FD11D323D5C7}\",\"ProcessImageName\":\"C:\\\\Windows\\\\explorer.exe\",\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"ProcessCommandLine\":\"C:\\\\Windows\\\\Explorer.EXE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"MediumMandatoryLevel\",\"IntegrityLevelDomainLookup\":\"MandatoryLabel\",\"SessionID\":2,\"HashMd5\":\"C6CD12BF63E9B9B4478E6F975E7C293D\",\"HashSha1\":\"FE02128E2A9AF073DB5D6B3843469CA87391C22A\",\"HashSha256\":\"E1EA06C6884A2CEB9DD0EFEB788011AB2B17041F1C7438A9555415501E9E374C\",\"IsProtectedOrCritical\":false,\"CertificateSignatureState\":1,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"MicrosoftWindowsProductionPCA2011\",\"SubjectCN\":\"MicrosoftWindows\",\"SigningTime\":\"2023-01-06T12:27:04.6400000+02:00\",\"ValidityStart\":\"2022-05-05T21:23:15.0000000+02:00\",\"ValidityEnd\":\"2023-05-04T21:23:15.0000000+02:00\"}],\"ProcessStartTime\":\"2023-05-31T13:05:25.0959518+02:00\",\"ProcessStartTimeRaw\":133300047250959518},\"Action\":{\"PolicyGuid\":\"{AD3E9A72-739A-4AEF-B62C-DB6A82EB6053}\",\"PolicyVersion\":4,\"RuleGuid\":\"{6D01E214-075E-472C-A56D-3C6042DEA832}\",\"BaseRuleGuid\":\"{CF2EB1A3-0A18-4406-B284-F72A4E21D34F}\",\"IdentifierGuid\":\"{00000000-0000-0000-0
000-000000000000}\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":false},\"AnalysisProperties\":{\"AnalysisUnitGuid\":\"{919C4A6A-F381-4D01-A159-34C85152B5DF}\",\"Triggers\":8,\"TriggersComputedBitMap\":[\"TRIGGER_RULE_EVENT\"],\"AssociatedEventGuid\":\"{41FD7022-DCDA-4ECE-983D-C780EC4315CA}\",\"AssociatedScheduledTaskGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedSecOpsGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedSecOpsRequestGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedBaseRuleGuid\":\"{BD00BBE6-3264-46D6-A010-AF9419FD7243}\",\"AssociatedRuleGuid\":\"{BD00BBE6-3264-46D6-A010-AF9419FD7245}\"},\"SourceProcessImageFileDetails\":{\"FileFullPath\":\"C:\\\\Windows\\\\explorer.exe\",\"FileCreateTime\":\"2023-01-12T10:52:38.2994281+02:00\",\"LastModified\":\"2023-01-12T10:52:38.4088025+02:00\",\"Owner\":\"S-1-5-21-2222222-33333333-44444444-555-2271478464\",\"OwnerNameLookup\":\"TrustedInstaller\",\"OwnerDomainLookup\":\"NTSERVICE\",\"HashMd5\":\"C6CD12BF63E9B9B4478E6F975E7C293D\",\"HashSha1\":\"FE02128E2A9AF073DB5D6B3843469CA87391C22A\",\"HashSha256\":\"E1EA06C6884A2CEB9DD0EFEB788011AB2B17041F1C7438A9555415501E9E374C\",\"HashSSDeep\":\"49152:JFV7+LB3mKxTLHWBwPvfb0xer5TaNFLGO3LL6Y6IEF98C21rf2JGno/n7w8A7/eE:obULwVw8a0cDl\"},\"MatchedYaraRules\":[{\"MatchedRule\":\"test_yaralib_pe_module_is_pe_rule\",\"Tags\":[],\"Metadatas\":[{\"MetadataKey\":\"description\",\"MetadataValue\":\"module_is_pe_rule\"},{\"MetadataKey\":\"author\",\"MetadataValue\":\"SESQAManuel\"}],\"MatchedStrings\":[]},{\"MatchedRule\":\"test_yaralib_pe_module_is_x64_rule\",\"Tags\":[],\"Metadatas\":[{\"MetadataKey\":\"description\",\"MetadataValue\":\"module_is_x64_rule\"},{\"MetadataKey\":\"author\",\"MetadataValue\":\"SESQAManuel\"}],\"MatchedStrings\":[]}]}}",
 "event": {
 "code": "AgentOperationYaraProcessAnalysisMatch",
- "kind": "event",
 "severity": 1
 },
 "@timestamp": "2023-06-14T23:58:14.420197Z",
@@ -3389,7 +3295,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"Version\":2,\"Type\":20080,\"TypeComputedMap\":\"AgentOperationYaraFileAnalysisMatch\",\"Severity\":1,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD08DEF4-1B0B-4DA3-8DDE-AAB23C392453}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T01:43:47.9837872+02:00\",\"TimestampRaw\":133300862279837872,\"SpecificData\":{\"SourceProcess\":{\"PID\":2520,\"ProcessGuid\":\"{A9344FD4-981C-4460-84B3-6649405DAF60}\",\"ProcessImageName\":\"C:\\\\ProgramFiles\\\\Notepad++\\\\notepad++.exe\",\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating system\"],\"ProcessCommandLine\":\"\\\"C:\\\\ProgramFiles\\\\Notepad++\\\\notepad++.exe\\\"\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"MediumMandatoryLevel\",\"IntegrityLevelDomainLookup\":\"MandatoryLabel\",\"SessionID\":2,\"HashMd5\":\"B7E5E966EBB9C302155D6B6E0DA21721\",\"HashSha1\":\"ECA5EA2F815C856C22F8A9BA4C2C4C0713DADED0\",\"HashSha256\":\"31AC7D30E550EEE5F28E1A04F1E7E9346BA91849B27F24C700F098654C054A8B\",\"IsProtectedOrCritical\":false,\"CertificateSignatureState\":1,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1\",\"SubjectCN\":\"Notepad++\",\"SigningTime\":\"2023-05-15T06:12:16.0000000+02:00\",\"ValidityStart\":\"2022-05-13T02:00:00.0000000+02:00\",\"ValidityEnd\":\"2025-05-15T01:59:59.0000000+02:00\"}],\"ProcessStartTime\":\"2023-05-31T13:17:23.8002785+02:00\",\"ProcessStartTimeRaw\":133300054438002785},\"Action\":{\"PolicyGuid\":\"{AD3E9A72-739A-4AEF-B62C-DB6A82EB6053}\",\"PolicyVersion\":2,\"RuleGuid\":\"{41314BB5-45D2-4878-812A-6ED813D00D0B}\",\"BaseRuleGuid\":\"{5D368004-E074-42FA-8674-B35BA3C
1FA89}\",\"IdentifierGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":false},\"AnalysisProperties\":{\"AnalysisUnitGuid\":\"{68A0C3B1-05C5-4508-B22C-E87526EB8CB9}\",\"Triggers\":8,\"TriggersComputedBitMap\":[\"TRIGGER_RULE_EVENT\"],\"AssociatedEventGuid\":\"{31BEA723-FB51-4461-A812-F7B379F09E8A}\",\"AssociatedScheduledTaskGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedSecOpsGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedSecOpsRequestGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedBaseRuleGuid\":\"{BD00BBE6-3264-46D6-A010-AF9419FD7243}\",\"AssociatedRuleGuid\":\"{BD00BBE6-3264-46D6-A010-AF9419FD7245}\"},\"FileDetails\":{\"FileFullPath\":\"C:\\\\ProgramFiles\\\\Notepad++\\\\notepad++.exe\",\"FileCreateTime\":\"2023-05-15T06:12:14.0000000+02:00\",\"LastModified\":\"2023-05-15T06:12:14.0000000+02:00\",\"Owner\":\"S-1-5-32-544\",\"OwnerNameLookup\":\"Administrators\",\"OwnerDomainLookup\":\"BUILTIN\",\"HashMd5\":\"B7E5E966EBB9C302155D6B6E0DA21721\",\"HashSha1\":\"ECA5EA2F815C856C22F8A9BA4C2C4C0713DADED0\",\"HashSha256\":\"31AC7D30E550EEE5F28E1A04F1E7E9346BA91849B27F24C700F098654C054A8B\",\"HashSSDeep\":\"49152:5d9VFXdEK1BPN2efc5bjaMOoDsKEj45gvV+/QFw935Gt4/fDT5dOotDVhJJao0gB:p26UcvVUDDxD2MdpU/KGHiLUiRt/moD\"},\"SourceProcessImageFileDetails\":{\"FileFullPath\":\"C:\\\\ProgramFiles\\\\Notepad++\\\\notepad++.exe\",\"FileCreateTime\":\"2023-05-15T06:12:14.0000000+02:00\",\"LastModified\":\"2023-05-15T06:12:14.0000000+02:00\",\"Owner\":\"S-1-5-32-544\",\"OwnerNameLookup\":\"Administrators\",\"OwnerDomainLookup\":\"BUILTIN\",\"HashMd5\":\"B7E5E966EBB9C302155D6B6E0DA21721\",\"HashSha1\":\"ECA5EA2F815C856C22F8A9BA4C2C4C0713DADED0\",\"HashSha256\":\"31AC7D30E550EEE5F28E1A04F1E7E9346BA91849B27F24C700F098654C054A8B\",\"HashSSDeep\":\"49152:5d9VFXdEK1BPN2efc5bjaMOoDsKEj45gvV+/QFw935Gt4/fDT5dOotDVhJJao0gB:p26UcvVUDDxD2MdpU/KGHiLUiRt/moD\"},\"MatchedYaraRules\":[{\"MatchedRule
\":\"test_yaralib_pe_module_is_pe_rule\",\"Tags\":[],\"Metadatas\":[{\"MetadataKey\":\"description\",\"MetadataValue\":\"module_is_pe_rule\"},{\"MetadataKey\":\"author\",\"MetadataValue\":\"SESQAManuel\"}],\"MatchedStrings\":[]},{\"MatchedRule\":\"test_yaralib_pe_module_is_x64_rule\",\"Tags\":[],\"Metadatas\":[{\"MetadataKey\":\"description\",\"MetadataValue\":\"module_is_x64_rule\"},{\"MetadataKey\":\"author\",\"MetadataValue\":\"SESQAManuel\"}],\"MatchedStrings\":[]}]}}",
 "event": {
 "code": "AgentOperationYaraFileAnalysisMatch",
- "kind": "event",
 "severity": 1
 },
 "@timestamp": "2023-06-14T23:43:47.983787Z",
@@ -3449,7 +3354,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"Version\":1,\"Type\":20081,\"TypeComputedMap\":\"AgentOperationYaraFileAnalysisMatchNoSourceProcess\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD06C8B7-7883-4C8B-862F-D9F67EA08BE7}\",\"Timestamp\":\"2023-06-15T09:50:00.0000000+01:00\",\"TimestampRaw\":133232934000000000,\"GenerateIncident\":false,\"SpecificData\":{\"MatchedYaraRules\":[{\"MatchedRule\":\"First Yara rule\",\"Tags\":null,\"Metadatas\":[{\"MetadataKey\":\"First metadata key\",\"MetadataValue\":\"First metadata value\"},{\"MetadataKey\":\"Second metadata key\",\"MetadataValue\":\"Second metadata value\"}]},{\"MatchedRule\":\"Second Yara rule\",\"Tags\":[\"First tag\",\"Second tag\",\"Third tag\"],\"Metadatas\":null},{\"MatchedRule\":\"Third Yara rule\",\"Tags\":[\"First tag\",\"Second tag\",\"Third tag\"],\"Metadatas\":[{\"MetadataKey\":\"First metadata key\",\"MetadataValue\":\"First metadata value\"},{\"MetadataKey\":\"Second metadata key\",\"MetadataValue\":\"Second metadata value\"}]}],\"FileDetails\":{\"FileFullPath\":\"C:\\\\Program 
Files\\\\WindowsApps\\\\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\\\\Notepad\\\\Notepad.exe\",\"FileCreateTime\":\"2021-06-05T15:33:12.3858496+01:00\",\"LastModified\":\"2021-06-05T15:33:12.3858496+01:00\",\"Owner\":\"S-1-5-32-544\",\"OwnerNameLookup\":\"Administrators\",\"OwnerDomainLookup\":\"BUILTIN\",\"HashMd5\":\"0EB8934F47F01E59CAC3FE0E946EE516\",\"HashSha1\":\"B4CF1A5A6577BA51971B7B7094F0EED281B29223\",\"HashSha256\":\"D36B2DC6907940B9FDBDFEFCDCD49C9F1224922E77F1374C807C961E346239C8\",\"HashSSDeep\":\"384:m7Oi2cWe/2Hnd+GQW6bbA2WinQW6j32UkXLsK6QW6cI2i+eQW6fC26rjNfQW67AV:m7+nSRPXHQS+h9pxvxQfiRW8m1pPBWa\"},\"AnalysisProperties\":{\"AnalysisUnitGuid\":\"00000000-0000-0000-0000-000000000000\",\"Triggers\":8,\"AssociatedRuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"AssociatedBaseRuleGuid\":\"00000000-0000-0000-0000-000000000000\",\"AssociatedEventGuid\":\"00000000-0000-0000-0000-000000000000\",\"AssociatedScheduledTaskGuid\":\"00000000-0000-0000-0000-000000000000\",\"AssociatedSecOpsGuid\":\"00000000-0000-0000-0000-000000000000\",\"AssociatedSecOpsRequestGuid\":\"00000000-0000-0000-0000-000000000000\"}}}",
 "event": {
 "code": "AgentOperationYaraFileAnalysisMatchNoSourceProcess",
- "kind": "event",
 "severity": 0
 },
 "@timestamp": "2023-06-15T08:50:00Z",
@@ -3474,7 +3378,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "malware"
 ],
 "code": "PpidSpoofing",
- "kind": "event",
 "severity": 0,
 "type": [
 "info"
@@ -3572,7 +3475,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"Version\":1,\"Type\":20083,\"TypeComputedMap\":\"IntegrityStart\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0DDBD7-BAC9-4F75-932D-8B68A34A6A7F}\",\"Timestamp\":\"2023-06-15T00:10:00.0000000+01:00\",\"TimestampRaw\":133232946000000000,\"GenerateIncident\":false,\"SpecificData\":{\"UserNameLookup\":null,\"UserDomainLookup\":null,\"User\":\"S-1-5-21-2222222-33333333-44444444-555\"}}",
 "event": {
 "code": "IntegrityStart",
- "kind": "event",
 "severity": 0
 },
 "@timestamp": "2023-06-14T23:10:00Z",
@@ -3597,7 +3499,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"Version\":1,\"Type\":20084,\"TypeComputedMap\":\"IntegritySuccessNotification\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0ED49D-9AA5-4470-A585-65B8A8DDAF49}\",\"Timestamp\":\"2023-06-15T00:20:00.0000000+01:00\",\"TimestampRaw\":133232952000000000,\"GenerateIncident\":false,\"SpecificData\":{\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\"}}",
 "event": {
 "code": "IntegritySuccessNotification",
- "kind": "event",
 "severity": 0
 },
 "@timestamp": "2023-06-14T23:20:00Z",
@@ -3629,7 +3530,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"Version\":1,\"Type\":20085,\"TypeComputedMap\":\"RepairSuccessWithRebootNotification\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0A53CA-5607-4B5C-A69D-BBE54085E159}\",\"Timestamp\":\"2023-06-15T00:30:00.0000000+01:00\",\"TimestampRaw\":133232958000000000,\"GenerateIncident\":false,\"SpecificData\":{\"UserNameLookup\":null,\"UserDomainLookup\":null,\"User\":\"S-1-5-21-2222222-33333333-44444444-555\"}}",
 "event": {
 "code": "RepairSuccessWithRebootNotification",
- "kind": "event",
 "severity": 0
 },
 "@timestamp": "2023-06-14T23:30:00Z",
@@ -3654,7 +3554,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"Version\":1,\"Type\":20086,\"TypeComputedMap\":\"RepairSuccessWithoutRebootNotification\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD07A96B-A47A-49A7-9430-D87EE24D362B}\",\"Timestamp\":\"2023-06-15T00:40:00.0000000+01:00\",\"TimestampRaw\":133232964000000000,\"GenerateIncident\":false,\"SpecificData\":{\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\"}}",
 "event": {
 "code": "RepairSuccessWithoutRebootNotification",
- "kind": "event",
 "severity": 0
 },
 "@timestamp": "2023-06-14T23:40:00Z",
@@ -3686,7 +3585,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"Version\":1,\"Type\":20087,\"TypeComputedMap\":\"IntegrityErrorNotification\",\"Severity\":0,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0FEB10-4AEA-4290-B09D-C89FE4025222}\",\"Timestamp\":\"2023-06-15T00:50:00.0000000+01:00\",\"TimestampRaw\":133232970000000000,\"GenerateIncident\":false,\"SpecificData\":{\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"Result\":5}}",
 "event": {
 "code": "IntegrityErrorNotification",
- "kind": "event",
 "severity": 0
 },
 "@timestamp": "2023-06-14T23:50:00Z",
@@ -3721,7 +3619,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "file"
 ],
 "code": "AgentRemediationRemoveFile",
- "kind": "event",
 "severity": 3,
 "type": [
 "deletion"
@@ -3749,7 +3646,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "process"
 ],
 "code": "AgentRemediationKillProcess",
- "kind": "event",
 "severity": 3,
 "type": [
 "end"
@@ -3777,7 +3673,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "registry"
 ],
 "code": "AgentRemediationRemoveRegistryKey",
- "kind": "event",
 "severity": 3,
 "type": [
 "deletion"
@@ -3810,7 +3705,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "registry"
 ],
 "code": "AgentRemediationRemoveRegistryValue",
- "kind": "event",
 "severity": 3,
 "type": [
 "deletion"
@@ -3843,7 +3737,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "registry"
 ],
 "code": "AgentRemediationSetRegistryValue",
- "kind": "event",
 "severity": 3,
 "type": [
 "change"
@@ -3876,7 +3769,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "malware"
 ],
 "code": "AgentRemediationExecutePowershellScript",
- "kind": "event",
 "severity": 3,
 "type": [
 "info"
@@ -3913,7 +3805,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "file"
 ],
 "code": "AgentRemediationExtractFilesFromShadowCopy",
- "kind": "event",
 "severity": 3,
 "type": [
 "info"
@@ -3941,7 +3832,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "malware"
 ],
 "code": "AgentOperationIocAnalysisNamedObjectMatch",
- "kind": "event",
 "severity": 4,
 "type": [
 "info"
@@ -3984,7 +3874,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "malware"
 ],
 "code": "AgentOperationIocAnalysisEventLogMatch",
- "kind": "event",
 "provider": "Microsoft-Windows-Security-Auditing",
 "severity": 4,
 "type": [
@@ -4023,7 +3912,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "malware"
 ],
 "code": "AgentOperationIocAnalysisFilenameMatch",
- "kind": "event",
 "severity": 4,
 "type": [
 "info"
@@ -4089,7 +3977,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "malware"
 ],
 "code": "AgentOperationIocAnalysisFilenameMatchNoSourceProcess",
- "kind": "event",
 "severity": 4,
 "type": [
 "info"
@@ -4132,7 +4019,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "malware"
 ],
 "code": "AgentOperationIocAnalysisDnsRequestMatch",
- "kind": "event",
 "severity": 4,
 "type": [
 "info"
@@ -4170,7 +4056,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "malware"
 ],
 "code": "AgentOperationIocFileSearchByHashFile",
- "kind": "event",
 "severity": 4,
 "type": [
 "info"
@@ -4231,7 +4116,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "malware"
 ],
 "code": "AgentOperationIocFileSearchByHashProcess",
- "kind": "event",
 "severity": 4,
 "type": [
 "info"
@@ -4303,7 +4187,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"Version\":1,\"Type\":20107,\"TypeComputedMap\":\"AgentOperationIocAnalysisTextualSearchProcessMatch\",\"Severity\":4,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD01D628-71C0-4432-A358-142306F65E42}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T04:49:04.5989765+02:00\",\"TimestampRaw\":133311341445989765,\"SpecificData\":{\"Action\":{\"PolicyGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"PolicyVersion\":0,\"RuleGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"BaseRuleGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"IdentifierGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"Blocked\":false,\"RequestMoveToQuarantine\":false,\"UserDecision\":false,\"SourceProcessKilled\":false},\"AnalysisProperties\":{\"AnalysisUnitGuid\":\"{C6F96B4B-22E1-4F77-B74B-BBB94E7DCEC5}\",\"Triggers\":128,\"TriggersComputedBitMap\":[\"TRIGGER_SECOPS\"],\"AssociatedEventGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedScheduledTaskGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedSecOpsGuid\":\"{D4782D23-E46A-462E-8934-BFDC32920706}\",\"AssociatedSecOpsRequestGuid\":\"{F5B8FBB4-9B35-45E7-80B6-2D6B81BDB126}\",\"AssociatedBaseRuleGuid\":\"{BB1C16CA-8916-4891-9A65-078284B20EA1}\",\"AssociatedRuleGuid\":\"{8CFC6AE9-E111-403E-90AF-1912774CBEC4}\"},\"SourceProcess\":{\"PID\":4032,\"ProcessGuid\":\"{358F6CB9-1326-469E-807D-9742D7799F1F}\",\"ProcessImageName\":\"C:\\\\Windows\\\\explorer.exe\",\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating 
system\"],\"ProcessCommandLine\":\"C:\\\\Windows\\\\Explorer.EXE\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"IntegrityLevel\":\"S-1-16-8192\",\"IntegrityLevelNameLookup\":\"Niveauobligatoiremoyen\",\"IntegrityLevelDomainLookup\":\"\u00c9tiquetteobligatoire\",\"SessionID\":2,\"HashMd5\":\"AC4C51EB24AA95B77F705AB159189E24\",\"HashSha1\":\"4583DAF9442880204730FB2C8A060430640494B1\",\"HashSha256\":\"6A671B92A69755DE6FD063FCBE4BA926D83B49F78C42DBAEED8CDB6BBC57576A\",\"IsProtectedOrCritical\":false,\"CertificateSignatureState\":1,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"Certificates\":[{\"Algorithm\":\"SHA1\",\"IssuerCN\":\"MicrosoftWindowsVerificationPCA\",\"SubjectCN\":\"MicrosoftWindows\",\"SigningTime\":\"2010-11-20T21:37:13.0000000+02:00\",\"ValidityStart\":\"2009-12-07T23:57:40.0000000+02:00\",\"ValidityEnd\":\"2011-03-07T23:57:40.0000000+02:00\"}],\"ProcessStartTime\":\"2023-06-13T14:21:19.3323750+02:00\",\"ProcessStartTimeRaw\":133311324793323750},\"SourceProcessImageFileDetails\":{\"FileFullPath\":\"C:\\\\Windows\\\\explorer.exe\",\"FileCreateTime\":\"2010-11-21T05:24:35.3136502+02:00\",\"LastModified\":\"2010-11-21T05:24:35.3448503+02:00\",\"Owner\":\"S-1-5-21-2222222-33333333-44444444-555-2271478464\",\"OwnerNameLookup\":\"TrustedInstaller\",\"OwnerDomainLookup\":\"NTSERVICE\",\"HashMd5\":\"AC4C51EB24AA95B77F705AB159189E24\",\"HashSha1\":\"4583DAF9442880204730FB2C8A060430640494B1\",\"HashSha256\":\"6A671B92A69755DE6FD063FCBE4BA926D83B49F78C42DBAEED8CDB6BBC57576A\",\"HashSSDeep\":\"49152:jxrceI/lIRYraisQhFCUCAvYYYYYYYYYYYRYYYYYYYYYYE3iA7/eFUJN9ojoso2W:FrcPlIWFvYYYYYYYYYYYRYYYYYYYYYY4\"},\"MatchedStrings\":[\"fichiertexte.txt\",\"hello\",\"qa_custom_dll_caller.exe\",\"toto\"]}}",
 "event": {
 "code": "AgentOperationIocAnalysisTextualSearchProcessMatch",
- "kind": "event",
 "severity": 4
 },
 "@timestamp": "2023-06-15T02:49:04.598976Z",
@@ -4363,7 +4246,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"Version\":1,\"Type\":20108,\"TypeComputedMap\":\"AgentOperationIocAnalysisTextualSearchFileMatch\",\"Category\":4,\"CategoryComputedMap\":\"Other\",\"Severity\":4,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0882E8-4A4E-4427-BDF6-F93C68BC2CDB}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T00:31:29.6673890+01:00\",\"TimestampRaw\":133229142896673890,\"SpecificData\":{\"Action\":{\"PolicyGuid\":\"{ACF0AC80-F5CC-4358-8CF9-3F8656637608}\",\"PolicyVersion\":2,\"RuleGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"BaseRuleGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"IdentifierGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":false},\"AnalysisProperties\":{\"AnalysisUnitGuid\":\"{4C7AAAF5-7BD4-4390-B43A-482695D9F2C8}\",\"Triggers\":8,\"TriggersComputedBitMap\":[\"TRIGGER_RULE_EVENT\"],\"AssociatedEventGuid\":\"{DCBFD32B-23DA-44DC-A50F-CCC0CFFE36BD}\",\"AssociatedScheduledTaskGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedSecOpsGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedSecOpsRequestGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedBaseRuleGuid\":\"{488C741A-6311-484B-8B99-2AE642629CA2}\",\"AssociatedRuleGuid\":\"{3A361A3F-BA50-4C5F-94EC-EF57E5ECF5DD}\"},\"SourceProcess\":{\"PID\":1580,\"ProcessGuid\":\"{66722ED3-5C92-49CB-919F-F8F710D2A7F6}\",\"ProcessImageName\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"VolumeZone\":1,\"VolumeZoneComputedBitMap\":[\"Operating 
system\"],\"ProcessCommandLine\":\"\\\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"\",\"User\":\"S-1-5-21-2222222-33333333-44444444-555\",\"UserNameLookup\":\"JOHNDOE\",\"UserDomainLookup\":\"TEST\",\"IntegrityLevel\":\"S-1-16-12288\",\"IntegrityLevelNameLookup\":\"Niveauobligatoire\u00e9lev\u00e9\",\"IntegrityLevelDomainLookup\":\"\u00c9tiquetteobligatoire\",\"SessionID\":2,\"HashMd5\":\"7353F60B1739074EB17C5F4DDDEFE239\",\"HashSha1\":\"6CBCE4A295C163791B60FC23D285E6D84F28EE4C\",\"HashSha256\":\"DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C\",\"IsProtectedOrCritical\":false,\"CertificateSignatureState\":1,\"CertificateSignatureStateComputedMap\":\"SignatureStateTrusted\",\"Certificates\":[{\"Algorithm\":\"SHA256\",\"IssuerCN\":\"MicrosoftWindowsProductionPCA2011\",\"SubjectCN\":\"MicrosoftWindows\",\"SigningTime\":\"2018-09-15T08:03:08.1030000+01:00\",\"ValidityStart\":\"2018-07-03T21:45:50.0000000+01:00\",\"ValidityEnd\":\"2019-07-26T21:45:50.0000000+01:00\"}],\"ProcessStartTime\":\"2023-03-10T10:30:15.9993999+01:00\",\"ProcessStartTimeRaw\":133229142159993999},\"SourceProcessImageFileDetails\":{\"FileFullPath\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"FileCreateTime\":\"2018-09-15T08:14:14.4547673+01:00\",\"LastModified\":\"2018-09-15T08:14:14.4547673+01:00\",\"Owner\":\"S-1-5-21-2222222-33333333-44444444-555-2271478464\",\"OwnerNameLookup\":\"TrustedInstaller\",\"OwnerDomainLookup\":\"NTSERVICE\",\"HashMd5\":\"7353F60B1739074EB17C5F4DDDEFE239\",\"HashSha1\":\"6CBCE4A295C163791B60FC23D285E6D84F28EE4C\",\"HashSha256\":\"DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C\",\"HashSSDeep\":\"6144:+srKopvMWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:BrKopEW2KXzJ4pdd3klnnWosPhnzq\"},\"FileDetails\":{\"FileFullPath\":\"C:\\\\tmp\\\\testfile1.txt\",\"FileCreateTime\":\"2023-03-10T10:31:28.6944664+01:00\",\"LastModified\":\"2023-03-10T10:31:28.6974654+01:00\",\"Owne
r\":\"S-1-5-32-544\",\"OwnerNameLookup\":\"Administrateurs\",\"OwnerDomainLookup\":\"BUILTIN\",\"HashMd5\":\"F5A4425F79015B506FD72DEC488FECAA\",\"HashSha1\":\"7AC7F7D77BA681397E6F81E343562F43D315143D\",\"HashSha256\":\"F7ED90A977D853D055AAED809EAF0733C160E60F27461F04A59CE21B0D996A35\",\"HashSSDeep\":\"3:QswlSxuQaal:QswlS5j\"},\"MatchedStrings\":[\"IOC_event_app\"]}}",
 "event": {
 "code": "AgentOperationIocAnalysisTextualSearchFileMatch",
- "kind": "event",
 "severity": 4
 },
 "@timestamp": "2023-06-14T23:31:29.667389Z",
@@ -4423,7 +4305,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "message": "{\"Version\":1,\"Type\":20109,\"TypeComputedMap\":\"AgentOperationIocAnalysisTextualSearchFileMatchNoSourceProcess\",\"Category\":4,\"CategoryComputedMap\":\"Other\",\"Severity\":4,\"ServerReserved\":0,\"Attributes\":2,\"AttributesComputedBitMap\":[\"Protection\"],\"EventGuid\":\"{AD0C7323-D0B6-492F-B6DC-B503DFE65054}\",\"GenerateIncident\":false,\"Timestamp\":\"2023-06-15T00:22:46.7229516+01:00\",\"TimestampRaw\":133229137667229516,\"SpecificData\":{\"Action\":{\"PolicyGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"PolicyVersion\":0,\"RuleGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"BaseRuleGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"IdentifierGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"Blocked\":false,\"UserDecision\":false,\"SourceProcessKilled\":false},\"AnalysisProperties\":{\"AnalysisUnitGuid\":\"{8D1643D7-0358-4D5D-B5DE-2FF3A68AE55D}\",\"Triggers\":128,\"TriggersComputedBitMap\":[\"TRIGGER_SECOPS\"],\"AssociatedEventGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedScheduledTaskGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"AssociatedSecOpsGuid\":\"{C309C9F5-8BAB-42A0-BBE2-A912143FB308}\",\"AssociatedSecOpsRequestGuid\":\"{36C30206-83CB-4B22-A80E-F32F55B1B793}\",\"AssociatedBaseRuleGuid\":\"{73F4E7F0-49CA-42E7-94E7-9CF7B5F07C93}\",\"AssociatedRuleGuid\":\"{8CFC6AE9-E111-403E-90AF-1912774CBEC4}\"},\"FileDetails\":{\"FileFullPath\":\"C:\\\\tmp\\\\Dataset\\\\IOC_filename_type_match.txt\",\"FileCreateTime\":\"2023-03-09T14:32:39.0955996+01:00\",\"LastModified\":\"2023-03-09T14:44:10.9444734+01:00\",\"Owner\":\"S-1-5-32-544\",\"OwnerNameLookup\":\"Administrateurs\",\"OwnerDomainLookup\":\"BUILTIN\",\"HashMd5\":\"0369387A3D15EA774708761AC1B15146\",\"HashSha1\":\"CE2C4F63864E3173A9D4C94A88A5061BE890F3D9\",\"HashSha256\":\"0E2D8F90D85A86BA544BDC868CD06F90C49CB3227496ABD3ABC52B0AB83680A9\",\"HashSSDeep\":\"3:S6LnhR:J
LnH\"},\"MatchedStrings\":[\"IOC_event_app\"]}}",
 "event": {
 "code": "AgentOperationIocAnalysisTextualSearchFileMatchNoSourceProcess",
- "kind": "event",
 "severity": 4
 },
 "@timestamp": "2023-06-14T23:22:46.722951Z",
@@ -4458,7 +4339,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "driver"
 ],
 "code": "Floppy",
- "kind": "event",
 "severity": 0,
 "type": [
 "info"
@@ -4499,7 +4379,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "driver"
 ],
 "code": "CDRom",
- "kind": "event",
 "severity": 0,
 "type": [
 "info"
@@ -4540,7 +4419,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "driver"
 ],
 "code": "ComPort",
- "kind": "event",
 "severity": 0,
 "type": [
 "info"
@@ -4581,7 +4459,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "driver"
 ],
 "code": "UsbDevice",
- "kind": "event",
 "severity": 1,
 "type": [
 "info"
@@ -4622,7 +4499,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "driver"
 ],
 "code": "UsbVolumeScanSuccess",
- "kind": "event",
 "severity": 0,
 "type": [
 "info"
@@ -4653,7 +4529,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "driver"
 ],
 "code": "UsbVolumeScanError",
- "kind": "event",
 "severity": 0,
 "type": [
 "info"
@@ -4684,7 +4559,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "driver"
 ],
 "code": "UsbVolumeFootprintComputationError",
- "kind": "event",
 "severity": 0,
 "type": [
 "info"
@@ -4715,7 +4589,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "network"
 ],
 "code": "BluetoothAccess",
- "kind": "event",
 "severity": 1,
 "type": [
 "connection"
@@ -4753,7 +4626,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "file"
 ],
 "code": "RawVolumeAccess",
- "kind": "event",
 "severity": 3,
 "type": [
 "access"
@@ -4824,7 +4696,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "NetworkAccessBind", - "kind": "event", "severity": 0, "type": [ "info" @@ -4898,7 +4769,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "WifiAccessConnectedNetwork", - "kind": "event", "severity": 4, "type": [ "connection" @@ -4939,7 +4809,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "WifiAccessFunctionnality", - "kind": "event", "severity": 0, "type": [ "info" @@ -4978,7 +4847,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "NetworkAccessAccept", - "kind": "event", "severity": 4, "type": [ "access" @@ -5062,7 +4930,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "NetworkAccessConnect", - "kind": "event", "severity": 0, "type": [ "denied" @@ -5142,7 +5009,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "malware" ], "code": "ProcessHollowing", - "kind": "event", "severity": 0, "type": [ "info" @@ -5208,7 +5074,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "malware" ], "code": "StackPivot", - "kind": "event", "severity": 0, "type": [ "info" @@ -5274,7 +5139,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "malware" ], "code": "DriverLoading", - "kind": "event", "severity": 0, "type": [ "info" @@ -5349,7 +5213,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "malware" ], "code": "DriverGuard", - "kind": "event", "severity": 0, "type": [ "info" @@ -5421,7 +5284,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "malware" ], "code": "HoneyPot", - "kind": "event", "severity": 0, "type": [ "info" 
@@ -5487,7 +5349,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "malware" ], "code": "TokenGuard", - "kind": "event", "severity": 1, "type": [ "info" @@ -5553,7 +5414,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process" ], "code": "Keylogging", - "kind": "event", "severity": 4, "type": [ "info" @@ -5631,7 +5491,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "malware" ], "code": "HeapSpray", - "kind": "event", "severity": 0, "type": [ "info" @@ -5697,7 +5556,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process" ], "code": "LrpcAccess", - "kind": "event", "severity": 0, "type": [ "info" @@ -5763,7 +5621,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process" ], "code": "CreateRemoteThread", - "kind": "event", "severity": 0, "type": [ "info" @@ -5841,7 +5698,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process" ], "code": "CreateRemoteThread", - "kind": "event", "reason": "The 'WmiPrvSE.exe' process injected code into the 'lsass.exe' process", "severity": 1, "type": [ @@ -5926,7 +5782,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process" ], "code": "ProcessExit", - "kind": "event", "severity": 0, "type": [ "end" @@ -5992,7 +5847,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "malware" ], "code": "SetWindowsHookExAll", - "kind": "event", "severity": 3, "type": [ "info" @@ -6058,7 +5912,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "malware" ], "code": "SetWindowsHookEx", - "kind": "event", "severity": 3, "type": [ "info" @@ -6136,7 +5989,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "malware" ], "code": "ProcessAccessWithPrivilegeEscalation", - "kind": "event", "severity": 0, "type": [ "info" 
@@ -6215,7 +6067,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "process" ], "code": "ProcessAccess", - "kind": "event", "severity": 4, "type": [ "access" @@ -6299,7 +6150,6 @@ The following table lists the fields that are extracted, normalized under the EC |`destination.port` | `long` | Port of the destination. | |`event.action` | `keyword` | The action captured by the event. | |`event.code` | `keyword` | Identification code for this event. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.provider` | `keyword` | Source of the event. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.severity` | `long` | Numeric severity of the event. | diff --git a/_shared_content/operations_center/integrations/generated/fc99c983-3e6c-448c-97e6-7e0948e12415.md b/_shared_content/operations_center/integrations/generated/fc99c983-3e6c-448c-97e6-7e0948e12415.md index 051ff2b3fe..0f0a73ea81 100644 --- a/_shared_content/operations_center/integrations/generated/fc99c983-3e6c-448c-97e6-7e0948e12415.md +++ b/_shared_content/operations_center/integrations/generated/fc99c983-3e6c-448c-97e6-7e0948e12415.md @@ -16,7 +16,7 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `event` | +| Kind | `` | | Category | `web` | | Type | `access` | @@ -39,7 +39,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "web" ], - "kind": "event", "type": [ "access" ] @@ -122,7 +121,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "web" ], - "kind": "event", "type": [ "access" ] 
@@ -209,7 +207,6 @@ The following table lists the fields that are extracted, normalized under the EC |`destination.domain` | `keyword` | The domain name of the destination. | |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | -|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`http.request.method` | `keyword` | HTTP request method. | |`http.response.status_code` | `long` | HTTP response status code. |