
Merge pull request #1380 from SEKOIA-IO/update-intake-documentation
Refresh intakes documentation
otetard authored Oct 17, 2023
2 parents 351177a + 5fb84bd commit 4ab029c
Showing 1 changed file with 206 additions and 1 deletion.
Expand Up @@ -28,6 +28,46 @@ In details, the following table denotes the type of events produced by this inte
Find below few samples of events and how they are normalized by Sekoia.io.


=== "test_ignoring_request.json"

```json

{
"message": " Ignoring request to auth address * port 1812 bound to server default from unknown client 1.2.3.4 port 9459 proto udp",
"event": {
"kind": "event",
"category": [
"authentication"
],
"type": [
"info"
],
"dataset": "freeradius.authentication"
},
"source": {
"port": 9459,
"ip": "1.2.3.4",
"address": "1.2.3.4"
},
"destination": {
"port": 1812
},
"network": {
"transport": "udp"
},
"freeradius": {
"outcome": "Ignoring request to auth address"
},
"related": {
"ip": [
"1.2.3.4"
]
}
}
```


=== "test_invalid_user.json"

```json
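Review bot: `event.type` is `info` in `test_ignoring_request.json` for a request the server dropped because the sending NAS is not a configured client (`from unknown client 1.2.3.4`), so anyone filtering on ECS categorisation cannot tell this apart from a routine informational line; `denied` (or at least an `event.reason` carrying the unknown-client cause) would make rogue or misconfigured NAS sources searchable. Two smaller points in the same sample: `freeradius.outcome` is the truncated prefix `Ignoring request to auth address`, which drops the `unknown client` part that is the actual outcome, and `destination.ip` is absent because the listener address is `*`, so the page should say that `destination.ip` is only populated when the server is bound to a concrete address. The `message` value also keeps its leading space (`" Ignoring request ..."`), which looks like an un-trimmed raw line rather than intended content.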
Expand Down Expand Up @@ -70,7 +110,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```


=== "test_login_incorrect.json"
=== "test_login_incorrect1.json"

```json

Expand Down Expand Up @@ -109,6 +149,47 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```


=== "test_login_incorrect2.json"

```json

{
"message": "(15350502) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [domain\\username] (from client RX-WIFI-CISCO-5520-491 port 0 cli 0a3253427066)",
"event": {
"kind": "event",
"category": [
"authentication"
],
"type": [
"info"
],
"dataset": "freeradius.authentication",
"reason": "The users session was previously rejected: returning reject (again.)"
},
"user": {
"name": "username",
"domain": "domain"
},
"network": {
"name": "RX-WIFI-CISCO-5520-491"
},
"source": {
"port": 0,
"mac": "0a-32-53-42-70-66"
},
"freeradius": {
"outcome": "Login incorrect"
},
"related": {
"user": [
"username"
]
}
}
```


=== "test_login_ok1.json"

```json
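Review bot: `event.reason` in `test_login_incorrect2.json` keeps `The users session was previously rejected: returning reject (again.)` but drops the `eap_peap:` module prefix present in the raw message, which is the only indication of which EAP method produced the reject; either keep the prefix or store the module name in a dedicated `freeradius.*` field. The sample also sets no ECS `event.outcome` (`failure` here, `success` for the `Login OK` samples) even though `freeradius.outcome` carries `Login incorrect`; ECS-based detection rules filter on `event.outcome`, so this failed authentication would be invisible to them. The MAC normalisation from `0a3253427066` to `0a-32-53-42-70-66` is correct and matches the dashed form used in the other samples.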
Expand Down Expand Up @@ -316,6 +397,126 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```


=== "test_login_ok6.json"

```json

{
"message": "(737467) Login OK: [username] (from client ccsma port 0)",
"event": {
"kind": "event",
"category": [
"authentication"
],
"type": [
"info"
],
"dataset": "freeradius.authentication"
},
"user": {
"name": "username"
},
"network": {
"name": "ccsma"
},
"source": {
"port": 0
},
"freeradius": {
"outcome": "Login OK"
},
"related": {
"user": [
"username"
]
}
}
```


=== "test_login_ok7.json"

```json

{
"message": "(12403060) Login OK: [domain\\username] (from client RX-WIFI-CISCO-5520 port 8 cli 0a-84-92-6c-48-1e)",
"event": {
"kind": "event",
"category": [
"authentication"
],
"type": [
"info"
],
"dataset": "freeradius.authentication"
},
"user": {
"name": "username",
"domain": "domain"
},
"network": {
"name": "RX-WIFI-CISCO-5520"
},
"source": {
"port": 8,
"mac": "0a-84-92-6c-48-1e"
},
"freeradius": {
"outcome": "Login OK"
},
"related": {
"user": [
"username"
]
}
}
```


=== "test_login_ok8.json"

```json

{
"message": "(16634082) Login OK: [host/username.example.org] (from client RX-WIFI-CISCO-5520 port 8 cli 0a-44-5b-4f-04-cf via TLS tunnel)",
"event": {
"kind": "event",
"category": [
"authentication"
],
"type": [
"info"
],
"dataset": "freeradius.authentication"
},
"network": {
"name": "RX-WIFI-CISCO-5520",
"protocol": "TLS"
},
"source": {
"port": 8,
"mac": "0a-44-5b-4f-04-cf",
"domain": "username.example.org",
"address": "username.example.org",
"top_level_domain": "org",
"subdomain": "username",
"registered_domain": "example.org"
},
"freeradius": {
"outcome": "Login OK"
},
"related": {
"hosts": [
"username.example.org"
]
}
}
```





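Review bot: in `test_login_ok8.json` the identity `host/username.example.org` is an EAP machine identity (the `host/` prefix marks a computer account), yet the parser maps it onto `source.domain`, `source.address`, `source.registered_domain` and `source.subdomain` as if it were the NAS host name, leaves `user.name` empty and files the value under `related.hosts` rather than `related.user`. An analyst pivoting on the same identity across the `domain\\username` form of `test_login_ok7.json` and this `host/...` form will miss it; mapping the identity to `user.name` (or a `freeradius.identity` field) with `related.user` populated would keep the samples consistent. Two related points: `network.protocol: TLS` is derived from `via TLS tunnel`, which denotes the EAP tunnel method and not the application protocol of the RADIUS exchange, so the field table should say so; and `port 8` / `port 0` is the NAS port from the `from client ... port N` clause, stored in `source.port` although it is not a transport-layer port, so a note in the field description would avoid confusion with the UDP source port `9459` seen in `test_ignoring_request.json`.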
Expand All @@ -325,6 +526,8 @@ The following table lists the fields that are extracted, normalized under the EC

| Name | Type | Description |
| ---- | ---- | ---------------------------|
|`destination.ip` | `ip` | IP address of the destination. |
|`destination.port` | `long` | Port of the destination. |
|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
|`event.dataset` | `keyword` | Name of the dataset. |
|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
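Review bot: `destination.ip` is added to the field table, but none of the samples on this page populates it (`test_ignoring_request.json` only carries `destination.port` because the listener address is `*`); if the parser does extract it for listeners bound to a concrete address, a sample showing that case would document the behaviour, otherwise the row is misleading.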
Expand All @@ -333,11 +536,13 @@ The following table lists the fields that are extracted, normalized under the EC
|`freeradius.outcome` | `keyword` | The outcome of the event |
|`network.name` | `keyword` | Name given by operators to sections of their network. |
|`network.protocol` | `keyword` | Application protocol name. |
|`network.transport` | `keyword` | Protocol Name corresponding to the field `iana_number`. |
|`source.domain` | `keyword` | The domain name of the source. |
|`source.ip` | `ip` | IP address of the source. |
|`source.mac` | `keyword` | MAC address of the source. |
|`source.port` | `long` | Port of the source. |
|`user.domain` | `keyword` | Name of the directory the user is a member of. |
|`user.email` | `keyword` | User email address. |
|`user.id` | `keyword` | Unique identifier of the user. |
|`user.name` | `keyword` | Short name or login of the user. |
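Review bot: the `network.transport` description `Protocol Name corresponding to the field iana_number` is the generic ECS wording and refers to `network.iana_number`, which this intake does not extract and which is not in the table; `Transport protocol of the RADIUS exchange (udp)` would describe what the samples actually show. Likewise `source.domain` is described as `The domain name of the source`, but the only sample that populates it (`test_login_ok8.json`) stores the EAP identity `host/username.example.org` there, so the description should say what the parser really puts in it. `user.email` and `user.id` are listed although no sample on the page shows either populated.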
