From 5fb84bd480707acd05efe184ee3ac5485145ec4c Mon Sep 17 00:00:00 2001
From: "sekoia-io-cross-repo-comm-app[bot]"
Date: Tue, 17 Oct 2023 08:11:47 +0000
Subject: [PATCH] Refresh intakes documentation

---
 .../aeb7d407-db57-44b2-90b6-7df6738d5d7f.md | 207 +++++++++++++++++-
 1 file changed, 206 insertions(+), 1 deletion(-)

diff --git a/_shared_content/operations_center/integrations/generated/aeb7d407-db57-44b2-90b6-7df6738d5d7f.md b/_shared_content/operations_center/integrations/generated/aeb7d407-db57-44b2-90b6-7df6738d5d7f.md
index 5f788ae4a3..a1e03200a6 100644
--- a/_shared_content/operations_center/integrations/generated/aeb7d407-db57-44b2-90b6-7df6738d5d7f.md
+++ b/_shared_content/operations_center/integrations/generated/aeb7d407-db57-44b2-90b6-7df6738d5d7f.md
@@ -28,6 +28,46 @@ In details, the following table denotes the type of events produced by this inte Find below few samples of events and how they are normalized by Sekoia.io. +=== "test_ignoring_request.json" + + ```json + + { + "message": " Ignoring request to auth address * port 1812 bound to server default from unknown client 1.2.3.4 port 9459 proto udp", + "event": { + "kind": "event", + "category": [ + "authentication" + ], + "type": [ + "info" + ], + "dataset": "freeradius.authentication" + }, + "source": { + "port": 9459, + "ip": "1.2.3.4", + "address": "1.2.3.4" + }, + "destination": { + "port": 1812 + }, + "network": { + "transport": "udp" + }, + "freeradius": { + "outcome": "Ignoring request to auth address" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + } + } + + ``` + + === "test_invalid_user.json" ```json @@ -70,7 +110,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` -=== "test_login_incorrect.json" +=== "test_login_incorrect1.json" ```json 
@@ -109,6 +149,47 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_login_incorrect2.json" + + ```json + + { + "message": "(15350502) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [domain\\username] (from client RX-WIFI-CISCO-5520-491 port 0 cli 0a3253427066)", + "event": { + "kind": "event", + "category": [ + "authentication" + ], + "type": [ + "info" + ], + "dataset": "freeradius.authentication", + "reason": "The users session was previously rejected: returning reject (again.)" + }, + "user": { + "name": "username", + "domain": "domain" + }, + "network": { + "name": "RX-WIFI-CISCO-5520-491" + }, + "source": { + "port": 0, + "mac": "0a-32-53-42-70-66" + }, + "freeradius": { + "outcome": "Login incorrect" + }, + "related": { + "user": [ + "username" + ] + } + } + + ``` + + === "test_login_ok1.json" ```json 
@@ -316,6 +397,126 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_login_ok6.json" + + ```json + + { + "message": "(737467) Login OK: [username] (from client ccsma port 0)", + "event": { + "kind": "event", + "category": [ + "authentication" + ], + "type": [ + "info" + ], + "dataset": "freeradius.authentication" + }, + "user": { + "name": "username" + }, + "network": { + "name": "ccsma" + }, + "source": { + "port": 0 + }, + "freeradius": { + "outcome": "Login OK" + }, + "related": { + "user": [ + "username" + ] + } + } + + ``` + + +=== "test_login_ok7.json" + + ```json + + { + "message": "(12403060) Login OK: [domain\\username] (from client RX-WIFI-CISCO-5520 port 8 cli 0a-84-92-6c-48-1e)", + "event": { + "kind": "event", + "category": [ + "authentication" + ], + "type": [ + "info" + ], + "dataset": "freeradius.authentication" + }, + "user": { + "name": "username", + "domain": "domain" + }, + "network": { + "name": "RX-WIFI-CISCO-5520" + }, + "source": { + "port": 8, + "mac": "0a-84-92-6c-48-1e" + }, + "freeradius": { + "outcome": "Login OK" + }, + "related": { + "user": [ + "username" + ] + } + } + + ``` + + +=== "test_login_ok8.json" + + ```json + + { + "message": "(16634082) Login OK: [host/username.example.org] (from client RX-WIFI-CISCO-5520 port 8 cli 0a-44-5b-4f-04-cf via TLS tunnel)", + "event": { + "kind": "event", + "category": [ + "authentication" + ], + "type": [ + "info" + ], + "dataset": "freeradius.authentication" + }, + "network": { + "name": "RX-WIFI-CISCO-5520", + "protocol": "TLS" + }, + "source": { + "port": 8, + "mac": "0a-44-5b-4f-04-cf", + "domain": "username.example.org", + "address": "username.example.org", + "top_level_domain": "org", + "subdomain": "username", + "registered_domain": "example.org" + }, + "freeradius": { + "outcome": "Login OK" + }, + "related": { + "hosts": [ + "username.example.org" + ] + } + } + + ``` + + 
@@ -325,6 +526,8 @@ The following table lists the fields that are extracted, normalized under the EC | Name | Type | Description | | ---- | ---- | ---------------------------| +|`destination.ip` | `ip` | IP address of the destination. | +|`destination.port` | `long` | Port of the destination. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.dataset` | `keyword` | Name of the dataset. | |`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | @@ -333,11 +536,13 @@ The following table lists the fields that are extracted, normalized under the EC |`freeradius.outcome` | `keyword` | The outcome of the event | |`network.name` | `keyword` | Name given by operators to sections of their network. | |`network.protocol` | `keyword` | Application protocol name. | +|`network.transport` | `keyword` | Protocol Name corresponding to the field `iana_number`. | |`source.domain` | `keyword` | The domain name of the source. | |`source.ip` | `ip` | IP address of the source. | |`source.mac` | `keyword` | MAC address of the source. | |`source.port` | `long` | Port of the source. | |`user.domain` | `keyword` | Name of the directory the user is a member of. | |`user.email` | `keyword` | User email address. | +|`user.id` | `keyword` | Unique identifier of the user. | |`user.name` | `keyword` | Short name or login of the user. |