Merge pull request #1735 from SEKOIA-IO/update-intake-documentation
Refresh intakes documentation
squioc authored Apr 16, 2024
2 parents 6e3fb58 + bf4fdd5 commit 5aa8b31
Showing 11 changed files with 3,089 additions and 29 deletions.
Expand Up @@ -742,9 +742,16 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"10.79.48.3"
],
"user": [
"VMware vim-java 1.0"
"VMware vim-java 1.0",
"vpxd-extension-3876e603-9146-4105-90ff-075afdf17160"
]
},
"source": {
"user": {
"domain": "VSPHERE.LOCAL",
"name": "vpxd-extension-3876e603-9146-4105-90ff-075afdf17160"
}
},
"user": {
"name": "VMware vim-java 1.0"
},
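Review bot: after this change the login principal ("vpxd-extension-3876e603-9146-4105-90ff-075afdf17160" in VSPHERE.LOCAL) only lands in source.user.name / source.user.domain, while user.name keeps the client identifier "VMware vim-java 1.0". In ECS user.name is the account the event is about, so any rule keyed on user.name for this intake will match the client string rather than the account, and related.user now mixes both kinds of value. Consider mapping the principal to user.name and user.domain as well and moving the client string to user_agent.original or a vmware_vcenter.* field.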
Expand Down Expand Up @@ -787,9 +794,15 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"127.0.0.1"
],
"user": [
"pyvmomi"
"pyvmomi",
"root"
]
},
"source": {
"user": {
"name": "root"
}
},
"user": {
"name": "pyvmomi"
},
Expand Down Expand Up @@ -980,6 +993,58 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```


=== "session_logs_type_1_2.json"

```json

{
"message": "Event [22091524] [1-1] [2023-11-29T15:51:06.726839Z] [vim.event.UserLoginSessionEvent] [info] [EXAMPLE\\john_doe] [] [22091524] [User EXAMPLE\\[email protected] logged in as JAAA-WS RI 2.3.0 svn-revision#3528ea595bd29309f69172d231bbce272d21999c]",
"event": {
"category": [
"authentication"
],
"code": "vim.event.UserLoginSessionEvent",
"type": [
"start"
]
},
"@timestamp": "2023-11-29T15:51:06.726839Z",
"host": {
"ip": "1.2.3.4"
},
"log": {
"level": "info"
},
"observer": {
"product": "VCenter",
"vendor": "VMWare"
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"JAAA-WS RI 2.3.0 svn-revision#3528ea595bd29309f69172d231bbce272d21999c",
"john_doe"
]
},
"source": {
"user": {
"domain": "EXAMPLE",
"name": "john_doe"
}
},
"user": {
"name": "JAAA-WS RI 2.3.0 svn-revision#3528ea595bd29309f69172d231bbce272d21999c"
},
"vmware_vcenter": {
"event_id": "22091524"
}
}
```





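Review bot: this sample is a successful login (vim.event.UserLoginSessionEvent, "logged in as"), yet the normalized event has no event.outcome; adding "outcome": "success" next to "type": ["start"] lets failed-login rules filter on outcome instead of on the message text. As in the earlier samples, the client description (the "JAAA-WS RI 2.3.0 svn-revision#..." string) is placed in user.name while the account john_doe is only under source.user.name. Minor: observer.vendor "VMWare" and observer.product "VCenter" use a different casing from the vendor's own "VMware" / "vCenter"; pick one form and keep it consistent across intakes.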
Expand Down Expand Up @@ -1010,6 +1075,7 @@ The following table lists the fields that are extracted, normalized under the EC
|`source.address` | `keyword` | Source network address. |
|`source.ip` | `ip` | IP address of the source. |
|`source.port` | `long` | Port of the source. |
|`source.user.domain` | `keyword` | Name of the directory the user is a member of. |
|`source.user.name` | `keyword` | Short name or login of the user. |
|`url.path` | `wildcard` | Path of the request, such as "/search". |
|`user.name` | `keyword` | Short name or login of the user. |
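Review bot: the new source.user.domain row reads fine, but the table still describes user.name as "Short name or login of the user" while the samples above put the client string ("VMware vim-java 1.0", "pyvmomi") there and the login under source.user.name. Either align the parser with these descriptions or document that, for this intake, user.name carries the client identifier and source.user.name / source.user.domain carry the authenticated account.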
Expand Up @@ -45,6 +45,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
],
"kind": "alert",
"severity": 3,
"start": "2024-01-07T19:54:41.492407Z",
"type": [
"connection"
]
Expand Down Expand Up @@ -82,6 +83,13 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"protocol": "TCP",
"transport": "TCP"
},
"observer": {
"ingress": {
"interface": {
"name": "eth0"
}
}
},
"related": {
"ip": [
"1.2.3.4",
Expand Down Expand Up @@ -115,6 +123,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
],
"kind": "alert",
"severity": 3,
"start": "2024-01-16T15:31:05.667442Z",
"type": [
"connection"
]
Expand Down Expand Up @@ -152,6 +161,13 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"protocol": "TCP",
"transport": "TCP"
},
"observer": {
"ingress": {
"interface": {
"name": "eth0"
}
}
},
"related": {
"hosts": [
"169.254.169.254"
Expand Down Expand Up @@ -219,6 +235,13 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"protocol": "TCP",
"transport": "TCP"
},
"observer": {
"ingress": {
"interface": {
"name": "ens192"
}
}
},
"related": {
"ip": [
"10.200.52.1",
Expand Down Expand Up @@ -302,6 +325,13 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"protocol": "UDP",
"transport": "UDP"
},
"observer": {
"ingress": {
"interface": {
"name": "eth0"
}
}
},
"related": {
"ip": [
"172.31.0.2",
Expand Down Expand Up @@ -379,6 +409,13 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"protocol": "UDP",
"transport": "UDP"
},
"observer": {
"ingress": {
"interface": {
"name": "eth0"
}
}
},
"related": {
"hosts": [
"org.repo.release.build.test.com"
Expand Down Expand Up @@ -443,6 +480,13 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"protocol": "UDP",
"transport": "UDP"
},
"observer": {
"ingress": {
"interface": {
"name": "eth0"
}
}
},
"related": {
"ip": [
"172.31.0.2",
Expand Down Expand Up @@ -501,6 +545,13 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"protocol": "UDP",
"transport": "UDP"
},
"observer": {
"ingress": {
"interface": {
"name": "eth0"
}
}
},
"related": {
"hosts": [
"rp1.sekoia.io"
Expand Down Expand Up @@ -530,6 +581,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"category": [
"network"
],
"end": "2024-01-09T15:07:44.740950Z",
"reason": "timeout",
"start": "2024-01-09T15:07:44.721525Z",
"type": [
"connection"
]
Expand All @@ -550,6 +604,13 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"protocol": "TCP",
"transport": "TCP"
},
"observer": {
"ingress": {
"interface": {
"name": "eth0"
}
}
},
"related": {
"ip": [
"1.2.3.4",
Expand Down Expand Up @@ -597,6 +658,13 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"protocol": "TCP",
"transport": "TCP"
},
"observer": {
"ingress": {
"interface": {
"name": "eth0"
}
}
},
"related": {
"ip": [
"1.2.3.4",
Expand Down Expand Up @@ -625,6 +693,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
],
"kind": "alert",
"severity": 2,
"start": "2020-01-27T21:11:16.708763Z",
"type": [
"connection"
]
Expand Down Expand Up @@ -697,6 +766,67 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```


=== "icmp.json"

```json

{
"message": "{\"timestamp\": \"2020-10-14T10:03:17.006417+0000\", \"flow_id\": 896178426658321, \"in_iface\": \"ens3\", \"event_type\": \"flow\", \"src_ip\": \"fe80:0000:0000:0000:fc16:3eff:fe01:3dd2\", \"dest_ip\": \"ff02:0000:0000:0000:0000:0000:0000:0002\", \"proto\": \"IPv6-ICMP\", \"icmp_type\": 133, \"icmp_code\": 0, \"flow\": {\"pkts_toserver\": 1, \"pkts_toclient\": 0, \"bytes_toserver\": 70, \"bytes_toclient\": 0, \"start\": \"2020-10-14T10:02:46.245265+0000\", \"end\": \"2020-10-14T10:02:46.245265+0000\", \"age\": 0, \"state\": \"new\", \"reason\": \"timeout\", \"alerted\": false}}",
"event": {
"category": [
"network"
],
"end": "2020-10-14T10:02:46.245265Z",
"reason": "timeout",
"start": "2020-10-14T10:02:46.245265Z",
"type": [
"connection"
]
},
"@timestamp": "2020-10-14T10:03:17.006417Z",
"action": {
"type": "flow"
},
"destination": {
"address": "ff02::2",
"ip": "ff02::2"
},
"host": {
"ip": "fe80::fc16:3eff:fe01:3dd2"
},
"network": {
"protocol": "IPv6-ICMP",
"transport": "IPv6-ICMP"
},
"observer": {
"ingress": {
"interface": {
"name": "ens3"
}
}
},
"related": {
"ip": [
"fe80::fc16:3eff:fe01:3dd2",
"ff02::2"
]
},
"source": {
"address": "fe80::fc16:3eff:fe01:3dd2",
"bytes": 70,
"ip": "fe80::fc16:3eff:fe01:3dd2"
},
"suricata": {
"icmp": {
"code": "0",
"type": "133"
}
}
}
```


=== "smb.json"

```json
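Review bot: suricata.icmp.type and suricata.icmp.code are emitted as strings ("133", "0") although the EVE record carries them as integers ("icmp_type": 133, "icmp_code": 0); keeping them numeric (long, as source.port is typed) preserves range comparisons. The flow counters are only partially mapped: bytes_toserver becomes source.bytes 70, but pkts_toserver, pkts_toclient and bytes_toclient have no ECS counterpart (source.packets, destination.packets, destination.bytes). Also host.ip is set to fe80::fc16:3eff:fe01:3dd2, which is the link-local source of this Router Solicitation (ICMPv6 type 133) rather than the sensor; if host.ip is meant to identify the capturing host this is wrong, and if it is meant to mirror source.ip it is redundant with related.ip.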
Expand Down Expand Up @@ -727,6 +857,13 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"protocol": "TCP",
"transport": "TCP"
},
"observer": {
"ingress": {
"interface": {
"name": "eth0"
}
}
},
"related": {
"ip": [
"1.2.3.4",
Expand Down Expand Up @@ -773,6 +910,13 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"protocol": "TCP",
"transport": "TCP"
},
"observer": {
"ingress": {
"interface": {
"name": "eth0"
}
}
},
"related": {
"ip": [
"1.2.3.4",
Expand Down Expand Up @@ -823,6 +967,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"network"
],
"severity": 3,
"start": "2020-01-27T21:27:09.705465Z",
"type": [
"connection"
]
Expand Down Expand Up @@ -902,8 +1047,11 @@ The following table lists the fields that are extracted, normalized under the EC
|`dns.type` | `keyword` | The type of DNS event captured, query or answer. |
|`event.action` | `keyword` | The action captured by the event. |
|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
|`event.end` | `date` | event.end contains the date when the event ended or when the activity was last observed. |
|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
|`event.reason` | `keyword` | Reason why this event happened, according to the source |
|`event.severity` | `long` | Numeric severity of the event. |
|`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. |
|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
|`host.ip` | `ip` | Host ip addresses. |
|`host.name` | `keyword` | Name of the host. |
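Review bot: the event.start / event.end rows should say where the values come from for this intake, namely Suricata's flow.start and flow.end, as the flow record is written later (@timestamp in the icmp sample is 10:03:17 while start and end are 10:02:46), so durations must be computed from start/end and not from @timestamp. Likewise event.reason is fed by flow.reason ("timeout" in the samples); state that, and end the description with a period like the other rows.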
Expand All @@ -916,9 +1064,12 @@ The following table lists the fields that are extracted, normalized under the EC
|`network.community_id` | `keyword` | A hash of source and destination IPs and ports. |
|`network.protocol` | `keyword` | Application protocol name. |
|`network.transport` | `keyword` | Protocol Name corresponding to the field `iana_number`. |
|`observer.ingress.interface.name` | `keyword` | Interface name |
|`source.bytes` | `long` | Bytes sent from the source to the destination. |
|`source.ip` | `ip` | IP address of the source. |
|`source.port` | `long` | Port of the source. |
|`suricata.icmp.code` | `keyword` | |
|`suricata.icmp.type` | `keyword` | |
|`tls.client.issuer` | `keyword` | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. |
|`tls.client.ja3` | `keyword` | A hash that identifies clients based on how they perform an SSL/TLS handshake. |
|`tls.client.not_after` | `date` | Date/Time indicating when client certificate is no longer considered valid. |
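Review bot: suricata.icmp.code and suricata.icmp.type have empty description cells; fill them in (ICMP code and ICMP type as reported by the EVE icmp_code / icmp_type keys) and, if the values are meant to be compared numerically, type them long rather than keyword. "Interface name" for observer.ingress.interface.name is also too terse: say it is the capture interface taken from in_iface ("ens3" in the icmp sample).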
