diff --git a/_shared_content/operations_center/integrations/generated/0642b03a-9d4a-4c88-a5e2-4597e366b8c4.md b/_shared_content/operations_center/integrations/generated/0642b03a-9d4a-4c88-a5e2-4597e366b8c4.md index 55c9faee23..80f1d6d5ab 100644 --- a/_shared_content/operations_center/integrations/generated/0642b03a-9d4a-4c88-a5e2-4597e366b8c4.md +++ b/_shared_content/operations_center/integrations/generated/0642b03a-9d4a-4c88-a5e2-4597e366b8c4.md @@ -742,9 +742,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "10.79.48.3" ], "user": [ - "VMware vim-java 1.0" + "VMware vim-java 1.0", + "vpxd-extension-3876e603-9146-4105-90ff-075afdf17160" ] }, + "source": { + "user": { + "domain": "VSPHERE.LOCAL", + "name": "vpxd-extension-3876e603-9146-4105-90ff-075afdf17160" + } + }, "user": { "name": "VMware vim-java 1.0" }, @@ -787,9 +794,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "127.0.0.1" ], "user": [ - "pyvmomi" + "pyvmomi", + "root" ] }, + "source": { + "user": { + "name": "root" + } + }, "user": { "name": "pyvmomi" }, @@ -980,6 +993,58 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "session_logs_type_1_2.json" + + ```json + + { + "message": "Event [22091524] [1-1] [2023-11-29T15:51:06.726839Z] [vim.event.UserLoginSessionEvent] [info] [EXAMPLE\\john_doe] [] [22091524] [User EXAMPLE\\john_doe@1.2.3.4 logged in as JAAA-WS RI 2.3.0 svn-revision#3528ea595bd29309f69172d231bbce272d21999c]", + "event": { + "category": [ + "authentication" + ], + "code": "vim.event.UserLoginSessionEvent", + "type": [ + "start" + ] + }, + "@timestamp": "2023-11-29T15:51:06.726839Z", + "host": { + "ip": "1.2.3.4" + }, + "log": { + "level": "info" + }, + "observer": { + "product": "VCenter", + "vendor": "VMWare" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "JAAA-WS RI 2.3.0 svn-revision#3528ea595bd29309f69172d231bbce272d21999c", + "john_doe" + ] + }, + "source": { + "user": { + "domain": "EXAMPLE", + "name": "john_doe" + } + }, + "user": { + "name": "JAAA-WS RI 2.3.0 svn-revision#3528ea595bd29309f69172d231bbce272d21999c" + }, + "vmware_vcenter": { + "event_id": "22091524" + } + } + + ``` + + @@ -1010,6 +1075,7 @@ The following table lists the fields that are extracted, normalized under the EC |`source.address` | `keyword` | Source network address. | |`source.ip` | `ip` | IP address of the source. | |`source.port` | `long` | Port of the source. | +|`source.user.domain` | `keyword` | Name of the directory the user is a member of. | |`source.user.name` | `keyword` | Short name or login of the user. | |`url.path` | `wildcard` | Path of the request, such as "/search". | |`user.name` | `keyword` | Short name or login of the user. | diff --git a/_shared_content/operations_center/integrations/generated/331fa58d-8cf9-454a-a87f-48a3dc07d4d3.md b/_shared_content/operations_center/integrations/generated/331fa58d-8cf9-454a-a87f-48a3dc07d4d3.md index bf311501dc..1e9a29ab91 100644 --- a/_shared_content/operations_center/integrations/generated/331fa58d-8cf9-454a-a87f-48a3dc07d4d3.md +++ b/_shared_content/operations_center/integrations/generated/331fa58d-8cf9-454a-a87f-48a3dc07d4d3.md @@ -45,6 +45,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "kind": "alert", "severity": 3, + "start": "2024-01-07T19:54:41.492407Z", "type": [ "connection" ] @@ -82,6 +83,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "protocol": "TCP", "transport": "TCP" }, + "observer": { + "ingress": { + "interface": { + "name": "eth0" + } + } + }, "related": { "ip": [ "1.2.3.4", @@ -115,6 +123,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "kind": "alert", "severity": 3, + "start": "2024-01-16T15:31:05.667442Z", "type": [ "connection" ] @@ -152,6 +161,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "protocol": "TCP", "transport": "TCP" }, + "observer": { + "ingress": { + "interface": { + "name": "eth0" + } + } + }, "related": { "hosts": [ "169.254.169.254" @@ -219,6 +235,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "protocol": "TCP", "transport": "TCP" }, + "observer": { + "ingress": { + "interface": { + "name": "ens192" + } + } + }, "related": { "ip": [ "10.200.52.1", @@ -302,6 +325,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "protocol": "UDP", "transport": "UDP" }, + "observer": { + "ingress": { + "interface": { + "name": "eth0" + } + } + }, "related": { "ip": [ "172.31.0.2", @@ -379,6 +409,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "protocol": "UDP", "transport": "UDP" }, + "observer": { + "ingress": { + "interface": { + "name": "eth0" + } + } + }, "related": { "hosts": [ "org.repo.release.build.test.com" @@ -443,6 +480,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "protocol": "UDP", "transport": "UDP" }, + "observer": { + "ingress": { + "interface": { + "name": "eth0" + } + } + }, "related": { "ip": [ "172.31.0.2", @@ -501,6 +545,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "protocol": "UDP", "transport": "UDP" }, + "observer": { + "ingress": { + "interface": { + "name": "eth0" + } + } + }, "related": { "hosts": [ "rp1.sekoia.io" @@ -530,6 +581,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], + "end": "2024-01-09T15:07:44.740950Z", + "reason": "timeout", + "start": "2024-01-09T15:07:44.721525Z", "type": [ "connection" ] @@ -550,6 +604,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "protocol": "TCP", "transport": "TCP" }, + "observer": { + "ingress": { + "interface": { + "name": "eth0" + } + } + }, "related": { "ip": [ "1.2.3.4", @@ -597,6 +658,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "protocol": "TCP", "transport": "TCP" }, + "observer": { + "ingress": { + "interface": { + "name": "eth0" + } + } + }, "related": { "ip": [ "1.2.3.4", @@ -625,6 +693,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "kind": "alert", "severity": 2, + "start": "2020-01-27T21:11:16.708763Z", "type": [ "connection" ] @@ -697,6 +766,67 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "icmp.json" + + ```json + + { + "message": "{\"timestamp\": \"2020-10-14T10:03:17.006417+0000\", \"flow_id\": 896178426658321, \"in_iface\": \"ens3\", \"event_type\": \"flow\", \"src_ip\": \"fe80:0000:0000:0000:fc16:3eff:fe01:3dd2\", \"dest_ip\": \"ff02:0000:0000:0000:0000:0000:0000:0002\", \"proto\": \"IPv6-ICMP\", \"icmp_type\": 133, \"icmp_code\": 0, \"flow\": {\"pkts_toserver\": 1, \"pkts_toclient\": 0, \"bytes_toserver\": 70, \"bytes_toclient\": 0, \"start\": \"2020-10-14T10:02:46.245265+0000\", \"end\": \"2020-10-14T10:02:46.245265+0000\", \"age\": 0, \"state\": \"new\", \"reason\": \"timeout\", \"alerted\": false}}", + "event": { + "category": [ + "network" + ], + "end": "2020-10-14T10:02:46.245265Z", + "reason": "timeout", + "start": "2020-10-14T10:02:46.245265Z", + "type": [ + "connection" + ] + }, + "@timestamp": "2020-10-14T10:03:17.006417Z", + "action": { + "type": "flow" + }, + "destination": { + "address": "ff02::2", + "ip": "ff02::2" + }, + "host": { + "ip": "fe80::fc16:3eff:fe01:3dd2" + }, + "network": { + "protocol": "IPv6-ICMP", + "transport": "IPv6-ICMP" + }, + "observer": { + "ingress": { + "interface": { + "name": "ens3" + } + } + }, + "related": { + "ip": [ + "fe80::fc16:3eff:fe01:3dd2", + "ff02::2" + ] + }, + "source": { + "address": "fe80::fc16:3eff:fe01:3dd2", + "bytes": 70, + "ip": "fe80::fc16:3eff:fe01:3dd2" + }, + "suricata": { + "icmp": { + "code": "0", + "type": "133" + } + } + } + + ``` + + === "smb.json" ```json @@ -727,6 +857,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "protocol": "TCP", "transport": "TCP" }, + "observer": { + "ingress": { + "interface": { + "name": "eth0" + } + } + }, "related": { "ip": [ "1.2.3.4", @@ -773,6 +910,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "protocol": "TCP", "transport": "TCP" }, + "observer": { + "ingress": { + "interface": { + "name": "eth0" + } + } + }, "related": { "ip": [ "1.2.3.4", @@ -823,6 +967,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "severity": 3, + "start": "2020-01-27T21:27:09.705465Z", "type": [ "connection" ] @@ -902,8 +1047,11 @@ The following table lists the fields that are extracted, normalized under the EC |`dns.type` | `keyword` | The type of DNS event captured, query or answer. | |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.end` | `date` | event.end contains the date when the event ended or when the activity was last observed. | |`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.reason` | `keyword` | Reason why this event happened, according to the source | |`event.severity` | `long` | Numeric severity of the event. | +|`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`host.ip` | `ip` | Host ip addresses. | |`host.name` | `keyword` | Name of the host. | @@ -916,9 +1064,12 @@ The following table lists the fields that are extracted, normalized under the EC |`network.community_id` | `keyword` | A hash of source and destination IPs and ports. | |`network.protocol` | `keyword` | Application protocol name. | |`network.transport` | `keyword` | Protocol Name corresponding to the field `iana_number`. | +|`observer.ingress.interface.name` | `keyword` | Interface name | |`source.bytes` | `long` | Bytes sent from the source to the destination. | |`source.ip` | `ip` | IP address of the source. | |`source.port` | `long` | Port of the source. | +|`suricata.icmp.code` | `keyword` | | +|`suricata.icmp.type` | `keyword` | | |`tls.client.issuer` | `keyword` | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. | |`tls.client.ja3` | `keyword` | A hash that identifies clients based on how they perform an SSL/TLS handshake. | |`tls.client.not_after` | `date` | Date/Time indicating when client certificate is no longer considered valid. | diff --git a/_shared_content/operations_center/integrations/generated/340e3bc7-2b76-48e4-9833-e971451b2979.md b/_shared_content/operations_center/integrations/generated/340e3bc7-2b76-48e4-9833-e971451b2979.md index 9df7663af9..c5ea866592 100644 --- a/_shared_content/operations_center/integrations/generated/340e3bc7-2b76-48e4-9833-e971451b2979.md +++ b/_shared_content/operations_center/integrations/generated/340e3bc7-2b76-48e4-9833-e971451b2979.md @@ -19,9 +19,9 @@ In details, the following table denotes the type of events produced by this inte | Name | Values | | ---- | ------ | -| Kind | `` | +| Kind | `event` | | Category | `network` | -| Type | `` | +| Type | `allowed`, `denied` | @@ -31,6 +31,72 @@ In details, the following table denotes the type of events produced by this inte Find below few samples of events and how they are normalized by Sekoia.io. +=== "continue.json" + + ```json + + { + "message": "{\"macAddress\": \"000D124564789\", \"operationName\": \"NetworkSecurityGroupFlowEvents\", \"resourceId\": \"/SUBSCRIPTIONS/12345674-1234-1234-1234-12345646546875/RESOURCEGROUPS/FOO/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/AZNTDC02-NSG\", \"time\": \"2024-03-18T13:21:42.6259228Z\", \"rule\": \"DefaultRule_AllowVnetInBound\", \"flow.0\": \"1710768066,1.1.1.1,2.2.2.2,35336,53,U,I,A,C,1,99,1,167\"}", + "event": { + "action": "accept", + "category": [ + "network" + ], + "code": "NetworkSecurityGroupFlowEvents", + "kind": "event", + "outcome": "success", + "start": "2024-03-18T13:21:42.625922Z", + "type": [ + "allowed" + ] + }, + "@timestamp": "2024-03-18T13:21:42.625922Z", + "action": { + "name": "accept", + "outcome": "success", + "properties": { + "FlowState": "continue", + "OperationName": "NetworkSecurityGroupFlowEvents" + }, + "target": "network-traffic", + "type": "DefaultRule_AllowVnetInBound" + }, + "destination": { + "address": "2.2.2.2", + "bytes": 167, + "ip": "2.2.2.2", + "packets": 1, + "port": 53 + }, + "host": { + "name": "/SUBSCRIPTIONS/12345674-1234-1234-1234-12345646546875/RESOURCEGROUPS/FOO/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/AZNTDC02-NSG" + }, + "network": { + "direction": "inbound", + "transport": "udp" + }, + "related": { + "ip": [ + "1.1.1.1", + "2.2.2.2" + ] + }, + "rule": { + "name": "DefaultRule_AllowVnetInBound" + }, + "source": { + "address": "1.1.1.1", + "bytes": 99, + "ip": "1.1.1.1", + "mac": "000D124564789", + "packets": 1, + "port": 35336 + } + } + + ``` + + === "test_begin.json" ```json @@ -43,19 +109,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "NetworkSecurityGroupFlowEvents", + "kind": "event", + "outcome": "success", + "start": "2020-12-14T22:16:46.352816Z", "type": [ "allowed" ] }, + "@timestamp": "2020-12-14T22:16:46.352816Z", "action": { "name": "accept", - "properties": [ - { - "FlowState": "begin", - "OperationName": "NetworkSecurityGroupFlowEvents", - "Version": "2" - } - ], + "outcome": "success", + "properties": { + "FlowState": "begin", + "OperationName": "NetworkSecurityGroupFlowEvents", + "Version": "2" + }, "target": "network-traffic", "type": "DefaultRule_AllowVnetOutBound" }, @@ -103,19 +172,22 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "NetworkSecurityGroupFlowEvents", + "kind": "event", + "outcome": "success", + "start": "2020-12-14T22:16:46.352816Z", "type": [ "allowed" ] }, + "@timestamp": "2020-12-14T22:16:46.352816Z", "action": { "name": "accept", - "properties": [ - { - "FlowState": "end", - "OperationName": "NetworkSecurityGroupFlowEvents", - "Version": "2" - } - ], + "outcome": "success", + "properties": { + "FlowState": "end", + "OperationName": "NetworkSecurityGroupFlowEvents", + "Version": "2" + }, "target": "network-traffic", "type": "DefaultRule_AllowVnetOutBound" }, @@ -167,18 +239,21 @@ Find below few samples of events and how they are normalized by Sekoia.io. "network" ], "code": "NetworkSecurityGroupFlowEvents", + "kind": "event", + "outcome": "success", + "start": "2021-03-24T10:55:03.068074Z", "type": [ "allowed" ] }, + "@timestamp": "2021-03-24T10:55:03.068074Z", "action": { "name": "accept", - "properties": [ - { - "FlowState": "begin", - "OperationName": "NetworkSecurityGroupFlowEvents" - } - ], + "outcome": "success", + "properties": { + "FlowState": "begin", + "OperationName": "NetworkSecurityGroupFlowEvents" + }, "target": "network-traffic", "type": "DefaultRule_AllowInternetOutBound" }, @@ -191,7 +266,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "name": "/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG" }, "network": { - "direction": "inbound", + "direction": "outbound", "transport": "tcp" }, "related": { @@ -224,14 +299,20 @@ The following table lists the fields that are extracted, normalized under the EC | Name | Type | Description | | ---- | ---- | ---------------------------| |`@timestamp` | `date` | Date/time when the event originated. | -|`action.properties` | `array` | action.properties | +|`action.properties.FlowState` | `keyword` | | +|`action.properties.OperationName` | `keyword` | | +|`action.properties.Version` | `keyword` | | |`action.target` | `keyword` | The target of the action | |`destination.bytes` | `long` | Bytes sent from the destination to the source. | |`destination.ip` | `ip` | IP address of the destination. | |`destination.packets` | `long` | Packets sent from the destination to the source. | |`destination.port` | `long` | Port of the destination. | +|`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.code` | `keyword` | Identification code for this event. | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`host.name` | `keyword` | Name of the host. | |`rule.name` | `keyword` | Rule name | |`source.bytes` | `long` | Bytes sent from the source to the destination. | diff --git a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md index 6cbeed8aff..173baa545e 100644 --- a/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md +++ b/_shared_content/operations_center/integrations/generated/3c7057d3-4689-4fae-8033-6f1f887a70f2.md @@ -2143,6 +2143,78 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "wineventlog5.json" + + ```json + + { + "message": "{\"@event_create_date\": \"2024-03-28T14:53:32.521Z\", \"source_name\": \"Microsoft-Windows-Security-Auditing\", \"record_number\": 1654064176, \"thread_id\": 14260, \"tenant\": \"1111111111111111\", \"destination\": \"syslog\", \"event_id\": 4698, \"computer_name\": \"DS01.example.org\", \"keywords\": [\"AuditSuccess\", \"ReservedKeyword63\"], \"event_data\": {\"SubjectDomainName\": \"EXAMPLE\", \"ClientProcessStartKey\": \"11111111111111111\", \"TaskName\": \"\\\\GPO_C_LSI_Deploy\", \"ParentProcessId\": \"984\", \"SubjectLogonId\": \"0x3e7\", \"RpcCallClientLocality\": \"0\", \"SubjectUserName\": \"DS01$\", \"TaskContent\": \"\\r\\n\\r\\n \\r\\n EXAMPLE\\\\jdoe\\r\\n \\\\GPO_C_LSI_Deploy\\r\\n \\r\\n \\r\\n \\r\\n 2021-05-11T16:53:52\\r\\n true\\r\\n \\r\\n \\r\\n \\r\\n \\r\\n HighestAvailable\\r\\n AUTORITE NT\\\\Syst\\u00e8me\\r\\n S4U\\r\\n \\r\\n \\r\\n \\r\\n IgnoreNew\\r\\n false\\r\\n false\\r\\n false\\r\\n false\\r\\n false\\r\\n \\r\\n PT5M\\r\\n PT1H\\r\\n false\\r\\n false\\r\\n \\r\\n false\\r\\n true\\r\\n false\\r\\n false\\r\\n false\\r\\n false\\r\\n false\\r\\n PT0S\\r\\n 7\\r\\n \\r\\n \\r\\n \\r\\n powershell.exe\\r\\n -ExecutionPolicy Bypass -File \\\"\\\\\\\\srvmcfiles01\\\\path\\\\LSI.ps1\\\"\\r\\n \\r\\n \\r\\n\", \"ClientProcessId\": \"23428\", \"FQDN\": \"NB248.AVANGARDE.local\", \"SubjectUserSid\": \"S-1-5-18\"}, \"user_data\": {}, \"@version\": \"1\", \"log_name\": \"Security\", \"log_type\": \"eventlog\", \"level\": \"log_always\", \"agent\": {\"ostype\": \"windows\", \"hostname\": \"DS01\", \"osproducttype\": \"Windows 10 Pro\", \"distroid\": null, \"domainname\": \"EXAMPLE\", \"version\": \"3.6.4\", \"additional_info\": {}, \"dnsdomainname\": \"EXAMPLE.org\", \"agentid\": \"dbf3c620-47ac-453a-a9f3-383eca1b0ce8\", \"osversion\": \"10.0.19045\", \"domain\": null}, \"process_id\": 992, \"groups\": [{\"name\": \"CS SUPPORT\", \"id\": \"b45f22af-9166-4d36-bac4-500aefbcbffe\"}], \"provider_guid\": \"54849625-5478-4994-a5ba-3e3b0328c30d\", \"user\": {\"type\": \"unknown\", \"identifier\": \"\", \"name\": \"\", \"domain\": \"\"}, \"@timestamp\": \"2024-03-28T14:53:43.717922930Z\", \"type\": \"wineventlog\"}", + "event": { + "code": "4698", + "dataset": "eventlog", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "info" + ] + }, + "@timestamp": "2024-03-28T14:53:32.521000Z", + "action": { + "id": 4698, + "properties": { + "ClientProcessId": "23428", + "ClientProcessStartKey": "11111111111111111", + "FQDN": "NB248.AVANGARDE.local", + "ParentProcessId": "984", + "RpcCallClientLocality": "0", + "SubjectDomainName": "EXAMPLE", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "DS01$", + "SubjectUserSid": "S-1-5-18", + "TaskContent": "\r\n\r\n \r\n EXAMPLE\\jdoe\r\n \\GPO_C_LSI_Deploy\r\n \r\n \r\n \r\n 2021-05-11T16:53:52\r\n true\r\n \r\n \r\n \r\n \r\n HighestAvailable\r\n AUTORITE NT\\Syst\u00e8me\r\n S4U\r\n \r\n \r\n \r\n IgnoreNew\r\n false\r\n false\r\n false\r\n false\r\n false\r\n \r\n PT5M\r\n PT1H\r\n false\r\n false\r\n \r\n false\r\n true\r\n false\r\n false\r\n false\r\n false\r\n false\r\n PT0S\r\n 7\r\n \r\n \r\n \r\n powershell.exe\r\n -ExecutionPolicy Bypass -File \"\\\\srvmcfiles01\\path\\LSI.ps1\"\r\n \r\n \r\n", + "TaskContentNew_Args": "-ExecutionPolicy Bypass -File \"\\\\srvmcfiles01\\path\\LSI.ps1\"", + "TaskContentNew_Command": "powershell.exe", + "TaskName": "\\GPO_C_LSI_Deploy" + } + }, + "agent": { + "id": "dbf3c620-47ac-453a-a9f3-383eca1b0ce8", + "name": "harfanglab" + }, + "harfanglab": { + "groups": [ + "{\"id\": \"b45f22af-9166-4d36-bac4-500aefbcbffe\", \"name\": \"CS SUPPORT\"}" + ] + }, + "host": { + "domain": "EXAMPLE", + "hostname": "DS01", + "name": "DS01", + "os": { + "full": "Windows 10 Pro", + "version": "10.0.19045" + } + }, + "log": { + "hostname": "DS01" + }, + "related": { + "hosts": [ + "DS01" + ], + "user": [ + "DS01$" + ] + }, + "user": { + "domain": "EXAMPLE", + "name": "DS01$", + "roles": "CSSUPPORT" + } + } + + ``` + + @@ -2154,6 +2226,8 @@ The following table lists the fields that are extracted, normalized under the EC | ---- | ---- | ---------------------------| |`@timestamp` | `date` | Date/time when the event originated. | |`action.properties` | `object` | A detailed set of attributes associated with a specific action, typically involving user authentication or a network event. It contains the following keys: | +|`action.properties.TaskContentNew_Args` | `keyword` | | +|`action.properties.TaskContentNew_Command` | `keyword` | | |`agent.id` | `keyword` | Unique identifier of this agent. | |`agent.name` | `keyword` | Custom name of the agent. | |`agent.version` | `keyword` | Version of the agent. | diff --git a/_shared_content/operations_center/integrations/generated/5d9e261a-944c-4a76-8c61-6794fd44d9a8.md b/_shared_content/operations_center/integrations/generated/5d9e261a-944c-4a76-8c61-6794fd44d9a8.md index 3401e63240..2f8fbf8406 100644 --- a/_shared_content/operations_center/integrations/generated/5d9e261a-944c-4a76-8c61-6794fd44d9a8.md +++ b/_shared_content/operations_center/integrations/generated/5d9e261a-944c-4a76-8c61-6794fd44d9a8.md @@ -15,4 +15,251 @@ The following table lists the data source offered by this integration. +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "domain.json" + + ```json + + { + "message": "2019-10-08T11:29:05+02:00 hostfoo unbound[17265]: [17265:13] info: 127.0.0.1 reachms.corp.com. A IN", + "dns": { + "question": { + "class": "IN", + "name": "reachms.corp.com", + "registered_domain": "corp.com", + "subdomain": "reachms", + "top_level_domain": "com", + "type": "A" + }, + "size_in_char": 16, + "type": "query" + }, + "host": { + "name": "hostfoo" + }, + "related": { + "hosts": [ + "reachms.corp.com" + ], + "ip": [ + "127.0.0.1" + ] + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + } + } + + ``` + + +=== "error.json" + + ```json + + { + "message": "[3483:15] error: internal error: looping module stopped", + "error": { + "message": "looping module stopped", + "type": "internal error" + } + } + + ``` + + +=== "error2.json" + + ```json + + { + "message": "[1678:6] error: failed to find an open port, drop msg", + "error": { + "message": "failed to find an open port, drop msg" + } + } + + ``` + + +=== "generate_keytag.json" + + ```json + + { + "message": "2019-10-08T11:29:05+02:00 hostfoo unbound[17265]: [265456:0] info: generate keytag query _ta-4f66. NULL IN", + "host": { + "name": "hostfoo" + } + } + + ``` + + +=== "info_recursion.json" + + ```json + + { + "message": "2019-10-08T11:29:05+02:00 hostfoo unbound[17265]: [27060:0] info: average recursion processing time 0.007562 sec", + "host": { + "name": "hostfoo" + } + } + + ``` + + +=== "ip.json" + + ```json + + { + "message": "2019-10-08T11:29:04+02:00 hostfoo unbound[17265]: [17265:18] info: 192.168.1.1 1.1.1.1.in-addr.arpa. PTR IN", + "dns": { + "question": { + "class": "IN", + "name": "1.1.1.1.in-addr.arpa", + "registered_domain": "1.in-addr.arpa", + "subdomain": "1.1.1", + "top_level_domain": "in-addr.arpa", + "type": "PTR" + }, + "size_in_char": 20, + "type": "query" + }, + "host": { + "name": "hostfoo" + }, + "related": { + "hosts": [ + "1.1.1.1.in-addr.arpa" + ], + "ip": [ + "192.168.1.1" + ] + }, + "source": { + "address": "192.168.1.1", + "ip": "192.168.1.1" + } + } + + ``` + + +=== "ip_code.json" + + ```json + + { + "message": "2019-10-09T18:29:22+02:00 hostfoo unbound[3888]: [3888:1f] info: 192.168.1.1 1.1.168.192.in-addr.arpa. PTR IN", + "dns": { + "question": { + "class": "IN", + "name": "1.1.168.192.in-addr.arpa", + "registered_domain": "192.in-addr.arpa", + "subdomain": "1.1.168", + "top_level_domain": "in-addr.arpa", + "type": "PTR" + }, + "size_in_char": 24, + "type": "query" + }, + "host": { + "name": "hostfoo" + }, + "related": { + "hosts": [ + "1.1.168.192.in-addr.arpa" + ], + "ip": [ + "192.168.1.1" + ] + }, + "source": { + "address": "192.168.1.1", + "ip": "192.168.1.1" + } + } + + ``` + + +=== "server_stats.json" + + ```json + + { + "message": "2019-10-08T11:29:05+02:00 hostfoo unbound[17265]: [6634:16] info: server stats for thread 0: 11982 queries, 9074 answers from cache, 2908 recursions, 1029 prefetch, 0 rejected by ip ratelimiting", + "host": { + "name": "hostfoo" + } + } + + ``` + + +=== "weird-hostname.json" + + ```json + + { + "message": "[16667:e] info: 192.168.1.1 _ldap._tcp.SXB._sites.dc._msdcs.key.corp.net. SRV IN", + "dns": { + "question": { + "class": "IN", + "name": "_ldap._tcp.SXB._sites.dc._msdcs.key.corp.net", + "registered_domain": "corp.net", + "subdomain": "_ldap._tcp.SXB._sites.dc._msdcs.key", + "top_level_domain": "net", + "type": "SRV" + }, + "size_in_char": 44, + "type": "query" + }, + "related": { + "hosts": [ + "_ldap._tcp.SXB._sites.dc._msdcs.key.corp.net" + ], + "ip": [ + "192.168.1.1" + ] + }, + "source": { + "address": "192.168.1.1", + "ip": "192.168.1.1" + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`dns.question.class` | `keyword` | The class of records being queried. | +|`dns.question.name` | `keyword` | The name being queried. | +|`dns.question.type` | `keyword` | The type of record being queried. | +|`dns.size_in_char` | `number` | | +|`dns.type` | `keyword` | The type of DNS event captured, query or answer. | +|`error.message` | `match_only_text` | Error message. | +|`error.type` | `keyword` | The type of the error, for example the class name of the exception. | +|`host.name` | `keyword` | Name of the host. | +|`source.domain` | `keyword` | The domain name of the source. | +|`source.ip` | `ip` | IP address of the source. | +|`source.port` | `long` | Port of the source. | +|`user.id` | `keyword` | Unique identifier of the user. | +|`user.name` | `keyword` | Short name or login of the user. | diff --git a/_shared_content/operations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7.md b/_shared_content/operations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7.md index bd7b6e81f1..378e3f7846 100644 --- a/_shared_content/operations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7.md +++ b/_shared_content/operations_center/integrations/generated/6c2a44e3-a86a-4d98-97a6-d575ffcb29f7.md @@ -13,7 +13,456 @@ The following table lists the data source offered by this integration. +In details, the following table denotes the type of events produced by this integration. +| Name | Values | +| ---- | ------ | +| Kind | `` | +| Category | `web` | +| Type | `` | + +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "access_combined.json" + + ```json + + { + "message": "127.0.0.1 - userfoo [10/Oct/2000:13:55:36 -0700] \"GET /apache_pb.gif HTTP/1.0\" 200 2326 \"http://www.example.com/start.html\" \"Mozilla/4.08 [en] (Win98; I ;Nav)\"", + "event": { + "category": [ + "web" + ], + "outcome": "success", + "type": [ + "access" + ] + }, + "action": { + "name": "GET", + "outcome": "success", + "properties": { + "timestamp": "10/Oct/2000:13:55:36 -0700" + } + }, + "http": { + "request": { + "method": "GET", + "referrer": "\"http://www.example.com/start.html\"" + }, + "response": { + "bytes": 2326, + "status_code": 200 + }, + "version": "1.0" + }, + "related": { + "ip": [ + "127.0.0.1" + ], + "user": [ + "userfoo" + ] + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "url": { + "original": "/apache_pb.gif", + "path": "/apache_pb.gif" + }, + "user": { + "name": "userfoo" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "\"Mozilla/4.08 [en] (Win98; I ;Nav)\"", + "os": { + "name": "Windows", + "version": "98" + } + } + } + + ``` + + +=== "common_log_format.json" + + ```json + + { + "message": "127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] \"GET /apache_pb.gif HTTP/1.0\" 200 2326", + "event": { + "category": [ + "web" + ], + "outcome": "success", + "type": [ + "access" + ] + }, + "action": { + "name": "GET", + "outcome": "success", + "properties": { + "timestamp": "10/Oct/2000:13:55:36 -0700" + } + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "bytes": 2326, + "status_code": 200 + }, + "version": "1.0" + }, + "related": { + "ip": [ + "127.0.0.1" + ], + "user": [ + "frank" + ] + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "url": { + "original": "/apache_pb.gif", + "path": "/apache_pb.gif" + }, + "user": { + "name": "frank" + } + } + + ``` + + +=== "error.json" + + ```json + + { + "message": "[Wed Oct 11 14:32:52 2000] [error] [client 127.0.0.1] client denied by server configuration: /export/home/live/ap/htdocs/test", + "event": { + "category": [ + "web" + ], + "outcome": "failure", + "type": [ + "error" + ] + }, + "action": { + "name": "error", + "outcome": "failure", + "outcome_reason": "client denied by server configuration: /export/home/live/ap/htdocs/test" + }, + "related": { + "ip": [ + "127.0.0.1" + ] + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + } + } + + ``` + + +=== "error_2.json" + + ```json + + { + "message": "[Fri Sep 09 10:42:29.902022 2011] [core:error] [pid 35708:tid 4328636416] [client 1.1.1.1] File does not exist: /usr/local/apache2/htdocs/favicon.ico ", + "event": { + "category": [ + "web" + ], + "outcome": "failure", + "type": [ + "error" + ] + }, + "action": { + "name": "error", + "outcome": "failure", + "outcome_reason": "/usr/local/apache2/htdocs/favicon.ico" + }, + "process": { + "id": 35708, + "thread": { + "id": 4328636416 + } + }, + "related": { + "ip": [ + "1.1.1.1" + ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1" + } + } + + ``` + + +=== "error_module.json" + + ```json + + { + "message": "[Mon Apr 15 15:44:09.056862 2024] [:error] [pid 2226090:tid 140123920336640] [client 1.2.3.4:53375] [client 1.2.3.4] ModSecurity: Warning. Match of \"rx ^OPTIONS$\" against \"REQUEST_METHOD\" required. [file \"/etc/apache2/modsecurity/coreruleset/modsecurity_crs_21_protocol_anomalies.conf\"] [line \"36\"] [id \"960015\"] [msg \"Request Missing an Accept Header\"] [severity \"CRITICAL\"] [hostname \"web.example.org\"] [uri \"/fsms/fsmsh.dll\"] [unique_id \"111111111111111111111111111\"]", + "event": { + "category": [ + "web" + ], + "outcome": "failure", + "type": [ + "error" + ] + }, + "action": { + "name": "error", + "outcome": "failure", + "outcome_reason": "Request Missing an Accept Header", + "properties": { + "modsecmessage": "Match of \"rx ^OPTIONS$\" against \"REQUEST_METHOD\" required.", + "rulefile": "/etc/apache2/modsecurity/coreruleset/modsecurity_crs_21_protocol_anomalies.conf", + "ruleid": "960015", + "ruleline": "36", + "ruleseverity": "CRITICAL", + "timestamp": "Mon Apr 15 15:44:09.056862 2024", + "uniqueid": "111111111111111111111111111" + }, + "type": "warning" + }, + "destination": { + "address": "web.example.org", + "domain": "web.example.org", + "registered_domain": "example.org", + "size_in_char": 15, + "subdomain": "web", + "top_level_domain": "org" + }, + "process": { + "id": 2226090, + "pid": 2226090, + "thread": { + "id": 140123920336640 + } + }, + "related": { + "hosts": [ + "web.example.org" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 53375 + }, + "url": { + "original": "/fsms/fsmsh.dll", + "path": "/fsms/fsmsh.dll" + } + } + + ``` + + +=== "modsecurity.json" + + ```json + + { + "message": "[security2:error] [pid 11852:tid 4036848496] [client 1.1.1.1:35323] [client 1.1.1.1] ModSecurity: Warning. Pattern match \"(?i)((?:=|U\\\\\\\\s*R\\\\\\\\s*L\\\\\\\\s*\\\\\\\\()\\\\\\\\s*[^>]*\\\\\\\\s*S\\\\\\\\s*C\\\\\\\\s*R\\\\\\\\s*I\\\\\\\\s*P\\\\\\\\s*T\\\\\\\\s*:|:|[\\\\\\\\s\\\\\\\\S]allowscriptaccess[\\\\\\\\s\\\\\\\\S]|[\\\\\\\\s\\\\\\\\S]src[\\\\\\\\s\\\\\\\\S]|[\\\\\\\\s\\\\\\\\S]data:text\\\\\\\\/html[\\\\\\\\s\\\\\\\\S]|[\\\\\\\\s\\\\\\\\S]xlink:href[\\\\\\\\s\\\\\\\\S]|[\\\\\\\\s\\\\\\\\S]base64[\\\\\\\\s\\\\\\\\S]|[\\\\\\\\s\\\\\\\\S]xmlns[\\\\\\\\s\\\\\\\\S]|[\\\\\\\\s\\\\\\\\S]xht ...\" at ARGS:__EVENTVALIDATION. [file \"/usr/apache/conf/waf/modsecurity_crs_xss_attacks.conf\"] [line \"28\"] [id \"973338\"] [rev \"1\"] [msg \"XSS Filter - Category 3: Javascript URI Vector\"] [data \"Matched Data: kSrcX found within ARGS:__EVENTVALIDATION: /wEWZgKXrrj6DgKCwsjDDAKgoeW1DwKBkN74CAKv/cWXBgK//Oz1DQKM6ZIdApW x44CAon4rvAGAq/9xZcGAr/87PUNAozpkh0Cr/3FlwYCv/zs9Q0CjOmSHQKv/cWXBgK//Oz1DQKM6ZIdAq/9xZcGAr/87PUNAozpkh0Cr/3FlwYCv/zs9Q0CjOmSHQKv/cWXBgK//Oz1DQKM6ZIdAq/9xZcGAr/87PUNAozpkh0Cr/3FlwYCv/zs9Q0CjOmSHQKv/cWXBgK//Oz1DQKM6ZIdAq/9xZcGAr/87PUNAozpkh0Cr/3FlwYCv/zs9Q0CjOmSHQKv/cWXBgK//Oz1DQKM6ZIdAq/9xZcGAr/87PUNAozpkh0Cr/3FlwYCv/zs9Q0CjOmSHQKv/cWXBgK//Oz1DQKM6ZIdAq/9xZcGAr/87PUNAozpkh0Cr/3FlwYCv/zs...\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/ [hostname \"website.corp.net\"] [uri \"/Liste.aspx\"] [unique_id \"Xt2vlKC-YX738FovDc0GkwAAAAs\"], referer: http://corp.net/Liste.aspx?ECRAN=REEL_MIXTE", + "event": { + "category": [ + "web" + ], + "outcome": "failure", + "type": [ + "error" + ] + }, + "action": { + "name": "error", + "outcome": "failure", + "outcome_reason": "XSS Filter - Category 3: Javascript URI Vector", + "properties": { + "modsecmessage": "Pattern match \"(?i)((?:=|U\\\\\\\\s*R\\\\\\\\s*L\\\\\\\\s*\\\\\\\\()\\\\\\\\s*[^>]*\\\\\\\\s*S\\\\\\\\s*C\\\\\\\\s*R\\\\\\\\s*I\\\\\\\\s*P\\\\\\\\s*T\\\\\\\\s*:|:|[\\\\\\\\s\\\\\\\\S]allowscriptaccess[\\\\\\\\s\\\\\\\\S]|[\\\\\\\\s\\\\\\\\S]src[\\\\\\\\s\\\\\\\\S]|[\\\\\\\\s\\\\\\\\S]data:text\\\\\\\\/html[\\\\\\\\s\\\\\\\\S]|[\\\\\\\\s\\\\\\\\S]xlink:href[\\\\\\\\s\\\\\\\\S]|[\\\\\\\\s\\\\\\\\S]base64[\\\\\\\\s\\\\\\\\S]|[\\\\\\\\s\\\\\\\\S]xmlns[\\\\\\\\s\\\\\\\\S]|[\\\\\\\\s\\\\\\\\S]xht ...\" at ARGS:__EVENTVALIDATION.", + "ruledata": "Matched Data: kSrcX found within ARGS:__EVENTVALIDATION: /wEWZgKXrrj6DgKCwsjDDAKgoeW1DwKBkN74CAKv/cWXBgK//Oz1DQKM6ZIdApW x44CAon4rvAGAq/9xZcGAr/87PUNAozpkh0Cr/3FlwYCv/zs9Q0CjOmSHQKv/cWXBgK//Oz1DQKM6ZIdAq/9xZcGAr/87PUNAozpkh0Cr/3FlwYCv/zs9Q0CjOmSHQKv/cWXBgK//Oz1DQKM6ZIdAq/9xZcGAr/87PUNAozpkh0Cr/3FlwYCv/zs9Q0CjOmSHQKv/cWXBgK//Oz1DQKM6ZIdAq/9xZcGAr/87PUNAozpkh0Cr/3FlwYCv/zs9Q0CjOmSHQKv/cWXBgK//Oz1DQKM6ZIdAq/9xZcGAr/87PUNAozpkh0Cr/3FlwYCv/zs9Q0CjOmSHQKv/cWXBgK//Oz1DQKM6ZIdAq/9xZcGAr/87PUNAozpkh0Cr/3FlwYCv/zs...", + "rulefile": "/usr/apache/conf/waf/modsecurity_crs_xss_attacks.conf", + "ruleid": "973338", + "ruleline": "28", + "rulerev": "1", + "ruleseverity": "CRITICAL", + "uniqueid": "Xt2vlKC-YX738FovDc0GkwAAAAs" + }, + "type": "warning" + }, + "destination": { + "address": "website.corp.net", + "domain": "website.corp.net", + "registered_domain": "corp.net", + "size_in_char": 16, + "subdomain": "website", + "top_level_domain": "net" + }, + "process": { + "id": 11852, + "pid": 11852, + "thread": { + "id": 4036848496 + } + }, + "related": { + "hosts": [ + "website.corp.net" + ], + "ip": [ + "1.1.1.1" + ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "port": 35323 + }, + "url": { + "original": "/Liste.aspx", + "path": "/Liste.aspx" + } + } + + ``` + + +=== "needs_striping.json" + + ```json + + { + "message": " [Thu Feb 29 11:47:27.072780 2024] [ssl:info] [pid 12596] [client 1.1.1.1:57535] AH01964: Connection to child 114 established (server app.corp.com:443)\n", + "event": { + "category": [ + "web" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "info", + "outcome": "success", + "outcome_reason": "Connection to child 114 established (server app.corp.com:443)" + }, + "process": { + "id": 12596 + }, + "related": { + "ip": [ + "1.1.1.1" + ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "port": 57535 + } + } + + ``` + + +=== "process_id.json" + + ```json + + { + "message": " [Thu Feb 29 14:23:43.643358 2024] [ssl:info] [pid 24237] (70014)End of file found: [client 1.1.1.1 :42114] AH01991: SSL input filter read failed.", + "event": { + "category": [ + "web" + ], + "outcome": "success", + "type": [ + "info" + ] + }, + "action": { + "name": "info", + "outcome": "success", + "outcome_reason": "SSL input filter read failed." + }, + "process": { + "id": 24237 + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`action.properties.matchoffset` | `keyword` | | +|`action.properties.modsecmessage` | `keyword` | Modsecurity emitted message | +|`action.properties.ruledata` | `keyword` | Modsecurity rule data | +|`action.properties.rulefile` | `keyword` | Modsecurity rule file | +|`action.properties.ruleid` | `keyword` | Modsecurity rule line | +|`action.properties.ruleline` | `keyword` | Modsecurity rule line | +|`action.properties.rulerev` | `keyword` | Modsecurity rule revision | +|`action.properties.ruleseverity` | `keyword` | Modsecurity rule severity | +|`action.properties.timestamp` | `keyword` | Timestamp | +|`action.properties.uniqueid` | `keyword` | Unique ID | +|`destination.domain` | `keyword` | The domain name of the destination. | +|`destination.port` | `long` | Port of the destination. | +|`destination.size_in_char` | `number` | Size of the destination name | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`http.request.method` | `keyword` | HTTP request method. | +|`http.request.referrer` | `keyword` | Referrer for this HTTP request. | +|`http.response.bytes` | `long` | Total size in bytes of the response (body and headers). | +|`http.response.status_code` | `long` | HTTP response status code. | +|`http.version` | `keyword` | HTTP version. | +|`process.id` | `number` | Process ID (legacy) | +|`process.pid` | `long` | Process id. | +|`process.thread.id` | `long` | Thread ID. | +|`source.domain` | `keyword` | The domain name of the source. | +|`source.ip` | `ip` | IP address of the source. | +|`source.port` | `long` | Port of the source. | +|`url.original` | `wildcard` | Unmodified original url as seen in the event source. | +|`user.name` | `keyword` | Short name or login of the user. | +|`user_agent.original` | `keyword` | Unparsed user_agent string. | + diff --git a/_shared_content/operations_center/integrations/generated/a2915a14-d1e9-4397-86fc-8f8b2c617466.md b/_shared_content/operations_center/integrations/generated/a2915a14-d1e9-4397-86fc-8f8b2c617466.md new file mode 100644 index 0000000000..8d924458d3 --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/a2915a14-d1e9-4397-86fc-8f8b2c617466.md @@ -0,0 +1,231 @@ + +## Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Network protocol analysis` | Olfeo provides network logs about user traffic | + + + + + +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `` | +| Category | `web` | +| Type | `access` | + + + + +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "network_log.json" + + ```json + + { + "message": "1.2.3.14 - username [15/04/2024 12:50:04] \"CONNECT https://test.com:443 HTTP/1.1\" 200 - - 1000 Business Services", + "event": { + "category": [ + "web" + ], + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-15T12:50:04Z", + "http": { + "request": { + "method": "CONNECT" + }, + "response": { + "bytes": 1000, + "status_code": 200 + }, + "version": "1.1" + }, + "observer": { + "product": "Olfeo Secure Web Gateway", + "type": "proxy", + "vendor": "Olfeo" + }, + "olfeo": { + "request": { + "type": "Business Services" + } + }, + "related": { + "ip": [ + "1.2.3.14" + ], + "user": [ + "username" + ] + }, + "source": { + "address": "1.2.3.14", + "ip": "1.2.3.14", + "user": { + "name": "username" + } + }, + "url": { + "domain": "test.com", + "original": "https://test.com:443", + "port": 443, + "registered_domain": "test.com", + "scheme": "https", + "top_level_domain": "com" + } + } + + ``` + + +=== "network_log_no_user.json" + + ```json + + { + "message": "1.2.3.4 - - [15/04/2024 12:50:04] \"POST https://test.com:443 HTTP/1.1\" 400 - - 12 Advertising", + "event": { + "category": [ + "web" + ], + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-15T12:50:04Z", + "http": { + "request": { + "method": "POST" + }, + "response": { + "bytes": 12, + "status_code": 400 + }, + "version": "1.1" + }, + "observer": { + "product": "Olfeo Secure Web Gateway", + "type": "proxy", + "vendor": "Olfeo" + }, + "olfeo": { + "request": { + "type": "Advertising" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "url": { + "domain": "test.com", + "original": "https://test.com:443", + "port": 443, + "registered_domain": "test.com", + "scheme": "https", + "top_level_domain": "com" + } + } + + ``` + + +=== "network_log_space.json" + + ```json + + { + "message": " 1.2.3.4 - - [15/04/2024 12:50:04] \"PUT https://test.com:443 HTTP/1.1\" 300 - - 512 Shopping", + "event": { + "category": [ + "web" + ], + "type": [ + "access" + ] + }, + "@timestamp": "2024-04-15T12:50:04Z", + "http": { + "request": { + "method": "PUT" + }, + "response": { + "bytes": 512, + "status_code": 300 + }, + "version": "1.1" + }, + "observer": { + "product": "Olfeo Secure Web Gateway", + "type": "proxy", + "vendor": "Olfeo" + }, + "olfeo": { + "request": { + "type": "Shopping" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "url": { + "domain": "test.com", + "original": "https://test.com:443", + "port": 443, + "registered_domain": "test.com", + "scheme": "https", + "top_level_domain": "com" + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`http.request.method` | `keyword` | HTTP request method. | +|`http.response.bytes` | `long` | Total size in bytes of the response (body and headers). | +|`http.response.status_code` | `long` | HTTP response status code. | +|`http.version` | `keyword` | HTTP version. | +|`observer.product` | `keyword` | The product name of the observer. | +|`observer.type` | `keyword` | The type of the observer the data is coming from. | +|`observer.vendor` | `keyword` | Vendor name of the observer. | +|`olfeo.request.type` | `keyword` | Olfeo request url category | +|`source.ip` | `ip` | IP address of the source. | +|`source.user.name` | `keyword` | Short name or login of the user. | +|`url.original` | `wildcard` | Unmodified original url as seen in the event source. | + diff --git a/_shared_content/operations_center/integrations/generated/ab25af2e-4916-40ba-955c-34d2301c1f51.md b/_shared_content/operations_center/integrations/generated/ab25af2e-4916-40ba-955c-34d2301c1f51.md index d99b7da6f5..c17403bb73 100644 --- a/_shared_content/operations_center/integrations/generated/ab25af2e-4916-40ba-955c-34d2301c1f51.md +++ b/_shared_content/operations_center/integrations/generated/ab25af2e-4916-40ba-955c-34d2301c1f51.md @@ -158,7 +158,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ```json { - "message": "rdp.acme.com 1.2.3.4 - - [22/Aug/2019:08:28:30 +0200] \"GET /lib/example.txt?key1=111111&time=1566455309850 HTTP/1.1\" 200 2 \"http://rdp.acme.com/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134\" \"1.2.3.4\" \"0.010\" \"-/-\" \"text/plain\"", + "message": " rdp.acme.com 1.2.3.4 - - [22/Aug/2019:08:28:30 +0200] \"GET /lib/example.txt?key1=111111&time=1566455309850 HTTP/1.1\" 200 2 \"http://rdp.acme.com/\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134\" \"1.2.3.4\" \"0.010\" \"-/-\" \"text/plain\"", "event": { "category": [ "web" diff --git a/_shared_content/operations_center/integrations/generated/cf5c916e-fa26-11ed-a844-f7f4d7348199.md b/_shared_content/operations_center/integrations/generated/cf5c916e-fa26-11ed-a844-f7f4d7348199.md index f03282c2dc..66fd4303af 100644 --- a/_shared_content/operations_center/integrations/generated/cf5c916e-fa26-11ed-a844-f7f4d7348199.md +++ b/_shared_content/operations_center/integrations/generated/cf5c916e-fa26-11ed-a844-f7f4d7348199.md @@ -187,7 +187,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ```json { - "message": "{\n \"geoIp\": {\n \"countryCode\": \"FR\",\n \"longitude\": \"2.408\",\n \"latitude\": \"48.844\",\n \"cityName\": \"Paris\"\n },\n \"responseTimeMs\": 0,\n \"clusterId\": \"dd5a9ee4-fa4b-11ed-8505-8be10a9d80ae\",\n \"responseCode\": 200,\n \"site\": \"example.com\",\n \"requestHeaders\": {\n \"x-forwarded-proto\": \"http\",\n \"x-ogo-shield\": \"0487b7d5\",\n \"x-forwarded-port\": \"80\",\n \"x-forwarded-for\": [\n \"20.20.20.20\"\n ],\n \"accept\": \"text/html,application/xhtml+xml,application/signed-exchange;v=b3,application/xml;q=0.9,*/*;q=0.8\",\n \"x-real-ip\": \"20.20.20.20\",\n \"x-forwarded-server\": \"677de812e565\",\n \"x-forwarded-host\": \"example.com\",\n \"host\": \"example.com\",\n \"connection\": \"keep-alive\",\n \"accept-encoding\": \"gzip, deflate, br\",\n \"user-agent\": \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36\"\n },\n \"responseHeaders\": {\n \"content-encoding\": \"gzip\",\n \"content-type\": \"text/html; charset=UTF-8\",\n \"date\": \"Wed, 24 May 2023 13:58:44 GMT\",\n \"server\": \"nginx/1.6.2 (Ubuntu)\"\n },\n \"@timestamp\": \"2023-05-24T14:00:10.866225015Z\",\n \"requestUrl\": \"https://example.com/%2F%2F/%2F%2F/%2F%2F/etc/passwd\",\n \"ogo\": {\n \"appliedAction\": \"brain\",\n \"credibility\":\"19000\",\n \"driveUid\": \"4F1AB8245012413EBC182B80AAC1FFF3\",\n \"driveLabel\":\"Linux files\",\n \"whitelistedIp\": \"false\",\n \"dryRun\": \"false\",\n \"geoBlocked\": \"false\",\n \"blocked\": \"false\"\n },\n \"clientIP\": \"20.20.20.20\",\n \"@version\": \"1\",\n \"requestInfo\": {\n \"query-string\": \"\",\n \"protocol\": \"HTTP/1.1\",\n \"method\": \"GET\",\n \"scheme\": \"http\",\n \"request-uri\": \"/%2F%2F/%2F%2F/%2F%2F/etc/passwd\",\n \"content-size\": \"0\"\n },\n \"responseContentSize\": 17,\n \"timestamp\": 1684936810291\n}", + "message": "{\n \"geoIp\": {\n \"countryCode\": \"FR\",\n \"longitude\": \"2.408\",\n \"latitude\": \"48.844\",\n \"cityName\": \"Paris\"\n },\n \"responseTimeMs\": 0,\n \"clusterId\": \"dd5a9ee4-fa4b-11ed-8505-8be10a9d80ae\",\n \"responseCode\": 200,\n \"site\": \"example.com\",\n \"requestHeaders\": {\n \"x-forwarded-proto\": \"http\",\n \"x-ogo-shield\": \"0487b7d5\",\n \"x-forwarded-port\": \"80\",\n \"x-forwarded-for\": [\n \"20.20.20.20\"\n ],\n \"accept\": \"text/html,application/xhtml+xml,application/signed-exchange;v=b3,application/xml;q=0.9,*/*;q=0.8\",\n \"x-real-ip\": \"20.20.20.20\",\n \"x-forwarded-server\": \"677de812e565\",\n \"x-forwarded-host\": \"example.com\",\n \"host\": \"example.com\",\n \"connection\": \"keep-alive\",\n \"accept-encoding\": \"gzip, deflate, br\",\n \"user-agent\": \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36\"\n },\n \"responseHeaders\": {\n \"content-encoding\": \"gzip\",\n \"content-type\": \"text/html; charset=UTF-8\",\n \"date\": \"Wed, 24 May 2023 13:58:44 GMT\",\n \"server\": \"nginx/1.6.2 (Ubuntu)\"\n },\n \"@timestamp\": \"2023-05-24T14:00:10.866225015Z\",\n \"requestUrl\": \"https://example.com/%2F%2F/%2F%2F/%2F%2F/etc/passwd\",\n \"ogo\": {\n \"appliedAction\": \"brain\",\n \"credibility\":\"19000\",\n \"driveUid\": \"4F1AB8245012413EBC182B80AAC1FFF3\",\n \"driveLabel\":\"Linux files\",\n \"whitelistedIp\": \"false\",\n \"dryRun\": \"false\",\n \"geoBlocked\": \"false\",\n \"blocked\": \"true\"\n },\n \"clientIP\": \"20.20.20.20\",\n \"@version\": \"1\",\n \"requestInfo\": {\n \"query-string\": \"\",\n \"protocol\": \"HTTP/1.1\",\n \"method\": \"GET\",\n \"scheme\": \"http\",\n \"request-uri\": \"/%2F%2F/%2F%2F/%2F%2F/etc/passwd\",\n \"content-size\": \"0\"\n },\n \"responseContentSize\": 17,\n \"timestamp\": 1684936810291\n}", "event": { "action": "brain", "category": [ @@ -226,7 +226,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ogo": { "appliedAction": "brain", "auditMode": "false", - "blocked": "false", + "blocked": "true", "credibility": "19000", "drive": { "label": "Linux files", diff --git a/_shared_content/operations_center/integrations/generated/d9f337a4-1303-47d4-b15f-1f83807ff3cc.md b/_shared_content/operations_center/integrations/generated/d9f337a4-1303-47d4-b15f-1f83807ff3cc.md index 28f0d08c7c..e08b2754b2 100644 --- a/_shared_content/operations_center/integrations/generated/d9f337a4-1303-47d4-b15f-1f83807ff3cc.md +++ b/_shared_content/operations_center/integrations/generated/d9f337a4-1303-47d4-b15f-1f83807ff3cc.md @@ -43,6 +43,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "duration": 100000000.0, "end": "2040-10-23T01:18:10Z", "module": "imperva.waf", + "severity": 0, "start": "2009-02-13T23:31:30Z", "type": [ "access", @@ -60,6 +61,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "destination": { + "address": "site123.abcd.info", + "domain": "site123.abcd.info", + "registered_domain": "abcd.info", + "subdomain": "site123", + "top_level_domain": "info" + }, "http": { "request": { "bytes": 54, @@ -72,6 +80,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "imperva": { + "event": { + "class_id": "Normal" + }, "pop": "mia", "request": { "headers": [ @@ -96,6 +107,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "network": { + "forwarded_ip": "44.44.44.44", "protocol": "http" }, "observer": { @@ -103,7 +115,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "type": "firewall", "vendor": "Imperva" }, + "organization": { + "name": "CEFcustomer123" + }, "related": { + "hosts": [ + "site123.abcd.info" + ], "ip": [ "12.12.12.12" ] @@ -156,6 +174,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "end": "2022-04-12T14:09:58.765000Z", "module": "imperva.waf", "reason": "The HTTP request was malformated", + "severity": -1, "start": "2022-04-12T14:09:58.763000Z", "type": [ "connection", @@ -173,6 +192,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "destination": { + "address": "www.test.com", + "domain": "www.test.com", + "registered_domain": "test.com", + "subdomain": "www", + "top_level_domain": "com" + }, "http": { "request": { "id": "195557299895996363", @@ -185,6 +211,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "cookie_support": true, "js_support": true }, + "event": { + "class_id": "Blocked country" + }, "pop": "cdg", "session": { "id": 393000630126853202 @@ -204,7 +233,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "type": "firewall", "vendor": "Imperva" }, + "organization": { + "name": "mycustomer@example.org" + }, "related": { + "hosts": [ + "www.test.com" + ], "ip": [ "1.2.3.4" ] @@ -251,6 +286,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "end": "2022-04-12T14:09:58.765000Z", "module": "imperva.waf", "reason": "The destination was blacklisted", + "severity": -1, "start": "2022-04-12T14:09:58.763000Z", "type": [ "connection", @@ -268,6 +304,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "destination": { + "address": "www.test.com", + "domain": "www.test.com", + "registered_domain": "test.com", + "subdomain": "www", + "top_level_domain": "com" + }, "http": { "request": { "id": "195557299895996363", @@ -280,6 +323,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "cookie_support": true, "js_support": true }, + "event": { + "class_id": "Blocked country" + }, "pop": "cdg", "session": { "id": 393000630126853202 @@ -299,7 +345,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "type": "firewall", "vendor": "Imperva" }, + "organization": { + "name": "mycustomer@example.org" + }, "related": { + "hosts": [ + "www.test.com" + ], "ip": [ "1.2.3.4" ] @@ -346,6 +398,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "end": "2022-04-12T14:09:58.765000Z", "module": "imperva.waf", "reason": "The connection was blocked", + "severity": -1, "start": "2022-04-12T14:09:58.763000Z", "type": [ "connection", @@ -363,6 +416,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "destination": { + "address": "www.test.com", + "domain": "www.test.com", + "registered_domain": "test.com", + "subdomain": "www", + "top_level_domain": "com" + }, "http": { "request": { "id": "195557299895996363", @@ -375,6 +435,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "cookie_support": true, "js_support": true }, + "event": { + "class_id": "Blocked country" + }, "pop": "cdg", "session": { "id": 393000630126853202 @@ -394,7 +457,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "type": "firewall", "vendor": "Imperva" }, + "organization": { + "name": "mycustomer@example.org" + }, "related": { + "hosts": [ + "www.test.com" + ], "ip": [ "1.2.3.4" ] @@ -425,6 +494,124 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "access_security_blocked_2.json" + + ```json + + { + "message": "CEF:0|Incapsula|SIEMintegration|1|1|Illegal Resource Access|3| fileId=1111111 sourceServiceName=source.example.org siteid=6562222 suid=1872333 requestClientApplication=Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36 deviceFacility=deviceFacility cs2=false cs2Label=Javascript Support cs3=false cs3Label=CO Support cs1=NA cs1Label=Cap Support cs4=1320a44a-69e8-4497-b18e-65b3aaafc574 cs4Label=VID cs5=01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b cs5Label=clapaaaa dproc=Unclassified cs6=Bot cs6Label=clapb ccode=FR cicode=Paris cs7=60.3379 cs7Label=latitude cs8=-10.2591 cs8Label=longitude Customer=Customer start=1681893621111 request=source.example.org/chakisg.htm?Sip\\=1.1.1.1 | cat /etc/passwd requestMethod=GET app=HTTPS act=REQ_BLOCKED_COOKIELESS_SESSION deviceExternalId=542440032913592222 cpt=56333 src=1.2.3.4 ver=TLSv1.3 TLS_AES_128_GCM_SHA256 end=1681893622111 fileType=900111 filePermission=0 cs9= cs9Label=Rule name", + "event": { + "action": "block", + "category": [ + "network" + ], + "dataset": "imperva-waf", + "duration": 1000.0, + "end": "2023-04-19T08:40:22.111000Z", + "module": "imperva.waf", + "reason": "The connection was blocked", + "severity": 3, + "start": "2023-04-19T08:40:21.111000Z", + "type": [ + "connection", + "denied" + ] + }, + "@timestamp": "2023-04-19T08:40:21.111000Z", + "client": { + "geo": { + "city_name": "Paris", + "country_iso_code": "FR", + "location": { + "lat": 60.3379, + "lon": -10.2591 + } + } + }, + "destination": { + "address": "source.example.org", + "domain": "source.example.org", + "registered_domain": "example.org", + "subdomain": "source", + "top_level_domain": "org" + }, + "http": { + "request": { + "id": "542440032913592222", + "method": "GET" + } + }, + "imperva": { + "client": { + "captcha_support": "NA", + "cookie_support": false, + "js_support": false + }, + "event": { + "class_id": "Illegal Resource Access" + }, + "pop": "deviceFacility", + "session": { + "id": 1111111 + }, + "user_agent": { + "type": "Unclassified" + }, + "visitor": { + "id": "1320a44a-69e8-4497-b18e-65b3aaafc574" + } + }, + "network": { + "protocol": "https" + }, + "observer": { + "product": "Web Application Firewall", + "type": "firewall", + "vendor": "Imperva" + }, + "organization": { + "name": "Customer" + }, + "related": { + "hosts": [ + "source.example.org" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 56333 + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "version": "1.3", + "version_protocol": "tls" + }, + "url": { + "full": "source.example.org/chakisg.htm?Sip\\=1.1.1.1 | cat /etc/passwd", + "original": "source.example.org/chakisg.htm?Sip\\=1.1.1.1 | cat /etc/passwd", + "path": "source.example.org/chakisg.htm", + "query": "Sip\\=1.1.1.1 | cat /etc/passwd" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36", + "os": { + "name": "OpenBSD" + }, + "version": "36.0.1985" + } + } + + ``` + + === "access_security_cached.json" ```json @@ -440,6 +627,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "duration": 2.0, "end": "2022-04-12T14:09:58.765000Z", "module": "imperva.waf", + "severity": -1, "start": "2022-04-12T14:09:58.763000Z", "type": [ "allowed", @@ -457,6 +645,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "destination": { + "address": "www.test.com", + "domain": "www.test.com", + "registered_domain": "test.com", + "subdomain": "www", + "top_level_domain": "com" + }, "http": { "request": { "id": "195557299895996363", @@ -469,6 +664,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "cookie_support": true, "js_support": true }, + "event": { + "class_id": "Accepted country" + }, "pop": "cdg", "session": { "id": 393000630126853202 @@ -488,7 +686,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "type": "firewall", "vendor": "Imperva" }, + "organization": { + "name": "mycustomer@example.org" + }, "related": { + "hosts": [ + "www.test.com" + ], "ip": [ "1.2.3.4" ] @@ -519,6 +723,122 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "access_security_cached_2.json" + + ```json + + { + "message": "CEF:0|Incapsula|SIEMintegration|1|1|Normal|0| fileId=687000970097065000 sourceServiceName=greetings.example.com siteid=4766000 suid=1872230 requestClientApplication=Android 11(70) | prodLalaland 1.47.9(162) | Redmi M2000K6G deviceFacility=war cs2=false cs2Label=Javascript Support cs3=false cs3Label=CO Support cs1=NA cs1Label=Cap Support cs4=1320a44a-69e8-4497-b18e-65b3aaafc574 cs4Label=VOD cs5=1ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b cs5Label=clappsog dproc=Feed Fetcha cs6=Android Dalvok VM cs6Label=clapea ccode=FR cicode=Paris cs7=50.6219 cs7Label=latitude cs10=10.2444 cs8Label=longitude Customer=Hercule start=1681755370111 request=greetings.example.com/build/img/email/header_fr.jpg requestMethod=GET cn1=200 app=HTTPS act=REQ_CACHED_FRESH deviceExternalId=444186935136557111 sip=0.0.0.0 spt=0 in=67888 xff=4.5.6.7 cpt=41148 src=92.140.985.97 ver=TLSv1.3 TLS_AES_128_GCM_SHA256 end=1681755111116", + "event": { + "action": "REQ_CACHED_FRESH", + "category": [ + "network" + ], + "dataset": "imperva-waf", + "duration": -258995.0, + "end": "2023-04-17T18:11:51.116000Z", + "module": "imperva.waf", + "severity": 0, + "start": "2023-04-17T18:16:10.111000Z", + "type": [ + "allowed", + "connection" + ] + }, + "@timestamp": "2023-04-17T18:16:10.111000Z", + "client": { + "geo": { + "city_name": "Paris", + "country_iso_code": "FR" + } + }, + "destination": { + "address": "greetings.example.com", + "domain": "greetings.example.com", + "registered_domain": "example.com", + "subdomain": "greetings", + "top_level_domain": "com" + }, + "http": { + "request": { + "bytes": 67888, + "id": "444186935136557111", + "method": "GET" + }, + "response": { + "status_code": 200 + } + }, + "imperva": { + "client": { + "captcha_support": "NA", + "cookie_support": false, + "js_support": false + }, + "event": { + "class_id": "Normal" + }, + "pop": "war", + "request": { + "x_forwarded_for": "4.5.6.7" + }, + "session": { + "id": 687000970097065000 + }, + "user_agent": { + "type": "Feed Fetcha" + }, + "visitor": { + "id": "1320a44a-69e8-4497-b18e-65b3aaafc574" + } + }, + "network": { + "forwarded_ip": "4.5.6.7", + "protocol": "https" + }, + "observer": { + "product": "Web Application Firewall", + "type": "firewall", + "vendor": "Imperva" + }, + "organization": { + "name": "Hercule" + }, + "related": { + "hosts": [ + "greetings.example.com" + ] + }, + "source": { + "port": 41148 + }, + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256", + "version": "1.3", + "version_protocol": "tls" + }, + "url": { + "full": "greetings.example.com/build/img/email/header_fr.jpg", + "original": "greetings.example.com/build/img/email/header_fr.jpg", + "path": "greetings.example.com/build/img/email/header_fr.jpg" + }, + "user_agent": { + "device": { + "name": "Generic Smartphone" + }, + "name": "Android", + "original": "Android 11(70) | prodLalaland 1.47.9(162) | Redmi M2000K6G", + "os": { + "name": "Android", + "version": "11" + }, + "version": "11" + } + } + + ``` + + === "access_security_challenged.json" ```json @@ -535,6 +855,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "end": "2040-10-23T01:18:10Z", "module": "imperva.waf", "reason": "A challenge was submitted to the client", + "severity": 3, "start": "2009-02-13T23:31:30Z", "type": [ "connection", @@ -552,6 +873,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "destination": { + "address": "site123.abcd.info", + "domain": "site123.abcd.info", + "registered_domain": "abcd.info", + "subdomain": "site123", + "top_level_domain": "info" + }, "http": { "request": { "bytes": 54, @@ -572,6 +900,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "cookie_support": true, "js_support": true }, + "event": { + "class_id": "Illegal Resource Access" + }, "pop": "mia", "request": { "headers": [ @@ -612,6 +943,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "network": { + "forwarded_ip": "44.44.44.44", "protocol": "http" }, "observer": { @@ -619,7 +951,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "type": "firewall", "vendor": "Imperva" }, + "organization": { + "name": "CEFcustomer123" + }, "related": { + "hosts": [ + "site123.abcd.info" + ], "ip": [ "12.12.12.12" ] @@ -676,6 +1014,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "end": "2022-04-12T14:09:58.765000Z", "module": "imperva.waf", "reason": "The destination doesn't support IPv6 addresses", + "severity": -1, "start": "2022-04-12T14:09:58.763000Z", "type": [ "connection", @@ -693,6 +1032,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "destination": { + "address": "www.test.com", + "domain": "www.test.com", + "registered_domain": "test.com", + "subdomain": "www", + "top_level_domain": "com" + }, "http": { "request": { "id": "195557299895996363", @@ -705,6 +1051,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "cookie_support": true, "js_support": true }, + "event": { + "class_id": "Accepted country" + }, "pop": "cdg", "session": { "id": 393000630126853202 @@ -724,7 +1073,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "type": "firewall", "vendor": "Imperva" }, + "organization": { + "name": "mycustomer@example.org" + }, "related": { + "hosts": [ + "www.test.com" + ], "ip": [ "1.2.3.4" ] @@ -770,6 +1125,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "duration": 2.0, "end": "2022-04-12T14:09:58.765000Z", "module": "imperva.waf", + "severity": -1, "start": "2022-04-12T14:09:58.763000Z", "type": [ "allowed", @@ -787,6 +1143,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "destination": { + "address": "www.test.com", + "domain": "www.test.com", + "registered_domain": "test.com", + "subdomain": "www", + "top_level_domain": "com" + }, "http": { "request": { "id": "195557299895996363", @@ -799,6 +1162,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "cookie_support": true, "js_support": true }, + "event": { + "class_id": "Accepted country" + }, "pop": "cdg", "session": { "id": 393000630126853202 @@ -818,7 +1184,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "type": "firewall", "vendor": "Imperva" }, + "organization": { + "name": "mycustomer@example.org" + }, "related": { + "hosts": [ + "www.test.com" + ], "ip": [ "1.2.3.4" ] @@ -865,6 +1237,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "end": "2022-04-12T14:09:58.765000Z", "module": "imperva.waf", "reason": "The proxy failed to resolve the destination", + "severity": -1, "start": "2022-04-12T14:09:58.763000Z", "type": [ "connection", @@ -882,6 +1255,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. } } }, + "destination": { + "address": "www.test.com", + "domain": "www.test.com", + "registered_domain": "test.com", + "subdomain": "www", + "top_level_domain": "com" + }, "http": { "request": { "id": "195557299895996363", @@ -894,6 +1274,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "cookie_support": true, "js_support": true }, + "event": { + "class_id": "Blocked country" + }, "pop": "cdg", "session": { "id": 393000630126853202 @@ -913,7 +1296,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "type": "firewall", "vendor": "Imperva" }, + "organization": { + "name": "mycustomer@example.org" + }, "related": { + "hosts": [ + "www.test.com" + ], "ip": [ "1.2.3.4" ] @@ -957,6 +1346,7 @@ The following table lists the fields that are extracted, normalized under the EC |`client.geo.city_name` | `keyword` | City name. | |`client.geo.country_iso_code` | `keyword` | Country ISO code. | |`client.geo.location` | `geo_point` | Longitude and latitude. | +|`destination.domain` | `keyword` | The domain name of the destination. | |`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.dataset` | `keyword` | Name of the dataset. | @@ -964,6 +1354,7 @@ The following table lists the fields that are extracted, normalized under the EC |`event.end` | `date` | event.end contains the date when the event ended or when the activity was last observed. | |`event.module` | `keyword` | Name of the module this data is coming from. | |`event.reason` | `keyword` | Reason why this event happened, according to the source | +|`event.severity` | `long` | Numeric severity of the event. | |`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`http.request.bytes` | `long` | Total size in bytes of the request (body and headers). | @@ -976,6 +1367,7 @@ The following table lists the fields that are extracted, normalized under the EC |`imperva.client.captcha_support` | `keyword` | Whether or not the client application supports Captcha. | |`imperva.client.cookie_support` | `boolean` | Whether or not the client application supports cookies. | |`imperva.client.js_support` | `boolean` | Whether or not the client application supports JavaScript. | +|`imperva.event.class_id` | `keyword` | The rule type that was triggered. | |`imperva.pop` | `keyword` | The Imperva PoP that handled the request. | |`imperva.request.headers` | `array` | Request headers in JSON format, with each field represented as a name-value pair. | |`imperva.request.x_forwarded_for` | `text` | The X-Forwarded-For request header. | @@ -985,10 +1377,12 @@ The following table lists the fields that are extracted, normalized under the EC |`imperva.session.id` | `long` | The unique identification. | |`imperva.user_agent.type` | `keyword` | The browser type. | |`imperva.visitor.id` | `keyword` | The ID of the visitor. | +|`network.forwarded_ip` | `ip` | Host IP address when the source IP address is the proxy. | |`network.protocol` | `keyword` | Application protocol name. | |`observer.product` | `keyword` | The product name of the observer. | |`observer.type` | `keyword` | The type of the observer the data is coming from. | |`observer.vendor` | `keyword` | Vendor name of the observer. | +|`organization.name` | `keyword` | Organization name. | |`rule.name` | `keyword` | Rule name | |`source.ip` | `ip` | IP address of the source. | |`source.port` | `long` | Port of the source. | diff --git a/_shared_content/operations_center/integrations/generated/f0a10c21-37d1-419f-8671-77903dc8de69.md b/_shared_content/operations_center/integrations/generated/f0a10c21-37d1-419f-8671-77903dc8de69.md index e88e00c11f..e84ad947c5 100644 --- a/_shared_content/operations_center/integrations/generated/f0a10c21-37d1-419f-8671-77903dc8de69.md +++ b/_shared_content/operations_center/integrations/generated/f0a10c21-37d1-419f-8671-77903dc8de69.md @@ -17,4 +17,1371 @@ The following table lists the data source offered by this integration. +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "CEF.json" + + ```json + + { + "message": "CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|HTTP_and_HTTPS_proxy|Unknown|act=Redirect destinationTranslatedAddress=1.1.1.1 destinationTranslatedPort=11680 deviceDirection=0 rt=1593013776000 sourceTranslatedAddress=0.0.0.0 sourceTranslatedPort=0 spt=53782 dpt=8080 cs2Label=Rule Name cs2=Explicit Proxy Access layer_name=Firewall layer_uuid=b8bf0a16-a447-47c3-8e7d-5e0061e17486 match_id=121 parent_rule=0 rule_action=Redirect rule_uid=37c21d26-f155-407a-9958-8584c1fd3320 ifname=eth1.60 logid=0 loguid={0x5ef37610,0x8,0x4d3c03bf,0xf33d4984} origin=2.2.2.2 originsicname=CN\\\\=ertfw01,O\\=foomgmt.foobar.local.zazgch sequencenum=133 version=5 dst=3.3.3.3 inzone=External nat_addtnl_rulenum=0 dhost=4.4.4.4 nat_rulenum=0 outzone=External product=VPN-1 & FireWall-1 proto=6 service_id=HTTP_and_HTTPS_proxy src=5.5.5.5", + "event": { + "code": "Log", + "outcome": "success" + }, + "action": { + "name": "redirect", + "outcome": "success", + "properties": { + "loguid": "{0x5ef37610,0x8,0x4d3c03bf,0xf33d4984}", + "nat_addtnl_rulenum": "0", + "nat_rulenum": "0", + "observer_type": "VPN-1 & FireWall-1", + "origin": "2.2.2.2", + "originsicname": "CN=ertfw01,O=foomgmt.foobar.local.zazgch", + "product": "VPN-1 & FireWall-1", + "rule_name": "Explicit Proxy Access" + }, + "target": "network-traffic" + }, + "destination": { + "address": "3.3.3.3", + "domain": "4.4.4.4", + "ip": "3.3.3.3", + "nat": { + "ip": "1.1.1.1", + "port": 11680 + }, + "port": 8080, + "size_in_char": 7 + }, + "network": { + "direction": "inbound", + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "External" + }, + "ingress": { + "interface": { + "name": "eth1.60" + }, + "zone": "External" + } + }, + "related": { + "hosts": [ + "4.4.4.4" + ], + "ip": [ + "0.0.0.0", + "1.1.1.1", + "3.3.3.3", + "5.5.5.5" + ] + }, + "rule": { + "uuid": "37c21d26-f155-407a-9958-8584c1fd3320", + "version": "5" + }, + "service": { + "id": "HTTP_and_HTTPS_proxy" + }, + "source": { + "address": "5.5.5.5", + "ip": "5.5.5.5", + "nat": { + "ip": "0.0.0.0", + "port": 0 + }, + "port": 53782 + } + } + + ``` + + +=== "CEF_ApplicationControl.json" + + ```json + + { + "message": "CEF:0||Check Point|Application Control|Check Point|Log|Log|Unknown|act=Accept deviceDirection=0 rt=1708352128000 requestMethod=CONNECT request=https://foo.bar.com:443 \nconn_direction=Internal ifname=bond151.410 logid=321 loguid={0x65d3627f,0x303,0x1b6410ac,0x145ca8a5} origin=192.168.10.250 \noriginsicname=CN\\=baz-fw-internet-1,O\\=HOSTNAME.intranet.corp.xd4pc5 sequencenum=1455 version=5 connection_luuid=4ac54d05-4f56-a0da-65d3-628000000003 hll_key=2847161932960334825 \nproduct=Application Control", + "event": { + "code": "Log", + "outcome": "success" + }, + "action": { + "name": "accept", + "outcome": "success", + "properties": { + "loguid": "{0x65d3627f,0x303,0x1b6410ac,0x145ca8a5}", + "observer_type": "Application Control", + "origin": "192.168.10.250", + "originsicname": "CN=baz-fw-internet-1,O=HOSTNAME.intranet.corp.xd4pc5", + "product": "Application Control" + } + }, + "http": { + "request": { + "method": "CONNECT" + } + }, + "network": { + "direction": "internal" + }, + "observer": { + "ingress": { + "interface": { + "name": "bond151.410" + } + } + }, + "rule": { + "version": "5" + }, + "url": { + "domain": "foo.bar.com", + "full": "https://foo.bar.com:443", + "original": "https://foo.bar.com:443", + "port": 443, + "registered_domain": "bar.com", + "scheme": "https", + "subdomain": "foo", + "top_level_domain": "com" + } + } + + ``` + + +=== "CEF_allow.json" + + ```json + + { + "message": "0|Check Point|VPN-1 & FireWall-1|Check Point|Log|Log|Unknown|act=Allow deviceDirection=1 rt=1592559930000 spt=137 dpt=137 alert=Undefined contextnum=2 ifname=eth2 logid=15 loguid={0x5eec893a,0x1c,0x47e0a0a,0xc0000000} origin=1.1.1.1 originsicname=CN\\=foobarfw002,O\\=foomgmt.foobar.local.zazgch sequencenum=61 version=5 context_num=2 dst=2.2.2.2 hll_key=13306743300460385727 product=VPN-1 & FireWall-1 proto=17 reason=Firewall - Protocol violation detected with protocol:(NetBIOS Name Service), matched protocol sig_id:(8), violation sig_id:(17). (500) src=3.3.3.3", + "event": { + "code": "Log", + "outcome": "success" + }, + "action": { + "name": "allow", + "outcome": "success", + "properties": { + "loguid": "{0x5eec893a,0x1c,0x47e0a0a,0xc0000000}", + "observer_type": "VPN-1 & FireWall-1", + "origin": "1.1.1.1", + "originsicname": "CN=foobarfw002,O=foomgmt.foobar.local.zazgch", + "product": "VPN-1 & FireWall-1" + }, + "target": "network-traffic" + }, + "destination": { + "address": "2.2.2.2", + "ip": "2.2.2.2", + "port": 137 + }, + "network": { + "direction": "outbound", + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "eth2" + } + } + }, + "related": { + "ip": [ + "2.2.2.2", + "3.3.3.3" + ] + }, + "rule": { + "version": "5" + }, + "source": { + "address": "3.3.3.3", + "ip": "3.3.3.3", + "port": 137 + } + } + + ``` + + +=== "CEF_cs2_2_times.json" + + ```json + + { + "message": "CEF:0||Check Point|VPN-1 & FireWall-1|Check Point|Log|domain-udp|Unknown|act=Accept deviceDirection=0 rt=1708352128000 spt=63858 dpt=53 cs2Label=Rule Name cs2=Communication DNS \n cs2=vers les ressources internes layer_name=Network layer_name=Application layer_uuid=86db1685-ca63-4fcd-b296-c15c99acfc76 layer_uuid=1d7f95ec-0774-4916-a1b4-e8ab1d2d9cae match_id=169 \n match_id=738197621 parent_rule=0 parent_rule=0 rule_action=Accept rule_action=Accept rule_uid=713de10c-0d41-44af-a2e3-fa4d697c515a rule_uid=9ede1042-638a-45cb-bf2f-f72f1e1b7d97 \n ifname=bond150.240 logid=0 loguid={0xb6666b4,0x11fbf15b,0x98b64f96,0x6772cf4d} origin=192.168.10.242 originsicname=CN\\=cip-fw-core-1.intranet.corp,O\\=HOSTNAME.intranet.corp.xd4pc5 \n sequencenum=547 version=5 dst=172.16.111.111 inzone=Internal outzone=Internal product=VPN-1 & FireWall-1 proto=17 service_id=domain-udp src=10.0.11.11", + "event": { + "code": "Log", + "outcome": "success" + }, + "action": { + "name": "accept", + "outcome": "success", + "properties": { + "loguid": "{0xb6666b4,0x11fbf15b,0x98b64f96,0x6772cf4d}", + "observer_type": "VPN-1 & FireWall-1", + "origin": "192.168.10.242", + "originsicname": "CN=cip-fw-core-1.intranet.corp,O=HOSTNAME.intranet.corp.xd4pc5", + "product": "VPN-1 & FireWall-1", + "rule_name": "Communication DNS" + }, + "target": "network-traffic" + }, + "destination": { + "address": "172.16.111.111", + "ip": "172.16.111.111", + "port": 53 + }, + "network": { + "direction": "inbound", + "transport": "udp" + }, + "observer": { + "egress": { + "zone": "Internal" + }, + "ingress": { + "interface": { + "name": "bond150.240" + }, + "zone": "Internal" + } + }, + "related": { + "ip": [ + "10.0.11.11", + "172.16.111.111" + ] + }, + "rule": { + "uuid": "713de10c-0d41-44af-a2e3-fa4d697c515a", + "version": "5" + }, + "service": { + "id": "domain-udp" + }, + "source": { + "address": "10.0.11.11", + "ip": "10.0.11.11", + "port": 63858 + } + } + + ``` + + +=== "CEF_decrypt.json" + + ```json + + { + "message": "0|Check Point|VPN-1 & FireWall-1|Check Point|Decrypt|https|Unknown|act=Decrypt cs2Label=Peer Gateway cs2=1.1.1.1 deviceDirection=0 dhost= hostname@group.corp \n duser=Firstname1, LASTNAME1 ( FLASTNAME1) Firstname2, Lastname2 (ADM) (FOO12345) duser=LASTNAME3, Firstname3 (ABC12345) rt=1708352039000 shost=hostname00100@group.corp spt=49967 dpt=443 suser=LASTNAME3, Firstname3 \n (ABC12345) cs2Label=Rule Name cs2=Implicit Cleanup layer_name=PROD_SEPTEMBRE_2020_QOS Security layer_name=PROD_SEPTEMBRE_2020_QOS Application layer_uuid=f3e58f17-af95-43fa-82a8-a10f86cd22 \n layer_uuid=aa29b5d0-08ef-4541-9c08-fe7335324262 match_id=129 match_id=33554431 parent_rule=0 parent_rule=0 rule_action=Accept rule_action=Accept rule_uid=310aff93-4aed-4616-a061-4aef36eebc \n ifname=eth1 logid=0 loguid={0xa2198857,0x26b6c7dd,0x93bd692b,0xa64ec6bf} origin=2.2.2.2 originsicname=CN\\=BODFW1,O\\=FWMGNT.corpsubdomain.corp.s65fuv sequencenum=207 version=5 \n community=VPN_FOO_434 dst=192.168.111.111 dst_user_dn=CN\\=Firstname1\\, LASTNAME1,OU\\=exterieur,OU\\=Migration exchange faite,OU\\=Migres_AD,OU\\=Users,OU\\=BOD,DC\\=group,DC\\=corp CN\\= Firstname2\\, \n Lastname2 (ADM),OU\\=Admin Accounts,OU\\=ADMIN,DC\\=group,DC\\=corp fw_subproduct=VPN-1 https_inspection_action=Bypass inzone=External methods:=ESP: AES-256 + SHA256 + PFS (group 14) \n nat_addtnl_rulenum=0 nat_rule_uid=a1fdbc3b-b993-4ea9-972c-07ae43e09acb nat_rulenum=61 outzone=Internal product=VPN-1 & FireWall-1 proto=6 scheme:=IKE service_id=https src=10.1.11.111 \n src_user_dn=CN\\=LASTNAME3\\, Firstname3,OU\\=Internes,OU\\=Users,OU\\=ORY,DC\\=group,DC\\=corp vpn_feature_name=VPN ", + "event": { + "code": "Decrypt", + "outcome": "success" + }, + "action": { + "name": "decrypt", + "outcome": "success", + "properties": { + "community": "VPN_FOO_434", + "loguid": "{0xa2198857,0x26b6c7dd,0x93bd692b,0xa64ec6bf}", + "nat_addtnl_rulenum": "0", + "nat_rulenum": "61", + "observer_type": "VPN-1 & FireWall-1", + "origin": "2.2.2.2", + "originsicname": "CN=BODFW1,O=FWMGNT.corpsubdomain.corp.s65fuv", + "product": "VPN-1 & FireWall-1", + "subproduct": "VPN-1", + "vpn_feature_name": "VPN" + }, + "target": "network-traffic" + }, + "destination": { + "address": "192.168.111.111", + "domain": "hostname@group.corp", + "ip": "192.168.111.111", + "port": 443, + "size_in_char": 19, + "user": { + "name": "Firstname1, LASTNAME1 ( FLASTNAME1) Firstname2, Lastname2 (ADM) (FOO12345)" + } + }, + "network": { + "direction": "inbound", + "transport": "6 scheme:=ike" + }, + "observer": { + "egress": { + "zone": "Internal" + }, + "ingress": { + "interface": { + "name": "eth1" + }, + "zone": "External methods:=ESP: AES-256 + SHA256 + PFS (group 14)" + } + }, + "related": { + "hosts": [ + "hostname00100@group.corp", + "hostname@group.corp" + ], + "ip": [ + "10.1.11.111", + "192.168.111.111" + ], + "user": [ + "Firstname1, LASTNAME1 ( FLASTNAME1) Firstname2, Lastname2 (ADM) (FOO12345)", + "LASTNAME3, Firstname3 (ABC12345)" + ] + }, + "rule": { + "uuid": "310aff93-4aed-4616-a061-4aef36eebc", + "version": "5" + }, + "service": { + "id": "https" + }, + "source": { + "address": "10.1.11.111", + "domain": "hostname00100@group.corp", + "ip": "10.1.11.111", + "port": 49967, + "size_in_char": 24, + "user": { + "name": "LASTNAME3, Firstname3 (ABC12345)" + } + } + } + + ``` + + +=== "CEF_drop.json" + + ```json + + { + "message": "CEF: 0|Check Point|VPN-1 & FireWall-1|Check Point|Log|UDP_443|Unknown|act=Drop deviceDirection=0 duser=FIRSTNAME LASTNAME (FILA10052418) rt=1592559931000 shost=footlt327@ad.mycorp.com spt=56379 dpt=443 suser=FIRSTNAME LASTNAME (FILA10052418) cs2Label=Rule Name layer_name=Firewall layer_uuid=b8bf0a16-a447-47c3-8e7d-5e0061e17486 match_id=139 parent_rule=0 rule_action=Drop rule_uid=9c6de769-d2ab-4f1c-bd3b-5d2180af9844 ifname=Mgmt.3 logid=0 loguid={0x5eec893c,0x3,0x46416ac,0x16efadda} origin=2.2.2.2 originsicname=CN\\=ertfw01,O\\=foomgmt.foobar.local.zazgch sequencenum=299 version=5 dst=4.4.4.4 inzone=Internal outzone=External product=VPN-1 & FireWall-1 proto=17 service_id=UDP_443 src=3.3.3.3 src_user_dn=CN\\=FIRSTNAME LASTNAME,OU\\=Users,OU\\=ServiceDesk,DC\\=ad,DC\\=mycorp,DC\\=com", + "event": { + "code": "Log", + "outcome": "success" + }, + "action": { + "name": "drop", + "outcome": "success", + "properties": { + "loguid": "{0x5eec893c,0x3,0x46416ac,0x16efadda}", + "observer_type": "VPN-1 & FireWall-1", + "origin": "2.2.2.2", + "originsicname": "CN=ertfw01,O=foomgmt.foobar.local.zazgch", + "product": "VPN-1 & FireWall-1" + }, + "target": "network-traffic" + }, + "destination": { + "address": "4.4.4.4", + "ip": "4.4.4.4", + "port": 443, + "user": { + "name": "FIRSTNAME LASTNAME (FILA10052418)" + } + }, + "network": { + "direction": "inbound", + "transport": "udp" + }, + "observer": { + "egress": { + "zone": "External" + }, + "ingress": { + "interface": { + "name": "Mgmt.3" + }, + "zone": "Internal" + } + }, + "related": { + "hosts": [ + "footlt327@ad.mycorp.com" + ], + "ip": [ + "3.3.3.3", + "4.4.4.4" + ], + "user": [ + "FIRSTNAME LASTNAME (FILA10052418)" + ] + }, + "rule": { + "uuid": "9c6de769-d2ab-4f1c-bd3b-5d2180af9844", + "version": "5" + }, + "service": { + "id": "UDP_443" + }, + "source": { + "address": "3.3.3.3", + "domain": "footlt327@ad.mycorp.com", + "ip": "3.3.3.3", + "port": 56379, + "size_in_char": 23, + "user": { + "name": "FIRSTNAME LASTNAME (FILA10052418)" + } + } + } + + ``` + + +=== "CEF_geo_protection.json" + + ```json + + { + "message": "CEF:0||Check Point|VPN-1 & FireWall-1|Check Point|geo_protection|Log|Unknown|act=Accept \ncs3Label=Protection Type cs3=geo_protection deviceDirection=0 rt=1708352128000 spt=56935 dpt=53 \nifname=bond151.421 logid=65536 loguid={0x65d3627f,0x31d,0x1b6410ac,0x145ca8a5} origin=2.2.2.2 \noriginsicname=CN\\=cip-fw-internet-1,O\\=HOSTNAME.intranet.corp.xd4pc5 sequencenum=1496 version=5 \ndst=3.3.3.3 dst_country=Other inspection_information=Geo-location inbound enforcement \ninspection_profile=Block_Pays_a_Risque product=VPN-1 & FireWall-1 proto=17 src=1.1.1.1 \nsrc_country=Internal", + "event": { + "code": "geo_protection", + "outcome": "success" + }, + "action": { + "name": "accept", + "outcome": "success", + "properties": { + "loguid": "{0x65d3627f,0x31d,0x1b6410ac,0x145ca8a5}", + "observer_type": "VPN-1 & FireWall-1", + "origin": "2.2.2.2", + "originsicname": "CN=cip-fw-internet-1,O=HOSTNAME.intranet.corp.xd4pc5", + "product": "VPN-1 & FireWall-1" + }, + "target": "network-traffic" + }, + "destination": { + "address": "3.3.3.3", + "ip": "3.3.3.3", + "port": 53 + }, + "network": { + "direction": "inbound", + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "bond151.421" + } + } + }, + "related": { + "ip": [ + "1.1.1.1", + "3.3.3.3" + ] + }, + "rule": { + "version": "5" + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "port": 56935 + } + } + + ``` + + +=== "CEF_https_bypass.json" + + ```json + + { + "message": "CEF: 0|Check Point|HTTPS Inspection|Check Point|Log|Log|Unknown|act=HTTPS Bypass cs5Label=Matched Category deviceDirection=0 duser=USER-LASTNAME USER-FIRSTNAME (ULUF10004820) rt=1592559938000 shost=FooHost@ad.mycorp.com spt=56891 dpt=443 suser=USER-LASTNAME USER-FIRSTNAME (ULUF10004820) ifname=Mgmt.3 loguid={0x5eec8942,0x13,0x46416ac,0x16efadda} origin=2.2.2.2 originsicname=CN\\=ertfw01,O\\=foomgmt.foobar.local.zazgch sequencenum=324 version=5 dst=3.3.3.3 https_inspection_action=Bypass https_inspection_rule_id={DD126F7C-B373-4331-8632-DBA1EFDD0D6A} https_inspection_rule_name=Bypass for FooBar product=HTTPS Inspection proto=6 snid=0 src=1.1.1.1 src_user_dn=CN\\=USER-LASTNAME USER-FIRSTNAME,OU\\=Users,OU\\=ServiceDesk,DC\\=ad,DC\\=mycorp,DC\\=com", + "event": { + "code": "Log", + "outcome": "success" + }, + "action": { + "name": "https bypass", + "outcome": "success", + "properties": { + "loguid": "{0x5eec8942,0x13,0x46416ac,0x16efadda}", + "observer_type": "HTTPS Inspection", + "origin": "2.2.2.2", + "originsicname": "CN=ertfw01,O=foomgmt.foobar.local.zazgch", + "product": "HTTPS Inspection" + }, + "target": "network-traffic" + }, + "destination": { + "address": "3.3.3.3", + "ip": "3.3.3.3", + "port": 443, + "user": { + "name": "USER-LASTNAME USER-FIRSTNAME (ULUF10004820)" + } + }, + "network": { + "direction": "inbound", + "transport": "tcp" + }, + "observer": { + "ingress": { + "interface": { + "name": "Mgmt.3" + } + } + }, + "related": { + "hosts": [ + "FooHost@ad.mycorp.com" + ], + "ip": [ + "1.1.1.1", + "3.3.3.3" + ], + "user": [ + "USER-LASTNAME USER-FIRSTNAME (ULUF10004820)" + ] + }, + "rule": { + "version": "5" + }, + "source": { + "address": "1.1.1.1", + "domain": "FooHost@ad.mycorp.com", + "ip": "1.1.1.1", + "port": 56891, + "size_in_char": 21, + "user": { + "name": "USER-LASTNAME USER-FIRSTNAME (ULUF10004820)" + } + } + } + + ``` + + +=== "CEF_network_protocol.json" + + ```json + + { + "message": "CEF:0||Check Point|VPN-1 & FireWall-1|Check Point|Log|https|Unknown|act=Accept app=HTTPS destinationTranslatedAddress=0.0.0.0 destinationTranslatedPort=0 deviceDirection=0 \nduser=LASTNAME FIRSTNAME (CORP0000583) rt=1708352128000 sourceTranslatedAddress=1.1.1.1 sourceTranslatedPort=12435 spt=56688 dpt=443 suser=LASTNAME FIRSTNAME (CORP0000583) \ncs2Label=Rule Name cs2=Updatable Objects Services Microsoft layer_name=Network layer_name=Application layer_uuid=86db1685-ca63-4fcd-b296-c15c99acfc76 \nlayer_uuid=1d7f95ec-0774-4916-a1b4-e8ab1d2d9cae match_id=267 match_id=637534254 parent_rule=0 parent_rule=0 rule_action=Accept rule_action=Accept \nrule_uid=6426c486-c108-47b0-9c72-0adf917d7a0f rule_uid=bc9b26a7-f0fa-431d-81a2-6252f9f203a8 conn_direction=Outgoing contextnum=1 ifname=bond151.410 logid=0 \nloguid={0x611c9f51,0x8c73c182,0xe99e964e,0x2addea20} origin=192.168.111.111 originsicname=CN\\=cip-fw-internet-1,O\\=HOSTNAME.intranet.corp.xd4pc5 sequencenum=1271 version=5 \ncertificate_validity=Trusted context_num=1 dst=2.2.2.2 dst_uo_icon=@app/cp_azure_azure dst_uo_name=Azure Services hll_key=6406281760033809592 https_inspection_action=Bypass \ninzone=Internal nat_addtnl_rulenum=0 nat_rule_uid=1e99e081-d7f7-4bd8-b4fe-a40dc90e4230 nat_rulenum=114 needs_browse_time=1 outzone=External product=VPN-1 & FireWall-1 proto=6 \nservice_id=https sig_id=4 sni=eu-mobile.events.data.microsoft.com src=3.3.3.3 src_user_dn=CN\\=LASTNAME FIRSTNAME,OU\\=Service Medical et Detection des Fraudes,OU\\=Relations \nClient,OU\\=Direction des Op\u00e9rations,OU\\=Services,OU\\=Users_Std_XP,OU\\=Siege,OU\\=France,DC\\=intranet,DC\\=corp tls_server_host_name=eu-mobile.events.data.microsoft.com", + "event": { + "code": "Log", + "outcome": "success" + }, + "action": { + "name": "accept", + "outcome": "success", + "properties": { + "loguid": "{0x611c9f51,0x8c73c182,0xe99e964e,0x2addea20}", + "nat_addtnl_rulenum": "0", + "nat_rulenum": "114", + "observer_type": "VPN-1 & FireWall-1", + "origin": "192.168.111.111", + "originsicname": "CN=cip-fw-internet-1,O=HOSTNAME.intranet.corp.xd4pc5", + "product": "VPN-1 & FireWall-1", + "rule_name": "Updatable Objects Services Microsoft" + }, + "target": "network-traffic" + }, + "destination": { + "address": "2.2.2.2", + "ip": "2.2.2.2", + "nat": { + "ip": "0.0.0.0", + "port": 0 + }, + "port": 443, + "user": { + "name": "LASTNAME FIRSTNAME (CORP0000583)" + } + }, + "network": { + "direction": "outgoing", + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "External" + }, + "ingress": { + "interface": { + "name": "bond151.410" + }, + "zone": "Internal" + } + }, + "related": { + "ip": [ + "0.0.0.0", + "1.1.1.1", + "2.2.2.2", + "3.3.3.3" + ], + "user": [ + "LASTNAME FIRSTNAME (CORP0000583)" + ] + }, + "rule": { + "uuid": "6426c486-c108-47b0-9c72-0adf917d7a0f", + "version": "5" + }, + "service": { + "id": "https" + }, + "source": { + "address": "3.3.3.3", + "ip": "3.3.3.3", + "nat": { + "ip": "1.1.1.1", + "port": 12435 + }, + "port": 56688, + "user": { + "name": "LASTNAME FIRSTNAME (CORP0000583)" + } + } + } + + ``` + + +=== "CEF_reject.json" + + ```json + + { + "message": "CEF: 0|Check Point|HTTPS Inspection|Check Point|Log|Log|Unknown|act=Reject deviceDirection=0 duser=LASTNAME FIRSTNAME (CORPO10004953) msg=SSL version is not supported. rt=1592575034000 spt=60144 dpt=443 suser=LASTNAME FIRSTNAME (CORPO10004953) loguid={0x5eecc43b,0x2,0x46416ac,0x16efadda} origin=1.1.1.1 originsicname=CN\\=foobarfw002,O\\=foomgmt.foobar.local.zazgch sequencenum=148 version=5 dst=2.2.2.2 https_validation=unsupported product=HTTPS Inspection proto=6 snid=0 src=3.3.3.3 src_user_dn=CN\\=LASTNAME FIRSTNAME,OU\\=Users,OU\\=ServiceDesk,DC\\=ad,DC\\=mycorp,DC\\=com", + "event": { + "code": "Log", + "message": "SSL version is not supported.", + "outcome": "success" + }, + "action": { + "name": "reject", + "outcome": "success", + "outcome_reason": "SSL version is not supported.", + "properties": { + "loguid": "{0x5eecc43b,0x2,0x46416ac,0x16efadda}", + "observer_type": "HTTPS Inspection", + "origin": "1.1.1.1", + "originsicname": "CN=foobarfw002,O=foomgmt.foobar.local.zazgch", + "product": "HTTPS Inspection" + }, + "target": "network-traffic" + }, + "destination": { + "address": "2.2.2.2", + "ip": "2.2.2.2", + "port": 443, + "user": { + "name": "LASTNAME FIRSTNAME (CORPO10004953)" + } + }, + "network": { + "direction": "inbound", + "transport": "tcp" + }, + "related": { + "ip": [ + "2.2.2.2", + "3.3.3.3" + ], + "user": [ + "LASTNAME FIRSTNAME (CORPO10004953)" + ] + }, + "rule": { + "version": "5" + }, + "source": { + "address": "3.3.3.3", + "ip": "3.3.3.3", + "port": 60144, + "user": { + "name": "LASTNAME FIRSTNAME (CORPO10004953)" + } + } + } + + ``` + + +=== "CEF_tcp_accept.json" + + ```json + + { + "message": "CEF: 0|Check Point|VPN-1 & FireWall-1|Check Point|Log|TCP_135|Unknown|act=Accept deviceDirection=0 rt=1592498107000 spt=62170 dpt=135 cs2Label=Rule Name cs2=Allow all layer_name=Firewall FooBar layer_name=FooBar_policy Application layer_uuid=66f2e247-8237-4d61-b2e9-e4595c7a439c layer_uuid=b66dac35-e2a9-4a13-91bc-21cb9cafb3da match_id=19 match_id=16777244 parent_rule=0 parent_rule=0 rule_action=Accept rule_action=Accept rule_uid=378884f4-0844-4bbb-a5cb-22e9c88d4d09 rule_uid=43b8404c-809b-4f35-927e-2c05b3d28e53 conn_direction=Internal contextnum=1 ifname=eth2 logid=0 loguid={0x5eeb97bb,0x4,0x47e0a0a,0xc0000001} origin=1.1.1.1 originsicname=CN\\=foobarfw002,O\\=foomgmt.foobar.local.zazgch sequencenum=19 version=5 context_num=1 dst=2.2.2.2 hll_key=5221004884709257555 inzone=Internal outzone=Internal product=VPN-1 & FireWall-1 proto=6 service_id=TCP_135 src=3.3.3.3", + "event": { + "code": "Log", + "outcome": "success" + }, + "action": { + "name": "accept", + "outcome": "success", + "properties": { + "loguid": "{0x5eeb97bb,0x4,0x47e0a0a,0xc0000001}", + "observer_type": "VPN-1 & FireWall-1", + "origin": "1.1.1.1", + "originsicname": "CN=foobarfw002,O=foomgmt.foobar.local.zazgch", + "product": "VPN-1 & FireWall-1", + "rule_name": "Allow all" + }, + "target": "network-traffic" + }, + "destination": { + "address": "2.2.2.2", + "ip": "2.2.2.2", + "port": 135 + }, + "network": { + "direction": "internal", + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "Internal" + }, + "ingress": { + "interface": { + "name": "eth2" + }, + "zone": "Internal" + } + }, + "related": { + "ip": [ + "2.2.2.2", + "3.3.3.3" + ] + }, + "rule": { + "uuid": "378884f4-0844-4bbb-a5cb-22e9c88d4d09", + "version": "5" + }, + "service": { + "id": "TCP_135" + }, + "source": { + "address": "3.3.3.3", + "ip": "3.3.3.3", + "port": 62170 + } + } + + ``` + + +=== "CEF_user_agent.json" + + ```json + + { + "message": "CEF:0||Check Point|URL Filtering|Check Point|News / Media|domain.fr|Unknown|act=Accept app=HTTP \ndeviceDirection=0 duser=LASTNAME FIRSTNAME (CORP0025465) requestClientApplication=Google Chrome rt=1708352128000 dpt=8080 \nsuser=LASTNAME FIRSTNAME (CORP0025465) cp_app_risk=Unknown cp_app_risk=Unknown cs6Label=Application Name cs6=domain.fr \ncs5Label=Matched Category cs5=News / Media flexString1Label=Application Signature ID cs2Label=Rule Name cs2=vers les ressources\ninternes app_category=News / Media app_id=0 app_id=2108684536 app_properties=News / Media,URL Filtering layer_name=Network \nlayer_name=Application layer_uuid=86db1685-ca63-4fcd-b296-c15c99acfc76 layer_uuid=1d7f95ec-0774-4916-a1b4-e8ab1d2d9cae \nmatch_id=273 match_id=637534325 parent_rule=0 parent_rule=0 rule_action=Accept rule_action=Accept \nrule_uid=427fb6b8-dcf9-471a-a346-7c603f4a0852 rule_uid=9ede1042-638a-45cb-bf2f-f72f1e1b7d97 cp_app_risk=Unknown \ncs6Label=Application Name cs6=domain.fr cs5Label=Matched Category cs5=News / Media flexString1Label=Application Signature ID \napp_category=News / Media app_id=2108684536 app_properties=News / Media,URL Filtering requestMethod=CONNECT \nrequest=https://subdomain.domain.fr:443 conn_direction=Internal ifname=bond151.410 logid=256 \nloguid={0xb8627f78,0x96aeacb2,0xe1a3617f,0x615f333f} origin=192.168.111.123 \noriginsicname=CN\\=cip-fw-internet-1,O\\=HOSTNAME.intranet.corp.xd4pc5 sequencenum=1362 version=5 aggregated_log_count=1 \nbrowse_time=0 client_type_os=Windows 10 connection_count=1 creation_time=1708352128 dst=192.168.111.111 duration=0 \nhll_key=16778521701015169890 inzone=Internal last_hit_time=1708352128 outzone=Internal product=URL Filtering proto=6 \nservice_id=HTTP_and_HTTPS_proxy sig_id=0 src=192.168.222.222 src_user_dn=CN\\=LASTNAME \nFIRSTNAME,OU\\=Users_CC,OU\\=RC,OU\\=France,DC\\=intranet,DC\\=corp update_count=1 user_agent=Mozilla/5.0 (Windows NT 10.0; WOW64) \nAppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36", + "event": { + "code": "News / Media", + "outcome": "success" + }, + "action": { + "name": "accept", + "outcome": "success", + "properties": { + "loguid": "{0xb8627f78,0x96aeacb2,0xe1a3617f,0x615f333f}", + "observer_type": "URL Filtering", + "origin": "192.168.111.123", + "originsicname": "CN=cip-fw-internet-1,O=HOSTNAME.intranet.corp.xd4pc5", + "product": "URL Filtering", + "rule_name": "vers les ressources\ninternes" + }, + "target": "network-traffic" + }, + "destination": { + "address": "192.168.111.111", + "ip": "192.168.111.111", + "port": 8080, + "user": { + "name": "LASTNAME FIRSTNAME (CORP0025465)" + } + }, + "http": { + "request": { + "method": "CONNECT" + } + }, + "network": { + "direction": "internal", + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "Internal" + }, + "ingress": { + "interface": { + "name": "bond151.410" + }, + "zone": "Internal" + } + }, + "related": { + "ip": [ + "192.168.111.111", + "192.168.222.222" + ], + "user": [ + "LASTNAME FIRSTNAME (CORP0025465)" + ] + }, + "rule": { + "uuid": "427fb6b8-dcf9-471a-a346-7c603f4a0852", + "version": "5" + }, + "service": { + "id": "HTTP_and_HTTPS_proxy" + }, + "source": { + "address": "192.168.222.222", + "ip": "192.168.222.222", + "user": { + "name": "LASTNAME FIRSTNAME (CORP0025465)" + } + }, + "url": { + "domain": "subdomain.domain.fr", + "full": "https://subdomain.domain.fr:443", + "original": "https://subdomain.domain.fr:443", + "port": 443, + "registered_domain": "domain.fr", + "scheme": "https", + "subdomain": "subdomain", + "top_level_domain": "fr" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; WOW64) \nAppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36", + "os": { + "name": "Windows", + "version": "10" + }, + "version": "88.0.4324" + } + } + + ``` + + +=== "Generic_icmp_decrypt.json" + + ```json + + { + "message": "\"1832941\" \"20Dec2019\" \"12:04:05\" \"eth1\" \"2.2.2.2\" \"Log\" \"Decrypt\" \"\" \"\" \"3.3.3.3\" \"1.1.1.1\" \"icmp\" \"5\" \"Supervision\" \"5-FooBar_Policy\" \"\" \"inzone: External; outzone: Internal; service_id: icmp-proto; ICMP: Echo Request; ICMP Type: 8; ICMP Code: 0\" \"Multi-product\" \"\" \"\"#013", + "event": { + "outcome": "success" + }, + "action": { + "name": "decrypt", + "outcome": "success", + "target": "network-traffic" + }, + "destination": { + "address": "1.1.1.1", + "ip": "1.1.1.1" + }, + "host": { + "hostname": "2.2.2.2", + "name": "2.2.2.2" + }, + "log": { + "hostname": "2.2.2.2" + }, + "network": { + "transport": "icmp" + }, + "related": { + "hosts": [ + "2.2.2.2" + ], + "ip": [ + "1.1.1.1", + "3.3.3.3" + ] + }, + "source": { + "address": "3.3.3.3", + "ip": "3.3.3.3" + } + } + + ``` + + +=== "Generic_tcp_allow.json" + + ```json + + { + "message": "\"22\" \"10Dec2019\" \"23:44:49\" \"eth1\" \"FOOBAR-HOST-01\" \"Log\" \"Accept\" \"443\" \"44250\" \"2.2.2.2\" \"1.1.1.1\" \"tcp\" \"81\" \"WebAccess Notes\" \"81-FooBar_Policy\" \"\" \"inzone: External; outzone: Internal; service_id: https\" \"Multi-product\" \"\" \"\"", + "event": { + "outcome": "success" + }, + "action": { + "name": "accept", + "outcome": "success", + "target": "network-traffic" + }, + "destination": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "port": 443 + }, + "host": { + "hostname": "FOOBAR-HOST-01", + "name": "FOOBAR-HOST-01" + }, + "log": { + "hostname": "FOOBAR-HOST-01" + }, + "network": { + "transport": "tcp" + }, + "related": { + "hosts": [ + "FOOBAR-HOST-01" + ], + "ip": [ + "1.1.1.1", + "2.2.2.2" + ] + }, + "source": { + "address": "2.2.2.2", + "ip": "2.2.2.2", + "port": 44250 + } + } + + ``` + + +=== "Generic_tcp_drop.json" + + ```json + + { + "message": "\"21\" \"10Dec2019\" \"23:44:49\" \"eth1\" \"FOOBAR-HOST-01\" \"Log\" \"Drop\" \"58339\" \"46193\" \"1.1.1.1\" \"2.2.2.2\" \"tcp\" \"107\" \"Deny All\" \"107-FooBar_Policy\" \"\" \"inzone: External; outzone: Internal\" \"Security Gateway/Management\" \"\" \"\"", + "event": { + "outcome": "success" + }, + "action": { + "name": "drop", + "outcome": "success", + "target": "network-traffic" + }, + "destination": { + "address": "2.2.2.2", + "ip": "2.2.2.2", + "port": 58339 + }, + "host": { + "hostname": "FOOBAR-HOST-01", + "name": "FOOBAR-HOST-01" + }, + "log": { + "hostname": "FOOBAR-HOST-01" + }, + "network": { + "transport": "tcp" + }, + "related": { + "hosts": [ + "FOOBAR-HOST-01" + ], + "ip": [ + "1.1.1.1", + "2.2.2.2" + ] + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1", + "port": 46193 + } + } + + ``` + + +=== "Syslog.json" + + ```json + + { + "message": "syslog[action:\"Drop\"; flags:\"2308\"; ifdir:\"inbound\"; ifname:\"eth1\"; loguid:\"{0x0,0x0,0x0,0x0}\"; origin:\"1.1.1.1\"; time:\"1617710462\"; version:\"1\"; __policy_id_tag:\"product=VPN-1 & FireWall-1[db_tag={736F50F2-40D8-124E-8D46-F7849455B8AE};mgmt=foobar;date=1615201122;policy_name=FooPolicy\\]\"; dst:\"2.2.2.2\"; inzone:\"External\"; origin_sic_name:\"CN=HOSTBAR,O=FooBaz.prj.fr.mnkqvz\"; outzone:\"External\"; product:\"VPN-1 & FireWall-1\"; proto:\"6\"; rule:\"118\"; rule_name:\"Clean-up Rule\"; rule_uid:\"{EA9E7B59-E0DD-4AE1-A2C0-680E3C3FAADC}\"; s_port:\"54377\"; service:\"5530\"; src:\"3.3.3.3\"; ]", + "event": { + "code": "{0x0,0x0,0x0,0x0}", + "outcome": "success" + }, + "action": { + "name": "drop", + "outcome": "success", + "properties": { + "__policy_id_tag": "product=VPN-1 & FireWall-1[db_tag={736F50F2-40D8-124E-8D46-F7849455B8AE};mgmt=foobar;date=1615201122;policy_name=FooPolicy\\]", + "flags": "2308", + "loguid": "{0x0,0x0,0x0,0x0}", + "origin": "1.1.1.1", + "origin_sic_name": "CN=HOSTBAR,O=FooBaz.prj.fr.mnkqvz", + "product": "VPN-1 & FireWall-1" + }, + "target": "network-traffic" + }, + "destination": { + "address": "2.2.2.2", + "ip": "2.2.2.2", + "port": 5530 + }, + "network": { + "direction": "inbound", + "transport": "tcp" + }, + "observer": { + "egress": { + "zone": "External" + }, + "ingress": { + "interface": { + "name": "eth1" + }, + "zone": "External" + } + }, + "related": { + "ip": [ + "2.2.2.2", + "3.3.3.3" + ] + }, + "rule": { + "id": "118", + "name": "Clean-up Rule", + "uuid": "{EA9E7B59-E0DD-4AE1-A2C0-680E3C3FAADC}", + "version": "1" + }, + "source": { + "address": "3.3.3.3", + "ip": "3.3.3.3", + "port": 54377 + } + } + + ``` + + +=== "Syslog_icmp.json" + + ```json + + { + "message": "syslog[action:\"Accept\"; flags:\"18692\"; ifdir:\"inbound\"; ifname:\"eth5\"; loguid:\"{0x607486c9,0x1,0x151e9f0a,0xc0000000}\"; origin:\"1.1.1.1\"; time:\"1618249417\"; version:\"1\"; __policy_id_tag:\"product=VPN-1 & FireWall-1[db_tag={A8A4FD06-D819-BC43-8607-833A6D14E3A2};mgmt=HOSTBAZ;date=1617956749;policy_name=MyPolicy\\]\"; dst:\"2.2.2.2\"; icmp:\"Echo Request\"; icmp_code:\"0\"; icmp_type:\"8\"; inzone:\"Internal\"; origin_sic_name:\"CN=HOSTBAR,O=FooBaz.prj.fr.mnkqvz\"; outzone:\"Internal\"; product:\"VPN-1 & FireWall-1\"; proto:\"1\"; rule:\"21\"; rule_uid:\"{6C86D7C0-B2C8-4222-AEF9-18CC10CEAA2B}\"; service_id:\"echo-request\"; src:\"3.3.3.3\"; ]", + "event": { + "code": "{0x607486c9,0x1,0x151e9f0a,0xc0000000}", + "outcome": "success" + }, + "action": { + "name": "accept", + "outcome": "success", + "properties": { + "__policy_id_tag": "product=VPN-1 & FireWall-1[db_tag={A8A4FD06-D819-BC43-8607-833A6D14E3A2};mgmt=HOSTBAZ;date=1617956749;policy_name=MyPolicy\\]", + "flags": "18692", + "icmp_code": "0", + "icmp_message": "Echo Request", + "icmp_type": "8", + "loguid": "{0x607486c9,0x1,0x151e9f0a,0xc0000000}", + "origin": "1.1.1.1", + "origin_sic_name": "CN=HOSTBAR,O=FooBaz.prj.fr.mnkqvz", + "product": "VPN-1 & FireWall-1" + }, + "target": "network-traffic" + }, + "destination": { + "address": "2.2.2.2", + "ip": "2.2.2.2" + }, + "network": { + "direction": "inbound", + "transport": "icmp" + }, + "observer": { + "egress": { + "zone": "Internal" + }, + "ingress": { + "interface": { + "name": "eth5" + }, + "zone": "Internal" + } + }, + "related": { + "ip": [ + "2.2.2.2", + "3.3.3.3" + ] + }, + "rule": { + "id": "21", + "uuid": "{6C86D7C0-B2C8-4222-AEF9-18CC10CEAA2B}", + "version": "1" + }, + "service": { + "id": "echo-request" + }, + "source": { + "address": "3.3.3.3", + "ip": "3.3.3.3" + } + } + + ``` + + +=== "Syslog_key.json" + + ```json + + { + "message": "syslog[action:\"Key Install\"; flags:\"2304\"; ifdir:\"inbound\"; ifname:\"daemon\"; loguid:\"{0x0,0x0,0x0,0x0}\"; origin:\"1.1.1.1\"; time:\"1618253000\"; version:\"1\"; community:\"Lab_to_Foo\"; cookiei:\"c1d26a716fed4717\"; cookier:\"6b57dcc95790f11f\"; dst:\"1.1.1.1\"; dstkeyid:\"0x4caf71d8\"; fw_subproduct:\"VPN-1\"; ike::\"Quick Mode completion [UDP (IPv4)\\].\"; ike_ids::\"subnet: 2.2.2.2 (mask= 255.255.254.0) and subnet: 192.168.0.0 (mask= 255.255.255.252)\"; methods::\"ESP: AES-256 + SHA1 + PFS (group 5)\"; msgid:\"4c0515ff\"; origin_sic_name:\"CN=HOSTBAR,O=FooBaz.prj.fr.mnkqvz\"; peer_gateway:\"1.1.1.1\"; scheme::\"IKE\"; src:\"1.1.1.1\"; srckeyid:\"0x9dea8f3a\"; vpn_feature_name:\"IKE\"; ]", + "event": { + "code": "{0x0,0x0,0x0,0x0}", + "outcome": "success" + }, + "action": { + "name": "key install", + "outcome": "success", + "properties": { + "community": "Lab_to_Foo", + "destination_key_id": "0x4caf71d8", + "encryption_methods": "ESP: AES-256 + SHA1 + PFS (group 5)", + "encryption_scheme": "IKE", + "flags": "2304", + "ike_ids": "subnet: 2.2.2.2 (mask= 255.255.254.0) and subnet: 192.168.0.0 (mask= 255.255.255.252)", + "ike_initiator_cookie": "c1d26a716fed4717", + "ike_mode": "Quick Mode completion [UDP (IPv4)\\].", + "ike_responder_cookie": "6b57dcc95790f11f", + "loguid": "{0x0,0x0,0x0,0x0}", + "origin": "1.1.1.1", + "origin_sic_name": "CN=HOSTBAR,O=FooBaz.prj.fr.mnkqvz", + "source_key_id": "0x9dea8f3a", + "subproduct": "VPN-1", + "vpn_feature_name": "IKE", + "vpn_peer_gateway": "1.1.1.1" + } + }, + "destination": { + "address": "1.1.1.1", + "ip": "1.1.1.1" + }, + "network": { + "direction": "inbound" + }, + "observer": { + "ingress": { + "interface": { + "name": "daemon" + } + } + }, + "related": { + "ip": [ + "1.1.1.1" + ] + }, + "rule": { + "version": "1" + }, + "source": { + "address": "1.1.1.1", + "ip": "1.1.1.1" + } + } + + ``` + + +=== "Syslog_nat.json" + + ```json + + { + "message": "syslog[action:\"Accept\"; flags:\"18692\"; ifdir:\"inbound\"; ifname:\"eth5\"; loguid:\"{0x607486c4,0xa,0x151e9f0a,0xc0000001}\"; origin:\"1.1.1.1\"; time:\"1618249412\"; version:\"1\"; __policy_id_tag:\"product=VPN-1 & FireWall-1[db_tag={A8A4FD06-D819-BC43-8607-833A6D14E3A2};mgmt=HOSTBAZ;date=1617956749;policy_name=MyPolicy\\]\"; dst:\"192.168.99.111\"; icmp:\"Echo Request\"; icmp_code:\"0\"; icmp_type:\"8\"; inzone:\"Internal\"; nat_addtnl_rulenum:\"1\"; nat_rulenum:\"132\"; origin_sic_name:\"CN=HOSTBAR,O=FooBaz.prj.fr.mnkqvz\"; outzone:\"Internal\"; product:\"VPN-1 & FireWall-1\"; proto:\"1\"; rule:\"71\"; rule_name:\"Internet\"; rule_uid:\"{D67042B8-7EC2-4A9F-A047-523DE6CFF8E0}\"; service_id:\"echo-request\"; src:\"3.3.3.3\"; xlatedport:\"0\"; xlatedst:\"0.0.0.0\"; xlatesport:\"0\"; xlatesrc:\"192.168.99.1\"; ]", + "event": { + "code": "{0x607486c4,0xa,0x151e9f0a,0xc0000001}", + "outcome": "success" + }, + "action": { + "name": "accept", + "outcome": "success", + "properties": { + "__policy_id_tag": "product=VPN-1 & FireWall-1[db_tag={A8A4FD06-D819-BC43-8607-833A6D14E3A2};mgmt=HOSTBAZ;date=1617956749;policy_name=MyPolicy\\]", + "flags": "18692", + "icmp_code": "0", + "icmp_message": "Echo Request", + "icmp_type": "8", + "loguid": "{0x607486c4,0xa,0x151e9f0a,0xc0000001}", + "nat_addtnl_rulenum": "1", + "nat_rulenum": "132", + "origin": "1.1.1.1", + "origin_sic_name": "CN=HOSTBAR,O=FooBaz.prj.fr.mnkqvz", + "product": "VPN-1 & FireWall-1" + }, + "target": "network-traffic" + }, + "destination": { + "address": "192.168.99.111", + "ip": "192.168.99.111", + "nat": { + "ip": "0.0.0.0", + "port": 0 + } + }, + "network": { + "direction": "inbound", + "transport": "icmp" + }, + "observer": { + "egress": { + "zone": "Internal" + }, + "ingress": { + "interface": { + "name": "eth5" + }, + "zone": "Internal" + } + }, + "related": { + "ip": [ + "0.0.0.0", + "192.168.99.1", + "192.168.99.111", + "3.3.3.3" + ] + }, + "rule": { + "id": "71", + "name": "Internet", + "uuid": "{D67042B8-7EC2-4A9F-A047-523DE6CFF8E0}", + "version": "1" + }, + "service": { + "id": "echo-request" + }, + "source": { + "address": "3.3.3.3", + "ip": "3.3.3.3", + "nat": { + "ip": "192.168.99.1", + "port": 0 + } + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`action.properties.__policy_id_tag` | `keyword` | | +|`action.properties.community` | `keyword` | | +|`action.properties.destination_key_id` | `keyword` | | +|`action.properties.encryption_methods` | `keyword` | | +|`action.properties.encryption_scheme` | `keyword` | | +|`action.properties.flags` | `keyword` | | +|`action.properties.icmp_code` | `keyword` | | +|`action.properties.icmp_message` | `keyword` | | +|`action.properties.icmp_type` | `keyword` | | +|`action.properties.ike_ids` | `keyword` | | +|`action.properties.ike_initiator_cookie` | `keyword` | | +|`action.properties.ike_mode` | `keyword` | | +|`action.properties.ike_responder_cookie` | `keyword` | | +|`action.properties.loguid` | `keyword` | | +|`action.properties.nat_addtnl_rulenum` | `keyword` | | +|`action.properties.nat_rulenum` | `keyword` | | +|`action.properties.observer_type` | `keyword` | | +|`action.properties.origin` | `keyword` | | +|`action.properties.origin_sic_name` | `keyword` | | +|`action.properties.originsicname` | `keyword` | | +|`action.properties.product` | `keyword` | | +|`action.properties.reject_category` | `keyword` | | +|`action.properties.rule_name` | `keyword` | | +|`action.properties.source_key_id` | `keyword` | | +|`action.properties.subproduct` | `keyword` | | +|`action.properties.vpn_feature_name` | `keyword` | | +|`action.properties.vpn_peer_gateway` | `keyword` | | +|`action.target` | `keyword` | | +|`destination.address` | `keyword` | Destination network address. | +|`destination.domain` | `keyword` | The domain name of the destination. | +|`destination.ip` | `ip` | IP address of the destination. | +|`destination.nat.ip` | `ip` | Destination NAT ip | +|`destination.nat.port` | `long` | Destination NAT Port | +|`destination.port` | `long` | Port of the destination. | +|`destination.size_in_char` | `number` | | +|`destination.user.name` | `keyword` | Short name or login of the user. | +|`event.code` | `keyword` | Identification code for this event. | +|`host.hostname` | `keyword` | Hostname of the host. | +|`host.name` | `keyword` | Name of the host. | +|`http.request.method` | `keyword` | HTTP request method. | +|`network.direction` | `keyword` | Direction of the network traffic. | +|`network.protocol` | `keyword` | Application protocol name. | +|`network.transport` | `keyword` | Protocol Name corresponding to the field `iana_number`. | +|`observer.egress.zone` | `keyword` | Observer Egress zone | +|`observer.ingress.interface.name` | `keyword` | Interface name | +|`observer.ingress.zone` | `keyword` | Observer ingress zone | +|`rule.id` | `keyword` | Rule ID | +|`rule.name` | `keyword` | Rule name | +|`rule.uuid` | `keyword` | Rule UUID | +|`rule.version` | `keyword` | Rule version | +|`service.id` | `keyword` | Unique identifier of the running service. | +|`source.address` | `keyword` | Source network address. | +|`source.domain` | `keyword` | The domain name of the source. | +|`source.ip` | `ip` | IP address of the source. | +|`source.nat.ip` | `ip` | Source NAT ip | +|`source.nat.port` | `long` | Source NAT port | +|`source.port` | `long` | Port of the source. | +|`source.size_in_char` | `number` | | +|`source.user.name` | `keyword` | Short name or login of the user. | +|`url.full` | `wildcard` | Full unparsed URL. | +|`url.original` | `wildcard` | Unmodified original url as seen in the event source. | +|`user_agent.original` | `keyword` | Unparsed user_agent string. |