From 5c5c66b5187b7446699eb2ce56758d3c44fe110f Mon Sep 17 00:00:00 2001 From: "sekoia-io-cross-repo-comm-app[bot]" Date: Tue, 31 Oct 2023 15:37:13 +0000 Subject: [PATCH] Refresh intakes documentation --- .../466aeca2-e112-4ccc-a109-c6d85b91bbcf.md | 456 +++++++++++++++++- .../6dbdd199-77ae-4705-a5de-5c2722fa020e.md | 88 ++-- 2 files changed, 509 insertions(+), 35 deletions(-) diff --git a/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md b/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md index c2b49c27c2..505427eb85 100644 --- a/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md +++ b/_shared_content/operations_center/integrations/generated/466aeca2-e112-4ccc-a109-c6d85b91bbcf.md @@ -145,6 +145,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": { "target": "network-traffic" }, + "cisco": { + "ac": { + "rule_action": "Allow" + }, + "device_id": "b2433c5c-a6a1-11eb-a6e7-be0b9833091f" + }, "destination": { "address": "172.16.20.10", "bytes": 0, @@ -205,6 +211,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": { "target": "network-traffic" }, + "cisco": { + "ac": { + "rule_action": "
Block with reset" + }, + "device_id": "e8566508-eaa9-11e5-860f-de3e305d8269" + }, "destination": { "address": "10.1.9.9", "bytes": 0, @@ -1943,6 +1955,12 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": { "target": "network-traffic" }, + "cisco": { + "ac": { + "rule_action": "Allow" + }, + "device_id": "1662dc94-665c-4e50-97df-1c5b281556aa" + }, "destination": { "address": "5.6.7.8", "bytes": 66, @@ -2004,6 +2022,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "target": "network-traffic" }, "cisco": { + "ac": { + "rule_action": "Allow" + }, + "device_id": "1662dc94-665c-4e50-97df-1c5b281556aa", "dns": { "record_type": "a host address", "ttl": "150" @@ -2089,6 +2111,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": { "target": "network-traffic" }, + "cisco": { + "ac": { + "rule_action": "Allow" + }, + "device_id": "1662dc94-665c-4e50-97df-1c5b281556aa", + "url_category": "Computer Security", + "web_application": "Trend Micro" + }, "destination": { "address": "5.6.7.8", "bytes": 5018, @@ -2144,6 +2174,101 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_FTD_430003_3.json" + + ```json + + { + "message": "%FTD-1-430003: EventPriority: Low, DeviceUUID: deyyyyy-844d-11e7-b104-8d1450667052, InstanceID: 1, FirstPacketSecond: 2023-08-23T12:59:00Z, ConnectionID: 55087, AccessControlRuleAction: Allow, SrcIP: 10.55.21.168, DstIP: 142.55.179.67, SrcPort: 77777, DstPort: 80, Protocol: tcp, IngressInterface: LAN, EgressInterface: WAN, IngressZone: LAN, EgressZone: OUT, IngressVRF: Global, EgressVRF: Global, ACPolicy: ACPolicy, AccessControlRuleName: SORTIE_INTERNET_ALL, Prefilter Policy: LALALAND L3-L4 Policy, User: Not Found, UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.32 Safari/537.36, Client: Chrome, ClientVersion: 60.0.3112.32, ApplicationProtocol: HTTP, WebApplication: Google, ConnectionDuration: 0, InitiatorPackets: 5, ResponderPackets: 5, InitiatorBytes: 565, ResponderBytes: 484, NAPPolicy: Balanced Security and Connectivity, ReferencedHost: connectivitycheck.gstatic.com, URLCategory: Infrastructure and Content Delivery Networks, URLReputation: Favorable, URL: http://connectivitycheck.gstatic.com/generate_204, NAT_InitiatorPort: 77777, NAT_ResponderPort: 80, NAT_InitiatorIP: 194.55.57.195, NAT_ResponderIP: 142.55.179.67", + "event": { + "action": "connection-finished", + "category": [ + "network" + ], + "code": "430003", + "kind": "event", + "type": [ + "connection", + "end" + ] + }, + "action": { + "target": "network-traffic" + }, + "cisco": { + "ac": { + "rule_action": "Allow" + }, + "device_id": "deyyyyy-844d-11e7-b104-8d1450667052", + "url_category": "Infrastructure and Content Delivery Networks", + "web_application": "Google" + }, + "destination": { + "address": "142.55.179.67", + "bytes": 484, + "ip": "142.55.179.67", + "packets": 5, + "port": 80 + }, + "log": { + "level": "Low" + }, + "network": { + "protocol": "HTTP", + "transport": "tcp" + }, + "observer": { + "product": "Firepower Threat Defense", + "vendor": "Cisco" + }, + "related": { + "ip": [ + "10.55.21.168", + "142.55.179.67" + ], + "user": [ + "Not Found" + ] + }, + "rule": { + "name": "SORTIE_INTERNET_ALL", + "ruleset": "ACPolicy" + }, + "source": { + "address": "10.55.21.168", + "bytes": 565, + "ip": "10.55.21.168", + "packets": 5, + "port": 77777 + }, + "url": { + "domain": "connectivitycheck.gstatic.com", + "original": "http://connectivitycheck.gstatic.com/generate_204", + "path": "/generate_204", + "port": 80, + "registered_domain": "gstatic.com", + "scheme": "http", + "subdomain": "connectivitycheck", + "top_level_domain": "com" + }, + "user": { + "name": "Not Found" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML", + "os": { + "name": "Linux" + } + } + } + + ``` + + === "test_group_1.json" ```json @@ -2154,7 +2279,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event" + "kind": "event", + "reason": "AnyConnect session lost connection. Waiting to resume." }, "action": { "name": "anyconnect session lost connection", @@ -2184,6 +2310,132 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_group_10.json" + + ```json + + { + "message": "Task ran for 100 msec, Process = aaa_shim_thread, PC = abb111cc, Call stack = 0x000000aaab89d6a0 0x000000aaab88cdec 0x000000aaab88cd68", + "event": { + "category": [ + "network" + ], + "kind": "event", + "reason": "Task ran for 100 msec" + }, + "action": { + "target": "network-traffic" + }, + "cisco": { + "ftd": { + "event": { + "duration": "100" + } + }, + "process": { + "call_stack": "0x000000aaab89d6a0 0x000000aaab88cdec 0x000000aaab88cd68", + "instruction_pointer": "abb111cc" + } + }, + "observer": { + "vendor": "Cisco" + }, + "process": { + "name": "aaa_shim_thread" + } + } + + ``` + + +=== "test_group_1_2.json" + + ```json + + { + "message": "Group User IP <4.3.2.1> IPv4 Address <1.2.3.4> IPv6 address <::> assigned to session", + "event": { + "category": [ + "network" + ], + "kind": "event", + "reason": "IPv4 Address <1.2.3.4> IPv6 address <::> assigned to session" + }, + "action": { + "target": "network-traffic" + }, + "observer": { + "vendor": "Cisco" + }, + "related": { + "ip": [ + "1.2.3.4", + "4.3.2.1" + ], + "user": [ + "MyUser" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1" + } + }, + "user": { + "domain": "MyGroup", + "name": "MyUser" + } + } + + ``` + + +=== "test_group_1_3.json" + + ```json + + { + "message": "Group User IP <4.3.2.1> IPv4 Address <> IPv6 address <3deb:3c5e:59d0:53ad:1115:d3d7:58da:47d6> assigned to session", + "event": { + "category": [ + "network" + ], + "kind": "event", + "reason": "IPv4 Address <> IPv6 address <3deb:3c5e:59d0:53ad:1115:d3d7:58da:47d6> assigned to session" + }, + "action": { + "target": "network-traffic" + }, + "observer": { + "vendor": "Cisco" + }, + "related": { + "ip": [ + "3deb:3c5e:59d0:53ad:1115:d3d7:58da:47d6", + "4.3.2.1" + ], + "user": [ + "MyUser" + ] + }, + "source": { + "address": "3deb:3c5e:59d0:53ad:1115:d3d7:58da:47d6", + "ip": "3deb:3c5e:59d0:53ad:1115:d3d7:58da:47d6", + "nat": { + "ip": "4.3.2.1" + } + }, + "user": { + "domain": "MyGroup", + "name": "MyUser" + } + } + + ``` + + === "test_group_2.json" ```json @@ -2224,6 +2476,48 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_group_2_2.json" + + ```json + + { + "message": "Group User IP <1.2.3.4> Client Type: Cisco AnyConnect VPN Agent for Windows 4.10.07061", + "event": { + "category": [ + "network" + ], + "kind": "event" + }, + "action": { + "target": "network-traffic" + }, + "cisco": { + "client_type": "Cisco AnyConnect VPN Agent for Windows 4.10.07061" + }, + "observer": { + "vendor": "Cisco" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "MyUsser" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "domain": "MyGroup", + "name": "MyUsser" + } + } + + ``` + + === "test_group_3.json" ```json @@ -2274,7 +2568,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event" + "kind": "event", + "reason": "Task ran for 109 msec" }, "action": { "target": "network-traffic" @@ -2284,13 +2579,17 @@ Find below few samples of events and how they are normalized by Sekoia.io. "event": { "duration": "109" } + }, + "process": { + "call_stack": "0x000000aaabb34820 0x000000aaabb2429c 0x000000aaabb24218", + "instruction_pointer": "ade9333c" } }, - "host": { - "name": "ade9333c" - }, "observer": { "vendor": "Cisco" + }, + "process": { + "name": "aaa_shim_thread" } } @@ -2307,7 +2606,8 @@ Find below few samples of events and how they are normalized by Sekoia.io. "category": [ "network" ], - "kind": "event" + "kind": "event", + "reason": "No IPv6 address available for SVC connection" }, "action": { "target": "network-traffic" @@ -2323,6 +2623,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "JD34242243" ] }, + "rule": { + "name": "MYGROUP" + }, "source": { "address": "1.2.3.4", "ip": "1.2.3.4" @@ -2336,6 +2639,135 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_group_6_2.json" + + ```json + + { + "message": "Group User IP <1.2.3.4> AnyConnect session lost connection. Waiting to resume.", + "event": { + "category": [ + "network" + ], + "kind": "event", + "reason": "AnyConnect session lost connection. Waiting to resume." + }, + "action": { + "name": "anyconnect session lost connection", + "target": "network-traffic" + }, + "observer": { + "vendor": "Cisco" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "MyUser" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "domain": "AnyConnect-EXAMPLE", + "name": "MyUser" + } + } + + ``` + + +=== "test_group_7.json" + + ```json + + { + "message": "TunnelGroup GroupPolicy User IP <4.3.2.1> No IPv6 address available for SVC connection", + "event": { + "category": [ + "network" + ], + "kind": "event", + "reason": "No IPv6 address available for SVC connection" + }, + "action": { + "target": "network-traffic" + }, + "observer": { + "vendor": "Cisco" + }, + "related": { + "ip": [ + "4.3.2.1" + ], + "user": [ + "MyUser" + ] + }, + "rule": { + "name": "MyGroup" + }, + "source": { + "address": "4.3.2.1", + "ip": "4.3.2.1" + }, + "user": { + "domain": "AnyConnect-EX", + "name": "MyUser" + } + } + + ``` + + +=== "test_group_9.json" + + ```json + + { + "message": "Tunnel group search using certificate maps failed for peer certificate: serial number: 111111111111111111111111, subject name: UID=U11111111,CN=JOHN DOE,OU=Unit,O=URAAA,C=US, issuer_name: CN=Admin,OU=Unit,O=Example,C=US.", + "event": { + "category": [ + "network" + ], + "kind": "event", + "reason": "Tunnel group search using certificate maps failed for peer certificate" + }, + "action": { + "target": "network-traffic" + }, + "observer": { + "vendor": "Cisco" + }, + "related": { + "user": [ + "JOHN DOE" + ] + }, + "tls": { + "client": { + "x509": { + "issuer": { + "distinguished_name": "CN=Admin,OU=Unit,O=Example,C=US" + }, + "serial_number": "111111111111111111111111", + "subject": { + "distinguished_name": "UID=U11111111,CN=JOHN DOE,OU=Unit,O=URAAA,C=US" + } + } + } + }, + "user": { + "name": "JOHN DOE" + } + } + + ``` + + @@ -2347,6 +2779,9 @@ The following table lists the fields that are extracted, normalized under the EC | ---- | ---- | ---------------------------| |`@timestamp` | `date` | Date/time when the event originated. | |`action.target` | `keyword` | The target of the action. This field is mandatory for STIX2 compliance | +|`cisco.ac.rule_action` | `keyword` | Access controle rule action | +|`cisco.client_type` | `keyword` | Client type | +|`cisco.device_id` | `keyword` | Device ID | |`cisco.dns.record_type` | `keyword` | Cisco record type returned for the DNS query | |`cisco.dns.ttl` | `keyword` | Cisco ttl returned for the DNS query | |`cisco.ftd.event.duration` | `keyword` | Cisco FTD event duration | @@ -2355,7 +2790,11 @@ The following table lists the fields that are extracted, normalized under the EC |`cisco.ftd.icmp_code` | `keyword` | The ICMP code used by the session responder. | |`cisco.ftd.icmp_type` | `keyword` | The ICMP type used by the session initiator. | |`cisco.ftd.sha_disposition` | `keyword` | Sha disposition | -|`cisco.ftd.spero_disposition` | `keyword` | The descriptive name for the filelog spero status. | +|`cisco.ftd.spero_disposition` | `keyword` | The descriptive name for the filelog spero status. | +|`cisco.process.call_stack` | `keyword` | Stack trace of the CPU hogging process | +|`cisco.process.instruction_pointer` | `keyword` | Instruction pointer of the CPU hogging process | +|`cisco.url_category` | `keyword` | URL category | +|`cisco.web_application` | `keyword` | Web application | |`destination.bytes` | `long` | Bytes sent from the destination to the source. | |`destination.domain` | `keyword` | The domain name of the destination. | |`destination.ip` | `ip` | IP address of the destination. | @@ -2405,6 +2844,9 @@ The following table lists the fields that are extracted, normalized under the EC |`source.packets` | `long` | Packets sent from the source to the destination. | |`source.port` | `long` | Port of the source. | |`threat.software.name` | `keyword` | Name of the software. | +|`tls.client.x509.issuer.distinguished_name` | `keyword` | Distinguished name (DN) of issuing certificate authority. | +|`tls.client.x509.serial_number` | `keyword` | Unique serial number issued by the certificate authority. | +|`tls.client.x509.subject.distinguished_name` | `keyword` | Distinguished name (DN) of the certificate subject entity. | |`url.original` | `wildcard` | Unmodified original url as seen in the event source. | |`url.path` | `wildcard` | Path of the request, such as "/search". | |`url.scheme` | `keyword` | Scheme of the url. | diff --git a/_shared_content/operations_center/integrations/generated/6dbdd199-77ae-4705-a5de-5c2722fa020e.md b/_shared_content/operations_center/integrations/generated/6dbdd199-77ae-4705-a5de-5c2722fa020e.md index 4b2883cda0..ef170cc856 100644 --- a/_shared_content/operations_center/integrations/generated/6dbdd199-77ae-4705-a5de-5c2722fa020e.md +++ b/_shared_content/operations_center/integrations/generated/6dbdd199-77ae-4705-a5de-5c2722fa020e.md @@ -180,7 +180,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "provider": "Bot Mitigation", "type": [ "indicator" - ] + ], + "action": "block", + "severity": 5 + }, + "observer": { + "name": "waf01.example.org", + "product": "Ubika WAAP", + "vendor": "Ubika" }, "@timestamp": "2023-06-29T04:19:05.678000Z", "destination": { @@ -196,11 +203,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "method": "GET" } }, - "observer": { - "name": "waf01.example.org", - "product": "Ubika WAAP", - "vendor": "Ubika" - }, "related": { "hosts": [ "monespacetest.com" @@ -230,6 +232,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "workflow": { "name": "Workflow - NEC PROD v10 - with Bot Migitation and Rate Limiter", "uuid": "f00058d7c75c34e123456789987654" + }, + "tokens": { + "risk": { + "level": "27" + } } } }, @@ -274,7 +281,14 @@ Find below few samples of events and how they are normalized by Sekoia.io. "provider": "Bot Mitigation", "type": [ "indicator" - ] + ], + "action": "block", + "severity": 5 + }, + "observer": { + "name": "waf01.example.org", + "product": "Ubika WAAP", + "vendor": "Ubika" }, "@timestamp": "2019-10-04T08:03:19.762000Z", "destination": { @@ -290,11 +304,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "method": "GET" } }, - "observer": { - "name": "waf01.example.org", - "product": "Ubika WAAP", - "vendor": "Ubika" - }, "related": { "hosts": [ "example.org" @@ -325,6 +334,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "workflow": { "name": "WF - Bot Mitigation", "uuid": "8c73e669cea1a99016ccacb21eccfa69" + }, + "tokens": { + "risk": { + "level": "27" + } } } }, @@ -368,7 +382,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "provider": "ICX Engine", "type": [ "indicator" - ] + ], + "action": "block", + "severity": 5 + }, + "observer": { + "product": "Ubika WAAP", + "vendor": "Ubika" }, "@timestamp": "2018-05-25T09:43:30.891000Z", "destination": { @@ -384,10 +404,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "method": "GET" } }, - "observer": { - "product": "Ubika WAAP", - "vendor": "Ubika" - }, "related": { "hosts": [ "example.org" @@ -420,6 +436,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "workflow": { "name": "WF - All logs", "uuid": "x256f94d50d6d66f9732e0ab8532d154" + }, + "tokens": { + "risk": { + "level": "80" + } } } }, @@ -464,7 +485,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "provider": "ICX Engine", "type": [ "indicator" - ] + ], + "action": "block", + "severity": 5 + }, + "observer": { + "product": "Ubika WAAP", + "vendor": "Ubika" }, "@timestamp": "2018-05-25T09:43:30.891000Z", "destination": { @@ -480,10 +507,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "method": "GET" } }, - "observer": { - "product": "Ubika WAAP", - "vendor": "Ubika" - }, "related": { "hosts": [ "example.org" @@ -516,6 +539,11 @@ Find below few samples of events and how they are normalized by Sekoia.io. "workflow": { "name": "WF - All logs", "uuid": "x256f94d50d6d66f9732e0ab8532d154" + }, + "tokens": { + "risk": { + "level": "80" + } } } }, @@ -559,7 +587,13 @@ Find below few samples of events and how they are normalized by Sekoia.io. "module": "ubika.waf", "type": [ "indicator" - ] + ], + "action": "block" + }, + "observer": { + "vendor": "Ubika", + "name": "waf01.example.org", + "product": "Ubika WAAP" }, "@timestamp": "2019-10-04T08:58:21.178000Z", "host": { @@ -571,11 +605,6 @@ Find below few samples of events and how they are normalized by Sekoia.io. "referrer": "http://example.org/auth/login" } }, - "observer": { - "name": "waf01.example.org", - "product": "Ubika WAAP", - "vendor": "Ubika" - }, "related": { "hosts": [ "example.org" @@ -635,11 +664,13 @@ The following table lists the fields that are extracted, normalized under the EC |`@timestamp` | `date` | Date/time when the event originated. | |`destination.ip` | `ip` | IP address of the destination. | |`destination.port` | `long` | Port of the destination. | +|`event.action` | `keyword` | The action captured by the event. | |`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | |`event.dataset` | `keyword` | Name of the dataset. | |`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | |`event.module` | `keyword` | Name of the module this data is coming from. | |`event.provider` | `keyword` | Source of the event. | +|`event.severity` | `long` | Numeric severity of the event. | |`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | |`host.name` | `keyword` | Name of the host. | |`http.request.method` | `keyword` | HTTP request method. | @@ -654,6 +685,7 @@ The following table lists the fields that are extracted, normalized under the EC |`rule.name` | `keyword` | Rule name | |`source.ip` | `ip` | IP address of the source. | |`threat.indicator.type` | `keyword` | Type of indicator | +|`ubika.waap.tokens.risk.level` | `keyword` | Risk score | |`ubika.waap.tunnel.name` | `keyword` | Tunnel name | |`ubika.waap.tunnel.uuid` | `keyword` | Tunnel UID | |`ubika.waap.workflow.name` | `keyword` | Workflow name |