Merge pull request #1654 from SEKOIA-IO/update-intake-documentation

Refresh intakes documentation
SEKOIA-IO · Feb 28, 2024 · 5f0d5ba · 5f0d5ba
2 parents caa6cb0 + 108d37e
commit 5f0d5ba
Show file tree

Hide file tree

Showing 6 changed files with 1,212 additions and 1 deletion.
diff --git a/...perations_center/integrations/generated/2886cd2d-f686-4e7d-9976-250cba2eaf5b.md b/...perations_center/integrations/generated/2886cd2d-f686-4e7d-9976-250cba2eaf5b.md
@@ -0,0 +1,152 @@
+
+## Event Categories
+
+
+The following table lists the data source offered by this integration.
+
+| Data Source | Description                          |
+| ----------- | ------------------------------------ |
+| `Web logs` | collect network activities from source |
+
+
+
+
+
+In details, the following table denotes the type of events produced by this integration.
+
+| Name | Values |
+| ---- | ------ |
+| Kind | `event` |
+| Category | `web` |
+| Type | `access` |
+
+
+
+
+## Event Samples
+
+Find below few samples of events and how they are normalized by Sekoia.io.
+
+
+=== "test_event.json"
+
+    ```json
+
+    {
+        "message": "2024-01-12T09:46:02PROXY01.EXAMPLE.ORG bluecoat - access_log - c-ip=1.2.3.4 rs-Content-Type=\"-\"  cs-auth-groups=- cs-bytes=63 cs-categories=\"none\" cs-host=example.org cs-ip=3.4.5.6 cs-method=CONNECT cs-uri-port=443 cs-uri-scheme=tcp cs-user-agent=\"-\" cs-username=- dnslookup-time=1 duration=0 rs-status=0 rs-version=- s-action=TCP_ACCELERATED s-ip=5.6.7.8 service.name=\"Explicit HTTP\" service.group=\"Standard\" s-supplier-ip=- s-supplier-name=- sc-bytes=39 sc-filter-result=OBSERVED sc-status=200 time-taken=17 x-exception-id=- x-virus-id=- c-url=\"tcp://example.org:443/\" cs-Referer=\"-\" c-cpu=- connect-time=- cs-auth-groups=- cs-headerlength=63 cs-threat-risk=4 r-ip=- r-supplier-ip=- rs-time-taken=- rs-server=- s-connect-type=Unknown s-icap-status=ICAP_NO_MODIFICATION s-sitename=http.proxy s-source-port=0 s-supplier-country=\"None\" sc-Content-Encoding=- sr-Accept-Encoding=identity x-auth-credential-type=- x-cookie-date=Fri,%2012-Jan-24%2009:46:02%20GMT x-cs-certificate-subject=- x-cs-connection-negotiated-cipher=none x-cs-connection-negotiated-cipher-size=- x-cs-connection-negotiated-ssl-version=- x-cs-ocsp-error=- x-cs-Referer-uri=- x-cs-Referer-uri-address=- x-cs-Referer-uri-extension=- x-cs-Referer-uri-host=- x-cs-Referer-uri-hostname=- x-cs-Referer-uri-path=- x-cs-Referer-uri-pathquery=- x-cs-Referer-uri-port=- x-cs-Referer-uri-query=- x-cs-Referer-uri-scheme=- x-cs-Referer-uri-stem=- x-exception-category=- x-exception-category-review-message=- x-exception-company-name=- x-exception-contact=- x-exception-details=- x-exception-header=- x-exception-help=- x-exception-last-error=- x-exception-reason=\"-\" x-exception-sourcefile=- x-exception-sourceline=0 x-exception-summary=- x-icap-error-code=none x-rs-certificate-hostname=- x-rs-certificate-hostname-category=- x-rs-certificate-observed-errors=- x-rs-certificate-subject=- x-rs-certificate-validate-status=- x-rs-connection-negotiated-cipher=none x-rs-connection-negotiated-cipher-size=- x-rs-connection-negotiated-ssl-version=- x-rs-ocsp-error=- cs-uri-extension=- cs-uri-path=/ cs-uri-query=\"-\" c-uri-pathquery=/",
+        "event": {
+            "action": "TCP_ACCELERATED",
+            "category": [
+                "web"
+            ],
+            "dataset": "access_log",
+            "duration": 17000000,
+            "kind": "event",
+            "type": [
+                "access"
+            ]
+        },
+        "broadcom": {
+            "categories": [
+                "none"
+            ],
+            "threat_risk": {
+                "lvl": "4"
+            }
+        },
+        "client": {
+            "address": "1.2.3.4",
+            "bytes": 63,
+            "ip": "1.2.3.4"
+        },
+        "http": {
+            "request": {
+                "method": "CONNECT"
+            },
+            "response": {
+                "status_code": 200
+            }
+        },
+        "observer": {
+            "name": "PROXY01.EXAMPLE.ORG",
+            "product": "Edge Secure Web Gateway",
+            "type": "proxy",
+            "vendor": "Broadcom"
+        },
+        "related": {
+            "hosts": [
+                "example.org"
+            ],
+            "ip": [
+                "1.2.3.4",
+                "5.6.7.8"
+            ]
+        },
+        "server": {
+            "bytes": 39,
+            "ip": "5.6.7.8"
+        },
+        "url": {
+            "domain": "example.org",
+            "path": "/",
+            "port": 443,
+            "registered_domain": "example.org",
+            "scheme": "tcp",
+            "top_level_domain": "org"
+        }
+    }
+    	
+	```
+
+
+
+
+
+## Extracted Fields
+
+The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
+
+| Name | Type | Description                |
+| ---- | ---- | ---------------------------|
+|`@timestamp` | `date` | Date/time when the event originated. |
+|`broadcom.categories` | `array` |  |
+|`broadcom.data_leak_detected` | `keyword` | Broadcom data leak detected |
+|`broadcom.file_reputation_score` | `keyword` | Broadcom file reputation score |
+|`broadcom.threat_risk.certificate_hostname` | `keyword` | Broadcom threat risk certificate hostname |
+|`broadcom.threat_risk.dns_lvl` | `keyword` | Broadcom threat risk dns lvl |
+|`broadcom.threat_risk.lvl` | `keyword` | Broadcom threat risk lvl |
+|`broadcom.virus_id` | `keyword` | Broadcom virus id |
+|`client.bytes` | `long` | Bytes sent from the client to the server. |
+|`client.ip` | `ip` | IP address of the client. |
+|`client.user.name` | `keyword` | Short name or login of the user. |
+|`dns.answers` | `object` | Array of DNS answers. |
+|`dns.op_code` | `keyword` | The DNS operation code that specifies the kind of query in the message. |
+|`dns.question.class` | `keyword` | The class of records being queried. |
+|`dns.question.name` | `keyword` | The name being queried. |
+|`dns.question.type` | `keyword` | The type of record being queried. |
+|`event.action` | `keyword` | The action captured by the event. |
+|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
+|`event.dataset` | `keyword` | Name of the dataset. |
+|`event.duration` | `long` | Duration of the event in nanoseconds. |
+|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
+|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
+|`host.os.full` | `keyword` | Operating system name, including the version or code name. |
+|`http.request.method` | `keyword` | HTTP request method. |
+|`http.request.referrer` | `keyword` | Referrer for this HTTP request. |
+|`http.response.mime_type` | `keyword` | Mime type of the body of the response. |
+|`http.response.status_code` | `long` | HTTP response status code. |
+|`observer.name` | `keyword` | Custom name of the observer. |
+|`observer.product` | `keyword` | The product name of the observer. |
+|`observer.type` | `keyword` | The type of the observer the data is coming from. |
+|`observer.vendor` | `keyword` | Vendor name of the observer. |
+|`server.bytes` | `long` | Bytes sent from the server to the client. |
+|`server.ip` | `ip` | IP address of the server. |
+|`tls.server.x509.alternative_names` | `keyword` | List of subject alternative names (SAN). |
+|`url.domain` | `keyword` | Domain of the url. |
+|`url.original` | `wildcard` | Unmodified original url as seen in the event source. |
+|`url.path` | `wildcard` | Path of the request, such as "/search". |
+|`url.port` | `long` | Port of the request, such as 443. |
+|`url.query` | `keyword` | Query string of the request. |
+|`url.scheme` | `keyword` | Scheme of the url. |
+|`user_agent.original` | `keyword` | Unparsed user_agent string. |
+