Merge pull request #1520 from SEKOIA-IO/update-intake-documentation
Refresh intakes documentation
otetard authored Jan 5, 2024
2 parents 73142b0 + ae59ada commit 63f97cf
Showing 2 changed files with 271 additions and 2 deletions.
Expand Up @@ -465,7 +465,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"name": "userdest"
}
},
"host": {
"name": "FWPA01"
},
"log": {
"hostname": "FWPA01",
"logger": "traffic"
},
"network": {
Expand Down Expand Up @@ -494,7 +498,8 @@ Find below few samples of events and how they are normalized by Sekoia.io.
]
},
"rule": {
"name": "GEN_WINLOG_Users"
"name": "GEN_WINLOG_Users",
"uuid": "5e7eca5b-f585-4633-bbd4-9ed431f7f95b"
},
"source": {
"address": "1.2.3.4",
Expand Down Expand Up @@ -556,7 +561,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"name": "destuser"
}
},
"host": {
"name": "FWPA01"
},
"log": {
"hostname": "FWPA01",
"logger": "traffic"
},
"network": {
Expand Down Expand Up @@ -585,7 +594,8 @@ Find below few samples of events and how they are normalized by Sekoia.io.
]
},
"rule": {
"name": "GEN_WINLOG_Users"
"name": "GEN_WINLOG_Users",
"uuid": "5e7eca5b-f585-4633-bbd4-9ed431f7f95b"
},
"source": {
"address": "1.2.3.4",
Expand Down Expand Up @@ -941,7 +951,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"packets": 0,
"port": 0
},
"host": {
"name": "PA"
},
"log": {
"hostname": "PA",
"logger": "traffic"
},
"network": {
Expand Down Expand Up @@ -1236,7 +1250,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"packets": 1,
"port": 80
},
"host": {
"name": "PP"
},
"log": {
"hostname": "PP",
"logger": "traffic"
},
"network": {
Expand Down Expand Up @@ -3312,6 +3330,89 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```


=== "traffic_with_resotimestamp.json"

```json

{
"message": "1,2024/01/03 13:15:29,026701002040,TRAFFIC,end,2816,2024/01/03 13:15:29,1.2.3.4,5.6.7.8,0.0.0.0,0.0.0.0,MyRule,,,ssl,vsys1,Z_DMZ_PROXY,Z_INTERCO_WAN,ethernet1/22.301,ethernet1/3.104,Log Profile,2024/01/03 13:15:29,219781,1,60975,443,0,0,0x41c,tcp,allow,5773,758,5015,14,2024/01/03 13:15:14,0,not-resolved,,7312415129244589397,0x0,10.0.0.0-10.255.255.255,United States,,7,7,tcp-fin,0,0,0,0,,PA2314-CD,from-policy,,,0,,0,,N/A,0,0,0,0,0bbe5a53-f498-4cc2-a170-ced134f4824c,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2024-01-03T13:15:30.547+01:00,,,encrypted-tunnel,networking,browser-based,4,\\\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\\\",,ssl,no,no,0,NonProxyTraffic,",
"event": {
"category": [
"network"
],
"dataset": "traffic",
"duration": 0,
"kind": "event",
"outcome": "success",
"type": [
"end"
]
},
"@timestamp": "2024-01-03T12:15:30.547000Z",
"action": {
"name": "allow",
"outcome": "success",
"type": "end"
},
"destination": {
"address": "5.6.7.8",
"bytes": 5015,
"ip": "5.6.7.8",
"nat": {
"ip": "0.0.0.0",
"port": 0
},
"packets": 7,
"port": 443
},
"host": {
"name": "PA2314-CD"
},
"log": {
"hostname": "PA2314-CD",
"logger": "traffic"
},
"network": {
"application": "ssl",
"bytes": 5773,
"packets": 14,
"transport": "tcp"
},
"observer": {
"product": "PAN-OS",
"serial_number": "026701002040"
},
"paloalto": {
"Threat_ContentType": "end",
"VirtualLocation": "vsys1"
},
"related": {
"ip": [
"0.0.0.0",
"1.2.3.4",
"5.6.7.8"
]
},
"rule": {
"name": "MyRule",
"uuid": "0bbe5a53-f498-4cc2-a170-ced134f4824c"
},
"source": {
"address": "1.2.3.4",
"bytes": 758,
"ip": "1.2.3.4",
"nat": {
"ip": "0.0.0.0",
"port": 0
},
"packets": 7,
"port": 60975
}
}
```


=== "udp_deny_csv.json"

```json
Expand Down Expand Up @@ -3347,7 +3448,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"packets": 0,
"port": 53
},
"host": {
"name": "PA-1"
},
"log": {
"hostname": "PA-1",
"logger": "traffic"
},
"network": {
Expand Up @@ -115,6 +115,100 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```


=== "ad_1.json"

```json

{
"message": "{\"CreationTime\":\"2023-08-22T13:51:38\",\"Id\":\"3e4f9ff8\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"12b674a1\",\"RecordType\":15,\"ResultStatus\":\"Success\",\"UserKey\":\"5bd75e5d\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\",\"ClientIP\":\"1.2.3.4\",\"ObjectId\":\"16aeb910\",\"UserId\":\"[email protected]\",\"AzureActiveDirectoryEventType\":1,\"ExtendedProperties\":[{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Token\"}],\"ModifiedProperties\":[],\"Actor\":[{\"ID\":\"5bd75e5d\",\"Type\":0},{\"ID\":\"[email protected]\",\"Type\":5}],\"ActorContextId\":\"12b674a1\",\"ActorIpAddress\":\"1.2.3.4\",\"InterSystemsId\":\"d8254b84\",\"IntraSystemId\":\"3e4f9ff8\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"16aeb910\",\"Type\":0}],\"TargetContextId\":\"12b674a1\",\"ApplicationId\":\"1b3c667f\",\"DeviceProperties\":[{\"Name\":\"OS\",\"Value\":\"Windows10\"},{\"Name\":\"BrowserType\",\"Value\":\"Edge\"},{\"Name\":\"IsCompliantAndManaged\",\"Value\":\"False\"},{\"Name\":\"SessionId\",\"Value\":\"8e2cdebf\"}],\"ErrorNumber\":\"0\"}",
"event": {
"action": "UserLoggedIn",
"category": [
"authentication"
],
"code": "15",
"kind": "event",
"outcome": "success",
"type": [
"start"
]
},
"@timestamp": "2023-08-22T13:51:38Z",
"action": {
"id": 15,
"name": "UserLoggedIn",
"outcome": "success",
"target": "network-traffic"
},
"host": {
"os": {
"full": "Windows10"
}
},
"office365": {
"audit": {
"object_id": "16aeb910"
},
"auth": {
"request_type": "OAuth2:Token",
"result_status_detail": "Success"
},
"context": {
"aad_session_id": "8e2cdebf",
"correlation": {
"id": "d8254b84"
}
},
"device": {
"browser_type": "Edge",
"is_compliant_and_managed": false
},
"error_number": 0,
"record_type": 15,
"result_status": "Success",
"user_type": {
"code": 0,
"name": "Regular"
}
},
"organization": {
"id": "12b674a1"
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"[email protected]"
]
},
"service": {
"name": "AzureActiveDirectory"
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"user": {
"email": "[email protected]",
"id": "5bd75e5d",
"name": "[email protected]"
},
"user_agent": {
"device": {
"name": "Other"
},
"name": "Other",
"original": "Mozilla/5.0",
"os": {
"name": "Other"
}
}
}
```


=== "automated_investigation_and_response.json"

```json
Expand Down Expand Up @@ -1800,6 +1894,73 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```


=== "power_bi.json"

```json

{
"message": "{\"Id\":\"bb6e6d49\",\"RecordType\":20,\"CreationTime\":\"2023-08-22T13:51:33\",\"Operation\":\"ViewReport\",\"OrganizationId\":\"12b674a1\",\"UserType\":0,\"UserKey\":\"1003200\",\"Workload\":\"PowerBI\",\"UserId\":\"[email protected]\",\"ClientIP\":\"1.2.3.4\",\"UserAgent\":\"Mozilla/5.0\",\"Activity\":\"ViewReport\",\"ItemName\":\"Tdb_TI\",\"WorkSpaceName\":\"Tableau de Bord Strat\u00e9gique\",\"DatasetName\":\"Tdb_TI\",\"ReportName\":\"Tdb_TI\",\"CapacityId\":\"5A456BD6\",\"CapacityName\":\"P1_ACOSS\",\"WorkspaceId\":\"08d52dac\",\"AppName\":\"Tableaux de bord de pilotage\",\"ObjectId\":\"Tdb_TI\",\"DatasetId\":\"6f39a3c3\",\"ReportId\":\"213eb6fe\",\"ArtifactId\":\"213eb6fe\",\"ArtifactName\":\"Tdb_TI\",\"IsSuccess\":true,\"ReportType\":\"PowerBIReport\",\"RequestId\":\"94fea00c\",\"ActivityId\":\"147a0db5\",\"AppReportId\":\"fe6a9f80\",\"DistributionMethod\":\"Apps\",\"ConsumptionMethod\":\"Power BI Web\",\"AppId\":\"187ea3f4\",\"ArtifactKind\":\"Report\",\"RefreshEnforcementPolicy\":0}",
"event": {
"action": "ViewReport",
"code": "20",
"kind": "event",
"outcome": "success"
},
"@timestamp": "2023-08-22T13:51:33Z",
"action": {
"id": 20,
"name": "ViewReport",
"outcome": "success",
"target": "user"
},
"office365": {
"audit": {
"object_id": "Tdb_TI"
},
"record_type": 20,
"user_type": {
"code": 0,
"name": "Regular"
}
},
"organization": {
"id": "12b674a1"
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"[email protected]"
]
},
"service": {
"name": "PowerBI"
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"user": {
"email": "[email protected]",
"id": "1003200",
"name": "[email protected]"
},
"user_agent": {
"device": {
"name": "Other"
},
"name": "Other",
"original": "Mozilla/5.0",
"os": {
"name": "Other"
}
}
}
```


=== "security_compliance_alert.json"

```json
Expand Down Expand Up @@ -2432,6 +2593,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
}
},
"device": {
"browser_type": "Firefox",
"id": "77f6d9ce-da8f-46bf-a651-4bec3c189770",
"is_compliant": true,
"is_compliant_and_managed": true,
Expand Down Expand Up @@ -2531,6 +2693,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
}
},
"device": {
"browser_type": "Firefox",
"is_compliant_and_managed": false
},
"error_number": 500121,
Expand Down Expand Up @@ -2653,6 +2816,7 @@ The following table lists the fields that are extracted, normalized under the EC
|`office365.defender.email.verdict.reason` | `keyword` | The verdict about the messahe |
|`office365.defender.malware_family` | `keyword` | |
|`office365.defender.system_overrides` | `array` | Overrides that are applicable to the email |
|`office365.device.browser_type` | `keyword` | |
|`office365.device.id` | `keyword` | |
|`office365.device.is_compliant` | `boolean` | |
|`office365.device.is_compliant_and_managed` | `boolean` | |
