diff --git a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md
index d0fe6b7fbf..efd2bd222c 100644
--- a/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md
+++ b/_shared_content/operations_center/integrations/generated/903ec1b8-f206-4ba5-8563-db21da09cafd.md
@@ -465,7 +465,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "name": "userdest"
 }
 },
+ "host": {
+ "name": "FWPA01"
+ },
 "log": {
+ "hostname": "FWPA01",
 "logger": "traffic"
 },
 "network": {
@@ -494,7 +498,8 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 ]
 },
 "rule": {
- "name": "GEN_WINLOG_Users"
+ "name": "GEN_WINLOG_Users",
+ "uuid": "5e7eca5b-f585-4633-bbd4-9ed431f7f95b"
 },
 "source": {
 "address": "1.2.3.4",
@@ -556,7 +561,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "name": "destuser"
 }
 },
+ "host": {
+ "name": "FWPA01"
+ },
 "log": {
+ "hostname": "FWPA01",
 "logger": "traffic"
 },
 "network": {
@@ -585,7 +594,8 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 ]
 },
 "rule": {
- "name": "GEN_WINLOG_Users"
+ "name": "GEN_WINLOG_Users",
+ "uuid": "5e7eca5b-f585-4633-bbd4-9ed431f7f95b"
 },
 "source": {
 "address": "1.2.3.4",
@@ -941,7 +951,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "packets": 0,
 "port": 0
 },
+ "host": {
+ "name": "PA"
+ },
 "log": {
+ "hostname": "PA",
 "logger": "traffic"
 },
 "network": {
@@ -1236,7 +1250,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "packets": 1,
 "port": 80
 },
+ "host": {
+ "name": "PP"
+ },
 "log": {
+ "hostname": "PP",
 "logger": "traffic"
 },
 "network": {
@@ -3312,6 +3330,89 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 ```
+=== "traffic_with_resotimestamp.json"
+
+ ```json
+
+ {
+ "message": "1,2024/01/03 13:15:29,026701002040,TRAFFIC,end,2816,2024/01/03 13:15:29,1.2.3.4,5.6.7.8,0.0.0.0,0.0.0.0,MyRule,,,ssl,vsys1,Z_DMZ_PROXY,Z_INTERCO_WAN,ethernet1/22.301,ethernet1/3.104,Log Profile,2024/01/03 13:15:29,219781,1,60975,443,0,0,0x41c,tcp,allow,5773,758,5015,14,2024/01/03 13:15:14,0,not-resolved,,7312415129244589397,0x0,10.0.0.0-10.255.255.255,United States,,7,7,tcp-fin,0,0,0,0,,PA2314-CD,from-policy,,,0,,0,,N/A,0,0,0,0,0bbe5a53-f498-4cc2-a170-ced134f4824c,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2024-01-03T13:15:30.547+01:00,,,encrypted-tunnel,networking,browser-based,4,\\\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\\\",,ssl,no,no,0,NonProxyTraffic,",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "dataset": "traffic",
+ "duration": 0,
+ "kind": "event",
+ "outcome": "success",
+ "type": [
+ "end"
+ ]
+ },
+ "@timestamp": "2024-01-03T12:15:30.547000Z",
+ "action": {
+ "name": "allow",
+ "outcome": "success",
+ "type": "end"
+ },
+ "destination": {
+ "address": "5.6.7.8",
+ "bytes": 5015,
+ "ip": "5.6.7.8",
+ "nat": {
+ "ip": "0.0.0.0",
+ "port": 0
+ },
+ "packets": 7,
+ "port": 443
+ },
+ "host": {
+ "name": "PA2314-CD"
+ },
+ "log": {
+ "hostname": "PA2314-CD",
+ "logger": "traffic"
+ },
+ "network": {
+ "application": "ssl",
+ "bytes": 5773,
+ "packets": 14,
+ "transport": "tcp"
+ },
+ "observer": {
+ "product": "PAN-OS",
+ "serial_number": "026701002040"
+ },
+ "paloalto": {
+ "Threat_ContentType": "end",
+ "VirtualLocation": "vsys1"
+ },
+ "related": {
+ "ip": [
+ "0.0.0.0",
+ "1.2.3.4",
+ "5.6.7.8"
+ ]
+ },
+ "rule": {
+ "name": "MyRule",
+ "uuid": "0bbe5a53-f498-4cc2-a170-ced134f4824c"
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "bytes": 758,
+ "ip": "1.2.3.4",
+ "nat": {
+ "ip": "0.0.0.0",
+ "port": 0
+ },
+ "packets": 7,
+ "port": 60975
+ }
+ }
+
+ ```
+
+
 === "udp_deny_csv.json"
 ```json
@@ -3347,7 +3448,11 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 "packets": 0,
 "port": 53
 },
+ "host": {
+ "name": "PA-1"
+ },
 "log": {
+ "hostname": "PA-1",
 "logger": "traffic"
 },
 "network": {
diff --git a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md
index a30fbb973e..27ceb3013c 100644
--- a/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md
+++ b/_shared_content/operations_center/integrations/generated/caa13404-9243-493b-943e-9848cadb1f99.md
@@ -115,6 +115,100 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 ```
+=== "ad_1.json"
+
+ ```json
+
+ {
+ "message": "{\"CreationTime\":\"2023-08-22T13:51:38\",\"Id\":\"3e4f9ff8\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"12b674a1\",\"RecordType\":15,\"ResultStatus\":\"Success\",\"UserKey\":\"5bd75e5d\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\",\"ClientIP\":\"1.2.3.4\",\"ObjectId\":\"16aeb910\",\"UserId\":\"jone.doe@user.fr\",\"AzureActiveDirectoryEventType\":1,\"ExtendedProperties\":[{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Token\"}],\"ModifiedProperties\":[],\"Actor\":[{\"ID\":\"5bd75e5d\",\"Type\":0},{\"ID\":\"joe.doe@user.fr\",\"Type\":5}],\"ActorContextId\":\"12b674a1\",\"ActorIpAddress\":\"1.2.3.4\",\"InterSystemsId\":\"d8254b84\",\"IntraSystemId\":\"3e4f9ff8\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"16aeb910\",\"Type\":0}],\"TargetContextId\":\"12b674a1\",\"ApplicationId\":\"1b3c667f\",\"DeviceProperties\":[{\"Name\":\"OS\",\"Value\":\"Windows10\"},{\"Name\":\"BrowserType\",\"Value\":\"Edge\"},{\"Name\":\"IsCompliantAndManaged\",\"Value\":\"False\"},{\"Name\":\"SessionId\",\"Value\":\"8e2cdebf\"}],\"ErrorNumber\":\"0\"}",
+ "event": {
+ "action": "UserLoggedIn",
+ "category": [
+ "authentication"
+ ],
+ "code": "15",
+ "kind": "event",
+ "outcome": "success",
+ "type": [
+ "start"
+ ]
+ },
+ "@timestamp": "2023-08-22T13:51:38Z",
+ "action": {
+ "id": 15,
+ "name": "UserLoggedIn",
+ "outcome": "success",
+ "target": "network-traffic"
+ },
+ "host": {
+ "os": {
+ "full": "Windows10"
+ }
+ },
+ "office365": {
+ "audit": {
+ "object_id": "16aeb910"
+ },
+ "auth": {
+ "request_type": "OAuth2:Token",
+ "result_status_detail": "Success"
+ },
+ "context": {
+ "aad_session_id": "8e2cdebf",
+ "correlation": {
+ "id": "d8254b84"
+ }
+ },
+ "device": {
+ "browser_type": "Edge",
+ "is_compliant_and_managed": false
+ },
+ "error_number": 0,
+ "record_type": 15,
+ "result_status": "Success",
+ "user_type": {
+ "code": 0,
+ "name": "Regular"
+ }
+ },
+ "organization": {
+ "id": "12b674a1"
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4"
+ ],
+ "user": [
+ "jone.doe@user.fr"
+ ]
+ },
+ "service": {
+ "name": "AzureActiveDirectory"
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4"
+ },
+ "user": {
+ "email": "jone.doe@user.fr",
+ "id": "5bd75e5d",
+ "name": "jone.doe@user.fr"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "Other",
+ "original": "Mozilla/5.0",
+ "os": {
+ "name": "Other"
+ }
+ }
+ }
+
+ ```
+
+
 === "automated_investigation_and_response.json"
 ```json
@@ -1800,6 +1894,73 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 ```
+=== "power_bi.json"
+
+ ```json
+
+ {
+ "message": "{\"Id\":\"bb6e6d49\",\"RecordType\":20,\"CreationTime\":\"2023-08-22T13:51:33\",\"Operation\":\"ViewReport\",\"OrganizationId\":\"12b674a1\",\"UserType\":0,\"UserKey\":\"1003200\",\"Workload\":\"PowerBI\",\"UserId\":\"joe.doe@user.fr\",\"ClientIP\":\"1.2.3.4\",\"UserAgent\":\"Mozilla/5.0\",\"Activity\":\"ViewReport\",\"ItemName\":\"Tdb_TI\",\"WorkSpaceName\":\"Tableau de Bord Strat\u00e9gique\",\"DatasetName\":\"Tdb_TI\",\"ReportName\":\"Tdb_TI\",\"CapacityId\":\"5A456BD6\",\"CapacityName\":\"P1_ACOSS\",\"WorkspaceId\":\"08d52dac\",\"AppName\":\"Tableaux de bord de pilotage\",\"ObjectId\":\"Tdb_TI\",\"DatasetId\":\"6f39a3c3\",\"ReportId\":\"213eb6fe\",\"ArtifactId\":\"213eb6fe\",\"ArtifactName\":\"Tdb_TI\",\"IsSuccess\":true,\"ReportType\":\"PowerBIReport\",\"RequestId\":\"94fea00c\",\"ActivityId\":\"147a0db5\",\"AppReportId\":\"fe6a9f80\",\"DistributionMethod\":\"Apps\",\"ConsumptionMethod\":\"Power BI Web\",\"AppId\":\"187ea3f4\",\"ArtifactKind\":\"Report\",\"RefreshEnforcementPolicy\":0}",
+ "event": {
+ "action": "ViewReport",
+ "code": "20",
+ "kind": "event",
+ "outcome": "success"
+ },
+ "@timestamp": "2023-08-22T13:51:33Z",
+ "action": {
+ "id": 20,
+ "name": "ViewReport",
+ "outcome": "success",
+ "target": "user"
+ },
+ "office365": {
+ "audit": {
+ "object_id": "Tdb_TI"
+ },
+ "record_type": 20,
+ "user_type": {
+ "code": 0,
+ "name": "Regular"
+ }
+ },
+ "organization": {
+ "id": "12b674a1"
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4"
+ ],
+ "user": [
+ "joe.doe@user.fr"
+ ]
+ },
+ "service": {
+ "name": "PowerBI"
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4"
+ },
+ "user": {
+ "email": "joe.doe@user.fr",
+ "id": "1003200",
+ "name": "joe.doe@user.fr"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "Other",
+ "original": "Mozilla/5.0",
+ "os": {
+ "name": "Other"
+ }
+ }
+ }
+
+ ```
+
+
 === "security_compliance_alert.json"
 ```json
@@ -2432,6 +2593,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 }
 },
 "device": {
+ "browser_type": "Firefox",
 "id": "77f6d9ce-da8f-46bf-a651-4bec3c189770",
 "is_compliant": true,
 "is_compliant_and_managed": true,
@@ -2531,6 +2693,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
 }
 },
 "device": {
+ "browser_type": "Firefox",
 "is_compliant_and_managed": false
 },
 "error_number": 500121,
@@ -2653,6 +2816,7 @@ The following table lists the fields that are extracted, normalized under the EC
 |`office365.defender.email.verdict.reason` | `keyword` | The verdict about the messahe |
 |`office365.defender.malware_family` | `keyword` | |
 |`office365.defender.system_overrides` | `array` | Overrides that are applicable to the email |
+|`office365.device.browser_type` | `keyword` | |
 |`office365.device.id` | `keyword` | |
 |`office365.device.is_compliant` | `boolean` | |
 |`office365.device.is_compliant_and_managed` | `boolean` | |