Refresh intakes documentation
1 parent 4a2bf32 commit 69cea0f
Showing 3 changed files with 1,822 additions and 9 deletions.
Expand Up @@ -126,6 +126,74 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"darktrace": {
"threat_visualizer": {
"commentCount": 0,
"components": {
"filters": [
{
"trigger_value": "6",
"type": "Internalsourcedevicetype"
},
{
"trigger_value": "out",
"type": "Direction"
},
{
"trigger_value": "application/x-gzip",
"type": "HTTPcontenttype"
},
{
"trigger_value": "100",
"type": "RareexternalIP"
},
{
"trigger_value": "100",
"type": "Raredomain"
},
{
"trigger_value": "false",
"type": "Trustedhostname"
},
{
"trigger_value": "15",
"type": "Taggedinternalsource"
},
{
"trigger_value": "104.18.103.100",
"type": "DestinationIP"
},
{
"trigger_value": "kali.download",
"type": "Connectionhostname"
},
{
"trigger_value": "/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz",
"type": "URI"
},
{
"trigger_value": "200",
"type": "HTTPresponsecode"
},
{
"trigger_value": "60493165",
"type": "Individualsizedown"
},
{
"trigger_value": "679",
"type": "Individualsizeup"
},
{
"trigger_value": "0",
"type": "Dataratio"
},
{
"trigger_value": "43965774",
"type": "Ageofdestination"
},
{
"trigger_value": "AS13335CLOUDFLARENET",
"type": "ASN"
}
]
},
"creationTime": 1687967508000,
"device": {
"firstSeen": 1644001727000,
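Review bot: every `trigger_value` in this `components.filters` sample is a JSON string, including the numeric ones (`"6"`, `"100"`, `"60493165"`) and the boolean-looking `"false"` for `Trustedhostname`, so the field table entry for `components.filters` should state that values are untyped strings; otherwise rule authors will compare them against numbers or booleans. The request path (`/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz`), the hostname (`kali.download`) and the destination IP (`104.18.103.100`) appear only inside the filters in this sample; if the intake does not also populate `url.*` / `destination.ip` from them, one sentence saying that the filters are the only place these land would save readers a search.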
Expand Down Expand Up @@ -233,6 +301,9 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"darktrace": {
"threat_visualizer": {
"commentCount": 0,
"components": {
"filters": []
},
"creationTime": 1687987892000,
"device": {
"firstSeen": 1649669953000,
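Review bot: `"filters": []` shows that `components.filters` can be empty for a breach, which the field description should say explicitly; a detection rule that indexes `filters[0]` or requires a `DestinationIP` entry would silently skip this class of event.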
Expand Down Expand Up @@ -327,6 +398,34 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"darktrace": {
"threat_visualizer": {
"commentCount": 0,
"components": {
"filters": [
{
"trigger_value": "kali.download",
"type": "DNShostlookup"
},
{
"trigger_value": "6",
"type": "Internalsourcedevicetype"
},
{
"trigger_value": "18",
"type": "Taggedinternalsource"
},
{
"trigger_value": "out",
"type": "Direction"
},
{
"trigger_value": "4",
"type": "Taggedinternalsource"
},
{
"trigger_value": "58",
"type": "Taggedinternalsource"
}
]
},
"creationTime": 1688266130000,
"device": {
"firstSeen": 1644001727000,
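Review bot: `Taggedinternalsource` appears three times in this filters array with different values (`"18"`, `"4"`, `"58"`), so `type` is not a unique key and the array cannot be collapsed into a `type -> trigger_value` map without losing entries. Worth stating in the `components.filters` description, and a test that asserts all three entries survive normalization would guard against a parser that deduplicates by `type`.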
Expand Down Expand Up @@ -434,6 +533,46 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"darktrace": {
"threat_visualizer": {
"commentCount": 0,
"components": {
"filters": [
{
"trigger_value": "out",
"type": "Direction"
},
{
"trigger_value": "6",
"type": "Internalsourcedevicetype"
},
{
"trigger_value": "53",
"type": "Destinationport"
},
{
"trigger_value": "192.168.1.2",
"type": "DestinationIP"
},
{
"trigger_value": "amazonlinux-2-repos-eu-west-2.s3.eu-west-2.amazonaws.com",
"type": "Message"
},
{
"trigger_value": "true",
"type": "Watchedendpoint"
},
{
"trigger_value": "100",
"type": "Watchedendpointstrength"
},
{
"trigger_value": "true",
"type": "Internaldestination"
},
{
"trigger_value": "12",
"type": "Internaldestinationdevicetype"
}
]
},
"creationTime": 1687774148000,
"device": {
"firstSeen": 1639068361000,
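Review bot: the queried name (`amazonlinux-2-repos-eu-west-2.s3.eu-west-2.amazonaws.com`) sits under the `Message` filter type here, whereas the previous sample carries the looked-up name under `DNShostlookup`; if the intake derives a DNS or hostname ECS field from the filters, the description should list which filter types feed it, otherwise analysts have to pattern-match on `type` per model. `Destinationport` is again the string `"53"` and `Watchedendpoint` / `Internaldestination` are the strings `"true"`, consistent with the first sample.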
Expand Down Expand Up @@ -531,6 +670,50 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"darktrace": {
"threat_visualizer": {
"commentCount": 0,
"components": {
"filters": [
{
"trigger_value": "ThreatIntel",
"type": "Watchedendpointsource"
},
{
"trigger_value": "4",
"type": "Taggedinternalsource"
},
{
"trigger_value": "7",
"type": "Internalsourcedevicetype"
},
{
"trigger_value": "18",
"type": "Taggedinternalsource"
},
{
"trigger_value": "out",
"type": "Direction"
},
{
"trigger_value": "38123579",
"type": "Ageofdestination"
},
{
"trigger_value": "192.168.1.2",
"type": "DestinationIP"
},
{
"trigger_value": "53",
"type": "Destinationport"
},
{
"trigger_value": "0",
"type": "Rareexternalendpoint"
},
{
"trigger_value": "clients2.google.com",
"type": "Message"
}
]
},
"creationTime": 1687793540000,
"device": {
"firstSeen": 1666276905000,
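Review bot: `Watchedendpointsource: "ThreatIntel"` is the only indication in this sample that the breach came from a threat-intel watchlist rather than from behavioural modelling, and the matched name (`clients2.google.com`) is again only under `Message`. If they are not already mapped, surfacing the watchlist source (for example in `event.reason`, which the field table now lists) and the matched name in an ECS field would let rules distinguish a watched-endpoint hit from the behavioural breaches in the earlier samples without digging into `components.filters`.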
Expand Down Expand Up @@ -574,7 +757,10 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"id": "39",
"ip": [
"192.168.1.3"
]
],
"os": {
"name": "Windows(10.0)"
}
},
"observer": {
"name": "Darktrace",
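Review bot: `host.os.name` is set to `"Windows(10.0)"` here, but the field table describes `host.os.name` as the operating system name without the version. Either strip the parenthesised version in the parser (leaving `Windows`, as the `test_summurizer.json` sample does) or keep the raw string in `host.os.full` and put the version-free name in `host.os.name`, so the two samples agree with the documented semantics.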
Expand Down Expand Up @@ -608,6 +794,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"darktrace": {
"threat_visualizer": {
"commentCount": 0,
"components": {
"filters": [
{
"trigger_value": "80",
"type": "Destinationport"
}
]
},
"creationTime": 1687811713000,
"device": {
"firstSeen": 1649669953000,
Expand Down Expand Up @@ -696,6 +890,18 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"darktrace": {
"threat_visualizer": {
"commentCount": 0,
"components": {
"filters": [
{
"trigger_value": "Probe erebus-pull-mode-vsensor (54.155.33.146) last contact was 50 hours ago",
"type": "Event details"
},
{
"trigger_value": "Probe error",
"type": "System message"
}
]
},
"creationTime": 1700634481000,
"model": {
"then": {
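Review bot: the filter `type` values in this system-event sample contain spaces (`Event details`, `System message`), unlike the single-token types in the device-breach samples, so any rule or mapping that keys on `type` has to handle both spellings. The `Event details` value also embeds the probe name, its IP (`54.155.33.146`) and a relative time (`last contact was 50 hours ago`) in free text; if the probe address is wanted as a field it has to be extracted from that string, and the documentation should say whether the intake does so.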
Expand Down Expand Up @@ -727,6 +933,78 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```


=== "test_summurizer.json"

```json

{
"message": "{\"url\":\"https://darktrace-dt/#actions/000/111\",\"iris-event-type\":\"antigena_state_change\",\"codeuuid\":\"\",\"codeid\":537,\"action_family\":\"NETWORK\",\"action\":\"CREATE_NEEDSCONFIRMATION\",\"username\":\"JDOE\",\"reason\":\"\",\"start\":1702896511,\"end\":1702903711,\"did\":901,\"pbid\":0,\"action_creator\":\"\",\"model\":\"test_model_network\",\"inhibitor\":\"Enforce pattern of life\",\"device\":{\"did\":901,\"macaddress\":\"00:11:22:33:44:55\",\"vendor\":\"test_vendor\",\"ip\":\"1.2.3.4\",\"ips\":[{\"ip\":\"1.2.3.4\",\"timems\":1702893600000,\"time\":\"2023-12-18 10:00:00\",\"sid\":69,\"vlan\":0}],\"sid\":69,\"hostname\":\"test_hostname\",\"firstSeen\":1671027693000,\"lastSeen\":1702896182000,\"os\":\"Windows\",\"typename\":\"desktop\",\"typelabel\":\"Desktop\"}}",
"event": {
"action": "CREATE_NEEDSCONFIRMATION",
"category": "network",
"kind": "event",
"type": [
"info"
]
},
"darktrace": {
"threat_visualizer": {
"device": {
"firstSeen": 1671027693000,
"ip": "1.2.3.4",
"ips": [
{
"ip": "1.2.3.4",
"sid": 69,
"time": "2023-12-18 10:00:00",
"timems": 1702893600000,
"vlan": 0
}
],
"lastSeen": 1702896182000,
"sid": 69,
"typelabel": "Desktop",
"typename": "desktop"
},
"pbid": 0
}
},
"host": {
"hostname": "test_hostname",
"id": "901",
"ip": [
"1.2.3.4"
],
"name": "test_hostname",
"os": {
"name": "Windows"
}
},
"observer": {
"name": "Darktrace",
"product": "Threat visualizer"
},
"related": {
"hosts": [
"test_hostname"
],
"ip": [
"1.2.3.4"
],
"user": [
"JDOE"
]
},
"source": {
"user": {
"name": "JDOE"
}
}
}
```





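Review bot: the fixture name `test_summurizer.json` misspells summarizer; more importantly, the raw message carries `macaddress`, `start` and `end`, yet the normalized output shows no `host.mac`, `event.start` or `event.end`, although `host.mac` and `event.end` are listed in the field table. Either the `antigena_state_change` path does not map them, in which case the table should say which event types populate them, or the sample is stale; asserting on them in the fixture would settle it. The `model` (`test_model_network`) and `inhibitor` (`Enforce pattern of life`) values also vanish from the normalized event and would be useful under `darktrace.threat_visualizer.*` for triaging `CREATE_NEEDSCONFIRMATION` actions.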
Expand All @@ -745,6 +1023,7 @@ The following table lists the fields that are extracted, normalized under the EC
|`darktrace.threat_visualizer.category` | `keyword` | The behavior category associated with the incident event. Relevant for v5.2+ incident construction only. (example value: 'critical') |
|`darktrace.threat_visualizer.children` | `array` | A unique identifier that can be used to request this AI Analyst event. This array will only contain one entry as of v5.2 and above. (example value: '04a3f36e-4u8w-v9dh-x6lb-894778cf9633') |
|`darktrace.threat_visualizer.commentCount` | `number` | The number of comments made against this breach. |
|`darktrace.threat_visualizer.components.filters` | `array` | |
|`darktrace.threat_visualizer.creationTime` | `number` | The timestamp that the record of the breach was created. This is distinct from the time field. |
|`darktrace.threat_visualizer.currentGroup` | `keyword` | The UUID of the current incident this event belongs to. Used for v5.2+ incident construction. (example value: 'g04a3f36e-4u8w-v9dh-x6lb-894778cf9633') |
|`darktrace.threat_visualizer.device.firstSeen` | `number` | The first time the device was seen on the network. |
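Review bot: the new `darktrace.threat_visualizer.components.filters` row has an empty description. Based on the samples above, suggest something like: `List of model-component filters that fired for this breach; each entry carries a `type` (filter name, e.g. DestinationIP, Taggedinternalsource) and a string `trigger_value`; the array may be empty and the same `type` may occur several times.`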
Expand Down Expand Up @@ -809,15 +1088,18 @@ The following table lists the fields that are extracted, normalized under the EC
|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
|`event.end` | `date` | event.end contains the date when the event ended or when the activity was last observed. |
|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
|`event.reason` | `keyword` | Reason why this event happened, according to the source |
|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
|`host.hostname` | `keyword` | Hostname of the host. |
|`host.id` | `keyword` | Unique host id. |
|`host.ip` | `ip` | Host ip addresses. |
|`host.mac` | `keyword` | Host MAC addresses. |
|`host.name` | `keyword` | Name of the host. |
|`host.os.name` | `keyword` | Operating system name, without the version. |
|`observer.name` | `keyword` | Custom name of the observer. |
|`observer.product` | `keyword` | The product name of the observer. |
|`service.name` | `keyword` | Name of the service. |
|`source.user.name` | `keyword` | Short name or login of the user. |
|`user.email` | `keyword` | User email address. |
|`user.name` | `keyword` | Short name or login of the user. |
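Review bot: `source.user.name` and `user.name` are both listed with the identical description `Short name or login of the user`, and the `test_summurizer.json` sample populates only `source.user.name` (from `username`); please state which event types fill which field, or fill both, since rules written against `user.name` would miss the antigena state-change events. `event.reason` is added in the same hunk while the only new sample has `"reason":""`; an example value in its description would help readers know what to expect.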
