Merge pull request #1565 from SEKOIA-IO/update-intake-documentation
Refresh intakes documentation
otetard authored Jan 22, 2024
2 parents 74792b4 + 7f6ad07 commit 6be1759
Showing 2 changed files with 326 additions and 0 deletions.
Expand Up @@ -444,6 +444,126 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```


=== "mobile_detection_summary_1.json"

```json

{
"message": "{\n \"metadata\": {\n \"customerIDString\": \"0123456789ABCDEFGHIJKLMNOPQRSTUV\",\n \"offset\": 701283,\n \"eventType\": \"MobileDetectionSummaryEvent\",\n \"eventCreationTime\": 1649420269000,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"SensorId\": \"85ae98xxxxxxd9a8f2\",\n \"MobileDetectionId\": 1310556238,\n \"ComputerName\": \"CS-SE-EZ64\",\n \"UserName\": \"demo\",\n \"ContextTimeStamp\": 1649061056,\n \"DetectId\": \"0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|1310556238\",\n \"DetectName\": \"AppSideloadDetected\",\n \"DetectDescription\": \"Apps are installed from outside the PlayStore. Trigger based on a System callback when apps are installed or updated.\",\n \"Tactic\": \"Insecure security posture\",\n \"TacticId\": \"CSTA0009\",\n \"Technique\": \"Bad device settings\",\n \"TechniqueId\": \"CST0024\",\n \"Objective\": \"Falcon Detection Method\",\n \"Severity\": 50,\n \"FalconHostLink\": \"https://falcon.crowdstrike.com/mobile/detections/0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|1310556238?_cid=0123456789ABCDEFGHIJKLMNOPQRSTUV\",\n \"MobileAppsDetails\": [\n {\n \"AppIdentifier\": \"com.facebook.katana\",\n \"AndroidAppLabel\": \"Facebook\",\n \"DexFileHashes\": \"abc456xxxxxxxxxxxxxxxxdef789\",\n \"ImageFileName\": \"/data/app/com.facebook.katana-djFExxxxxxxxxrkg==/base.apk\",\n \"AppInstallerInformation\": \"unknown\",\n \"IsBeingDebugged\": false,\n \"AndroidAppVersionName\": \"323.0.0.46.119\",\n \"IsContainerized\": false\n }\n ]\n }\n}",
"event": {
"category": [
"intrusion_detection"
],
"dataset": [
"MobileDetection"
],
"kind": "alert",
"severity": 50,
"type": "info",
"url": "https://falcon.crowdstrike.com/mobile/detections/0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|1310556238?_cid=0123456789ABCDEFGHIJKLMNOPQRSTUV"
},
"@timestamp": "2022-04-08T12:17:49Z",
"agent": {
"id": "85ae98xxxxxxd9a8f2"
},
"crowdstrike": {
"customer_id": "0123456789ABCDEFGHIJKLMNOPQRSTUV",
"detect_description": "Apps are installed from outside the PlayStore. Trigger based on a System callback when apps are installed or updated.",
"detect_id": "0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|1310556238",
"detect_name": "AppSideloadDetected",
"event_objective": "Falcon Detection Method",
"event_type": "MobileDetectionSummaryEvent"
},
"host": {
"name": "CS-SE-EZ64"
},
"observer": {
"product": "Falcon for Mobile",
"vendor": "CrowdStrike"
},
"related": {
"user": [
"demo"
]
},
"threat": {
"tactic": {
"id": "CSTA0009",
"name": "Insecure security posture"
},
"technique": {
"id": "CST0024",
"name": "Bad device settings"
}
},
"user": {
"name": "demo"
}
}
```


=== "mobile_detection_summary_2.json"

```json

{
"message": "{\n \"metadata\": {\n \"customerIDString\": \"0123456789ABCDEFGHIJKLMNOPQRSTUV\",\n \"offset\": 701283,\n \"eventType\": \"MobileDetectionSummaryEvent\",\n \"eventCreationTime\": 1649420269000,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"SensorId\": \"85ae98xxxxxxd9a8f2\",\n \"MobileDetectionId\": 1310556238,\n \"ComputerName\": \"CS-SE-EZ64\",\n \"UserName\": \"demo\",\n \"ContextTimeStamp\": 1649061056,\n \"DetectId\": \"0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|1310556238\",\n \"DetectName\": \"PlayIntegrityAppCheckFailed\",\n \"DetectDescription\": \"The Google Play Integrity application check for Falcon for Mobile failed. The application communicating with the cloud is not legitimate.\",\n \"Tactic\": \"Persistence\",\n \"TacticId\": \"TA0028\",\n \"Technique\": \"Compromise Application Executable\",\n \"TechniqueId\": \"T1577\",\n \"Objective\": \"Keep Access\",\n \"Severity\": 90,\n \"FalconHostLink\": \"https://falcon.crowdstrike.com/mobile/detections/0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|1310556238?_cid=0123456789ABCDEFGHIJKLMNOPQRSTUV\",\n \"VerifiedBootState\": 0,\n \"PlayIntegrityErrorList\": [\n 7,\n 12\n ],\n \"PlayIntegrityMeetsBasicIntegrity\": true,\n \"PlayIntegrityMeetsDeviceIntegrity\": true,\n \"PlayIntegrityMeetsStrongIntegrity\": true,\n \"SourceVendors\": \"CrowdStrike\",\n \"SourceProducts\": \"Falcon for Mobile\",\n \"DataDomains\": \"Endpoint\"\n }\n}",
"event": {
"category": [
"intrusion_detection"
],
"dataset": [
"MobileDetection"
],
"kind": "alert",
"severity": 90,
"type": "info",
"url": "https://falcon.crowdstrike.com/mobile/detections/0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|1310556238?_cid=0123456789ABCDEFGHIJKLMNOPQRSTUV"
},
"@timestamp": "2022-04-08T12:17:49Z",
"agent": {
"id": "85ae98xxxxxxd9a8f2"
},
"crowdstrike": {
"customer_id": "0123456789ABCDEFGHIJKLMNOPQRSTUV",
"detect_description": "The Google Play Integrity application check for Falcon for Mobile failed. The application communicating with the cloud is not legitimate.",
"detect_id": "0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|1310556238",
"detect_name": "PlayIntegrityAppCheckFailed",
"event_objective": "Keep Access",
"event_type": "MobileDetectionSummaryEvent"
},
"host": {
"name": "CS-SE-EZ64"
},
"observer": {
"product": "Falcon for Mobile",
"vendor": "CrowdStrike"
},
"related": {
"user": [
"demo"
]
},
"threat": {
"tactic": {
"id": "TA0028",
"name": "Persistence"
},
"technique": {
"id": "T1577",
"name": "Compromise Application Executable"
}
},
"user": {
"name": "demo"
}
}
```


=== "module_event.json"

```json
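Review bot: The two mobile detection samples drop exactly the fields an analyst would pivot on, so the mapping (or the prose) should say whether that is intended: in mobile_detection_summary_1.json the MobileAppsDetails entry (AppIdentifier "com.facebook.katana", DexFileHashes, ImageFileName, AndroidAppVersionName, IsBeingDebugged) is absent from the normalized event, and in mobile_detection_summary_2.json the same is true of VerifiedBootState, PlayIntegrityErrorList and the three PlayIntegrityMeets* flags; consider surfacing them under `crowdstrike.*` (or ECS `file.hash.*` / `package.name` for the app fields). Also, `@timestamp` (2022-04-08T12:17:49Z) is taken from `metadata.eventCreationTime` (1649420269000) rather than from `event.ContextTimeStamp` (1649061056, about four days earlier); if that is deliberate the doc should state which time the field reflects, otherwise `ContextTimeStamp` is the detection time and `eventCreationTime` belongs in `event.created`. Minor: both samples carry the same DetectId, SensorId, offset and FalconHostLink, so the second reads as a copy of the first with only the detection fields swapped.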
Expand Down Expand Up @@ -787,6 +907,7 @@ The following table lists the fields that are extracted, normalized under the EC
|`crowdstrike.detect_name` | `keyword` | Name of the identity-based detection |
|`crowdstrike.edge.subject_id` | `keyword` | The identifier of a parent vertex in the graph exploration |
|`crowdstrike.edge.type` | `keyword` | The type of relationship with the subject |
|`crowdstrike.event_objective` | `keyword` | Objective of the event |
|`crowdstrike.event_type` | `keyword` | Type of the event |
|`crowdstrike.host_groups` | `keyword` | The ids of groups the host belongs to |
|`crowdstrike.host_id` | `keyword` | The crowdstrike identifier of the host |
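Review bot: `crowdstrike.event_objective` is documented only as "Objective of the event"; the samples show it carries CrowdStrike's Objective label for the detection ("Keep Access", "Falcon Detection Method"), so the description should say so. In the same table, `crowdstrike.detect_name` is still described as "Name of the identity-based detection" although the new mobile samples populate it with AppSideloadDetected and PlayIntegrityAppCheckFailed, so that description is now too narrow.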
Expand All @@ -809,6 +930,7 @@ The following table lists the fields that are extracted, normalized under the EC
|`destination.port` | `long` | Port of the destination. |
|`event.action` | `keyword` | The action captured by the event. |
|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
|`event.dataset` | `keyword` | Name of the dataset. |
|`event.end` | `date` | event.end contains the date when the event ended or when the activity was last observed. |
|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
|`event.reason` | `keyword` | Reason why this event happened, according to the source |
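Review bot: `event.dataset` is documented as a plain `keyword`, but the samples emit it as a list (["MobileDetection"]) with a CamelCase value, whereas ECS defines event.dataset as a single lowercase `<module>.<dataset>` string (something like `crowdstrike.mobile_detection`); either document the multi-valued form and the set of values emitted, or align the mapping, since detection rules keyed on `event.dataset` will depend on which one it is.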
Expand All @@ -825,6 +947,9 @@ The following table lists the fields that are extracted, normalized under the EC
|`host.ip` | `ip` | Host ip addresses. |
|`host.mac` | `keyword` | Host MAC addresses. |
|`host.name` | `keyword` | Name of the host. |
|`network.application` | `keyword` | Application level protocol name. |
|`observer.product` | `keyword` | The product name of the observer. |
|`observer.vendor` | `keyword` | Vendor name of the observer. |
|`process.command_line` | `wildcard` | Full command line that started the process. |
|`process.end` | `date` | The time the process ended. |
|`process.executable` | `keyword` | Absolute path to the process executable. |
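Review bot: `observer.product` and `observer.vendor` are described as the observer's name, but in mobile_detection_summary_1.json the raw message has no SourceProducts/SourceVendors and the output still carries "Falcon for Mobile"/"CrowdStrike", so the values are assigned by the parser per event type rather than read from the event; the description should say that. `network.application` is added in the same hunk with no sample showing it populated; a sample or a note on which events set it would help.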
Expand All @@ -848,7 +973,9 @@ The following table lists the fields that are extracted, normalized under the EC
|`threat.indicator.description` | `keyword` | Indicator description |
|`threat.indicator.file.hash.sha256` | `keyword` | SHA256 hash. |
|`threat.indicator.type` | `keyword` | Type of indicator |
|`threat.tactic.id` | `keyword` | Threat tactic id. |
|`threat.tactic.name` | `keyword` | Threat tactic. |
|`threat.technique.id` | `keyword` | Threat technique id. |
|`threat.technique.name` | `keyword` | Threat technique name. |
|`user.domain` | `keyword` | Name of the directory the user is a member of. |
|`user.email` | `keyword` | User email address. |
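Review bot: `threat.tactic.id` and `threat.technique.id` need a note on their value space: mobile_detection_summary_2.json maps MITRE ATT&CK identifiers (TA0028, T1577) into them while mobile_detection_summary_1.json maps CrowdStrike-specific ones (CSTA0009, CST0024) into the same fields, so consumers correlating on ATT&CK IDs have to filter on the prefix; "Threat tactic id." alone hides this.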