Refresh intakes documentation
1 parent 6603a56 commit 70ea574
Showing 3 changed files with 358 additions and 16 deletions.
Expand Up @@ -34,7 +34,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```json

{
"message": "09/29/2023:07:40:56 GMT ADC-WEB1 0-PPE-1 : default AAATM Message 1111111111 0 : \"AAA JSON-PARSE: ns_aaa_json_parser_StartElementHandler: NAME_VAL state, multi valued attribute start 'ConnectionId' seen\"",
"message": "09/29/2023:07:40:56 GMT ADC 0-PPE-1 : default AAATM Message 1111111111 0 : \"AAA JSON-PARSE: ns_aaa_json_parser_StartElementHandler: NAME_VAL state, multi valued attribute start 'ConnectionId' seen\"",
"event": {
"category": [
"network"
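Review bot: the commit message "Refresh intakes documentation" does not say why the sample hostname changes from `ADC-WEB1` to `ADC` in this hunk and in the matching `observer.name` hunk that follows; since nothing else in these samples changes, a one-line commit body such as "generalize appliance hostnames in the NetScaler samples" would make the intent of the whole series of hunks reviewable.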
Expand All @@ -49,7 +49,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
},
"@timestamp": "2023-09-29T07:40:56Z",
"observer": {
"name": "ADC-WEB1"
"name": "ADC"
}
}
Expand Down Expand Up @@ -124,7 +124,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```json

{
"message": "2023/07/04:09:03:46 ADC-WEB1 0-PPE-2 : default TCP CONN_TERMINATE 4556618 0 : Source 1.2.3.4:443 - Destination 5.6.7.8:43566 - Start Time 2023/07/04:09:03:46 - End Time 2023/07/04:09:03:46 - Total_bytes_send 473 - Total_bytes_recv 1",
"message": "2023/07/04:09:03:46 ADC 0-PPE-2 : default TCP CONN_TERMINATE 4556618 0 : Source 1.2.3.4:443 - Destination 5.6.7.8:43566 - Start Time 2023/07/04:09:03:46 - End Time 2023/07/04:09:03:46 - Total_bytes_send 473 - Total_bytes_recv 1",
"event": {
"category": [
"network"
Expand All @@ -150,7 +150,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"ip": "5.6.7.8"
},
"observer": {
"name": "ADC-WEB1"
"name": "ADC"
},
"related": {
"ip": [
Expand All @@ -172,7 +172,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```json

{
"message": "2023/07/04:09:03:46 ADC-VPN 0-PPE-0 : default TCP CONN_TERMINATE 19695388 0 : Source 1.2.3.4:5557 - Destination 5.6.7.8:39654 - Start Time 2023/07/04:09:03:01 - End Time 2023/07/04:09:03:46 - Total_bytes_send 1 - Total_bytes_recv 1",
"message": "2023/07/04:09:03:46 ADC 0-PPE-0 : default TCP CONN_TERMINATE 19695388 0 : Source 1.2.3.4:5557 - Destination 5.6.7.8:39654 - Start Time 2023/07/04:09:03:01 - End Time 2023/07/04:09:03:46 - Total_bytes_send 1 - Total_bytes_recv 1",
"event": {
"category": [
"network"
Expand All @@ -198,7 +198,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"ip": "5.6.7.8"
},
"observer": {
"name": "ADC-VPN"
"name": "ADC"
},
"related": {
"ip": [
Expand All @@ -220,7 +220,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```json

{
"message": "2023/07/04:09:03:45 ADC-WEB1 0-PPE-1 : default TCP CONN_DELINK 4356922 0 : Source 1.2.3.4:13788 - Vserver 192.168.152.11:443 - NatIP 4.3.2.1:3198 - Destination 5.6.7.8:443 - Delink Time 2023/07/04:09:03:45 - Total_bytes_send 0 - Total_bytes_recv 762",
"message": "2023/07/04:09:03:45 ADC 0-PPE-1 : default TCP CONN_DELINK 4356922 0 : Source 1.2.3.4:13788 - Vserver 192.168.152.11:443 - NatIP 4.3.2.1:3198 - Destination 5.6.7.8:443 - Delink Time 2023/07/04:09:03:45 - Total_bytes_send 0 - Total_bytes_recv 762",
"event": {
"category": [
"network"
Expand Down Expand Up @@ -250,7 +250,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"ip": "5.6.7.8"
},
"observer": {
"name": "ADC-WEB1"
"name": "ADC"
},
"related": {
"ip": [
Expand Down Expand Up @@ -339,7 +339,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```json

{
"message": "\"2023/07/04:09:03:41 ADC-WEB1 0-PPE-1 : default SNMP TRAP_SENT 0 0 : appfwPolicyHit (appfwLogMsg = \"\"CEF:0|Citrix|NetScaler|NS13.1|APPFW|APPFW_POLI...\"\", nsPartitionName = default)\"",
"message": "\"2023/07/04:09:03:41 ADC 0-PPE-1 : default SNMP TRAP_SENT 0 0 : appfwPolicyHit (appfwLogMsg = \"\"CEF:0|Citrix|NetScaler|NS13.1|APPFW|APPFW_POLI...\"\", nsPartitionName = default)\"",
"event": {
"category": [
"network"
Expand All @@ -354,7 +354,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
},
"@timestamp": "2023-07-04T09:03:41Z",
"observer": {
"name": "ADC-WEB1"
"name": "ADC"
}
}
Expand All @@ -366,7 +366,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```json

{
"message": "\"2023/07/04:09:03:39 ADC-VPN 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 19695351 0 : SPCBId 1265452 - ClientIP 1.2.3.4 - ClientPort 50130 - VserverServiceIP 192.168.152.11 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite \"\"TLS1.2-ECDHE-RSA-AES256-GCM-SHA384\"\" - Session New - HandshakeTime 27 ms\"",
"message": "\"2023/07/04:09:03:39 ADC 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 19695351 0 : SPCBId 1265452 - ClientIP 1.2.3.4 - ClientPort 50130 - VserverServiceIP 192.168.152.11 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite \"\"TLS1.2-ECDHE-RSA-AES256-GCM-SHA384\"\" - Session New - HandshakeTime 27 ms\"",
"event": {
"category": [
"network"
Expand All @@ -388,7 +388,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
}
},
"observer": {
"name": "ADC-VPN"
"name": "ADC"
},
"related": {
"ip": [
Expand All @@ -414,7 +414,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```json

{
"message": "\"2023/07/04:09:03:46 ADC-VPN 0-PPE-0 : default SSLVPN Message 19695397 0 : \"\"SSLVPN Mux Authorize result is Deny, User <vpn17590>, Srcip: 1.2.3.4, Dstip: 5.6.7.8, denied_by_policy: SESSPOL_VPN_Remoteadmin\"\"\"",
"message": "\"2023/07/04:09:03:46 ADC 0-PPE-0 : default SSLVPN Message 19695397 0 : \"\"SSLVPN Mux Authorize result is Deny, User <vpn17590>, Srcip: 1.2.3.4, Dstip: 5.6.7.8, denied_by_policy: SESSPOL_VPN_Remoteadmin\"\"\"",
"event": {
"category": [
"network"
Expand All @@ -437,7 +437,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"ip": "5.6.7.8"
},
"observer": {
"name": "ADC-VPN"
"name": "ADC"
},
"related": {
"ip": [
Expand All @@ -462,7 +462,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```json

{
"message": "\"2023/07/04:09:03:39 ADC-VPN 0-PPE-0 : default SSLVPN NONHTTP_RESOURCEACCESS_DENIED 19695356 0 : Context [email protected] - SessionId: 1286 - User vpn35939 - Client_ip 1.2.3.4 - Nat_ip 4.3.2.1 - Vserver 192.168.152.11:443 - Source 1.2.3.4:50130 - Destination 5.6.7.8:514 - Total_bytes_send 340 - Total_bytes_recv 0 - Denied_by_policy \"\"AUTHZ_DENY\"\" - Group(s) \"\"vpndsin,vpndsin\"\"\"",
"message": "\"2023/07/04:09:03:39 ADC 0-PPE-0 : default SSLVPN NONHTTP_RESOURCEACCESS_DENIED 19695356 0 : Context [email protected] - SessionId: 1286 - User vpn35939 - Client_ip 1.2.3.4 - Nat_ip 4.3.2.1 - Vserver 192.168.152.11:443 - Source 1.2.3.4:50130 - Destination 5.6.7.8:514 - Total_bytes_send 340 - Total_bytes_recv 0 - Denied_by_policy \"\"AUTHZ_DENY\"\" - Group(s) \"\"vpndsin,vpndsin\"\"\"",
"event": {
"category": [
"network"
Expand All @@ -488,7 +488,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"ip": "5.6.7.8"
},
"observer": {
"name": "ADC-VPN"
"name": "ADC"
},
"related": {
"ip": [
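Review bot: after this hunk every NetScaler sample, web and VPN alike, normalizes to `"name": "ADC"`, so the samples no longer illustrate that `observer.name` is extracted from the hostname token of each message rather than being a constant; consider keeping two distinct placeholder names (one for the web appliance, one for the VPN appliance) or stating in the surrounding text that the hostname is taken from the log line.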
@@ -0,0 +1,239 @@

## Event Categories


The following table lists the data source offered by this integration.

| Data Source | Description |
| ----------- | ------------------------------------ |
| `Email gateway` | Trend Micro Email Security generates various types of logs such as mail tracking logs. |





In details, the following table denotes the type of events produced by this integration.

| Name | Values |
| ---- | ------ |
| Kind | `event` |
| Category | `email` |
| Type | `info` |




## Event Samples

Find below few samples of events and how they are normalized by Sekoia.io.


=== "test_bounced.json"

```json

{
"message": "{\"size\": 8245, \"action\": \"Bounced\", \"mailID\": \"b879ff84-55a3-4813-be99-9e0386a446f7\", \"sender\": \"[email protected]\", \"details\": \"mail for example.org loops back to myself\", \"genTime\": \"2023-09-28T13:55:45Z\", \"subject\": \"My subject\", \"tlsInfo\": \"upstreamTLS: TLS 1.2; downstreamTLS: None\", \"headerTo\": [\"[email protected]\"], \"senderIP\": \"1.2.3.4\", \"direction\": \"out\", \"messageID\": \"<22222222222222222222222222222222222222222222222222222222@EXAMPLE>\", \"recipient\": \"[email protected]\", \"timestamp\": \"2023-09-28T13:55:33Z\", \"headerFrom\": \"[email protected]\", \"deliveredTo\": \"none\", \"deliveryTime\": \"2023-09-28T13:55:33Z\"}",
"event": {
"action": "Bounced",
"category": [
"email"
],
"kind": "event",
"type": [
"info"
]
},
"@timestamp": "2023-09-28T13:55:33Z",
"email": {
"from": {
"address": "[email protected]"
},
"local_id": "b879ff84-55a3-4813-be99-9e0386a446f7",
"message_id": "22222222222222222222222222222222222222222222222222222222@EXAMPLE",
"sender": {
"address": "[email protected]"
},
"subject": "My subject",
"to": {
"address": [
"[email protected]"
]
}
}
}
```


=== "test_delivered.json"

```json

{
"message": "{\"size\": 2538013, \"action\": \"Delivered\", \"mailID\": \"b879ff84-55a3-4813-be99-9e0386a446f7\", \"sender\": \"[email protected]\", \"details\": \"250 2.0.0 1z3r022fdx-1 Message accepted for delivery\", \"genTime\": \"2023-09-28T13:51:23Z\", \"subject\": \"Automn is coming\", \"tlsInfo\": \"upstreamTLS: TLS 1.2; downstreamTLS: TLS 1.2\", \"headerTo\": [\"[email protected]\", \"[email protected]\"], \"senderIP\": \"1.2.3.4\", \"direction\": \"out\", \"messageID\": \"<[email protected]>\", \"recipient\": \"[email protected]\", \"timestamp\": \"2023-09-28T13:51:13Z\", \"headerFrom\": \"[email protected]\", \"attachments\": [{\"sha256\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\", \"fileName\": \"attachment.pdf\"}], \"deliveredTo\": \"antispam.example.org[5.6.7.8]:25\", \"deliveryTime\": \"2023-09-28T13:51:18Z\", \"embeddedUrls\": [\"https://aws.amazon.com\", \"https://cloud.google.com\", \"https://www.azure.com\"]}",
"event": {
"action": "Delivered",
"category": [
"email"
],
"kind": "event",
"type": [
"info"
]
},
"@timestamp": "2023-09-28T13:51:13Z",
"email": {
"attachments": [
{
"file": {
"hash": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b",
"name": "attachment.pdf"
}
}
],
"from": {
"address": "[email protected]"
},
"local_id": "b879ff84-55a3-4813-be99-9e0386a446f7",
"message_id": "[email protected]",
"sender": {
"address": "[email protected]"
},
"subject": "Automn is coming",
"to": {
"address": [
"[email protected]",
"[email protected]"
]
}
},
"trendmicro": {
"email": {
"embedded_urls": [
"https://aws.amazon.com",
"https://cloud.google.com",
"https://www.azure.com"
]
}
}
}
```


=== "test_quarantined.json"

```json

{
"message": "{\"size\": 51149, \"action\": \"Quarantined\", \"mailID\": \"b879ff84-55a3-4813-be99-9e0386a446f7\", \"sender\": \"[email protected]\", \"genTime\": \"2023-09-28T13:47:18Z\", \"subject\": \"My beautiful subject\", \"headerTo\": [\"[email protected]\"], \"direction\": \"in\", \"messageID\": \"<11111111111111111111111111111111111111111111111111111111111111111@example.org>\", \"recipient\": \"[email protected]\", \"timestamp\": \"2023-09-28T13:45:59Z\", \"headerFrom\": \"[email protected]\", \"embeddedUrls\": [\"https://sekoia.io\", \"https://www.nytimes.com\"]}",
"event": {
"action": "Quarantined",
"category": [
"email"
],
"kind": "event",
"type": [
"info"
]
},
"@timestamp": "2023-09-28T13:45:59Z",
"email": {
"from": {
"address": "[email protected]"
},
"local_id": "b879ff84-55a3-4813-be99-9e0386a446f7",
"message_id": "11111111111111111111111111111111111111111111111111111111111111111@example.org",
"sender": {
"address": "[email protected]"
},
"subject": "My beautiful subject",
"to": {
"address": [
"[email protected]"
]
}
},
"trendmicro": {
"email": {
"embedded_urls": [
"https://sekoia.io",
"https://www.nytimes.com"
]
}
}
}
```


=== "test_scanned.json"

```json

{
"message": "{\"size\": 48984, \"action\": \"Scanning in sandbox\", \"mailID\": \"b879ff84-55a3-4813-be99-9e0386a446f7\", \"sender\": \"[email protected]\", \"genTime\": \"2023-09-28T13:55:53Z\", \"subject\": \"My beautiful subject\", \"tlsInfo\": \"upstreamTLS: TLS 1.3\", \"headerTo\": [\"[email protected]\"], \"senderIP\": \"1.2.3.4\", \"direction\": \"in\", \"messageID\": \"<[email protected]>\", \"recipient\": \"[email protected]\", \"timestamp\": \"2023-09-28T13:55:44Z\", \"headerFrom\": \"[email protected]\", \"embeddedUrls\": [\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\", \"https://lemonde.fr\"]}",
"event": {
"action": "Scanning in sandbox",
"category": [
"email"
],
"kind": "event",
"type": [
"info"
]
},
"@timestamp": "2023-09-28T13:55:44Z",
"email": {
"from": {
"address": "[email protected]"
},
"local_id": "b879ff84-55a3-4813-be99-9e0386a446f7",
"message_id": "[email protected]",
"sender": {
"address": "[email protected]"
},
"subject": "My beautiful subject",
"to": {
"address": [
"[email protected]"
]
}
},
"trendmicro": {
"email": {
"embedded_urls": [
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd",
"https://lemonde.fr"
]
}
}
}
```





## Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

| Name | Type | Description |
| ---- | ---- | ---------------------------|
|`@timestamp` | `date` | Date/time when the event originated. |
|`email.attachments` | `nested` | List of objects describing the attachments. |
|`email.from.address` | `keyword` | The sender's email address. |
|`email.local_id` | `keyword` | Unique identifier given by the source. |
|`email.message_id` | `wildcard` | Value from the Message-ID header. |
|`email.sender.address` | `keyword` | Address of the message sender. |
|`email.subject` | `keyword` | The subject of the email message. |
|`email.to.address` | `keyword` | Email address of recipient |
|`event.action` | `keyword` | The action captured by the event. |
|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. |
|`trendmicro.email.embedded_urls` | `array` | |
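Review bot: the `email.attachments` mapping in the test_delivered.json sample flattens the hash to `"hash": "01ba4719..."`, whereas ECS defines `email.attachments.file.hash` as an object keyed by algorithm; since the raw log names the algorithm (`"sha256"`), the normalized field should be `email.attachments.file.hash.sha256` and the Extracted Fields table should list it. Several raw keys that have an ECS home are also left unmapped in every sample: `senderIP` could populate `source.ip` and `direction` could populate `email.direction`, and `deliveredTo`, `deliveryTime` and `tlsInfo` carry delivery context that is currently only available inside `message`. Finally, the prose has two typos ("In details" should read "In detail" and "infered" should read "inferred"), and the `trendmicro.email.embedded_urls` row of the table has an empty Description column.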
