From 70ea57453e707b26794f56423047bc3b0bb0f5c0 Mon Sep 17 00:00:00 2001 From: "sekoia-io-cross-repo-comm-app[bot]" Date: Tue, 24 Oct 2023 16:46:51 +0000 Subject: [PATCH] Refresh intakes documentation --- .../02a74ceb-a9b0-467c-97d1-588319e39d71.md | 32 +-- .../2e9d87ed-6606-445a-90d1-9c7695b28335.md | 239 ++++++++++++++++++ .../5702ae4e-7d8a-455f-a47b-ef64dd87c981.md | 103 ++++++++ 3 files changed, 358 insertions(+), 16 deletions(-) create mode 100644 _shared_content/operations_center/integrations/generated/2e9d87ed-6606-445a-90d1-9c7695b28335.md diff --git a/_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71.md b/_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71.md index 1f5faa8f6d..6c75f6aff4 100644 --- a/_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71.md +++ b/_shared_content/operations_center/integrations/generated/02a74ceb-a9b0-467c-97d1-588319e39d71.md @@ -34,7 +34,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ```json { - "message": "09/29/2023:07:40:56 GMT ADC-WEB1 0-PPE-1 : default AAATM Message 1111111111 0 : \"AAA JSON-PARSE: ns_aaa_json_parser_StartElementHandler: NAME_VAL state, multi valued attribute start 'ConnectionId' seen\"", + "message": "09/29/2023:07:40:56 GMT ADC 0-PPE-1 : default AAATM Message 1111111111 0 : \"AAA JSON-PARSE: ns_aaa_json_parser_StartElementHandler: NAME_VAL state, multi valued attribute start 'ConnectionId' seen\"", "event": { "category": [ "network" @@ -49,7 +49,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "@timestamp": "2023-09-29T07:40:56Z", "observer": { - "name": "ADC-WEB1" + "name": "ADC" } } @@ -124,7 +124,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ```json { - "message": "2023/07/04:09:03:46 ADC-WEB1 0-PPE-2 : default TCP CONN_TERMINATE 4556618 0 : Source 1.2.3.4:443 - Destination 5.6.7.8:43566 - Start Time 2023/07/04:09:03:46 - End Time 2023/07/04:09:03:46 - Total_bytes_send 473 - Total_bytes_recv 1", + "message": "2023/07/04:09:03:46 ADC 0-PPE-2 : default TCP CONN_TERMINATE 4556618 0 : Source 1.2.3.4:443 - Destination 5.6.7.8:43566 - Start Time 2023/07/04:09:03:46 - End Time 2023/07/04:09:03:46 - Total_bytes_send 473 - Total_bytes_recv 1", "event": { "category": [ "network" @@ -150,7 +150,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": "5.6.7.8" }, "observer": { - "name": "ADC-WEB1" + "name": "ADC" }, "related": { "ip": [ @@ -172,7 +172,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ```json { - "message": "2023/07/04:09:03:46 ADC-VPN 0-PPE-0 : default TCP CONN_TERMINATE 19695388 0 : Source 1.2.3.4:5557 - Destination 5.6.7.8:39654 - Start Time 2023/07/04:09:03:01 - End Time 2023/07/04:09:03:46 - Total_bytes_send 1 - Total_bytes_recv 1", + "message": "2023/07/04:09:03:46 ADC 0-PPE-0 : default TCP CONN_TERMINATE 19695388 0 : Source 1.2.3.4:5557 - Destination 5.6.7.8:39654 - Start Time 2023/07/04:09:03:01 - End Time 2023/07/04:09:03:46 - Total_bytes_send 1 - Total_bytes_recv 1", "event": { "category": [ "network" @@ -198,7 +198,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": "5.6.7.8" }, "observer": { - "name": "ADC-VPN" + "name": "ADC" }, "related": { "ip": [ @@ -220,7 +220,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ```json { - "message": "2023/07/04:09:03:45 ADC-WEB1 0-PPE-1 : default TCP CONN_DELINK 4356922 0 : Source 1.2.3.4:13788 - Vserver 192.168.152.11:443 - NatIP 4.3.2.1:3198 - Destination 5.6.7.8:443 - Delink Time 2023/07/04:09:03:45 - Total_bytes_send 0 - Total_bytes_recv 762", + "message": "2023/07/04:09:03:45 ADC 0-PPE-1 : default TCP CONN_DELINK 4356922 0 : Source 1.2.3.4:13788 - Vserver 192.168.152.11:443 - NatIP 4.3.2.1:3198 - Destination 5.6.7.8:443 - Delink Time 2023/07/04:09:03:45 - Total_bytes_send 0 - Total_bytes_recv 762", "event": { "category": [ "network" @@ -250,7 +250,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": "5.6.7.8" }, "observer": { - "name": "ADC-WEB1" + "name": "ADC" }, "related": { "ip": [ @@ -339,7 +339,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ```json { - "message": "\"2023/07/04:09:03:41 ADC-WEB1 0-PPE-1 : default SNMP TRAP_SENT 0 0 : appfwPolicyHit (appfwLogMsg = \"\"CEF:0|Citrix|NetScaler|NS13.1|APPFW|APPFW_POLI...\"\", nsPartitionName = default)\"", + "message": "\"2023/07/04:09:03:41 ADC 0-PPE-1 : default SNMP TRAP_SENT 0 0 : appfwPolicyHit (appfwLogMsg = \"\"CEF:0|Citrix|NetScaler|NS13.1|APPFW|APPFW_POLI...\"\", nsPartitionName = default)\"", "event": { "category": [ "network" @@ -354,7 +354,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "@timestamp": "2023-07-04T09:03:41Z", "observer": { - "name": "ADC-WEB1" + "name": "ADC" } } @@ -366,7 +366,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ```json { - "message": "\"2023/07/04:09:03:39 ADC-VPN 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 19695351 0 : SPCBId 1265452 - ClientIP 1.2.3.4 - ClientPort 50130 - VserverServiceIP 192.168.152.11 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite \"\"TLS1.2-ECDHE-RSA-AES256-GCM-SHA384\"\" - Session New - HandshakeTime 27 ms\"", + "message": "\"2023/07/04:09:03:39 ADC 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 19695351 0 : SPCBId 1265452 - ClientIP 1.2.3.4 - ClientPort 50130 - VserverServiceIP 192.168.152.11 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite \"\"TLS1.2-ECDHE-RSA-AES256-GCM-SHA384\"\" - Session New - HandshakeTime 27 ms\"", "event": { "category": [ "network" @@ -388,7 +388,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. } }, "observer": { - "name": "ADC-VPN" + "name": "ADC" }, "related": { "ip": [ @@ -414,7 +414,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ```json { - "message": "\"2023/07/04:09:03:46 ADC-VPN 0-PPE-0 : default SSLVPN Message 19695397 0 : \"\"SSLVPN Mux Authorize result is Deny, User , Srcip: 1.2.3.4, Dstip: 5.6.7.8, denied_by_policy: SESSPOL_VPN_Remoteadmin\"\"\"", + "message": "\"2023/07/04:09:03:46 ADC 0-PPE-0 : default SSLVPN Message 19695397 0 : \"\"SSLVPN Mux Authorize result is Deny, User , Srcip: 1.2.3.4, Dstip: 5.6.7.8, denied_by_policy: SESSPOL_VPN_Remoteadmin\"\"\"", "event": { "category": [ "network" @@ -437,7 +437,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": "5.6.7.8" }, "observer": { - "name": "ADC-VPN" + "name": "ADC" }, "related": { "ip": [ @@ -462,7 +462,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ```json { - "message": "\"2023/07/04:09:03:39 ADC-VPN 0-PPE-0 : default SSLVPN NONHTTP_RESOURCEACCESS_DENIED 19695356 0 : Context vpn35939@91.170.235.67 - SessionId: 1286 - User vpn35939 - Client_ip 1.2.3.4 - Nat_ip 4.3.2.1 - Vserver 192.168.152.11:443 - Source 1.2.3.4:50130 - Destination 5.6.7.8:514 - Total_bytes_send 340 - Total_bytes_recv 0 - Denied_by_policy \"\"AUTHZ_DENY\"\" - Group(s) \"\"vpndsin,vpndsin\"\"\"", + "message": "\"2023/07/04:09:03:39 ADC 0-PPE-0 : default SSLVPN NONHTTP_RESOURCEACCESS_DENIED 19695356 0 : Context vpn35939@91.170.235.67 - SessionId: 1286 - User vpn35939 - Client_ip 1.2.3.4 - Nat_ip 4.3.2.1 - Vserver 192.168.152.11:443 - Source 1.2.3.4:50130 - Destination 5.6.7.8:514 - Total_bytes_send 340 - Total_bytes_recv 0 - Denied_by_policy \"\"AUTHZ_DENY\"\" - Group(s) \"\"vpndsin,vpndsin\"\"\"", "event": { "category": [ "network" @@ -488,7 +488,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. "ip": "5.6.7.8" }, "observer": { - "name": "ADC-VPN" + "name": "ADC" }, "related": { "ip": [ diff --git a/_shared_content/operations_center/integrations/generated/2e9d87ed-6606-445a-90d1-9c7695b28335.md b/_shared_content/operations_center/integrations/generated/2e9d87ed-6606-445a-90d1-9c7695b28335.md new file mode 100644 index 0000000000..95fb9110ab --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/2e9d87ed-6606-445a-90d1-9c7695b28335.md @@ -0,0 +1,239 @@ + +## Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Email gateway` | Trend Micro Email Security generates various types of logs such as mail tracking logs. | + + + + + +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `event` | +| Category | `email` | +| Type | `info` | + + + + +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "test_bounced.json" + + ```json + + { + "message": "{\"size\": 8245, \"action\": \"Bounced\", \"mailID\": \"b879ff84-55a3-4813-be99-9e0386a446f7\", \"sender\": \"noreply@example.org\", \"details\": \"mail for example.org loops back to myself\", \"genTime\": \"2023-09-28T13:55:45Z\", \"subject\": \"My subject\", \"tlsInfo\": \"upstreamTLS: TLS 1.2; downstreamTLS: None\", \"headerTo\": [\"jane.doe@example.org\"], \"senderIP\": \"1.2.3.4\", \"direction\": \"out\", \"messageID\": \"<22222222222222222222222222222222222222222222222222222222@EXAMPLE>\", \"recipient\": \"jane.doe@example.org\", \"timestamp\": \"2023-09-28T13:55:33Z\", \"headerFrom\": \"noreply@example.org\", \"deliveredTo\": \"none\", \"deliveryTime\": \"2023-09-28T13:55:33Z\"}", + "event": { + "action": "Bounced", + "category": [ + "email" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2023-09-28T13:55:33Z", + "email": { + "from": { + "address": "noreply@example.org" + }, + "local_id": "b879ff84-55a3-4813-be99-9e0386a446f7", + "message_id": "22222222222222222222222222222222222222222222222222222222@EXAMPLE", + "sender": { + "address": "noreply@example.org" + }, + "subject": "My subject", + "to": { + "address": [ + "jane.doe@example.org" + ] + } + } + } + + ``` + + +=== "test_delivered.json" + + ```json + + { + "message": "{\"size\": 2538013, \"action\": \"Delivered\", \"mailID\": \"b879ff84-55a3-4813-be99-9e0386a446f7\", \"sender\": \"john.doe@example.org\", \"details\": \"250 2.0.0 1z3r022fdx-1 Message accepted for delivery\", \"genTime\": \"2023-09-28T13:51:23Z\", \"subject\": \"Automn is coming\", \"tlsInfo\": \"upstreamTLS: TLS 1.2; downstreamTLS: TLS 1.2\", \"headerTo\": [\"jane.doe@example.org\", \"cedric.martin@example.org\"], \"senderIP\": \"1.2.3.4\", \"direction\": \"out\", \"messageID\": \"<11111111111111111111111111111111111111@example.org>\", \"recipient\": \"jane.doe@example.org\", \"timestamp\": \"2023-09-28T13:51:13Z\", \"headerFrom\": \"john.doe@example.org\", \"attachments\": [{\"sha256\": \"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\", \"fileName\": \"attachment.pdf\"}], \"deliveredTo\": \"antispam.example.org[5.6.7.8]:25\", \"deliveryTime\": \"2023-09-28T13:51:18Z\", \"embeddedUrls\": [\"https://aws.amazon.com\", \"https://cloud.google.com\", \"https://www.azure.com\"]}", + "event": { + "action": "Delivered", + "category": [ + "email" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2023-09-28T13:51:13Z", + "email": { + "attachments": [ + { + "file": { + "hash": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b", + "name": "attachment.pdf" + } + } + ], + "from": { + "address": "john.doe@example.org" + }, + "local_id": "b879ff84-55a3-4813-be99-9e0386a446f7", + "message_id": "11111111111111111111111111111111111111@example.org", + "sender": { + "address": "john.doe@example.org" + }, + "subject": "Automn is coming", + "to": { + "address": [ + "cedric.martin@example.org", + "jane.doe@example.org" + ] + } + }, + "trendmicro": { + "email": { + "embedded_urls": [ + "https://aws.amazon.com", + "https://cloud.google.com", + "https://www.azure.com" + ] + } + } + } + + ``` + + +=== "test_quarantined.json" + + ```json + + { + "message": "{\"size\": 51149, \"action\": \"Quarantined\", \"mailID\": \"b879ff84-55a3-4813-be99-9e0386a446f7\", \"sender\": \"john.doe@example.org\", \"genTime\": \"2023-09-28T13:47:18Z\", \"subject\": \"My beautiful subject\", \"headerTo\": [\"jane.doe@example.org\"], \"direction\": \"in\", \"messageID\": \"<11111111111111111111111111111111111111111111111111111111111111111@example.org>\", \"recipient\": \"jane.doe@example.org\", \"timestamp\": \"2023-09-28T13:45:59Z\", \"headerFrom\": \"john.doe@example.org\", \"embeddedUrls\": [\"https://sekoia.io\", \"https://www.nytimes.com\"]}", + "event": { + "action": "Quarantined", + "category": [ + "email" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2023-09-28T13:45:59Z", + "email": { + "from": { + "address": "john.doe@example.org" + }, + "local_id": "b879ff84-55a3-4813-be99-9e0386a446f7", + "message_id": "11111111111111111111111111111111111111111111111111111111111111111@example.org", + "sender": { + "address": "john.doe@example.org" + }, + "subject": "My beautiful subject", + "to": { + "address": [ + "jane.doe@example.org" + ] + } + }, + "trendmicro": { + "email": { + "embedded_urls": [ + "https://sekoia.io", + "https://www.nytimes.com" + ] + } + } + } + + ``` + + +=== "test_scanned.json" + + ```json + + { + "message": "{\"size\": 48984, \"action\": \"Scanning in sandbox\", \"mailID\": \"b879ff84-55a3-4813-be99-9e0386a446f7\", \"sender\": \"bounce@example.org\", \"genTime\": \"2023-09-28T13:55:53Z\", \"subject\": \"My beautiful subject\", \"tlsInfo\": \"upstreamTLS: TLS 1.3\", \"headerTo\": [\"jane.doe@example.org\"], \"senderIP\": \"1.2.3.4\", \"direction\": \"in\", \"messageID\": \"<11111111111111111111111111111111@example.org>\", \"recipient\": \"jane.doe@example.org\", \"timestamp\": \"2023-09-28T13:55:44Z\", \"headerFrom\": \"john.doe@example.org\", \"embeddedUrls\": [\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\", \"https://lemonde.fr\"]}", + "event": { + "action": "Scanning in sandbox", + "category": [ + "email" + ], + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2023-09-28T13:55:44Z", + "email": { + "from": { + "address": "john.doe@example.org" + }, + "local_id": "b879ff84-55a3-4813-be99-9e0386a446f7", + "message_id": "11111111111111111111111111111111@example.org", + "sender": { + "address": "bounce@example.org" + }, + "subject": "My beautiful subject", + "to": { + "address": [ + "jane.doe@example.org" + ] + } + }, + "trendmicro": { + "email": { + "embedded_urls": [ + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd", + "https://lemonde.fr" + ] + } + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | +|`email.attachments` | `nested` | List of objects describing the attachments. | +|`email.from.address` | `keyword` | The sender's email address. | +|`email.local_id` | `keyword` | Unique identifier given by the source. | +|`email.message_id` | `wildcard` | Value from the Message-ID header. | +|`email.sender.address` | `keyword` | Address of the message sender. | +|`email.subject` | `keyword` | The subject of the email message. | +|`email.to.address` | `keyword` | Email address of recipient | +|`event.action` | `keyword` | The action captured by the event. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`trendmicro.email.embedded_urls` | `array` | | + diff --git a/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md b/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md index 48ca84adfd..9c3e679c4d 100644 --- a/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md +++ b/_shared_content/operations_center/integrations/generated/5702ae4e-7d8a-455f-a47b-ef64dd87c981.md @@ -1151,6 +1151,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "fortinet": { "fortigate": { + "attack": { + "id": "16777316", + "name": "icmp_ flood" + }, "event": { "severity": "critical", "type": "anomaly" @@ -1224,6 +1228,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. }, "fortinet": { "fortigate": { + "attack": { + "id": "16777316", + "name": "icmp_ flood" + }, "event": { "severity": "critical", "type": "anomaly" @@ -2292,6 +2300,99 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "test_ips.STANDARD.json" + + ```json + + { + "message": "timestamp=1698046849 devname=\"abc\" devid=\"1\" vd=\"root\" date=2023-10-23 time=00:40:49 eventtime=1698046849852012802 tz=\"-0700\" logid=\"0101037130\" type=\"utm\" subtype=\"ips\" eventtype=\"signature\" level=\"alert\" severity=\"low\" srcip=1.2.3.4 srccountry=\"Reserved\" dstip=4.5.6.7 dstcountry=\"Reserved\" srcintf=\"port2\" srcintfrole=\"undefined\" dstintf=\"port2\" dstintfrole=\"undefined\" sessionid=1234567890 action=\"detected\" proto=6 service=\"HTTP\" policyid=494 poluuid=\"aecacfaf-8d3f-4809-a60f-bf873e0fcab3\" policytype=\"policy\" attack=\"Qualys.Vulnerability.Scanner\" srcport=37364 dstport=80 hostname=\"10.20.30.40\" url=\"/cgi/rocket.pl?var1=alpha\" direction=\"outgoing\" attackid=45660 profile=\"Example_IPS\" ref=\"http://www.fortinet.com/ids/VID45660\" incidentserialno=1234567 msg=\"tools: Qualys.Vulnerability.Scanner\" crscore=5 craction=32768 crlevel=\"low\"\n", + "event": { + "action": "detected", + "category": "utm", + "code": "0101037130", + "reason": "tools: Qualys.Vulnerability.Scanner", + "timezone": "-0700" + }, + "@timestamp": "2023-10-23T07:40:49Z", + "action": { + "name": "detected", + "outcome": "success", + "outcome_reason": "tools: Qualys.Vulnerability.Scanner", + "target": "network-traffic", + "type": "ips" + }, + "destination": { + "address": "4.5.6.7", + "domain": "10.20.30.40", + "ip": "4.5.6.7", + "port": 80 + }, + "fortinet": { + "fortigate": { + "attack": { + "id": "45660", + "name": "Qualys.Vulnerability.Scanner" + }, + "event": { + "severity": "low", + "type": "utm" + }, + "virtual_domain": "root" + } + }, + "host": { + "name": "abc" + }, + "log": { + "hostname": "abc", + "level": "alert" + }, + "network": { + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "port2" + } + }, + "hostname": "abc", + "ingress": { + "interface": { + "name": "port2" + } + }, + "serial_number": "1" + }, + "related": { + "hosts": [ + "10.20.30.40", + "abc" + ], + "ip": [ + "1.2.3.4", + "4.5.6.7" + ] + }, + "rule": { + "ruleset": "policy" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 37364 + }, + "url": { + "original": "/cgi/rocket.pl?var1=alpha", + "path": "/cgi/rocket.pl", + "query": "var1=alpha" + } + } + + ``` + + === "test_unauthuser.json" ```json @@ -3547,6 +3648,8 @@ The following table lists the fields that are extracted, normalized under the EC |`file.name` | `keyword` | Name of the file including the extension, without the directory. | |`file.size` | `long` | File size in bytes. | |`fortinet.fortigate.apprisk` | `keyword` | Risk level of the application. | +|`fortinet.fortigate.attack.id` | `keyword` | ID of the detected attack | +|`fortinet.fortigate.attack.name` | `keyword` | Name of the detected attack | |`fortinet.fortigate.event.desc` | `keyword` | Type of log. | |`fortinet.fortigate.event.severity` | `keyword` | Anomaly severity as reported by Fortigate | |`fortinet.fortigate.event.type` | `keyword` | Type of the event. |