Merge pull request #2049 from SEKOIA-IO/update-intake-documentation
Refresh intakes documentation
squioc authored Oct 17, 2024
2 parents 31274a7 + bef70d5 commit 74268c1
Showing 8 changed files with 7,640 additions and 36 deletions.
Expand Up @@ -39,9 +39,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"azure_linux": {
"message": "pam_unix(sudo:auth): conversation failed"
},
"host": {
"name": "LinuxRedhatDesktop"
},
"log": {
"hostname": "LinuxRedhatDesktop",
"level": "error"
Expand Down Expand Up @@ -73,9 +70,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"azure_linux": {
"message": "pam_unix(sudo:auth): auth could not identify password for [omsagent]"
},
"host": {
"name": "LinuxRedhatDesktop"
},
"log": {
"hostname": "LinuxRedhatDesktop",
"level": "critical"
Expand Down Expand Up @@ -107,9 +101,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"azure_linux": {
"message": "(root) CMD (/usr/lib64/sa/sa1 1 1)"
},
"host": {
"name": "LinuxRedhatDesktop"
},
"log": {
"hostname": "LinuxRedhatDesktop",
"level": "info"
Expand Down Expand Up @@ -148,9 +139,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"azure_linux": {
"message": "(root) CMD ([ -f /etc/krb5.keytab ] && [ \\( ! -f /etc/opt/omi/creds/omi.keytab \\) -o \\( /etc/krb5.keytab -nt /etc/opt/omi/creds/omi.keytab \\) ] && /opt/omi/bin/support/ktstrip /etc/krb5.keytab /etc/opt/omi/creds/omi.keytab >/dev/null 2>&1 || true)"
},
"host": {
"name": "LinuxRedhatDesktop"
},
"log": {
"hostname": "LinuxRedhatDesktop",
"level": "info"
Expand Down Expand Up @@ -188,9 +176,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"azure_linux": {
"message": "Received disconnect from 185.122.161.248 port 39070:11: disconnected by user"
},
"host": {
"name": "LinuxRedhatDesktop"
},
"log": {
"hostname": "LinuxRedhatDesktop",
"level": "info"
Expand Down Expand Up @@ -233,9 +218,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"azure_linux": {
"message": "omsagent : TTY=unknown ; PWD=/opt/microsoft/omsconfig/Scripts/2.6x-2.7x ; USER=root ; COMMAND=/opt/microsoft/omsconfig/Scripts/OMSYumUpdates.sh"
},
"host": {
"name": "LinuxRedhatDesktop"
},
"log": {
"hostname": "LinuxRedhatDesktop",
"level": "info"
Expand Down Expand Up @@ -278,9 +260,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"azure_linux": {
"message": "omsagent : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/test -r /var/lib/docker/containers/bf64bddcdb7d18a3090980d2539e2c15c924138f489c280871941064850f7d16/bf64bddcdb7d18a3090980d2539e2c15c924138f489c280871941064850f7d16-json.log"
},
"host": {
"name": "LinuxRedhatDesktop"
},
"log": {
"hostname": "LinuxRedhatDesktop",
"level": "info"
Expand Down Expand Up @@ -325,9 +304,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"azure_linux": {
"message": "pam_unix(sudo:session): session closed for user root"
},
"host": {
"name": "LinuxRedhatDesktop"
},
"log": {
"hostname": "LinuxRedhatDesktop",
"level": "info"
Expand Down Expand Up @@ -367,9 +343,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"azure_linux": {
"message": "pam_unix(sudo:session): session opened for user root by (uid=0)"
},
"host": {
"name": "LinuxRedhatDesktop"
},
"log": {
"hostname": "LinuxRedhatDesktop",
"level": "info"
Expand Down Expand Up @@ -409,9 +382,6 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"azure_linux": {
"message": "Started Session 13124 of user omsagent."
},
"host": {
"name": "LinuxRedhatDesktop"
},
"log": {
"hostname": "LinuxRedhatDesktop",
"level": "info"
Expand Up @@ -718,6 +718,15 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"product": "Thinkst Canary",
"vendor": "Thinkst Canary"
},
"related": {
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"thinkst_canary": {
"incident_id": "incident:canarytoken:68b329da9893e34099c7d:1.2.3.4:1720684212"
}
Expand All @@ -726,6 +735,44 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
```


=== "test_ip_field.json"

```json

{
"message": "{\"incident_id\":\"incident:rdplogin:144444cff2d13e844444444444:1.2.3.4:1111497485\",\"event_type\":\"incident\",\"summary\":\"RDP Login Attempt\",\"timestamp\":\"1111497485\"}",
"event": {
"category": [
"intrusion_detection"
],
"kind": "alert",
"reason": "RDP Login Attempt",
"type": [
"denied"
]
},
"@timestamp": "2005-03-22T13:18:05Z",
"observer": {
"product": "Thinkst Canary",
"vendor": "Thinkst Canary"
},
"related": {
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"thinkst_canary": {
"incident_id": "incident:rdplogin:144444cff2d13e844444444444:1.2.3.4:1111497485"
}
}
```


=== "test_ldap_bind_attempt.json"

```json
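Review bot: `source.ip` and `source.address` in the new test_ip_field example (the lines added after `observer`) appear to be derived from the address embedded in `incident_id` (`incident:rdplogin:<id>:1.2.3.4:1111497485`), since the raw sample carries no separate IP field. If the parser recovers it by splitting that string on `:`, an IPv6 source (which also contains colons) would be mis-parsed, so the documentation should state the assumed format or add an IPv6 sample. Separately, `1.2.3.4` is a routable address; sample values that get copied into detection rules or lookups are safer drawn from an RFC 5737 range, e.g. `192.0.2.4`. Both points are inferred from the visible examples and should be confirmed against the parser.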
Expand Up @@ -471,6 +471,20 @@ In this section, you will find examples of raw logs as generated natively by the



=== "test_ip_field"


```json
{
"incident_id": "incident:rdplogin:144444cff2d13e844444444444:1.2.3.4:1111497485",
"event_type": "incident",
"summary": "RDP Login Attempt",
"timestamp": "1111497485"
}
```



=== "test_ldap_bind_attempt"


Expand Up @@ -5420,6 +5420,144 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
```


=== "process_8002.json"

```json

{
"message": "{\"EventTime\":\"2024-10-02 10:42:24\",\"Hostname\":\"HOST.test.fr\",\"Keywords\":-9223372036854775808,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":8002,\"SourceName\":\"Microsoft-Windows-AppLocker\",\"ProviderGuid\":\"{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}\",\"Version\":0,\"Task\":0,\"OpcodeValue\":0,\"RecordNumber\":1812526,\"ProcessID\":2476,\"ThreadID\":2720,\"Channel\":\"Microsoft-Windows-AppLocker/EXE and DLL\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-2-34\",\"AccountType\":\"User\",\"Message\":\"%SYSTEM32%\\\\TEST\\\\APP.EXE was allowed to run.\",\"Opcode\":\"Info\",\"EventReceivedTime\":\"2024-10-02 10:42:25\",\"SourceModuleName\":\"eventlog\",\"SourceModuleType\":\"im_msvistalog\"}",
"event": {
"code": "8002",
"message": "%SYSTEM32%\\TEST\\APP.EXE was allowed to run.",
"provider": "Microsoft-Windows-AppLocker"
},
"action": {
"id": 8002,
"properties": {
"AccountName": "SYSTEM",
"AccountType": "User",
"Domain": "NT AUTHORITY",
"EventType": "INFO",
"Keywords": "-9223372036854775808",
"OpcodeValue": 0,
"ProviderGuid": "{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}",
"Severity": "INFO",
"SourceName": "Microsoft-Windows-AppLocker",
"Task": 0
},
"record_id": 1812526,
"type": "Microsoft-Windows-AppLocker/EXE and DLL"
},
"file": {
"name": "APP.EXE",
"path": "%SYSTEM32%\\TEST\\APP.EXE"
},
"host": {
"hostname": "HOST.test.fr",
"name": "HOST.test.fr"
},
"log": {
"hostname": "HOST.test.fr",
"level": "info"
},
"os": {
"family": "windows",
"platform": "windows"
},
"process": {
"id": 2476,
"pid": 2476,
"thread": {
"id": 2720
}
},
"related": {
"hosts": [
"HOST.test.fr"
],
"user": [
"SYSTEM"
]
},
"user": {
"domain": "NT AUTHORITY",
"id": "S-1-2-34",
"name": "SYSTEM"
}
}

```


=== "process_8005.json"

```json

{
"message": "{\"EventTime\":\"2024-10-02 10:42:01\",\"Hostname\":\"FOOBAR\",\"Keywords\":4611686018427388000,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":8005,\"SourceName\":\"Microsoft-Windows-AppLocker\",\"ProviderGuid\":\"{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}\",\"Version\":0,\"Task\":0,\"OpcodeValue\":0,\"RecordNumber\":16535331,\"ActivityID\":\"{FE138280-0FB7-0002-8AA0-31FEB70FDB01}\",\"ProcessID\":5532,\"ThreadID\":10772,\"Channel\":\"Microsoft-Windows-AppLocker/MSI and Script\",\"Domain\":\"DOM\",\"AccountName\":\"account\",\"UserID\":\"S-1-2-34\",\"AccountType\":\"User\",\"Message\":\"%OSDRIVE%\\\\USERS\\\\ACCOUNT\\\\APPDATA\\\\LOCAL\\\\TEMP\\\\file.test was allowed to run.\",\"Opcode\":\"Info\",\"EventReceivedTime\":\"2024-10-02 10:42:02\",\"SourceModuleName\":\"eventlog\",\"SourceModuleType\":\"im_msvistalog\"}",
"event": {
"code": "8005",
"message": "%OSDRIVE%\\USERS\\ACCOUNT\\APPDATA\\LOCAL\\TEMP\\file.test was allowed to run.",
"provider": "Microsoft-Windows-AppLocker"
},
"action": {
"id": 8005,
"properties": {
"AccountName": "account",
"AccountType": "User",
"Domain": "DOM",
"EventType": "INFO",
"Keywords": "4611686018427388000",
"OpcodeValue": 0,
"ProviderGuid": "{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}",
"Severity": "INFO",
"SourceName": "Microsoft-Windows-AppLocker",
"Task": 0
},
"record_id": 16535331,
"type": "Microsoft-Windows-AppLocker/MSI and Script"
},
"file": {
"name": "file.test",
"path": "%OSDRIVE%\\USERS\\ACCOUNT\\APPDATA\\LOCAL\\TEMP\\file.test"
},
"host": {
"hostname": "FOOBAR",
"name": "FOOBAR"
},
"log": {
"hostname": "FOOBAR",
"level": "info"
},
"os": {
"family": "windows",
"platform": "windows"
},
"process": {
"id": 5532,
"pid": 5532,
"thread": {
"id": 10772
}
},
"related": {
"hosts": [
"FOOBAR"
],
"user": [
"account"
]
},
"user": {
"domain": "DOM",
"id": "S-1-2-34",
"name": "account"
}
}

```


=== "process_creation.json"

```json
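Review bot: The `event` object in the new process_8002 and process_8005 examples carries only `code`, `message` and `provider`, so the ECS classification used by other intakes in this corpus (`event.category`, `event.type`, `event.outcome`) is absent and the allowed/blocked distinction is recoverable only from the free-text `was allowed to run.` message. Something like `"category": ["process"], "type": ["start"], "outcome": "success"` would let rules key on the outcome rather than on the string; confirm against how the parser handles the corresponding audit/block event IDs, which are not shown here. Keeping `action.properties.Keywords` as a string is correct, since both values exceed 2^53. Note that the raw 8005 fixture already shows `4611686018427388000`, the double-rounded form of 0x4000000000000000 (4611686018427387904), which suggests precision was lost upstream of ingestion and may deserve a one-line caveat in the doc.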