From b0aff8b6c208578beff591918fc5862a7b362620 Mon Sep 17 00:00:00 2001
From: "sekoia-io-cross-repo-comm-app[bot]" <99295792+sekoia-io-cross-repo-comm-app[bot]@users.noreply.github.com>
Date: Wed, 19 Jun 2024 08:29:53 +0000
Subject: [PATCH] Refresh intakes documentation
---
.../2259adc3-9d93-4150-9c1c-46804e636084.md | 98 +++
.../e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md | 13 +
.../f0a10c21-37d1-419f-8671-77903dc8de69.md | 69 ++
.../fc03f783-5039-415e-915a-a4b010d9a872.md | 744 ++++++++++++++++++
4 files changed, 924 insertions(+)
create mode 100644 _shared_content/operations_center/integrations/generated/fc03f783-5039-415e-915a-a4b010d9a872.md
diff --git a/_shared_content/operations_center/integrations/generated/2259adc3-9d93-4150-9c1c-46804e636084.md b/_shared_content/operations_center/integrations/generated/2259adc3-9d93-4150-9c1c-46804e636084.md
index c75a7d4024..849d12a3b6 100644
--- a/_shared_content/operations_center/integrations/generated/2259adc3-9d93-4150-9c1c-46804e636084.md
+++ b/_shared_content/operations_center/integrations/generated/2259adc3-9d93-4150-9c1c-46804e636084.md
@@ -20,6 +20,86 @@ The following table lists the data source offered by this integration. Find below few samples of events and how they are normalized by Sekoia.io. +=== "attack.json" + + ```json + + { + "message": "cat=attack date_time=2023-12-08T02:34:17+01:00 user_id=9a8d2e96-0d28-48ef-ac6c-8e23236e9eaf user_name=jdoe@example.org login_user=\"Unknown\" ep_id=5446331978 app_name=\"Staging\" ep_region=europe-west3 ep_domain=staging.example.org src_ip=1.2.3.4 src_port=45344 backend_service=unknown dst_port=443 srccountry=\"Ireland\" service=https/tls1.3 action=Block main_type=\"Known Bots Detection\" sub_type=\"Crawler\" threat_level=Moderate threat_weight=25 http_host=staging.example.org http_url=/ http_version=1.x http_method=GET http_agent=\"Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0; +info@netcraft.com)\" http_refer=none length=1546 signature_id=N/A signature_cve_id=N/A owasp_top10=\"N/A\" msg=\"Known Bots: Malicious Bot Netcraft in category Crawler Violation\" log_id=20000213 msg_id=001415055359", + "event": { + "action": "Block", + "message": "Known Bots: Malicious Bot Netcraft in category Crawler Violation" + }, + "action": { + "properties": { + "cat": "attack", + "log_id": "20000213" + } + }, + "destination": { + "port": 443 + }, + "host": { + "name": "tyR4LrYORLPlEIBp" + }, + "http": { + "request": { + "method": "GET", + "referrer": "none" + }, + "version": "1.x" + }, + "log": { + "hostname": "tyR4LrYORLPlEIBp" + }, + "related": { + "hosts": [ + "staging.example.org" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe" + ] + }, + "source": { + "address": "1.2.3.4", + "geo": { + "name": "Ireland" + }, + "ip": "1.2.3.4", + "port": 45344 + }, + "url": { + "domain": "staging.example.org", + "path": "/", + "registered_domain": "example.org", + "subdomain": "staging", + "top_level_domain": "org", + "username": "jdoe@example.org" + }, + "user": { + "domain": "example.org", + "email": "jdoe@example.org", + "id": "9a8d2e96-0d28-48ef-ac6c-8e23236e9eaf", + 
"name": "jdoe" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0; +info@netcraft.com)", + "os": { + "name": "Other" + } + } + } + + ``` + + === "https_traffic.json" ```json @@ -68,9 +148,15 @@ Find below few samples of events and how they are normalized by Sekoia.io. "protocol": "tcp" }, "related": { + "hosts": [ + "api.sns-security.fr" + ], "ip": [ "172.26.8.20", "192.168.36.2" + ], + "user": [ + "Unknown" ] }, "rule": { @@ -88,9 +174,16 @@ Find below few samples of events and how they are normalized by Sekoia.io. "cipher": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" }, "url": { + "domain": "api.sns-security.fr", "path": "/apiv1/wan/list?take=12&skip=84&orderBy=ponderationValue&sortDirection=desc&filter[]=monitor,equalsBool,true&filter[]=status,equal,DOWN", + "registered_domain": "sns-security.fr", + "subdomain": "api", + "top_level_domain": "fr", "username": "Unknown" }, + "user": { + "name": "Unknown" + }, "user_agent": { "device": { "name": "Other" @@ -156,6 +249,7 @@ The following table lists the fields that are extracted, normalized under the EC | Name | Type | Description | | ---- | ---- | ---------------------------| +|`action.properties.cat` | `keyword` | | |`action.properties.device_id` | `keyword` | | |`action.properties.log_id` | `keyword` | | |`destination.ip` | `ip` | IP address of the destination. | 
@@ -177,8 +271,12 @@ The following table lists the fields that are extracted, normalized under the EC |`source.ip` | `ip` | IP address of the source. | |`source.port` | `long` | Port of the source. | |`tls.cipher` | `keyword` | String indicating the cipher used during the current connection. | +|`url.domain` | `keyword` | Domain of the url. | |`url.path` | `wildcard` | Path of the request, such as "/search". | |`url.username` | `keyword` | Username of the request. | +|`user.domain` | `keyword` | Name of the directory the user is a member of. | +|`user.email` | `keyword` | User email address. | +|`user.id` | `keyword` | Unique identifier of the user. | |`user.name` | `keyword` | Short name or login of the user. | |`user_agent.original` | `keyword` | Unparsed user_agent string. | diff --git a/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md b/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md index 94afe749b3..4110d15048 100644 --- a/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md +++ b/_shared_content/operations_center/integrations/generated/e4a758fc-7620-49e6-b8ed-b7fb3d7fa232.md @@ -104,6 +104,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. } ], "from_header": "user user@test.fr", + "last_report_date": "0001-01-01T00:00:00Z", "overdict": "clean", "status": "LOW_SPAM", "to_header": "header stuff", @@ -262,6 +263,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. ], "folder": "JunkEmail", "from_header": "Test SEKOIA.IO ", + "last_report_date": "0001-01-01T00:00:00Z", "status": "PHISHING", "to_header": "\"test@vadesecure.com\" ", "whitelist": "false" 
@@ -329,6 +331,7 @@ Find below few samples of events and how they are normalized by Sekoia.io. } ], "from_header": "Test SEKOIA.IO ", + "last_report_date": "0001-01-01T00:00:00Z", "status": "LEGIT", "to_header": "\"test@vadesecure.com\" ", "whitelist": "true" @@ -361,6 +364,9 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "MOVE" } ], + "actions_labels": [ + "MOVE" + ], "id": "zekfnzejnf576rge8768", "nb_messages_remediated": 1, "nb_messages_remediated_read": 0, @@ -398,6 +404,10 @@ Find below few samples of events and how they are normalized by Sekoia.io. "action": "FAILED" } ], + "actions_labels": [ + "DELETE", + "FAILED" + ], "id": "zekfnzejnf576rge8768", "nb_messages_remediated": 76, "nb_messages_remediated_read": 0, @@ -431,12 +441,15 @@ The following table lists the fields that are extracted, normalized under the EC |`source.ip` | `ip` | IP address of the source. | |`vadesecure.attachments` | `array` | vadesecure.to_header | |`vadesecure.campaign.actions` | `array` | The actions carried out for the remediation campaign. | +|`vadesecure.campaign.actions_labels` | `keyword` | | |`vadesecure.campaign.id` | `keyword` | The ID of the campaign | |`vadesecure.campaign.nb_messages_remediated` | `long` | The total number of messages involved in the remediation. | |`vadesecure.campaign.nb_messages_remediated_read` | `long` | The number of total read messages involved in the remediation. | |`vadesecure.campaign.nb_messages_remediated_unread` | `long` | The number of total unread messages involved in the remediation. | |`vadesecure.folder` | `keyword` | vadesecure.folder | |`vadesecure.from_header` | `keyword` | vadesecure.from_header | +|`vadesecure.last_report` | `keyword` | | +|`vadesecure.last_report_date` | `datetime` | | |`vadesecure.overdict` | `keyword` | vadesecure.overdict | |`vadesecure.status` | `keyword` | vadesecure.status | |`vadesecure.substatus` | `keyword` | vadesecure.substatus | 
diff --git a/_shared_content/operations_center/integrations/generated/f0a10c21-37d1-419f-8671-77903dc8de69.md b/_shared_content/operations_center/integrations/generated/f0a10c21-37d1-419f-8671-77903dc8de69.md
index e84ad947c5..18bcd1f4f2 100644
--- a/_shared_content/operations_center/integrations/generated/f0a10c21-37d1-419f-8671-77903dc8de69.md
+++ b/_shared_content/operations_center/integrations/generated/f0a10c21-37d1-419f-8671-77903dc8de69.md
@@ -726,6 +726,73 @@ Find below few samples of events and how they are normalized by Sekoia.io. ``` +=== "CEF_syslog.json" + + ```json + + { + "message": "0|Check Point|SmartDefense|Check Point|IPS|Syslog Message Length Enforcement|Medium|act=Detect cp_severity=Medium cnt=53 cs1Label=Threat Prevention Rule Name cs2Label=Protection ID cs2=02syslg_max_msg_len_tab cs3Label=Protection Type cs3=IPS cs4Label=Protection Name cs4=Syslog Message Length Enforcement cs4Label=Threat Prevention Rule ID cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} deviceDirection=1 flexNumber1Label=Confidence flexNumber1=1 flexNumber2Label=Performance Impact flexNumber2=2 flexString2Label=Attack Information flexString2=phpFileManager cmd Parameter Command Execution in=0 msg=Syslog Protocol Violation out=0 rt=1705349059000 spt=57789 dpt=514 Signature=CVE-1999-0063, CVE-1999-0381 cs4Label=Threat Prevention Rule ID cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} cs4={C29BF96E-4967-4BC0-9759-8CD2E668D37E} cs1Label=Threat Prevention Rule Name layer_name=dn Threat Prevention layer_name=dn Threat Prevention layer_name=dn Threat Prevention layer_name=dn Threat Prevention layer_name=dn Threat Prevention layer_name=dn Threat Prevention layer_name=dn Threat Prevention layer_name=dn Threat Prevention layer_uuid={FB7CC4DE-9326-4CB5-9CDF-33A2996F1F57} layer_uuid={FB7CC4DE-9326-4CB5-9CDF-33A2996F1F57} layer_uuid={FB7CC4DE-9326-4CB5-9CDF-33A2996F1F57} layer_uuid={FB7CC4DE-9326-4CB5-9CDF-33A2996F1F57} layer_uuid={FB7CC4DE-9326-4CB5-9CDF-33A2996F1F57} layer_uuid={FB7CC4DE-9326-4CB5-9CDF-33A2996F1F57} layer_uuid={FB7CC4DE-9326-4CB5-9CDF-33A2996F1F57} layer_uuid={FB7CC4DE-9326-4CB5-9CDF-33A2996F1F57} smartdefense_profile=XXXX_IPS_policy 
smartdefense_profile=XXXX_IPS_policy smartdefense_profile=XXXX_IPS_policy smartdefense_profile=XXXX_IPS_policy smartdefense_profile=XXXX_IPS_policy smartdefense_profile=XXXX_IPS_policy smartdefense_profile=XXXX_IPS_policy smartdefense_profile=XXXX_IPS_policy ifname=eth5.996 loguid={0xc4f7efea,0x4a15abc5,0x796000a8,0x18edf12d} origin=3.4.5.6 originsicname=CN\\=DN-EXAMPLE,O\\=alfi.defo.ccse.nl sequencenum=12 version=5 capture_uuid={0x65a58fcb,0x1,0x4d1f8365,0xc5a8726d} description_url=02syslg_max_msg_len_tab_help.html dst=5.6.7.8 lastupdatetime=1705352059 log_id=2 policy=dn policy_time=1705348793 product=SmartDefense proto=17 rule_uid=b16110f0-fc9f-43b1-9f87-a8ad3f995237 session_id={0x65a58fc3,0x3,0x4d1f8365,0xc5a8726d} smartdefense_profile=XXXX_IPS_policy src=1.2.3.4", + "event": { + "code": "IPS", + "message": "Syslog Protocol Violation", + "outcome": "success" + }, + "action": { + "name": "detect", + "outcome": "success", + "outcome_reason": "Syslog Protocol Violation", + "properties": { + "loguid": "{0xc4f7efea,0x4a15abc5,0x796000a8,0x18edf12d}", + "observer_type": "SmartDefense", + "origin": "3.4.5.6", + "originsicname": "CN=DN-EXAMPLE,O=alfi.defo.ccse.nl", + "product": "SmartDefense", + "signature": [ + "CVE-1999-0063", + "CVE-1999-0381" + ] + }, + "target": "network-traffic" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 514 + }, + "log": { + "level": "Medium" + }, + "network": { + "direction": "outbound", + "transport": "udp" + }, + "observer": { + "ingress": { + "interface": { + "name": "eth5.996" + } + } + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "uuid": "b16110f0-fc9f-43b1-9f87-a8ad3f995237", + "version": "5" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 57789 + } + } + + ``` + + === "CEF_tcp_accept.json" ```json 
@@ -1345,6 +1412,7 @@ The following table lists the fields that are extracted, normalized under the EC |`action.properties.product` | `keyword` | | |`action.properties.reject_category` | `keyword` | | |`action.properties.rule_name` | `keyword` | | +|`action.properties.signature` | `array` | | |`action.properties.source_key_id` | `keyword` | | |`action.properties.subproduct` | `keyword` | | |`action.properties.vpn_feature_name` | `keyword` | | @@ -1362,6 +1430,7 @@ The following table lists the fields that are extracted, normalized under the EC |`host.hostname` | `keyword` | Hostname of the host. | |`host.name` | `keyword` | Name of the host. | |`http.request.method` | `keyword` | HTTP request method. | +|`log.level` | `keyword` | Log level of the log event. | |`network.direction` | `keyword` | Direction of the network traffic. | |`network.protocol` | `keyword` | Application protocol name. | |`network.transport` | `keyword` | Protocol Name corresponding to the field `iana_number`. | diff --git a/_shared_content/operations_center/integrations/generated/fc03f783-5039-415e-915a-a4b010d9a872.md b/_shared_content/operations_center/integrations/generated/fc03f783-5039-415e-915a-a4b010d9a872.md new file mode 100644 index 0000000000..24a4d237a6 --- /dev/null +++ b/_shared_content/operations_center/integrations/generated/fc03f783-5039-415e-915a-a4b010d9a872.md 
@@ -0,0 +1,744 @@ + +## Event Categories + + +The following table lists the data source offered by this integration. + +| Data Source | Description | +| ----------- | ------------------------------------ | +| `Authentication logs` | Audit journal | +| `File monitoring` | Integrated file system (IFS) log files | +| `Process monitoring` | Message queues, database monitoring | + + + + + +In details, the following table denotes the type of events produced by this integration. + +| Name | Values | +| ---- | ------ | +| Kind | `` | +| Category | `authentication`, `database`, `file`, `network`, `process`, `session` | +| Type | `change`, `end`, `info`, `start` | + + + + +## Event Samples + +Find below few samples of events and how they are normalized by Sekoia.io. + + +=== "cpc1126_1.json" + + ```json + + { + "message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPC1126|Low|act=CodeSample reason=CPC1126 msg=The user QSYSOPR has stopped the job 080352/QTMHHTTP/ADMIN. suser=QSYSOPR sproc=086157/QSYSOPR/UPSA_QHTTP shost=EXPC3", + "event": { + "category": [ + "process" + ], + "code": "CPC1126", + "dataset": "QSYS-QHST", + "reason": "The user QSYSOPR has stopped the job 080352/QTMHHTTP/ADMIN.", + "type": [ + "end" + ] + }, + "host": { + "name": "EXPC3" + }, + "observer": { + "product": "IBM i", + "vendor": "IBM", + "version": "7.3" + }, + "process": { + "name": "QSYSOPR/UPSA_QHTTP", + "pid": 86157 + }, + "related": { + "user": [ + "QSYSOPR" + ] + }, + "user": { + "name": "QSYSOPR" + } + } + + ``` + + +=== "cpc1126_2.json" + + ```json + + { + "message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPC1126|Low|reason=CPC1126 msg=L'utilisateur QSYSOPR a arr\u00eat{ le travail 080352/QTMHHTTP/ADMIN. 
suser=QSYSOPR sproc=086157/QSYSOPR/UPSA_QHTTP shost=EXPC3", + "event": { + "category": [ + "process" + ], + "code": "CPC1126", + "dataset": "QSYS-QHST", + "reason": "L'utilisateur QSYSOPR a arr\u00eat{ le travail 080352/QTMHHTTP/ADMIN.", + "type": [ + "end" + ] + }, + "host": { + "name": "EXPC3" + }, + "observer": { + "product": "IBM i", + "vendor": "IBM", + "version": "7.3" + }, + "process": { + "name": "QSYSOPR/UPSA_QHTTP", + "pid": 86157 + }, + "related": { + "user": [ + "QSYSOPR" + ] + }, + "user": { + "name": "QSYSOPR" + } + } + + ``` + + +=== "cpf0907.json" + + ```json + + { + "message": "CEF:0|IBM|IBM i|7.4|MSGMON|CPF0907|5|cat=MSG Queue Messages rt=2020-04-30-11.35.29.886549 reason=CPF0907 cs1Label=msgSev cs1=ERROR cs2Label=msgQueue cs2=QSYS/QSYSOPR cs3Label=pgmName cs3=QWCATARE msg=Serious storage condition may exist. Press HELP. cs4Label=srdb cs4=I5OSP4 suser=QSYS sproc=541034/QSYS/QSYSARB5 shost=I5OSP4", + "event": { + "category": [ + "process" + ], + "dataset": "MSGMON", + "reason": "Serious storage condition may exist. 
Press HELP.", + "type": [ + "info" + ] + }, + "@timestamp": "2020-04-30T11:35:29.886549Z", + "host": { + "name": "I5OSP4" + }, + "ibm_i": { + "cat": "MSG Queue Messages", + "pgmName": "QWCATARE" + }, + "observer": { + "product": "IBM i", + "vendor": "IBM", + "version": "7.4" + }, + "process": { + "name": "QSYS/QSYSARB5", + "pid": 541034 + }, + "related": { + "user": [ + "QSYS" + ] + }, + "user": { + "name": "QSYS" + } + } + + ``` + + +=== "cpf0927.json" + + ```json + + { + "message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPF0927|Low|reason=CPF0927 msg=Subsystem QBATCH stopped suser=QSYS sproc=080211/QSYS/QSYSARB4 shost=EXPC3", + "event": { + "category": [ + "process" + ], + "code": "CPF0927", + "dataset": "QSYS-QHST", + "reason": "Subsystem QBATCH stopped", + "type": [ + "end" + ] + }, + "host": { + "name": "EXPC3" + }, + "observer": { + "product": "IBM i", + "vendor": "IBM", + "version": "7.3" + }, + "process": { + "name": "QSYS/QSYSARB4", + "pid": 80211 + }, + "related": { + "user": [ + "QSYS" + ] + }, + "user": { + "name": "QSYS" + } + } + + ``` + + +=== "cpf1124_1.json" + + ```json + + { + "message": "CEF:0|IBM|IBM i|7.4|QSYS-QHST|CPF1124|Low|reason=CPF1124 msg=Job 722506/QZRDSRMOWN/SLMSQMONS started on 25.08.20 at 18:59:04 in subsystem SLSBS in QZRDSECSRM. Job entered system on 25.08.20 at 18:59:04. suser=QZRDSRMOWN sproc=722506/QZRDSRMOWN/SLMSQMONS shost=EXPC3", + "event": { + "category": [ + "process" + ], + "code": "CPF1124", + "dataset": "QSYS-QHST", + "reason": "Job 722506/QZRDSRMOWN/SLMSQMONS started on 25.08.20 at 18:59:04 in subsystem SLSBS in QZRDSECSRM. 
Job entered system on 25.08.20 at 18:59:04.", + "type": [ + "start" + ] + }, + "host": { + "name": "EXPC3" + }, + "observer": { + "product": "IBM i", + "vendor": "IBM", + "version": "7.4" + }, + "process": { + "name": "QZRDSRMOWN/SLMSQMONS", + "pid": 722506 + }, + "related": { + "user": [ + "QZRDSRMOWN" + ] + }, + "user": { + "name": "QZRDSRMOWN" + } + } + + ``` + + +=== "cpf1124_2.json" + + ```json + + { + "message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPF1124|Low|reason=CPF1124 msg=Travail 086167/QZRDSRMOWN/SLMSQMONS d{marr{ le 12/03/24 @ 02:08:51 dans le sous-syst}me SLSBS de QZRDSECSRM ; soumis le 12/03/24 @ 02:08:51. suser=QZRDSRMOWN sproc=086167/QZRDSRMOWN/SLMSQMONS shost=EXPC3", + "event": { + "category": [ + "process" + ], + "code": "CPF1124", + "dataset": "QSYS-QHST", + "reason": "Travail 086167/QZRDSRMOWN/SLMSQMONS d{marr{ le 12/03/24 @ 02:08:51 dans le sous-syst}me SLSBS de QZRDSECSRM ; soumis le 12/03/24 @ 02:08:51.", + "type": [ + "start" + ] + }, + "host": { + "name": "EXPC3" + }, + "observer": { + "product": "IBM i", + "vendor": "IBM", + "version": "7.3" + }, + "process": { + "name": "QZRDSRMOWN/SLMSQMONS", + "pid": 86167 + }, + "related": { + "user": [ + "QZRDSRMOWN" + ] + }, + "user": { + "name": "QZRDSRMOWN" + } + } + + ``` + + +=== "cpf1164_1.json" + + ```json + + { + "message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPF1164|High|reason=CPF1164 msg=Job 111111/JDOE/JPRC stopped at 12/03/24 @ 02:06:54; UC time 0,002; exit code 123 . 
suser=JDOE sproc=111111/JDOE/JPRC shost=EXPC3", + "event": { + "category": [ + "process" + ], + "code": "CPF1164", + "dataset": "QSYS-QHST", + "reason": "Job 111111/JDOE/JPRC stopped at 12/03/24 @ 02:06:54; UC time 0,002; exit code 123 .", + "type": [ + "end" + ] + }, + "host": { + "name": "EXPC3" + }, + "observer": { + "product": "IBM i", + "vendor": "IBM", + "version": "7.3" + }, + "process": { + "exit_code": 123, + "name": "JDOE/JPRC", + "pid": 111111 + }, + "related": { + "user": [ + "JDOE" + ] + }, + "user": { + "name": "JDOE" + } + } + + ``` + + +=== "cpf1164_2.json" + + ```json + + { + "message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPF1164|High|reason=CPF1164 msg=Travail 080694/QSPLJOB/RMTW000008 arr\u00eat{ le 12/03/24 @ 02:05:56; temps UC 0,005; code fin 50 . suser=QSPLJOB sproc=080694/QSPLJOB/RMTW000008 shost=EXPC3", + "event": { + "category": [ + "process" + ], + "code": "CPF1164", + "dataset": "QSYS-QHST", + "reason": "Travail 080694/QSPLJOB/RMTW000008 arr\u00eat{ le 12/03/24 @ 02:05:56; temps UC 0,005; code fin 50 .", + "type": [ + "end" + ] + }, + "host": { + "name": "EXPC3" + }, + "observer": { + "product": "IBM i", + "vendor": "IBM", + "version": "7.3" + }, + "process": { + "exit_code": 50, + "name": "QSPLJOB/RMTW000008", + "pid": 80694 + }, + "related": { + "user": [ + "QSPLJOB" + ] + }, + "user": { + "name": "QSPLJOB" + } + } + + ``` + + +=== "cpi3e34_1.json" + + ```json + + { + "message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPI3E34|Low|reason=CPI3E34 msg=User QBRMS, client 192.168.242.20, was connected to the job 086171/QUSER/QRWTSRVR in the subsystem QSYSWRK, QSYS, 12/03/24, 02:16:22. 
suser=QBRMS sproc=086171/QUSER/QRWTSRVR shost=EXPC3", + "event": { + "category": [ + "session" + ], + "code": "CPI3E34", + "dataset": "QSYS-QHST", + "reason": "User QBRMS, client 192.168.242.20, was connected to the job 086171/QUSER/QRWTSRVR in the subsystem QSYSWRK, QSYS, 12/03/24, 02:16:22.", + "type": [ + "start" + ] + }, + "@timestamp": "2024-12-03T02:16:22Z", + "host": { + "name": "EXPC3" + }, + "observer": { + "product": "IBM i", + "vendor": "IBM", + "version": "7.3" + }, + "process": { + "name": "QUSER/QRWTSRVR", + "pid": 86171 + }, + "related": { + "ip": [ + "192.168.242.20" + ], + "user": [ + "QBRMS" + ] + }, + "source": { + "address": "192.168.242.20", + "ip": "192.168.242.20" + }, + "user": { + "name": "QBRMS" + } + } + + ``` + + +=== "cpi3e34_2.json" + + ```json + + { + "message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|CPI3E34|Low|reason=CPI3E34 msg=L'utilisateur QBRMS, client 192.168.242.20, est connect{ au travail 086171/QUSER/QRWTSRVR dans le sous-syst}me QSYSWRK, QSYS, 12/03/24, 02:16:22. 
suser=QBRMS sproc=086171/QUSER/QRWTSRVR shost=EXPC3", + "event": { + "category": [ + "session" + ], + "code": "CPI3E34", + "dataset": "QSYS-QHST", + "reason": "L'utilisateur QBRMS, client 192.168.242.20, est connect{ au travail 086171/QUSER/QRWTSRVR dans le sous-syst}me QSYSWRK, QSYS, 12/03/24, 02:16:22.", + "type": [ + "start" + ] + }, + "@timestamp": "2024-12-03T02:16:22Z", + "host": { + "name": "EXPC3" + }, + "observer": { + "product": "IBM i", + "vendor": "IBM", + "version": "7.3" + }, + "process": { + "name": "QUSER/QRWTSRVR", + "pid": 86171 + }, + "related": { + "ip": [ + "192.168.242.20" + ], + "user": [ + "QBRMS" + ] + }, + "source": { + "address": "192.168.242.20", + "ip": "192.168.242.20" + }, + "user": { + "name": "QBRMS" + } + } + + ``` + + +=== "db2mon.json" + + ```json + + { + "message": "CEF:0|IBM|IBM i|7.4|DB2MON|DB2 change monitoring (Journal Extract Tool)|3|act=UPDATE rt=2020-04-30-12.11.52.265056 sproc=551907/BARLEN/QPADEV000D shost=I5OSP4 suser=BARLEN fname=QZRDSECSRM/SLTHSTENT cs1Label=pgmName cs1=CFGSLHSTP cs2Label=updatedColumnNames cs2=EVTUSER1,EVTMSGID1,EVTMSGID2,EVTMSGID3 cs5Label=rowDataBefore cs5=QJ_JOURNAL_ENTRY_TYPE\\=\"UB\" QJ_RECEIVER_NAME\\=\"DETRCV0010\" QJ_SEQUENCE_NUMBER\\=\"22145\" EVTUSER1\\=\"BARLEN\" EVTMSGID1\\=\"CPF1122\" EVTMSGID2\\=\"CPF9998\" EVTMSGID3\\=\"SLS0040\" cs4Label=rowDataAfter cs4=QJ_JOURNAL_ENTRY_TYPE\\=\"UP\" QJ_RECEIVER_NAME\\=\"DETRCV0010\" QJ_SEQUENCE_NUMBER\\=\"22146\" EVTUSER1\\=\"BARLEN3\" EVTMSGID1\\=\"CPF1129\" EVTMSGID2\\=\"CPF9997\" EVTMSGID3\\=\"SLS0042\"", + "event": { + "action": "UPDATE", + "category": [ + "database" + ], + "dataset": "DB2MON", + "type": [ + "change" + ] + }, + "@timestamp": "2020-04-30T12:11:52.265056Z", + "host": { + "name": "I5OSP4" + }, + "ibm_i": { + "pgmName": "CFGSLHSTP" + }, + "observer": { + "product": "IBM i", + "vendor": "IBM", + "version": "7.4" + }, + "process": { + "name": "BARLEN/QPADEV000D", + "pid": 551907 + }, + "related": { + "user": [ + "BARLEN" + ] + }, + 
"user": { + "name": "BARLEN" + } + } + + ``` + + +=== "isfmon.json" + + ```json + + { + "message": "CEF:0|IBM|IBM i|7.4|IFSMON|IFS File Monitor Journal Entry Type B-WA|3|act=B-WA Write, after-image event sproc=722496/BARLEN/QZSHSH suser=BARLEN shost=CTCSECT5 filePath=/home/barlen/ifsmon/weblog2.log fileType=*STMF cs2Label=changedDataLength cs2=0000000064 cs3Label=changedDataPart cs3=*ONLY cs4Label=changedDataFileOffset cs4=00000000000000788915 cs1Label=changedData cs1=Unauthorized access to Web resource accountInfo by user TBARLEN", + "event": { + "category": [ + "file" + ], + "dataset": "IFSMON", + "reason": "Unauthorized access to Web resource accountInfo by user TBARLEN", + "type": [ + "info" + ] + }, + "file": { + "directory": "/home/barlen/ifsmon", + "name": "weblog2.log", + "path": "/home/barlen/ifsmon/weblog2.log" + }, + "host": { + "name": "CTCSECT5" + }, + "observer": { + "product": "IBM i", + "vendor": "IBM", + "version": "7.4" + }, + "process": { + "name": "BARLEN/QZSHSH", + "pid": 722496 + }, + "related": { + "user": [ + "BARLEN" + ] + }, + "user": { + "name": "BARLEN" + } + } + + ``` + + +=== "taf.json" + + ```json + + { + "message": "CEF:0|IBM|IBM i|7.4|QSYS-QAUDJRN|T-AF|Medium|reason=Authority failure msg=Not authorized to object fileType=*PGM cs1Label=objName cs1=QZRDSECSRM/CFGJSCR suser=THOMAS sproc=722470/THOMAS/QPADEV000P shost=I5OSP4 src=192.168.126.71 spt=36868 evtAggregation=*NO entryTypeField=A", + "event": { + "category": [ + "authentication" + ], + "dataset": "QSYS-QAUDJRN", + "reason": "Not authorized to object", + "type": [ + "info" + ] + }, + "host": { + "name": "I5OSP4" + }, + "ibm_i": { + "objName": "QZRDSECSRM/CFGJSCR" + }, + "observer": { + "product": "IBM i", + "vendor": "IBM", + "version": "7.4" + }, + "process": { + "name": "THOMAS/QPADEV000P", + "pid": 722470 + }, + "related": { + "ip": [ + "192.168.126.71" + ], + "user": [ + "THOMAS" + ] + }, + "source": { + "address": "192.168.126.71", + "ip": "192.168.126.71", + "port": 36868 
+ }, + "user": { + "name": "THOMAS" + } + } + + ``` + + +=== "tcd.json" + + ```json + + { + "message": "CEF:0|IBM|IBM i|7.4|QSYS-QAUDJRN|T-CD|Low|reason=Command string audit msg=Command run interactively from a command line or by choosing a menu option that runs a CL command - CHGENVVAR ENVVAR(test4) VALUE(77777) LEVEL(*SYS) fileType=*CMD cs1Label=objName cs1=QSYS/CHGENVVAR suser=BARLEN sproc=721738/BARLEN/QPADEV000Q shost=I5OSP4 src=192.168.126.71 spt=36888 evtAggregation=*NO entryTypeField=C", + "event": { + "category": [ + "process" + ], + "dataset": "QSYS-QAUDJRN", + "reason": "Command run interactively from a command line or by choosing a menu option that runs a CL command - CHGENVVAR ENVVAR(test4) VALUE(77777) LEVEL(*SYS)", + "type": [ + "start" + ] + }, + "host": { + "name": "I5OSP4" + }, + "ibm_i": { + "objName": "QSYS/CHGENVVAR" + }, + "observer": { + "product": "IBM i", + "vendor": "IBM", + "version": "7.4" + }, + "process": { + "name": "BARLEN/QPADEV000Q", + "pid": 721738 + }, + "related": { + "ip": [ + "192.168.126.71" + ], + "user": [ + "BARLEN" + ] + }, + "source": { + "address": "192.168.126.71", + "ip": "192.168.126.71", + "port": 36888 + }, + "user": { + "name": "BARLEN" + } + } + + ``` + + +=== "tcp2617.json" + + ```json + + { + "message": "CEF:0|IBM|IBM i|7.3|QSYS-QHST|TCP2617|Low|reason=TCP2617 msg=TCP/IP connection to remote system 10.1.43.58 closed, reason code 1. 
suser=QSYS sproc=080247/QSYS/QTCPWRK shost=EXPC3", + "event": { + "category": [ + "network" + ], + "code": "TCP2617", + "dataset": "QSYS-QHST", + "reason": "TCP/IP connection to remote system 10.1.43.58 closed, reason code 1.", + "type": [ + "end" + ] + }, + "host": { + "name": "EXPC3" + }, + "observer": { + "product": "IBM i", + "vendor": "IBM", + "version": "7.3" + }, + "process": { + "name": "QSYS/QTCPWRK", + "pid": 80247 + }, + "related": { + "user": [ + "QSYS" + ] + }, + "user": { + "name": "QSYS" + } + } + + ``` + + + + + +## Extracted Fields + +The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed. + +| Name | Type | Description | +| ---- | ---- | ---------------------------| +|`@timestamp` | `date` | Date/time when the event originated. | +|`event.action` | `keyword` | The action captured by the event. | +|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. | +|`event.code` | `keyword` | Identification code for this event. | +|`event.dataset` | `keyword` | Name of the dataset. | +|`event.reason` | `keyword` | Reason why this event happened, according to the source | +|`event.type` | `keyword` | Event type. The third categorization field in the hierarchy. | +|`file.directory` | `keyword` | Directory where the file is located. | +|`file.name` | `keyword` | Name of the file including the extension, without the directory. | +|`file.path` | `keyword` | Full path to the file, including the file name. | +|`host.name` | `keyword` | Name of the host. | +|`ibm_i.cat` | `keyword` | The category of the object | +|`ibm_i.objName` | `keyword` | The name of the object | +|`ibm_i.pgmName` | `keyword` | The name of the program | +|`observer.product` | `keyword` | The product name of the observer. | +|`observer.vendor` | `keyword` | Vendor name of the observer. 
| +|`observer.version` | `keyword` | Observer version. | +|`process.exit_code` | `long` | The exit code of the process. | +|`process.name` | `keyword` | Process name. | +|`process.pid` | `long` | Process id. | +|`source.ip` | `ip` | IP address of the source. | +|`source.port` | `long` | Port of the source. | +|`user.name` | `keyword` | Short name or login of the user. | +