Merge pull request #1769 from SEKOIA-IO/update-intake-documentation
Refresh intakes documentation
otetard authored May 13, 2024
2 parents d9ceb14 + 8bdacba commit 7a6a8b4
Showing 4 changed files with 3,209 additions and 321 deletions.
Expand Up @@ -38,16 +38,12 @@ Find below few samples of events and how they are normalized by Sekoia.io.
{
"message": "2 424805057484 eni-0f06a40fc9be596f6 212.83.179.156 10.0.0.96 123 123 17 2 152 1599665193 1599665488 ACCEPT OK",
"event": {
"action": "accept",
"category": [
"network"
],
"end": "2020-09-09T15:31:28Z",
"outcome": "ok",
"start": "2020-09-09T15:26:33Z",
"type": [
"allowed"
]
"start": "2020-09-09T15:26:33Z"
},
"@timestamp": "2020-09-09T15:26:33Z",
"action": {
Expand All @@ -60,10 +56,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"account": {
"id": "424805057484"
},
"provider": "aws",
"service": {
"name": "vpc"
}
"provider": "aws"
},
"destination": {
"address": "10.0.0.96",
Expand Down Expand Up @@ -93,9 +86,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"ip": "212.83.179.156",
"packets": 2,
"port": 123
},
"user": {
"id": "424805057484"
}
}
Expand All @@ -109,16 +99,12 @@ Find below few samples of events and how they are normalized by Sekoia.io.
{
"message": "{\"version\":2,\"account_id\":\"424805057484\",\"interface_id\":\"eni-0f06a40fc9be596f6\",\"srcaddr\":\"5.6.7.8\",\"dstaddr\":\"1.2.3.4\",\"srcport\":4712,\"dstport\":53205,\"protocol\":6,\"packets\":12,\"bytes\":2610,\"start\":1661950735,\"end\":1661950746,\"action\":\"ACCEPT\",\"log_status\":\"OK\"}\n",
"event": {
"action": "accept",
"category": [
"network"
],
"end": "2022-08-31T12:59:06Z",
"outcome": "ok",
"start": "2022-08-31T12:58:55Z",
"type": [
"allowed"
]
"start": "2022-08-31T12:58:55Z"
},
"@timestamp": "2022-08-31T12:58:55Z",
"action": {
Expand All @@ -131,10 +117,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"account": {
"id": "424805057484"
},
"provider": "aws",
"service": {
"name": "vpc"
}
"provider": "aws"
},
"destination": {
"address": "1.2.3.4",
Expand Down Expand Up @@ -164,9 +147,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"ip": "5.6.7.8",
"packets": 12,
"port": 4712
},
"user": {
"id": "424805057484"
}
}
Expand All @@ -180,16 +160,12 @@ Find below few samples of events and how they are normalized by Sekoia.io.
{
"message": "5 424805057484 eni-1235b8ca123456789 52.95.128.179 10.0.0.71 46945 53 17 1 73 1658131186 1658131216 ACCEPT OK vpc-abcdefab012345678 subnet-aaaaaaaa012345678 - 0 IPv4 52.95.128.179 10.0.0.71 eu-west-1 euw1-az3 - - - - egress 8",
"event": {
"action": "accept",
"category": [
"network"
],
"end": "2022-07-18T08:00:16Z",
"outcome": "ok",
"start": "2022-07-18T07:59:46Z",
"type": [
"allowed"
]
"start": "2022-07-18T07:59:46Z"
},
"@timestamp": "2022-07-18T07:59:46Z",
"action": {
Expand All @@ -202,10 +178,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"account": {
"id": "424805057484"
},
"provider": "aws",
"service": {
"name": "vpc"
}
"provider": "aws"
},
"destination": {
"address": "10.0.0.71",
Expand Down Expand Up @@ -235,9 +208,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"ip": "52.95.128.179",
"packets": 1,
"port": 46945
},
"user": {
"id": "424805057484"
}
}
Expand All @@ -251,16 +221,12 @@ Find below few samples of events and how they are normalized by Sekoia.io.
{
"message": "2 123456789010 eni-1235b8ca123456789 2001:db8:1234:a100:8d6e:3477:df66:f105 2001:db8:1234:a102:3304:8879:34cf:4071 34892 22 6 54 8855 1477913708 1477913820 ACCEPT OK",
"event": {
"action": "accept",
"category": [
"network"
],
"end": "2016-10-31T11:37:00Z",
"outcome": "ok",
"start": "2016-10-31T11:35:08Z",
"type": [
"allowed"
]
"start": "2016-10-31T11:35:08Z"
},
"@timestamp": "2016-10-31T11:35:08Z",
"action": {
Expand All @@ -273,10 +239,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"account": {
"id": "123456789010"
},
"provider": "aws",
"service": {
"name": "vpc"
}
"provider": "aws"
},
"destination": {
"address": "2001:db8:1234:a102:3304:8879:34cf:4071",
Expand Down Expand Up @@ -306,9 +269,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"ip": "2001:db8:1234:a100:8d6e:3477:df66:f105",
"packets": 54,
"port": 34892
},
"user": {
"id": "123456789010"
}
}
Expand Down Expand Up @@ -338,20 +298,14 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"account": {
"id": "123456789010"
},
"provider": "aws",
"service": {
"name": "vpc"
}
"provider": "aws"
},
"observer": {
"ingress": {
"interface": {
"name": "eni-1235b8ca123456789"
}
}
},
"user": {
"id": "123456789010"
}
}
Expand All @@ -365,16 +319,12 @@ Find below few samples of events and how they are normalized by Sekoia.io.
{
"message": "2 424805057484 eni-0f06a40fc9be596f6 195.14.170.50 10.0.0.96 53996 20248 6 1 40 1599665374 1599665428 REJECT OK",
"event": {
"action": "reject",
"category": [
"network"
],
"end": "2020-09-09T15:30:28Z",
"outcome": "ok",
"start": "2020-09-09T15:29:34Z",
"type": [
"denied"
]
"start": "2020-09-09T15:29:34Z"
},
"@timestamp": "2020-09-09T15:29:34Z",
"action": {
Expand All @@ -387,10 +337,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"account": {
"id": "424805057484"
},
"provider": "aws",
"service": {
"name": "vpc"
}
"provider": "aws"
},
"destination": {
"address": "10.0.0.96",
Expand Down Expand Up @@ -420,9 +367,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"ip": "195.14.170.50",
"packets": 1,
"port": 53996
},
"user": {
"id": "424805057484"
}
}
Expand All @@ -436,16 +380,12 @@ Find below few samples of events and how they are normalized by Sekoia.io.
{
"message": "{\"version\":2,\"account_id\":\"424805057484\",\"interface_id\":\"eni-0f06a40fc9be596f6\",\"srcaddr\":\"1.2.3.4\",\"dstaddr\":\"5.6.7.8\",\"srcport\":53094,\"dstport\":2323,\"protocol\":6,\"packets\":1,\"bytes\":40,\"start\":1661950735,\"end\":1661950746,\"action\":\"REJECT\",\"log_status\":\"OK\"}\n",
"event": {
"action": "reject",
"category": [
"network"
],
"end": "2022-08-31T12:59:06Z",
"outcome": "ok",
"start": "2022-08-31T12:58:55Z",
"type": [
"denied"
]
"start": "2022-08-31T12:58:55Z"
},
"@timestamp": "2022-08-31T12:58:55Z",
"action": {
Expand All @@ -458,10 +398,7 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"account": {
"id": "424805057484"
},
"provider": "aws",
"service": {
"name": "vpc"
}
"provider": "aws"
},
"destination": {
"address": "5.6.7.8",
Expand Down Expand Up @@ -491,9 +428,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"ip": "1.2.3.4",
"packets": 1,
"port": 53094
},
"user": {
"id": "424805057484"
}
}
Expand All @@ -516,10 +450,8 @@ The following table lists the fields that are extracted, normalized under the EC
|`action.type` | `keyword` | The type of the action |
|`cloud.account.id` | `keyword` | The cloud account or organization id. |
|`cloud.provider` | `keyword` | Name of the cloud provider. |
|`cloud.service.name` | `keyword` | The cloud service name. |
|`destination.ip` | `ip` | IP address of the destination. |
|`destination.port` | `long` | Port of the destination. |
|`event.action` | `keyword` | The action captured by the event. |
|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
|`event.end` | `date` | event.end contains the date when the event ended or when the activity was last observed. |
|`event.start` | `date` | event.start contains the date when the event started or when the activity was first observed. |
Expand All @@ -529,5 +461,4 @@ The following table lists the fields that are extracted, normalized under the EC
|`source.ip` | `ip` | IP address of the source. |
|`source.packets` | `long` | Packets sent from the source to the destination. |
|`source.port` | `long` | Port of the source. |
|`user.id` | `keyword` | Unique identifier of the user. |

Expand Up @@ -40,7 +40,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"@timestamp": "2021-11-23T15:35:08.541882Z",
"action": {
"outcome_reason": "Configuration is changed in the admin session",
"target": "network-traffic",
"type": "system"
},
"log": {
Expand Down Expand Up @@ -658,7 +657,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"name": "roll-log",
"outcome": "success",
"outcome_reason": "Disk log has rolled.",
"target": "network-traffic",
"type": "system"
},
"fortinet": {
Expand Down Expand Up @@ -2280,7 +2278,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"name": "login",
"outcome": "failed",
"outcome_reason": "Login disabled from IP 1.1.1.1 for 60 seconds because of 3 bad attempts",
"target": "network-traffic",
"type": "system"
},
"log": {
Expand Down Expand Up @@ -2315,7 +2312,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"name": "ssl-new-con",
"outcome": "success",
"outcome_reason": "SSL new connection",
"target": "network-traffic",
"type": "vpn"
},
"destination": {
Expand Down Expand Up @@ -3523,7 +3519,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"name": "CRL_1",
"outcome": "success",
"outcome_reason": "A certificate is updated",
"target": "network-traffic",
"type": "vpn"
},
"fortinet": {
Expand Down Expand Up @@ -3581,7 +3576,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"name": "ssl-login-fail",
"outcome": "success",
"outcome_reason": "SSL user failed to logged in",
"target": "network-traffic",
"type": "vpn"
},
"fortinet": {
Expand Down Expand Up @@ -3651,7 +3645,6 @@ Find below few samples of events and how they are normalized by Sekoia.io.
"name": "ssl-login-fail",
"outcome": "success",
"outcome_reason": "SSL user failed to logged in",
"target": "network-traffic",
"type": "vpn"
},
"fortinet": {