Merge pull request #1440 from SEKOIA-IO/update-intake-documentation
Refresh intakes documentation
otetard authored Nov 17, 2023
2 parents 65f1af3 + 98146e0 commit 8d129d3
Showing 4 changed files with 3,069 additions and 178 deletions.
@@ -15,7 +15,232 @@ The following table lists the data source offered by this integration.



In details, the following table denotes the type of events produced by this integration.

| Name | Values |
| ---- | ------ |
| Kind | `event` |
| Category | `network` |
| Type | `` |




## Event Samples

Find below few samples of events and how they are normalized by Sekoia.io.


=== "test_begin.json"

```json

{
"message": "{\"flow_state\": \"begin\",\"resourceId\":\"/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG\",\"macAddress\":\"DB831EFEC376\",\"flow.0\":\"1493763938,1.2.3.4,5.6.7.8,35370,23,T,I,A,B,,,,\",\"rule\":\"DefaultRule_AllowVnetOutBound\",\"operationName\":\"NetworkSecurityGroupFlowEvents\",\"time\":\"2020-12-14T22:16:46.3528160Z\",\"version\":\"2\"}",
"event": {
"kind": "event",
"category": [
"network"
],
"code": "NetworkSecurityGroupFlowEvents",
"action": "accept",
"type": [
"allowed"
]
},
"rule": {
"name": "DefaultRule_AllowVnetOutBound"
},
"action": {
"type": "DefaultRule_AllowVnetOutBound",
"target": "network-traffic",
"properties": [
{
"OperationName": "NetworkSecurityGroupFlowEvents",
"FlowState": "begin",
"Version": "2"
}
],
"name": "accept"
},
"host": {
"name": "/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG"
},
"network": {
"transport": "tcp",
"direction": "inbound"
},
"source": {
"ip": "1.2.3.4",
"port": 35370,
"mac": "DB831EFEC376",
"address": "1.2.3.4"
},
"destination": {
"ip": "5.6.7.8",
"port": 23,
"address": "5.6.7.8"
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
]
}
}
```


=== "test_end.json"

```json

{
"message": "{\"flow_state\": \"end\", \"resourceId\":\"/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG\",\"macAddress\":\"DB831EFEC376\",\"flow.0\":\"1607984156,1.2.3.4,5.6.7.8,36422,8086,T,O,A,E,1,74,1,74\",\"rule\":\"DefaultRule_AllowVnetOutBound\",\"operationName\":\"NetworkSecurityGroupFlowEvents\",\"time\":\"2020-12-14T22:16:46.3528160Z\",\"version\":\"2\"}",
"event": {
"kind": "event",
"category": [
"network"
],
"code": "NetworkSecurityGroupFlowEvents",
"action": "accept",
"type": [
"allowed"
]
},
"rule": {
"name": "DefaultRule_AllowVnetOutBound"
},
"action": {
"type": "DefaultRule_AllowVnetOutBound",
"target": "network-traffic",
"properties": [
{
"OperationName": "NetworkSecurityGroupFlowEvents",
"FlowState": "end",
"Version": "2"
}
],
"name": "accept"
},
"host": {
"name": "/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG"
},
"network": {
"transport": "tcp",
"direction": "outbound"
},
"source": {
"ip": "1.2.3.4",
"port": 36422,
"packets": 1,
"bytes": 74,
"mac": "DB831EFEC376",
"address": "1.2.3.4"
},
"destination": {
"ip": "5.6.7.8",
"port": 8086,
"packets": 1,
"bytes": 74,
"address": "5.6.7.8"
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
]
}
}
```


=== "test_short.json"

```json

{
"message": "{\"flow_state\": \"begin\", \"source_addr\": \"1.3.4.2\", \"macAddress\": \"DB831EFEC376\", \"operationName\": \"NetworkSecurityGroupFlowEvents\", \"resourceId\": \"/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG\", \"time\": \"2021-03-24T10:55:03.0680749Z\", \"rule\": \"DefaultRule_AllowInternetOutBound\", \"flow.0\": \"1616583277,1.2.3.4,5.6.7.8,55486,443,T,O,A\"}",
"event": {
"kind": "event",
"category": [
"network"
],
"code": "NetworkSecurityGroupFlowEvents",
"action": "accept",
"type": [
"allowed"
]
},
"rule": {
"name": "DefaultRule_AllowInternetOutBound"
},
"action": {
"type": "DefaultRule_AllowInternetOutBound",
"target": "network-traffic",
"properties": [
{
"OperationName": "NetworkSecurityGroupFlowEvents",
"FlowState": "begin"
}
],
"name": "accept"
},
"host": {
"name": "/SUBSCRIPTIONS/13C8046C-DB72-4C35-9D71-60667ED9E869/RESOURCEGROUPS/INTEGRATION/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/TEST-NSG"
},
"network": {
"transport": "tcp",
"direction": "inbound"
},
"source": {
"ip": "1.3.4.2",
"port": 55486,
"mac": "DB831EFEC376",
"address": "1.3.4.2"
},
"destination": {
"ip": "5.6.7.8",
"port": 443,
"address": "5.6.7.8"
},
"related": {
"ip": [
"1.3.4.2",
"5.6.7.8"
]
}
}
```





## Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

| Name | Type | Description |
| ---- | ---- | ---------------------------|
|`@timestamp` | `date` | Date/time when the event originated. |
|`action.properties` | `array` | action.properties |
|`action.target` | `keyword` | The target of the action |
|`destination.bytes` | `long` | Bytes sent from the destination to the source. |
|`destination.ip` | `ip` | IP address of the destination. |
|`destination.packets` | `long` | Packets sent from the destination to the source. |
|`destination.port` | `long` | Port of the destination. |
|`event.category` | `keyword` | Event category. The second categorization field in the hierarchy. |
|`event.code` | `keyword` | Identification code for this event. |
|`event.kind` | `keyword` | The kind of the event. The highest categorization field in the hierarchy. |
|`host.name` | `keyword` | Name of the host. |
|`rule.name` | `keyword` | Rule name |
|`source.bytes` | `long` | Bytes sent from the source to the destination. |
|`source.ip` | `ip` | IP address of the source. |
|`source.mac` | `keyword` | MAC address of the source. |
|`source.packets` | `long` | Packets sent from the source to the destination. |
|`source.port` | `long` | Port of the source. |

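Review bot: the `test_short.json` sample is internally inconsistent: the `flow.0` tuple carries `O` in the direction position (`1616583277,1.2.3.4,5.6.7.8,55486,443,T,O,A`), which the `test_end.json` sample normalizes to `"direction": "outbound"`, yet the short sample's expected output shows `"direction": "inbound"`; either the parser ignores the direction flag for truncated tuples (in which case the text should say so) or the expected output should read `outbound`. The same sample takes `source.ip` from `source_addr` (`1.3.4.2`) rather than from the tuple (`1.2.3.4`), so the precedence between the two should be documented. Two smaller points in the same hunk: the `Type` row of the event-type table has an empty value while every sample emits `event.type: ["allowed"]`, so it should list `allowed` (and any other values the parser emits); and the Extracted Fields intro has the typo `infered` (should be `inferred`), while `In details` should read `In detail`.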
@@ -672,6 +672,69 @@ Find below few samples of events and how they are normalized by Sekoia.io.
```


=== "json_post.json"

```json

{
"message": "8.8.8.8 - - [15/Nov/2023:12:49:15 +0100] \"POST /path/to/url HTTP/1.1\" 200 6390 \"https://example.of.address/12345\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/1.0.0.0 Safari/537.36 Edg/1.0.0.0\" 0.239 0.223 .",
"event": {
"category": [
"web"
],
"dataset": "access",
"kind": "event",
"type": [
"access"
]
},
"@timestamp": "2023-11-15T11:49:15Z",
"http": {
"request": {
"method": "POST",
"referrer": "https://example.of.address/12345"
},
"response": {
"bytes": 6390,
"status_code": 200
},
"version": "1.1"
},
"observer": {
"product": "nginx",
"type": "WEB server",
"vendor": "F5"
},
"related": {
"ip": [
"8.8.8.8"
]
},
"source": {
"address": "8.8.8.8",
"ip": "8.8.8.8"
},
"url": {
"original": "/path/to/url",
"path": "/path/to/url"
},
"user_agent": {
"device": {
"name": "Other"
},
"name": "Edge",
"original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/1.0.0.0 Safari/537.36 Edg/1.0.0.0",
"os": {
"name": "Windows",
"version": "10"
},
"version": "1.0.0"
}
}
```





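Review bot: the new sample is labelled `json_post.json`, but the `message` it carries is a plain combined-log-format access line, not JSON, so the tab name is misleading next to the other samples; either rename it to reflect the format or use an nginx line that is actually JSON-formatted. Two further points: the three trailing values in the message (`0.239 0.223 .`), which are not part of the standard combined format, are not reflected anywhere in the normalized output, so the text should state whether they are intentionally dropped; and the source address `8.8.8.8` is a live public resolver, so an address from a documentation range such as `192.0.2.0/24` (RFC 5737) would be a safer sample value.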