Merge pull request #2019 from SEKOIA-IO/update-intake-documentation
Refresh intakes documentation
squioc authored Oct 2, 2024
2 parents 5562718 + b7d8ab7 commit 8d9949e
Showing 22 changed files with 3,936 additions and 14 deletions.
Expand Up @@ -421,6 +421,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"destination": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"mac": "84:fa:b1:70:bf:8e",
"port": 56468
},
"host": {
Expand Down Expand Up @@ -452,6 +453,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"source": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"mac": "80:95:bb:71:95:aa",
"port": 443
}
}
Expand Down Expand Up @@ -481,6 +483,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"destination": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"mac": "b0:df:72:9d:29:9b",
"port": 7680
},
"host": {
Expand Down Expand Up @@ -512,6 +515,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"source": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"mac": "10:9f:4b:3c:50:d7",
"port": 56499
}
}
Expand Down Expand Up @@ -1121,6 +1125,68 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
```


=== "test_device_network_connection.json"

```json

{
"message": "{\"time\":\"2024-09-30T14:02:12.4790551Z\",\"tenantId\":\"d9eae684-f70a-4ac1-b304-53de40a8db56\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceNetworkEvents\",\"_TimeReceivedBySvc\":\"2024-09-30T14:01:00.5234998Z\",\"properties\":{\"DeviceName\":\"ml022\",\"DeviceId\":\"dbe5c34434fb4792bea6874dd0b1f107\",\"ReportId\":21118,\"RemoteIP\":\"1.2.3.4\",\"RemotePort\":57410,\"LocalIP\":\"5.6.7.8\",\"LocalPort\":7680,\"Protocol\":\"TcpV4\",\"RemoteUrl\":null,\"InitiatingProcessCreationTime\":null,\"InitiatingProcessId\":0,\"InitiatingProcessCommandLine\":null,\"InitiatingProcessParentCreationTime\":null,\"InitiatingProcessParentId\":0,\"InitiatingProcessParentFileName\":null,\"InitiatingProcessSHA1\":null,\"InitiatingProcessMD5\":null,\"InitiatingProcessFolderPath\":null,\"InitiatingProcessAccountName\":null,\"InitiatingProcessAccountDomain\":null,\"InitiatingProcessAccountSid\":null,\"InitiatingProcessFileName\":null,\"InitiatingProcessIntegrityLevel\":null,\"InitiatingProcessTokenElevation\":\"None\",\"AppGuardContainerId\":\"\",\"LocalIPType\":null,\"RemoteIPType\":null,\"ActionType\":\"ConnectionAttempt\",\"InitiatingProcessSHA256\":null,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AdditionalFields\":\"{\\\"direction\\\":\\\"In\\\",\\\"Source Mac\\\":\\\"0a:ac:f5:b4:e6:37\\\",\\\"Destination Mac\\\":\\\"18:e8:f8:74:c9:0d\\\",\\\"Tcp Flags\\\":2,\\\"Packet 
Size\\\":66}\",\"InitiatingProcessFileSize\":null,\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"InitiatingProcessSessionId\":null,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-09-30T14:00:41.9341182Z\",\"MachineGroup\":\"Windows 10/11 - remediate threats automatically\"},\"Tenant\":\"DefaultTenant\"}\n",
"event": {
"category": [
"network"
],
"dataset": "device_network_events",
"type": [
"info"
]
},
"@timestamp": "2024-09-30T14:00:41.934118Z",
"action": {
"type": "ConnectionAttempt"
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"mac": "0a:ac:f5:b4:e6:37",
"port": 7680
},
"host": {
"id": "dbe5c34434fb4792bea6874dd0b1f107",
"name": "ml022"
},
"microsoft": {
"defender": {
"report": {
"id": "21118"
}
}
},
"network": {
"protocol": "TcpV4"
},
"process": {
"parent": {
"pid": 0
},
"pid": 0
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"mac": "18:e8:f8:74:c9:0d",
"port": 57410
}
}
```


=== "test_device_network_events.json"

```json
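Review bot: the MAC assignment in this expected output looks inverted relative to the raw event it parses. The embedded message carries `\"direction\":\"In\"`, `\"Source Mac\":\"0a:ac:f5:b4:e6:37\"` and `\"Destination Mac\":\"18:e8:f8:74:c9:0d\"`, and the output treats the remote side `1.2.3.4:57410` as `source` and the local side `5.6.7.8:7680` as `destination`, which is right for an inbound attempt, yet it puts `0a:ac:f5:b4:e6:37` (the raw Source Mac) into `destination.mac` and `18:e8:f8:74:c9:0d` (the raw Destination Mac) into `source.mac`. Either the MAC fields should follow the same remote/local orientation as the IP fields, or the text next to this sample should explain why the MAC names are swapped relative to the raw keys. Separately, `process.pid: 0` and `process.parent.pid: 0` are emitted although every `InitiatingProcess*` field is null; a literal pid 0 reads as a real process, so consider leaving `process` out when `InitiatingProcessId` is 0.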
Expand Down Expand Up @@ -2135,6 +2201,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"mac": "0a:ac:f5:b4:e6:37",
"port": 443
},
"host": {
Expand Down Expand Up @@ -2166,6 +2233,7 @@ This section demonstrates how the raw logs will be transformed by our parsers. I
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"mac": "18:e8:f8:74:c9:0d",
"port": 46112
}
}
Expand Down Expand Up @@ -2367,6 +2435,7 @@ The following table lists the fields that are extracted, normalized under the EC
|`container.id` | `keyword` | Unique container id. |
|`container.runtime` | `keyword` | Runtime managing this container. |
|`destination.ip` | `ip` | IP address of the destination. |
|`destination.mac` | `keyword` | MAC address of the destination. |
|`destination.port` | `long` | Port of the destination. |
|`email.attachments` | `nested` | List of objects describing the attachments. |
|`email.from.address` | `keyword` | The email address of the sender, typically from the RFC 5322 From: header field |
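Review bot: `destination.mac` (and the matching `source.mac` row further down) is typed `keyword` with no statement of the value format. ECS suggests the RFC 7042 notation for these fields (uppercase hex octets separated by hyphens, e.g. `00-00-5E-00-53-23`), while the sample outputs on this page keep the vendor's lowercase colon-separated form (`84:fa:b1:70:bf:8e`). Either normalize in the parser or note here that the raw notation is preserved, so that rules and lookups shared with other intakes do not miss on format alone.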
Expand Down Expand Up @@ -2473,6 +2542,7 @@ The following table lists the fields that are extracted, normalized under the EC
|`source.geo.city_name` | `keyword` | City name. |
|`source.geo.country_iso_code` | `keyword` | Country ISO code. |
|`source.ip` | `ip` | IP address of the source. |
|`source.mac` | `keyword` | MAC address of the source. |
|`source.port` | `long` | Port of the source. |
|`threat.technique.name` | `keyword` | Threat technique name. |
|`url.domain` | `keyword` | Domain of the url. |
Expand Up @@ -861,6 +861,69 @@ In this section, you will find examples of raw logs as generated natively by the



=== "test_device_network_connection"


```json
{
"time": "2024-09-30T14:02:12.4790551Z",
"tenantId": "d9eae684-f70a-4ac1-b304-53de40a8db56",
"operationName": "Publish",
"category": "AdvancedHunting-DeviceNetworkEvents",
"_TimeReceivedBySvc": "2024-09-30T14:01:00.5234998Z",
"properties": {
"DeviceName": "ml022",
"DeviceId": "dbe5c34434fb4792bea6874dd0b1f107",
"ReportId": 21118,
"RemoteIP": "1.2.3.4",
"RemotePort": 57410,
"LocalIP": "5.6.7.8",
"LocalPort": 7680,
"Protocol": "TcpV4",
"RemoteUrl": null,
"InitiatingProcessCreationTime": null,
"InitiatingProcessId": 0,
"InitiatingProcessCommandLine": null,
"InitiatingProcessParentCreationTime": null,
"InitiatingProcessParentId": 0,
"InitiatingProcessParentFileName": null,
"InitiatingProcessSHA1": null,
"InitiatingProcessMD5": null,
"InitiatingProcessFolderPath": null,
"InitiatingProcessAccountName": null,
"InitiatingProcessAccountDomain": null,
"InitiatingProcessAccountSid": null,
"InitiatingProcessFileName": null,
"InitiatingProcessIntegrityLevel": null,
"InitiatingProcessTokenElevation": "None",
"AppGuardContainerId": "",
"LocalIPType": null,
"RemoteIPType": null,
"ActionType": "ConnectionAttempt",
"InitiatingProcessSHA256": null,
"InitiatingProcessAccountUpn": null,
"InitiatingProcessAccountObjectId": null,
"AdditionalFields": "{\"direction\":\"In\",\"Source Mac\":\"0a:ac:f5:b4:e6:37\",\"Destination Mac\":\"18:e8:f8:74:c9:0d\",\"Tcp Flags\":2,\"Packet Size\":66}",
"InitiatingProcessFileSize": null,
"InitiatingProcessVersionInfoCompanyName": null,
"InitiatingProcessVersionInfoProductName": null,
"InitiatingProcessVersionInfoProductVersion": null,
"InitiatingProcessVersionInfoInternalFileName": null,
"InitiatingProcessVersionInfoOriginalFileName": null,
"InitiatingProcessVersionInfoFileDescription": null,
"InitiatingProcessSessionId": null,
"IsInitiatingProcessRemoteSession": false,
"InitiatingProcessRemoteSessionDeviceName": null,
"InitiatingProcessRemoteSessionIP": null,
"Timestamp": "2024-09-30T14:00:41.9341182Z",
"MachineGroup": "Windows 10/11 - remediate threats automatically"
},
"Tenant": "DefaultTenant"
}
```



=== "test_device_network_events"


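Review bot: `AdditionalFields` in this sample is a JSON document serialized as a string inside the event (note the escaped quotes and the keys containing spaces: `\"Source Mac\"`, `\"Destination Mac\"`, `\"Tcp Flags\"`, `\"Packet Size\"`), so a reader comparing it with the parsed output should be told that this string is decoded a second time rather than matched as text. Two of its values, `\"Tcp Flags\":2` (a bare SYN, consistent with `ActionType` `ConnectionAttempt`) and `\"Packet Size\":66`, do not appear anywhere in the parsed `test_device_network_connection.json` output earlier on this page; state whether they are intentionally dropped.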
Expand Up @@ -2340,11 +2340,15 @@ The following table lists the fields that are extracted, normalized under the EC
|`action.properties.CallerProcessName` | `keyword` | |
|`action.properties.CategoryID` | `keyword` | |
|`action.properties.CategoryName` | `keyword` | |
|`action.properties.CertIssuerName` | `keyword` | |
|`action.properties.CertSerialNumber` | `keyword` | |
|`action.properties.CertThumbprint` | `keyword` | |
|`action.properties.ClientProcessId` | `keyword` | |
|`action.properties.ClientProcessStartKey` | `keyword` | |
|`action.properties.DetectionID` | `keyword` | |
|`action.properties.DetectionTime` | `keyword` | |
|`action.properties.DetectionUser` | `keyword` | |
|`action.properties.Domain` | `keyword` | |
|`action.properties.ElevatedToken` | `keyword` | |
|`action.properties.EngineVersion` | `keyword` | |
|`action.properties.Engineup-to-date` | `keyword` | |
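Review bot: `action.properties.CertIssuerName`, `action.properties.CertSerialNumber` and `action.properties.CertThumbprint` are added with an empty description column, like the rows around them. For `CertThumbprint` in particular it would be worth stating whether the hash is kept exactly as the event writes it or case-normalized, since a rule matching a thumbprint taken from another source fails on a case mismatch; `action.properties.Domain` is generic enough that a hint of which event it is taken from would also help.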
Expand Down Expand Up @@ -2386,6 +2390,7 @@ The following table lists the fields that are extracted, normalized under the EC
|`action.properties.LogonGuid` | `keyword` | |
|`action.properties.LogonProcessName` | `keyword` | |
|`action.properties.LogonType` | `keyword` | |
|`action.properties.MemberName` | `keyword` | |
|`action.properties.NRIengineversion` | `keyword` | |
|`action.properties.NRIsecurityintelligenceversion` | `keyword` | |
|`action.properties.NotValidAfter` | `keyword` | |
Expand All @@ -2401,7 +2406,9 @@ The following table lists the fields that are extracted, normalized under the EC
|`action.properties.Platformversion` | `keyword` | |
|`action.properties.PolicyBits` | `keyword` | |
|`action.properties.PostCleanStatus` | `keyword` | |
|`action.properties.PreAuthType` | `keyword` | |
|`action.properties.PreExecutionStatus` | `keyword` | |
|`action.properties.PrivilegeList` | `keyword` | |
|`action.properties.ProcessId` | `keyword` | |
|`action.properties.ProcessName` | `keyword` | |
|`action.properties.ProcessNameBuffer` | `keyword` | |
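Review bot: `action.properties.PreAuthType` and `action.properties.PrivilegeList` both lack a description. `PreAuthType` is a numeric code (on Kerberos authentication events a value of `0` means no pre-authentication, which is what AS-REP roasting detections look for), and `PrivilegeList` is a multi-line list of privilege names on special-privilege logon events; documenting the value format lets rule authors match these fields without first pulling a sample event.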
Expand All @@ -2426,6 +2433,8 @@ The following table lists the fields that are extracted, normalized under the EC
|`action.properties.ScriptBlockText` | `keyword` | |
|`action.properties.SecureRequired` | `keyword` | |
|`action.properties.SecurityintelligenceVersion` | `keyword` | |
|`action.properties.ServiceName` | `keyword` | |
|`action.properties.ServiceSid` | `keyword` | |
|`action.properties.SeverityID` | `keyword` | |
|`action.properties.SeverityName` | `keyword` | |
|`action.properties.ShareLocalPath` | `keyword` | |
Expand Down Expand Up @@ -2460,6 +2469,8 @@ The following table lists the fields that are extracted, normalized under the EC
|`action.properties.TaskName` | `keyword` | |
|`action.properties.ThreatID` | `keyword` | |
|`action.properties.ThreatName` | `keyword` | |
|`action.properties.TicketEncryptionType` | `keyword` | |
|`action.properties.TicketOptions` | `keyword` | |
|`action.properties.TotalSignatureCount` | `keyword` | |
|`action.properties.TransmittedServices` | `keyword` | |
|`action.properties.TypeID` | `keyword` | |
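Review bot: `action.properties.TicketEncryptionType` and `action.properties.TicketOptions` are typed `keyword` and, as elsewhere in this table, have no description. Both are hex strings on Kerberos ticket events (`0x17` is RC4-HMAC, the value most Kerberoasting rules key on; `0x12` is AES256), and the `0x` prefix and letter case of the raw value decide whether an exact `keyword` match hits, so say that the value is kept verbatim, or normalize it and document that.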
Expand All @@ -2470,6 +2481,7 @@ The following table lists the fields that are extracted, normalized under the EC
|`action.properties.Unused4` | `keyword` | |
|`action.properties.Unused5` | `keyword` | |
|`action.properties.Unused6` | `keyword` | |
|`action.properties.User` | `keyword` | |
|`action.properties.ValidatedPolicy` | `keyword` | |
|`action.properties.ValidatedSigningLevel` | `keyword` | |
|`action.properties.VerificationError` | `keyword` | |